AlexLeadingEdge

Honorary Members
Posts: 120
Reputation: 2 Neutral


  1. I have emailed the diagnostic files; please confirm you got both. Gmail doesn't seem happy to be sending them: something inside the zip files is on Gmail's banned list or is triggering the Gmail antivirus.
  2. Hi jtodd234, I already have Ticket 3478426 open :) I will gather the logs now and submit to the ticket mentioned :)
  3. Hi Porthos, We are using OneView for all our clients. No exclusions set for this URL. The components are exactly the same. One difference is that one is a workstation and the other is a server (respectively):
     Agent Information (Working - Website blocked)
       Endpoint Protection: 1.2.0.876
       Endpoint Protection Protection Update: 1.0.41253
       Protection service version: 4.3.2.106
       Component package version: 1.0.1251
       Asset Manager: 1.2.0.331
       Brute Force Protection: 1.2.0.31
     Agent Information (Not Working - Website not blocked)
       Brute Force Protection: 1.2.0.31
       Asset Manager: 1.2.0.331
       Endpoint Protection: 1.2.0.876
       Endpoint Protection Protection Update: 1.0.41253
       Protection service version: 4.3.2.106
       Component package version: 1.0.1251
       Endpoint Detection and Response: 1.2.0.305
  4. Hi JPopovic, This is worrying. Not only that there is a malicious script in this website, but also that we have several machines running the latest version of Malwarebytes that isn't blocking the website as infected. Is there a reason why two installs of Malwarebytes would have different results?
  5. The website is: www.soyang.net (173.255.213.202:80) Interestingly it is blocked on some machines but not on others. Soyang is a supplier for one of our clients. The block page claims the website "may contain a trojan". Can you please confirm this, and if nothing is found, please whitelist.
  6. All the download options say that it is the "lightweight version", but there is no full installer. What if I need the full installer? https://i.postimg.cc/8CVWSRvR/Malwarebytes-Lightweight01.jpg
  7. Just had another hit. Same software, different version, also flagged as a trojan: https://www.virustotal.com/gui/file/dcdbc648dcbf6be3f3328fdc9a899aa77195dd89c7b6a768dc7d9096a53c08ae/detection RPM_DataExtract.zip
  8. Thanks cli. How do you determine if a file is good (or not)?
  9. Hi guys, Just had one of the data extraction elements of RPM quarantined, and the registry key associated with it.
     Malware.AI.1361592252 Reg, Value Malware Quarantined HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|C:\RPM\BIN\RPM_DATAEXTRACT.EXE
     Malware.AI.1361592252 File Malware Quarantined C:\RPM\BIN\RPM_DATAEXTRACT.EXE
     Running it through VirusTotal, 6 out of 69 vendors flag it as a trojan, but it has been sitting on this machine for 13 years (2008), so I believe it is most likely a false positive.
     https://www.virustotal.com/gui/file/7ef5fe6d8555252f6677c420b94da27d566b64f786b773ebcd58e8f3c4f856ab/detection
     RPM_DataExtract.zip
  10. Ok. I don't know what to say to that. Perhaps someone else reported it over the weekend?
  11. Same problem again today. The bottom one is whitelisted ("Exclusions") and yet it has been quarantined. The other one is RdpGuard, a security program we use to block IPs after several failed RDP attempts.
      Malware.AI.2838036267 Reg, Key Malware Quarantined HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\RdpGuard_is1
      Malware.AI.2838036267 File Malware Quarantined C:\PROGRAM FILES (X86)\RDPGUARD\UNINS000.EXE
      Malware.AI.2838036267 Reg, Key Malware Quarantined HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{F88FE7C0-2B64-405B-9197-25F8BE135460}_is1
      Malware.AI.2838036267 File Malware Quarantined C:\PROGRAM FILES\ADVANCED MONITORING AGENT NETWORK MANAGEMENT\UNINS000.EXE
      Two are registry entries; attached are the two uninstallers:
      unins000_SolarWinds_Advanced_Monitoring_Agent.zip
      unins000_RdpGuard.zip
  12. Cheers Cli, I have PM'd you the logs. I see the machine is on our repair bench, which probably means Malwarebytes was re-installed sometime in the last four days, but I see no emails notifying me of a new install, so I can't be certain.
  13. Hi Cli, This detection has come back, same detection name: Malware.AI.1301800893. We even whitelisted the whole folder it was in, so I don't know why it could have quarantined it:
  14. Depends on the size of the business and the management software used. Without central management, many computers will update themselves on any given day, which may result in dozens of different versions of the same software across a network. Computers that are offline or not on the network cannot be updated, so they have a different version from the majority. We use SolarWinds RMM to control Windows Updates, and PDQ to try and standardise the versions of programs, but there is only so much that you can do. If you look at the likes of TeamViewer, there are literally hundreds (thousands?) of versions, going from version 1 to version 15, with small build changes in each major version, which means different files and different MD5 hashes.
  15. Interesting, I didn't know that. Unfortunately it still requires releasing potentially infected files back into the wild just to get the MD5.