Exclusion by MD5 Hash doesn't work

[AlexLeadingEdge]

Hi guys,

Malwarebytes is quarantining Free File Sync, including the Donation Edition which removes all the ads, so we attempted to add the MD5 Hash to Malwarebytes Cloud / Nebula but it doesn't seem to replicate through and stop Malwarebytes from quarantining our install file.

In the new Exclusions window the Exploit Protection option is ticked, but Malware Protection, Ransomware Protection and Website Protection is grayed out as options to select. I'm wondering if this file comes under Malware Protection and therefore doesn't automatically stop the blocking of the file?

[AdvancedSetup]

Hello @AlexLeadingEdge

Can you please create a support ticket so that someone can follow up with  you on this.

Contact Support

Once you've created a support ticket if you let me know the ticket number I'll check and let someone on the team know.

Thank you

 

[AlexLeadingEdge]

Malwarebytes Support Ticket 3125424

[AdvancedSetup]

Thanks, I will let someone know @AlexLeadingEdge

 

[AlexLeadingEdge]

Cheers.

[AdvancedSetup]

Someone should reach out to you by tomorrow

Thank you @AlexLeadingEdge

 

[exile360]

Exclusions by MD5 only apply to Exploit Protection.  This is why the item may still be detected by other components of Malwarebytes.  If the item is being detected as malware or PUP (Potentially Unwanted Program) then excluding the file itself or the folder where it is installed should prevent it from being detected.

[xristo]

On 7/23/2020 at 7:59 PM, AlexLeadingEdge said:

Hi guys,

Malwarebytes is quarantining Free File Sync, including the Donation Edition which removes all the ads, so we attempted to add the MD5 Hash to Malwarebytes Cloud / Nebula but it doesn't seem to replicate through and stop Malwarebytes from quarantining our install file.

In the new Exclusions window the Exploit Protection option is ticked, but Malware Protection, Ransomware Protection and Website Protection is grayed out as options to select. I'm wondering if this file comes under Malware Protection and therefore doesn't automatically stop the blocking of the file?

AlexLeadingEdge, where did you obtain the MD5 hash for your exclusion? Did you ever get this method functioning as desired / expected? I don't even know where to find the MD5 hash within our MBAM Cloud console but have been awaiting that functionality since a 2019 feature request.  🤓

[AdvancedSetup]

Hello @xristo

Did you open a Customer Support Ticket for this?
That would really be the best way to get further advice and even possibly escalate future enhancement.

 

[AlexLeadingEdge]

59 minutes ago, xristo said:

AlexLeadingEdge, where did you obtain the MD5 hash for your exclusion? Did you ever get this method functioning as desired / expected? I don't even know where to find the MD5 hash within our MBAM Cloud console but have been awaiting that functionality since a 2019 feature request.  🤓

I find I have to release the file out of quarantine and then upload it to VirusTotal.com, which gives me the MD5 hash, which I then can use in the Exclusions section of Malwarebytes OneView. If it is on a domain I can access the computer over the network without annoying the end users.

It is long-winded approach but seems to work, but as mentioned above, the MD5 hash only works against Exploit Protection, not all the other components. I have pretty much given up on using MD5 hashes as half the time it will still pick up the file, so I open a forum thread here under False Positives and upload the quarantined file.

Edited May 10, 2021 by AlexLeadingEdge

[AdvancedSetup]

On Windows 10 you can get the MD5 from a command prompt

certutil -hashfile notepad.exe MD5

Returns the following

MD5 hash of notepad.exe:
423d3ade2f14572c5bd5f546973eb493
 

[AlexLeadingEdge]

13 minutes ago, AdvancedSetup said:

On Windows 10 you can get the MD5 from a command prompt

Interesting, I didn't know that. Unfortunately it still requires releasing potentially infected files back into the wild just to get the MD5.

[AdvancedSetup]

I don't disagree with you, but in a business normally you'd have dozens or hundreds of systems with the same files. You should be able to check and validate from another computer.

I know there is ongoing discussions for improving this in the program.

 

[AlexLeadingEdge]

6 minutes ago, AdvancedSetup said:

I don't disagree with you, but in a business normally you'd have dozens or hundreds of systems with the same files. You should be able to check and validate from another computer.

I know there is ongoing discussions for improving this in the program.

Depends on the size of the business and the management software used. Without central management many computers will update themselves at any given day, which may result in dozens of different versions of the same software across a network. Computers that are offline or not on the network cannot be updated, so they have a different version from the majority.

We use SolarWinds RMM to control Windows Updates, and PDQ to try and standardise the versions of programs, but there is only so much that you can do. If you look at the likes of Teamviewer, there are literally hundreds (thousands?) of versions, going from version 1 to version 15, with small build changes in each major version, which means different files, different MD5 hashes.

[AdvancedSetup]

Yes, understood. As mentioned the team is aware and have said they are working on improvements.

Thank you again for your feedback