mosk
Members - Posts: 16 - Reputation: 3 Neutral
Hi - thanks so much for the follow-up and the link. I appreciate the great support that Malwarebytes provides!
-
Thanks for the response. I installed the things I mentioned (WSL2, Docker, and DDEV), but I don't know if I installed Ngrok per se. Is there a way to tell if this is a legitimate installation vs malware? Or is ngrok inherently subject to misuse once it's on your system? I wasn't sure if its functionality was required by one of those things I installed and thus included/bundled into the installation. I think I'll quarantine the two files listed for now just to be on the safe side. Thanks for any additional information/recommendations you can provide.
-
mosk started following How to tell if false positives and Warning about RiskWare Ngrok
-
Hi. Over the past two days, I installed Docker, WSL2, and DDEV so I can set up a more robust environment for building and testing my websites. This morning I received a warning about Riskware Ngrok. Wasn't sure if this was a problem and if I should quarantine these files - or if these are appropriately used by my new installations. I'm attaching a copy of the text file/warning to this message. Thanks in advance for any help. MB_7-7-24_ngrok_warning.txt
-
Hi @Porthos - thanks for the note; will leave myself a note to update in a few days
-
I have several files that have been quarantined by Malwarebytes Premium, which look like they're related to legitimate software I use. 1) AEScripts.com uses an installer to help manage third party plugins / scripts for Adobe After Effects (first two in images below are for the aescripts updater). 2) Campaign Cartographer by ProFantasy is mapping software that also works with some free plugins and libraries that can be downloaded from the internet. Some of these add-ons/plugins/scripts are directly from the ProFantasy site (such as symbol sets and annual volumes) while others are from unrelated sites on the internet that maintain some large predefined libraries of images/symbols to use with the mapping software. As far as I know, almost all the things listed below are related to this mapping software, but I have no way of knowing if any of these represent true threats or if they're all false positives. Would welcome any recommendations on what I should do. Should I simply leave all these files in quarantine and ignore them? Wasn't having any problems with the software as far as I know. Thanks.
-
ok - thanks - I will post the quarantined items where you said and consider this thread closed.
-
Regarding all those files in quarantine, are you saying those represent false positives and I can tag them as safe - or do you just mean the 'exploit blocked' warnings are safe to ignore? (I still haven't noticed anything in particular that I'm doing that triggers the warnings, except if I navigate to a site and get a warning saying site unsafe in which case I won't proceed to the site)
-
Ok - great - thank you. I just posted about some files that had been quarantined. Wasn't sure if it was related to these warnings. If not, let me know if I should delete that and start a new thread. Thanks for your help.
-
This image shows the detection history over the past couple of weeks: These next four images show programs that have been quarantined by Malwarebytes. They look like they're related to legitimate software I use. Specifically, 1) Adobe After Effects, which uses an installer from AEScripts to help manage third party plugins / scripts for After Effects. 2) Campaign Cartographer by ProFantasy, which is mapping software that also works with some free plugins and libraries that can be downloaded from the internet - so I don't really have a good way of knowing if those additional files represent true malware.
-
Hi - I'm following up from a problem I noted a couple of weeks ago. Was asked to see if I had further 'exploits blocked' notifications from Malwarebytes Premium. Went for about 10 days without a problem, then got 3 notifications on 9/15 and three more on 9/18. I've posted copies of those six log files below, since that's what I was asked to do last time. I'll also make a separate post after this one about items I've had in quarantine for a while, which are related to legitimate software I've purchased - so don't know if those are an actual issue or not. Thanks in advance for any suggestions. (logs below)

Malwarebytes www.malwarebytes.com
-Log Details- Protection Event Date: 9/18/23 Protection Event Time: 2:05 PM Log File: e4a44b74-564d-11ee-a13e-a85e45542437.json
-Software Information- Version: 4.6.2.281 Components Version: 1.0.2131 Update Package Version: 1.0.75431 License: Premium
-System Information- OS: Windows 10 (Build 19045.3448) CPU: x64 File System: NTFS User: System
-Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadProcessBlock, C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid, Blocked, 701, 392684, 0.0.0, ,
-Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload process blocked File Name: C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid URL:
(end)

