morgan26

copied executable from C:\Windows requires long scan?


Hi, I'm a software engineer who recently updated my version of Malwarebytes AntiRansomware (Component Update Package: 1.1.258) and started noticing a weird behavior: as part of testing if a Windows directory is executable, I copy over an executable from C:\Windows and run it there, then delete it. This process is repeated every time my program is started (multiple times a day).

I found out that Malwarebytes seems to hold onto the .exe (I imagine to scan it?) much longer than previously: between 5 and 20 minutes, to a point that it makes my software crash. I was wondering if there was a way to get Malwarebytes to always trust what is happening in that specific folder, disregarding .exe files being copy pasted. Since I always use the same .exe, I wouldn't mind having a hardset rule that clears it if such a thing exists.

Thanks for any help you may be able to provide!

Morgan

 


***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

 

If you are having technical issues with our Windows product, please do the following: 


If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

  1. Download Malwarebytes Support Tool
  2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
  3. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  4. Place a checkmark next to Accept License Agreement and click Next
  5. You will be presented with a page stating, "Get Started!"
  6. Click the Advanced tab on the left column

  7. Click the Gather Logs button

  8. A progress bar will appear and the program will proceed with getting logs from your computer

  9. Upon completion, a file named mbst-grab-results.zip will be found on your Desktop. Click OK

  10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:


Click "Reveal Hidden Contents" below for details on how to attach a file:
 


To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

 

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

 


Greetings,

It sounds like Ransomware Protection is analyzing the behavior and that's likely what is causing the issues. Ransomware Protection is more reactive than proactive in that it analyzes the behavior of processes and threads in memory after they are already running to look for possible ransomware behavior (such as deleting backups, attempting to encrypt files, etc.). However, you should be able to exclude the process that it is getting stuck analyzing, and that should prevent the issue in the future as long as the file itself has the same name and path/location. To exclude it, follow the instructions under the Allow a file or folder section of this support article and select the option to exclude the item from detection as ransomware.

Please let us know how it goes and if the issue is resolved or not.

Thanks


Hi, thanks for the info, I really appreciate it!

Unfortunately, now that I'm digging into it a bit further, I just found out that I wasn't talking about the right product: we're actually using Malwarebytes Anti-Ransomware. Would you happen to have additional feedback on how to exclude a specific file for that one?

Morgan

4 minutes ago, morgan26 said:

Malwarebytes Anti-Ransomware

Are you using the anti-ransomware beta or the old business version?


Anti ransomware Version is 0.9.18.806

Managed client version: 1.9.0.3671

Anti malware version: 1.80.2.1012

Anti exploit version: 1.13.2.127

 


Hi @morgan26,

You can't exclude a specific .exe, regardless of directory, if that's what you're asking. You can, however, exclude a file within a specific directory or the directory itself. To do that, you'd simply edit the relevant policy, adding the directory or file path to the ignore list on the Anti-Ransomware tab. Alternatively, you could right-click > Stop Protection on the Anti-Ransomware icon in the task tray, then re-enable once testing is complete. Let me know if you have any questions, or if I can be of any further assistance!


Hi!

I figured out what the issue was: even though I was whitelisting a whole directory and expecting .exe in there to be left alone, I didn't do it properly: I think that's because that directory was in a user's AppData folder and I had tried to use a regex to match it (something like C:/Users/*/AppData/...). I've moved the .exe to a folder that doesn't require a regex and now things are looking much better, my program isn't freaking out anymore.

Thanks for the help!


@morgan26,

That makes sense, as wildcards are not supported in the Anti-Ransomware exclusions. Glad you were able to get it working, and you're very welcome!
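
The failure described in this thread, as an added example (not from the original posts and not Malwarebytes code): a check that flags exclusion entries containing `*` or `?`, which Windows never allows in a real file name, and reports which files no literal entry covers. All paths are constructed, and the case-insensitive, component-by-component literal match is an assumption about how an exclusion list without wildcard support behaves.

```python
from pathlib import PureWindowsPath

# '*' and '?' are reserved in Windows file names, so an entry that contains
# one can only have been meant as a pattern, never as a literal path.
PATTERN_CHARS = frozenset("*?")


def is_pattern(entry):
    """True if the exclusion entry relies on wildcard matching."""
    return any(ch in PATTERN_CHARS for ch in entry)


def _components(path):
    # PureWindowsPath accepts both '/' and '\' and works on any OS.
    return tuple(part.lower() for part in PureWindowsPath(path).parts)


def covered_by(entry, target):
    """Literal match (assumed model): entry is the file or a parent folder."""
    e, t = _components(entry), _components(target)
    return len(e) <= len(t) and t[:len(e)] == e


def audit(entries, targets):
    """Return (entries that are patterns, targets no literal entry covers)."""
    patterns = [e for e in entries if is_pattern(e)]
    literal = [e for e in entries if not is_pattern(e)]
    uncovered = [t for t in targets
                 if not any(covered_by(e, t) for e in literal)]
    return patterns, uncovered


# Constructed sample data: one per-user pattern, one fixed literal folder.
ENTRIES = ["C:/Users/*/AppData/Local/ExecTest", r"C:\ProgramData\ExecTest"]
TARGETS = [r"C:\Users\alice\AppData\Local\ExecTest\probe.exe",
           r"c:\programdata\exectest\probe.exe"]

if __name__ == "__main__":
    patterns, uncovered = audit(ENTRIES, TARGETS)
    for e in patterns:
        print("pattern entry, will not match literally:", e)
    for t in uncovered:
        print("not covered by any literal entry:", t)
```
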
