
Malwarebytes Anti-Ransomware and MSYS2 False Positives?


8 replies to this topic

#1 HighTide1

HighTide1

  • Members
  • 75 posts

Posted 13 June 2017 - 11:20 PM

Hello everyone. Sorry to bother, but I wanted to get a second opinion on this, as it just happened today, and doesn't seem like it should be. For anyone who doesn't know, MSYS2 is a platform on Windows that emulates a Unix environment, complete with a package manager (pacman) and a Unix file system. Last night, I was working on updating my build tools, but when updating pacman, the program first reported permission denied, followed by Malwarebytes reporting a Ransomware quarantine of pacman.exe, which then causes my MSYS2 installation to completely break, requiring a complete reinstall. I can't find any info on this online, but I'm fairly confident that pacman.exe from MSYS2 is not ransomware, despite the familiar name to the pacman ransomware. I've run Malwarebytes and ESET after these notifications and nothing comes up, so I want to get a second opinion. Is Malwarebytes just suffering from a false positive?


#2 sasschary

sasschary

  • Malware Study Hall Senior
  • 852 posts
  • Gender:Male
  • Location:A galaxy far, far away...

Posted 14 June 2017 - 07:50 PM

Hi, HighTide1!
 
My name is Zach, and I generally go by sasschary but you can call me whatever you want :)
 
I personally am not familiar with MSYS2, but I am familiar with Unix systems. I, at first thought, agree with you that that is probably a false positive, BUT we should check just to make sure. Based on the fact that the source code is all hosted on GitHub, it seems unlikely to me that a ransomware could have been injected without someone noticing.
 
Let's start out by submitting the file to VirusTotal for scanning, and then we'll run another malware scan.

 

WARNING: Take extreme caution when following these steps, as the file we are working with may be infected. Whatever you do, definitely DO NOT execute the file.
 

Let's restore a file from Malwarebytes' quarantine

  • Use your start menu to search for and open Malwarebytes Anti-Malware.
  • If a User Account Control dialog box opens, click Yes to allow Malwarebytes to run.
  • Once Malwarebytes opens, click on the History tab. Then, if it is not selected already, click on the Quarantine section.
  • Click the checkbox next to pacman.exe, then click Restore.
  • Malwarebytes will show a confirmation dialog box. Click Yes to restore the file.
  • Finally, close Malwarebytes.

Let's upload a file to VirusTotal

  • Please go to VirusTotal.
  • Once on the VirusTotal homepage, click Choose File.
  • In the Open dialog box which appears, browse to pacman.exe, and click Open.
  • Click Scan it!
  • VirusTotal will start scanning your file. If a box pops up asking you if you want to reanalyze your file, please click Reanalyze.
  • Once the file analysis has completed, please copy the URL from the top of the page (It should start with something like https://www.virustotal.com/en/file/) and paste it into your next reply.

Let's run a scan using AdwCleaner

Before running this software, please save and close anything which you have open, as AdwCleaner will likely force everything to close.

  • Download AdwCleaner from here and save it to your desktop.
  • On your desktop, right click AdwCleaner and click Run as Administrator.
  • If a User Account Control dialog box appears, click Yes to allow AdwCleaner to run.
  • When AdwCleaner opens, click Scan.
  • After the scan has completed, if any threats are found, click the Clean button. Otherwise, just tell me AdwCleaner found no threats and skip down to the next section.
  • AdwCleaner will ask you to save your data and close your programs. Once you have done so, click OK to continue.
  • Once AdwCleaner has completed the cleaning process, it will ask you to restart your computer. Click OK to allow AdwCleaner to restart your system.
  • Once your system has rebooted, a notepad window should appear. Please copy and paste its contents into your next reply.

In your next reply, please include the following:

  • VirusTotal URL
  • AdwCleaner.txt

sasschary



#3 HighTide1

HighTide1
  • Topic Starter

  • Members
  • 75 posts

Posted 14 June 2017 - 08:31 PM

Hello sasschary,

Slight issue with the first one of those, as while Malwarebytes notifies that it had "quarantined" the file, no such item appears in the quarantine in the program, nor do the notifications appear in the logs. I manually deleted the MSYS2 installation last night, so I don't have the file to give currently. It triggered on a default installation, though, as soon as the initial "pacman -Syuu" was run after installing for the first time, so unless the open source was compromised, I don't know. I verified that the installer SHA256 matched the downloaded file, but that doesn't really mean anything. As for AdwCleaner, I've attached that to this reply. Let me know if you want me to try and reinstall MSYS2 to try and trigger it again.

As for AdwCleaner, it reports no threats found on the computer. I primarily use this computer for messing around with a Linux VM, and as my primary gaming machine, so I'm unsure of where ransomware would even come from to get to this machine.



#4 sasschary

sasschary

  • Malware Study Hall Senior
  • 852 posts
  • Gender:Male
  • Location:A galaxy far, far away...

Posted 14 June 2017 - 08:41 PM

Hi HighTide1,

 

I don't believe the AdwCleaner log got attached properly. You should be able to just copy and paste it into your reply rather than attaching it, as that normally works better, and it's easier for me to refer back to it if I don't have to find the file.

