pbust

Staff
  • Content Count: 3,389

Posts posted by pbust

  1. Try unchecking it for browsers.

    Also, check under Advanced Settings -> App Behavior Protection and uncheck for Office VBA7 to see if that makes a difference.

    WARNING: You will be unchecking core protections which are actively abused by malware gangs.

  2. This is a block due to a Malwarebytes system-hardening technique. The block should only happen when a page is visited that tries to load the vbscript.dll component. VBScript was deprecated by Microsoft years ago. It is a gaping security hole and is actively abused by web-based exploits and drive-by downloads.

    If you would like to take the risk (not recommended!) you can disable this hardening technique under the Advanced settings of Anti-Exploit, Application Hardening, "Prevent loading of VBScript Library".

  3. Our engine format and configuration in VirusTotal are different from our consumer and corporate products' default configuration. In VirusTotal we use a command-line engine with a different configuration and different detection techniques/heuristics, which might detect more than the commercial product. There are also false-positive suppression mechanisms in the commercial product which are not present in the command-line engine in VirusTotal.

    This file has been whitelisted for our commercial products and it is not detected anymore.

  4. Really sorry for the late reply here. I was just made aware of this post.

    For transparency, the aggressive gTLD blocking was introduced when our browser extension was in prototype mode and as a way to test a bunch of really aggressive approaches and heuristics in order to come up with a good balanced blacklist-plus-whitelisting approach. Those gTLDs were selected due to the high ratio of malicious to legitimate websites found in those gTLDs. Many of those aggressive detection approaches are still in the browser extension but some of the whitelisting approaches never solidified as originally intended. The result is an unbalanced aggressive blocking as you're correctly pointing out.

    Having said that, now that the extension is not prototype/beta anymore and it is being pushed by the Premium product, we should revisit and fine-tune a lot of those aggressive detection blocks and heuristics to strike the right balance.

    Thanks for raising this topic. We are investigating fine-tunings based on your feedback.

  5. Unfortunately this is a hard block for the time being. The anti-exploit component prevents any automated execution of scripting apps from Internet-facing applications. If you save the script to disk and execute it from a command line with a non-browser and non-mailclient parent process, it will be allowed to execute.

    We are evaluating some future enhancements to the anti-exploit component to allow more granularity around allowed/blocked dangerous actions.
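The parent-process rule described in the post above, as an added example (not Malwarebytes code and not the product's actual logic): a simplified PowerShell model that walks a process's ancestry and flags a script host that was launched, directly or indirectly, by an Internet-facing application. The lists of script hosts and Internet-facing applications, the function name, and the sample process table are assumptions chosen for illustration; the real product's lists are not published on this page.

```powershell
# Added example, not Malwarebytes code: a simplified model of the rule "block script hosts
# launched (directly or indirectly) by an Internet-facing application".
# Process names below are ASSUMPTIONS for illustration, not the product's real lists.

$ScriptHosts        = @('wscript.exe', 'cscript.exe', 'powershell.exe', 'mshta.exe')
$InternetFacingApps = @('chrome.exe', 'firefox.exe', 'iexplore.exe', 'msedge.exe',
                        'outlook.exe', 'thunderbird.exe')

function Test-ScriptHostBlocked {
    param(
        [Parameter(Mandatory=$true)] [int] $ProcessId,
        # Objects with Name, ProcessId, ParentProcessId (the shape Win32_Process returns)
        [Parameter(Mandatory=$true)] [object[]] $ProcessTable
    )
    $byId = @{}
    foreach ($p in $ProcessTable) { $byId[[int]$p.ProcessId] = $p }

    $proc = $byId[$ProcessId]
    if ($null -eq $proc) { return $false }
    # Only script engines are subject to the rule; cmd.exe or explorer.exe children are not.
    if ($ScriptHosts -notcontains $proc.Name.ToLower()) { return $false }

    # Walk up the parent chain. Stop on a cycle or a missing parent: PIDs are reused after a
    # parent exits, so a stale ParentProcessId can point at an unrelated process, which is why
    # a real anti-exploit hook checks ancestry at launch time rather than from a later snapshot.
    $seen = @{}
    $current = $proc
    while ($current -ne $null -and -not $seen.ContainsKey([int]$current.ProcessId)) {
        $seen[[int]$current.ProcessId] = $true
        $parent = $byId[[int]$current.ParentProcessId]
        if ($null -eq $parent) { break }
        if ($InternetFacingApps -contains $parent.Name.ToLower()) { return $true }
        $current = $parent
    }
    return $false
}

# Constructed sample process table (not captured from a real machine).
$sample = @(
    (New-Object PSObject -Property @{ Name='explorer.exe'; ProcessId=10;  ParentProcessId=1 }),
    (New-Object PSObject -Property @{ Name='chrome.exe';   ProcessId=100; ParentProcessId=10 }),
    # wscript.exe with a browser ancestor: the case the post says is blocked
    (New-Object PSObject -Property @{ Name='wscript.exe';  ProcessId=200; ParentProcessId=100 }),
    (New-Object PSObject -Property @{ Name='cmd.exe';      ProcessId=20;  ParentProcessId=10 }),
    # the same script saved to disk and run from cmd.exe: no browser or mail client ancestor
    (New-Object PSObject -Property @{ Name='wscript.exe';  ProcessId=30;  ParentProcessId=20 })
)

Test-ScriptHostBlocked -ProcessId 200 -ProcessTable $sample
Test-ScriptHostBlocked -ProcessId 30  -ProcessTable $sample

# Against the live system (PowerShell 2.0 syntax, no CIM cmdlets required):
# $live = Get-WmiObject Win32_Process | Select-Object Name, ProcessId, ParentProcessId
# Test-ScriptHostBlocked -ProcessId $PID -ProcessTable $live
```

The model only looks at process ancestry, which is exactly why the workaround in the post works: once the script is saved and started from a command prompt, the chain above it no longer contains a browser or mail client.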


  6. 12 hours ago, hake said:

    I regret to say that I am unable to use MBAE 1.13.1.186 or 164 because of the inability of those versions to start reliably with XP.

    It is actually XP that starts unreliably, and sometimes it takes longer than at other times, triggering the MBAE service timeout.

    If you really want to run the latest, try switching the MBAE service to Manual, and then creating a batch script that runs at boot, sleeps for a few minutes, then starts the MBAE service and then runs the mbae UI executable.
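The delayed-start workaround from the post above, written out as an added example (not the post author's script and not a Malwarebytes-supplied one), in PowerShell 2.0 syntax since that is the newest PowerShell Windows XP can run. The service name, the UI executable path and the delay are assumptions; confirm the service name with `sc query` and the path in the install folder before using it.

```powershell
# Added example: implements "set the MBAE service to Manual, then at boot sleep a few minutes,
# start the service and run the UI". PowerShell 2.0 syntax for Windows XP.
# ASSUMPTIONS (not from the post): the service name, the UI path and the delay length.

$ServiceName = 'MBAE'                                                   # ASSUMPTION: check with  sc query
$UiExe       = 'C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe'    # ASSUMPTION: check install folder
$DelaySec    = 180                                                      # "a few minutes" for XP to settle

# One-time step, run as Administrator: stop the service from auto-starting at boot, so a slow
# XP boot no longer trips the service start timeout.
function Set-MbaeManualStart {
    Set-Service -Name $ServiceName -StartupType Manual
}

# Boot-time step: wait, start the service if it is not already running, then launch the UI.
function Start-MbaeDelayed {
    Start-Sleep -Seconds $DelaySec
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    if ($svc.Status -ne 'Running') {
        Start-Service -Name $ServiceName
        # Block until the service reports Running, so the UI is not started against a dead service.
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    }
    if (Test-Path $UiExe) { Start-Process -FilePath $UiExe }
}

# Usage:  powershell -File mbae-delayed.ps1 install   (once, as Administrator)
#         powershell -File mbae-delayed.ps1           (at every logon)
if ($args.Count -gt 0 -and $args[0] -eq 'install') {
    Set-MbaeManualStart
} else {
    Start-MbaeDelayed
}
```

Register the second form to run at logon, for example with a `schtasks /sc onlogon` task or a shortcut in the Startup folder; starting a service needs an administrative account, which is the common setup on XP. The trade-off is the same one the post implies: for those few minutes after boot the machine runs without anti-exploit protection.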

  7. Hey hake, long time no talk. Hope you're doing ok.

    Pen-testing is a legitimate activity when done correctly. Some pen-testing tactics mimic malware activity and some don't. We've basically created this option for people who want to detect pen-testing activity even if it is not found in-the-wild in malware attacks.

