AlexLeadingEdge
Honorary Members
  • Posts: 155

Everything posted by AlexLeadingEdge

  1. I believe this is a false positive as it is part of our SolarWinds Antivirus package (BitDefender and LanGuard). VirusTotal says there are no hits. File is attached, the password is 'infected'. https://www.virustotal.com/gui/file/69e4de45eb900381c0bb085497393f3b0ea35607f46f77436f17a23ff1b82471/detection
     Malware.AI.1301800893 | Malware | File | C:\PROGRAM FILES (X86)\ADVANCED MONITORING AGENT\ASSETSCAN.EXE
     assetscan.zip
  2. Hi guys, We have an accountant who has lost the uninstall file for a program called BankLink. BankLink has recently been bought by MYOB, a large accounting software firm in Australasia. Details as follows...
     Malware.AI.4214841433 | File | Malware | Quarantined | C:\BK5\UNINS000.EXE
     MD5: 3ebba8c2e66a5cb61d45e2101375dd6f
     https://www.virustotal.com/gui/file/e88d8112447beb30652d1e6da310dc51113b5cfa1f9248bf7d2c4e00daf7c287/detection
     File is attached, password is 'infected'. unins000.zip
  3. Password is 'infected'. Soda_PDF_7_Installer.zip
  4. Got this today, can someone please check if this is a false positive?
     Name: Malware.AI.3861356229
     Type: File
     Category: Malware
     Status: Quarantined
     Path: C:\USERS\ADMIN\DOWNLOADS\SODA_PDF_7_INSTALLER.EXE
  5. I would like to second the request for an "unquarantine and whitelist" option. Trying to find out what the MD5 is (not that MD5 seems to always work) or to create a wildcard file location in the whitelist options is tedious.
  6. I'm not sure what is going on but these files keep coming back each day. I ran ADWCleaner and it found files that Malwarebytes didn't. From the location we initially thought it was due to the client using their personal Gmail account to sync with their work Chrome account, but after removing all the Chrome Extensions and then turning off the sync the issue remains, the same files are picked up and quarantined every day. Interestingly, when running two scans one after the other, the first scan finds the files and quarantines them, and the second scan doesn't find anything. The next day they are back. Any ideas how to kill it off for good? (assuming it isn't a false positive). Note that I have replaced the username of the individual with USERNAME.
     PUP.Optional.SweetPage | Folder | PUP | Quarantined | C:\USERS\USERNAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB
     PUP.Optional.SweetPage | File | PUP | Quarantined | C:\USERS\USERNAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data
     PUP.Optional.SweetPage | Folder | PUP | Quarantined | C:\USERS\USERNAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB
     PUP.Optional.SweetPage | File | PUP | Quarantined | C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001
     PUP.Optional.SweetPage | File | PUP | Quarantined | C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
     PUP.Optional.SweetPage | File | PUP | Quarantined | C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK
     PUP.Optional.SweetPage | File | PUP | Quarantined | C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT
     PUP.Optional.SweetPage | File | PUP | Quarantined | C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000011.ldb
     PUP.Optional.SweetPage | File | PUP | Quarantined | C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000010.log
     PUP.Optional.SweetPage | File | PUP | Quarantined | C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.ldb
     PUP.Optional.SweetPage | File | PUP | Quarantined | C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.ldb
     PUP.Optional.SweetPage | File | PUP | Quarantined | C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb
     PUP.Optional.SweetPage | File | PUP | Quarantined | C:\USERS\USERNAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data
  7. I released it, scanned the computer again and the file was picked up again.
  8. Hi guys, Just a quick update, the latest version is 3.5.2 and all their machines are on that version, so it looks like it is a leftover install file of no importance to the client.
  9. Hi guys, We are seeing C:\USERS\REDACTED\APPDATA\LOCAL\DOWNLOADED INSTALLATIONS\{ECF6FE39-A8B0-411B-83AC-75A17875FE6F}\RSERV34.MSI It is a remote access tool that our client uses to access all the point of sale machines. This is a tough one, given it could probably be abused, but so could other remote access tools such as TeamViewer, and TeamViewer isn't detected as malware. Can an admin please let me know who wants to take a look at this and I will upload log files to that person.
  10. Hi cli, How do I do this in OneView? Also, is there a way I can do this without putting it on an open forum? Privacy is an issue here.