 

Don't install it again on your machine, just in case it truly is infected. I don't think I'm going to have time tonight, but tomorrow I will try and replicate this on a VM on my machine. For me to do that, I'll need a bit of information about your system and such, so can you please provide me with the following information:

  • The operating system you are running
  • The Malwarebytes version number
  • The MSYS2 version number

Thanks,

sasschary



#5 HighTide1

HighTide1
  • Topic Starter

  • Members
  • 75 posts

Posted 14 June 2017 - 08:53 PM

Hello sasschary.

Sorry for the mixup. AdwCleaner had no log, as it reported no threats on the system. I could have it generate a log file, but wouldn't that just be a blank file?

For further information, my OS is Windows 7 Professional 64-bit, with Malwarebytes Premium 3.1.2 detecting pacman.exe on msys2-x86_64-20161025. I'm not sure if that's the exact version number, but it's just the latest from the webpage.

#6 sasschary

sasschary

  • Malware Study Hall Senior
  • 852 posts
  • Gender:Male
  • Location:A galaxy far, far away...

Posted 14 June 2017 - 09:12 PM

Hi HighTide1,

 

No problems with the mixup, I probably should have realized myself that if there are no threats the log wouldn't show much. Thanks for the other information, I'm going to try and recreate this situation tomorrow, and then I'll get back to you with anything I find.

 

In the meantime, I would like to suggest that you make a backup of anything important on your system if you don't have one already. This will give you a way to get your files back in case you are hit with a ransomware, and it's just a good idea to keep backups in general. I use COMODO Backup, which you can download here, but there are other solutions as well. If possible, I would backup your files to an external drive of some sort.

 

I will get back to you tomorrow with my findings concerning MSYS2, assuming I have time, which I should.

 

sasschary



#7 sasschary

sasschary

  • Malware Study Hall Senior
  • 852 posts
  • Gender:Male
  • Location:A galaxy far, far away...

Posted 15 June 2017 - 02:52 PM

Hi again HighTide1,

 

MBAM doesn't seem to find anything wrong in MSYS2 under my VM, and 0 of 59 antivirus programs found the file to be malicious on VirusTotal.

 

Before going on, I would again suggest that you backup all of your data just in case anything bad does happen, but I do not think anything here is malicious.

 

Go ahead and try installing MSYS2 again, and redownload it from the website just to ensure its validity. If Malwarebytes pops up again, see if you can then follow my instructions from earlier about restoring the file and submitting it to VirusTotal. If Malwarebytes doesn't flag the file, then I believe what happened the other day was just a fluke, and that it is safe to keep using the program.

 

sasschary



#8 HighTide1

HighTide1
  • Topic Starter

  • Members
  • 75 posts

Posted 15 June 2017 - 06:26 PM

Hi sasschary,

After backing up my data, I tried the installation procedure again, scanning the files through VirusTotal and my local antivirus (ESET and Malwarebytes) in order to try and determine where the issue lay. After downloading the installer, all checks came clean, and initial installation proceeded without any issue. After I subsequently ran pacman through the initial setup (i.e. running "pacman -Syuu" for the first time), I didn't have an issue, unlike what happened last time. VirusTotal and antivirus came clean again as well. When I tried "pacman -Syuu" again, though, I faced the same issue, but it progressed differently.

Unlike what happened before, where it seemed that Malwarebytes quarantined (but didn't actually move the file) pacman and then it reported "permission denied", this run first reported "permission denied", and then a couple of seconds later, Malwarebytes reported it quarantined (but did not move the file away). Subsequent attempts at both submission to VirusTotal and antivirus scans failed due to requiring administrator access, despite my own account being the administrator. Antivirus scans reported it clean, but showed no files scanned. Any attempts to move or otherwise change the file also failed due to this. After restarting my computer, I was able to scan the file through VirusTotal and my antivirus, but it came up clean.

The way I see it, I think that, for some reason, my installations of MSYS2 seem to suddenly swap to super-administrator access, and the sudden appearance of a non-accessible file that was overwriting other files triggered the Anti-Ransomware component of Malwarebytes. As of writing this, the popup has not appeared again, so it seems to be tied to when the program is launched. As an aside from this, I'm not sure if it's related, but my computer's performance seems to be a bit "wonky" after restarting from the issue, with it stuttering to keep up for some operations (I have 16 GB RAM and a 2.5 GHz processor, so I don't think launching Windows Explorer should result in everything going non-responsive for 15 seconds).

Sorry for the wall of text, but I wanted to let you know the step-by-step of what happened. Any advice on what I should try next, or more scans I could run?

#9 sasschary

sasschary

  • Malware Study Hall Senior
  • 852 posts
  • Gender:Male
  • Location:A galaxy far, far away...

Posted 16 June 2017 - 12:49 PM

Hi HighTide1,

 

I am still unable to replicate this issue. However, I am quite confident that this is only a false positive, so you do not need to worry about having any infections.

 

As far as moving on from this, I suggest posting in the antivirus support forum here, where there are other users who may know more about Malwarebytes specifically and can help you in getting MSYS2 working again.

 

sasschary


