TonyCummins

Posts posted by TonyCummins

  1. On 12/12/2020 at 5:35 AM, shadowwar said:

    I have requested the rule be removed. This should be done in a couple of hours. This is known goodware in our cloud and has been for a while. If you have rootkit on, it will sometimes ignore the cloud on detections. If so, I recommend it only be turned on where there is a problem removing something. Rootkit mode, because of its aggressive nature, lowers some of the protection against false positives.

    Thanks for the heads-up. I have gone and turned off the rootkit option in the scan options. Appreciate it.

     

    Tony

  2. I'd wait until someone more knowledgeable chimes in :)  But to me it looks like the original sender wanted to know if / when the email was opened / read, kind of like the read receipt you can turn on in Outlook. Instead they used a blank image to track that info; unfortunately for you, the image is on a domain that Malwarebytes does not like. Maybe @Zynthesist can confirm for you, as I'd hate to give you false information :)

  3. 2 hours ago, Mark_Albrosco said:

    Below is an image of the only area that contains any links in the email - hovering over the URLs shows a link that matches the hypertext (so it's not a redirect to a bad site). The section above the contact info is an image - hovering over it does not show any link.

    Would you be willing to look directly at the attachment in one of my earlier posts? Maybe I'm missing something?


    Hi Mark,

    I'm no expert, but I think what's happening with that email is that there are "tracking" URLs embedded in the email associated with that gnway domain. As soon as the email is opened it tries to pull the blank image to show it was opened. As soon as the mail is opened, Malwarebytes picks up the gnway parent domain and alerts you.

     

    <img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=QHQ913p6-201809246115858102" style="display:none"></div>
    <img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=ng9115S4-201809253135548505" style="display:none"></div>
    <img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=267K13dg-201809254163115188" style="display:none"></div>
    <img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=Y8y085zK-201811310161302596" style="display:none"></div>
    <img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=6n646BVh-201811316135019799" style="display:none"></div>
    <img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=75h10c11-201811318181622204" style="display:none"></div>
    <img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=09A96795-201811320173828967" style="display:none"></div>
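How the hidden images quoted above behave, as an added example (not code from the original thread): a small parser that separates remote `<img>` tags hidden by CSS or sized 1x1 from ordinary visible ones and reports the host, port and query parameter each hidden one would beacon to when the mail is rendered. The sample body is constructed from two of the tags in the post plus a placeholder logo URL.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample body: two hidden tracking images quoted in the post above
# plus one ordinary visible logo (the logo URL is a placeholder, not from the email).
SAMPLE_EMAIL_HTML = """
<div><img src="https://example.invalid/logo.png" alt="Company logo" width="200"></div>
<img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=QHQ913p6-201809246115858102" style="display:none"></div>
<img alt="" src="http://onlykem.gnway.cc:6060/mailTrack?trackCode=ng9115S4-201809253135548505" style="display:none"></div>
"""


class HiddenImageFinder(HTMLParser):
    """Split remote <img> tags into hidden (beacon-like) and visible ones."""

    def __init__(self):
        super().__init__()
        self.hidden = []
        self.visible = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            return  # cid:/data: images never leave the mailbox, so they cannot beacon
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        if "display:none" in style or "visibility:hidden" in style or tiny:
            self.hidden.append(src)
        else:
            self.visible.append(src)


def find_tracking_pixels(html):
    """Return hidden remote images as host/port/path/parameter records plus a visible count."""
    parser = HiddenImageFinder()
    parser.feed(html)
    beacons = []
    for src in parser.hidden:
        u = urlparse(src)
        # Parameter names only: the values are per-recipient identifiers.
        beacons.append({"host": u.hostname, "port": u.port, "path": u.path,
                        "params": sorted(parse_qs(u.query))})
    return {"beacons": beacons, "visible_remote": len(parser.visible)}
```

Running it on the sample reports two beacons to onlykem.gnway.cc:6060/mailTrack carrying a trackCode parameter and one visible remote image, which is exactly the distinction a mail filter or proxy rule needs.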

     

  4. I got tired of waiting on this to be pushed out (in the hopes it fixed the memory leak), so I went and created a policy with no protection turned on. Moved the endpoints into that policy... ran a check for updates... it removed the old version... then I moved the endpoints back into the policy with protection enabled and it grabbed the 3.6.1.2716 version.

  5. 1 minute ago, djacobson said:

    I forgot if we had to use any wildcards on your setup, Tony, but a reminder that wildcard use will render the exclusion unusable to ARW, aka Behavior Protection.

    [attached image: ignore list matrix]

     

    No, I was not aware of that! I was instructed to use wildcards by tech support in a ticket I created back in May. You'd think they would have known.....
    So remove the wildcard exclusion and exclude by file path?

    C:\Program Files (x86)\Zuercher Suite\production\launcher\launch_leds.exe

    Also, the deputy that was having the exclusions ignored is off shift... probably because they were excluded by wildcards? So I still haven't been able to grab those log files.

  6. 1 minute ago, KDawg said:

    Tony,

    I want to apologize again for this situation, I can see how seriously it is affecting you.

    We would need logs from the problem endpoint before uninstalling to determine how this may have happened.

    With the exclusion in place and once again re-activated, we should not be getting the block; perhaps this machine did not receive the update once you re-enabled the exclusion. Logs would help us determine for sure.

    https://support.malwarebytes.com/docs/DOC-1818

     Many Thanks

     

    I will try to get logs from the offending machine when he comes back on shift.

    The exclusion was not re-activated... as you can see, it's been in place (a manual one) since May 1st, when support showed me how to correctly add it to the entire Zuercher folder.

  7. @djacobson  @KDawg  This got caught again on one of my end users and disabled the software.
    This software is a CAD / Dispatch in-car software that my deputies use to run NCIC queries... to have my deputy out in the field and be without the in-car software is unacceptable!!

    As you can see from the screenshot, the manual exclusions are still in my exclusion list.

    In order to fix his issue I had to have him drive back to our facility and me drive in from home. Remove the policy from the endpoint to stop it flagging the repair / install, uninstall the corrupted software and re-download and install. I left the endpoint without protection overnight as I didn't want a repeat of it getting flagged and quarantined again.

    This is unacceptable behavior of the endpoint protection when I have manual exclusion rules in place AND support assured me the cloud exclusions are in place and correct.


  8. On 10/21/2018 at 6:59 AM, shadowwar said:

    Ok, I whitelisted these files in a different way. Your logs show it's being whitelisted, so not sure what's going on. Hopefully this will solve it. It will be out in the next database update, so 3-4 hours from now.

     

    Again tonight I get a call from my end users: the leds.exe got picked up and the software disabled!! And that's with my manual exclusions still in place AND the so-called cloud ones that support said were in place!!


  9. 3 minutes ago, exile360 said:

    I didn't see anyone suggest this yet so I thought I'd add it just in case it helps:

    1. Totally exit/shut down Malwarebytes.
    2. Go to here in Explorer: C:\ProgramData\Malwarebytes\MBAMService
    3. and delete the following file only: hubblecache (it doesn't have a file extension).
    4. Then you can restart Malwarebytes and the cache file will rebuild on the next scan (make sure you're connected to the internet).

    That should correct the issue going forward assuming the whitelist is cached locally, which as I understand it, it should be, so this procedure should eliminate this detection once and for all, without the necessity of any exclusions.

    All my users, locally and remotely, are non-admin users. Over half my endpoints are in remote locations.
    Doing a quick test on a machine I do have access to as a non-admin, I opened Task Manager and killed the endpoint agent tray process and then tried deleting; it requires elevation to delete the "hubblecache" file.
    Also, there is no way that I know of to "turn off" Malwarebytes temporarily from the cloud, or even have the end user shut down Malwarebytes from his end?

  10. 15 hours ago, KDawg said:

    My apologies I thought you had said you manually removed your local exclusion.

    Even momentarily being without internet, or the exclusions, could cause this to hit.

     

    After being told that the files were whitelisted I DID remove the manual exclusions; immediately it got flagged and quarantined. I was remoted into the offending computer via TeamViewer, so it had internet. I then re-added the manual exclusions and restored from quarantine.

  11. 7 minutes ago, KDawg said:

    Tony,

    Is this machine in question staying connected to the internet?

    We have set the files to do not detect, but it may still be flagged offline.

    In those cases, we would rely on the local exclusions you had in place.

    Let us know if the local exclusions do not hold, or you have any questions on these detections.

    Many Thanks,

    Kevin 

    Yes, every machine has internet access and has no issues staying connected to the internet when it is powered up (or my end users would be kicking up a storm).

    Obviously the local ones are NOT holding, or I wouldn't be getting the excluded files put in quarantine.

  12. 1 hour ago, shadowwar said:

    Confirmed the file is whitelisted. Let me know if it's still detected, but you should be fine now. Worst case, shut down and restart MBAM.

     

    OK... I'll remove the manual exclusions again. Can you tell me what the deal is with this one?
    C:\Program Files (x86)\Zuercher Suite\production\launcher\launch_leds.exe

    I whitelisted that months and months ago manually and it still gets popped... even after I was told they added it to the whitelist.
