Posted 13 June 2017 - 11:20 PM
Posted 14 June 2017 - 07:50 PM
My name is Zach, and I generally go by sasschary, but you can call me whatever you want.
I personally am not familiar with MSYS2, but I am familiar with Unix systems. At first thought, I agree with you that that is probably a false positive, BUT we should check just to make sure. Based on the fact that the source code is all hosted on GitHub, it seems unlikely to me that ransomware could have been injected without someone noticing.
Let's start out by submitting the file to VirusTotal for scanning, and then we'll run another malware scan.
WARNING: Take extreme caution when following these steps, as the file we are working with may be infected. Whatever you do, definitely DO NOT execute the file.
Let's restore a file from MalwareByte's quarantine
Let's upload a file to VirusTotal
Let's run a scan using AdwCleaner
Before running this software, please save and close anything which you have open, as AdwCleaner will likely force everything to close.
In your next reply, please include the following:
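As an added example (not part of this thread, and not code from Malwarebytes, VirusTotal or the MSYS2 project), the two checks above can be done without ever opening the suspect file in anything but a hashing routine: hash it, compare against the publisher's SHA256, and ask VirusTotal about the hash before deciding whether to upload the file itself. The script assumes the current VirusTotal v3 `files/{hash}` endpoint with an `x-apikey` header; the API key, the sample bytes, and the canned VirusTotal reply are all placeholders constructed for the example so it runs offline.

```python
"""Hash a quarantined/downloaded file and check the hash, without executing it."""
import hashlib
import json
import os
import tempfile
import urllib.error
import urllib.request

# Constructed sample bytes standing in for the quarantined file.
SAMPLE_BYTES = b"not a real msys2 installer, just constructed sample bytes\n"


def write_constructed_sample(directory=None):
    """Write the constructed sample to a temp file; return (path, sha256 hex)."""
    fd, path = tempfile.mkstemp(prefix="sample-", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_BYTES)
    return path, hashlib.sha256(SAMPLE_BYTES).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks. Opening it read-only never executes it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_published_hash(path, published_hex):
    """Integrity check only: a match shows the bytes are what the publisher
    posted, not that the publisher's file is clean (a compromised download
    site can post a matching hash beside a tampered file)."""
    return sha256_of_file(path) == published_hex.strip().lower()


# Assumed: VirusTotal v3 hash lookup endpoint (no upload involved).
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"


def _http_get(url, headers):
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def vt_hash_report(sha256_hex, api_key, fetch=_http_get):
    """Ask VirusTotal whether it already knows this hash.
    Returns (flagged_engines, total_engines), or None if VT has never seen it.
    `fetch` is injectable so the logic can be exercised offline."""
    status, body = fetch(VT_FILE_URL.format(sha256_hex), {"x-apikey": api_key})
    if status == 404:
        return None            # unknown hash: only now consider uploading the file
    if status != 200:
        raise RuntimeError(f"VirusTotal returned HTTP {status}")
    stats = json.loads(body)["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    return flagged, total


def fake_vt_fetch(url, headers):
    """Canned, constructed VirusTotal reply for offline use: 0 of 59 engines flag it."""
    assert "x-apikey" in headers
    if url.endswith("0" * 64):          # treat the all-zero hash as unknown to VT
        return 404, b'{"error": {"code": "NotFoundError"}}'
    reply = {"data": {"attributes": {"last_analysis_stats": {
        "malicious": 0, "suspicious": 0, "undetected": 59, "harmless": 0}}}}
    return 200, json.dumps(reply).encode()


if __name__ == "__main__":
    path, published = write_constructed_sample()
    digest = sha256_of_file(path)
    print("sha256:", digest)
    print("matches published hash:", matches_published_hash(path, published))
    # Drop fetch=fake_vt_fetch and supply a real key to query the live API.
    print("VirusTotal verdict:", vt_hash_report(digest, "YOUR_API_KEY", fetch=fake_vt_fetch))
    os.remove(path)
```

A hash match against the value on the download page proves only that the bytes arrived intact, not that the publisher's copy is trustworthy, which is why the VirusTotal lookup is a separate step; looking up the hash first also avoids uploading a file that may contain private data when VirusTotal has already seen it.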
Posted 14 June 2017 - 08:31 PM
Slight issue with the first one of those: while Malwarebytes notified that it had "quarantined" the file, no such item appears in the quarantine in the program, nor do the notifications appear in the logs. I manually deleted the MSYS2 installation last night, so I don't have the file to give currently. It triggered on a default installation, though, as soon as the initial "pacman -Syuu" was run after installing for the first time, so unless the open source was compromised, I don't know. I verified that the installer SHA256 matched the downloaded file, but that doesn't really mean anything. As for AdwCleaner, I've attached that to this reply. Let me know if you want me to try to reinstall MSYS2 to try to trigger it again.
As for AdwCleaner, it reports no threats found on the computer. I primarily use this computer for messing around with a Linux VM, and as my primary gaming machine, so I'm unsure of where ransomware would even come from to get to this machine.
Posted 14 June 2017 - 08:41 PM
I don't believe the AdwCleaner log got attached properly. You should be able to just copy and paste it into your reply rather than attaching it, as that normally works better, and it's easier for me to refer back to it if I don't have to find the file.
Don't install it again on your machine, just in case it truly is infected. I don't think I'm going to have time tonight, but tomorrow I will try and replicate this on a VM on my machine. For me to do that, I'll need a bit of information about your system and such, so can you please provide me with the following information:
Posted 14 June 2017 - 08:53 PM
Posted 14 June 2017 - 09:12 PM
No problems with the mixup, I probably should have realized myself that if there are no threats the log wouldn't show much. Thanks for the other information, I'm going to try and recreate this situation tomorrow, and then I'll get back to you with anything I find.
In the meantime, I would like to suggest that you make a backup of anything important on your system if you don't have one already. This will give you a way to get your files back in case you are hit with ransomware, and it's just a good idea to keep backups in general. I use COMODO Backup, which you can download here, but there are other solutions as well. If possible, I would back up your files to an external drive of some sort.
I will get back to you tomorrow with my findings concerning MSYS2, assuming I have time, which I should.
Posted 15 June 2017 - 02:52 PM
Hi again HighTide1,
MBAM doesn't seem to find anything wrong in MSYS2 under my VM, and 0 of 59 antivirus engines on VirusTotal found the file to be malicious.
Before going on, I would again suggest that you backup all of your data just in case anything bad does happen, but I do not think anything here is malicious.
Go ahead and try installing MSYS2 again, and redownload it from the website just to ensure its validity. If Malwarebytes pops up again, see if you can then follow my instructions from earlier about restoring the file and submitting it to VirusTotal. If Malwarebytes doesn't flag the file, then I believe what happened the other day was just a fluke, and that it is safe to keep using the program.
Posted 15 June 2017 - 06:26 PM
Posted 16 June 2017 - 12:49 PM
I am still unable to replicate this issue. However, I am quite confident that this is only a false positive, so you do not need to worry about having any infections.
As far as moving on from this, I suggest posting in the antivirus support forum here, where there are other users who may know more about Malwarebytes specifically and can help you in getting MSYS2 working again.