frozen

MBAM 4.1. flagging Firefox 74.0.1


Like all the previous times before, if Ransomware in MBAM is enabled and I start FF up with the profile stored on C:\, which has all the files from the problem profile, Firefox is not quarantined/affected by MBAM.


Sigh, this is getting old very quickly. Another Firefox update.

This time I started Firefox with a profile whose extensions are identical to the other profile I normally use. I updated from 77.0.1 to 78.0.1, restarted Firefox and everything seemed fine. Firefox was not squashed by Malwarebytes. Closed Firefox. Started it back up, this time with my normal profile that is stored on another partition. Whamo, Firefox was blocked from running. It was not quarantined but simply blocked. The shortcut on the desktop would not work, saying that I did not have sufficient rights. I closed MBAM and Firefox ran fine.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 7/1/20
Protection Event Time: 1:54 PM
Log File: 39a305ae-bbcc-11ea-97fb-90e6ba57cdd5.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.955
Update Package Version: 1.0.26253
License: Premium

-System Information-
OS: Windows 10 (Build 18362.900)
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 0
(No malicious items detected)


(end)

5 minutes ago, frozen said:

normal profile that is stored on another partition.

That could be the issue.

I remember reading in passing about your previous issues.


It sure looks like there is an issue with the MBAM Ransomware module, since disabling it does not cause this behavior with the profile on the other partition.

Even after updating MBAM, with Ransomware enabled and using the profile on another partition, Firefox got shut down.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 7/1/20
Protection Event Time: 2:17 PM
Log File: 8cac3786-bbcf-11ea-81a1-90e6ba57cdd5.json

-Software Information-
Version: 4.1.2.73
Components Version: 1.0.972
Update Package Version: 1.0.26255
License: Premium

-System Information-
OS: Windows 10 (Build 18362.900)
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 0
(No malicious items detected)


(end)

 


Same again with the automatic update from Firefox 77.0.1 to 78.0.1.

MBAM 4.1.2.73

Update package Version 1.0.26255

Component package Version 1.0.972

 

Flags up the following Message & then Firefox will not start !!!

Malware.Ransom.Agent.Generic, C:\Program Files\Mozilla Firefox\firefox.exe, Blocked

 

 

If I disable the 'Ransomware Protection' I can install Firefox 78.0.1 from the Mozilla site and it installs and runs OK.

I can then re-enable 'Ransomware Protection' with no ill effects !!!

Log file attached.

FireFoxRansomware.zip

17 minutes ago, PhoneNumberZero said:

Same again with the automatic update from Firefox 77.0.1 to 78.0.1.

MBAM 4.1.2.73

Update package Version 1.0.26255

Component package Version 1.0.972

 

Flags up the following Message & then Firefox will not start !!!

Malware.Ransom.Agent.Generic, C:\Program Files\Mozilla Firefox\firefox.exe, Blocked

 

 

If I disable the 'Ransomware Protection' I can install Firefox 78.0.1 from the Mozilla site and it installs and runs OK.

I can then re-enable 'Ransomware Protection' with no ill effects !!!

Log file attached.

FireFoxRansomware.zip 1.86 kB · 0 downloads

Please explain in more detail how you have your setup for Firefox and your computer. I have updated several computers and have not seen this issue. The user Frozen appears to be the only one I've seen reporting this, so I'm curious if both of you are doing something the same that is different from most users and what might be causing it.

 


Windows 7 Sp3

Firefox 78.0 which is set to prompt me if an update is available (i.e. NO automatic updates !!!)

MBAM 4.1 with Lifetime License.

 

Firefox prompted that an update was available and I clicked the button on the 'About Firefox' popup window to upgrade.

MBAM kicked in when the update had been completed in the background.

Firefox.lnk or the Firefox.exe would not run !!!

Disabling 'Ransomware Protection' I downloaded the latest Firefox update from Mozilla and applied the install.

All ran as it should, I then re-enabled the 'Ransomware Protection' on MBAM.

All works OK with no messages from MBAM !!!


@frozen To confirm, is the issue still not exhibited with the latest standalone Malwarebytes Anti-Ransomware?
https://forums.malwarebytes.com/topic/258918-latest-version-of-mbarw-beta-v091956-11349-released-11-june-2020/

You mentioned the issue is not exhibited when using a different profile. Can you try a new/default profile located on a different drive so we can rule out whether the contents of your profile have any impact?

-----

@PhoneNumberZero Is your Firefox profile also located on a different drive than the one Firefox is installed to?

Could you also try the Malwarebytes Anti-Ransomware standalone linked above and see if the issue is still exhibited?


Hey Folks, anyone found a solution to this?

I too am having this issue, using Win7 SP1.

