
False positive on setup that modifies a lot of files with Perl



Hi, we use a self made setup to deploy applications for our clients.

This setup may modify a lot of files by text replacement (template files) using Perl (Windows, an old version of Strawberry Perl).

Our setup may be blocked by anti ransomware.

Would it be less likely to be considered ransomware with a recent version of Perl, or with a signed version of our setup?

 


FA8C9F02C7836D058FDBDE91A66DDCC38737F427DB0E4890B8225F04506A7E09
{
   "applicationVersion" : "4.1.0.56",
   "chromeSyncResetQueryRequested" : false,
   "chromeSyncResetQueryResult" : false,
   "clientID" : "",
   "clientType" : "other",
   "componentsUpdatePackageVersion" : "1.0.955",
   "cpu" : "x64",
   "dbSDKUpdatePackageVersion" : "1.0.25903",
   "detectionDateTime" : "2020-06-23T11:54:00Z",
   "fileSystem" : "NTFS",
   "id" : "3a1ea46e-b548-11ea-b9ba-0050560109fa",
   "isUserAdmin" : true,
   "licenseState" : "licensed",
   "linkagePhaseComplete" : true,
   "loggedOnUserName" : "System",
   "machineID" : "",
   "os" : "Windows Server 2008 R2 Service Pack 1",
   "schemaVersion" : 16,
   "sourceDetails" : {
      "type" : "arw"
   },
   "threats" : [
      {
         "ddsSigFileVersion" : "",
         "linkedTraces" : [
            {
               "archiveMember" : "",
               "archiveMemberMD5" : "",
               "cleanAction" : "quarantine",
               "cleanContext" : {
                  "unloadData" : {
                     "pid" : 4312
                  }
               },
               "cleanResult" : "successful",
               "cleanResultErrorCode" : 0,
               "cleanTime" : "2020-06-23T11:54:06Z",
               "generatedByPostCleanupAction" : false,
               "id" : "3cf70988-b548-11ea-9651-0050560109fa",
               "isPEFile" : false,
               "linkType" : "linkedTrace",
               "objectMD5" : "",
               "objectPath" : "D:\\Temp\\8\\StarterOperis\\InstallOxalis-V1.27.32.0.202006181600.exe",
               "objectSha256" : "",
               "objectType" : "process",
               "resolvedPath" : "",
               "suggestedAction" : {
                  "archiveDir" : false,
                  "chromeExtensionOther" : false,
                  "chromeExtensionPreferences" : false,
                  "chromeExtensionSecurePreferences" : false,
                  "chromeExtensionSyncData" : false,
                  "chromeUrlOther" : false,
                  "chromeUrlSecurePreferences" : false,
                  "chromeUrlSyncData" : false,
                  "chromeUrlWebData" : false,
                  "disableHubbleWhiteListing" : false,
                  "disableSignatureWhiteListing" : false,
                  "fileDelete" : false,
                  "fileReplace" : false,
                  "fileTxtReplace" : false,
                  "folderDelete" : false,
                  "isChromeObject" : false,
                  "isDDS" : false,
                  "isDoppleganging" : false,
                  "isExternalDetection" : false,
                  "isPUP" : false,
                  "isShuriken" : false,
                  "isWMIEventConsumer" : false,
                  "killProcess" : false,
                  "minimalWhiteListing" : false,
                  "moduleUnload" : false,
                  "noLinking" : false,
                  "physicalSectorReplace" : false,
                  "priorityHigh" : false,
                  "priorityNormal" : false,
                  "priorityUrgent" : false,
                  "processUnload" : true,
                  "regKeyDelete" : false,
                  "regValueDelete" : false,
                  "regValueReplace" : false,
                  "shortcutReplace" : false,
                  "silentMode" : false,
                  "singleDelete" : false,
                  "treatAsRootkit" : false,
                  "useDDA" : false,
                  "verifyResolvedPath" : false,
                  "whitelistCheckError" : false
               }
            },
            {
               "archiveMember" : "",
               "archiveMemberMD5" : "",
               "cleanAction" : "quarantine",
               "cleanContext" : {
                  "unloadData" : {
                     "pid" : 4312
                  }
               },
               "cleanResult" : "successful",
               "cleanResultErrorCode" : 0,
               "cleanTime" : "2020-06-23T11:54:06Z",
               "generatedByPostCleanupAction" : false,
               "id" : "3cf70989-b548-11ea-97cf-0050560109fa",
               "isPEFile" : false,
               "linkType" : "linkedTrace",
               "objectMD5" : "",
               "objectPath" : "D:\\Temp\\8\\StarterOperis\\InstallOxalis-V1.27.32.0.202006181600.exe",
               "objectSha256" : "",
               "objectType" : "module",
               "resolvedPath" : "",
               "suggestedAction" : {
                  "archiveDir" : false,
                  "chromeExtensionOther" : false,
                  "chromeExtensionPreferences" : false,
                  "chromeExtensionSecurePreferences" : false,
                  "chromeExtensionSyncData" : false,
                  "chromeUrlOther" : false,
                  "chromeUrlSecurePreferences" : false,
                  "chromeUrlSyncData" : false,
                  "chromeUrlWebData" : false,
