AlexLeadingEdge (Honorary Members, 155 posts)
Everything posted by AlexLeadingEdge

  1. Sorry about that, I went into the Malwarebytes 3.0 forum from a link in my browser history and didn't see any sub-forum for false positives. I should have gone up one level! Lesson learned!
  2. Hi guys, I was doing my daily backup check and saw a popup about a website blocked by Malwarebytes 3.0.6. GFI Software / LogicNow / SolarWinds is the company that provides our Advanced Monitoring Agent and Managed Antivirus products, so I believe this to be a false positive.
  3. Ok, thanks for letting me know, I hadn't realised that version 2 didn't have rootkit scanning enabled all this time.
  4. Yes, rootkit scanning is turned off by default. Rootkit scanning is a very good thing, especially with most cutting edge viruses using this, and so it should be on.
  5. So we have a scanning speed of "three to four times faster" because Malwarebytes is no longer scanning for rootkits?
  6. Yesterday Webroot listed the file SDKDBUPDATR.DLL with the MD5 of 48D9F8FDA751B5C209A02AF4C68E9332 as a Trojan. I got them to whitelist it but once again their heuristic has picked it up as suspicious and blocked it.
  7. Hi guys, Is there a reason why the Rootkit Scan is turned off by default? Just wondering.
  8. That is one of the antivirus systems that our client uses: https://www.maxfocus.com/remote-management/managed-antivirus I have no idea why it would be calling that script. I don't believe it has a reason to. Is it possible the Managed Antivirus was scanning that script and it was picked up by Malwarebytes?
  9. Is this the file you want? It looks encrypted? mbae-default.zip
  10. Just had two more:

      Malwarebytes
      www.malwarebytes.com

      -Log Details-
      Protection Event Date: 12/13/16
      Protection Event Time: 11:20 AM
      Logfile:
      Administrator: Yes

      -Software Information-
      Version: 3.0.4.1269
      Components Version: 1.0.39
      Update Package Version: 1.0.706
      License: Trial

      -System Information-
      OS: Windows Server 2012 R2
      CPU: x64
      File System: NTFS
      User: System

      -Exploit Details-
      File: 0
      (No malicious items detected)

      Exploit: 1
      Malware.Exploit.Agent.Generic, , Blocked, [0], [-1],0.0.0

      -Exploit Data-
      Affected Application: cmd
      Protection Layer: Application Behavior Protection
      Protection Technique: Exploit payload process blocked
      File Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Get-AppxPackage | Where Name -match Line | Select-Object -Expand Version
      URL:

      (end)

      Malwarebytes
      www.malwarebytes.com

      -Log Details-
      Protection Event Date: 12/13/16
      Protection Event Time: 11:21 AM
      Logfile:
      Administrator: Yes

      -Software Information-
      Version: 3.0.4.1269
      Components Version: 1.0.39
      Update Package Version: 1.0.706
      License: Trial

      -System Information-
      OS: Windows Server 2012 R2
      CPU: x64
      File System: NTFS
      User: System

      -Exploit Details-
      File: 0
      (No malicious items detected)

      Exploit: 1
      Malware.Exploit.Agent.Generic, , Blocked, [0], [-1],0.0.0

      -Exploit Data-
      Affected Application: cmd
      Protection Layer: Application Behavior Protection
      Protection Technique: Exploit payload process blocked
      File Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Get-AppxPackage | Where Name -match PiipCorporation.PiipMessenger | Select-Object -Expand Version
      URL:

      (end)
  11. Hi guys, Since upgrading to Malwarebytes v3 we are seeing a popup saying that a PowerShell script is being called and blocked. I can't see where it is being called from to kill the process; any ideas on how to track down this (possible) infection? It says that it was logged in this JSON file, which I have opened and copied and pasted here:

