Java

[FailMelon]

Not sure if false positive

javaw.txt

[cli]

Can you attach the file? Thanks.

[FailMelon]

I cannot malwarebytes is preventing me from doing anything with it even on the exclusion list.

[FailMelon]

Seems like it coming from Java SE Development Kit 8u151 that i have installed. I've tried reinstalling it here is the file i believe that triggered the ransomware detection.

https://drive.google.com/file/d/1SJhcVvJfpbVzFLhmFeu4MNaxu0jqfEeM/view?usp=sharing

[Porthos]

20 minutes ago, FailMelon said:

I cannot malwarebytes is preventing me from doing anything with it even on the exclusion list.

Quit Malwarebytes from the system tray and then you should be able to find and zip the file. It is a hidden folder do you will have to enable hidden files.

C:\ProgramData\Oracle\Java\javapath_target_1874761593\javaw.exe

[FailMelon]

After getting rid of 151 it happened again on my latest version, i don't think it is the file it seems like something at runtime is causing it which is resorting in java itself getting flagged?

[RGuatta]

I have the same Problem.
Suddenly, on Wednesday, I think, Malwarebytes startet to block javaw.exe as ransomware.
I switched OFF ransomware scanning till Friday.
Switched ransomware scanning ON again on Friday and Malwarebytes wasn't interested anymore in javaw.exe.
I thought, "ok, they updated scanning patterns, it was a false positive".
This morning Malwarebytes blocked javaw.exe as ransomware again.
After I updated Java Runtime to the latest version, there is silence again. I hope, it stays that way.

[RGuatta]

My hope is gone.
At this moment Malwarebytes blocked javaw.exe again.
I think it is not the java runtime, that causes this.
I'm running a tool, that monitors outgoing and incoming phonecalls, which uses the java runtime.
But I'm using this tool for years, and there was no change or update within the last weeks.
I will have to disable ransomware protection again.

[Communism101]

Can confirm this is happening to me aswell.

False positive 100%.

Please fix.

[Porthos]

To all posting about the issue. Be sure your Java is up to the latest version. If you do not have any software that requires it, Just uninstall it as it is a security risk.

It is the weekend and researchers might not be available until Monday to fix it.

It would also help if all here can zip up the affected file after a restart and attach it here.

 

[RGuatta]

It is the latest version.

javaw.zip

[Porthos]

51 minutes ago, RGuatta said:

It is the latest version.

Thanks for the file, The researchers might not see the post until Monday.

@cli

[Communism101]

Should i send the File in the state before it gets flagged and broken by Malwarebytes or after? It happens pretty randomly, so i dont know if i can get it to do that again

Heres the File before:javaw.zip

[cli]

Thanks for providing the files, I whitelisted the file. If it is still detected, please add it to your allow list.

[CatPasswd]

I've also gotten bit by this one. Having javaw.exe blocked from running is bad. Very bad.

 

How does one whitelist this?

 

 

javablocked.txt

[Porthos]

2 hours ago, CatPasswd said:

How does one whitelist this?

Add to the Allow List in Malwarebytes for Windows v4

[Communism101]

Still happend. Had to whitelist it. Ill look out if it happens again.

[RGuatta]

Happened again today. Had to put javaw.exe on the exclusion list.

[ma-tor]

Same happened to me. javaw.exe signature seems okay, virustotal result is negative. For now I've added it to the allowlist for ransomware only.

It might be of interest that it only occours after ~30m - 2h of running, seemingly randomly.

[tetonbob]

Greetings, all affected customers in this topic. Could one or all of you please provide the logs as indicated below?

Can you please collect and upload as an attachment the diagnostic data using our MBST?

• Download and run the Malwarebytes Support Tool
• Accept the EULA and click Advanced tab on the left (not Start Repair)
• Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to your next reply

Thank you.

[CatPasswd]

Note that I have not done an exclusion. I simply exit Malwarebytes when it decides I'm no longer allowed to minecraft.

mbst-grab-results.zip

[tetonbob]

Thanks for the logs @CatPasswd!

It's of course your choice, but adding an exclusion from Ransomware only for this executable would keep your system safer, and should address the issue.

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_130862359\javaw.exe

https://support.malwarebytes.com/hc/en-us/articles/360038479234-Add-to-the-Allow-List-in-Malwarebytes-for-Windows-v4

Our developers will be investigating this issue.

[RGuatta]

Remember that I added javaw.exe to the exclusion list on June 21 and did not chage it since then. 

I hope the logs will still tell you something

mbst-grab-results.zip

[tetonbob]

@RGuatta - thank you, this does provide data which can be used for analysis. Please do maintain your exclusion for javaw.exe

 

[Phlarx]

This just occurred for me today. This is on a new system (less than 2 weeks old).

mbst-grab-results.zip