wcutler Posted March 14, 2019 ID:1303651
c:\program files (x86)\scansoft\paperport\paprport.exe is being flagged as ransomware
wcutler (Author) Posted March 14, 2019 ID:1303653
file from pc
PaprPort.zip
miekiemoes (Staff) Posted March 14, 2019 ID:1303655
Hi,
Can you unquarantine and then zip and attach the c:\program files (x86)\scansoft\paperport\paprport.exe file?
Thanks!
Edited to add - our posts crossed. This is a false positive indeed and should be fixed in the meanwhile. Please give it a few minutes to process.
In case it's still detected afterwards, quit Malwarebytes from the system tray.
Then navigate to the following folder: C:\ProgramData\Malwarebytes\MBAMService
In there, locate the file HubbleCache and delete it.
Restart Malwarebytes again. A new HubbleCache will then be created again, so it will properly pick it up and remember to not detect this anymore.
Edited March 14, 2019 by miekiemoes
wcutler (Author) Posted March 14, 2019 ID:1303657
There is nothing in the quarantine.
Below is from the user:
The workstation has given this Malware message on Tues and Wed. When this message appears, the PaperPort scanning program stops working and doesn't work even if the computer is rebooted. If I go into Documents and delete or move all the scans that were completed before, it will function again.
miekiemoes (Staff) Posted March 14, 2019 ID:1303659
Hi,
It looks like the process was stopped only, not deleted. This happens in most cases when there's no internet connection or for some other reason, where Malwarebytes failed to do an additional checkup in order to give a final verdict for this file.
In that case, using the better-safe-than-sorry approach, Malwarebytes kills the running process, as it sees it as suspicious (behavior detection).
wcutler (Author) Posted March 18, 2019 ID:1304375
still getting reports of paprport.exe being blocked by anti-ransomware
miekiemoes (Staff) Posted March 18, 2019 ID:1304376
Hi,
We would need more info, so can you zip and attach the MBAMService.LOG, so I can have a look at why it is still detected?
You can find this log in the following folder: C:\ProgramData\Malwarebytes\MBAMService\LOGS
wcutler (Author) Posted March 18, 2019 ID:1304389
this is where I found it - 😄\ProgramData\Malwarebytes\MB3Service\logs
MBAMSERVICE.zip
wcutler (Author) Posted March 18, 2019 ID:1304392
03/18/19 " 09:44:55.624" 346415632 11c8 0ecc INFO AntiRansomwareControllerImpl mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "arwcontrollerimplhelper.cpp" 1163 "Received threat detection callback from ARW SDK, ObjectPath=C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe, Sha256Hash=e0b7029d438aa731078c1819de274c276d226cae2347d8f5d528469ae08c20e1"
03/18/19 " 09:44:55.655" 346415664 11c8 0ecc DEBUG CleanControllerImpl mb::cleanctlrimpl::whitelist::SystemProtectedWhiteLister::IsObjectWhiteListed "systemprotectedwhitelister.cpp" 63 "SystemProtectedWhiteLister 'C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe' => 'Unknown'"
03/18/19 " 09:45:08.088" 346428097 11c8 0ecc DEBUG MBAMCoreImpl MBAMCoreImpl::ClassifyFile "mbamcoreimpl.cpp" 274 "File was successfully classified. FilePath=<C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe>. Status=<Unknown Object>."
03/18/19 " 09:45:08.416" 346428425 11c8 0ecc INFO AntiRansomwareControllerImpl mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "arwcontrollerimplhelper.cpp" 1188 "The detected file is only whitelisted due to error in whitelisting (likely offline), sending an action request to the SDK to kill this process. ObjectPath=C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe, id=0x0"
03/18/19 " 09:45:33.926" 346453931 11c8 19a0 DEBUG AntiRansomwareControllerImpl mb::arwcontrollerimpl::ArwCleanupScheduler::ContainThreatsToRemediate "arwcleanupscheduler.cpp" 674 "Received a results callback from ARW SDK - ObjectPath = C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe, RegObjectPath = , ActionTaken=ARW_ACTION_KILL_PROCESS, Result = ARW_RESULT_SUCCESS, Type = Trace::OBJECTTYPE_FILE, RebootRequired = No"
03/18/19 " 09:54:52.937" 422637 1294 1454 DEBUG TelemCtrlImpl TelemetryControllerImpl::SendTelemetryRecord "telemetrycontrollerimplhelper.cpp" 1882 "Sending Telemetry Record: {""client"":{""architecture"":""x64"",""build"":""business"",""caller"":{""name"":""ARWController"",""trigger"":""Detection""},""filesystem"":""ntfs"",""os_version"":""Windows 7 Service Pack 1"",""program"":""MBRW-B"",""version"":""0.9.18.806""},""header"":{""installation_token"":""E1zQCHWxzpraKTqMyLyi1548698427"",""machine_id"":""db8f980da2439a7c0db72fca78a21c02c273396d"",""time"":""2019-03-18T09:45:34-04:00""},""license"":{""license_state"":""licensed""},""nebula"":{""nebula_account_id"":"""",""nebula_ea_plugin_version"":"""",""nebula_ea_version"":"""",""nebula_group_id"":"""",""nebula_job_id"":"""",""nebula_machine_id"":"""",""nebula_machine_name"":"""",""nebula_origin"":"""",""nebula_policy_etag"":"""",""nebula_policy_id"":"""",""nebula_schedule_etag"":"""",""nebula_schedule_id"":""""},""ransomware"":{""detections"":[{""disposition"":""ARW_ACTION_KILL_PROCESS"",""md5hash"":""e0b7029d438aa731078c1819de274c276d226cae2347d8f5d528469ae08c20e1"",""pid"":1712,""proc_path"":""C:\\Program Files (x86)\\ScanSoft\\PaperPort\\PaprPort.exe""}]}}"
miekiemoes (Staff) Posted March 18, 2019 ID:1304393
03/18/19 " 09:45:08.416" 346428425 11c8 0ecc INFO AntiRansomwareControllerImpl mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "arwcontrollerimplhelper.cpp" 1188 "The detected file is only whitelisted due to error in whitelisting (likely offline), sending an action request to the SDK to kill this process. ObjectPath=C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe, id=0x0"
Looks like it fails to do an additional lookup here, because it doesn't have an internet connection at that time - as explained in my previous post already.
Unsure why that is in your case, but I suggest you add an exclusion for this folder (ScanSoft\PaperPort\) as it's normally not detected.
* To add the exclusion, open Malwarebytes > Settings > Exclusions tab
* Below, click the button: "Add Exclusion"
* Then, select "Exclude a File or Folder" (this should be prechecked already by default)
* Click Next
* You'll see a field that says: "Specify a File or Folder" - there, click the button "Select Files..." and browse to the file you want to exclude.
* For "How to Exclude", select: "Exclude from detection as malware, ransomware or potentially unwanted item" (this is normally also selected by default already)
* Then click the OK button below.
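Added example, not part of the thread and not Malwarebytes code: a small Python triage of MBAMService.LOG records that separates a process kill caused by the failed whitelisting lookup from one backed by a final verdict. The names triage, RECORD, PATH, SHA, ACTION and SAMPLE are hypothetical, and the record layout is inferred from the excerpt posted above rather than from any documented log format.

```python
import re
from collections import defaultdict

# Record layout assumed from the excerpt in the thread: date, quoted time, tick
# count, two hex ids, level, component, function, quoted source file, line, message.
RECORD = re.compile(
    r'^\d\d/\d\d/\d\d\s+"\s*(?P<time>[\d:.]+)"\s+\d+\s+[0-9a-f]+\s+[0-9a-f]+\s+'
    r'\w+\s+(?P<component>\S+)\s+\S+\s+"[^"]*"\s+\d+\s+"(?P<msg>.*)"\s*$')
PATH = re.compile(r'ObjectPath\s*=\s*(?P<path>.+?)\s*,')
SHA = re.compile(r'Sha256Hash=(?P<sha>[0-9a-f]{64})')
ACTION = re.compile(r'ActionTaken=(?P<action>\w+), Result = (?P<result>\w+)')

def triage(log_text):
    """Group anti-ransomware events by executable and flag lookup-failure kills."""
    found = defaultdict(lambda: {"sha256": None, "lookup_failed": False, "actions": []})
    for line in log_text.splitlines():
        rec = RECORD.match(line.strip())
        if not rec or not rec["component"].startswith("AntiRansomware"):
            continue  # keep only the anti-ransomware controller records
        path = PATH.search(rec["msg"])
        if not path:
            continue
        entry = found[path["path"].lower()]  # Windows paths are case-insensitive
        if sha := SHA.search(rec["msg"]):
            entry["sha256"] = sha["sha"]
        if "error in whitelisting" in rec["msg"]:
            entry["lookup_failed"] = True  # action requested without a final verdict
        if act := ACTION.search(rec["msg"]):
            entry["actions"].append((rec["time"], act["action"], act["result"]))
    return dict(found)

# Sample records copied from the excerpt posted in the thread, one per line.
SAMPLE = r"""
03/18/19 " 09:44:55.624" 346415632 11c8 0ecc INFO AntiRansomwareControllerImpl mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "arwcontrollerimplhelper.cpp" 1163 "Received threat detection callback from ARW SDK, ObjectPath=C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe, Sha256Hash=e0b7029d438aa731078c1819de274c276d226cae2347d8f5d528469ae08c20e1"
03/18/19 " 09:45:08.088" 346428097 11c8 0ecc DEBUG MBAMCoreImpl MBAMCoreImpl::ClassifyFile "mbamcoreimpl.cpp" 274 "File was successfully classified. FilePath=<C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe>. Status=<Unknown Object>."
03/18/19 " 09:45:08.416" 346428425 11c8 0ecc INFO AntiRansomwareControllerImpl mb::arwcontrollerimpl::ArwControllerImpl::ArwShimDetectionCallback "arwcontrollerimplhelper.cpp" 1188 "The detected file is only whitelisted due to error in whitelisting (likely offline), sending an action request to the SDK to kill this process. ObjectPath=C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe, id=0x0"
03/18/19 " 09:45:33.926" 346453931 11c8 19a0 DEBUG AntiRansomwareControllerImpl mb::arwcontrollerimpl::ArwCleanupScheduler::ContainThreatsToRemediate "arwcleanupscheduler.cpp" 674 "Received a results callback from ARW SDK - ObjectPath = C:\Program Files (x86)\ScanSoft\PaperPort\PaprPort.exe, RegObjectPath = , ActionTaken=ARW_ACTION_KILL_PROCESS, Result = ARW_RESULT_SUCCESS, Type = Trace::OBJECTTYPE_FILE, RebootRequired = No"
"""

if __name__ == "__main__":
    for exe, info in triage(SAMPLE).items():
        print(exe, info)
```

An entry with lookup_failed set and a kill action is the pattern discussed in this thread: the process was stopped because the additional check could not complete, so the connectivity of the endpoint at that timestamp is the first thing to verify.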