I have to disable ransomware protection in order to run FF. My FF profile is on the C drive, not a separate partition. This is happening before and after I just updated the MBAM client today, which I believe includes the new ransomware module update.

If I re-enable it while FF is open, eventually MBAM will kill the process and delete firefox.exe.  Nothing will be quarantined. Pretty much exactly what the OP was experiencing.

MBAM 4.1.2.73

Update package Version 1.0.26631

Component package Version 1.0.976


Greetings,

Unfortunately this post seems to indicate that the issue is only fixed in the latest Malwarebytes Anti-Ransomware Beta standalone build and this issue is not mentioned in the release notes for the latest beta of Malwarebytes Premium.

I would guess that the fix will likely be integrated into the next release of Malwarebytes after the current beta, assuming the fix proves effective in the standalone Malwarebytes Anti-Ransomware Beta.


So the Anti Ransomware is a separate thing from Malwarebytes Premium, but Premium does include Anti Ransomware?

Not well versed in what's what with Malwarebytes.  I didn't see anyone acknowledge that it was fixed in the Anti Ransomware Beta either.

 

8 minutes ago, smokeejoe said:

So the Anti Ransomware is a separate thing from Malwarebytes Premium

Yes, the anti-ransomware beta is.

8 minutes ago, smokeejoe said:

but Premium does include Anti Ransomware?

And yes. The beta is where things are tested/fixed before being integrated with Malwarebytes Premium.

Edited by Porthos


My apologies, I've been on this forum a long time and sometimes forget that not everyone is aware of Malwarebytes' entire product portfolio.

Malwarebytes Anti-Ransomware started out as a standalone product and was later integrated into Malwarebytes Premium; however, any changes such as new features and bugfixes for the Anti-Ransomware component are still developed and tested separately in the standalone beta prior to being integrated into Malwarebytes Premium.

Edited by exile360


Hello,
I worked at the computer on the night of July 9-10.
I turned on Firefox and the same thing happened. I was able to check that Firefox had updated to version 78.0.2.
Maybe it has something to do with something it contains, e.g. something related to security.
Here is its description:
https://www.mozilla.org/en-US/firefox/78.0.2/releasenotes/

Just like the @frozen user, I have a profile on drive D:. However, I have had Firefox and Malwarebytes Premium installed for a long time (like @frozen, in version 4.1.0.56), I haven't changed anything in add-ons in Firefox for a long time, and yet this problem had not appeared until now (@frozen's problem appeared already in April).

Below is a report from Malwarebytes:

Quote

Malwarebytes
www.malwarebytes.com

-Szczegóły raportu-
Data zdarzenia ochrony: 10.07.2020
Czas zdarzenia ochrony: 03:04
Plik raportu: 50118832-c249-11ea-a9b5-00ff653bb1c8.json

-Informacje o oprogramowaniu-
Wersja: 4.1.0.56
Wersja komponentów: 1.0.955
Aktualna wersja pakietu: 1.0.26629
Licencja: Premium

-Informacje o systemie-
System operacyjny: Windows 8.1
Procesor: x64
System plików: NTFS
Użytkownik: System

-Szczegóły oprogramowania ransomware-
Plik: 1
Malware.Ransom.Agent.Generic, C:\Program Files\Mozilla Firefox\firefox.exe, Zablokowano, 0, 392685, 0.0.0


(end)

I read posts written by @frozen. Therefore, I'm afraid of the next update from Firefox.


I don't know how to edit or delete my previous post. I wanted to correct it but I can't, so I'm sorry, but below I am sending it again, corrected:

Hello,
I worked at the computer on the night of July 9-10.
I turned on Firefox and the same thing happened. I was able to check that Firefox had updated to version 78.0.2.
Maybe it has something to do with something it contains, e.g. something related to security.
Here is its description:
https://www.mozilla.org/en-US/firefox/78.0.2/releasenotes/

Just like the @frozen user, I have a profile on drive D:. However, I installed Firefox and Malwarebytes Premium (like @frozen, in version 4.1.0.56) a long time ago, I haven't changed anything in add-ons in Firefox for a long time, and this problem had not appeared until now (@frozen's problem appeared already in April).

Below is a report from Malwarebytes:

Quote

Malwarebytes
www.malwarebytes.com

-Szczegóły raportu-
Data zdarzenia ochrony: 10.07.2020
Czas zdarzenia ochrony: 03:04
Plik raportu: 50118832-c249-11ea-a9b5-00ff653bb1c8.json

-Informacje o oprogramowaniu-
Wersja: 4.1.0.56
Wersja komponentów: 1.0.955
Aktualna wersja pakietu: 1.0.26629
Licencja: Premium

-Informacje o systemie-
System operacyjny: Windows 8.1
Procesor: x64
System plików: NTFS
Użytkownik: System

-Szczegóły oprogramowania ransomware-
Plik: 1
Malware.Ransom.Agent.Generic, C:\Program Files\Mozilla Firefox\firefox.exe, Zablokowano, 0, 392685, 0.0.0


(end)

I read posts written by @frozen. Therefore, I'm afraid of the next update from Firefox.


