Mark_Albrosco

Honorary Members
  • Posts: 95

Everything posted by Mark_Albrosco

  1. @KDawg @Karland - so I got a fresh detection today of the same PUP. I checked my detection history and it's the same registry entry each time. I deleted it from quarantine again. After reading the article suggested by KDawg, I could not narrow it down to a specific browser; so I followed the steps suggested for a possible "root kit" infection. The policy for the endpoints has "Scan Rootkits" disabled; I enabled it and ran a scan of the specific device - results came back with 0 threats detected. How do I kick this up to "Support"?
  2. Good day - would like to know if the following site is actually a malicious site or is it safe: <ns-1739.awsdns-25.co.uk> IP address = 205.251.198.203 This was detected on our primary domain controller; executed by dns.exe Thanks, Mark
  3. Hi Miekie - below is the status of our endpoints re: Malwarebytes Version and Protection Update Version. Is it safe to assume that the Protection Update Version is more important than the Malwarebytes engine version? There were 15 "false-positive" detections regarding VSTAPROJECT.DLL. 9 of these were in Quarantine and restored. 5 were under "Remediation Required" - I opted to remediate: will it place the file in Quarantine and allow us to restore? What can I expect to happen here? 1 was under "Detections" - submitted a fresh scan+quarantine...or is no action required here, i.e. the file just won't be detected as malware by the newer "protection versions"

     Malwarebytes version 3.4.5.2470 - Protection Update Versions: 1.0.8267
     Malwarebytes version 3.5.1.2600 - Protection Update Versions: 1.0.8217, 1.0.8261, 1.0.8265
     Malwarebytes version 3.6.1.2716 - Protection Update Versions: 1.0.8145, 1.0.8195, 1.0.8201, 1.0.8215, 1.0.8229, 1.0.8251, 1.0.8253, 1.0.8261, 1.0.8263, 1.0.8265, 1.0.8267, 1.0.8269, 1.0.8271, 1.0.8277
  4. Hi David - anyway to know if the analysis of the email attachment is in progress?
  5. @KDawg issue resolved; followed your steps to the letter and scan feature returned. Thanks again!
  6. As Malwarebytes Cloud Endpoint Protection does not automatically scan USB drives, I right click and select "Scan with Malwarebytes" from the context menu. Usually it works, but it is not launching the application. Help?
  7. Thanks Kalrand - I followed those steps on Thursday, and the detection returned yesterday (I repeated the delete from quarantine process this morning, see below) - any thoughts?
  8. We're using Malwarebytes Endpoint Cloud Protection. I ran the Asset Summary report for the managed Endpoints - the spreadsheet has Software Version (Endpoint Agent and Malwarebytes version 3.6.1.xxxx), as well as a Protection Update Version column. Would I be correct in assuming the database information is under the Protection Update Version column? If so then a number of my endpoints still need updating to the last published database. I may have to force an update?
  9. Mieke - is there anything I can check to make sure that the "false-positives" won't reappear after the file is restored?
  10. Thank you for your usual prompt...not mention stress relieving...response. Have a good day.
  11. Received an inordinate number of detections, which have been quarantined, for the following file: C:\PROGRAM FILES (X86)\MICROSOFT VISUAL STUDIO 8\VSTA\BIN\VSTAPROJECT.DLL This occurred rather suddenly on 30-Nov-2018, on a number of endpoints. Is this a false-positive? If yes, is it okay to restore from quarantine?
  12. I received the following notice yesterday, and today - what do I need to do to permanently remove this issue
  13. Received notice that IP address 192.185.148.192:56613 was blocked for the DNS service in use on the PDC. Is this a false-positive? Check with Virustotal returned the following:
  14. Hey David - no worries. As long as the analysis is done and I can get insight on this item. Cheers
  15. Topic moved to Malwarebytes Endpoint Protection as per email from David H. Lipman
  16. Note: this topic was originally posted in Home > Research Center > Newest IP or URL Threats and moved to this forum as suggested by David H. Lipman Malwarebytes Cloud Protection reported a blocked website for one of my users. Investigation revealed that the user did not browse to the site, but an email received from a supplier contact when opened in the preview pane of Outlook Web Access immediately results in a series of popups from Malwarebytes Endpoint Protection as below: I checked the URL using virustotal.com and the results were as follows: I've attached a zip file containing the email - I'd like it to be analyzed so that I can report what is causing the email to attempt to make an outbound connection. I also intend to contact our supplier and alert them to this issue, so that they can take appropriate action The following was also reported by Malwarebytes Endpoint Protection in relation to this item Email-CrossBrowser-blocked.zip
  17. The following was also reported by Malwarebytes Endpoint Protection in relation to this item
  18. Malwarebytes Cloud Protection reported a blocked website for one of my users. Investigation revealed that the user did not browse to the site, but an email received from a supplier contact when opened in the preview pane of Outlook Web Access immediately results in a series of popups from Malwarebytes Endpoint Protection as below: I checked the URL using virustotal.com and the results were as follows: I've attached a zip file containing the email - I'd like it to be analyzed so that I can report what is causing the email to attempt to make an outbound connection. I also intend to contact our supplier and alert them to this issue, so that they can take appropriate action Mark. Email-CrossBrowser-blocked.zip
  19. Hi Miekie - sorry I took so long. Zipped copy of the file is attached. Please let me know when it's been added to the clean file database. Mark.ADO_NET_SAMPLE.zip
  20. Hi Miekiemoes, Unfortunately, I can't locate the file as it was quarantined by Malwarebytes. Any suggestions?
  21. In the meantime, on the management console for Malwarebytes, I've added two exclusions: a "Registry Key" exclusion and a "Folder by Path" exclusion. I just cut and paste the Path values given in the quarantine/scan report. Can I get confirmation that this is sufficient, while the machine learning facility is updated?
  22. We're installing SQL Anywhere 16 and Malwarebytes Endpoint Protection quarantined one of the associated .exe files. See below:

