
False Positive with Multi-Batch software


REGITDept

Dear Malwarebytes,

There is a false positive between Anti-Ransomware and the software called "Multi-Batch".
It was blocked and quarantined as "Malware.Ransom.Agent.Generic".

The Multi-Batch website is:  multi-batch.com

Please fix this ASAP.

Thanks.

FP.jpg

Edited by AdvancedSetup
removed live hyperlinks

On 4/29/2020 at 5:35 PM, tetonbob said:

@REGITDept thanks for your report. The site you link to is currently showing a 500 error

Please provide:
- the detection log from C:\ProgramData\Malwarebytes\MB3Service\ArwDetections
- the MBAMService.log from C:\ProgramData\Malwarebytes\MB3Service\LOGS
- a copy of the detected file once it's been restored from Quarantine

Thanks.

 

Dear tetonbob,

The ArwDetections is empty (because the Quarantine was restored?).
Attached you will find the LOGS and a copy of the detected file.

Thanks.

logs.zip MBatch.zip


  • Staff

Hi @REGITDept- thanks for the logs and the file. According to the logs, the executable was detected and quarantined as your screenshot shows, but subsequently whitelisted on our end on the same day. Further detections by the ArwSDK as shown in the logs were no longer quarantined. Reference the MBAMService.log.bk5 on 4/14

Are you still seeing detections on this file?

As for the \ArwDetections folder being empty, if you're using the Management Console, the detections jsons are actually handled differently than with the unmanaged ARW standalone. Once the detection jsons are parsed by the Agent on the endpoint and sent to the Console, they are removed from that local directory.

 


1 hour ago, tetonbob said:

Hi @REGITDept- thanks for the logs and the file. According to the logs, the executable was detected and quarantined as your screenshot shows, but subsequently whitelisted on our end on the same day. Further detections by the ArwSDK as shown in the logs were no longer quarantined. Reference the MBAMService.log.bk5 on 4/14

Are you still seeing detections on this file?

As for the \ArwDetections folder being empty, if you're using the Management Console, the detections jsons are actually handled differently than with the unmanaged ARW standalone. Once the detection jsons are parsed by the Agent on the endpoint and sent to the Console, they are removed from that local directory.

 

Did Malwarebytes fix the issue yet?

What I did was I put an exclusion inside the policy.

Let me know so I can remove the exclusion once fixed on Malwarebytes' side.

Thanks.