                  "disableHubbleWhiteListing" : false,
                  "disableSignatureWhiteListing" : false,
                  "fileDelete" : false,
                  "fileReplace" : false,
                  "fileTxtReplace" : false,
                  "folderDelete" : false,
                  "isChromeObject" : false,
                  "isDDS" : false,
                  "isDoppleganging" : false,
                  "isExternalDetection" : false,
                  "isPUP" : false,
                  "isShuriken" : false,
                  "isWMIEventConsumer" : false,
                  "killProcess" : false,
                  "minimalWhiteListing" : false,
                  "moduleUnload" : true,
                  "noLinking" : false,
                  "physicalSectorReplace" : false,
                  "priorityHigh" : false,
                  "priorityNormal" : false,
                  "priorityUrgent" : false,
                  "processUnload" : false,
                  "regKeyDelete" : false,
                  "regValueDelete" : false,
                  "regValueReplace" : false,
                  "shortcutReplace" : false,
                  "silentMode" : false,
                  "singleDelete" : false,
                  "treatAsRootkit" : false,
                  "useDDA" : false,
                  "verifyResolvedPath" : false,
                  "whitelistCheckError" : false
               }
            }
         ],
         "mainTrace" : {
            "archiveMember" : "",
            "archiveMemberMD5" : "",
            "cleanAction" : "quarantine",
            "cleanResult" : "successful",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "2020-06-23T11:54:06Z",
            "generatedByPostCleanupAction" : false,
            "id" : "3aeb5ace-b548-11ea-b217-0050560109fa",
            "isPEFile" : false,
            "linkType" : "none",
            "objectMD5" : "80fe01936887b58ef539aab6ac714e44",
            "objectPath" : "D:\\Temp\\8\\StarterOperis\\InstallOxalis-V1.27.32.0.202006181600.exe",
            "objectSha256" : "ad0b775dfc5eb115dccde1584de1f29a092a20c6be7b65023d14e3af6b834b51",
            "objectType" : "file",
            "resolvedPath" : "D:\\Temp\\8\\StarterOperis\\InstallOxalis-V1.27.32.0.202006181600.exe",
            "suggestedAction" : {
               "archiveDir" : false,
               "chromeExtensionOther" : false,
               "chromeExtensionPreferences" : false,
               "chromeExtensionSecurePreferences" : false,
               "chromeExtensionSyncData" : false,
               "chromeUrlOther" : false,
               "chromeUrlSecurePreferences" : false,
               "chromeUrlSyncData" : false,
               "chromeUrlWebData" : false,
               "disableHubbleWhiteListing" : false,
               "disableSignatureWhiteListing" : false,
               "fileDelete" : true,
               "fileReplace" : false,
               "fileTxtReplace" : false,
               "folderDelete" : false,
               "isChromeObject" : false,
               "isDDS" : false,
               "isDoppleganging" : false,
               "isExternalDetection" : false,
               "isPUP" : false,
               "isShuriken" : false,
               "isWMIEventConsumer" : false,
               "killProcess" : false,
               "minimalWhiteListing" : false,
               "moduleUnload" : false,
               "noLinking" : false,
               "physicalSectorReplace" : false,
               "priorityHigh" : false,
               "priorityNormal" : false,
               "priorityUrgent" : false,
               "processUnload" : false,
               "regKeyDelete" : false,
               "regValueDelete" : false,
               "regValueReplace" : false,
               "shortcutReplace" : false,
               "silentMode" : false,
               "singleDelete" : false,
               "treatAsRootkit" : false,
               "useDDA" : false,
               "verifyResolvedPath" : true,
               "whitelistCheckError" : false
            }
         },
         "ruleID" : 392685,
         "ruleString" : "",
         "rulesVersion" : "0.0.0",
         "srcEngineComponent" : "unknown",
         "srcEngineThreatNames" : [

         ],
         "threatID" : 0,
         "threatName" : "Malware.Ransom.Agent.Generic"
      }
   ],
   "threatsDetected" : 1
}

15 hours ago, cli said:

Sometimes signing the file will prevent a detection. Can you provide the file?

450MB, so, no I can't :D

Are there any other logs I can provide instead?

13 hours ago, cli said:

I see. 🙂 To prevent the detection, you can add the file to the allow list.

Yes, but it was not enough, because the setup unpacks other files, and even with the parent in the allow list, it didn't work!

I had to stop Anti Ransomware protection 😢


The tool didn't grab the files I wanted to look at. Can you manually grab the files from C:\ProgramData\Malwarebytes\MBAMService\LOGS?


Hi, it seems that the files vanished after using the MBAM support tool! I think I should not have used the repair function... It deleted the logs without warning...


Hmm, is the file still being detected after the repair? If it is, can you zip up the files in C:\ProgramData\Malwarebytes\MBAMService\LOGS? Thanks.


Hmm, is the file still being detected after the repair? If it is, can you zip up the files in C:\ProgramData\Malwarebytes\MBAMService\LOGS? Thanks.

