RevDave

How do I trace the quarantined file back to its host email message?


Once or twice a day I receive a quarantine notification from the Mac version of Malwarebytes (Premium). It is always the same file name and folder names. I'd like to find out who is causing this so I can either block and report the sender, or let them know their computer is infected so they can clean it.

I've looked at the options in the manual, preferences, etc. and have not found anything. It seems to me that identifying the sender of the malware is as important as identifying the threat.


What is the file name and complete path to the folder?

Check the reports tab of the main Malwarebytes window and tell us what the Infection name of the file found is.

What gives you the impression it's being caused by the receipt of an e-mail? 


The infected file name is oodblefojaocanejnikhhjcglbaelpbpoodblefojaocanejnikhhjcglbaelpbp, but when I click on the Reports tab all I see is Kind = "Real-time Malware Scan" with Information = "Finished - scanned 37 objects. Threats: 1 detected, 1 remediated" or "Malwarebytes quarantined 1 threat. No further action is required", or Kind = "Protection Notification" with Information = "Malwarebytes quarantined 1 threat. No further action is required."

I don't see a path, that's why I'm asking for help.

 

I presumed it is email because it shows up every day at least once. 


The file name looks more like that of a browser cache file than e-mail and should be different each time. I suspect it's associated with a web site you visit every day that has somehow become infected. Apple Mail email files are numeric with a file extension of .emlx.


I could believe that but why show a browser cache file as a quarantine item in MWB?

How do I get the real file and path of the item being quarantined?

 

40 minutes ago, RevDave said:

I could believe that but why show a browser cache file as a quarantine item in MWB?

Any file containing potential malware will be quarantined. Same for PUPs unless you have that disabled. If you have Malwarebytes notifications enabled, you should see an alert at the time this file is created. If you are browsing at the time, then it's associated with the site you just visited. If you happened to download or decompress a file, or started an installation, when the alert occurs, it's that file. If an e-mail arrives at the time of the alert, it's probably an attachment to that message.

48 minutes ago, RevDave said:

How do I get the real file and path of the item being quarantined?

The file is in the quarantine folder. As you found, there is currently no record of the original path available to you. I know there are plans to provide additional logging information to the user in a future release, but no details on the extent and, as always, no timeline will be revealed until actual release.


OK, I have another one that came in around 8 pm last night, same file name.

Reports Information shows "Real Time Malware Scan", Information "Finished - scanned 37 objects. Threats: 1 detected. 1 remediated" (Quarantined). If I click on the box for that line I'm given the option to delete. I don't see a way to find the path.

TIA, Dave


Sorry, I refreshed the screen to check for responses before sending the last message but didn't see any replies. Your replies showed up after I sent my note. 🙂

There seem to be time lags. The time/date stamp for the quarantine shows "Yesterday at 8:00 pm." The reports section shows April 13, 2019 at 8:03:56. I'll try to watch for a quarantine notification but it will be difficult to pin down a single action with stuff happening in the background. 

I might have better luck turning off Malwarebytes for a few hours. The file contents of the object in question are: folder 3.4.3.1_0 with subfolder _metadata, Background html, subfolders css, omg, lib. Then files named manifest.fingerprint, manifest.json, panel.html, settings.html.

I don't know which file is safe to open/look at, and I don't know if any of the above names help either.

 

14 hours ago, RevDave said:

The file contents of the object in question are Folder 3.4.3.1_0 with sub folder _metadata, Background html, subfolders css, omg, lib. Then files named manifest.fingerprint, manifest.json, panel.html, settings.html.

That tells me that it's associated with a Chrome based browser extension. Could be Brave Browser, Google Chrome, Opera, Vivaldi.... I don't seem to have that same extension in any of my browsers and identifying them is always a difficult task. Contents of _metadata folders seem to vary a lot and none of mine exactly match your findings.

The "3.4.3.1_0" might uniquely identify the extension, but I have not been able to track it down. I usually figure that out by looking at the folder just above that which has a 32-character alpha file name.

You can probably get a clue as to which extension is involved by opening "manifest.json" in a text app. No harm can come of just opening any file in a text editor.

I no longer feel this is necessarily related simply to a web site you are visiting; rather, it's something about a browser extension that may or may not be triggered by a site visit, or that might somehow be re-installing itself on a daily basis, which would trigger a real-time scan.

The staff can probably help you when they get to work tomorrow.

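The post above describes the manual way of identifying an extension: look at the 32-character folder name above the version folder, then read manifest.json. The following script is an added example that does that lookup programmatically; it is not from the thread, from Malwarebytes or from any browser vendor. It assumes the Chrome-family profile layout `<profile>/Extensions/<id>/<version>_<n>/manifest.json`, that a localised extension name appears as a `__MSG_key__` placeholder resolved from `_locales/<default_locale>/messages.json`, and that the default macOS Chrome profile path shown is where a real run would point. The sample extension tree it builds (ID, name, permissions, URL) is constructed for the example and does not describe the extension from the thread.

```python
"""Resolve a Chrome-family extension ID folder to a readable name.

Added example (not from the thread or Malwarebytes). Assumes the layout
  <profile>/Extensions/<32-char id>/<version>_<n>/manifest.json
with localised names stored as __MSG_key__ in manifest.json and resolved
from _locales/<default_locale>/messages.json.
"""
import json
import re
import tempfile
from pathlib import Path

# Chrome extension IDs are 32 lowercase letters in the range a-p.
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")

# Assumed default Chrome profile location on macOS (for a real run).
DEFAULT_CHROME_EXTENSIONS = (
    Path.home() / "Library" / "Application Support" / "Google" / "Chrome"
    / "Default" / "Extensions"
)

# Invented ID for the constructed sample: 16 letters a-p, twice = 32 chars.
SAMPLE_ID = "abcdefghijklmnop" * 2


def is_extension_id(name: str) -> bool:
    """True if `name` has the shape of a Chrome extension ID folder."""
    return EXTENSION_ID_RE.match(name) is not None


def resolve_msg(value, ext_dir: Path, default_locale):
    """Expand a __MSG_key__ placeholder via _locales/<locale>/messages.json.
    Returns the raw value unchanged if it is not a placeholder or the key
    cannot be found in the default locale or an English fallback."""
    m = re.fullmatch(r"__MSG_(\w+)__", value or "")
    if m is None:
        return value
    key = m.group(1)
    for locale in dict.fromkeys([default_locale, "en", "en_US"]):
        if not locale:
            continue
        messages = ext_dir / "_locales" / locale / "messages.json"
        if messages.is_file():
            data = json.loads(messages.read_text(encoding="utf-8"))
            if key in data and "message" in data[key]:
                return data[key]["message"]
    return value


def describe_extension(extensions_root: Path, ext_id: str) -> list:
    """One record per installed version folder of the given extension ID."""
    records = []
    ext_root = extensions_root / ext_id
    if not ext_root.is_dir():
        return records
    for version_dir in sorted(ext_root.iterdir()):
        manifest_path = version_dir / "manifest.json"
        if not manifest_path.is_file():
            continue
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        locale = manifest.get("default_locale")
        records.append({
            "id": ext_id,
            "version_dir": version_dir.name,
            "version": manifest.get("version"),
            "name": resolve_msg(manifest.get("name"), version_dir, locale),
            "permissions": manifest.get("permissions", []),
            "update_url": manifest.get("update_url"),
        })
    return records


def build_sample_profile(root: Path) -> Path:
    """Construct a fake Extensions folder shaped like the one in the thread.
    Every value here is invented for the example."""
    ext_dir = root / "Extensions" / SAMPLE_ID / "3.4.3.1_0"
    (ext_dir / "_locales" / "en").mkdir(parents=True)
    (ext_dir / "_metadata").mkdir()
    manifest = {
        "manifest_version": 2,
        "name": "__MSG_appName__",
        "version": "3.4.3.1",
        "default_locale": "en",
        "permissions": ["tabs", "storage"],
        "update_url": "https://example.invalid/updates.xml",
        "background": {"page": "background.html"},
    }
    (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    messages = {"appName": {"message": "Sample Search Helper"}}
    (ext_dir / "_locales" / "en" / "messages.json").write_text(
        json.dumps(messages), encoding="utf-8")
    return root / "Extensions"


def demo() -> list:
    """Run the lookup against the constructed sample profile."""
    with tempfile.TemporaryDirectory() as tmp:
        extensions_root = build_sample_profile(Path(tmp))
        return describe_extension(extensions_root, SAMPLE_ID)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
    # For a real profile: describe_extension(DEFAULT_CHROME_EXTENSIONS, "<id>")
```

Run it against the real profile by passing `DEFAULT_CHROME_EXTENSIONS` and the 32-character folder name; `is_extension_id` is useful for deciding whether a quarantined folder name is an extension ID at all (the 64-character name in the thread is not, which suggests the ID was pasted twice). The `permissions` and `update_url` fields are worth reading before deciding whether an extension is unwanted, since a broad permission set plus an update URL outside the Chrome Web Store is typical of sideloaded adware.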

The file oodblefojaocanejnikhhjcglbaelpbp is a Chrome browser adware extension called Search Encrypt.

It may be getting synced back onto your device after each removal by Chrome Sync. Try removing it from Chrome manually, which should update Google Sync to prevent this from happening. To do so:

  1. open Chrome
  2. choose Extensions from the Window menu
  3. find the Search Encrypt extension and click its Remove button

If that doesn't work, or if Chrome doesn't allow you to remove it, post back here for further troubleshooting.