  11. Hi guys, There is an install file that is being quarantined by Malwarebytes Endpoint. The detection name is MachineLearning/Anomalous.100% The location is: C:\CompanyData$\Itsupport\Brookers\folio432\Libmangr\libmangr.exe This is a network shared location, and we have no reason to believe it is indeed infected. What other information do you need to whitelist this?
  12. Hi guys, I have just installed Malwarebytes Endpoint Protection on an Exchange server and it is trying to force a reboot. It gives me the option to postpone, but says it will reboot in ~540 minutes regardless, which is about 9 hours from now. I want to set the reboot time to a time of my choosing, not when Malwarebytes declares it will happen. It is a production server which will affect hundreds of people, so the timing has to be carefully managed so it is out of hours but doesn't reboot during the daily backups. I can't seem to see anything in the OneView or Nebula consoles to control this. Unless I'm missing something, the lack of granular control for this is appalling, and does not meet business class standards.
  13. Thanks for your reply Exile360. I had a chat with a senior technician at Malwarebytes Support and they said just to Control + Right click on the Malwarebytes icon and select "Stop Malwarebytes Service" and turn it on again when I'm done.
  14. Hi guys, We asked Malwarebytes Support how to temporarily disable Malwarebytes while we do server upgrades but they came back with this long-winded multi-step answer (below). Can I make a request for a simple button / Action that allows us to pause the Real-Time Protection for 15-60 minutes?
     *******************************
     Incident Response for Endpoint Protection
     Incident Response is a component of Endpoint Protection with all the real-time protection layers disabled. This can be utilized when RTP is not required but you would still like to run threat scans.
     1. Log in to your cloud console, and navigate to Settings > Policies, then click the "New" button in the upper-right.
     2. Name the policy "Incident Response - RTP disabled" to distinguish this policy from others.
     3. Navigate into Windows > Settings, then disable all switches under the category "Real-Time Protection". Save the policy.
     4. Now navigate to Settings > Groups, then click "New". Name the group "Troubleshooting" and select the newly created policy for this group.
     5. To move a machine into this group, please navigate to Manage Endpoints, then select the move option and select the newly created group.
     6. From the machine itself, restart the service "Malwarebytes Endpoint Agent" to force an immediate policy/group change.
     7. Now, move the endpoint back into its original policy and the "Malwarebytes Service" gets re-added to services.msc and is started.
  15. Hi Alex, Sorry about the delay in replying. We have multiple Malwarebytes installs with Malwarebytes certificate errors and the install isn't actually working, so I can't rule out it is one of these. Malwarebytes Support seem to be calling it "Error 577". We are in the process of moving several hundred computers from Nebula to OneView so we are a little busy at the moment, but will investigate again after Christmas.
  16. Hi Alex, No, we used one network we control to RDP into another network we also control, using incorrect RDP login authentication details. The Event Viewer shows the failed logins, but Malwarebytes didn't block us. The only thing I have noticed that may be a problem is that we haven't defined the RDP port as 3389, we left it blank so Malwarebytes would figure it out on its own.
  17. Hi guys, We turned on the new Brute Force Protection / RDP Blocking feature, but doing simple tests that should have got us blocked, by connecting with incorrect username and password, shows that the Brute Force Protection doesn't actually seem to do anything. Any ideas why this isn't working?
  18. I have the same issue. Every time I do a scan roughly 176 computers will email me saying they failed to scan (machine.command.failed, command.threat.scan). I asked Malwarebytes Support once before about this but they said it is caused by computers being offline or being powered off during the scan, but this is obviously not correct as I have servers that are online 24/7/365 that are also giving this error. I have opened a ticket with Support and hope to hear from them soon.
  19. This seems to be a part of an old install of Attache Pro, an accounting system. The client installed Attache Pro way back in 2006, but the client needs access to it for historical purposes. Here are the VirusTotal results, both say three AI have picked it up as malware, though interestingly Malwarebytes isn't in the list: https://www.virustotal.com/gui/file/0d81ced30afcc8a7b19d77b5e755e3de4002f5590959a6a43f7db2aaea945c86/detection https://www.virustotal.com/gui/file/5787ec365a04000058832dc9f0d1f4197beaa2cd2d87a160971991a6a24f1efc/detection
  20. How do I unquarantine the file without releasing it back to the end user? How do I run a VirusTotal scan against a file I haven't un-quarantined? i.e. if it is a virus I don't want to reinfect the end user's machine. Surely Malwarebytes can generate an MD5 hash from a Quarantined file?