False positive


Dinac23

15 minutes ago, cli said:

Do you have a scan log?

It was in the OP's zip.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/03/2021
Protection Event Time: 11:29
Log File: fa96528c-825c-11eb-9496-c8f733c5dddd.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.37995
Licence: Premium

-System Information-
OS: Windows 10 (Build 19041.804)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, C:\Users\M\AppData\Local\Temp\QueryStorm2\Runtime\0d2773a1725846c58afe74ed0beeb92a\SQLite.Interop.QS.dll, Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: Microsoft Office Excel
Protection Layer: Application Behavior Protection
Protection Technique: Exploit LoadLibrary attempt blocked
File Name: C:\Users\M\AppData\Local\Temp\QueryStorm2\Runtime\0d2773a1725846c58afe74ed0beeb92a\SQLite.Interop.QS.dll
URL:

 

(end)


  • Root Admin

Hello @Dinac23

I just ran the installer and had no issues with detection or blocking.

What product are you using? A standalone version of MBAE or a Business product or the Malwarebytes 4 Consumer product?

Can you please run the following to get me a full set of logs?

Upload Malwarebytes Support Tool logs offline

Thank you

 

 


  • 3 weeks later...

Hey @AdvancedSetup, sorry for the delay, but the client has not replied to my email so I had to give it some time before giving up on expecting a reply.

The only thing that I didn't mention from the beginning of our conversation is that the client mentioned the following:
 

Quote

Loading of SQLite.Interop.QS.dll was blocked by the "Application Behavior Protection" part of Malwarebytes rather than a scan.

So maybe the false positive occurs when using QueryStorm? If I had to guess, it would occur when clicking on the SQL button in the QueryStorm tab in Excel.

Is this helpful information? 


  • Root Admin

They may have had a non-default setting in the program settings.

Typically you can click on Restore Defaults under the Advanced setting via the main Settings.

We've also made some changes to the meta-data that may also help prevent the block. If they're still getting a block though please let us know and gather logs.

 


Thank you @Dinac23

 