     Hello Mark Cockburn, Based on your preferences, you are being notified that a new event has occurred on your account:
     Endpoint Name: hrplusserver.AHLTT.COM
     Domain/Workgroup: AHLTT.COM
     IP: 192.168.4.7
     Scan Date and Time: 11/08/2018 - 12:00:00 PM
     Scan Type: CustomScan
     Detections Cleaned: 2
     Severity: warning
     Group: Default Group
     Policy: Default Policy
     Displaying 2 of 2 detections below - additional details can be viewed via the Scan Report.
     Detection 1 - Name: MachineLearning/Anomalous.100%; Type: Reg. Value; Category: Malware; Status: Quarantined; Path: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS|C:\PROGRAM FILES\SQL ANYWHERE 16\CE\ASSEMBLY\V2\ADO_NET_SAMPLE.EXE
     Detection 2 - Name: MachineLearning/Anomalous.100%; Type: File; Category: Malware; Status: Quarantined; Path: C:\PROGRAM FILES\SQL ANYWHERE 16\CE\ASSEMBLY\V2\ADO_NET_SAMPLE.EXE

     The file is not a threat. It's part of the SQL Anywhere 16 application. Please update the machine learning facility to exclude this file. I would like to restore this file out of quarantine to ensure that the SQL Anywhere application is not affected and works properly. How can we have this done?
  23. Thanks miekimoes - you've been very helpful. Glad to report nothing else was detected, and user has been advised to clear cache. Mark.
  24. C:\USERS\DHENRI\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\029ZB3KK.DEFAULT\CACHE2\ENTRIES\D4010F84F1C96EB96CF6142843D398C2CBEFDB20 I received a MachineLearning/Anomalous.100% Malware alert for the file above. Malwarebytes Labs was very helpful with identifying for me that this is a result of efforts to protect users from zero-day threats by detecting files that do not appear to be legitimate. However, I need to know how to determine if I have a real threat on my hands, or not. The file listed above does not give me any clue as to its origin or association with a legitimate program. And I use these detections to alert the user community, and to keep them vigilant. Note: I've scheduled remediation of this file, which I expect to quarantine the file.