
A client reported your software flagged our software as ransomware


mchenrysoftware


  • Staff

Hi,

Please zip and attach the medit3dv2.exe file, so we can have a look, as we can't do much at all with a screenshot.

Also, the detection log where the detection is displayed would be needed, as this log contains additional info we need.

Thanks!

Edited to add, we have fixed an FP with this earlier today already. So this might have been fixed already. Please ask your client if they are still getting a detection on this.

Thanks!

malware false positive.png

Edited by miekiemoes

oh yes i see (ability in a forum to send private file)

i will wait to hear from the client. it isn't that large a file (5 megs?) (oh and how we change...i've been in the business a while so seeing the exponential growth of capacity, particularly in wireless (i'm from a long while back 600/1200 baud modem daze! YIKES!))

In our updates we sometimes miss digitally signing a file. If that tells you it isn't digitally signed then it may not have been.

(we try to be sure ALL files are digitally signed but sometimes in the rush to get things out we miss one or two)

Thanks for the heads up and i will let you know the resolution or will send the file if not resolved with your update today.

(waiting to hear back from client)

Thanks!

 

Brian

 

 


  • Staff

Thanks, Brian.

Yes, I understand that files are occasionally not digitally signed, especially when in a rush to have a new version released. :)

Either way, I'll await your response when your client gets back to you. I might not be able to respond today, as I am in the European timezone, but a colleague might take over.

Or it has to wait until tomorrow. :) But I'm quite sure this has been fixed already.


hello

he sent this and mentioned he already OKd the file so no further issues

if you could check and see whether you need the exe

guess it's late in Europe! enjoy the night!

brian

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/30/20
Protection Event Time: 5:39 AM
Log File: 5a0df03a-32f8-11eb-b1a8-00a0cc5ef683.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1122
Update Package Version: 1.0.33644
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 6
Malware.Ransom.Agent.Generic, d:\Users\shans002\Desktop\MEdit3D.lnk, Quarantined, 0, 392685, 0.0.0, C50EE4BE2BFEC6BF315D63F1356B04A9, 6D2C4E1B5519BDF1D0B99E6530F1C65C3243D53B2FB3F0EEB4EEE966B7D8BD32
Malware.Ransom.Agent.Generic, D:\USERS\SHANS001-BACKUP\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\User Pinned\TaskBar\MSoft Msmac3D.lnk, Quarantined, 0, 392685, , ,
Malware.Ransom.Agent.Generic, D:\USERS\SHANS002\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\User Pinned\TaskBar\MSoft Msmac3D (2).lnk, Quarantined, 0, 392685, , ,
Malware.Ransom.Agent.Generic, D:\USERS\SHANS002\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\User Pinned\TaskBar\MSoft Msmac3D.lnk, Quarantined, 0, 392685, , ,
Malware.Ransom.Agent.Generic, C:\MSoft3D\MEDIT3~1.EXE, Quarantined, 0, 392685, 0.0.0, A7FAC07ED174DEAADA27347A26785F75, 404F37FAF864D2007765A59774953989BB0EE419CF400B32B1C166381E450590
Malware.Ransom.Agent.Generic, C:\MSoft3D\medit3dv2.exe, Quarantined, 0, 392685, 0.0.0, a7fac07ed174deaada27347a26785f75, 404f37faf864d2007765a59774953989bb0ee419cf400b32b1c166381e450590


(end)


thank you! here was another one that came up this afternoon on the client's computer. it may be yet another false positive (note last entry)

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/30/20
Protection Event Time: 3:48 PM
Log File: 6f5b1e18-334d-11eb-80c8-00a0cc5ef683.json

-Software Information-
Version: 4.2.3.96
Components Version: 1.0.1122
Update Package Version: 1.0.33662
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 6
Malware.Ransom.Agent.Generic, d:\Users\shans002\Desktop\M3DGraphics.lnk, Quarantined, 0, 392685, 0.0.0, 4A001F53D5756C2B57708E39AE77D3A2, B000D386B99F70C31522AA57E1CD6DEC566929614FE19F19394BBBF89713B677
Malware.Ransom.Agent.Generic, D:\USERS\SHANS001-BACKUP\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\User Pinned\StartMenu\McHenry3DGraphics.lnk, Quarantined, 0, 392685, , ,
Malware.Ransom.Agent.Generic, D:\USERS\SHANS002\APPDATA\ROAMING\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\User Pinned\StartMenu\McHenry3DGraphics.lnk, Quarantined, 0, 392685, , ,
Malware.Ransom.Agent.Generic, C:\MSoft3D\MCHENR~1\MCHENR~1.EXE, Quarantined, 0, 392685, 0.0.0, 1358D71E0DB9AE9158AA35CDFF643A9A, 78058CA96F5C2DEEF06D96C5AFF5EF4F6C9902FC90A9B5BAF03FFF159DC74594
Malware.Ransom.Agent.Generic, C:\MSoft3D\McHenry3DGraphics\MCHENR~1.EXE, Removal Failed, 0, 392685, 0.0.0, 1358D71E0DB9AE9158AA35CDFF643A9A, 78058CA96F5C2DEEF06D96C5AFF5EF4F6C9902FC90A9B5BAF03FFF159DC74594
Malware.Ransom.Agent.Generic, C:\MSoft3D\McHenry3DGraphics\McHenry3DGraphics.exe, Quarantined, 0, 392685, 0.0.0, 1358d71e0db9ae9158aa35cdff643a9a, 78058ca96f5c2deef06d96c5aff5ef4f6c9902fc90a9b5baf03fff159dc74594


(end)

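As an added example (not part of the original thread and not Malwarebytes code), the following triages detection rows in the layout of the logs above: it groups rows by SHA-256 so the 8.3 short-name alias and the long name of one executable count as a single binary, and lists rows without hashes and rows whose action is not "Quarantined". The column meanings are assumed from the visible rows; the sample paths and hashes are constructed.

```python
from collections import defaultdict

# Constructed sample in the layout of the "-Ransomware Details-" rows above.
# Paths and hashes are placeholders, not values from the thread.
MD5, SHA = "A" * 32, "B" * 64
SAMPLE = "\n".join([
    "-Ransomware Details-",
    "File: 4",
    rf"Malware.Ransom.Agent.Generic, C:\App\TOOLV2~1.EXE, Quarantined, 0, 392685, 0.0.0, {MD5}, {SHA}",
    rf"Malware.Ransom.Agent.Generic, C:\App\toolv2.exe, Removal Failed, 0, 392685, 0.0.0, {MD5.lower()}, {SHA.lower()}",
    r"Malware.Ransom.Agent.Generic, C:\Users\u\Desktop\Tool.lnk, Quarantined, 0, 392685, , ,",
    r"Malware.Ransom.Agent.Generic, C:\Users\u\Desktop\Tool, v2.lnk, Quarantined, 0, 392685, , ,",
    "(end)",
])


def parse_row(line):
    """Parse one detection row; return None for headers and other lines.

    Assumed layout: name, path, action, three unlabeled fields, MD5, SHA-256.
    The path is taken as everything between the first field and the last six,
    so a comma inside a file name does not shift the columns.
    """
    head = line.split(",", 1)
    if len(head) != 2:
        return None
    tail = head[1].rsplit(",", 6)
    if len(tail) != 7:
        return None
    path, action, _a, _b, _c, md5, sha256 = (t.strip() for t in tail)
    return {"name": head[0].strip(), "path": path, "action": action,
            "md5": md5.lower(), "sha256": sha256.lower()}


def summarize(text):
    """Return (paths per SHA-256, paths without a hash, paths not quarantined)."""
    by_hash, unhashed, not_quarantined = defaultdict(list), [], []
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        if row["action"] != "Quarantined":
            not_quarantined.append(row["path"])
        # Hashes appear in both upper and lower case, so compare lowercased.
        (by_hash[row["sha256"]] if row["sha256"] else unhashed).append(row["path"])
    return dict(by_hash), unhashed, not_quarantined


if __name__ == "__main__":
    print(summarize(SAMPLE))
```
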
