About torrey

  1. torrey

    False positive wscript.exe

    Me too. I had one group that is managed by a VB script evangelist and almost everything they do relies on scripting... sigh. They are the only group I deployed the fix to because they could not even print unless I turned MBAE off.
  2. torrey

    False positive wscript.exe

    All they said was that it would be pushed out in a future release.
  3. torrey

    False positive wscript.exe

    Rob_B, if you engage MWB support, they have a newer version of anti-exploit that stops the false positives - at least in our case.
  4. torrey

    False positive wscript.exe

    We have had several machines producing alerts for wscript.exe on documents that do not contain an exploit. I can get you log files if needed. Here is the content of the alert email:

    Exploit code executing from Heap memory blocked BLOCK SYSTEM Wscript.exe C:\WINDOWS\System32\Wscript.exe
    Attacked application: C:\WINDOWS\System32\Wscript.exe; Parent process name: svchost.exe; Layer: Malicious Memory Protection; API ID: 301; Address: 0x7FC8038F; Module: ; AddressType: 0x00020000; StackTop: 0x7BD90000; StackBottom: 0x7BD88000; StackPointer: 0x7BD8DFA8; Extra:

    Thanks!
  5. We have also been getting this error from different machines over the last week:

    5/16/2018 3:38:39 AM MACHINENAME IPADDRESS Exploit attempt blocked BLOCK USERNAME microsoftedgecp.exe C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe
    Attacked application: C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe; Parent process name: RuntimeBroker.exe; Layer: Application Behavior Protection; API ID: 900; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:
