Jump to content
Amdrink

Excel false positive RTP detection

Recommended Posts

When editing multiple excel files, MWB Teams is detecting a Ransomware infection. When scanning PC, no infection is found.

Does not happen immediately upon opening file, it is when saving the file after multiple edits.

No previous issues with this file, it's been used 100's of times over the last 2 years.

Excel version Microsoft 365 MSO (16.0.12827.20328) 64-bit

 

malwarebytes-log.txt Order Form - 2019.xlsx

Share this post


Link to post
Share on other sites
37 minutes ago, Amdrink said:

When editing multiple excel files, MWB Teams is detecting a Ransomware infection. When scanning PC, no infection is found.

Until it is fixed, Please disable ransomware protection.

Share this post


Link to post
Share on other sites

Can you zip and attach this file please?

C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

 

Share this post


Link to post
Share on other sites

Thanks. This should no longer be detected. It can take up to ten minutes from now to take effect. 

 

Share this post


Link to post
Share on other sites

@Amdrink -

Can you please collect and upload as an attachment the diagnostic data using our MBST?

  • Download and run the Malwarebytes Support Tool
  • Accept the EULA and click Advanced tab on the left (not Start Repair)
  • Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to your next reply

Share this post


Link to post
Share on other sites
46 minutes ago, Amdrink said:

my Firefox was also hit with a Malware.Ransom.Agent.Generic alert and crashed

Just out of curiosity, is your Firefox profile on your "C" drive or on your data drive?

Share this post


Link to post
Share on other sites

Firefox is installed to C drive

"C:\Program Files\Mozilla Firefox\firefox.exe"

Share this post


Link to post
Share on other sites

can you either zip and attach 

"C:\Program Files\Mozilla Firefox\firefox.exe"

 

or upload it to virustotal.com and give me the virustotal link after the scan completes?

Thanks!

 

Share this post


Link to post
Share on other sites
On 6/22/2020 at 12:48 AM, Porthos said:

Until it is fixed, Please disable ransomware protection.

Having exact same issue with one of my clients using Excel 365.  All MWB and Office updates have been performed.  

To confirm, it is ok to disable RANSOMWARE PROTECTION?  They were hit about 2 years ago and I implemented MWB as their primary protection at that time.  They do business in China and we don't want to open them back up to attack.

Share this post


Link to post
Share on other sites

@mgmosstn please do this so i can fix it. 

 

 

can you either zip and attach 

excel.exe

 

or upload it to virustotal.com and give me the virustotal link after the scan completes?

Thanks!

 

Share this post


Link to post
Share on other sites

I also had Excel trigger a ransomware block today, had to disable Malwarebytes to get it working again.  

was this supposed to have been fixed by now?

Share this post


Link to post
Share on other sites
4 minutes ago, PaulyB said:

I also had Excel trigger a ransomware block today, had to disable Malwarebytes to get it working again.  

was this supposed to have been fixed by now?

You might have a different version of excel then the other person. Also do a check for updates in Malwarebytes.

Share this post


Link to post
Share on other sites
Posted (edited)

You may need to exclude the directory in which the detected excel.exe resides, while we investigate futher. Add it to Allow List to Exclude from detection as ransomware only.

Edited by tetonbob

Share this post


Link to post
Share on other sites

My Excel has triggered this again today. It was working after the 1st whitelist fix.

Excel.exe file zipped and attached.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 6/29/20
Protection Event Time: 2:35 PM
Log File: f84f5e42-b9c1-11ea-8ffc-0cdd242dfe9b.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.955
Update Package Version: 1.0.26133
License: Premium

-System Information-
OS: Windows 10 (Build 18362.900)
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 1
Malware.Ransom.Agent.Generic, C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, Blocked, 0, 392685, 0.0.0


(end)

 

200629-EXCEL.zip

Share this post


Link to post
Share on other sites

I've now added Excel to the Allow List to stop future Ransomware detections.

Share this post


Link to post
Share on other sites

So has Malwarebytes officially verified this to be a false positive when Excel is detected as Malware.Ransom.Agent.Generic?

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.