Malwarebytes www.malwarebytes.com
-Log Details- Protection Event Date: 9/18/23 Protection Event Time: 2:05 PM Log File: e4a6e3a2-564d-11ee-a353-a85e45542437.json
-Software Information- Version: 4.6.2.281 Components Version: 1.0.2131 Update Package Version: 1.0.75431 License: Premium
-System Information- OS: Windows 10 (Build 19045.3448) CPU: x64 File System: NTFS User: System
-Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Blocked, 601, 392684, 0.0.0, ,
-Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload file blocked File Name: C:\WINDOWS\sysnative\cmd.exe URL:
(end)

Malwarebytes www.malwarebytes.com
-Log Details- Protection Event Date: 9/18/23 Protection Event Time: 2:05 PM Log File: e4a92dba-564d-11ee-8d41-a85e45542437.json
-Software Information- Version: 4.6.2.281 Components Version: 1.0.2131 Update Package Version: 1.0.75431 License: Premium
-System Information- OS: Windows 10 (Build 19045.3448) CPU: x64 File System: NTFS User: System
-Exploit Details- File: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Quarantined, 0, 392684, 0.0.0, , Exploit: 0 (No malicious items detected)
(end)

Malwarebytes www.malwarebytes.com
-Log Details- Protection Event Date: 9/15/23 Protection Event Time: 7:59 AM Log File: 64283d1a-53bf-11ee-bfab-a85e45542437.json
-Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.75327 License: Premium
-System Information- OS: Windows 10 (Build 19045.3448) CPU: x64 File System: NTFS User: System
-Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadProcessBlock, C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid, Blocked, 701, 392684, 0.0.0, ,
-Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload process blocked File Name: C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid URL:
(end)

Malwarebytes www.malwarebytes.com
-Log Details- Protection Event Date: 9/15/23 Protection Event Time: 7:59 AM Log File: 642ad548-53bf-11ee-91ce-a85e45542437.json
-Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.75327 License: Premium
-System Information- OS: Windows 10 (Build 19045.3448) CPU: x64 File System: NTFS User: System
-Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Blocked, 601, 392684, 0.0.0, ,
-Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload file blocked File Name: C:\WINDOWS\sysnative\cmd.exe URL:
(end)

Malwarebytes www.malwarebytes.com
-Log Details- Protection Event Date: 9/15/23 Protection Event Time: 7:59 AM Log File: 642d4671-53bf-11ee-b461-a85e45542437.json
-Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.75327 License: Premium
-System Information- OS: Windows 10 (Build 19045.3448) CPU: x64 File System: NTFS User: System
-Exploit Details- File: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Quarantined, 0, 392684, 0.0.0, , Exploit: 0 (No malicious items detected)
(end)
-
got it - thanks for the help
-
ok - so should I just leave things be and post back if I get new notifications or blocks showing up in Malwarebytes' history panel?
-
Ok - I checked and Penetration Testing was not toggled on, so I clicked Restore Defaults > Apply as instructed, then closed and re-opened the program, and it still has Penetration Testing toggled off (looks the same as it did before).
-
Nothing specific that I recall. Probably browsing the web, looking for computer gear - and I typically have many browser tabs open (on Google Chrome) - but I think it just popped up as a Malwarebytes notification. Every once in a while I will click on a link and get a notification about 'dangerous website' - in which case I'll either close the tab or X out of Chrome (rather than clicking the 'proceed to website anyway' button - forget the exact wording). When I received this notification, I opened Malwarebytes to take a peek, and saw there had been a number of issues over the last few days so posted here.
-
Ok - thanks for the quick response. Here are those log files from the 11 events - the first nine all say Exploit Payload File Block or Exploit Payload Process Block; the last two refer to blocked websites:

1) Malwarebytes www.malwarebytes.com
-Log Details- Protection Event Date: 9/6/23 Protection Event Time: 8:05 AM Log File: 9d0905ec-4cad-11ee-afa2-a85e45542437.json
-Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74931 License: Premium
-System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System
-Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadProcessBlock, C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid, Blocked, 701, 392684, 0.0.0, ,
-Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload process blocked File Name: C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid URL:
(end)

