Exclusion by MD5 Hash doesn't work



Hi guys,

Malwarebytes is quarantining Free File Sync, including the Donation Edition which removes all the ads, so we attempted to add the MD5 Hash to Malwarebytes Cloud / Nebula but it doesn't seem to replicate through and stop Malwarebytes from quarantining our install file.

In the new Exclusions window the Exploit Protection option is ticked, but Malware Protection, Ransomware Protection and Website Protection are grayed out as options to select. I'm wondering if this file comes under Malware Protection and therefore doesn't automatically stop the blocking of the file?

  • Staff

Exclusions by MD5 only apply to Exploit Protection.  This is why the item may still be detected by other components of Malwarebytes.  If the item is being detected as malware or PUP (Potentially Unwanted Program) then excluding the file itself or the folder where it is installed should prevent it from being detected.

  • 9 months later...
  • Solution
On 7/23/2020 at 7:59 PM, AlexLeadingEdge said:

Hi guys,

Malwarebytes is quarantining Free File Sync, including the Donation Edition which removes all the ads, so we attempted to add the MD5 Hash to Malwarebytes Cloud / Nebula but it doesn't seem to replicate through and stop Malwarebytes from quarantining our install file.

In the new Exclusions window the Exploit Protection option is ticked, but Malware Protection, Ransomware Protection and Website Protection are grayed out as options to select. I'm wondering if this file comes under Malware Protection and therefore doesn't automatically stop the blocking of the file?

AlexLeadingEdge, where did you obtain the MD5 hash for your exclusion? Did you ever get this method functioning as desired / expected? I don't even know where to find the MD5 hash within our MBAM Cloud console but have been awaiting that functionality since a 2019 feature request.  🤓

Posted (edited)
59 minutes ago, xristo said:

AlexLeadingEdge, where did you obtain the MD5 hash for your exclusion? Did you ever get this method functioning as desired / expected? I don't even know where to find the MD5 hash within our MBAM Cloud console but have been awaiting that functionality since a 2019 feature request.  🤓

I find I have to release the file out of quarantine and then upload it to VirusTotal.com, which gives me the MD5 hash, which I then can use in the Exclusions section of Malwarebytes OneView. If it is on a domain I can access the computer over the network without annoying the end users.

It is a long-winded approach but seems to work, but as mentioned above, the MD5 hash only works against Exploit Protection, not all the other components. I have pretty much given up on using MD5 hashes as half the time it will still pick up the file, so I open a forum thread here under False Positives and upload the quarantined file.

Edited by AlexLeadingEdge
13 minutes ago, AdvancedSetup said:

On Windows 10 you can get the MD5 from a command prompt

Interesting, I didn't know that. Unfortunately it still requires releasing potentially infected files back into the wild just to get the MD5.

  • Root Admin

I don't disagree with you, but in a business normally you'd have dozens or hundreds of systems with the same files. You should be able to check and validate from another computer.

I know there are ongoing discussions for improving this in the program.

 

6 minutes ago, AdvancedSetup said:

I don't disagree with you, but in a business normally you'd have dozens or hundreds of systems with the same files. You should be able to check and validate from another computer.

I know there are ongoing discussions for improving this in the program.

Depends on the size of the business and the management software used. Without central management many computers will update themselves at any given day, which may result in dozens of different versions of the same software across a network. Computers that are offline or not on the network cannot be updated, so they have a different version from the majority.

We use SolarWinds RMM to control Windows Updates, and PDQ to try and standardise the versions of programs, but there is only so much that you can do. If you look at the likes of TeamViewer, there are literally hundreds (thousands?) of versions, going from version 1 to version 15, with small build changes in each major version, which means different files, different MD5 hashes.

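An added example, not part of the thread and not Malwarebytes tooling: the MD5 can be taken from copies of the installer that were never quarantined, as suggested above, and grouping the results by hash shows how many distinct builds (and therefore how many separate hash exclusions) exist across machines. The share path and file filter are assumptions; the Authenticode check is an extra sanity step before trusting a copy.

```powershell
# Added example (not from the thread). $SourcePath and $Filter are assumed values:
# point them at folders holding installer copies taken from clean reference machines.
param(
    [string[]]$SourcePath = @('\\fileserver\software\FreeFileSync'),  # hypothetical share
    [string]$Filter = '*.exe'
)

# Hash every matching file and record its version and signature status.
$report = foreach ($file in Get-ChildItem -Path $SourcePath -Filter $Filter -File -Recurse -ErrorAction SilentlyContinue) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        MD5       = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash
        Version   = $file.VersionInfo.FileVersion
        Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Path      = $file.FullName
    }
}

# Collapse to one row per distinct MD5: each row is one candidate exclusion entry.
$summary = $report | Group-Object -Property MD5 | ForEach-Object {
    [pscustomobject]@{
        MD5       = $_.Name
        Copies    = $_.Count
        Versions  = ($_.Group.Version   | Sort-Object -Unique) -join ', '
        Signature = ($_.Group.Signature | Sort-Object -Unique) -join ', '
        Signer    = ($_.Group.Signer    | Sort-Object -Unique) -join '; '
        Example   = $_.Group[0].Path
    }
} | Sort-Object -Property Copies -Descending

$summary | Format-Table -AutoSize

# Anything unsigned or with a broken signature deserves a closer look before
# its hash is added to an exclusion list.
$suspect = $report | Where-Object { $_.Signature -ne 'Valid' }
if ($suspect) {
    Write-Warning "Copies without a valid Authenticode signature:"
    $suspect | Select-Object Path, Signature, MD5 | Format-Table -AutoSize
}
```

As stated earlier in the thread, an MD5 exclusion only applies to Exploit Protection, so a detection by another component still needs a file or folder exclusion.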
