
BBGuy2023


  1. Yes that's what I'm getting basically. A quick update from me: I ran a scan and some files were quarantined of the same type as above. After deleting them it seems I can open the paradox launcher up again. Not sure what's going on - I saw a few other people post with similar reports.
  2. Hello - I believe the Paradox launcher (used for such games as Europa Universalis 4) may be throwing up false positive detections in Malwarebytes. Today every time I tried to run EU4 through Steam, I got an RTP detection, called "Malware.AI.2616805100". Can you please look into this? Thank you!
  3. I should say, I had another brother program installed, I think it was called "brother iprint&scan" - I uninstalled it too a moment ago.
  4. @Maurice Naggar Hello again. I'm sorry to say that this happened again today - the same pattern, "exploit process block," "exploit file block" and sysnative\cmd.exe quarantined, with nothing in the quarantine. Not sure what is causing this - I'm seeing no results from any scans from Malwarebytes and Webroot.
  5. I will do that, I'll post again here if there are any other exploit notices. Thanks!
  6. @Maurice Naggar Ok I just uninstalled "Brother PowerENGAGE" through Windows settings, and I just restarted. But it's looking promising that this program is the cause of this - I say this because, just as I uninstalled the program before I restarted, I got the "Exploit" popup from Malwarebytes again! This is the first time I've been able to re-create this block. So it's looking to me like this Brother program is indeed the issue. Now that it's uninstalled, I will keep an eye out, and will see if it occurs again. But this is pretty promising that this Brother program was the cause, right? Thanks!
  7. @Maurice Naggar Yes, I think I do have that program - I have a Brother printer, and when I search "apps and features" in Windows settings, it says I have "Brother PowerENGAGE" installed. So you're saying I should uninstall this? Just want to be 100% sure we're referring to the same thing. Thanks!
  8. Hello again, I just direct messaged Arthi the details, but this happened again today. As far as I can tell it's the same pattern: Six total "RTP" detections, two saying exploit process blocked, two saying exploit file blocked, and two saying sysnative\cmd.exe was quarantined (but nothing is in quarantine). This happened literally immediately after I woke my Windows 10 laptop from sleep mode, so I'm pretty sure it's not an actual malicious thing... and it's been 10 days since it last happened. All the same, any thoughts etc. would be appreciated.
  9. Ah, I see. I've had no stoppages, detections etc. or anything from Malwarebytes in the last few days!
  10. As a quick update: I've been using the laptop all weekend (including turning off/on, waking from sleep, running periodic scans with Malwarebytes and Webroot), and have had no other detections. So while I'm not an expert of course I think it's looking pretty good that it's some sort of glitch/false positive etc.
  11. Hello again, I wonder if it's a similar issue to what's reported on in this forum post? I'm not an expert of course! I did a search of the forums and found this.
  12. Hello all. This is my first time posting here so apologies if I made some sort of error. Today I woke my Windows 10 laptop and was shortly later greeted by 6 "RTP Detections" from Malwarebytes, all at the exact same time - 3 of the entries appear to be duplicates/repeats.

      The Exploit.PayloadProcessBlock alert reads (two times) as follows:

      -Log Details-
      Protection Event Date: 9/1/23
      Protection Event Time: 10:22 AM
      Log File: f40d7334-48d2-11ee-a14d-98bb1e1cc822.json

      -Software Information-
      Version: 4.6.1.280
      Components Version: 1.0.2117
      Update Package Version: 1.0.74721
      License: Premium

      -System Information-
      OS: Windows 10 (Build 19045.3324)
      CPU: x64
      File System: NTFS
      User: System

      -Exploit Details-
      File: 0
      (No malicious items detected)
      Exploit: 1
      Exploit.PayloadProcessBlock, C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid, Blocked,

      -Exploit Data-
      Affected Application: cmd
      Protection Layer: Application Behavior Protection
      Protection Technique: Exploit payload process blocked
      File Name: C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid
      URL:

      The Exploit.PayloadFileBlock reads (twice) as follows:

      -Log Details-
      Protection Event Date: 9/1/23
      Protection Event Time: 10:22 AM
      Log File: f4107e6c-48d2-11ee-97b1-98bb1e1cc822.json

      -Software Information-
      Version: 4.6.1.280
      Components Version: 1.0.2117
      Update Package Version: 1.0.74721
      License: Premium

      -System Information-
      OS: Windows 10 (Build 19045.3324)
      CPU: x64
      File System: NTFS
      User: System

      -Exploit Details-
      File: 0
      (No malicious items detected)
      Exploit: 1
      Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Blocked,

      -Exploit Data-
      Affected Application: cmd
      Protection Layer: Application Behavior Protection
      Protection Technique: Exploit payload file blocked
      File Name: C:\WINDOWS\sysnative\cmd.exe
      URL:

      It also says cmd.exe was quarantined (twice) but I'm not seeing anything in my quarantined items. Could this be a false positive?

      At the time, I had just opened Google Chrome and was attempting to navigate to a sports team's website to return an item as per an email sent by a customer support rep, but it appeared that the hyperlink in the support rep's email signature was incorrect/had a typo, http instead of https. I'm like 99.9% sure the support rep was legitimate, but maybe this typo somehow caused it? I've run a few general scans since then and detected nothing. I also just checked and I have "exploit protection" turned on, but I was using the Windows Mail application at the time, not Outlook, if that makes a difference. Any help would be appreciated.