Another Firefox update today. I started Firefox using the profile that is stored on D: rather than the normal C: partition, the update came down via Help | About, I clicked on the restart Firefox after the update was applied, and whamo

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 7/29/20
Protection Event Time: 9:52 AM
Log File: 20da2f3a-d1ab-11ea-bcb0-90e6ba57cdd5.json

-Software Information-
Version: 4.1.2.73
Components Version: 1.0.990
Update Package Version: 1.0.27635
License: Premium

-System Information-
OS: Windows 10 (Build 18362.959)
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 0
(No malicious items detected)


(end)

The popup message said that it had blocked updater.exe. Started Firefox back up, but this time using the profile stored on the C: drive, and Firefox was not blocked and showed that it was properly updated to version 79.0.

I closed down Firefox and started it up with the profile stored on the D: drive and just let Firefox stay open there on the screen. Whamo:

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 7/29/20
Protection Event Time: 10:04 AM
Log File: cf88a218-d1ac-11ea-906f-90e6ba57cdd5.json

-Software Information-
Version: 4.1.2.73
Components Version: 1.0.990
Update Package Version: 1.0.27637
License: Premium

-System Information-
OS: Windows 10 (Build 18362.959)
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 0
(No malicious items detected)


(end)

I bet in a couple of days if I leave Firefox alone or at least not use it with the profile stored on D: that I will be able to start Firefox up and use the D: profile without any issues.

 


Thank you for providing the update.  I've made a note of this info for the QA and Product teams.

If anyone else encounters this issue, please provide diagnostic logs by doing the following:

  1. Download and run the Malwarebytes Support Tool
  2. Accept the EULA and click the Advanced tab on the left (not Start Repair)
  3. Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to your next reply

Thanks

1 hour ago, frozen said:

Another Firefox update today. I started Firefox using the profile that is stored on D: rather than the normal C: partition, the update came down via Help | About, I clicked on the restart Firefox after the update was applied, and whamo

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 7/29/20
Protection Event Time: 9:52 AM
Log File: 20da2f3a-d1ab-11ea-bcb0-90e6ba57cdd5.json

-Software Information-
Version: 4.1.2.73
Components Version: 1.0.990
Update Package Version: 1.0.27635
License: Premium

-System Information-
OS: Windows 10 (Build 18362.959)
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 0
(No malicious items detected)


(end)

The popup message said that it had blocked updater.exe. Started Firefox back up, but this time using the profile stored on the C: drive, and Firefox was not blocked and showed that it was properly updated to version 79.0.

I closed down Firefox and started it up with the profile stored on the D: drive and just let Firefox stay open there on the screen. Whamo:

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 7/29/20
Protection Event Time: 10:04 AM
Log File: cf88a218-d1ac-11ea-906f-90e6ba57cdd5.json

-Software Information-
Version: 4.1.2.73
Components Version: 1.0.990
Update Package Version: 1.0.27637
License: Premium

-System Information-
OS: Windows 10 (Build 18362.959)
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 0
(No malicious items detected)


(end)

I bet in a couple of days if I leave Firefox alone or at least not use it with the profile stored on D: that I will be able to start Firefox up and use the D: profile without any issues.

 

Yep, same issue as @frozen and as I previously posted in this thread.

I only recently was able to re-enable the Ransomware module without it deleting my firefox.exe, but the new FF update has again caused Malwarebytes to flag it as ransomware.


@exile360
 

I have this same issue as of today with the latest Firefox update (my profile is kept on a different drive than C: as well). I've created the zip archive with the support tool but it seems bad advice to suggest people upload this content to the forum. I'm assuming creating a support ticket is the preferable option to this, yes? I'm new here so I don't know if this is routine practice.


I am just glad I am not the only one seeing this behaviour. It was lonely here for the first 3 months ;)


I assume both of you either have Firefox installed onto another drive instead of the C drive, and/or you're loading Profiles that are not on the C drive or default folder structure. Is that true?

 

 

1 hour ago, antelm1978 said:

@exile360
I've created the zip archive with the support tool but it seems bad advice to suggest people upload this content to the forum. I'm assuming creating a support ticket is the preferable option to this, yes? I'm new here so I don't know if this is routine practice.

No, we analyze logs here on the forums as well, and staff members monitor the forums and collect logs here the same as they do on the helpdesk with support tickets.  Only authorized members may download logs posted here, so other regular members will not be able to download the logs you provide.

