NightOwl

Everything posted by NightOwl

  1. We use TicTie Calculate by SafeSend cPaperless. Yesterday we installed it on a new, fully-updated computer, but MalwareBytes keeps blocking it as an RTP exploit **after** the initial application use.

     TicTie Calculate is a plug-in for Adobe Acrobat Pro. First you install Adobe Acrobat Pro, then make some settings adjustments to Adobe Acrobat Pro, and finally you install the TicTie Calculate plug-in. When you open Adobe Acrobat Pro, TicTie Calculate checks for a folder at C:\cPaperless. If the folder does not exist, it will create the folder.

     After reading around in this forum, I tried the following unsuccessfully...

       • Detection History > Allow List > Allow a previously detected exploit > Nothing is listed here even though history shows the record that is listed below.
       • Enabling beta updates in General > Beta updates
       • Disabling Exploit Protection in Security > Exploit Protection > Advanced settings > Unchecking all options under "PDF readers"

     All of the above settings were returned to their default values after confirming they did not resolve the issue.

     The only thing that I found to allow Adobe Acrobat Pro to function with the TicTie Calculate plug-in is to disable application protection in Security > Exploit Protection > Manage protected applications > Adobe Acrobat

     Since this computer handles a lot of sensitive documents - including a lot of PDFs - we are concerned that we are not opening ourselves up to an attack vector. Is there a better way to handle allowing TicTie Calculate to work with Adobe Acrobat Pro without completely disabling Adobe Acrobat Pro exploit detection?

     Here is a blocked exploit log...

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 2/3/24
     Protection Event Time: 3:19 AM
     Log File: c7471880-c27d-11ee-9ee2-168261453cae.json

     -Software Information-
     Version: 4.6.8.311
     Components Version: 1.0.2242
     Update Package Version: 1.0.80460
     License: Premium

     -System Information-
     OS: Windows 10 (Build 19045.3996)
     CPU: x64
     File System: NTFS
     User: System

     -Exploit Details-
     File: 0
     (No malicious items detected)

     Exploit: 1
     Exploit.PayloadProcessBlock, C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe \c if exist C:\cPaperless\TTCPlugin\CustomSymbols\CustomSymbols.pdf echo Folder already exists, Blocked, 701, 392684, 0.0.0, ,

     -Exploit Data-
     Affected Application: Adobe Acrobat
     Protection Layer: Application Behavior Protection
     Protection Technique: Exploit payload process blocked
     File Name: C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe \c if exist C:\cPaperless\TTCPlugin\CustomSymbols\CustomSymbols.pdf echo Folder already exists
     URL:

     (end)

     Thanks for your insights.
  2. Good afternoon,

     eMyPeople provides hosted email and enterprise-grade deep-packet inspection device firewall. We recommend Malwarebytes to many of our customers and we are getting reports from our customers that many of them are receiving block notices saying there is a danger of riskware.

     I am a sysadmin at eMyPeople. Please PM me if you need more information and I will provide you with my work email address.

     Here is an example block...

     One in relation to the firewall proxy...

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 8/18/21
     Protection Event Time: 8:32 AM
     Log File: aace0520-0028-11ec-be0e-40167ea8dd58.json

     -Software Information-
     Version: 4.4.4.126
     Components Version: 1.0.1413
     Update Package Version: 1.0.44224
     License: Premium

     -System Information-
     OS: Windows 10 (Build 19043.1165)
     CPU: x64
     File System: NTFS
     User: System

     -Blocked Website Details-
     Malicious Website: 1
     , C:\Program Files\Mozilla Firefox\firefox.exe, Blocked, -1, -1, 0.0.0, ,

     -Website Data-
     Category: Malware
     Domain:
     IP Address: 68.132.158.184
     Port: 8000
     Type: Outbound
     File: C:\Program Files\Mozilla Firefox\firefox.exe

     (end)

     One in relation to the mail server...

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 8/17/21
     Protection Event Time: 7:57 PM
     Log File: 37be10de-ffbf-11eb-bec3-40167ea8dd58.json

     -Software Information-
     Version: 4.4.4.126
     Components Version: 1.0.1413
     Update Package Version: 1.0.44210
     License: Premium

     -System Information-
     OS: Windows 10 (Build 19043.1165)
     CPU: x64
     File System: NTFS
     User: System

     -Blocked Website Details-
     Malicious Website: 1
     , C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe, Blocked, -1, -1, 0.0.0, ,

     -Website Data-
     Category: RiskWare
     Domain: mail.emypeople.net
     IP Address: 68.132.158.180
     Port: 465
     Type: Outbound
     File: C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe

     (end)

     Thanks for your help.