
MBAM 4.1. flagging Firefox 74.0.1



I am using FF 75.0 on my four computers here with NoScript, uBlock and Privacy Badger; no problems with the update and MBAM 4.1.0.56.

So I doubt these extensions have something to do with it, but maybe there are other extensions installed on his system.

Me too, I am curious what could be the cause of this.

Link to post
Share on other sites

  • Root Admin

There are millions of Firefox users and millions of Malwarebytes users. Obviously most users are not having this issue. Removing and reinstalling Firefox fixed it, so at this time it would seem to indicate "something" was wrong in Firefox. We'll have to wait and see if this fixed it long term for him or not.

 

Link to post
Share on other sites

  • 4 weeks later...

One thing with my regular Firefox profile is that it is not stored where Firefox normally stores the profile files aka C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\. Instead the profile is being stored on a different hard drive partition aka D: in a different folder altogether. If I start Firefox up with a pristine profile that is stored in the normal location then MBAM does not flag Firefox as malicious.

 

Link to post
Share on other sites

Ok in order to see if I can narrow down what is causing this I did the following:

1) zipped up the profile folder for the pristine profile on C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\ that did not cause MBAM to quarantine Firefox.

2) renamed the pristine folder to a different name

3) copied my normal profile folder from D: to C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\

4) renamed the profile folder so that it had the same name as the pristine folder originally had

5) started Firefox up and selected the "pristine" profile which in fact was the same profile that was causing issues with MBAM

6) Firefox started up fine and MBAM did not flag it. It appears that when Firefox is using a profile that is not being stored in C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\ and then you update Firefox to a new version via the About | Firefox click on download Update etc, then MBAM for some reason is flagging Firefox.exe as Generic Ransomware.

Link to post
Share on other sites

Hi @frozen,

Thanks for the information. This is what we tried:

  • Installed an older version of Firefox.
  • Created a new profile located on a different drive. Set the new profile to default.
  • With Anti-Ransomware enabled, Menu -> Help -> About Firefox -> Restart to update.


Unfortunately, no detection was exhibited after multiple attempts.

What happens if you use a brand new/default profile located on your different drive? Is the issue still exhibited?

Would you be able to provide us with the Process Monitor log mentioned here? https://forums.malwarebytes.com/topic/258157-mbam-41-flagging-firefox-7401/?do=findComment&comment=1371873

Link to post
Share on other sites

Before generating the Process Monitor log, could you check if the issue is still exhibited with our latest version of Malwarebytes Anti-Ransomware standalone? This contains a newer version of the Anti-Ransomware component compared with your installed Malwarebytes product.

Details can be found here:
https://forums.malwarebytes.com/topic/258918-latest-version-of-mbarw-beta-v091956-build-330-released-23-april-2020/

Before installing, you will need to temporarily uninstall your existing Malwarebytes product.

Please let us know if you still experience the issue with Malwarebytes Anti-Ransomware standalone.

Link to post
Share on other sites

One thing had happened the other day when I was copying my profile folder from the non conventional location to the normal directory. I got the following error message. I simply clicked on skip and allowed the copying process to continue. Firefox ran properly on c: in its default location. MBAM did not flag it. I am wondering if MBAM is flagging something in this Journals directory on my D: partition. Problem is that there are a fair number of subdirectories off the Journals directory.

2020-05-11_090028.gif

Link to post
Share on other sites

I got MBAM beta protection enabled. Started Firefox 76.0.1 up this time using the problem profile which is on the D: partition that MBAM release version had issues flagging as generic Ransomware. MBAM beta did NOT flag or quarantine Firefox.

Link to post
Share on other sites

On 5/9/2020 at 11:33 AM, frozen said:

Another Firefox update, this one from 76.0 to 76.0.1, and MBAM is preventing Firefox from running at all. It is consistently quarantining it.

Reviewing the support tool report you had run on the 9th, Malwarebytes Quarantine was totally empty. Firefox was not quarantined.

What there had been was that there were 2 anti-ransomware detections, flagging Firefox as a "Malware.Ransom.Agent.Generic"

Those seem to me to have been some sort of false positives.

.

I would suggest you consider the following.

Uninstall the beta Anti-ransomware (mbarw) through the normal Windows Uninstall method.

Next, RESTART Windows.

Do a new setup of Malwarebytes for Windows: https://support.malwarebytes.com/hc/en-us/articles/360038479134-Download-and-install-Malwarebytes-for-Windows-v4

Activate your Premium license: https://support.malwarebytes.com/hc/en-us/articles/360038479154-Activate-Premium-subscription-in-Malwarebytes-for-Windows-v4

Next, do an Update run in Malwarebytes for Windows.

Start it. Click the Settings icon. Look on the General tab. Click on the button "Check for Updates"

.

P.S. The message box from 4 posts back (up on this thread) was Windows indicating that the path (destination path) was too long.

That was not a Malwarebytes thing. (Forgive the trivia.)

Link to post
Share on other sites

The reason I mentioned the Journals problem was that was the only folder that existed at the non conventional location and due to the path too long did not exist at the conventional location when I retested Firefox. Was wondering if something in Journals folder was what was causing MBAM to flag Firefox on updates. 

Link to post
Share on other sites
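
Added example, not part of any post in this thread: one way to list what exists in the profile on D: but is missing from the copy on C:, and which of those entries would not fit within the classic 260-character Windows path limit at the destination. The folder name `abcd1234.default` and the sample tree are constructed for illustration.

```python
import tempfile
from pathlib import Path, PureWindowsPath

MAX_PATH = 260  # classic Win32 path limit, counting the terminating NUL
# Assumed destination; the folder name abcd1234.default is a constructed placeholder.
DEST = r"C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default"

def relative_entries(root):
    """Every file and directory under root, as paths relative to root."""
    root = Path(root)
    return {p.relative_to(root).as_posix() for p in root.rglob("*")}

def compare_profiles(source, copy, copy_windows_path=DEST):
    """Return (relative_path, too_long) for entries in source missing from copy.

    too_long is True when the entry's full path under copy_windows_path
    would not fit in MAX_PATH, the condition behind a "path too long" skip.
    """
    missing = sorted(relative_entries(source) - relative_entries(copy))
    report = []
    for rel in missing:
        dest = str(PureWindowsPath(copy_windows_path, *rel.split("/")))
        report.append((rel, len(dest) + 1 > MAX_PATH))
    return report

def build_demo(tmp):
    """Constructed sample: a source profile with a deep Journals tree, and a copy without it."""
    source, copy = Path(tmp, "source"), Path(tmp, "copy")
    deep = source / "Journals" / ("a" * 60) / ("b" * 60) / ("c" * 60)
    deep.mkdir(parents=True)
    (deep / "entry.txt").write_text("constructed sample")
    copy.mkdir()
    for tree in (source, copy):
        (tree / "prefs.js").write_text("// constructed sample")
    return source, copy

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = build_demo(tmp)
        for rel, too_long in compare_profiles(src, dst):
            print("TOO LONG" if too_long else "missing ", rel)
```

On a real system, call `compare_profiles` with the two profile folders and the destination path; the output only shows how the two trees differ and says nothing about what the anti-ransomware component reacts to.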

Hi @frozen,

Thank you for the feedback.

The standalone Anti-Ransomware is currently ahead of the Ransomware Protection in Malwarebytes. We will be updating Ransomware Protection in an upcoming update, so you'll be able to benefit from the fix for this in Malwarebytes once that update is released.

In the meantime, you can either stick with the standalone Anti-Ransomware or go back to Malwarebytes and temporarily disable Ransomware Protection.

Link to post
Share on other sites

Another Firefox update and another MBAM killing off Firefox. This time I even downloaded the Firefox 77 installer, installed Firefox, rebooted. When I started Firefox up I selected the default profile which is located on c:\ in the normal location. No problem. I closed Firefox down and started it back up again but this time I selected my normal profile which is stored on D:\ drive in a different directory. Firefox loads, displays the new tab page and then blam is terminated and MBAM said it quarantined Firefox. Yet when I check the Quarantine there is nothing there.

Detection history simply shows RTP detection on all three occasions when I attempted to run Firefox. First via the normal auto update and twice during a download and run the installer from Mozilla.

When I try to click on the shortcut on my desktop for Firefox I get the attached error message. When I go to C:\Program Files\Mozilla Firefox there is a 502KB Firefox.exe.

What the heck is going on here? I am getting fed up with this; every time Firefox gets updated I have to deal with this.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 6/2/20
Protection Event Time: 11:29 AM
Log File: 36944fb6-a4ee-11ea-8d34-90e6ba57cdd5.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.931
Update Package Version: 1.0.24906
License: Premium

-System Information-
OS: Windows 10 (Build 18362.836)
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 0
(No malicious items detected)


(end)

Annotation 2020-06-02 113740.jpg

Link to post
Share on other sites

Further update. When I closed down MBAM I was able to run Firefox and the affected profile fine. So I had Firefox create a new test profile which by default is C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\randomGUIDdirectoryname. Then deleted all the files and folders in that randomGUIDdirectoryname folder and copied the contents from my Profile causing the issues from its folder on d:\ drive. I started MBAM up. I then started up Firefox and selected this new test profile and Firefox 77.0 ran fine. MBAM did NOT terminate it with malice.

It seems that I can no longer store my profile over on D:\ drive if I want to use MBAM.

Link to post
Share on other sites

As you found earlier, the issue was not exhibited with the standalone Anti-Ransomware beta. Is this still the case?

Please see my previous post.

Quote

The standalone Anti-Ransomware is currently ahead of the Ransomware Protection in Malwarebytes. We will be updating Ransomware Protection in an upcoming update, so you'll be able to benefit from the fix for this in Malwarebytes once that update is released.

In the meantime, you can either stick with the standalone Anti-Ransomware or go back to Malwarebytes and temporarily disable Ransomware Protection.

 

Link to post
Share on other sites

Before the update to Firefox version 77 aka 76.0.1 I had uninstalled MBAM and installed Anti-Ransomware. Quite frankly I cannot remember whether during the time that I had Anti-Ransomware installed whether in fact FF actually had an update to it. Looking back at my prior posts here, I was able to run 76.0.1 profile on drive D:\ without issues with Anti-Ransomware. Then after running Anti-Ransomware for a while I went back to MBAM.

When I ran the update from within Firefox 76.0.1 yesterday I was using the profile on D:\ and MBAM fully updated. MBAM did not flag FF 76.0.1 when FF started up and loaded. I was able to go to Help | About Firefox and click on update to version 77. Only after FF was updated and I restarted FF did MBAM start misbehaving and isolating FF exe. In the past when MBAM flagged FF as ransomware it quarantined it and I saw the firefox.exe in MBAM quarantine. Yesterday I saw no such behavior i.e. Firefox.exe did not show up in Quarantine. Firefox.exe was still showing up in its normal directory in Windows Explorer but I could not run it with MBAM running. When MBAM was shut down Firefox ran fine via the same shortcut.

Thing is Ransomware in MBAM was never disabled. If there is something in the profile then why is MBAM not flagging Firefox when I use the profile located on C:\ that has the files and subdirectories that are on the profile that is causing the issue on d:\ ?

I am about to throw up my hands here.

I never disabled Ransomware protection in MBAM. Just now I started Firefox 77 here this time using D:\ profile and MBAM did not quarantine it / isolate it like it was doing yesterday. I was able to go to websites etc. What the heck is going on here? Something is causing MBAM to flag Firefox but only when it updates. These updates to FF are always done via the D:\ profile and always done using Help | About process. Is there an issue with MBAM when running FF using a profile in a non standard profile location and doing an update to FF which after a couple of days fixes itself? Is it flagging some temp files used during the updating process using this particular D:\ profile configuration? I have no idea.

 

Link to post
Share on other sites

It is indeed Ransomware protection in MBAM that is causing this. I saw a new story that Firefox released 77.0.1 today so I checked via Help | About and Firefox downloaded the update and required me to restart. Up until this time Ransomware in MBAM was enabled, yes enabled. Before I clicked on the button on the FF update screen to restart the browser I turned off Ransomware protection in MBAM and then allowed FF to restart. FF started up and ran fine. I closed down FF, went to MBAM and enabled Ransomware protection. MBAM said it had quarantined firefox.exe yet when I went to MBAM quarantined screen it showed no items in quarantine. I disabled Ransomware in MBAM and was able to start FF up without any issues.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 6/3/20
Protection Event Time: 7:23 PM
Log File: 9cb6fddc-a5f9-11ea-aa51-90e6ba57cdd5.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.931
Update Package Version: 1.0.24970
License: Premium

-System Information-
OS: Windows 10 (Build 18362.836)
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 0
(No malicious items detected)


(end)

Link to post
Share on other sites

Why do my notifications in MBAM say Thursday? It is still Wednesday here in Canada and this event at 7:23PM is me updating to Firefox 77.0.1. Also why is it saying it quarantined the threat when in fact there is nothing in quarantine in MBAM?

image.png.50e5e78c82154fe1c24bc41a43b21daf.png

 

image.png.d551c3de8966a715babeb58406a30b43.png

 

Link to post
Share on other sites
