[False Positive - userinit.exe]

Hi LiquidTension

The issue is repeated again to the same Clients a few more times. 
Currently I am out of Office. I will come back to you on Monday and I will provide the logs you requiered. 

 

[False Positive - userinit.exe]

Hallo LiquidTension,

that's encountered two machines till now.

Attached you can find the logs you required.

Thank you for your help!

Logs1.zip

[False Positive - userinit.exe]

Thats happend serveral times to our clients since tomorrow even though the file direction (C:\Windows\System32\userinit.exe)  is included to Anti-Malware and Anti-Ransomware Exclusion List

Any help?

 

 

Thanks in advance

 

Malwarebytes Management Server Notification

--------------------------------------------

 

Alert Time: 12.02.2020 16:01:30

Server Hostname:

Server Domain/Workgroup: 

Description:

Ransomware threat detected, see details below:

Time  HostName    IPAddress   ThreatName  Operation   Clean Result      ObjectScanned

12.02.2020 16:01:23           Malware.Ransom.Agent.Generic      QUARANTINE  SUCCESSFUL  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit

12.02.2020 16:00:49           Malware.Ransom.Agent.Generic      QUARANTINE  WHITELISTED userinit.exe

Total count: 3.

-------------------------------------------

Comment: This email was generated by Malwarebytes Management Server. Please do not reply to this message.

 

logs.zip

[Exploit memory HeapSpray attempt blocked - Internet Explorer]

We just rolled out the last Anti-Exploit Version: 1.12.2.147 to our test Endpoints

One of the Clients (windows-10 virtual machine) got this alert-message as soon as he tries to open Internet Explorer.

 

Malwarebytes management server emailed over a notice about this alert every times the client tries to open IE.

Below is the alert-message from Server and attached are the MBAE Logs from that VM.

 

Malwarebytes Management Server Notification

--------------------------------------------

Alert Time: 22.05.2019 10:29:46

Server Hostname: *****

Server Domain/Workgroup: ****

Description:

Exploit threat detected, see details below:

 

22.05.2019 10:28:02     VM****      161.110.7.139     Exploit memory HeapSpray attempt blocked     BLOCK       user    Internet Explorer C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE   Attacked application: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE; Parent process name: iexplore.exe; Layer: Application Hardening; API ID: 900; Address: 0x0D0D78D0; Module: ; AddressType: ; StackTop: 0x0B200000; StackBottom: 0x0B1F2000; StackPointer: ; Extra:

Total count: 1.

 

Could someone tell me what the anti-exploit took exception to? 

Thanks in advance for your help.

logs.7z