DamienLR

False positive on setup that modifies a lot of files with Perl

Hi, we use a self-made setup to deploy applications for our clients.

This setup may modify a lot of files with text replacement (template files) with Perl (Windows, old version of Strawberry).

Our setup may be blocked by anti ransomware.

Would it be less likely to be considered ransomware with a recent version of Perl, or a signed version of our setup?

FA8C9F02C7836D058FDBDE91A66DDCC38737F427DB0E4890B8225F04506A7E09
{
   "applicationVersion" : "4.1.0.56",
   "chromeSyncResetQueryRequested" : false,
   "chromeSyncResetQueryResult" : false,
   "clientID" : "",
   "clientType" : "other",
   "componentsUpdatePackageVersion" : "1.0.955",
   "cpu" : "x64",
   "dbSDKUpdatePackageVersion" : "1.0.25903",
   "detectionDateTime" : "2020-06-23T11:54:00Z",
   "fileSystem" : "NTFS",
   "id" : "3a1ea46e-b548-11ea-b9ba-0050560109fa",
   "isUserAdmin" : true,
   "licenseState" : "licensed",
   "linkagePhaseComplete" : true,
   "loggedOnUserName" : "System",
   "machineID" : "",
   "os" : "Windows Server 2008 R2 Service Pack 1",
   "schemaVersion" : 16,
   "sourceDetails" : {
      "type" : "arw"
   },
   "threats" : [
      {
         "ddsSigFileVersion" : "",
         "linkedTraces" : [
            {
               "archiveMember" : "",
               "archiveMemberMD5" : "",
               "cleanAction" : "quarantine",
               "cleanContext" : {
                  "unloadData" : {
                     "pid" : 4312
                  }
               },
               "cleanResult" : "successful",
               "cleanResultErrorCode" : 0,
               "cleanTime" : "2020-06-23T11:54:06Z",
               "generatedByPostCleanupAction" : false,
               "id" : "3cf70988-b548-11ea-9651-0050560109fa",
               "isPEFile" : false,
               "linkType" : "linkedTrace",
               "objectMD5" : "",
               "objectPath" : "D:\\Temp\\8\\StarterOperis\\InstallOxalis-V1.27.32.0.202006181600.exe",
               "objectSha256" : "",
               "objectType" : "process",
               "resolvedPath" : "",
               "suggestedAction" : {
                  "archiveDir" : false,
                  "chromeExtensionOther" : false,
                  "chromeExtensionPreferences" : false,
                  "chromeExtensionSecurePreferences" : false,
                  "chromeExtensionSyncData" : false,
                  "chromeUrlOther" : false,
                  "chromeUrlSecurePreferences" : false,
                  "chromeUrlSyncData" : false,
                  "chromeUrlWebData" : false,
                  "disableHubbleWhiteListing" : false,
                  "disableSignatureWhiteListing" : false,
                  "fileDelete" : false,
                  "fileReplace" : false,
                  "fileTxtReplace" : false,
                  "folderDelete" : false,
                  "isChromeObject" : false,
                  "isDDS" : false,
                  "isDoppleganging" : false,
                  "isExternalDetection" : false,
                  "isPUP" : false,
                  "isShuriken" : false,
                  "isWMIEventConsumer" : false,
                  "killProcess" : false,
                  "minimalWhiteListing" : false,
                  "moduleUnload" : false,
                  "noLinking" : false,
                  "physicalSectorReplace" : false,
                  "priorityHigh" : false,
                  "priorityNormal" : false,
                  "priorityUrgent" : false,
                  "processUnload" : true,
                  "regKeyDelete" : false,
                  "regValueDelete" : false,
                  "regValueReplace" : false,
                  "shortcutReplace" : false,
                  "silentMode" : false,
                  "singleDelete" : false,
                  "treatAsRootkit" : false,
                  "useDDA" : false,
                  "verifyResolvedPath" : false,
                  "whitelistCheckError" : false
               }
            },
            {
               "archiveMember" : "",
               "archiveMemberMD5" : "",
               "cleanAction" : "quarantine",
               "cleanContext" : {
                  "unloadData" : {
                     "pid" : 4312
                  }
               },
               "cleanResult" : "successful",
               "cleanResultErrorCode" : 0,
               "cleanTime" : "2020-06-23T11:54:06Z",
               "generatedByPostCleanupAction" : false,
               "id" : "3cf70989-b548-11ea-97cf-0050560109fa",
               "isPEFile" : false,
               "linkType" : "linkedTrace",
               "objectMD5" : "",
               "objectPath" : "D:\\Temp\\8\\StarterOperis\\InstallOxalis-V1.27.32.0.202006181600.exe",
               "objectSha256" : "",
               "objectType" : "module",
               "resolvedPath" : "",
               "suggestedAction" : {
                  "archiveDir" : false,
                  "chromeExtensionOther" : false,
                  "chromeExtensionPreferences" : false,
                  "chromeExtensionSecurePreferences" : false,
                  "chromeExtensionSyncData" : false,
                  "chromeUrlOther" : false,
                  "chromeUrlSecurePreferences" : false,
                  "chromeUrlSyncData" : false,
                  "chromeUrlWebData" : false,
                  "disableHubbleWhiteListing" : false,
                  "disableSignatureWhiteListing" : false,
                  "fileDelete" : false,
                  "fileReplace" : false,
                  "fileTxtReplace" : false,
                  "folderDelete" : false,
                  "isChromeObject" : false,
                  "isDDS" : false,
                  "isDoppleganging" : false,
                  "isExternalDetection" : false,
                  "isPUP" : false,
                  "isShuriken" : false,
                  "isWMIEventConsumer" : false,
                  "killProcess" : false,
                  "minimalWhiteListing" : false,
                  "moduleUnload" : true,
                  "noLinking" : false,
                  "physicalSectorReplace" : false,
                  "priorityHigh" : false,
                  "priorityNormal" : false,
                  "priorityUrgent" : false,
                  "processUnload" : false,
                  "regKeyDelete" : false,
                  "regValueDelete" : false,
                  "regValueReplace" : false,
                  "shortcutReplace" : false,
                  "silentMode" : false,
                  "singleDelete" : false,
                  "treatAsRootkit" : false,
                  "useDDA" : false,
                  "verifyResolvedPath" : false,
                  "whitelistCheckError" : false
               }
            }
         ],
         "mainTrace" : {
            "archiveMember" : "",
            "archiveMemberMD5" : "",
            "cleanAction" : "quarantine",
            "cleanResult" : "successful",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "2020-06-23T11:54:06Z",
            "generatedByPostCleanupAction" : false,
            "id" : "3aeb5ace-b548-11ea-b217-0050560109fa",
            "isPEFile" : false,
            "linkType" : "none",
            "objectMD5" : "80fe01936887b58ef539aab6ac714e44",
            "objectPath" : "D:\\Temp\\8\\StarterOperis\\InstallOxalis-V1.27.32.0.202006181600.exe",
            "objectSha256" : "ad0b775dfc5eb115dccde1584de1f29a092a20c6be7b65023d14e3af6b834b51",
            "objectType" : "file",
            "resolvedPath" : "D:\\Temp\\8\\StarterOperis\\InstallOxalis-V1.27.32.0.202006181600.exe",
            "suggestedAction" : {
               "archiveDir" : false,
               "chromeExtensionOther" : false,
               "chromeExtensionPreferences" : false,
               "chromeExtensionSecurePreferences" : false,
               "chromeExtensionSyncData" : false,
               "chromeUrlOther" : false,
               "chromeUrlSecurePreferences" : false,
               "chromeUrlSyncData" : false,
               "chromeUrlWebData" : false,
               "disableHubbleWhiteListing" : false,
               "disableSignatureWhiteListing" : false,
               "fileDelete" : true,
               "fileReplace" : false,
               "fileTxtReplace" : false,
               "folderDelete" : false,
               "isChromeObject" : false,
               "isDDS" : false,
               "isDoppleganging" : false,
               "isExternalDetection" : false,
               "isPUP" : false,
               "isShuriken" : false,
               "isWMIEventConsumer" : false,
               "killProcess" : false,
               "minimalWhiteListing" : false,
               "moduleUnload" : false,
               "noLinking" : false,
               "physicalSectorReplace" : false,
               "priorityHigh" : false,
               "priorityNormal" : false,
               "priorityUrgent" : false,
               "processUnload" : false,
               "regKeyDelete" : false,
               "regValueDelete" : false,
               "regValueReplace" : false,
               "shortcutReplace" : false,
               "silentMode" : false,
               "singleDelete" : false,
               "treatAsRootkit" : false,
               "useDDA" : false,
               "verifyResolvedPath" : true,
               "whitelistCheckError" : false
            }
         },
         "ruleID" : 392685,
         "ruleString" : "",
         "rulesVersion" : "0.0.0",
         "srcEngineComponent" : "unknown",
         "srcEngineThreatNames" : [

         ],
         "threatID" : 0,
         "threatName" : "Malware.Ransom.Agent.Generic"
      }
   ],
   "threatsDetected" : 1
}

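The JSON above is a full detection record, most of which is boilerplate flags. When triaging a hit like this one, what matters is the threat name and rule, the file path and hashes, the linked process/module objects that were unloaded (both share PID 4312), and whether every clean action reported success. The script below is an added example, not code from the thread or from Malwarebytes: it parses a record in the same schema and reduces it to those fields. The sample record is a constructed, abbreviated copy of the posted one (same path, hashes, rule id and PID, with the long lists of false flags trimmed to the flags that are set); the `arw` source tag is assumed to denote the anti-ransomware component the thread is about.

```python
import json

# Constructed, abbreviated detection record in the same schema as the one
# posted in this thread. Path, hashes, rule id, PID and threat name are
# copied from the posted record; the suggestedAction flag lists are trimmed
# to the flags that are actually set.
SAMPLE_DETECTION = r'''
{
  "detectionDateTime": "2020-06-23T11:54:00Z",
  "os": "Windows Server 2008 R2 Service Pack 1",
  "sourceDetails": { "type": "arw" },
  "threats": [
    {
      "ruleID": 392685,
      "threatName": "Malware.Ransom.Agent.Generic",
      "mainTrace": {
        "objectType": "file",
        "objectPath": "D:\\Temp\\8\\StarterOperis\\InstallOxalis-V1.27.32.0.202006181600.exe",
        "objectMD5": "80fe01936887b58ef539aab6ac714e44",
        "objectSha256": "ad0b775dfc5eb115dccde1584de1f29a092a20c6be7b65023d14e3af6b834b51",
        "cleanAction": "quarantine",
        "cleanResult": "successful",
        "suggestedAction": { "fileDelete": true, "verifyResolvedPath": true }
      },
      "linkedTraces": [
        { "objectType": "process", "objectSha256": "",
          "objectPath": "D:\\Temp\\8\\StarterOperis\\InstallOxalis-V1.27.32.0.202006181600.exe",
          "cleanAction": "quarantine", "cleanResult": "successful",
          "cleanContext": { "unloadData": { "pid": 4312 } },
          "suggestedAction": { "processUnload": true } },
        { "objectType": "module", "objectSha256": "",
          "objectPath": "D:\\Temp\\8\\StarterOperis\\InstallOxalis-V1.27.32.0.202006181600.exe",
          "cleanAction": "quarantine", "cleanResult": "successful",
          "cleanContext": { "unloadData": { "pid": 4312 } },
          "suggestedAction": { "moduleUnload": true } }
      ]
    }
  ],
  "threatsDetected": 1
}
'''


def _enabled_flags(trace):
    """Names of the suggestedAction flags that are true, in record order."""
    return [k for k, v in trace.get("suggestedAction", {}).items() if v]


def _pid(trace):
    """PID from cleanContext.unloadData, or None for file-type traces."""
    return trace.get("cleanContext", {}).get("unloadData", {}).get("pid")


def summarize_detection(raw_json):
    """Reduce a detection record to what a responder checks first: what was
    hit, by which rule, which hashes identify it, which live process/module
    objects were unloaded, and whether every remediation step succeeded."""
    rec = json.loads(raw_json)
    out = {
        "source": rec.get("sourceDetails", {}).get("type"),
        "when": rec.get("detectionDateTime"),
        "host_os": rec.get("os"),
        "threats": [],
    }
    for threat in rec.get("threats", []):
        main = threat["mainTrace"]
        linked = threat.get("linkedTraces", [])
        out["threats"].append({
            "name": threat.get("threatName"),
            "rule_id": threat.get("ruleID"),
            "path": main.get("objectPath"),
            # empty strings mean "not recorded"; normalise them to None
            "sha256": main.get("objectSha256") or None,
            "md5": main.get("objectMD5") or None,
            "main_actions": _enabled_flags(main),
            # (objectType, pid) per linked trace: ties the file hit to the
            # running process/module the engine unloaded
            "linked": [(t.get("objectType"), _pid(t)) for t in linked],
            "pids": sorted({_pid(t) for t in linked if _pid(t) is not None}),
            "remediated": all(
                t.get("cleanResult") == "successful" for t in [main, *linked]
            ),
        })
    return out


def render(summary):
    """Plain-text report, one block per threat."""
    lines = [f"{summary['when']}  source={summary['source']}  os={summary['host_os']}"]
    for t in summary["threats"]:
        lines.append(f"  {t['name']} (rule {t['rule_id']})")
        lines.append(f"    file      : {t['path']}")
        lines.append(f"    sha256    : {t['sha256']}")
        lines.append(f"    linked    : {t['linked']}")
        lines.append(f"    actions   : {', '.join(t['main_actions'])}")
        lines.append(f"    remediated: {t['remediated']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize_detection(SAMPLE_DETECTION)))
```

The SHA-256 in `mainTrace` is the value to quote when asking the vendor to review a false positive (the thread later notes the 450 MB file itself cannot be uploaded), and the `linked` list shows that the quarantine also unloaded the running installer process, which is why the update was interrupted mid-run.
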
Sometimes signing the file will prevent a detection. Can you provide the file?

15 hours ago, cli said:

Sometimes signing the file will prevent a detection. Can you provide the file?

450MB, so, no I can't :D

Any other logs I can provide instead?


I see. 🙂 To prevent detection, you add the file to the allow list.

13 hours ago, cli said:

I see. 🙂 To prevent detection, you add the file to the allow list.

Yes, but it was not enough, because it uncompresses other files, and even with the parent in the allow list, it didn't work!

I had to stop Anti Ransomware protection 😢

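The allow-list problem described just above (the parent installer is allowed, but the binaries it unpacks and runs are not) is easier to handle when you know exactly which files the package drops. The following is an added example, not code from the thread or from Malwarebytes: it walks an unpacked payload directory, hashes every file that could be executed or loaded, and emits a manifest that can be checked against the allow list or handed to the vendor. The directory tree is constructed in a temporary folder with stub contents; `perl.exe`, `helper.dll`, `replace.pl` and `app.conf.tmpl` are placeholder names, and the set of executable extensions is an assumption about such a payload.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed set of suffixes the payload may contain; anything else is still
# listed if it carries a DOS/PE "MZ" header.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".pl"}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large payloads are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def looks_like_pe(path):
    """Coarse check: a Windows executable starts with the DOS 'MZ' magic."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def build_manifest(root):
    """Walk an unpacked payload tree and list every file that could be run or
    loaded, with its size and SHA-256, as a path relative to the tree root."""
    root = Path(root)
    entries = []
    for p in sorted(root.rglob("*"), key=lambda q: q.as_posix()):
        if not p.is_file():
            continue
        pe = looks_like_pe(p)
        if p.suffix.lower() not in EXECUTABLE_SUFFIXES and not pe:
            continue  # data/template files do not belong on the allow list
        entries.append({
            "path": p.relative_to(root).as_posix(),
            "size": p.stat().st_size,
            "sha256": sha256_file(p),
            "pe": pe,
        })
    return entries


def render_manifest(entries):
    """One line per file: sha256, size, PE/text flag, path."""
    return "\n".join(
        f"{e['sha256']}  {e['size']:>9}  {'PE ' if e['pe'] else 'txt'}  {e['path']}"
        for e in entries
    )


def make_sample_tree():
    """Constructed stand-in for an unpacked installer: two stub PE files, a
    Perl script, and a template that must NOT end up in the manifest."""
    root = Path(tempfile.mkdtemp(prefix="payload_"))
    (root / "bin").mkdir()
    (root / "bin" / "perl.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"stub perl")
    (root / "bin" / "helper.dll").write_bytes(b"MZ" + b"\x00" * 62 + b"stub dll")
    (root / "tools").mkdir()
    (root / "tools" / "replace.pl").write_text(
        "#!/usr/bin/perl\n# in-place template substitution\ns/__HOST__/$ENV{HOST}/g;\n"
    )
    (root / "templates").mkdir()
    (root / "templates" / "app.conf.tmpl").write_text("host=__HOST__\n")
    return root


if __name__ == "__main__":
    print(render_manifest(build_manifest(make_sample_tree())))
```

Run the manifest step on the unpacked payload of each release, since any rebuild changes the hashes; an allow list keyed on the parent installer alone, as the thread found, does not cover the child interpreter and libraries that actually perform the bulk file rewrites.
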
Can you follow the directions here and upload "mbst-grab-results.zip" here? Thanks.

Edited by cli


The tool didn't grab the files I wanted to look at. Can you manually grab the files from C:\ProgramData\Malwarebytes\MBAMService\LOGS?


Hi, it seems that the files vanished after using the MBAM support tool! I should not have used the repair function, I think... It deleted the logs without warning...


Hmm, is the file still being detected after the repair? If it does, can you zip up the files in C:\ProgramData\Malwarebytes\MBAMService\LOGS? Thanks.


Hi, we'll check but won't take any risk: the false positive causes the update to be stopped abruptly, and it's not safe to do so.

