
msys-2-0.dll quarantined by Malwarebytes #3943

Closed
N6REJ opened this issue Jul 11, 2022 · 18 comments

Comments

N6REJ commented Jul 11, 2022

Upon extracting PortableGit-2.37.0-32-bit.7z.exe, Malwarebytes throws an immediate quarantine on msys32, severe enough that a forced reboot is required.

rimrul added the unclear label Jul 11, 2022

rimrul (Member) commented Jul 11, 2022

What exactly does Malwarebytes quarantine and how does that lead to a forced reboot?

dscho (Member) commented Jul 11, 2022

N6REJ (Author) commented Jul 11, 2022

@rimrul Malwarebytes is an anti-virus (and a very, very good one) and when it detects malware or viruses it removes the file from its normal place and locks it in a place where the system can't touch it: "Quarantine". Apparently whatever it found was bad enough that it said I needed to do a "forced reboot" before it would do anything further. This is not normal for Malwarebytes. Normally it just lets you know it was quarantined and you carry on.

N6REJ (Author) commented Jul 11, 2022

Just ran a 7z extract instead of the .exe and everything was fine until I ran the git-bash command as written in post-install.bat.
The error/issue is as follows:
[image]

Just as an FYI, I use and have used Git for Windows for years without this problem, both the portable and the Windows-installed version.
I'm assuming it's related to git-for-windows/msys2-runtime#37

I'm contacting Malwarebytes as I type to try to sort this out.

N6REJ (Author) commented Jul 11, 2022

Update:
I just downloaded the 64-bit version and it doesn't have the issue. I noticed it uses mingw64 instead of msys-2.

rimrul (Member) commented Jul 12, 2022

I noticed it uses mingw64 instead of msys-2.

No. It has some native parts (in /mingw64) and some parts that rely on the MSYS2 runtime to provide a Unix-like environment.
The 32-bit version also has these native parts (in /mingw32).

just ran a 7z extract instead of .exe and everything was fine until I ran the git-bash command as written in post-install.bat
The error/issue is as follows

Ok, so it quarantines /usr/bin/msys-2.0.dll. I've run that same DLL through VirusTotal and all 67 AV vendors on there (including Malwarebytes) seem to agree that the file is fine.

https://www.virustotal.com/gui/file/336af34f22de41cac7d8f615264e98ecc4075933a256269125dd4b8594dd963c/detection
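The first thing to establish in a false-positive triage like this is that the file Malwarebytes quarantined is byte-for-byte the sample VirusTotal rated clean, which the VirusTotal link above identifies by its SHA-256. The script below is an added example, not code from this thread or from Git for Windows: the hash constant is copied from rimrul's VirusTotal URL, and the extraction-directory argument and the recursive search for msys-2.0.dll are my own assumptions about how one would run it against a PortableGit extraction.

```python
import hashlib
import os
import sys

# SHA-256 that rimrul's VirusTotal link reports for the scanned msys-2.0.dll
# (copied from the URL in the comment above; it identifies that one build only).
VIRUSTOTAL_SHA256 = "336af34f22de41cac7d8f615264e98ecc4075933a256269125dd4b8594dd963c"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory buffer as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so a large DLL never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_known_good(digest: str, known_good: str = VIRUSTOTAL_SHA256) -> bool:
    """True when the local digest equals the hash VirusTotal scanned (case-insensitive)."""
    return digest.lower() == known_good.lower()


def virustotal_url(digest: str) -> str:
    """VirusTotal keys its per-file report by SHA-256, so any local copy can be looked up."""
    return f"https://www.virustotal.com/gui/file/{digest.lower()}/detection"


def find_msys_dlls(root: str) -> list:
    """Locate every msys-2.0.dll below root (assumption: usr/bin inside the extraction dir)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "msys-2.0.dll":
                hits.append(os.path.join(dirpath, name))
    return hits


if __name__ == "__main__":
    # Usage (assumed): python check_msys_dll.py <PortableGit extraction directory>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path in find_msys_dlls(root):
        digest = sha256_file(path)
        verdict = "matches the VirusTotal sample" if matches_known_good(digest) else "different build, look it up"
        print(f"{path}\n  sha256 {digest}\n  {verdict}\n  {virustotal_url(digest)}")
```

A mismatch is not evidence of tampering on its own: the constant is the hash of the 2.37.0 32-bit build rimrul scanned, so any other Git for Windows release legitimately hashes differently. In that case the printed URL is the report to check, since VirusTotal looks files up by exactly this digest.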

rimrul changed the title from "msys32 quarantine on portable" to "msys-2-0.dll quarantined by Malwarebytes" Jul 12, 2022

dscho (Member) commented Jul 12, 2022

@N6REJ it is unfortunate that you simply deleted the bug reporting template; instead, it would have been much better to take the hint to include as much information as possible. Now we have a time-consuming back-and-forth instead, which is frustrating to all involved. One thing that strikes me as a very likely culprit is that your copy of Malwarebytes might be different from (and I suspect: it is older than) VirusTotal's copy.

Since VirusTotal labels this safe (and has Malwarebytes' blessing to do so), I will close this ticket as a false positive.

dscho closed this as not planned (won't fix, can't repro, duplicate, stale) Jul 12, 2022

N6REJ (Author) commented Jul 12, 2022

@dscho sorry for erasing the template; it seemed irrelevant since it was asking what I was doing that triggered it. Since I hadn't even run it at the time, there were no answers I could give. I understand your frustration. My copy of Malwarebytes is up to date and is their premium version.
What I find interesting is that the 64-bit version doesn't have the issue.

dscho (Member) commented Jul 13, 2022

Right, it's probably a good question for Malwarebytes' support team.

N6REJ (Author) commented Jul 27, 2022

I spoke with Malwarebytes and they investigated and stated it was caused by the "expert" feature being activated. This is a non-default setting. Turning it off did in fact solve the issue.
Sorry for the long delay, I forgot to update the ticket.
[image]

dscho (Member) commented Jul 27, 2022

@N6REJ thank you for adding that information!

I am curious, though, why their expert system algorithm triggers. Maybe there is something in the MSYS2 runtime we can change so that Malwarebytes gets less trigger-happy?

N6REJ (Author) commented Jul 27, 2022

I'm not sure... do you want their ticket #?

dscho (Member) commented Jul 27, 2022

I'm not sure... do you want their ticket #?

I am not a customer, therefore I have no chance of getting their attention.

N6REJ (Author) commented Jul 27, 2022

Let me see if I can get them to participate. I'll fire off a response to them.
I don't know if it's relevant, but a friend tried my beta release today and got a trigger...

Hey Troy. I attempted to install your stack but my antivirus blocked a VBS script it noted as infected. Not sure if it is a false positive or if something may be considered malicious.

The file C:...\Bearsampp-2022.07.23-beta\core\tmp\registrySetValue-UVjbfbiN496kt5BI1G6sPbuvuh4k5cIT.vbs is infected with VBS:Electryon.625

I'm VERY confident it's not infected and even tested again just to make sure...
[image]

N6REJ (Author) commented Jul 27, 2022

@dscho OK, fired it off with details. Hope this helps.

dscho (Member) commented Jul 27, 2022

@N6REJ not sure whether you intended to paste the report about a VBS script? I thought we were talking about msys-2.0.dll...

rimrul (Member) commented Jul 27, 2022

These expert algorithms seem to be a family of aggressive heuristics that

detects malformations in PE headers which are typically found in malware and viruses.

https://forums.malwarebytes.com/topic/278532-malwareheuristic100x-detections-and-explanation/

They also note that these heuristics commonly produce false positives.
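To make concrete what "malformations in PE headers" can mean, here is a small PE header sanity checker. It is an added example and not code from this thread, from Git for Windows or from Malwarebytes; the specific rules it applies (alignment fields that are not powers of two, non-printable section names, section data running past the end of the file, an entry point outside any executable section, writable-and-executable sections, trailing overlay) are my own illustrative picks for the kind of oddity such heuristics key on, not Malwarebytes' actual ruleset. build_pe constructs a minimal PE32 image in memory purely as test input, so the script runs offline; pointing it at a real DLL such as usr/bin/msys-2.0.dll is the intended use.

```python
import struct
import sys

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DOS_HEADER_LEN = 64
SECTION_HEADER_LEN = 40


def _is_pow2(n: int) -> bool:
    return n > 0 and n & (n - 1) == 0


def _sections(data: bytes, table_off: int, count: int) -> list:
    """Parse `count` IMAGE_SECTION_HEADER records starting at table_off; stop at end of file."""
    out = []
    for i in range(count):
        off = table_off + i * SECTION_HEADER_LEN
        if off + SECTION_HEADER_LEN > len(data):
            break
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        (chars,) = struct.unpack_from("<I", data, off + 36)
        out.append({"name": name.rstrip(b"\0"), "vsize": vsize, "va": va,
                    "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return out


def check_pe(data: bytes) -> list:
    """Return header oddities as strings (empty list = nothing suspicious).
    The rules are illustrative assumptions of the author, not any vendor's real heuristic."""
    findings = []
    if len(data) < DOS_HEADER_LEN or data[:2] != b"MZ":
        return ["no MZ header"]
    (e_lfanew,) = struct.unpack_from("<I", data, 60)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["e_lfanew does not point at a PE signature"]
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 64 or opt + opt_size > len(data):
        return ["optional header truncated"]
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        findings.append(f"unknown optional header magic 0x{magic:x}")
    (entry,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint (RVA)
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    if not (_is_pow2(file_align) and _is_pow2(sect_align) and file_align <= sect_align):
        findings.append(f"odd alignments: SectionAlignment=0x{sect_align:x} FileAlignment=0x{file_align:x}")
    secs = _sections(data, opt + opt_size, nsections)
    if len(secs) != nsections:
        findings.append("section table truncated")
    entry_sec, end_of_data = None, 0
    for s in secs:
        name = s["name"]
        if not name or any(b < 0x20 or b > 0x7E for b in name):
            findings.append(f"non-printable section name {name!r}")
        if s["rawsize"] and file_align and s["rawptr"] % file_align:
            findings.append(f"section {name!r} raw data not aligned to FileAlignment")
        if s["rawptr"] + s["rawsize"] > len(data):
            findings.append(f"section {name!r} raw data runs past end of file")
        end_of_data = max(end_of_data, s["rawptr"] + s["rawsize"])
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {name!r} is writable and executable")
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"]):
            entry_sec = s
    if entry:  # 0 is legal for a DLL with no entry point, so only check a non-zero RVA
        if entry_sec is None:
            findings.append(f"entry point 0x{entry:x} lies outside every section")
        elif not entry_sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"entry point 0x{entry:x} is in non-executable section {entry_sec['name']!r}")
    if end_of_data and len(data) > end_of_data:
        findings.append(f"{len(data) - end_of_data} bytes of overlay after the last section")
    return findings


def build_pe(sections, entry: int, file_align: int = 0x200, sect_align: int = 0x1000, overlay: bytes = b"") -> bytes:
    """Constructed test input: a minimal PE32 image built in memory, not a real binary.
    `sections` is a list of (name, characteristics, payload) tuples."""
    nsec, opt_size = len(sections), 224  # PE32 optional header incl. 16 data directories
    headers_len = DOS_HEADER_LEN + 4 + 20 + opt_size + SECTION_HEADER_LEN * nsec
    headers_len = -(-headers_len // file_align) * file_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", DOS_HEADER_LEN)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x2102)  # i386, EXECUTABLE|DLL|32BIT
    table, body, rawptr, va = b"", b"", headers_len, sect_align
    for name, chars, payload in sections:
        rawsize = -(-len(payload) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), va,
                             rawsize, rawptr, 0, 0, 0, 0, chars)
        body += payload.ljust(rawsize, b"\0")
        rawptr += rawsize
        va += -(-max(len(payload), 1) // sect_align) * sect_align
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry)
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<II", opt, 56, va, headers_len)  # SizeOfImage, SizeOfHeaders
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(headers_len, b"\0") + body + overlay


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage (assumed): python pe_sanity.py usr/bin/msys-2.0.dll
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:  # constructed demo: W+X section, entry point outside every section, trailing overlay
        wx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
        data = build_pe([(b".text", wx, b"\xC3")], 0x9000, overlay=b"junk")
    for finding in check_pe(data) or ["no header oddities found"]:
        print(finding)
```

Every one of these conditions also occurs in legitimate binaries (installers carry an overlay, some toolchains emit writable code sections, packers rewrite the section table), which is exactly why a vendor that ships such rules as an opt-in "expert" mode warns about false positives. Running the checker over msys-2.0.dll and reading its output is a reasonable way to form a hypothesis about what tripped the heuristic before asking the vendor.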

rimrul (Member) commented Jul 27, 2022

not sure whether you intended to paste the report about a VBS script? I thought we were talking about msys-2.0.dll

That's just a tangent about another recent experience where Malwarebytes seemingly produced a false positive.

3 participants