
muciqi
Posts posted by muciqi
Hello LiquidTension,
so far this has occurred on two machines.
Attached you can find the logs you required.
Thank you for your help!
-
This has happened several times to our clients since yesterday, even though the file path (C:\Windows\System32\userinit.exe) is included in the Anti-Malware and Anti-Ransomware Exclusion List.
Any help?
Thanks in advance.
Malwarebytes Management Server Notification
--------------------------------------------
Alert Time: 12.02.2020 16:01:30
Server Hostname:
Server Domain/Workgroup:
Description:
Ransomware threat detected, see details below:
Time HostName IPAddress ThreatName Operation Clean Result ObjectScanned
12.02.2020 16:01:23 Malware.Ransom.Agent.Generic QUARANTINE SUCCESSFUL HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit
12.02.2020 16:00:49 Malware.Ransom.Agent.Generic QUARANTINE WHITELISTED userinit.exe
Total count: 3.
-------------------------------------------
Comment: This email was generated by Malwarebytes Management Server. Please do not reply to this message.
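The alert above shows the Winlogon Userinit registry value itself being quarantined, not just the file. That value is what Windows runs at every interactive logon, so a quarantine that wipes or alters it leaves users unable to log in even though userinit.exe is untouched on disk. As an added example (not the poster's, not Malwarebytes' code), the PowerShell check below verifies the value against the Windows default and confirms the binary is the Microsoft-signed one. The expected default string (C:\Windows\system32\userinit.exe, with the trailing comma) and the restore step are assumptions for this example; run it as an administrator on an affected client.

```powershell
# Added example: verify the Winlogon Userinit value after an AV quarantine.
# Assumed default for a stock Windows 10 install; the trailing comma is part of the value.
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = "$env:SystemRoot\system32\userinit.exe,"

function Test-UserinitValue {
    param([switch]$Restore)

    $current = (Get-ItemProperty -Path $key -Name Userinit -ErrorAction SilentlyContinue).Userinit

    if ([string]::IsNullOrEmpty($current)) {
        # A missing value means the next logon fails: report it and restore only if asked
        Write-Warning 'Userinit value is missing; interactive logons will fail.'
        if ($Restore) {
            Set-ItemProperty -Path $key -Name Userinit -Value $expected
            Write-Host "Restored Userinit to: $expected"
        }
        return $false
    }

    if ($current -ine $expected) {
        # Anything beyond the default exe (e.g. a second path after the comma) is worth a look
        Write-Warning "Userinit value is non-default: $current"
        return $false
    }

    Write-Host "Userinit value is the default: $current"
    return $true
}

function Test-UserinitBinary {
    # The file the value points to should carry a valid Microsoft signature
    $sig = Get-AuthenticodeSignature -FilePath "$env:SystemRoot\System32\userinit.exe"
    Write-Host ("Signature: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)
    return ($sig.Status -eq 'Valid')
}

# Report only; add -Restore to put the default value back if it has been removed
$valueOk  = Test-UserinitValue
$binaryOk = Test-UserinitBinary
if (-not ($valueOk -and $binaryOk)) { Write-Warning 'Investigate this client before the next reboot.' }
```

The default is checked case-insensitively because Windows stores the path with a lowercase system32. The restore is opt-in so that a genuinely tampered value is not overwritten before it has been recorded.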
-
We just rolled out the latest Anti-Exploit version, 1.12.2.147, to our test endpoints.
One of the clients (a Windows 10 virtual machine) gets this alert message as soon as it tries to open Internet Explorer.
The Malwarebytes Management Server emails a notice about this alert every time the client tries to open IE.
Below is the alert message from the server, and attached are the MBAE logs from that VM.
Malwarebytes Management Server Notification
--------------------------------------------
Alert Time: 22.05.2019 10:29:46
Server Hostname: *****
Server Domain/Workgroup: ****
Description:
Exploit threat detected, see details below:
22.05.2019 10:28:02 VM**** 161.110.7.139 Exploit memory HeapSpray attempt blocked BLOCK user Internet Explorer C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE Attacked application: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE; Parent process name: iexplore.exe; Layer: Application Hardening; API ID: 900; Address: 0x0D0D78D0; Module: ; AddressType: ; StackTop: 0x0B200000; StackBottom: 0x0B1F2000; StackPointer: ; Extra:
Total count: 1.
Could someone tell me what the anti-exploit took exception to?
Thanks in advance for your help.
False Positive - userinit.exe
in Ransomware
Hi LiquidTension,
The issue has occurred again on the same clients a few more times.
Currently I am out of the office. I will come back to you on Monday and provide the logs you required.