Real threat or false positive?

Discussion in 'sandboxing & virtualization' started by Acadia, Jun 29, 2020.

  1. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,192
    Location:
    SouthCentral PA
    Something weird has been happening to me three times now in the past 2 weeks. First the stats: Windows 10 1909 18363.836; Malwarebytes 4.1.0.56; Sandboxie 5.33.6; Firefox 77.0.1.

    I am surfing away on Firefox inside of Sandboxie. Suddenly they both die and I get a popup from Malwarebytes: Ransomeware blocked, Malware.Ransom.Agent.Generic. I delete the contents of Sandboxie and try to start over again. I always do this by clicking on the Sandboxed Web Browser that Sandboxie puts on the desktop. I get a Sandboxie error: Cannot run iexplore.exe due to restrictions, etc. I have NEVER run Internet Explorer on this system since the day I bought it. Somehow the Sandboxie icon is trying to bring up IE instead of Firefox. So I go to the Firefox icon on my desktop, the reddish fox, and try to bring up Firefox WITHOUT being inside of Sandboxie. But now the reddish fox is gone and there is only a blank white icon but I click on it anyway. Firefox fails to appear and I get a message: Windows cannot access the specified path, etc.

    I recover my entire system with a backup and everything is OK, until the next time this happens. This can happen on any website. This has also happened to my wife's system once. Our systems are not connected, we even use different printers; her versions of above software are all the same. Puzzled: is this real Ransomeware that was blocked, or I know that sometimes false positive reactions can sometimes really mess up a system.

    But finally and most important: No matter what it was, real or false, shouldn't being inside of Sandboxie have cancelled it all out once I deleted the contents. Shouldn't getting out of Sandboxie returned things to normal, or don't I quite know has SB works?
    Thanks much, Acadia
     
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    15,281
    Location:
    UK
    @Acadia
    Just wondering, does the same thing happen if you turn on Defender as a test and use that instead of MBAM? (I presume you are using MBAM realtime)
    If you right-click on your sandboxie desktop icon and select properties at the bottom, what does it say the target is?
    Also is Firefox set as your default (undo it and redo it perhaps)
     
  3. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,192
    Location:
    SouthCentral PA
    @stapp
    I use both Windows Defender and MBAM in real time together. I have never had any problems until now, and I've been doing it that way for a long time.
    Thanks, Acadia
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    13,753
    Location:
    Slovenia
    When MBAM blocks attack does it delete any file? If Firefox shortcut is broken it could be that Firefox executable was deleted (or quarantined) by MBAM.
     
  5. Freki123

    Freki123 Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    130
    I would take a look what file exactly MBAM is finding suspicous. I don't think ransomware should spawn out of nowhere again and again in a browser. Maybe MBAM is blocking parts of sandboxie (as a fp) and sandboxie can't delete it's content then (since MBAM gets in the way).
     
  6. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,192
    Location:
    SouthCentral PA
    Thanks for all replies. I am going to wait for it to happen again and take more careful notes. It is happening about every 5-6 days.

    But if anyone has more ideas, keep posting, thanks.
    Acadia
     
  7. Krabbath

    Krabbath Registered Member

    Joined:
    Jun 24, 2020
    Posts:
    49
    Location:
    Earth
    [Next time] you can also check the Malwarebytes log files to find out which finds are/were reported:
    View Reports and History in Malwarebytes for Windows v4

    Malware finds are also often listed in the Windows Event Viewer.

    The fact that your Firefox shortcut shows a white standard icon instead of the Firefox icon indicates that the Firefox exe has been deleted, moved, quarantined, blocked or becoming corrupted (what @Minimalist wrote).

    Windows then has obviously recognized that Firefox is no longer available and has made MS Edge the default browser.

    Because Sandboxie is not or was not compatible with MS Edge it is the expected behaviour, that the sandbox shortcut "Run Web browser sandboxed",

    Code:
    "C:\Program Files\Sandboxie\Start.exe" default_browser
    opens Internet Explorer instead. Sandboxie does the same on my system, but without error message.

    The Internet Explorer has an entry in the Windows Start menu, under "Windows accessories". Can you start it from there without error message?
     
  8. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,192
    Location:
    SouthCentral PA
    Yes, I can start up IE without problems.

    This "bug" hit my wife again last night. Appears Malwarebytes is "attacking" C:\Program Files\Mozilla Firefox\firefox.exe. This has to be a false positive because it has now hit the two of us a total of 5 times, and it is always the same result exactly. Also, this has now happened on five different websites. Configured MBAM, added Firefox to "Allow List" to ignore Ransomware detection. We'll see what happens.
    Thanks EVERYONE, Acadia
     
  9. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    527
    Location:
    Nottingham
    You should post on the MB forum. There is another thread which indicates the problem occurs when firefox updates. However there must be many people running F.F and MBAM who are not affected. I guess it's a process of elimination, you are running W.D , MBAM , S.B . I think S.B protects the browser from ransomware pretty well without any need from M.B https://forums.malwarebytes.com/topic/258157-mbam-41-flagging-firefox-7401/
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.