Author Topic: I hate False Positives and need help correcting one

wraith808

I hate False Positives and need help correcting one
« on: March 07, 2018, 10:23 AM »
First a disclaimer: I run Malwarebytes.  I don't really think that, given my habits, it's a necessity, but I do it anyway.  Mostly for ransomware, as my server got hit with it a while ago, though it wasn't user error, rather an exploit of RDP.  That was a real nightmare, so I continue to run it.

I was installing some things in msys2 and hadn't thought to exclude my dev tools directory.  MB incorrectly identified pacman.exe as ransomware, removed all rights from the file, and changed the owner to no one.  I have now added an exclusion, but is there a way to reverse the actions of MB, i.e. make pacman accessible?  Deleting it wouldn't have been worse than this.

I really don't want to start from scratch with a new installation of msys2.  Does anyone know of a way to regain access to a file that's been locked down like this?

[Screenshot: pacman.png]
[Screenshot: pacman2.png]

Stoic Joker

Re: I hate False Positives and need help correcting one
« Reply #1 on: March 07, 2018, 11:12 AM »
You should just be able to take ownership of the file and then re-enable inheritance (and/or assign whatever permissions you like/need) for it.

wraith808

Re: I hate False Positives and need help correcting one
« Reply #2 on: March 07, 2018, 11:26 AM »
You should just be able to take ownership of the file and then re-enable inheritance (and/or assign whatever permissions you like/need) for it.

Nope.  The owner was set to nothing, and since there was no owner and I didn't have permissions, I couldn't take ownership.

I did keep going as this was pretty critical and figured it out with the help of Malwarebytes techs.

I disabled anti-ransomware, and it restored the permissions.  Then I was able to enable it, and with the exclusions in place it didn't detect it.  With that workaround in place, it makes it a lot less questionable what they did, but it did almost give me a heart attack.  I was up until 2 AM my time trying before I gave up.

Also, for anyone interested, the logs are there; they just don't show up in the protection log.  You have to look in C:\ProgramData\Malwarebytes\MBAMService\ArwDetections to see if it's there.  If it's not, it's in the mbamservice.log located in C:\ProgramData\Malwarebytes\MBAMService\LOGS
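
An added example (not posted by anyone in this thread) that puts Reply #1's repair steps and Reply #2's log locations into one elevated PowerShell script: it reports the file's current owner and ACL state, searches the two Malwarebytes log locations named above for a record of the file, and then attempts the standard takeown / icacls reset. The pacman.exe path is a hypothetical placeholder.

```powershell
# Added example, not from the thread. Run from an elevated (Administrator) prompt.
param(
    # Hypothetical path; substitute the file the anti-ransomware module locked down.
    [string]$Path = 'C:\msys64\usr\bin\pacman.exe'
)

# 1. Inspect the security descriptor. If every right was stripped, even
#    reading the ACL can fail, which is itself a useful signal.
try {
    $acl = Get-Acl -LiteralPath $Path
    "Owner: '$($acl.Owner)'"
    "Explicit ACEs: $($acl.Access.Count); inheritance disabled: $($acl.AreAccessRulesProtected)"
} catch {
    "Cannot read ACL for $Path : $($_.Exception.Message)"
}

# 2. Look for a detection record in the locations given in Reply #2.
$arwDir = 'C:\ProgramData\Malwarebytes\MBAMService\ArwDetections'
$svcLog = 'C:\ProgramData\Malwarebytes\MBAMService\LOGS\mbamservice.log'
$name   = [IO.Path]::GetFileName($Path)
if (Test-Path -LiteralPath $arwDir) {
    Get-ChildItem -LiteralPath $arwDir -Recurse -File |
        Select-String -SimpleMatch $name -List |
        ForEach-Object { "ARW detection record: $($_.Path)" }
}
if (Test-Path -LiteralPath $svcLog) {
    Select-String -LiteralPath $svcLog -SimpleMatch $name |
        Select-Object -Last 5 |
        ForEach-Object { "mbamservice.log: $($_.Line)" }
}

# 3. Standard repair: give ownership to the Administrators group, then reset
#    the ACL so the file inherits its parent's permissions again (Reply #1).
#    If the protection module still holds the file locked, both commands
#    return "Access is denied" until that module is paused or an exclusion
#    is in place, which is what the thread ends up doing.
takeown /F $Path /A | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed for $Path; the file is still locked" }
icacls $Path /reset | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls /reset failed for $Path" }
"Repaired. Owner is now: $((Get-Acl -LiteralPath $Path).Owner)"
```

Step 3 deliberately stops at the first failure so you can tell whether ownership or inheritance is the part still being blocked.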

Shades

Re: I hate False Positives and need help correcting one
« Reply #3 on: March 07, 2018, 09:40 PM »
Is the Admin account on your system not capable of changing ownership of files and/or folders?  This account is by default disabled, but enabling it is done in a second or so.

wraith808

Re: I hate False Positives and need help correcting one
« Reply #4 on: March 07, 2018, 10:53 PM »
Is the Admin account on your system not capable of changing ownership of files and/or folders?  This account is by default disabled, but enabling it is done in a second or so.

Again, they had removed (or apparently changed to an account that they created) the ownership.  The admin account couldn't access it either, as all rights had been removed.

mouser

Re: I hate False Positives and need help correcting one
« Reply #5 on: March 08, 2018, 12:09 AM »
It's nice that these security programs are trying to protect us, but it's absolutely unacceptable for these programs not to be designed with the assumption that they are going to make false positive mistakes.  They should make it super easy to undo any action they might take.  Any program that doesn't do that is not ready for public use.

Stoic Joker

Re: I hate False Positives and need help correcting one
« Reply #6 on: March 08, 2018, 06:57 AM »
It's nice that these security programs are trying to protect us, but it's absolutely unacceptable for these programs not to be designed with the assumption that they are going to make false positive mistakes.  They should make it super easy to undo any action they might take.  Any program that doesn't do that is not ready for public use.

Agreed, especially if they're going to break basic system recovery functions in the process ... forcing you to call them to get your files back. That's just having your files hijacked by a different entity... not protecting them.

Any administrative account on the system should be able to take ownership of a file.

wraith808

Re: I hate False Positives and need help correcting one
« Reply #7 on: March 08, 2018, 08:13 AM »
Didn't work.  That screen grab was from an admin account. And it always gave me some error related to the fact that there was no owner, then an access denied. I tried takeown, accesschk, takeown as the system user, icacls, some tool that I downloaded and forget the name of. In other words, I did all of the obvious things.

Thinking on it from the perspective of a developer, what is the one thing you can do to always give an "access is denied" message?  Put a lock on a file.  Then no one can change the file unless you remove the locks, and I didn't think to check that.

Stoic Joker

Re: I hate False Positives and need help correcting one
« Reply #8 on: March 08, 2018, 11:19 AM »
Didn't work.  That screen grab was from an admin account.

Yeah, they actually look pretty normal for that type of permissions issue, but the change owner link should have let you (as an admin) set it to whatever you wanted/needed.

Thinking on it from the perspective of a developer, what is the one thing you can do to always give an "access is denied" message?  Put a lock on a file.  Then no one can change the file unless you remove the locks, and I didn't think to check that.

Agreed ... And along the lines of what I was referring to as a hijack in the last post.

We really are getting into an era where the cure is worse than the disease more often than not.

wraith808

Re: I hate False Positives and need help correcting one
« Reply #9 on: March 09, 2018, 01:06 AM »
We really are getting into an era where the cure is worse than the disease more often than not.

I don't think we're there for ransomware.  Which is the reason I keep running it.  I don't really think I need it.  But my server got hit with it (through an RDP exploit) last year, and that experience is making me leery...

Deozaan

Re: I hate False Positives and need help correcting one
« Reply #10 on: March 11, 2018, 11:52 PM »
I think the solution for ransomware is to just make regular backups of everything that's important. If you get hit by some ransomware, just format everything and restore from backup.

There are so many free (or inexpensive) cloud services available that the only real excuse (for the average person) for not having good backups is ignorance (e.g., not knowing how, or not understanding the risks) or apathy (e.g., laziness, understanding the risks but not caring or not thinking they're probable).

As for me, I fit in the laziness category. :D

mouser

Re: I hate False Positives and need help correcting one
« Reply #11 on: March 12, 2018, 05:29 AM »
I think the solution for ransomware is to just make regular backups of everything that's important. If you get hit by some ransomware, just format everything and restore from backup.

Bingo.
In my view this is the proper solution to almost any security breach. Trying to "repair" the damage is an uphill battle.  Better to just restore from a known good state.

wraith808

Re: I hate False Positives and need help correcting one
« Reply #12 on: March 12, 2018, 08:14 AM »
I think the solution for ransomware is to just make regular backups of everything that's important. If you get hit by some ransomware, just format everything and restore from backup.

There are so many free (or inexpensive) cloud services available that the only real excuse (for the average person) for not having good backups is ignorance (e.g., not knowing how, or not understanding the risks) or apathy (e.g., laziness, understanding the risks but not caring or not thinking they're probable).

As for me, I fit in the laziness category. :D

Free services?  I haven't made images and just back up my critical files (documents, code) because I've not found one that I (a) trust to be around and (b) find reasonable.  Doing it on my own servers is a lot more work and cost because of the need for more infrastructure at home.

That's the reason I run anti-ransomware.  I wouldn't be crippled by it long term and wouldn't lose critical files, but it would be a pain to get up and running.