wcutler

paprport.exe


c:\program files (x86)\scansoft\paperport\paprport.exe is being flagged as ransomware


Hi,

Can you unquarantine and then zip and attach the c:\program files (x86)\scansoft\paperport\paprport.exe file?

Thanks!

Edited to add - our posts crossed.

This is a false positive indeed and should be fixed in the meantime. Please give it a few minutes to process.

In case it's still detected afterwards, quit Malwarebytes from the system tray.
Then navigate to the following folder:

C:\ProgramData\Malwarebytes\MBAMService

In there, locate the file HubbleCache and delete it.

Restart Malwarebytes again. A new HubbleCache will then be created, so it will properly pick it up and remember not to detect this anymore.

Edited by miekiemoes


there is nothing in the quarantine

below is from the user

The workstation has given this Malware message on Tues and Wed. When this message appears, the PaperPort scanning program stops working and doesn't work even if the computer is rebooted. If I go into Documents and delete or move all the scans that were completed before, it will function again.

20190313_150805.jpg


Hi,

It looks like the process was stopped only, not deleted.

This happens in most cases when there's no internet connection, or when for some other reason Malwarebytes failed to do an additional checkup in order to give a final verdict for this file.

In that case, using the better safe than sorry approach, Malwarebytes kills the running process, as it sees it as suspicious (behavior detection).


still getting reports of paprport.exe being blocked by anti-ransomware

image.png.03e0f011a0fd3709dac89a7d3bff5047.png


Hi,

 

We would need more info, so can you zip and attach the MBAMService.LOG, so I can have a look at why it is still detected?

You can find this log in the following folder: C:\ProgramData\Malwarebytes\MBAMService\LOGS


03/18/19    " 09:44:55.624"    346415632    11c8    0ecc    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "arwcontrollerimplhelper.cpp"    1163    "Received threat detection callback from ARW SDK, ObjectPath=C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe, Sha256Hash=e0b7029d438aa731078c1819de274c276d226cae2347d8f5d528469ae08c20e1"

03/18/19    " 09:44:55.655"    346415664    11c8    0ecc    DEBUG    CleanControllerImpl    mb::cleanctlrimpl::whitelist::SystemProtectedWhiteLister::IsObjectWhiteListed    "systemprotectedwhitelister.cpp"    63    "SystemProtectedWhiteLister 'C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe' => 'Unknown'"

03/18/19    " 09:45:08.088"    346428097    11c8    0ecc    DEBUG    MBAMCoreImpl    MBAMCoreImpl::ClassifyFile    "mbamcoreimpl.cpp"    274    "File was successfully classified. FilePath=<C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe>. Status=<Unknown Object>."

03/18/19    " 09:45:08.416"    346428425    11c8    0ecc    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "arwcontrollerimplhelper.cpp"    1188    "The detected file is only whitelisted due to error in whitelisting (likely offline), sending an action request to the SDK to kill this process. ObjectPath=C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe, id=0x0"

03/18/19    " 09:45:33.926"    346453931    11c8    19a0    DEBUG    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwCleanupScheduler::ContainThreatsToRemediate    "arwcleanupscheduler.cpp"    674    "Received a results callback from ARW SDK - ObjectPath = C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe, RegObjectPath = , ActionTaken=ARW_ACTION_KILL_PROCESS, Result = ARW_RESULT_SUCCESS, Type = Trace::OBJECTTYPE_FILE, RebootRequired = No"

03/18/19    " 09:54:52.937"    422637    1294    1454    DEBUG    TelemCtrlImpl    TelemetryControllerImpl::SendTelemetryRecord    "telemetrycontrollerimplhelper.cpp"    1882    "Sending Telemetry Record: {""client"":{""architecture"":""x64"",""build"":""business"",""caller"":{""name"":""ARWController"",""trigger"":""Detection""},""filesystem"":""ntfs"",""os_version"":""Windows 7 Service Pack 1"",""program"":""MBRW-B"",""version"":""0.9.18.806""},""header"":{""installation_token"":""E1zQCHWxzpraKTqMyLyi1548698427"",""machine_id"":""db8f980da2439a7c0db72fca78a21c02c273396d"",""time"":""2019-03-18T09:45:34-04:00""},""license"":{""license_state"":""licensed""},""nebula"":{""nebula_account_id"":"""",""nebula_ea_plugin_version"":"""",""nebula_ea_version"":"""",""nebula_group_id"":"""",""nebula_job_id"":"""",""nebula_machine_id"":"""",""nebula_machine_name"":"""",""nebula_origin"":"""",""nebula_policy_etag"":"""",""nebula_policy_id"":"""",""nebula_schedule_etag"":"""",""nebula_schedule_id"":""""},""ransomware"":{""detections"":[{""disposition"":""ARW_ACTION_KILL_PROCESS"",""md5hash"":""e0b7029d438aa731078c1819de274c276d226cae2347d8f5d528469ae08c20e1"",""pid"":1712,""proc_path"":""C:\\Program Files (x86)\\ScanSoft\\PaperPort\\PaprPort.exe""}]}}"


03/18/19    " 09:45:08.416"    346428425    11c8    0ecc    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "arwcontrollerimplhelper.cpp"    1188    "The detected file is only whitelisted due to error in whitelisting (likely offline), sending an action request to the SDK to kill this process. ObjectPath=C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe, id=0x0"

 

Looks like it fails to do an additional lookup here, because it doesn't have an internet connection at that time - as explained in my previous post already.

Unsure why that is in your case, but I suggest you add an exclusion for this folder (ScanSoft\PaperPort\) as it's normally not detected.

 

* To add the exclusion, open Malwarebytes > Settings > Exclusions tab

* Below, click the button: "Add Exclusion"

* Then, select "Exclude a File or Folder" (this should be prechecked already by default)

* Click Next

* You'll see a field that says: "Specify a File or Folder" - there, click the button "Select Files..." and browse to the file you want to exclude.

* For "How to Exclude", select: "Exclude from detection as malware, ransomware or potentially unwanted item" (this is normally also selected by default already)

* Then click the OK button below.

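The sequence visible in the log lines posted in this thread (detection callback, classification as unknown, kill request after the whitelist lookup errored, kill result) can be pulled out of MBAMService.LOG mechanically when triaging similar reports. This is an added example, not part of the thread and not Malwarebytes code; the column labels and function names are assumptions, and the sample lines are copied from the excerpt posted above.

```python
import re
# Sample input: four lines copied from the log excerpt posted in the thread.
SAMPLE = r"""
03/18/19    " 09:44:55.624"    346415632    11c8    0ecc    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "arwcontrollerimplhelper.cpp"    1163    "Received threat detection callback from ARW SDK, ObjectPath=C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe, Sha256Hash=e0b7029d438aa731078c1819de274c276d226cae2347d8f5d528469ae08c20e1"
03/18/19    " 09:45:08.088"    346428097    11c8    0ecc    DEBUG    MBAMCoreImpl    MBAMCoreImpl::ClassifyFile    "mbamcoreimpl.cpp"    274    "File was successfully classified. FilePath=<C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe>. Status=<Unknown Object>."
03/18/19    " 09:45:08.416"    346428425    11c8    0ecc    INFO    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback    "arwcontrollerimplhelper.cpp"    1188    "The detected file is only whitelisted due to error in whitelisting (likely offline), sending an action request to the SDK to kill this process. ObjectPath=C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe, id=0x0"
03/18/19    " 09:45:33.926"    346453931    11c8    19a0    DEBUG    AntiRansomwareControllerImpl    mb::arwcontrollerimpl::ArwCleanupScheduler::ContainThreatsToRemediate    "arwcleanupscheduler.cpp"    674    "Received a results callback from ARW SDK - ObjectPath = C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe, RegObjectPath = , ActionTaken=ARW_ACTION_KILL_PROCESS, Result = ARW_RESULT_SUCCESS, Type = Trace::OBJECTTYPE_FILE, RebootRequired = No"
"""

# Column labels are assumptions; the log excerpt itself has no header row.
FIELDS = "date time ticks pid tid level component function source line message".split()
PATH_RE = re.compile(r"(?:ObjectPath\s*=\s*|FilePath=<)([A-Za-z]:\\[^,>]+)")
DETAILS = {
    "sha256": re.compile(r"Sha256Hash=([0-9a-fA-F]{64})"),
    "status": re.compile(r"Status=<([^>]+)>"),
    "action": re.compile(r"ActionTaken=(\w+)"),
}

def parse_line(line):
    """Split one log line into its 11 columns; return None if it does not fit."""
    parts = re.split(r"\s{2,}|\t", line.strip(), maxsplit=len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    return {name: value.strip('" ') for name, value in zip(FIELDS, parts)}

def triage(log_text):
    """Collect hash, classification, action and fallback flag per object path."""
    summary = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        msg = rec["message"]
        path = PATH_RE.search(msg)
        if not path:
            continue
        entry = summary.setdefault(path.group(1).strip().lower(), {
            "sha256": None, "status": None, "action": None, "offline_fallback": False})
        for key, rx in DETAILS.items():
            if (m := rx.search(msg)):
                entry[key] = m.group(1)
        # Wording of the line logged before a kill that has no final verdict.
        if "error in whitelisting" in msg:
            entry["offline_fallback"] = True
    return summary

def fail_closed_kills(summary):
    """Paths killed because the lookup failed, not because of a malicious verdict."""
    return [p for p, e in summary.items()
            if e["offline_fallback"] and e["action"] == "ARW_ACTION_KILL_PROCESS"]

print(fail_closed_kills(triage(SAMPLE)))
```

A path returned by `fail_closed_kills` points at a connectivity or lookup problem on the endpoint, which is the case the staff replies describe, rather than at a confirmed ransomware verdict.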
