Real threat or false positive?

Discussion in 'sandboxing & virtualization' started by Acadia, Jun 29, 2020.

  1. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Something weird has been happening to me three times now in the past 2 weeks. First the stats: Windows 10 1909 18363.836; Malwarebytes 4.1.0.56; Sandboxie 5.33.6; Firefox 77.0.1.

    I am surfing away on Firefox inside of Sandboxie. Suddenly they both die and I get a popup from Malwarebytes: Ransomware blocked, Malware.Ransom.Agent.Generic. I delete the contents of Sandboxie and try to start over again. I always do this by clicking on the Sandboxed Web Browser that Sandboxie puts on the desktop. I get a Sandboxie error: Cannot run iexplore.exe due to restrictions, etc. I have NEVER run Internet Explorer on this system since the day I bought it. Somehow the Sandboxie icon is trying to bring up IE instead of Firefox. So I go to the Firefox icon on my desktop, the reddish fox, and try to bring up Firefox WITHOUT being inside of Sandboxie. But now the reddish fox is gone and there is only a blank white icon, but I click on it anyway. Firefox fails to appear and I get a message: Windows cannot access the specified path, etc.

    I recover my entire system with a backup and everything is OK, until the next time this happens. This can happen on any website. This has also happened to my wife's system once. Our systems are not connected, we even use different printers; her versions of the above software are all the same. Puzzled: is this real ransomware that was blocked, or is it a false positive? I know that false positive reactions can sometimes really mess up a system.

    But finally and most important: No matter what it was, real or false, shouldn't being inside of Sandboxie have cancelled it all out once I deleted the contents? Shouldn't getting out of Sandboxie have returned things to normal, or don't I quite know how SB works?
    Thanks much, Acadia
     
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,092
    Location:
    UK
    @Acadia
    Just wondering, does the same thing happen if you turn on Defender as a test and use that instead of MBAM? (I presume you are using MBAM realtime)
    If you right-click on your sandboxie desktop icon and select properties at the bottom, what does it say the target is?
    Also, is Firefox set as your default? (Undo it and redo it, perhaps.)
     
  3. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    @stapp
    I use both Windows Defender and MBAM in real time together. I have never had any problems until now, and I've been doing it that way for a long time.
    Thanks, Acadia
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    When MBAM blocks an attack, does it delete any file? If the Firefox shortcut is broken, it could be that the Firefox executable was deleted (or quarantined) by MBAM.
     
  5. Freki123

    Freki123 Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    337
    I would take a look at what file exactly MBAM is finding suspicious. I don't think ransomware should spawn out of nowhere again and again in a browser. Maybe MBAM is blocking parts of Sandboxie (as an FP) and Sandboxie can't delete its content then (since MBAM gets in the way).
     
  6. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Thanks for all replies. I am going to wait for it to happen again and take more careful notes. It is happening about every 5-6 days.

    But if anyone has more ideas, keep posting, thanks.
    Acadia
     
  7. Krabbath

    Krabbath Registered Member

    Joined:
    Jun 24, 2020
    Posts:
    49
    Location:
    Earth
    [Next time] you can also check the Malwarebytes log files to find out which finds are/were reported:
    View Reports and History in Malwarebytes for Windows v4

    Malware finds are also often listed in the Windows Event Viewer.

    The fact that your Firefox shortcut shows a white standard icon instead of the Firefox icon indicates that the Firefox exe has been deleted, moved, quarantined, blocked or has become corrupted (what @Minimalist wrote).

    Windows then has obviously recognized that Firefox is no longer available and has made MS Edge the default browser.

    Because Sandboxie is not (or was not) compatible with MS Edge, it is the expected behaviour that the sandbox shortcut "Run Web browser sandboxed",

    Code:
    "C:\Program Files\Sandboxie\Start.exe" default_browser
    opens Internet Explorer instead. Sandboxie does the same on my system, but without error message.

    Internet Explorer has an entry in the Windows Start menu, under "Windows Accessories". Can you start it from there without an error message?
     
  8. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Yes, I can start up IE without problems.

    This "bug" hit my wife again last night. Appears Malwarebytes is "attacking" C:\Program Files\Mozilla Firefox\firefox.exe. This has to be a false positive because it has now hit the two of us a total of 5 times, and it is always the same result exactly. Also, this has now happened on five different websites. Configured MBAM, added Firefox to "Allow List" to ignore Ransomware detection. We'll see what happens.
    Thanks EVERYONE, Acadia
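The checks suggested in posts 7 and 8 above (is firefox.exe still there, what does the Sandboxie shortcut launch, which browser is now the default, and what did Malwarebytes actually log) can be run in one go from PowerShell. The script below is an added example, not code from the thread, from Malwarebytes, Sandboxie or Mozilla. It assumes the default install path for Firefox, that the desktop shortcut is named "Sandboxed Web Browser.lnk", that Malwarebytes 4 keeps its service logs under C:\ProgramData\Malwarebytes\MBAMService\logs, and that its Application-log events carry "Malwarebytes" in the provider name; adjust those if your system differs. Before allow-listing firefox.exe as in the post above, the signature check is the part worth looking at: a genuine Firefox binary carries a valid Authenticode signature from Mozilla Corporation, and a missing or invalid signature means the file should be treated as suspect rather than excluded.

```powershell
# Added triage script (not from the thread or from any of the vendors involved).
# Run in a normal PowerShell window on the affected machine after the MBAM popup.

$firefox  = 'C:\Program Files\Mozilla Firefox\firefox.exe'                                  # default Firefox path
$shortcut = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Sandboxed Web Browser.lnk' # assumed shortcut name
$mbamLogs = 'C:\ProgramData\Malwarebytes\MBAMService\logs'                                  # assumed MBAM 4 log directory

# 1. Is firefox.exe present, and is it still the Mozilla-signed binary?
#    If it is missing, look in the Malwarebytes Quarantine before restoring a whole backup.
if (Test-Path $firefox) {
    $sig  = Get-AuthenticodeSignature -FilePath $firefox
    $hash = (Get-FileHash -Algorithm SHA256 -Path $firefox).Hash
    [pscustomobject]@{
        Check     = 'firefox.exe'
        Present   = $true
        SigStatus = $sig.Status                                     # expect 'Valid'
        Signer    = $sig.SignerCertificate.Subject                  # expect a Mozilla Corporation subject
        LooksGood = ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'Mozilla Corporation')
        SHA256    = $hash                                           # compare with a known-good copy
    } | Format-List
} else {
    "firefox.exe is MISSING from $firefox (deleted or quarantined?)"
}

# 2. What does the Sandboxie desktop shortcut really run?
#    The thread shows the target as:  "C:\Program Files\Sandboxie\Start.exe" default_browser
if (Test-Path $shortcut) {
    $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut($shortcut)
    "Sandboxie shortcut target: $($lnk.TargetPath) $($lnk.Arguments)"
} else {
    "Shortcut not found at $shortcut (name assumed; check the desktop icon's Properties instead)"
}

# 3. Which browser does Windows currently treat as default?
#    Start.exe default_browser resolves this; a FirefoxURL-* ProgId means Firefox,
#    MSEdgeHTM means Edge, IE.HTTP means Internet Explorer.
$uc     = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice'
$progId = (Get-ItemProperty -Path $uc -ErrorAction SilentlyContinue).ProgId
"Default http handler ProgId: $progId"

# 4. What did Malwarebytes report?
#    a) Application event log (provider name match is an assumption; the message match catches the detection name)
Get-WinEvent -LogName Application -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Malwarebytes' -or $_.Message -match 'Malware\.Ransom' } |
    Select-Object -First 10 TimeCreated, ProviderName, Id, Message |
    Format-Table -Wrap

#    b) MBAM's own service logs: look for the Firefox path or the detection name in the newest files
if (Test-Path $mbamLogs) {
    Get-ChildItem -Path $mbamLogs -Filter '*.log' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 3 |
        ForEach-Object {
            Select-String -Path $_.FullName -Pattern 'firefox\.exe|Malware\.Ransom' |
                Select-Object -First 20 Filename, LineNumber, Line
        }
} else {
    "MBAM log directory not found at $mbamLogs (path assumed)"
}
```

If section 1 reports Present = False, the Firefox binary was removed and the rest of the symptoms follow from that: the shortcut loses its icon, Windows drops Firefox as the http handler, and Start.exe default_browser falls through to Internet Explorer. If it reports LooksGood = True, the file is the vendor's signed build and the detection can be reported to Malwarebytes as a false positive with the hash attached.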
     
  9. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    548
    Location:
    Nottingham
    You should post on the MB forum. There is another thread which indicates the problem occurs when Firefox updates. However, there must be many people running F.F and MBAM who are not affected. I guess it's a process of elimination; you are running W.D, MBAM, S.B. I think S.B protects the browser from ransomware pretty well without any need for M.B https://forums.malwarebytes.com/topic/258157-mbam-41-flagging-firefox-7401/
     