
P42 as ransomware


12Polizei


Hey, not sure what went wrong but installing the P42 vst3 plugin will still result in a fiasco through Malwarebytes. BTW what kind of silly forum software is this please? The name of the plugin is "P42 Cl1m4x" (without the 1 or 4, but the real alphabet letters. If I write it the forum will tell me hey it's most likely spam and won't let me post it. This is the name of the software I have to report here. Is this all a joke?)

For those unfamiliar with audio plugins: a plugin is loaded by the host DAW application (Digital Audio Workstation) during the initial start or a plugin scan. In this case Malwarebytes will quarantine the host software (the plugin remains untouched though). Without the plugin there is no issue whatsoever with the host software.

Tested with Reaper (latest version) and Bitwig. Malwarebytes team - you can download Reaper (by Cockos) for free to test the behavior. The plugin developer started this thread, please contact him or use the vst3 plugin he provided to test the behavior. As said, the plugin itself is not being quarantined but scanning it will result in the host DAW being quarantined, which otherwise has no issue (different hosts, different companies).

The behavior is not only here on this system but general, thus it can be excluded that it's an issue with malware on my system either.

Here is the log of what happens when Bitwig Studio (latest version 4.1.3) loads the p42 plugin. I can only repeat it's not a problem with Bitwig. It will only happen when the HOST DAW (that loads the plugin) tries to load the plugin.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 1/14/22
Protection Event Time: 3:11 PM
Log File: e9b9dd0a-7543-11ec-a270-dc41a9a05117.json

-Software Information-
Version: 4.5.0.152
Components Version: 1.0.1538
Update Package Version: 1.0.49797
License: Premium

-System Information-
OS: Windows 10 (Build 19042.1466)
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

File: 1
Malware.Ransom.Agent.Generic, C:\Program Files\Bitwig Studio\4.1.3\bin\BitwigPluginHost-X64-SSE41.exe, Quarantined, 0, 392685, 0.0.0, 9d6d3c925765d635814b2e3b521303ff, 9510e9511683c25e0752b1a312693d00686d6de8c4b78207cca0dbac64b2d896


(end)

 


Quote

For those unfamiliar with audio plugins: a plugin is loaded by the host DAW application (Digital Audio Workstation) during the initial start or a plugin scan. In this case Malwarebytes will quarantine the host software (the plugin remains untouched though). Without the plugin there is no issue whatsoever with the host software.

Just to clarify: with scanning for it I mean the DAW scanning for new plugins in this case. A Digital Audio Workstation will scan for new plugins in the plugin folders either automatically or by initiating it. Either upon scanning or when loading this specific plugin (p42) inside the DAW, the DAW itself (the hosting environment) will be quarantined by Malwarebytes. The plugin itself will "survive" it. But this caused it. So there's something going wrong either way that triggers Malwarebytes' reaction.


Hi, thank you for the swift reply. But the problem will happen with every DAW, I guess, that scans or includes this plugin.

If we add Bitwig Plugin Host to the whitelist, the same would still happen with Reaper, Pro Tools, Bitwig, Studio One and other hosts. I know it will happen for Reaper.

Usually in music production we use a DAW for tracking or producing (like Ableton Live, Bitwig, Studio One) and another one for mastering or mixing, often Pro Tools, Reaper and so on.

Malwarebytes basically removes the DAW application or part of it when the DAW tries to include the plugin. This seems to happen with every DAW. So only whitelisting Bitwig will not help. There is some kind of behavior detection issue here.

Please advise how to proceed.

Here is the download for the Reaper DAW (it can be freely downloaded and installed): https://www.reaper.fm/download.php. Your team should best install 1) Reaper DAW, then 2) P42 plugin, and then start the DAW. The DAW will scan for the plugin and your team can see what goes wrong when the DAW tries to include it. If nothing happens for some reason, try to include the plugin on one track in Reaper.

Same goes for Bitwig. You can download for free a simple 8 track version of any kind for 30 days: https://www.bitwig.com/download/ . You will notice that a part of it will get quarantined once you try to insert P42 into one of the tracks after entering the demo code (after it was authorized).

In any case please advise how to proceed. The DAWs are getting regular updates, so the exe files themselves from Reaper and Bitwig may just be a workaround, but if that's how you like to proceed I can attach them too.

cheers


  • Staff

Hi,

I can't reproduce detection when I install. Can you please provide (zip&attach) the exact BitwigPluginHost-X64-SSE41.exe that was detected in your case? Yes, our antiransomware component is behavior detection. We can whitelist this in a broader way, but that's why we need the exact file that was detected, so we can have a look what's the best way to whitelist, so it won't affect future versions either.

Thanks!


  • 4 months later...

It just happened again. Newest Bitwig 4.3 Beta4 version, newest P42 version. This shouldn't happen again with the same programs. It's unloading work on the users.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 09/06/2022
Protection Event Time: 14:36
Log File: c8252184-e7f0-11ec-a79c-10050142ca7d.json

-Software Information-
Version: 4.5.9.198
Components Version: 1.0.1676
Update Package Version: 1.0.55974
Licence: Premium

-System Information-
OS: Windows 10 (Build 18363.1556)
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

File: 1
Malware.Ransom.Agent.Generic, C:\Program Files\Bitwig Studio\4.3 Beta 4\bin\BitwigPluginHost-X64-SSE41.exe, Delete on Reboot, 0, 392685, 0.0.0, 5355b53f45a3eef7f52f8e3c8d29ff65, efd2ffee4cb10da07a5454b981252ef09adaa4e70210924d6d1944c18b860176


(end)

BitwigPluginHost-X64-SSE41.zip

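Added example, not part of any post in this thread and not Malwarebytes or Bitwig code: a short Python parser for the "File:" entries of the two reports above. It shows that the same detection name hit the same host executable name under two different digests, so an exclusion pinned to one build's digest would not carry over to the next build. The field names are this example's own labels (an assumption), since the report does not name them.

```python
import ntpath
import re

# "File:" entries copied verbatim from the two reports posted in this thread.
REPORT_LINES = [
    r"Malware.Ransom.Agent.Generic, C:\Program Files\Bitwig Studio\4.1.3\bin\BitwigPluginHost-X64-SSE41.exe, Quarantined, 0, 392685, 0.0.0, 9d6d3c925765d635814b2e3b521303ff, 9510e9511683c25e0752b1a312693d00686d6de8c4b78207cca0dbac64b2d896",
    r"Malware.Ransom.Agent.Generic, C:\Program Files\Bitwig Studio\4.3 Beta 4\bin\BitwigPluginHost-X64-SSE41.exe, Delete on Reboot, 0, 392685, 0.0.0, 5355b53f45a3eef7f52f8e3c8d29ff65, efd2ffee4cb10da07a5454b981252ef09adaa4e70210924d6d1944c18b860176",
]

HEX32 = re.compile(r"[0-9a-f]{32}")
HEX64 = re.compile(r"[0-9a-f]{64}")


def parse_detection(line):
    """Split one detection entry into fields.

    Field names are this example's own labels (assumption); the report does
    not name them. The two trailing values are recognised only by length.
    """
    detection, rest = line.strip().split(", ", 1)
    # Split from the right so a comma inside the path cannot shift fields.
    path, action, *unlabelled, hex32, hex64 = rest.rsplit(", ", 6)
    if not (HEX32.fullmatch(hex32) and HEX64.fullmatch(hex64)):
        raise ValueError("unexpected trailing fields: %r" % line)
    return {"detection": detection, "path": path, "action": action,
            "unlabelled": unlabelled, "hex32": hex32, "hex64": hex64}


def digests_by_file(records):
    """Group 64-hex digests by (detection name, lower-cased file name)."""
    groups = {}
    for rec in records:
        key = (rec["detection"], ntpath.basename(rec["path"]).lower())
        groups.setdefault(key, set()).add(rec["hex64"])
    return groups


def digest_pin_is_stable(records):
    """False when one file name was flagged under more than one digest."""
    return all(len(d) == 1 for d in digests_by_file(records).values())


if __name__ == "__main__":
    recs = [parse_detection(entry) for entry in REPORT_LINES]
    for key, digests in digests_by_file(recs).items():
        print(key, len(digests), "distinct binaries")
    print("digest-pinned exclusion stable:", digest_pin_is_stable(recs))
```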
