ScottQ
  1. I understand you are saying "Exploit Protection" is about hardening specific functions. I need more detailed information on how "Exploit Protection" works to understand why this is not a plausible enhancement request - MB's developers can clarify this. Here is what I do know: the message reported in the JSON log entry file (see https://pastebin.com/gfyHRKiL) describes EXACTLY what the command line was that it classified as an "exploit" (see the "blockedFileName" value), but in this case, for my system, it is a false positive. I fail to see why it would be so difficult to enhance "Exploit Protection" to read an exception table rule like: "if command line begins with **** then allow". This would occur after detection and before it cancels processes. You cite unticking the box "disable loading of VBscript libraries" for "MS Office" products, but the issue is with the Firefox browser, so why do I need to allow it for MS Office products (Word, Excel, PowerPoint etc.)? Why not untick the "Non-Chromium browsers" column?
     // Contents of C:\ProgramData\Malwarebytes\MBAMService\AeDetections\fc9cad20-e17f-11ea-96aa-5cff3502cfcc.json:
     // F8582147D180AE24710978ED66FD29EA3C881AD5DE322FB8A86B6BA225A84478
     {
       "applicationVersion" : "3.5.1.2522",
       "clientID" : "",
       "clientType" : "other",
       "componentsUpdatePackageVersion" : "1.0.365",
       "cpu" : "x86",
       "dbSDKUpdatePackageVersion" : "1.0.17626",
       "detectionDateTime" : "2020-08-18T08:47:47Z",
       "fileSystem" : "NTFS",
       "id" : "77d815c0-e12f-11ea-9705-5cff3502cfcc",
       "isUserAdmin" : true,
       "licenseState" : "trial",
       "linkagePhaseComplete" : false,
       "loggedOnUserName" : "System",
       "machineID" : "",
       "os" : "Windows Vista Service Pack 2",
       "schemaVersion" : 9,
       "sourceDetails" : { "type" : "ae" },
       "threats" : [
         {
           "linkedTraces" : [ ],
           "mainTrace" : {
             "cleanAction" : "block",
             "cleanResult" : "successful",
             "cleanResultErrorCode" : 0,
             "cleanTime" : "2020-08-18T08:47:47Z",
             "exploitData" : {
               "appDisplayName" : "Mozilla Firefox (and add-ons)",
               "blockedFileName" : "C:\\Windows\\System32\\WScript.exe C:\\Windows\\System32\\WScript.exe C:\\cmdpath-redacted\\openwith_tc2.vbs E:\\redacted.ext",
               "layerText" : "Application Behavior Protection",
               "protectionTechnique" : "Exploit payload process blocked",
               "url" : ""
             },
             "generatedByPostCleanupAction" : false,
             "id" : "7ddf5be0-e12f-11ea-a7da-5cff3502cfcc",
             "linkType" : "none",
             "objectMD5" : "",
             "objectPath" : "",
             "objectSha256" : "",
             "objectType" : "exploit"
           },
           "ruleID" : 392684,
           "rulesVersion" : "0.0.0",
           "threatID" : 0,
           "threatName" : "Malware.Exploit.Agent.Generic"
         }
       ],
       "threatsDetected" : 1
     }
  2. Not a technical issue, as nothing is broken, so I assume this is the right forum?
  3. I have a script blocked by "exploit protection" detecting VBscript started by the browser. The add-on starts the command line: WScript.exe C:\cmdpath-redacted\openwith_tc2.vbs E:\redacted.ext Looking for someone on the Malwarebytes development team to clarify the JSON log report file - https://pastebin.com/gfyHRKiL - line: "blockedFileName" : "C:\\Windows\\System32\\WScript.exe C:\\Windows\\System32\\WScript.exe C:\\cmdpath-redacted\\openwith_tc2.vbs E:\\redacted.ext" Question #1: Why is the reported value of "blockedFileName" : "C:\\Windows\\System32\\WScript.exe" repeated twice? Question #2: Why is the reported value of "blockedFileName" a command line and not a file name? (For now I will go on the assumption that it also doubles as meaning "blocked command line".) I only need information about these two questions.
  4. The Malwarebytes answer at https://forums.malwarebytes.com/topic/223638-need-to-run-vbs-script-specific-permissions/ indicates you can't have a specific exception. Why is it not possible to enhance MB so a specific command line prefix can be an exception? For example, all command lines that begin with "C:\Windows\System32\WScript.exe C:\cmdpath-redacted\openwith_tc2.vbs " would be allowed to run if listed as an exception. That is, these commands would pass: C:\cmdpath-redacted\openwith_tc2.vbs file1.ext C:\cmdpath-redacted\openwith_tc2.vbs file2.ext but c:\cmdpath-redacted\openwith_tc.vbs file1.ext would be stopped as it is not the same script. It is an issue for me: I am using Firefox with the downloadstatusbar add-on set up to run the command "C:\cmdpath-redacted\openwith_tc2.vbs %1" automatically after each download, where "%1" is replaced with the name of the downloaded file.
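The prefix exception proposed in the last post, tried against the "blockedFileName" value from the posted log, as an added example (not the poster's code and not anything Malwarebytes ships). It assumes the logged value has no spaces inside paths, as on this page, and that Windows path comparison is case-insensitive; it shows that a literal "begins with host + script" rule does not match the logged value because the WScript.exe path appears twice, while a rule that matches host and script as separate tokens does.

```python
import json

# Constructed excerpt of the AeDetections record quoted above (only the fields used here).
DETECTION_JSON = r'''{
  "threats": [{"mainTrace": {"exploitData": {
    "appDisplayName": "Mozilla Firefox (and add-ons)",
    "blockedFileName": "C:\\Windows\\System32\\WScript.exe C:\\Windows\\System32\\WScript.exe C:\\cmdpath-redacted\\openwith_tc2.vbs E:\\redacted.ext",
    "protectionTechnique": "Exploit payload process blocked"}}}]}'''

HOST = r"C:\Windows\System32\WScript.exe"
ALLOWED_SCRIPT = r"C:\cmdpath-redacted\openwith_tc2.vbs"  # the one script the poster wants excepted


def blocked_command_lines(raw_json):
    """Return every blockedFileName value from an AeDetections-style record."""
    doc = json.loads(raw_json)
    return [t["mainTrace"]["exploitData"]["blockedFileName"] for t in doc["threats"]]


def naive_prefix_rule(cmdline):
    """The rule exactly as proposed: allow if the line begins with '<host> <script> '."""
    return cmdline.lower().startswith(f"{HOST} {ALLOWED_SCRIPT} ".lower())


def host_and_script_rule(cmdline):
    """Token-based form of the same exception.

    Strips every leading copy of the host path (the log shows it twice), then requires
    the first remaining token to be exactly the allowed script. A different script in
    the same directory (openwith_tc.vbs) is therefore still blocked. Assumption: paths
    contain no spaces, so whitespace splitting is sufficient.
    """
    tokens = cmdline.split()
    host_seen = False
    while tokens and tokens[0].lower() == HOST.lower():
        tokens.pop(0)
        host_seen = True
    if not host_seen or not tokens:
        return False  # no host launch, or nothing after the host: not our exception
    return tokens[0].lower() == ALLOWED_SCRIPT.lower()


def evaluate(raw_json):
    """Map each blocked command line to (naive rule verdict, token rule verdict)."""
    return {c: (naive_prefix_rule(c), host_and_script_rule(c)) for c in blocked_command_lines(raw_json)}
```

For the logged value `evaluate` yields `(False, True)`: the exception the poster describes only works once the repeated host path in the log format is accounted for.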