Help, False positive Office Word even after exclusion (last update)


Hello,

I have recently updated Anti Ransomware BETA to build 0.9.19.56-1.1.330 from my previous build, 0.9.18.807-1.1.278. I absolutely regret doing so, and please help me.

 

I have Windows 7, 64bit, an old version of Malwarebytes Anti-Malware (that I do not update nor use) and Microsoft Office 2013 with my language. I am working in Word documents, and they are set to be automatically saved every 1 minute (can not change this).

While working in my office documents, when clicking Save the whole process freezes, disappears, and then I get a notification next to the clock that Anti-Ransomware stopped a ransomware (the process Winword.exe). By the way, there is no file in the Quarantine section of the application.

 

I set an exclusion in the program for the folder (mine is in Program Files \ Microsoft Office \ Office15), restarted my PC, repaired the Office installation, started again to work ... in a few hours, same problem. I set another exclusion for the actual word executable, winword.exe (found at the above link) and also an exclusion for the current folder where my Word files are. To no avail!

The program continuously deletes Word (winword.exe) located in the Microsoft Office folder in Program Files even after 3 different exclusions (culprit file, culprit folder and working folder) are set in place.

 

I had no such issues with the previous version of Anti Ransomware.

 

Help.


Hello @LucianV - we will need some information from your computer to help assess the issue.

Please copy to your desktop, zip and attach in reply the following:
C:\ProgramData\Malwarebytes\MB3Service\ARW
C:\ProgramData\Malwarebytes\MB3Service\ArwDetections
C:\ProgramData\Malwarebytes\MB3Service\Logs

Additionally, please run the following tool:

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Hi @LucianV,

Thank you for providing that file. We have a defect filed and will be investigating further.

Can you confirm that the two exclusions for C:\Program Files\Microsoft Office\Office15\WINWORD.EXE and C:\Program Files\Microsoft Office\Office15 were in place before the most recent winword.exe detection on 2020-05-05 18:21:38?

Could you zip up and provide us with C:\ProgramData\Malwarebytes\MB3Service\config as well please?


Thank you very much for your assistance.

After the first winword detection I added the C:\Program Files\Microsoft Office\Office15 exclusion. After the second detection I also added the working folder and the actual culprit file, C:\Program Files\Microsoft Office\Office15\WINWORD.EXE . So I confirm that the two exclusions mentioned above were in place BEFORE the most recent detection.

Also I would like to add that in the notification box I got the message that the file at C:\Program Files\Micros~2\Office15\Winword.exe was detected as ransomware (I don't remember now what ~NUMBER it was, but it was definitely a short name like Micros~2 instead of Microsoft Office). When I checked the path manually in an Explorer window, it automatically resolved to the said folder. Other Microsoft folders are Microsoft Analysis Services, Microsoft Games, Microsoft Silverlight, Microsoft SQL Server and Microsoft.NET. Right now when I did a dir /x in Program Files, I see that the Microsoft Office is Micros~2. But I'm unsure if it was Micros~2 in the notification box.

 

Attached below is the config folder, as per your request. Please advise.

config.rar
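
The post above notes that the notification showed an 8.3 short name (Micros~2) while the exclusions were entered with the long folder name. As an added example, not part of the original thread and not Malwarebytes code, this PowerShell sketch resolves both forms to the long path through the Win32 `GetLongPathName` API and checks whether a reported path falls under an exclusion entry. It only shows that the two spellings name the same file; it says nothing about how Anti-Ransomware itself matches exclusions. The function names `Resolve-LongPath` and `Test-PathExcluded` are hypothetical.

```powershell
# Added example. Function names are hypothetical; the sample paths are the
# ones quoted in this thread.
Add-Type -Namespace Win32 -Name PathApi -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetLongPathName(string shortPath,
    System.Text.StringBuilder longPath, uint bufferLength);
'@

function Resolve-LongPath {
    param([Parameter(Mandatory = $true)][string]$Path)
    $buffer = New-Object System.Text.StringBuilder 1024
    $len = [Win32.PathApi]::GetLongPathName($Path, $buffer, [uint32]$buffer.Capacity)
    if ($len -eq 0 -or $len -gt $buffer.Capacity) {
        # Path missing or unreadable on this machine: compare the text as given.
        return $Path.TrimEnd('\')
    }
    return $buffer.ToString().TrimEnd('\')
}

function Test-PathExcluded {
    param([string]$DetectedPath, [string[]]$Exclusions)
    $detected = Resolve-LongPath $DetectedPath
    foreach ($entry in $Exclusions) {
        $rule = Resolve-LongPath $entry
        # Match the excluded file itself, or any file below an excluded folder.
        if ($detected -ieq $rule -or
            $detected.StartsWith($rule + '\', [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$exclusions = @(
    'C:\Program Files\Microsoft Office\Office15\WINWORD.EXE',
    'C:\Program Files\Microsoft Office\Office15'
)
# Short-name form as quoted from the notification; the ~N suffix is per machine.
$detected = 'C:\Program Files\Micros~2\Office15\Winword.exe'

# A plain string comparison misses the short-name spelling.
"Literal string match     : {0}" -f ($exclusions -contains $detected)
# After resolving both sides, the same file matches its exclusion entry.
"After long-path resolving: {0}" -f (Test-PathExcluded $detected $exclusions)
```

On a machine where `Micros~2` is not the short name of the Office folder, the API call fails, the fallback compares the text unchanged, and the second line also prints False.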


As I can not seem to find the Edit button (if there's one), I would also like to add that the files I was working on were part of an Office Master document (that contain a number of word files all linked in a master document).

 

The first time I got the false positive I had the Master document opened in Word, and manually saved. When you save in a Master document, it automatically saves every small word file that the master document contains (in my case, there are 17 word files).  I assumed that this action of quickly saving 17 word files triggered the false positive in this new version of Anti Ransomware.

 

The second time I got it I believe that I was also in the Master document, definitely clicking on the Save button. It saved 7~8 of the word files and then the word window disappeared and got the notification.

 

The third time I got it I was working in a small word file (that is part of the Master document, but you can also open them individually as a normal document) and clicked Save.

 

I also would like to mention that I have a custom template in the Word document (that is found in the working folder) set as template for the document and also I have installed the Mendeley Word Plugin (and is active in Word).

 

I also worked in the Master document and in individual files between these exclusion messages (and afterwards) and managed to Save successfully, so it's an intermittent problem and am unsure how to reliably trigger it.


One day ago I installed Anti-Rootkit. Prior to installing it, I read what was described here

and added beforehand a 4th exclusion in the list, C:\Windows\SysWOW64\RunOnce.exe

Now I have 4 exclusions in the list, RunOnce.exe, the Microsoft Office -> Word folder , the winword.exe and the working folder.

Anti-Rootkit blocked successfully the test at mbae-test.exe


Today when I opened my computer I got the defect mentioned in the above post, even after I put solution 1# as an exclusion.

 

Can I test somehow (safely) if the exclusion panel of my Anti-Ransomware is working? I get the feeling that no matter what I add there it won't save them.

Thank you very much.

 


Hello @LucianV,

When you say Anti-Rootkit, do you actually mean Anti-Exploit? Are you saying that now you've installed Anti-Exploit, you find mbae.exe does not launch at boot? The issue in the topic you linked has long since been resolved.

-----

Quote

As I can not seem to find the Edit button (if there's one), I would also like to add that the files I was working on were part of an Office Master document (that contain a number of word files all linked in a master document).

Would you be able to send us a copy of this document in private to help our efforts with reproducing this issue?

Please do the following as well:

  • Right-click the Malwarebytes Anti-Ransomware icon in the notification area and click Quit.
  • Open C:\ProgramData\Malwarebytes\MB3Service.
  • Delete the ARW folder.
  • Relaunch Malwarebytes Anti-Ransomware and try to reproduce the issue.
  • If you encounter another Word detection, click Stop Protection in the Malwarebytes Anti-Ransomware user interface.
  • Zip up and provide:
    • C:\ProgramData\Malwarebytes\MB3Service\logs
    • C:\ProgramData\Malwarebytes\MB3Service\ARW
Edited by LiquidTension

Hello, yes, sorry, I apologize. I installed Anti-Exploit version 1.13.1.164. On next computer restart I got the issue described in that above linked forum thread, after already doing the 1st fix mentioned there. Even if that's a different issue altogether, I mentioned it as the fix #1 mentioned introducing a new exclusion in MBAR (and I wondered if somehow the exclusions I add to MBAR are ignored). Anyway, after doing fix #2 (with the provided registry file) I didn't get the issue.

 

Back to the issue at hand, I have stopped working on the document for the time being. I will try to delete the ARW folder and try to work in the document again by next week and see what happens. I will keep you updated.

 

Thank you very much for the time.

  • 1 month later...

I am having the exact same problem. I was working on an important document and attempted a save (one of many in the course of the day today), then suddenly:

  • My Word process was killed and I see a Malware Ransomware notice
  • I cannot restart Word. When I try, an installation process starts
  • I added the Word .exe file and parent directory to the Allow list but this did nothing to help me recover my installed instance of Word.

Please tell me how to extract myself from this pit of quicksand your software pushed me into without asking for permission or confirmation.


BTW, I will happily uninstall your product and never use it again if I could be sure that this will fix the problem, but I am afraid that if I do that I will never recover whatever it is that Malwarebytes has quarantined. Please confirm for me that uninstalling Malwarebytes will restore my instance of Microsoft Word to its previous functioning state.


Just read this on the internet and I am very worried. Looks like at a minimum your software is going to deprive me of a day's work. At worst, I will be without the 2010 version of Microsoft Word that I need and be forced to buy a more recent version that does not suit my needs for complicated reasons. Wow. Wow. It is increasingly clear that **Malwarebytes** is the real virus on my machine.

Quarantined malware is rendered inert and no longer poses a threat - it is encrypted and locked. ... On top of this, when you uninstall Malwarebytes, the quarantined items are deleted, meaning if you re-install Malwarebytes, those files won't be able to be restored using normal means.


Greetings,

I'm sorry you're having trouble with the software but we should be able to help in checking your quarantine to ensure you don't lose anything you wish to keep prior to uninstalling.  To do so, please do the following:

  1. Download and run the Malwarebytes Support Tool
  2. Accept the EULA and click Advanced tab on the left (not Start Repair)
  3. Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to your next reply

Thanks


Hi. I think I'm having this exact issue. I got a ransomware stopped popup from Malwarebytes (I forget the exact wording but the name of the supposed ransomware included the word 'generic') as I was clicking the "save" icon in a Windows doc. All Windows docs were immediately shut down and now when I try to open them I get the following error message: It says 'preparing to install Microsoft Office Enterprize 2007' and then another popup says 'Error 1310. Error writing to file: C:\Program Files (x86)\Microsoft Office\Office 12\WINWORD.EXE Verify that you have access to that directory.' When I retry nothing happens; when I click cancel I get a 'fatal error during installation' message.

This is an old PC running an old version of Windows (which is why I purchased Malwarebytes) and I am trying not to freak out right now - those Word files contain months of work and I need access to them all the time. Attaching the Zip files as you instructed the other poster (I am a new poster!). Thank you.

mbst-grab-results.zip

14 minutes ago, midwestkrispie said:

Hi. I think I'm having this exact issue.

14 minutes ago, midwestkrispie said:

those Word files contain months of work and I need access to them all the time.

You do not lose the actual documents with this issue.

Edited by Porthos