REGITDept

False Positive: Upgrading from Win 10 Build 1809 to 1903


Dear Malwarebytes,

When manually upgrading from Win 10 Pro Build 1809 to Build 1903 we got this false positive. Please see screenshot.

Thanks.

Screenshot.jpg


Greetings,

Thank you for informing us about this issue.  If possible, could you please restore the file from quarantine and ZIP and attach a copy of it here for analysis by our Research team?

In the meantime I will ping a member of the Research team to bring their attention to this thread.

@miekiemoes could you please take a look at this issue/FP?

Thanks


exile360,

I no longer have the file because I cleared it out before receiving your reply here.

You can easily obtain the file by just upgrading from build 1809 to 1903 using the Upgrade Assistant.

Thanks.


Hello @REGITDept

Thank you for the information, I have passed this to our internal research team.  As we don't have that file readily available, I will need to wait until I hear back from the team.

 

Warm Regards,

12 hours ago, shadowwar said:

This should no longer be detected. Thanks for reporting.

 

Dear Malwarebytes,

As of today 09/18/2019 at 5:57 PM, the issue is still present.

Make sure you guys tested by updating to build 1903 using the Update Assistant and not via Windows Updates.

Thanks.


@REGITDept - thanks for your report. I've personally tried reproducing the issue on a variety of Windows 10 hardware and VMs, using the Update Assistant, and Windows Update. On one machine where I ran the Update Assistant, I did get the FP. On others, I did not.

We're aware of a code issue which is causing this type of false positive and are working on devising a solution. For now, the only workaround is to add an exclusion or temporarily disable the Ransomware Protection while you run the upgrade.

May I ask, did your Windows 10 upgrade fail when you received this FP detection?

7 minutes ago, tetonbob said:

@REGITDept - thanks for your report. I've personally tried reproducing the issue on a variety of Windows 10 hardware and VMs, using the Update Assistant, and Windows Update. On one machine where I ran the Update Assistant, I did get the FP. On others, I did not.

We're aware of a code issue which is causing this type of false positive and are working on devising a solution. For now, the only workaround is to add an exclusion or temporarily disable the Ransomware Protection while you run the upgrade.

May I ask, did your Windows 10 upgrade fail when you received this FP detection?

Dear tetonbob,

In our environment, the FP is 100% of the time on all of our machines.

The installation failed 100% of the time.

Our workaround is to temporarily disable the protection before running the update.

Waiting for your status update.

Thanks.


Thanks for the detail. We'll post here when we have a new status update, but this will likely be some days yet. For now, please do continue to use the workaround in your shop. Once the upgrade is complete, you should be able to re-enable the Ransomware Protection.

One of the things I observed was, the upgrade continued on its own some 15-20 minutes after the FP detection, and apparently grabbed a new copy of SetupHost.exe to carry on. It will be a while yet before I can tell if that upgrade succeeds or ultimately fails.

Well, that took less time than I expected. After one of the Upgrade reboots, SetupHost.exe was quarantined again, and the Upgrade did fail.

Our apologies for the inconvenience this has caused, and thanks again for bringing it to our attention.

 

Edited by tetonbob


Hello REGITDept,

Yesterday evening we released a fix for this issue on our standalone product. Please let us know if it resolves your issue or if you are still experiencing it. Once again, apologies for the inconvenience.

 

30 minutes ago, Dheeraj said:

Hello REGITDept,

Yesterday evening we released a fix for this issue on our standalone product. Please let us know if it resolves your issue or if you are still experiencing it. Once again, apologies for the inconvenience.

 

Dear Dheeraj,

We are using Malwarebytes Endpoint Security. Not standalone.

Thanks.


Hi @REGITDept - the screenshot provided in your initial post comes from our standalone Malwarebytes Anti-Ransomware.

Malwarebytes Endpoint Security includes separate Malwarebytes products, Anti-Malware, Anti-Exploit, and Anti-Ransomware.

Your Malwarebytes Anti-Ransomware clients should be a version number 0.9.18.806. Prior to the component update package we released last night, it should have been a -1.1.238 and after the latest update, it should be -1.1.242

0.9.18.806-1.1.242 should no longer throw this False Positive detection.

 

1.1_242.PNG.02d998dc09e3d5126d4299beec85b2c0.PNG

Edited by tetonbob

1 hour ago, tetonbob said:

Hi @REGITDept - the screenshot provided in your initial post comes from our standalone Malwarebytes Anti-Ransomware.

Malwarebytes Endpoint Security includes separate Malwarebytes products, Anti-Malware, Anti-Exploit, and Anti-Ransomware.

Your Malwarebytes Anti-Ransomware clients should be a version number 0.9.18.806. Prior to the component update package we released last night, it should have been a -1.1.238 and after the latest update, it should be -1.1.242

0.9.18.806-1.1.242 should no longer throw this False Positive detection.

 

1.1_242.PNG.02d998dc09e3d5126d4299beec85b2c0.PNG

Hi tetonbob,

Our Malwarebytes Anti-Ransomware came from the Malwarebytes Endpoint Security, not standalone. Also what screenshot are you referring to?

Currently I'm looking at my version which is 0.9.18.806-1.1.242 (See screenshot).

Thanks.

MBAR version.jpg


What he meant by standalone is that it is a separate application/executable, not integrated into the primary Malwarebytes product as it is with the consumer version (Malwarebytes Premium for home users includes Anti-Malware, Anti-Exploit and Anti-Ransomware all in a single application/executable/interface) and the screenshot being referred to is the notification in your first post in this thread which shows a notification from the standalone version.  Your new screenshot shows that you are now up to date so hopefully the false positive detection should now be resolved, but please let us know if it is not.

Thanks

Edited by exile360

On 9/10/2019 at 10:18 PM, REGITDept said:

Dear Malwarebytes,

When manually upgrading from Win 10 Pro Build 1809 to Build 1903 we got this false positive. Please see screenshot.

Thanks.

Screenshot.jpg

Hi @REGITDept - I was referring to this screenshot. I believe we are speaking about the same product, though perhaps in different ways.

@exile360 - thanks for the assist. :) Exactly so.

On 9/21/2019 at 7:02 AM, tetonbob said:

Hi @REGITDept - I was referring to this screenshot. I believe we are speaking about the same product, though perhaps in different ways.

@exile360 - thanks for the assist. :) Exactly so.

Hi tetonbob,

Thanks for the clarification.

I confirmed that the issue is resolved with the new version.

Thanks for all the help.
