
CSProf


  1. Hmm, don't love that solution... the one currently in question runs continuously in the background, and is launched at boot, so this would be tantamount to completely disabling exploit protection. Seems pretty extreme to have to disable a whole subsystem to run a custom app, even temporarily, but certainly not permanently. (And it has run fine before, for years, so malwarebytes is/was capable of handling it.) Seems like there ought to be some way for malwarebytes to flag a given process and its subprocess tree as allowed. Again, I realize there may be a way to fix this one particular case, sending in logs etc., but it happens often enough with custom scripts I write that I'm hoping to find (or stimulate) a general case solution.
  2. Hi, I have assorted scripts I've written, in various languages. (bat, powershell, perl, cygwin bash, etc.) Some run as background tasks, some I invoke directly (command line, desktop, etc.) Often these will get flagged and disallowed from executing. For example, I've got one now that's a perl script that does stuff, calls a legacy bat file, which calls mshta to invoke a wscript.shell object. It was working fine, until it wasn't. Malwarebytes blocked it as an exploit the other day (in this case, the mshta/wscript call). I already had my perl script and the legacy batch script in the allow list, from long ago. I don't want to add mshta itself to the allow list, since I don't want to trust all invocations of it, nor all bat scripts either -- just the ones invoked from already allowed items, like my allowed scripts. Is there some way to do that? Since I already have my custom scripts on the allow list, I can't see a way to tell malwarebytes to trust said script invoking mshta, etc. This happens periodically, so I'm not looking for a one-off solution, but some way to add a script and have malwarebytes trust it, regardless what else that script does internally. Ideas?
  3. Hi, the scan reported that my (not yet installed) download of CDWAV198.EXE from http://www.milosoftware.com/en/index.php?body=download.php -- a file dated 7 Feb 2009 -- was infected with Malware.Sandbox.23. Is that true, or a false positive? Exe is attached. Their web site even says, "CD Wave is totally free of any form of adware or malware. Some antispyware, antivirus or antitrojan programs can detect CD Wave as being infected, although the application runs perfectly safe and does not pose a threat to your system. This type of reading is called a "false positive" and it occurs when antivirus software wrongly classifies an inoffensive (safe) file as a virus. The incorrect report may be caused by heuristics or by an incorrect virus signature in a database." So, which is it? :) Thanks! cdwav198-for-mbam.zip
  4. Holy freakin' gods! Heart attack city: I was in the midst of posting on facebook this afternoon about, of all things, Russian hacking of the election -- and suddenly mbam goes berserk with alerts about malware connections from firefox. Well over 100 of them, many of them looking like legit sites (google ads) but many domains I'd never heard of. Srsly, I'm posting about Russian hacking and what, they're hacking my PC as I type?!? Sheeeee-it! I did restart firefox and check mbam for an update, which there just happened to be one, and that stopped the flood of alerts. Whew, glad to see it wasn't just me. Really bad timing to have a freak out, mbam guys! :) However, it did point out a feature that would be useful: Ability to view and especially export ALL event reports at once. Trying to look through each individually is super tedious. Thx.
  5. Hi, Arthi, I PM'd you, haven't heard back...
  6. So, I keep getting reports about ransomware regarding mv.exe from the cygwin linux tools distribution (which is then annoyingly deleted so I have to restore it). Here's the log info and mv.exe binary in a zip so y'all can check it out.

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 3/17/18
     Protection Event Time: 5:24 PM
     Log File: 5c080fa2-2a3a-11e8-a5e2-a4173112e420.json
     Administrator: Yes

     -Software Information-
     Version: 3.3.1.2183
     Components Version: 1.0.262
     Update Package Version: 1.0.4396
     License: Premium

     -System Information-
     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: System

     -Ransomware Details-
     File: 1
     Malware.Ransom.Agent.Generic, c:\cygwin\bin\mv.exe, Delete-on-Reboot, [0], [392685],0.0.0

     (end)

     mv.zip
  7. Hi, how can I whitelist this puppy?-- I have a little script that pops up a periodic note. It's driven by a perl script called by task scheduler. Perl calls a .bat file utility I created that does a popup window with a message. The msgbox.bat file calls mshta.exe to do a WScript.Shell Popup--

     mshta "javascript:var sh=new ActiveXObject( 'WScript.Shell' ); sh.Popup( '%*', 10, '', 64 );close()"

     Mostly this works, but every so often, MBAM blocks it. (Nothing in any of the files has changed.) I've put both the perl script and the msgbox.bat file on the file exclusions list. I don't want to whitelist all calls to mshta.exe for obvious reasons. So, how do I accomplish that? I've seen similar with some other scripts I've written (where my script calls all sorts of other scripts), and mostly it seems to work to allow the top script, though every now and then MBAM will still block them. It would be nice to have a way to whitelist a script and anything it invokes when it runs. Log file attached... Thanks! xxmbam-popup.txt