Malwarebytes blocks threat, where did the file go?


11 replies to this topic

#1 cornflakes2

cornflakes2

  • Members
  • 228 posts
  • OFFLINE
  •  
  • Local time:08:45 AM

Posted 04 April 2015 - 11:04 PM

Sometimes Malwarebytes will block a threat but it isn't, and then the file disappears right before my eyes.

 

I'm trying to retrieve that file that Malwarebytes blocked but can't find it. Where did it go? Is it deleted or quarantined in some folder that I can simply "restore" back to its original folder?

 

 




 


#2 1PW

1PW

  • Members
  • 316 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North of the 38th parallel.
  • Local time:03:45 PM

Posted 04 April 2015 - 11:58 PM

Hello cornflakes2:

 

If your computer has Malwarebytes Anti-Malware Premium installed and running, and an identified file was blocked while downloading, then the file in question is not able to be conventionally retrieved. If found by on-access or on-demand scanning then, by option, the file can be quarantined in an encrypted form, deleted or ignored.

 

If the file in question was deleted by MBAM, standard file recovery actions can still retrieve it if attempted immediately, and where no HDD defragmentation, optimization or other write activities are allowed.

 

If you can bring somewhat more clarity to your post, more details could follow.


All viruses are malware but not all malware are viruses and if the malware doesn't self replicate it just isn't a virus.


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:45 PM

Posted 05 April 2015 - 06:34 AM

It would also be helpful if you could create and post a screenshot of the threat detection...

How do I post a screen shot?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#4 cornflakes2

cornflakes2
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  •  
  • Local time:08:45 AM

Posted 06 April 2015 - 02:25 AM

> It would also be helpful if you could create and post a screenshot of the threat detection...
>
> How do I post a screen shot?

 

Oh, unfortunately it's a polka-roo thing. It happens so quickly that I can't possibly grab a screenshot of it in time unless I was to re-do it (that is, reinstall the program again, then have MB scan for it, quarantine it and make my file disappear).

 

Basically, let's say my file is called "file 1" in the folder "A".  When I opened my folder A, I can see file 1 there, but when I execute it, MB will tell me that it blocked it (threat) and then suddenly file 1 vanishes like it was raptured!   

 

I couldn't find it ever again so I would just reinstall the program and shut off MB next time. I believe I have found the solution. MB has a quarantine folder and I can find it there and simply restore it (also add it to exclusion list so next time it won't quarantine it again).



#5 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,630 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:45 PM

Posted 06 April 2015 - 05:29 AM

If you think that this file is a false positive, you should submit it in the proper section of Malwarebytes Forums so they can whitelist it and add it in the next database update.

https://forums.malwarebytes.org/index.php?/forum/42-file-detections/

However, are you sure that this file is harmless? What is it exactly? What does it do? If you upload it on VirusTotal, does it come back with suspicious detections from other vendors? Could you share the VirusTotal report URL here?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:45 PM

Posted 06 April 2015 - 10:19 AM

> ....I believe I have found the solution. MB has a quarantine folder and I can find it there and simply restore it (also add it to exclusion list so next time it won't quarantine it again).

That's one solution but still you should report this in the Malwarebytes false positive forum for the Research Team.

#7 cornflakes2

cornflakes2
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  •  
  • Local time:08:45 AM

Posted 07 April 2015 - 01:47 AM

Oh, sorry, it's an executable file (cheat) for a game, but MB keeps deleting it or moving it somewhere.  I checked in the history section of MB but there's no file there.  So I'm still not sure where it went.   I've used it many times before with no problems but when I got MB, it started to just remove it from the folder and I still have no idea where it went.



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:45 PM

Posted 07 April 2015 - 04:16 AM


What is the name of the file (.exe) and where was it originally located? If you cannot submit the file, the logs will show the detection, file path and what action was taken. You can post the log in the Malwarebytes forum when reporting this detection.

Refer to this topic for instructions on how to properly save/export a Scan log...How do I access and save logs from Malwarebytes Anti-Malware?.

#9 cornflakes2

cornflakes2
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  •  
  • Local time:08:45 AM

Posted 07 April 2015 - 06:47 AM

OK, I think I know what I have to do in the future so it doesn't just delete the files. I will go into settings and under 'detection and protection' will change "PUP detections" from "treat detections as malware" which just deletes them to 'warn user about detection' so I can have the chance to exclude it before MB auto deletes it without asking me first.

 

Thanks so much for you guys taking the time to respond!



#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:45 PM

Posted 07 April 2015 - 07:02 AM

That will work but I am not sure why you don't report this. If the MBAM research team can remove the detection, you would not have to change the PUP settings to warn only.

#11 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,630 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:45 PM

Posted 07 April 2015 - 09:22 AM

> Oh, sorry, it's an executable file (cheat) for a game, but MB keeps deleting it or moving it somewhere.


That "cheat" is most likely getting detected and removed by Malwarebytes because it has malware-like behaviors (such as process injection), since it's the case with most cheats that exist (or "hacks"). There's also a chance that this cheat could also be malicious, but unless one of their Research Engineers analyses it, we cannot say.

Edited by Aura., 07 April 2015 - 09:22 AM.



#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:45 PM

Posted 07 April 2015 - 10:51 AM

As I said the file should be submitted but that is cornflakes2's choice.