      BF9D0ABCC47F1F768A74D037871D81282A5284035F1CAF1E6DD38687061FFCCD
      {
        "applicationVersion" : "3.0.4.1269",
        "clientID" : "",
        "clientType" : "other",
        "componentsUpdatePackageVersion" : "1.0.39",
        "cpu" : "x64",
        "dbSDKUpdatePackageVersion" : "1.0.706",
        "detectionDateTime" : "2016-12-12T22:20:16Z",
        "fileSystem" : "NTFS",
        "id" : "289c33a0-c0b9-11e6-9d2e-00155d091702",
        "isUserAdmin" : true,
        "licenseState" : "trial",
        "linkagePhaseComplete" : false,
        "loggedOnUserName" : "System",
        "machineID" : "",
        "os" : "Windows Server 2012 R2",
        "schemaVersion" : 1,
        "sourceDetails" : { "type" : "ae" },
        "threats" : [
          {
            "linkedTraces" : [ ],
            "mainTrace" : {
              "cleanAction" : "block",
              "cleanResult" : "successful",
              "cleanResultErrorCode" : 0,
              "cleanTime" : "2016-12-12T22:20:16Z",
              "exploitData" : {
                "appDisplayName" : "cmd",
                "blockedFileName" : "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe Get-AppxPackage | Where Name -match ICQ | Select-Object -Expand Version",
                "layerText" : "Application Behavior Protection",
                "protectionTechnique" : "Exploit payload process blocked",
                "url" : ""
              },
              "generatedByPostCleanupAction" : false,
              "id" : "289c33a1-c0b9-11e6-a4d6-00155d091702",
              "linkType" : "none",
              "objectMD5" : "",
              "objectPath" : "",
              "objectSha256" : "",
              "objectType" : "exploit"
            },
            "ruleID" : -1,
            "rulesVersion" : "0.0.0",
            "threatID" : 0,
            "threatName" : "Malware.Exploit.Agent.Generic"
          }
        ],
        "threatsDetected" : 1
      }
  12. Webroot has whitelisted the SDKDBUPDATR.DLL file with MD5 signature 6A3773DC5414B66D3541731807AB7EA6.
  13. We have opened a case with Webroot to have the file checked and whitelisted.
  14. We have had 12 computers BSOD with the error message KMODE_EXCEPTION_NOT_HANDLED. Webroot Antivirus sees SDKDBUPDATR.DLL as W32.Trojan.Gen and causes the machine to BSOD.
  15. Jacob from Malwarebytes said this: "Looks like the issue has been resolved. There are probably a few machines that are using the old database and just need an update."
  16. Jacob at Malwarebytes just sent me this: Is there a website I can go to to see which vendors have done this?
  17. Softcnapp involves ads, yet Clover doesn't have any ads that I know of. I have never seen one at least.
  18. Malwarebytes Anti-Malware
      www.malwarebytes.org

