Malwarebytes thinks EXCEL.EXE is ransomware, now I have no permissions for the file

The file is EXCEL.EXE in the install folder for Office 2019.
Windows 10
It’s my own personal machine and I am an administrator.

First, Malwarebytes reported EXCEL.EXE as a ransomware file. When this alert occurred I was in the middle of running an Excel file with macros. It’s a routine file that I’ve been using for a couple of years. Here is the report from Malwarebytes:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 7/13/20
Protection Event Time: 10:58 AM
Log File: 4bdfc328-c519-11ea-8d85-d050998a9a5c.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.955
Update Package Version: 1.0.26771
License: Premium

-System Information-
OS: Windows 10 (Build 18362.900)
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 1
Malware.Ransom.Agent.Generic, C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Blocked, 0, 392685, 0.0.0


(end)

The Excel process was killed. Now I am unable to run Excel. I opened it in Explorer to check security. It shows that I do not have Read permission. For “owner” it says “Unable to display current owner.” If I click “Change” this heading information disappears and I have no options to view or change permissions. When I try to run it as administrator it tells me I do not have appropriate permissions. When I try to delete it, it tells me I do not have permission.

Why would MWB identify this file as ransomware? Have I been hacked? Or is it a false positive?
It did not quarantine this file, it just removed all permissions. Even as Administrator I cannot take any actions. I can’t even delete it, so now I can’t reinstall Microsoft Office.
How do I recover from this?

Here is a good thread that has some more information and some workarounds. Looks like they updated MWB as well.

Thank you so much for that. I had posted to that forum but did not find that particular thread. I applied the workaround and it worked. Somewhere in there they said it is a known false positive, which is a bit of a relief.

I am still rather astonished that Malwarebytes can exercise more control over a file than an Administrator can.

Another thread in the Malwarebytes forum on this announcing it as a known false positive.

This. A thousand times this. I would delete MWB immediately and NEVER install it again. No software should have the ability to take away my ability to manage my computer.

If you (MWB) want an extra layer of safety, have me set up a secondary passphrase to use to get control back, but that kind of shit could brick a computer and cost huge amounts of time and money to recover from.

If anything in this scenario is ransomware or a malicious actor, it’s Malwarebytes.

No, this is complete nonsense. Malwarebytes is a well-known and legitimate program. Quarantining (restricting access) to suspect files is a typical feature of antivirus software. It prevents accidental activation of potentially malicious software before it is reviewed.

Moreover, Malwarebytes or any other security software does not “exercise more control over a file than an Administrator can”.

You are misunderstanding how administrative privileges work on Windows, and to be blunt, you have the same abilities but don’t understand how to do it or how it works.

First off, even when logged into an administrator account, you don’t have admin privileges active at all times. You have to elevate via UAC, which is a mechanism that inhibits malicious software from altering your system without your knowledge.

When Malwarebytes quarantines a file it puts restrictive ACLs onto the file that block access. You could do this manually through the Windows file permission dialog in the file properties, and inspect the ACLs it uses yourself. Malwarebytes is not doing anything backhanded by doing this.

Microsoft Excel is an even more well-known and legitimate program, and arguably more essential. One would think that Malwarebytes would know this and not serve it up as a false positive, the solution for which is to turn off the protection that it is ostensibly offering.

You’ve never heard of a false positive? It unfortunately happens from time to time with heuristic detection, used by virtually all antivirus software. No one sat down and decided to add Excel to a malware database.

Really, what are you trying to imply?

I don’t have any problem with the fact that it identified a file called EXCEL.EXE as malware. Note that I said “a file called EXCEL.EXE,” and not “Microsoft Excel,” because Malwarebytes does not and should not know how to recognize every executable for every legitimate application. This is exactly why I have installed it. There is a scenario where malware could overwrite EXCEL.EXE with something malicious. The file name doesn’t mean anything.

This is the first time in all my years of using Windows that I have tried to change the owner of a file and have been unable to do so. I right-clicked on Properties and opened the Security tab. At the top, normally it shows the owner, and there is a link to change the owner with a shield icon that indicates this is an Administrator action. In this case, it would not even show me who the owner is and would not let me take any action at all. I have used this method in the past to do things like regain control over a boot drive that was moved from a different computer.

I submit to your expertise and would be happy to learn from you how it works. A link would be sufficient.

I was not able to duplicate what you describe with Malwarebytes quarantine, because when I quarantined a test PUP it renamed and moved the file into its quarantine folder at C:\ProgramData\Malwarebytes\MBAMService\Quarantine. The file in the quarantine was saved into some kind of encoded format that is not executable. So I’m not able to see exactly what was going on.

That said, in most circumstances, files do not have explicitly defined permissions and owners. File permissions are inherited from the folder they are in, and this can be done recursively through many subfolders. It is necessary to identify the parent folder that sets the restrictive permissions and change the permissions at that level so they can propagate down to the files inside them. In some cases, “access denied” errors are really the result of some other issue, such as the file being locked by another process. I suspect the reason Excel was quarantined was related to your macros, with MB detecting the macros in memory and that triggering a heuristic.

It’s also possible for permissions to be so complex that the GUI’s incremental approach to viewing and editing is insufficient and a command-line tool like icacls is the optimal tool.

That said, for any antivirus software, if a file is falsely detected and quarantined the first and best thing to do is going to be unquarantining through the software and adding an exception for it.
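The diagnostic steps in the post above (is it really a DACL problem or a file lock, is inheritance cut on the file itself, and which parent folder actually carries the restrictive ACL) can be run as one PowerShell function. This is an added example, not code from the thread or from Malwarebytes; the function name is made up, it assumes an elevated Windows PowerShell prompt, and the path in the usage line is simply the one reported in the log above.

```powershell
# Added example (not from the thread): diagnose an "access denied" file the way
# the post above describes. Run from an elevated PowerShell prompt.
function Get-FileAccessDiagnosis {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $report = [ordered]@{ Path = $Path }

    # 1. Permissions problem, or a lock held by another process?
    #    Opening with FileShare 'None' throws IOException on a sharing violation
    #    and UnauthorizedAccessException when the DACL denies the open.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'None')
        $fs.Dispose()
        $report.Readable = $true
    } catch [System.UnauthorizedAccessException] {
        $report.Readable = $false
        $report.Reason   = 'DACL denies read access'
    } catch [System.IO.IOException] {
        $report.Readable = $false
        $report.Reason   = "Locked by another process or I/O error: $($_.Exception.Message)"
    }

    # 2. The security descriptor itself. Get-Acl needs READ_CONTROL; when even that
    #    is gone you get the thread's "Unable to display current owner" symptom and
    #    the catch block below fires.
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
        $report.Owner               = $acl.Owner
        $report.InheritanceDisabled = $acl.AreAccessRulesProtected
        $report.ExplicitAces  = @($acl.Access | Where-Object { -not $_.IsInherited } |
            ForEach-Object { "$($_.AccessControlType) $($_.IdentityReference) $($_.FileSystemRights)" })
        $report.InheritedAces = @($acl.Access | Where-Object { $_.IsInherited } |
            ForEach-Object { "$($_.AccessControlType) $($_.IdentityReference) $($_.FileSystemRights)" })
        $report.Sddl = $acl.Sddl
    } catch {
        $report.Owner         = 'unreadable (READ_CONTROL denied)'
        $report.SecurityError = $_.Exception.Message
    }

    # 3. Walk up the directory tree to the nearest folder whose DACL is protected
    #    (inheritance cut). That is the level where restrictive permissions are
    #    actually set and where a fix has to be applied so it propagates down.
    $dir = Split-Path -LiteralPath $Path -Parent
    while ($dir) {
        try {
            $dacl = Get-Acl -LiteralPath $dir -ErrorAction Stop
            if ($dacl.AreAccessRulesProtected) { $report.NearestProtectedFolder = $dir; break }
        } catch {
            $report.NearestProtectedFolder = "$dir (security descriptor unreadable)"; break
        }
        $dir = Split-Path -LiteralPath $dir -Parent
    }

    [pscustomobject]$report
}

# Usage (elevated); the path is the one from the Malwarebytes log in this thread:
Get-FileAccessDiagnosis -Path 'C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE' | Format-List
```

A `Readable = False` with `Reason = DACL denies read access` plus an unreadable owner is the state the original poster describes; `Reason` starting with `Locked by another process` means the file is simply in use and no ACL surgery is needed.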

The file was not quarantined; it was left in place with all permissions disabled. I have had other malware detected and moved into a quarantine folder, but that is not what happened here.

I cannot reproduce it myself because Malwarebytes issued a patch for this which I’ve already applied. I turned ransomware detection on again and have had no further incidents. I do not even know how to deliberately create the situation I encountered to be able to show a screenshot of it.

Did you not read where I said that Malwarebytes served up Excel as a false positive? Yes, I know what a false positive is. I said Excel was a false positive for Malwarebytes.

I’m implying that Malwarebytes released their program into the wild without sufficient testing. You know, testing against well-known and legitimate programs like Microsoft Excel or other Microsoft Office applications.

Windows has the ability to create security settings (a DACL in the argot) that prohibit everything to everybody except the owner. Including the right to see or change the owner. That’s about the only way to lock an Administrator out of a file or directory.

Knowing how many end-users run as Administrator (with or without UAC elevation), I could easily see an anti-malware app using its service account to take ownership of suspicious files and then hard-locking everybody, including Administrators, out of the suspect file. Because any malware running under the end-user’s Administrator-enabled account is also an Administrator and could trivially undo any lesser degree of locking. Just as you tried to do through the file Properties UI.

None of that excuses MWB falling for a false positive on a common app like Excel. But it does explain how the lockout trick is performed.

Understanding all the mumbo jumbo under the hood of Windows security isn’t easy. What you see in a file Properties >> Security tab or even the >> Advanced tab is more than the tip of an iceberg, but it’s still only maybe half of the iceberg. Unfortunately over the years MSFT has chopped their documentation into ever smaller chunks that effectively bury key concepts in the unstated linkages between a dozen much-too-narrowly-focused doc pages. They document every pine needle in isolation and leave you to figure out how the trees add up to a forest.

These links are at least in the neighborhood if someone wants to learn more.
https://docs.microsoft.com/en-us/windows/win32/secauthz/null-dacls-and-empty-dacls
https://docs.microsoft.com/en-us/windows/win32/secauthz/standard-access-rights
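The first link above distinguishes an empty DACL (no entries, so nobody is granted access) from a null DACL (no DACL at all, so everyone has full access), which is exactly the mechanism the post describes. As an added example that is not from the thread, the following script reproduces the empty-DACL lockout on a constructed scratch file and then walks through the recovery an elevated administrator has via takeown and icacls, the tool mentioned earlier in the thread. It assumes an elevated PowerShell prompt; the scratch file name and the Test-CanRead helper are inventions of this example. Only the owner change from the original incident is not reproduced here, so this demo can still display the owner while the original poster could not. Restoring access like this is only the right move once the vendor has confirmed a false positive, as the linked forum threads did for this detection.

```powershell
# Added example (not from the thread): empty-DACL lockout on a scratch file and the
# administrator's recovery path. Run from an elevated PowerShell prompt.
$scratch = Join-Path $env:TEMP 'dacl-lockout-demo.txt'   # constructed test file
Set-Content -LiteralPath $scratch -Value 'constructed sample content'

function Test-CanRead([string]$p) {
    try { [void][System.IO.File]::ReadAllText($p); $true } catch { $false }
}

# 1. Strip every inherited ACE. A fresh temp file has only inherited ACEs, so the
#    result is a protected DACL with zero entries: an *empty* DACL, which grants
#    access to no one. (A *null* DACL would instead grant everyone full access.)
icacls $scratch /inheritance:r | Out-Null
$sddl = (Get-Acl -LiteralPath $scratch).Sddl
"DACL after lockout: $($sddl.Substring($sddl.IndexOf('D:')))"   # no (...) ACE strings
"Readable now: $(Test-CanRead $scratch)"                          # False, even for the owner

# The owner keeps implicit READ_CONTROL and WRITE_DAC, which is why Get-Acl still
# works here. In the thread the owner had been changed too, so even that was gone.
# An elevated administrator recovers from either state with the same two steps:

# 2. takeown enables SeTakeOwnershipPrivilege and makes the caller the owner,
#    bypassing the DACL entirely (add /A to give ownership to Administrators).
takeown /F $scratch | Out-Null

# 3. The owner may rewrite the DACL: /reset discards the explicit DACL and
#    re-enables inheritance from the parent folder, the normal state for files.
icacls $scratch /reset | Out-Null
"Readable after recovery: $(Test-CanRead $scratch)"               # True
(Get-Acl -LiteralPath $scratch).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

Remove-Item -LiteralPath $scratch
```

If re-enabling inheritance is not wanted (for instance because the parent folder's ACL is itself the problem), `icacls <file> /grant "*S-1-5-32-544:F"` after the takeown step grants the Administrators group full control explicitly, using the well-known SID so it works regardless of the system language.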