
False Positive - userinit.exe


muciqi


2 hours ago, torrey said:

Over the weekend Windows updates were applied to my machine. When I came in this morning my machine was exhibiting the lock-up. The updates from February might be the issue.

Hi @torrey,

Could you clarify what you mean by "lock-up"? So far, we're only aware of an issue with userinit.exe being detected (albeit, not actually quarantined). Are you saying this is also resulting in the machine locking up/freezing?


Sorry, my bad. It looks like we may have two different issues that started around the same time. They both have an anti ransomware detection of Malware.Ransom.Agent.Generic but one is userinit.exe and the other is with explorer.exe. The explorer.exe causes the PC to lock up and seems to be linked to the Windows updates that we have been deploying.

 

Should I start another thread with the explorer.exe detection?


@torrey Thank you for clarifying.

Yes, please start a new topic in this forum section with details on the explorer.exe detection. Please include the following:


We've had the lockup/freeze on 3 machines now. All screens go black with a message displayed from Malwarebytes that ransomware was detected and quarantined. The only way out is to force power the machine off then back on. Looking into the quarantine, we find the reference to userinit.exe. ODDLY ENOUGH, in all cases this has happened when a user went to save an Excel spreadsheet. These spreadsheets were different in each case and the users were from different departments in our company. We are also using McAfee EPS version 10.6.1. Malwarebytes Anti-Malware 0.9.18.806-1.1.278.


Hi all,

We're making good progress towards a fix for this issue, but currently do not have any details to share about a potential release date.
 

21 hours ago, torrey said:

This morning we had a machine lock up with the userinit.exe detection.

Are you able to temporarily uninstall the McAfee product and confirm the detection stops?

 

2 hours ago, EdT said:

ODDLY ENOUGH, in all cases this has happened when a user went to save an Excel spreadsheet.

How often after startup does this occur? Does this occur immediately after startup or after a certain amount of uptime? How soon after startup is Excel launched?


2 minutes ago, LiquidTension said:

Hi all,

We're making good progress towards a fix for this issue, but currently do not have any details to share about a potential release date.
 

Are you able to temporarily uninstall the McAfee product and confirm the detection stops?

 

How often after startup does this occur? Does this occur immediately after startup or after a certain amount of uptime? How soon after startup is Excel launched?

It happens so infrequently and we are unable to reproduce it at will. Out of 300-400 users, it has only happened 3 times (1 time for 3 different people), so uninstalling McAfee won't help us determine anything. If we could trigger it consistently that would be a helpful option to aid in troubleshooting.

Hard to say about timing. This has happened to my users at different times throughout the day. To my knowledge, they had been working for a while, well after a machine startup or OS login. They are also in Excel most of the day. Sorry. I know this is not very helpful info.


Incidentally, I went into the MWB Management Console and edited our default policy, adding this entry to the Ignore List tab, and pushed that policy out to all clients. Don't know if this will prevent the false positive temporarily until this is all figured out, but so far we have not had any other occurrences. Below is what is in the quarantine tab on the client when the event occurs. I found I could not add this on the Anti-Ransomware tab as it only accepts a File/Folder path, not registry entries. The Ignore List tab does accept registry entries, however.

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\USERINIT


Just had another machine have this issue. I discovered something new for those out there with the same issue. Typically the person sees their screen(s) go blank/black and can't do anything but power off the machine and restart. Just for kicks I used Dameware (the remote control agent we use on our helpdesk) to attempt to control the client. As soon as I connected, my user's screen came back and she was able to use her machine again. I opened a few apps to make sure all was OK but got a strange error that the Outlook 2016 shortcut was broken, as if the program didn't exist. I went to the location where Office is installed only to find the Outlook.exe file size was 0k. Not sure what happened, but I had to run an Office repair and reboot to get Outlook back in action. Hope a resolution comes soon.


Hi all,

Thank you for your patience.

We are still looking for additional information to narrow down a fix for this issue as reliably reproducing it has unfortunately proved elusive so far.

What would be helpful are full memory dumps of explorer.exe and winlogon.exe immediately after the detection occurs. These can be obtained as follows:

  • Open Task Manager -> Details.
  • Right-click explorer.exe -> Create dump file.
  • Repeat for winlogon.exe.
  • Zip up and provide the new .dmp files saved to %temp%. The file can be sent to me privately in a private message here on the forum.
  • Include the contents of the programdata\Malwarebytes\MB3Service\ARW directory in the zip file.
  • Include the MBAMService.log file in programdata\Malwarebytes\MB3Service\logs as well.
Edited by LiquidTension
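The collection steps above, scripted as an added example (this is not Malwarebytes' own tooling or anything posted in the thread). It assumes the two dumps have already been written to %temp% via Task Manager, that the script runs elevated so the ProgramData paths are readable, and it also records the current Winlogon Userinit value that the thread reports being flagged, so the bundle carries that context:

```powershell
# Added example: gather the artifacts requested above into one zip for the private message.
# Assumptions: explorer.DMP / winlogon.DMP already exist in %temp% (Task Manager -> Create
# dump file writes them there), and the session is elevated.
$ErrorActionPreference = 'Stop'

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$staging = Join-Path $env:TEMP "mb-arw-collect-$stamp"
$zipPath = Join-Path $env:TEMP "mb-arw-collect-$stamp.zip"
New-Item -ItemType Directory -Path $staging | Out-Null

# 1. The .dmp files Task Manager saved to %temp%; refuse empty ones rather than ship them.
$dumps = Get-ChildItem -Path $env:TEMP -Filter '*.dmp' -File |
         Where-Object { $_.BaseName -match '^(explorer|winlogon)' }
if (-not $dumps) { throw "No explorer/winlogon .dmp files found in $env:TEMP" }
foreach ($d in $dumps) {
    if ($d.Length -eq 0) { throw "$($d.Name) is 0 bytes; re-create the dump" }
    Copy-Item -Path $d.FullName -Destination $staging
}

# 2. The ARW directory and MBAMService.log named in the steps above.
$svc = Join-Path $env:ProgramData 'Malwarebytes\MB3Service'
Copy-Item -Path (Join-Path $svc 'ARW') -Destination (Join-Path $staging 'ARW') -Recurse
Copy-Item -Path (Join-Path $svc 'logs\MBAMService.log') -Destination $staging

# 3. Context for whoever reads the dumps: the Winlogon Userinit value as it stands right now
#    (the registry value the thread reports being detected), plus host and OS details.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
@(
    "Collected : $(Get-Date -Format o)"
    "Computer  : $env:COMPUTERNAME"
    "OS        : $([Environment]::OSVersion.VersionString)"
    "Userinit  : $userinit"
) | Set-Content -Path (Join-Path $staging 'context.txt')

# 4. Zip the staging folder and clean up.
Compress-Archive -Path (Join-Path $staging '*') -DestinationPath $zipPath -CompressionLevel Optimal
Remove-Item -Path $staging -Recurse -Force
Write-Host "Bundle written to $zipPath"
```

Full dumps of explorer.exe can run to gigabytes; Compress-Archive in Windows PowerShell 5.1 cannot write archives larger than 2 GB, so for very large dumps zip the files with another tool instead.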

Hello,

We believe we have a potential fix for the issue, but do not currently have any information on when this will be available to your installed Malwarebytes product.

It will first make its way into the standalone Malwarebytes Anti-Ransomware beta. An announcement will be made in the following forum section when a new version of this is available.


  • 1 month later...

@LiquidTension We are a MalwareBytes Endpoint Protection customer still suffering from this issue.  We have McAfee Endpoint - Removing McAfee stops the "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|USERINIT" registry key from being falsely detected as ransomware.

Has Malwarebytes made any progress on this? 

Even just the ability to make an exclusion for this would be acceptable - more so than totally uninstalling our McAfee product.

 

Thanks


Hi @alexl010,

Thank you for your patience with this issue.

Yes, progress has been made. A fix for this is available to Malwarebytes Anti-Ransomware standalone, Malwarebytes version 4 and Malwarebytes Endpoint Security users. Unfortunately, we aren't yet able to release this fix to Malwarebytes Endpoint Protection and are currently in the process of working towards this. We intend on making this available as soon as possible.

