Everything posted by AlexLeadingEdge

  1. I believe this is a false positive.

     Malware.AI.1798124113
     C:\Program Files (x86)\PuTTY\pscp.exe

     Zip file password protected with password 'infected'. VirusTotal says no issues: https://www.virustotal.com/gui/file/538353c0c525796801b370d08202d7b541b37c4291c774a5e40663d67d0d0c47/detection

     pscp.zip
  2. Ok, rebooted now, will PM you the two files.
  3. I see the workstation now wants to reboot to complete the Quarantining of the two files, which explains why I couldn't release them.
  4. Looking in Events I see "Failed to Restore from Quarantine" down the page.
  5. I released the file from Quarantine but it hasn't shown up on the client's machine :( I believe it is a false positive, but I can't use VirusTotal or upload the file until it is returned to the client.
  6. Hi guys, I believe this is a false positive. https://www.virustotal.com/gui/file/ee4124dc566acdd3b334afd88072851807c2abff7b1f3d6f2229818b5ef13c7f/detection Zip file has been locked with the password 'infected' just in case. FoxitReader545.0124_enu_Setup.zip
  7. I have emailed the diagnostic files, please confirm you got both. Gmail doesn't seem happy to be sending them; something inside the zip files is on Gmail's banned list or contains something that is triggering the Gmail antivirus.
  8. Hi jtodd234, I already have Ticket 3478426 open :) I will gather the logs now and submit to the ticket mentioned :)
  9. Hi Porthos, We are using OneView for all our clients. No exclusions set for this URL. The components are exactly the same. One difference is that one is a workstation and the other is a server (respectively):

     Agent Information (Working - Website blocked)
     Endpoint Protection:
     Endpoint Protection Protection Update: 1.0.41253
     Protection service version:
     Component package version: 1.0.1251
     Asset Manager:
     Brute Force Protection:

     Agent Information (Not Working - Website not blocked)
     Brute Force Protection:
     Asset Manager:
     Endpoint Protection:
     Endpoint Protection Protection Update: 1.0.41253
     Protection service version:
     Component package version: 1.0.1251
     Endpoint Detection and Response:
  10. Hi JPopovic, This is worrying. Not only that there is a malicious script in this website, but also that we have several machines running the latest version of Malwarebytes that isn't blocking the website as infected. Is there a reason why two installs of Malwarebytes would have different results?
  11. The website is: www.soyang.net Interestingly it is blocked on some machines but not on others. Soyang is a supplier for one of our clients. The block page claims the website "may contain a trojan". Can you please confirm this, and if nothing is found, please whitelist.
  12. All the download options say that it is the "lightweight version", but there is no full installer. What if I need the full installer? https://i.postimg.cc/8CVWSRvR/Malwarebytes-Lightweight01.jpg
  13. Just had another hit. Same software, different version, also flagged as a trojan: https://www.virustotal.com/gui/file/dcdbc648dcbf6be3f3328fdc9a899aa77195dd89c7b6a768dc7d9096a53c08ae/detection RPM_DataExtract.zip
  14. Thanks cli. How do you determine if a file is good (or not)?
  15. Hi guys, Just had one of the data extraction elements of RPM quarantined, and the registry key associated with it.

      Malware.AI.1361592252 Reg, Value Malware Quarantined HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|C:\RPM\BIN\RPM_DATAEXTRACT.EXE
      Malware.AI.1361592252 File Malware Quarantined C:\RPM\BIN\RPM_DATAEXTRACT.EXE

      Running it through VirusTotal there are 6 out of 69 vendors that flag it as a trojan, but it has been sitting on this machine for 13 years (2008) so I believe it is most likely a false positive. https://www.virustotal.com/gui/file/7ef5fe6d8555252f6677c420b94da27d566b64f786b773ebcd58e8f3c4f856ab/detection

      RPM_DataExtract.zip
  16. Ok. I don't know what to say to that. Perhaps someone else reported it over the weekend?
  17. Same problem again today. The bottom one is whitelisted ("Exclusions") and yet it has been quarantined. The other one is RdpGuard, a security program we use to block IPs after several failed RDP attempts.

      Malware.AI.2838036267 Reg, Key Malware Quarantined HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\RdpGuard_is1
      Malware.AI.2838036267 File Malware Quarantined C:\PROGRAM FILES (X86)\RDPGUARD\UNINS000.EXE
      Malware.AI.2838036267 Reg, Key Malware Quarantined HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{F88FE7C0-2B64-405B-9197-25F8BE135460}_is1
      Malware.AI.2838036267 File Malware Quarantined C:\PROGRAM FILES\ADVANCED MONITORING AGENT NETWORK MANAGEMENT\UNINS000.EXE

      Two are Registry entries, attached are the two uninstallers.

      unins000_SolarWinds_Advanced_Monitoring_Agent.zip
      unins000_RdpGuard.zip
  18. Cheers Cli, I have PM'd you the logs. I see the machine is on our repair bench, which probably means Malwarebytes was re-installed sometime in the last four days, but I see no emails notifying me of a new install so I can't be certain.
  19. Hi Cli, This detection has come back, same detection name: Malware.AI.1301800893 We even Whitelisted the whole folder it was in, so I don't know why it could have Quarantined it:
  20. Depends on the size of the business and the management software used. Without central management many computers will update themselves at any given day, which may result in dozens of different versions of the same software across a network. Computers that are offline or not on the network cannot be updated, so they have a different version from the majority. We use SolarWinds RMM to control Windows Updates, and PDQ to try and standardise the versions of programs, but there is only so much that you can do. If you look at the likes of Teamviewer, there are literally hundreds (thousands?) of versions, going from version 1 to version 15, with small build changes in each major version, which means different files, different MD5 hashes.
  21. Interesting, I didn't know that. Unfortunately it still requires releasing potentially infected files back into the wild just to get the MD5.
  22. I find I have to release the file out of quarantine and then upload it to VirusTotal.com, which gives me the MD5 hash, which I then can use in the Exclusions section of Malwarebytes OneView. If it is on a domain I can access the computer over the network without annoying the end users. It is a long-winded approach, but it seems to work. As mentioned above, though, the MD5 hash only works against Exploit Protection, not all the other components. I have pretty much given up on using MD5 hashes as half the time it will still pick up the file, so I open a forum thread here under False Positives and upload the quarantined file.
  23. Cheers. How do you know if it is infected or not?
  24. Software used to monitor the UPS for power failures. VirusTotal flags it twice but I believe it is a false positive. File is attached, password is 'infected'. https://www.virustotal.com/gui/file/6f2f3affa35c13bd3852adf12c2655cf04756f03c97ad0747f92e999a9142576/detection

      Malware.AI.2068222834 File Malware Quarantined C:\PROGRAM FILES (X86)\UPSMONPRO\SCAPOWERREG.EXE

      SCAPowerReg.zip