chedbe_EMA

Members
  • Posts

    11
  • Joined

  • Last visited

Reputation

0 Neutral
  1. Hello, I started seeing MBAM alerts today while deploying an application to many computers. Not all computers generated an MBAM alert. The ones that did generate an alert and had hstart.exe quarantined caused the software installation to fail. Below is an example of the alert. I have also attached a sample of the hstart.exe for your analysis. The software package I'm installing is called Newforma Project Center Client.

     1/7/2018 1:31:37 PM [Computer Name Removed] [IP Removed] HackTool.HiddenStart Quarantined C:\Users\[UserName Removed]\AppData\Local\Temp\{D5E81AB8-284A-4475-AEA4-A717F51FB273}\hstart.exe
     1/7/2018 1:31:37 PM [Computer Name Removed] [IP Removed] HackTool.HiddenStart Quarantined C:\Users\[User Name Removed]\AppData\Local\Temp\{0E5865BC-FBF7-460E-A874-D5E62DD5A41A}\hstart.exe

     Please advise. Thanks, Chad

     Attachment: hstart.zip
  2. We too have been seeing this IP address getting blocked at an unusually high rate today by MBAM. Processes involved are iexplorer.exe and firefox.exe (browsers) but more importantly to me, we are also seeing the swi_fc.exe process involved (Sophos Web filtering process). MBAM Support, can you please elaborate?

     1/3/2018 10:22:22 AM [computer name omitted] [Internal IP omitted] Type: outgoing, Port: 53938, Process: swi_fc.exe Blocked web site 50.19.237.142
  3. Good Morning, I think I am seeing a false-positive detection after the definitions updated for MBAM. Below is the alert message. I also have attached the DLL that was detected and quarantined.

     12/23/2017 5:23:00 AM [computer name removed] [IP removed] Trojan.Agent Quarantined C:\Program Files\Autodesk\Navisworks Manage 2014\lcdbx2011\AcSceneRes.dll

     Please advise. Thank you!

     Attachment: AcSceneRes.zip
  4. Sorry for not closing the loop on this sooner. The false-positive went away, again, after computers started receiving signature db version greater than v2017.10.26.6. We seem to be good now. Thanks for your assistance.
  5. I can confirm that signature db v2017.10.31.13 does not detect ARPPRODUCTICON.exe anymore as malicious (Trojan.FakePDF). I attached ARPPRODUCTICON.exe for Support's reference. For others, I did have to restart the affected computers before I could restore the files from Quarantine and properly rescan. Thank you Mieke and others!

     Attachment: ARPPRODUCTICON.zip
  6. Is this a false-positive? After clients updated with signature db v2017.10.31.11 we are seeing a high rate of detection of Trojan.FakePDF on ARPPRODUCTICON.exe across many computers. The detection path is C:\Windows\Installer\[[sub folder varies but is usually an ID]]\ARPPRODUCTICON.exe. Below are some sample alerts. I am working on collecting a log with mbam.exe /developer mode but I am not confident the log will show the detection since I wasn't able to restore the quarantined files. No errors when I try to restore the files, just nothing happens. I'll post the log when the scan finishes.

     10/31/2017 1:23:38 PM [computernameremoved] [IPaddressremoved] Trojan.FakePDF Quarantined C:\Windows\Installer\23ff09e3.msi
     10/31/2017 1:23:38 PM [computernameremoved] [IPaddressremoved] Trojan.FakePDF Quarantined C:\Windows\Installer\{7ECCF990-6516-4563-85AC-1CAD4DB88781}\ARPPRODUCTICON.exe

     Thank you for your insights.
  7. Here is the log file.

     Attachment: mbam-log-2017-10-26 (16-44-08)_.txt
  8. Hi Tammy, I'm working on getting you that log file. The scan to produce it is taking a while. When I tested this morning on a couple of computers and no longer had the false-positive detection, the computers had db version 2017.10.26.3 and I think .2. When computers started receiving v2017.10.26.6 we started seeing the false-positive again along with the new statement of "Delete-on-Reboot". Thanks again for your replies.
  9. Hey Tammy or whoever is listening, the problem is back. We were doing well until v2017.10.26.06. With that version of the definitions the file is getting quarantined again but flagged for Delete on Reboot.

     Spyware.Pony delete-on-reboot C:\Program Files\Rhinoceros 5 (64-bit)\Plug-ins\rdk.rhp

     Please advise!
  10. Thank you Tammy. I verified that the 2017.10.26.# definitions do not detect the rdk.rhp file as malicious.
  11. With MBAM database version 2017.10.25.11 we are seeing c:\program files\rhinoceros 5 (64-bit)\plug-ins\rdk.rhp being detected as Spyware.Pony and Quarantined. I'm suspicious that this is a false-positive. The scan log and sample are attached. The log file was generated using mbam.exe /developer. The log file says "no action taken" but the file was quarantined. Please advise.

      Attachments: MBAM-log-2017-10-25 (19-15-53)_.txt, rdk.zip
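The pattern running through these posts is the same each time: right after a definitions update, one threat name hits the same vendor-installed file on many hosts at once. As an added example (not part of chedbe_EMA's posts or of Malwarebytes' tooling), here is a small Python triage script that parses console alert lines in the layout shown above and surfaces exactly that cluster for a human to verify before mass-restoring from quarantine. The alert layout, the vendor directory list, the host threshold and all host names, IPs and GUIDs in the sample are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Alert layout inferred from the posts above: date time [host] [ip] threat action path
ALERT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"\[(?P<host>[^\]]+)\] \[(?P<ip>[^\]]+)\] "
    r"(?P<threat>\S+) (?P<action>quarantined|delete-on-reboot) (?P<path>.+)$",
    re.IGNORECASE)

# Directories where one file name hit across many hosts is more likely a bad
# signature than a real infection (assumption; tune for your environment).
VENDOR_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\installer\\")

def parse_alert(line):
    # Returns a dict for a file-detection alert, None for other line types (e.g. web blocks).
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = PureWindowsPath(rec["path"]).name.lower()
    return rec

def suspect_false_positives(lines, min_hosts=3):
    # Group detections by (threat, file name); keep clusters that hit at least
    # min_hosts distinct hosts under a vendor directory, busiest cluster first.
    hosts, sample_path = defaultdict(set), {}
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        key = (rec["threat"], rec["name"])
        hosts[key].add(rec["host"])
        sample_path[key] = rec["path"]
    hits = [{"threat": t, "file": f, "hosts": len(h), "path": sample_path[(t, f)]}
            for (t, f), h in hosts.items()
            if len(h) >= min_hosts and sample_path[(t, f)].lower().startswith(VENDOR_DIRS)]
    return sorted(hits, key=lambda r: -r["hosts"])

# Constructed sample modelled on the posted alerts (hosts, IPs and GUIDs are made up).
SAMPLE = [
    "10/31/2017 1:23:38 PM [WS-01] [10.0.0.11] Trojan.FakePDF Quarantined C:\\Windows\\Installer\\{GUID-1}\\ARPPRODUCTICON.exe",
    "10/31/2017 1:23:40 PM [WS-02] [10.0.0.12] Trojan.FakePDF Quarantined C:\\Windows\\Installer\\{GUID-2}\\ARPPRODUCTICON.exe",
    "10/31/2017 1:23:41 PM [WS-03] [10.0.0.13] Trojan.FakePDF Quarantined C:\\Windows\\Installer\\{GUID-3}\\ARPPRODUCTICON.exe",
    "10/26/2017 9:02:10 AM [WS-04] [10.0.0.14] Spyware.Pony delete-on-reboot C:\\Program Files\\Rhinoceros 5 (64-bit)\\Plug-ins\\rdk.rhp",
    "10/26/2017 9:02:12 AM [WS-05] [10.0.0.15] Spyware.Pony delete-on-reboot C:\\Program Files\\Rhinoceros 5 (64-bit)\\Plug-ins\\rdk.rhp",
    "1/7/2018 1:31:37 PM [WS-06] [10.0.0.16] HackTool.HiddenStart Quarantined C:\\Users\\u1\\AppData\\Local\\Temp\\{GUID-4}\\hstart.exe",
    "1/3/2018 10:22:22 AM [WS-07] [10.0.0.17] Type: outgoing, Port: 53938, Process: swi_fc.exe Blocked web site 50.19.237.142",
]
```

Run `suspect_false_positives(SAMPLE)` on a real export to get the clusters worth checking against the vendor's hashes or a second engine; a single hit in a user's Temp folder (the hstart.exe line) is deliberately left out because that is not the fleet-wide pattern.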