[MS Excel blocked by Anti Exploit after W10 update]

Can you please post the MBAE logs?

Instructions in my signature.

[ALL iObit Programs]

Our Research Team has been monitoring this application for some time and has decided to add detection based on triggers against our PUP detection criteria.
https://blog.malwarebytes.com/malwarebytes-news/2016/10/malwarebytes-gets-tougher-on-pups/

The detection is correct and not a false positive. We will continue monitoring this application and if we notice a change in the behavior we will review it again.

 

[ALL iObit Programs]

Unfortunately this is the nature of our generic/signatureless remediation technology (i.e. linking engine) which finds malware artifacts related to the original detected malware/PUP. There are some PUPs that are very large in size and this is an unfortunate side effect. On the positive side, it allows us to be really good at malware remediation.

We do have an internal project ongoing to takes a different approach that might solve this for PUPs, but that project is still in incubation.

 

 

[Advanced System Care 10]

Our Research Team has been monitoring this application for some time and has decided to add detection based on triggers against our PUP detection criteria.
https://blog.malwarebytes.com/malwarebytes-news/2016/10/malwarebytes-gets-tougher-on-pups/

The detection is correct and not a false positive. We will continue monitoring this application and if we notice a change in the behavior we will review it again.

If for whatever reason you want to continue using Advanced SystemCare, you can simply uncheck the detections and click Next after a scan with MBAM, and the prompt will ask you if you want to "Ignore Once" or "Ignore Always". If you Ignore Always it won't be detected any more.

 

[Welcome to the Malwarebytes Incident Response Beta]

We are happy to announce the public beta of our upcoming cloud-based platform for Incident Response for companies.

Malwarebytes Incident Response incorporates the following key high-level features:

• Cloud-based management console
• Dashboard views
• Endpoint & asset management
• Policy and group management
• Scheduled scans
• Malware discovery and remediation

This is a great opportunity for you to get an early glimpse of our new Malwarebytes Incident Response built on our new Cloud Platform.

We are looking for beta testers who can deploy Malwarebytes Incident Response in a business environment to at least 5 endpoint Windows machines. If you want to become a Beta tester we will set you up with an account and instructions on how to get started. To sign up simply send an email to DL-NebulaBeta@malwarebytes.com.

 

 

[Additional Mitigations]

EMET has some EMET-specific mitigations and limited in nature as compared to MBAE.

For example, EMET has ASR which basically disables a bunch of content in certain applications. They do this since they cannot protect from exploits through those applications, while MBAE's Layer3 can (think Java exploits, application design abuses, etc.).

OTOH EMET has some anti-detouring since it uses Detours. But MBAE does not need those since it uses a different approach.

Last but not least, MBAE uses a multi layer approach to mitigations and the mitigations we have in place are the ones that make the most amount of sense to us to deal with exploits ITW. MBAE is also supported and maintained actively, while EMET is not.

 

[Microsoft Office and Grammarly issues]

Thanks for confirming hfike. I pushed a global exclusion a few mins ago so you don't need your local exclusion anymore. We're reaching out to Grammarly folks to see if they can give us a heads up next time before they release a new version so we can exclude it beforehand.

[Microsoft Office and Grammarly issues]

Thanks, should be fixed already!

 

[Microsoft Office and Grammarly issues]

Can you please post the C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log and mbae-default.log.bak?

 

[Feeding MBAE event data to SIEM]

We currently don't have direct integration into LogRhythm or other SIEMs. It all needs to go through a syslog first and then feed the events from the syslog to the LogRhythm SIEM. Our Sales Engineers have a library of integration scripts into a bunch of different SIEMs and other network tools (Breach Detection Systems, Endpoint manangement frameworks, etc.). Send me a PM and I'll put you in touch if you are interested in those.

 

[Feeding MBAE event data to SIEM]

Welcome to the forum cmorris.

There's two ways to do this:

1- Forward events from centralized Malwarebytes Management Console to a syslog server. This can be activated from the "Admin" pane.

2- Enable syslog support on each endpoint (by simply creating a registry key and some values) and point each endpoint to submit their MBAE events directly to the syslog server, bypassing the Management Console. Details for this can be found towards the end of the "MBAE Admin Guide".

 

 

[Years of Dedicatation]

My pleasure as always Wilpower!

We've been working on some new projects which hopefully will see the light of day soon and which I'm hoping you all will like as much as MBAE.

 

[3.0.6 automatically removed Anti-Exploit]

Try rebooting. Maybe it is in the middle of an auto-upgrade.

If that doesn't work, re-install.

[Automatic Upgrade Policy for perpetual Beta.]

MBAE standalone will continue to be pushed automatically through auto-upgrades.

Once we have a new 1.09 stable build (we've been posting intermediate builds with small improvements in each) we'll push it out through auto-upgrade.

Afterwards we'll also push out 1.10, 1.11, etc. through auto-upgrades.

[Java False Positive]

Replicate the problem again, and then send me the file mbae-default.log.

 

[Java False Positive]

Go to Settings > Protection > Advanced Settings > Java Protection > Disable the Java Inbound Shell Connection Protection.

 

[Microsoft Office and Grammarly issues]

If you remove the exclusion and reboot, does it still get blocked? (don't worry, you can add it again later).

[Microsoft Office and Grammarly issues]

It could be that Grammarly pushed out a new version and it is being blocked again. Can you post the latest entry from your mbae-alert.log?

 

[Microsoft Office and Grammarly issues]

Global exclusion added. Reboot and try again.

For future reference you can also add your own local exclusions from your MBAE UI. Simply click on the LOGS tab. Then find the block event, click it once, and then click the Exclude button.

[Microsoft Office and Grammarly issues]

Hi Harry,

 

you can use Private Message to send me the logs.

 

[MacType.dll flagged even after adding to exclusions]

The log has been cycled and doesn't show the block information any more. Can you please try to repro again and post a fresh mbae-default.log?

Also, I added this to the global exclusion, so you might not be able to repro it again.

 

[Exploit payload from UNC blocked]

This is by design as some exploits use WebDAV and UNC paths to deliver their payload. So our MBAE Layer3 Application Behavior protection blocks this generically. Since exploits ITW haven't used this technique for many many years, you can safely disable this under Advanced settings -> Application Behavior and disable the UNC protection for browsers. MBAE still has dozens of other layers that will protect against similar exploits, so you are not really reducing your effective protection.

 

 

[Malwarebytes blocking npm script run on windows console (cmd.exe)]

The mbae-default.log has cycled and doesn't include the alert information. Can you please reproduce the problem again and post a fresh new mbae-default.log?

 

 

[Mirillis Action! Recorder]

Added global exclusion for f5dc2ae9b6eff70c6d1a7377ed658049. Let me know if this is still triggering.

 

[Blocking VBscript in static local files installed in Program Files folder]

VB Scripting has been decomissioned by Microsoft some time ago due to the insecurities it introduces.

In fact during all of 2016 Exploit Kits were heavily abusing outdated computers with VBScript in order to exploit machines and execute code remotely on them. It is advisable that you do not use any products or applications that rely on VBScript.

Alternatively you can disable the VBScript enforcement technique in MB3 -> Settings -> Protection -> Advanced Settings -> Application Hardening, but it is probably safer to find an alternative to IDM that doesn't leave you more exposed to exploits.