False Positive: Upgrading from Win 10 Build 1809 to 1903

[REGITDept]

Dear Malwarebytes,

When manually upgrading from Win 10 Pro Build 1809 to Build 1903 we got this false positive. Please see screenshot.

Thanks.

[exile360]

Greetings,

Thank you for informing us about this issue.  If possible, could you please restore the file from quarantine and ZIP and attach a copy of it here for analysis by our Research team?

In the meantime I will ping a member of the Research team to bring their attention to this thread.

@miekiemoes could you please take a look at this issue/FP?

Thanks

[REGITDept]

exile360,

I no longer have the file because I cleared it out before receiving your reply here.

You can easily obtain the file by just upgrading from build 1809 to 1903 using the Upgrade Assistant.

Thanks.

[CHMOD_777]

Hello @REGITDept

Thank you for the information, I have passed this to our internal research team.  As we don't have that file readily available, I will need to wait until I hear back from the team.

 

Warm Regards,

[REGITDept]

Thank you for the help guys.

Waiting for your status updates.

[REGITDept]

Guys,

Here is the file that you requested.

Thanks.

SetupHost.zip

[REGITDept]

Dear Malwarebytes,

What is your current status on this situation?

Thanks.

[shadowwar]

This should no longer be detected. Thanks for reporting.

 

[REGITDept]

12 hours ago, shadowwar said:

This should no longer be detected. Thanks for reporting.

 

Dear Malwarebytes,

As of today 09/18/2019 at 5:57 PM, the issue is still present.

Make sure you guys tested by updating to build 1903 using the Update Assistant and not via Windows Updates.

Thanks.

[exile360]

@shadowwar please take a look when you get a chance.

Thanks

[tetonbob]

@REGITDept - thanks for your report. I've personally tried reproducing the issue on a variety of Windows 10 hardware and VMs, using the Update Assistant, and Windows Update. On one machine where I ran the Update Assistant, I did get the FP. On others, I did not.

We're aware of a code issue which is causing this type of false positive and are working on devising a solution. For now, the only workaround is to add an exclusion or temporarily disable the Ransomware Protection while you run the upgrade.

May I ask, did your Windows 10 upgrade fail when you received this FP detection?

[REGITDept]

7 minutes ago, tetonbob said:

@REGITDept - thanks for your report. I've personally tried reproducing the issue on a variety of Windows 10 hardware and VMs, using the Update Assistant, and Windows Update. On one machine where I ran the Update Assistant, I did get the FP. On others, I did not.

We're aware of a code issue which is causing this type of false positive and are working on devising a solution. For now, the only workaround is to add an exclusion or temporarily disable the Ransomware Protection while you run the upgrade.

May I ask, did your Windows 10 upgrade fail when you received this FP detection?

Dear tetonbob,

In our environment, the FP is 100% of the time on all of our machines.

The installation failed 100% of the time.

Our workaround is to temporarily disabled the protection before running the update.

Waiting for your status update.

Thanks.

[tetonbob]

Thanks for the detail. We'll post here when we have a new status update, but this will likely be some days yet. For now, please do continue to use the workaround in your shop. Once the upgrade is complete, you should be able to re-enable the Ransomware Protection.

One of the things I observed was, the upgrade continued on it's own some 15-20 minutes after the FP detection, and apparently grabbed a new copy of SetupHost.exe to carry on. It will be a while yet before I can tell if that upgrade succeeds or ultimately fails.             Well, that took less time than I expected. After one of the Upgrade reboots, SetupHost.exe was quarantined again, and the Upgrade did fail.

Our apologies for the inconvenience this has caused, and thanks again for bringing it to our attention.

 

Edited September 19, 2019 by tetonbob

[REGITDept]

Thank you tetonbob,

I'll wait for a status update on this case.

Appreciate your help.

[Dheeraj]

Hello REGITDept,

Yesterday evening we have released a fix for this issue on our standalone product. Please let us know if you it resolves your issue or if you are still experiencing it. Once again apologies for the inconvenience 

 

[REGITDept]

30 minutes ago, Dheeraj said:

Hello REGITDept,

Yesterday evening we have released a fix for this issue on our standalone product. Please let us know if you it resolves your issue or if you are still experiencing it. Once again apologies for the inconvenience 

 

Dear Dheeraj,

We are using Malwarebytes Endpoint Security. Not standalone.

Thanks.

[tetonbob]

Hi @REGITDept - the screenshot provided in your initial post comes from our standalone Malwarebytes Anti-Ransomware.

Malwarebytes Endpoint Security includes separate Malwarebytes products, Anti-Malware, Anti-Exploit, and Anti-Ransomware.

Your Malwarebytes Anti-Ransomware clients should be a version number 0.9.18.806. Prior to the component update package we released last night, it should have been a -1.1.238 and after the latest update, it should be -1.1.242

0.9.18.806-1.1.242 should no longer throw this False Positive detection.

 

Edited September 20, 2019 by tetonbob

[REGITDept]

1 hour ago, tetonbob said:

Hi @REGITDept - the screenshot provided in your initial post comes from our standalone Malwarebytes Anti-Ransomware.

Malwarebytes Endpoint Security includes separate Malwarebytes products, Anti-Malware, Anti-Exploit, and Anti-Ransomware.

Your Malwarebytes Anti-Ransomware clients should be a version number 0.9.18.806. Prior to the component update package we released last night, it should have been a -1.1.238 and after the latest update, it should be -1.1.242

0.9.18.806-1.1.242 should no longer throw this False Positive detection.

 

Hi tetonbob,

Our Malwarebytes Anti-Ransomware came from the Malwarebytes Endpoint Security, not standalone. Also what screenshot are you referring to?

Currently I'm looking at my version which is 0.9.18.806-1.1.242 (See screenshot).

Thanks.

[exile360]

What he meant by standalone is that it is a separate application/executable, not integrated into the primary Malwarebytes product as it is with the consumer version (Malwarebytes Premium for home users includes Anti-Malware, Anti-Exploit and Anti-Ransomware all in a single application/executable/interface) and the screenshot being referred to is the notification in your first post in this thread which shows a notification from the standalone version.  Your new screenshot shows that you are now up to date so hopefully the false positive detection should now be resolved, but please let us know if it is not.

Thanks

Edited September 21, 2019 by exile360

[tetonbob]

On 9/10/2019 at 10:18 PM, REGITDept said:

Dear Malwarebytes,

When manually upgrading from Win 10 Pro Build 1809 to Build 1903 we got this false positive. Please see screenshot.

Thanks.

Hi @REGITDept - I was referring to this screenshot. I believe we are speaking about the same product, though perhaps in different ways.

@exile360 - thanks for the assist. Exactly so.

[REGITDept]

On 9/21/2019 at 7:02 AM, tetonbob said:

Hi @REGITDept - I was referring to this screenshot. I believe we are speaking about the same product, though perhaps in different ways.

@exile360 - thanks for the assist. Exactly so.

Hi tetonbob,

Thanks for the clarification.

I confirmed that the issue is resolved with the new version.

Thanks for all the help.

[tetonbob]

Great, thanks for confirming for us, @REGITDept. I'm glad to hear that the FP issue is resolved for you as we expected.