FinDude

It might not be logging it. Te issue is the browser link. I go to the download page and click the link and I get a rather abrupt warning. Why is this suspicious content?:

I read the post about "Before you report a false positive" and there is no save or download option. I followed it to this link: https://blog.malwarebytes.com/detections/riskware-injector/ Image of my MalwareBytes screen is attached. I am the owner and author of this product. We are a software company that has been in business since 1998 and we provide this file to our users and to people that pay for the software products or our courses. Here are the links to download the software (three versions off the same file) all built with PaquetBuilder Installer. The Malwarebytes scanner grabbed this when the link on the website is clicked for the download: http://www.ablhelp.com/FsJ3m992Vvsf963Ms2F/ABL-Help_Classic.htm http://www.ablhelp.com/P3kwrEs28tF/JustHelp.htm http://www.ablhelp.com/KWDksjdkjelksSH0/JustHelp.htm

I did not get that blocker because I was not downloading. Of course, I would like to NOT have any users get that block. I have the file on my hard drive and the daily scanner picked it up. The log... Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 9/16/21 Scan Time: 12:05 PM Log File: d8287ece-1707-11ec-9ef2-60f2623d41b2.json -Software Information- Version: 4.4.6.132 Components Version: 1.0.1453 Update Package Version: 1.0.44998 License: Premium -System Information- OS: Windows 10 (Build 19043.1237) CPU: x64 File System: NTFS User: System -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Scheduler Result: Completed Objects Scanned: 386181 Threats Detected: 1 Threats Quarantined: 0 Time Elapsed: 9 min, 40 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 1 Malware.AI.3168315931, C:\PROGRAM FILES (X86)\AWRITER\EXE\ABL_HLP_PRO_OEM.EXE, No Action By User, 1000000, 0, 1.0.44998, 59B7DFAA44A06CFFBCD8AA1B, dds, 01425064, 6490D5033FBA47D2CD71C17CEA20F827, 0427464E51983259056A222D3D05C1A46F228484B4A4C258B16198974B6E3DED Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end)

Thank you, it seems like a public forum. Better to ask than to be a fool about that. We are the publishers and it comes back to our Code Signing Certificate at FinSoft, LLC. Please follow these steps to get ABL-Help Pro: 1. Get the download (Follow the instructions on this page): http://www.ablhelp.com/KWDksjdkjelksSH0/JustHelp.htm 2. Once downloaded and (most likely renamed to EXE), run the installer. 3. Launch ABL-Help Pro (desktop icon or the Start menu list and look for ABLHelp) This is an EXE compiled CHM file made with https://www.htmlexe.com/Home. The MalwareBytes message noted that the EXE is suspect. Thank you for you time.

We publish ABL-Help and ABL-Help pro. We use an installer named PacquetBuilder. This is NOT a public facing installer. Contact to get access to the download site for your inspection. Joe

I agree with OneTime that this is not a good thing. The exploit indicates that MSWord is trying to run C:\Windows\System32\cmd.exe and that is a command prompt that could allow another program to run. Turning off this alleged exploit protection would let that CMD run. I have run several scanners and nothing is coming up. I also got a safe mode notice on the restart of MSWord. I do appreciate Malwarebytes and all that it has stopped and protected me with. This is either a quirk in the scanner or a real threat and turning off something that is protecting me seems to go against the purpose of both the product and my wishes to be protected. Until this is resolved as a false positive, I am NOT disabling this feature. There is a related post at this link and they should be merged.