      Protection, 6/12/2016 5:08 a.m., SYSTEM, MACH14, Protection, Malware Protection, Starting,
      Protection, 6/12/2016 5:08 a.m., SYSTEM, MACH14, Protection, Malware Protection, Started,
      Protection, 6/12/2016 5:08 a.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Starting,
      Protection, 6/12/2016 5:08 a.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Started,
      Update, 6/12/2016 9:09 a.m., SYSTEM, MACH14, Scheduler, IP Database, 2016.12.4.1, 2016.12.5.1,
      Update, 6/12/2016 9:09 a.m., SYSTEM, MACH14, Scheduler, Domain Database, 2016.12.4.3, 2016.12.5.7,
      Update, 6/12/2016 9:09 a.m., SYSTEM, MACH14, Scheduler, Malware Database, 2016.12.5.1, 2016.12.5.14,
      Protection, 6/12/2016 9:09 a.m., SYSTEM, MACH14, Protection, Refresh, Starting,
      Protection, 6/12/2016 9:09 a.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Stopping,
      Protection, 6/12/2016 9:09 a.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Stopped,
      Protection, 6/12/2016 9:10 a.m., SYSTEM, MACH14, Protection, Refresh, Success,
      Protection, 6/12/2016 9:10 a.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Starting,
      Protection, 6/12/2016 9:10 a.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Started,
      Detection, 6/12/2016 10:00 a.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Domain, 103.245.222.133, ejie.me, 61755, Outbound, C:\Program Files (x86)\Clover\clover.exe,
      Detection, 6/12/2016 10:00 a.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Domain, 103.245.222.133, ejie.me, 61755, Outbound, C:\Program Files (x86)\Clover\clover.exe,
      Detection, 6/12/2016 10:20 a.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Domain, 103.245.222.133, ejie.me, 61932, Outbound, C:\Program Files (x86)\Clover\clover.exe,
      Detection, 6/12/2016 10:48 a.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Domain, 103.245.222.133, ejie.me, 62419, Outbound, C:\Program Files (x86)\Clover\clover.exe,
      Detection, 6/12/2016 11:08 a.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Domain, 103.245.222.133, ejie.me, 62566, Outbound, C:\Program Files (x86)\Clover\clover.exe,
      Detection, 6/12/2016 11:28 a.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Domain, 103.245.222.133, ejie.me, 63230, Outbound, C:\Program Files (x86)\Clover\clover.exe,
      Detection, 6/12/2016 11:48 a.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Domain, 103.245.222.133, ejie.me, 63344, Outbound, C:\Program Files (x86)\Clover\clover.exe,
      Detection, 6/12/2016 12:08 p.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Domain, 103.245.222.133, ejie.me, 63576, Outbound, C:\Program Files (x86)\Clover\clover.exe,
      Detection, 6/12/2016 12:28 p.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Domain, 103.245.222.133, ejie.me, 63739, Outbound, C:\Program Files (x86)\Clover\clover.exe,
      Detection, 6/12/2016 12:48 p.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Domain, 103.245.222.133, ejie.me, 64315, Outbound, C:\Program Files (x86)\Clover\clover.exe,
      Update, 6/12/2016 1:00 p.m., SYSTEM, MACH14, Scheduler, Malware Database, 2016.12.5.14, 2016.12.5.15,
      Protection, 6/12/2016 1:00 p.m., SYSTEM, MACH14, Protection, Refresh, Starting,
      Protection, 6/12/2016 1:00 p.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Stopping,
      Protection, 6/12/2016 1:00 p.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Stopped,
      Protection, 6/12/2016 1:00 p.m., SYSTEM, MACH14, Protection, Refresh, Success,
      Protection, 6/12/2016 1:00 p.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Starting,
      Protection, 6/12/2016 1:00 p.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Started,
      Detection, 6/12/2016 1:28 p.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Domain, 103.245.222.133, ejie.me, 64900, Outbound, C:\Program Files (x86)\Clover\clover.exe,
      Detection, 6/12/2016 1:28 p.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Domain, 103.245.222.133, ejie.me, 64900, Outbound, C:\Program Files (x86)\Clover\clover.exe,
      Detection, 6/12/2016 1:48 p.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Domain, 103.245.222.133, ejie.me, 65365, Outbound, C:\Program Files (x86)\Clover\clover.exe,
      Detection, 6/12/2016 2:08 p.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Domain, 103.245.222.133, ejie.me, 50168, Outbound, C:\Program Files (x86)\Clover\clover.exe,
      Detection, 6/12/2016 2:28 p.m., SYSTEM, MACH14, Protection, Malicious Website Protection, Domain, 103.245.222.133, ejie.me, 50478, Outbound, C:\Program Files (x86)\Clover\clover.exe,
      (end)
  19. Sorry, correction, it is just the website that is being blocked. The program itself isn't an issue.
  20. The computer is in use and will be available in 6 hours time.
  21. This is the website: http://ejie.me/ And the link to the download: http://ejie.me/download/ I will post the logs shortly.
  22. It appears it isn't just the program that is being picked up but also the website.
  23. We have computers running a program called Clover, which turns File Explorer into a tab environment rather than having multiple windows. Malwarebytes has recently added Clover to its malware list; can we get it removed? I have never seen an ad using Clover and I don't know why it is considered a PUA. It has become a headache because we install it on every machine and we have end-users calling up to ask if they have an infection.