Jump to content

P42 as ransomeware


12Polizei
 Share

Recommended Posts

Hey, not sure waht went wrong but installing the P42 vst3 plguin will still result in a fiasko through Malewarebytes. BTW what kind of silly forum software is this please? The name of the plugin is "P42 Cl1m4x (without the 1 or 4, but the real alphabeth letters. If i write it the forum will tell me hey its most likely spam and wont let me post it. This is the name of the software i have to report here. Is this all a joke)

For those unfamiliar with Audio Plugins: A Plugin is being loadeed by the host DAW application (Digital Audio Workstation) during the initial start or a plugin scan. In this case Malwarebytes will quaranteen the host software (the plugin remains now untouched though) Without the plugin there is no issue whatsoever with the host software.

Tested with Reaper (latest version) and Bitwig.#Malwarebytes team - you can download Reaper (by Cokos ) for free to test the behavior. The plugin developer started this thread, please contact him or use the vst3 plugin he provided to test the behavior. As said, the plugin itself is not being quaranteened but scanning it will result the host DAW to be quaranteened that otherwise has no issue (different Hosts, different companies).

The bahvior is not only here on this system but general, thus it can be excluded that its an issue with malware on my system either.

Here the log what happens when Bitwig studio (latest version 4.1.3 loads p42 plugin). I can only repeat its not a problem with Bitwig. It will only happen when the HOST DAW (that loads the plugin) tries to load the plguin.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 1/14/22
Protection Event Time: 3:11 PM
Log File: e9b9dd0a-7543-11ec-a270-dc41a9a05117.json

-Software Information-
Version: 4.5.0.152
Components Version: 1.0.1538
Update Package Version: 1.0.49797
License: Premium

-System Information-
OS: Windows 10 (Build 19042.1466)
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

File: 1
Malware.Ransom.Agent.Generic, C:\Program Files\Bitwig Studio\4.1.3\bin\BitwigPluginHost-X64-SSE41.exe, Quarantined, 0, 392685, 0.0.0, 9d6d3c925765d635814b2e3b521303ff, 9510e9511683c25e0752b1a312693d00686d6de8c4b78207cca0dbac64b2d896


(end)

 

Link to post
Share on other sites

Quote

For those unfamiliar with Audio Plugins: A Plugin is being loadeed by the host DAW application (Digital Audio Workstation) during the initial start or a plugin scan. In this case Malwarebytes will quaranteen the host software (the plugin remains now untouched though) Without the plugin there is no issue whatsoever with the host software.

just to clarify with scanning for it i mean the DAW scanning for new plugins in this case. A Digital Audio workstation will scan for new plugins in the plugin folders either automatically or by initiating it. Either upon scanning or when loading this specific plugin (p42) inside the DAW the DAW itself (the hosting environment) will be quarantined by Malwarebytes. The Plguing itself will "survive" it. But this caused it. So theres soemthing going wrong either way that triggers Malewarebytes reaction.

Link to post
Share on other sites

Hi, thank you for the swift reply. But the problem will happen with every DAW i guess that scans or includes this plugin.

If we add Bitwig Plugin Host to the whitelist, the same would still happen with Reaper, Pro Tools, Bitwig, Studio one and other hosts. I know it will happen for reaper.

Usually in music production we use a DAW for tracking or producing (like ableton live, bitwig, studio one) and another one for mastering or mixing often Pro Tools, Reaper and so on.

MalwareBytes basically removes the DAW application or part of when  the DAW tries to include the plugin. This seems to happen with every daw. So only whitelisting Bitwig will not help. There is some kind of Behavior detection issue here.

Please advise how to proceed.

Here is the Download for the Reaper DAW (it can be freely downlaoded and installed) https://www.reaper.fm/download.php. Your team should best install 1) Repaer DAW than 2) P42 plugin and than start the DAW. The DAW will scan for the plugin and your team can see what goes wrong when the DAW tries to include it. If nothing happens for some reason try to include the Plugin on one track in Reaper

Same goes for Bitwig. You can download for free a simple 8 track version of any kind for 30 days: https://www.bitwig.com/download/  . You will notice that a part of it will get quaranteened once you try to insert P42 into one of the tracks after entering the demo clode (after it was authorized). 

In any case please advise how to proceed. The DAWs are getting regular updates, so the exe files itself from Reaper and Bitwig may just be a work around but if thats how you like to proceed i can attach them too.

cheers

Link to post
Share on other sites

  • Staff

Hi,

I can't reproduce detection when I install. Can you please provide (zip&attach) the exact BitwigPluginHost-X64-SSE41.exe that was detected in your case? Yes, our antiransomware component is behavior detection. We can whitelist this in a broader way, but that's why we need the exact file that was detected, so we can have a look what's the best way to whitelist, so it won't affect future versions either.

Thanks!

  • Like 1
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.