pbust

Staff
  • Posts: 3,369
  • Reputation: 21 Excellent
  • Followers: 4

About pbust

Contact Methods
  • Website URL: https://www.malwarebytes.com

Profile Information
  • Location: Earth

  1. The scanner that we have in VirusTotal is a command-line version of the Malwarebytes engine, which is very different in nature from the Desktop product that all our customers install. In addition, the command-line scanner in VirusTotal has some aggressive heuristics enabled which are not enabled in the Desktop product. Also, our Desktop product includes some additional whitelisting checks which are not present in the command-line version. In summary, certain heuristic detections from VirusTotal do not necessarily reflect the detections end-users would see from the Desktop version of Malwarebytes. This is not specific to Malwarebytes, as many other antivirus vendors in VirusTotal have a similar situation, where their VirusTotal command-line scanner enables aggressive heuristics which are disabled by default in the Desktop product. These discrepancies typically solve themselves over time, as our file-processing and engine-training backend picks these files up and marks them as goodware, and VirusTotal clears its cache and re-scans those files. If you are a software vendor affected by this issue and after a few days it is not solved automatically, please re-submit the file to VirusTotal for re-scanning. If the problem persists after waiting a few days and submitting for re-scan, please post in this forum for a researcher to investigate further.
  2. ProcessHacker is used in targeted attacks against companies more lately, used manually, not packaged with mass-malware. It's true it's not malicious, but when abused by malware it becomes riskware. Based on shifts in the threat landscape we sometimes have to change our minds to protect our users against those shifts. If attackers switch to using alternatives to ProcessHacker, we might have to evaluate adding some form of detection for those as well. Likewise, if they stop using it, we can also remove the detection in the future. For those of you who use it, which I understand completely as I've used it extensively myself in the past, adding an exclusion for the path where ProcessHacker resides should be fairly straightforward.
  3. It's not really a false positive per se. It's a new hard block for Office applications spawning dangerous programs such as LOLbins (living off the land binaries), which are heavily abused in today's threat landscape. Most abuse is done for Word and Excel, so disabling the MSAccess shield is not as risky if you have an Access app that does this on purpose.
  4. Go to Settings -> Security -> Exploit Protection -> Manage protected applications -> disable Microsoft Access shield.
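The two posts above describe a hard block on Office applications spawning LOLBins, and the option of dropping one Office parent (Access) from the protected set. The following is an added example written for this page, not Malwarebytes' own shield logic: a small detector run over constructed process-creation records (a simplified `Key=Value|Key=Value` line format, not real Sysmon XML), with the Office parent list and the LOLBin list assumed for illustration. `scan` returns the (parent, child) pairs it would block, and removing `msaccess.exe` from the protected parents shows the effect of disabling that one shield.

```python
import ntpath
from dataclasses import dataclass

# Assumed list of Office parents a shield of this kind would cover (illustrative, not the product's list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe", "outlook.exe"}

# Assumed list of living-off-the-land binaries commonly used as first-stage loaders (illustrative).
LOLBINS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe",
    "wmic.exe", "msbuild.exe",
}


@dataclass(frozen=True)
class ProcessCreate:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessCreate:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessCreate(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def is_office_lolbin_spawn(ev: ProcessCreate, protected_parents=OFFICE_PARENTS) -> bool:
    """True when a protected Office parent directly spawns a LOLBin.

    ntpath.basename handles Windows paths on any host; the match is case-insensitive
    because Windows image paths are."""
    parent = ntpath.basename(ev.parent_image).lower()
    child = ntpath.basename(ev.image).lower()
    return parent in protected_parents and child in LOLBINS


def scan(lines, protected_parents=OFFICE_PARENTS):
    """Return the (parent, child) pairs that would be blocked, in input order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_office_lolbin_spawn(ev, protected_parents):
            alerts.append((ntpath.basename(ev.parent_image).lower(),
                           ntpath.basename(ev.image).lower()))
    return alerts


# Constructed sample records: three Office-to-LOLBin spawns, one benign Office child
# (the print spooler helper), and one LOLBin launched from Explorer, which the
# Office shield is not about.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c powershell -nop -w hidden",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta.exe vbscript:Execute",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\MSACCESS.EXE|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c report.bat",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\splwow64.exe|CommandLine=splwow64.exe 12288",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe",
]

if __name__ == "__main__":
    print("default shields:", scan(SAMPLE_EVENTS))
    print("Access shield off:", scan(SAMPLE_EVENTS, OFFICE_PARENTS - {"msaccess.exe"}))
```

With all shields on, the first three records are blocked; dropping `msaccess.exe` from the protected set lets the Access-driven `cmd.exe` through while Word and Excel remain covered, which is the trade-off the post describes.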
  5. False positive
     Wow, sorry this fell through the cracks for so long. I think this shouldn't be happening anymore in the latest version of Malwarebytes. In your log I see 4.4.4.126. Please upgrade to the latest version and try again.
  6. Please note that exploits in the wild are actively using this technique. Please be careful not to open any Word docs from the Internet (downloads, attachments, phishing, etc.) if you've disabled this setting. The chances of becoming infected with this setting disabled are HIGH if you open docs from the Internet.
  7. The Malware.Heuristic.100X detection names come from a new aggressive heuristic which detects malformations in PE headers which are typically found in malware and viruses. If a file or application is detected as Malware.Heuristic.100X it does not necessarily mean that the file is malicious. It simply means that its PE structure is similar to that of malware and viruses. This setting, which can be found under ["Settings > Security > Expert systems algorithms"], is OFF BY DEFAULT. You should only enable this aggressive heuristic if you suspect your computer has a malware infection which is not detected regularly by Malwarebytes, and want to run a more paranoid scan. If you have enabled this aggressive heuristic on purpose or by accident, and Malwarebytes detects some of your legitimate files or applications as Malware.Heuristic.100X, you should either:
     • Disable the Expert Systems Algorithms setting
     • Add your detected files to the Malwarebytes exclusions ["Settings > Allow List"]
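To make concrete what "malformations in PE headers" can mean, here is an added example written for this page; it is not Malwarebytes' engine or its Malware.Heuristic.100X logic, and the particular checks and thresholds are assumptions chosen for illustration. `analyze_pe` walks the DOS header, COFF header, optional header and section table of a PE image and reports structural anomalies that a well-formed compiler-produced binary would not show: an `e_lfanew` outside the file, a section count of zero or beyond the 96 the loader accepts, a `SizeOfOptionalHeader` that disagrees with the PE32/PE32+ magic, section raw data that runs past the end of the file, unaligned section RVAs, non-printable section names, and an entry point that is zero on an EXE or lies outside every section. `build_pe` constructs a minimal PE32 image in memory so the checks can be exercised offline; it is a constructed fixture, not a real binary.

```python
import struct

IMAGE_FILE_DLL = 0x2000
OPTIONAL_HEADER_SIZES = {0x10B: 0xE0, 0x20B: 0xF0}  # PE32 and PE32+ magic -> expected size
MAX_SECTIONS = 96                                   # loader limit; more than this is a red flag


def analyze_pe(data: bytes) -> list:
    """Return a list of header anomalies; an empty list means the layout looks sane.

    Field offsets follow the PE/COFF specification; only fields shared by PE32 and
    PE32+ at the same offset are read from the optional header."""
    findings = []
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["missing MZ signature"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):
        return [f"e_lfanew=0x{e_lfanew:x} points outside the file"]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["missing PE signature at e_lfanew"]
    _machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if nsec == 0 or nsec > MAX_SECTIONS:
        findings.append(f"unusual NumberOfSections={nsec}")
    opt_off = e_lfanew + 24
    if opt_off + 64 > len(data):
        return findings + ["optional header truncated"]
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in OPTIONAL_HEADER_SIZES:
        return findings + [f"unknown optional header magic 0x{magic:x}"]
    if opt_size != OPTIONAL_HEADER_SIZES[magic]:
        findings.append(f"SizeOfOptionalHeader=0x{opt_size:x} does not match magic 0x{magic:x}")
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    sec_align, _file_align = struct.unpack_from("<II", data, opt_off + 32)
    size_of_image = struct.unpack_from("<I", data, opt_off + 56)[0]
    sections = []  # (VirtualAddress, mapped size) per section
    for i in range(nsec):
        off = opt_off + opt_size + 40 * i
        if off + 40 > len(data):
            findings.append("section table runs past end of file")
            break
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        clean = name.rstrip(b"\0")
        if not clean or any(b < 0x20 or b > 0x7E for b in clean):
            findings.append(f"non-printable section name {name!r}")
        if raw_ptr + raw_size > len(data):
            findings.append(f"section {clean!r} raw data extends past end of file")
        if sec_align and va % sec_align:
            findings.append(f"section {clean!r} VirtualAddress 0x{va:x} not aligned to 0x{sec_align:x}")
        sections.append((va, max(vsize, raw_size)))
    if entry == 0 and not chars & IMAGE_FILE_DLL:
        findings.append("zero AddressOfEntryPoint on an EXE")
    elif entry and not any(va <= entry < va + size for va, size in sections):
        findings.append(f"AddressOfEntryPoint 0x{entry:x} lies outside every section")
    if sections and size_of_image < max(va + size for va, size in sections):
        findings.append("SizeOfImage smaller than the mapped section extent")
    return findings


def build_pe(entry=0x1000, num_sections=1, raw_size=0x200, opt_size=0xE0, section_va=0x1000) -> bytes:
    """Constructed minimal PE32 fixture (0x400 bytes): DOS stub, PE headers, one .text section.

    The keyword arguments deliberately let a caller corrupt individual fields so each
    check in analyze_pe can be triggered on purpose."""
    file_align, sec_align = 0x200, 0x1000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<II", opt, 32, sec_align, file_align)
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)              # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x100, section_va, raw_size, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + bytes(opt) + section * num_sections).ljust(0x200, b"\0")
    return headers + b"\xC3" * 0x200                             # section body: RET padding


if __name__ == "__main__":
    print("clean:", analyze_pe(build_pe()))
    print("entry outside sections:", analyze_pe(build_pe(entry=0x5000)))
    print("raw data past EOF:", analyze_pe(build_pe(raw_size=0x1000)))
```

Each finding on its own is only a hint; packers and some linkers produce headers that trip one or two of these checks, which is exactly why the post calls the heuristic aggressive and keeps it off by default. A scanner that ships something like this would score the findings rather than block on any single one.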
  8. Nope, it does not protect other PDF readers not mentioned in the Shields tab. You need to add custom shields for those.
  9. The fix is being deployed to MB4. In the meantime, resetting the "pentesting mode" toggle should fix it.
  10. Yes, MBAE internally recognizes a dozen or so email clients and applies different application hardening logic (although similar) than the browser family. No need to create custom shield for email clients.
  11. Welcome. Please replicate the block again and then attach here the mbae-default.log file from C:\ProgramData\Malwarebytes\MBAMService\LOGS directory.
  12. We'll see what we can do @hake. I have a similar experience to yours since the early '90s, and even if just for the memories I'd like MBAE standalone to continue protecting XP machines.
  13. Thanks for confirming Ian. We are still investigating as it might not have been your fault. It might have accidentally turned itself on for some time during an upgrade or config change condition.
  14. Thanks for reproducing it again without pentesting and providing a fresh set of logs. The team is looking into it.