
How to remove files from quarantine list



There is not currently an easy way to do that. However, the false positive rate with Malwarebytes for Mac is exceptionally low, so when we usually see people wanting to restore things from quarantine, those are not things that really should be restored from quarantine. What are you trying to restore?

---

I have the same question. I had intended to mark just 3 of the 4 detected malware files, but inadvertently marked all of them. They are now in Quarantine.  One is by Tenorshare and the directory includes my user ID, so I will probably not be able to start the App. I don't know where it belongs. Do you suggest to put everything from Quarantine into the trash and retrieve this file from there? Mac usually knows how to return things to their right place. Thanks!

---

I'm not sure which particular app from TenorShare you installed, but they are all classified by Malwarebytes as Potentially Unwanted Processes (PUPs). I suspect it was ReiBoot, except that it should have identified that application and a third directory as "PUP.Tenorshare", as well as the one you quarantined. As @treed has mentioned, that directory is unlikely to have been a False Positive. Here is his statement on an iOS app from the same developer that appears to apply to all of their products: 

If I had to guess, the directory you currently have in Quarantine belongs in /Users/<YourUserName>/Library/Application Support/tenorshare.

Edited by alvarnell
---

22 hours ago, treed said:

There is not currently an easy way to do that. However, the false positive rate with Malwarebytes for Mac is exceptionally low, so when we usually see people wanting to restore things from quarantine, those are not things that really should be restored from quarantine. What are you trying to restore?

Hi - I am attaching screenshot of Quarantine Folder. Malwarebytes is finding Total AV virus app as a PUP.

Quarantine.png

---

alvarnell said:

"I'm not sure which particular app from TenorShare you installed, but they are all classified by Malwarebytes as Potentially Unwanted Processes (PUPs). I suspect it was ReiBoot, except that it should have identified that application and a third directory as "PUP.Tenorshare", as well as the one you quarantined. As @treed has mentioned, that directory is unlikely to have been a False Positive. Here is his statement on an iOS app from the same developer that appears to apply to all of their products"

---

Thanks. In fact I installed demos of:
4MeKey
iCareFone
UltData

Finally I purchased UltData ($90 I think, so not cheap!). That is presumably the registration code which is now in Quarantine.

iTunes is far from adequate when making backups, as you never know what has been backed up. In this case I had lost most of my WiFi access codes to the various places I visit when travelling. 4MeKey was fantastic for getting those back from an old backup in a focussed manner and not deleting photos taken since that backup. Then I purchased the full version of UltData to have more control over the entire iPad backup process.

As you will see, the UltData folder is actually empty and beneath it is my UserID registration which I need to rescue.

What do you think is meant by "shady behaviors, but no overtly malicious behavior"?

 

 

FinderScreenSnapz072.jpg

---

3 hours ago, Michael_L said:

Malwarebytes is finding Total AV virus app as a PUP.

PUPs are Potentially Unwanted Programs and that definition is a perfect fit to describe TotalAV. If you are willing to accept software that routinely scores low in ratings, has multiple complaints against it to the Better Business Bureau and nags you to pay before it will do anything about what it finds, then feel free to ignore Malwarebytes and keep using it.

Clearly the TotalAV.app came from your /Applications folder. Probably the easiest way to restore would be to re-install it, either from the TotalAV.dmg you downloaded or if you trashed it, from the developer site.

I believe the TotalAV file belongs in /Users/<YourUserName>/Library/Application Support/TotalAV but no clue about the other one.

---

1 hour ago, John_T said:

As you will see, the UltData folder is actually empty and beneath it is my UserID registration which I need to rescue.

What do you think is meant by "shady behaviors, but no overtly malicious behavior"?

Have you tried to launch the UltData app? It should restore a Tenorshare folder somewhere (again, the most probable place is /Users/<YourUserName>/Library/Applications Support/) and then drag the UserID file to it.

---

@Alvarnell

Strangely a Tenorshare folder with the original installation date is placed directly under the UserName directory alongside Applications, Documents, Libraries, Movies, Music, Pictures, etc. VERY top-level and so an unexpected location.

There are a few entries under Application Support as shown below, but the UltraDat only contains mumbo-jumbo names, so not quite what that is.

Finally, I restarted UltraDat and it all looked OK, but I have not yet tested it. However, Malwarebytes found it immediately and placed the UserID code again in quarantine. So is there a way to tell Malwarebytes that it is OK?

FinderScreenSnapz074.jpg

FinderScreenSnapz075.jpg

---

6 minutes ago, John_T said:

is there a way to tell Malwarebytes that it is OK?

Assuming it's being identified as a "PUP" as many other Tenorshare files are, go to the Settings tab of your Malwarebytes main window and change "Default action for PUPs:" to "Skip".

---

7 minutes ago, alvarnell said:

Assuming it's being identified as a "PUP" as many other Tenorshare files are, go to the Settings tab of your Malwarebytes main window and change "Default action for PUPs:" to "Skip".

Great thanks. Is there anything I can do for you to help identify whether this App has any mal intent? It might be useful for others as it appears legit to me, but I'm not a malware expert.

