TonyCummins
Honorary Members
Posts: 122
Everything posted by TonyCummins

  1. I'm seeing lots of these blocks also.... Location: onedscolprdcus06.centralus.cloudapp.azure.com(13.89.179.8:443) Policy name: Desktop Policy - USB SCANNING ENABLED Process name: C:\Windows\System32\svchost.exe Report time: February 14th 2024, 22:03:53 UTC Scan time: February 14th 2024, 22:03:52 UTC Action taken: Blocked Threat name: Compromised Type: OutboundConnection
  2. Every endpoint: Reboot Summary (Simple): Updating core OS Files (pending reboot) Reboot Summary (Detailed): HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations contains... \??\C:\WINDOWS\system32\FRHook.dll{E5E381C7-BC32-4C92-8D9E-733B31F0108B} \??\C:\WINDOWS\SysWOW64\FRHook.dll{CB9D416A-6CCB-4E12-9041-67A2C6C291AB} Example:
  3. Yeah, I get that, but their response suggests it's going to drift into the black hole known as "dev ops", never to be heard of again. "Regrettably, due to current priorities and resource allocation, it is anticipated that the resolution for your specific matter will take approximately 2 to 3 months." Sounds like support is spread thin, which I've noticed considerably over the last year or so with regard to getting timely responses from support.
  4. Thanks for the response... I'll reach out to the vendor, I guess. Thanks
  5. Getting the following blocked; I believe it's a false positive. Can someone verify and add an exclusion? scram.net / 64.190.63.111
  6. Is anyone else seeing Malwarebytes adding restart flags to endpoints? This is affecting my patch management with PDQ. I have had this ticket open since December 14th and ONLY got it addressed by level 2 / development on Jan 4th. All my endpoints show they need a restart in the console; I have worked with that vendor and it seems Malwarebytes is adding flags that it needs a restart to delete FRHook.dll. I ran a script to remove that flag from ALL endpoints, but they are all back now. Here is an example of what I'm seeing: Reboot Summary (Simple): Updating core OS Files (pending reboot) No matter how many restarts I do, that flag never clears. I ran a manual cmd to remove flags on endpoints only to have it reappear almost instantly. This is the last response by level 1 support: After 4 weeks of back and forth with very bad support, this is the final response I received to shut me up: Feeling frustrated
  7. @HCHTech I too recently got sold the EDR, can you share the video please?
  8. Getting a bunch of detections for vast-prod-sfo3.zentrick.com and vast-prod-sfo2.zentrick.com (see pic). Anything to be concerned about?
  9. Thanks for the heads up. I have gone and turned off the rootkit scan in the scan options. Appreciate it. Tony
  10. Hi Blender, How do I acquire a log file of the detection? Using the Nebula cloud console. The 2 tablets in question are in deputy vehicles, so I don't have physical access to the hardware right now. Tony
  11. Seeing multiple endpoints flag the following files with a detection name of Malware.AI.1204675391: C:\WINDOWS\SYSTEM32\PROUNSTL.EXE HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\PROSET Is this a known issue? We are using Cloud Malwarebytes. Tony
  12. @Atribune Here is the file attached. Located in the following location: C:\Program Files (x86)\fiScanner\PaperStream Capture\PSCPDFLib\AdobeXMP.dll Thanks AdobeXMP.zip
  13. Got hit with this this morning... I thought it was fixed? Users complain they can't "scan" this AM. C:\Program Files (x86)\fiScanner\PaperStream Capture\PSCPDFLib\AdobeXMP.dll
  14. If you haven't already, create a support ticket and gather logs. You could also search the forums for "High CPU". We've had issues on and off but the answers seem to be a little different for many.
  15. I'd wait until someone more knowledgeable chimes in, but to me it looks like the original sender wanted to know if / when the email was opened / read, kind of like the read receipt you can turn on in Outlook. Instead they used a blank image to track that info; unfortunately for you, the image is on a domain that Malwarebytes does not like. Maybe @Zynthesist can confirm for you, as I'd hate to give you false information.
  16. Hi Mark, I'm no expert, but I think what's happening with that email is that there are "tracking" URLs embedded in the email associated with that gnway domain. As soon as the email is opened it tries to pull the blank image to show it was opened. As soon as the mail is opened, Malwarebytes picks up the gnway parent domain and alerts you. <img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=QHQ913p6-201809246115858102" style="display:none"></div> <img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=ng9115S4-201809253135548505" style="display:none"></div> <img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=267K13dg-201809254163115188" style="display:none"></div> <img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=Y8y085zK-201811310161302596" style="display:none"></div> <img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=6n646BVh-201811316135019799" style="display:none"></div> <img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=75h10c11-201811318181622204" style="display:none"></div> <img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=09A96795-201811320173828967" style="display:none"></div>
  17. @AndrewPP... Thanks for posting the Excel add-in!! I was not aware of that.
  18. Thanks for your continued help...hopefully this will clear it up.
  19. I got tired of waiting on this to be pushed out (in the hope it fixed the memory leak), so I went and created a policy with no protection turned on. Moved the endpoints into that policy... ran a check for updates... it removed the old version... then I moved the endpoints back into the policy with protection enabled and it grabbed the 3.6.1.2716 version.