---

18 minutes ago, John_T said:

Is there anything I can do for you to help identify whether this App has any mal intent?

Not me, but somebody from the staff may be interested, especially since the app itself is apparently not being detected, but a component of it is.

You might want to read through this blog post: How to avoid potentially unwanted programs. In the case of Tenorshare apps, they normally get classified as PUPs because they cost money to do things that can be done for free by the OS. It sounds like you have determined that UltraDat doesn't fit that description and provides something you need without unduly hampering your computer experience, so not unwanted by you.

---

Incidentally, did you see the folder named "T" in the screenshot above? It contains a single file roottools.conf 29 bytes, dated 13.12.16

Does that look like Malware to you? The only reference I found when googling was from an OSX beta tester.  

 

---

I did notice the T folder and I see that I have it. In my case the roottools.conf file is 57 bytes and contains 2 identical 19 digit number entries for "node_id=" and "node_id2=". In my checking around it seems to be somehow connected to Skype. Nothing other than the file name to indicate malware to me. This is on the current release version of Mojave, not beta, and has been there since Oct 2015. Since it's in the User Library, unlikely to be OS released in any case.

Edited by alvarnell
---

FYI, the "T" folder is still there after uninstalling Skype and rebooting. If an integral uninstall function is unavailable to uninstall the App I use AppZapper which I find more reliable than just pulling the App to the trash bin. So it might be something other than a Skype tool or perhaps shared by other Apps. 

---

No surprise there. Very few apps will totally uninstall all their support files, especially those that reflect any kind of preference or registration information, in case you want to re-install them for any reason. AppZapper will only remove files that contain the app or developer name, so that wouldn't be of any use here.

The developer instructions for removing Skype are equally unhelpful: How do I uninstall and reinstall Skype on desktop?

---

On 5/31/2019 at 8:44 AM, John_T said:

What do you think is meant by "shady behaviors, but no overtly malicious behavior"?

Tenorshare uses some unethical techniques for selling and promoting its apps, among other things. As a good, concrete example that is easy to see, look at the user reviews on the official UltData page. If you control-click on the photos of each of the users and save the image to the desktop, then search for that image on Google Images, you'll find that they're all stock photos being used in a variety of places. This is a common trick with PUP companies to promote their software.

We'll need to investigate, though, as it sounds like the UltData app is no longer being detected, which must mean that they changed something to avoid detection.

---

On 5/31/2019 at 12:46 PM, alvarnell said:

I did notice the T folder and I see that I have it. In my case the roottools.conf file is 57 bytes and contains 2 identical 19 digit number entries for "node_id=" and "node_id2=". In my checking around it seems to be somehow connected to Skype. Nothing other than the file name to indicate malware to me. This is on the current release version of Mojave, not beta, and has been there since Oct 2015. Since it's in the User Library, unlikely to be OS released in any case.

I don't see such a folder on my system, and I do have Skype installed. Where is this "T" folder located, and what are the exact contents of the roottools.conf file? Are there any invisible files in that folder? You can check by pressing command-shift-period in the Finder, which will reveal hidden files. (Press it again to turn that back off... I do not recommend using that mode carelessly, as there are many files and folders on the system that are meant to be hidden, because they're not meant to be messed with unless you really know what you're doing.)

---

On 5/31/2019 at 6:06 AM, Michael_L said:

Hi - I am attaching screenshot of Quarantine Folder. Malwarebytes is finding Total AV virus app as a PUP.

TotalAV is one of several clone apps made by a company who was responsible for PUP software that was found in more than 50% of all adware installers that we saw on the Mac at one point. It's definitely not something I'd advise using.

---

12 minutes ago, treed said:

Where is this "T" folder located, and what are the exact contents of the roottools.conf file?

~/Library/Application Support/T

node_id=1463325868619150315
node_id2=1463325868619150315
 

14 minutes ago, treed said:

Are there any invisible files in that folder?

No

The directories and .conf file were first installed there on Oct 9, 2015 and the latter updated Oct 29, 2017, so they have been there for some time and may be related to some previous iteration of Skype. When I Google "roottools.conf" I get several references to Skype, most, but not all, the Windows variety; some mention a "T" folder being touched when Skype is launched.

---

Ahh, I see that I do have such a folder... it just doesn't show up in a Spotlight search. That's not getting detected by Malwarebytes here, though, so I'd need more information about what's in the copy of that folder that is getting detected. I assume it's not getting detected for you, Al?

---

8 hours ago, treed said:

I don't see such a folder on my system, and I do have Skype installed. Where is this "T" folder located, and what are the exact contents of the roottools.conf file? Are there any invisible files in that folder? You can check by pressing command-shift-period in the Finder, which will reveal hidden files. (Press it again to turn that back off... I do not recommend using that mode carelessly, as there are many files and folders on the system that are meant to be hidden, because they're not meant to be messed with unless you really know what you're doing.)

Indeed there is a hidden DS-Store file there.

FinderScreenSnapz076.jpg