2) Malwarebytes www.malwarebytes.com
-Log Details- Protection Event Date: 9/6/23 Protection Event Time: 8:05 AM Log File: 9d0bc534-4cad-11ee-8a45-a85e45542437.json
-Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74931 License: Premium
-System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System
-Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Blocked, 601, 392684, 0.0.0, ,
-Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload file blocked File Name: C:\WINDOWS\sysnative\cmd.exe URL:
(end)

3) Malwarebytes www.malwarebytes.com
-Log Details- Protection Event Date: 9/6/23 Protection Event Time: 8:05 AM Log File: 9d0e0f43-4cad-11ee-acfb-a85e45542437.json
-Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74931 License: Premium
-System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System
-Exploit Details- File: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Quarantined, 0, 392684, 0.0.0, , Exploit: 0 (No malicious items detected)
(end)

4) Malwarebytes www.malwarebytes.com
-Log Details- Protection Event Date: 9/4/23 Protection Event Time: 2:05 PM Log File: 9a1548d4-4b4d-11ee-89b5-a85e45542437.json
-Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74855 License: Premium
-System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System
-Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadProcessBlock, C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid, Blocked, 701, 392684, 0.0.0, ,
-Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload process blocked File Name: C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid URL:
(end)

5) Malwarebytes www.malwarebytes.com
-Log Details- Protection Event Date: 9/4/23 Protection Event Time: 2:05 PM Log File: 9a5deec2-4b4d-11ee-8e71-a85e45542437.json
-Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74855 License: Premium
-System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System
-Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Blocked, 601, 392684, 0.0.0, ,
-Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload file blocked File Name: C:\WINDOWS\sysnative\cmd.exe URL:
(end)

6) Malwarebytes www.malwarebytes.com
-Log Details- Protection Event Date: 9/4/23 Protection Event Time: 2:05 PM Log File: 9a6038d1-4b4d-11ee-a8a0-a85e45542437.json
-Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74855 License: Premium
-System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System
-Exploit Details- File: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Quarantined, 0, 392684, 0.0.0, , Exploit: 0 (No malicious items detected)
(end)

7) Malwarebytes www.malwarebytes.com
-Log Details- Protection Event Date: 9/4/23 Protection Event Time: 2:05 PM Log File: 97847810-4b4d-11ee-b55e-a85e45542437.json
-Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74855 License: Premium
-System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System
-Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadProcessBlock, C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid, Blocked, 701, 392684, 0.0.0, ,
-Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload process blocked File Name: C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid URL:
(end)

8) Malwarebytes www.malwarebytes.com
-Log Details- Protection Event Date: 9/4/23 Protection Event Time: 2:05 PM Log File: 97eb2f10-4b4d-11ee-ab77-a85e45542437.json
-Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74855 License: Premium
-System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System
-Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Blocked, 601, 392684, 0.0.0, ,
-Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload file blocked File Name: C:\WINDOWS\sysnative\cmd.exe URL:
(end)

9) Malwarebytes www.malwarebytes.com
-Log Details- Protection Event Date: 9/4/23 Protection Event Time: 2:05 PM Log File: 97edee59-4b4d-11ee-8698-a85e45542437.json
-Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74855 License: Premium
-System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System
-Exploit Details- File: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Quarantined, 0, 392684, 0.0.0, , Exploit: 0 (No malicious items detected)
(end)

10) Malwarebytes www.malwarebytes.com
-Log Details- Protection Event Date: 9/4/23 Protection Event Time: 10:29 AM Log File: 7d50c598-4b2f-11ee-af51-a85e45542437.json
-Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74851 License: Premium
-System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System
-Blocked Website Details- Malicious Website: 1 , C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, Blocked, -1, -1, 0.0.0, ,
-Website Data- Category: Compromised Domain: emedihealth.com IP Address: 159.223.152.119 Port: 443 Type: Outbound File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(end)

11) Malwarebytes www.malwarebytes.com
-Log Details- Protection Event Date: 8/28/23 Protection Event Time: 3:06 PM Log File: 0aa9589c-45d6-11ee-9649-a85e45542437.json
-Software Information- Version: 4.6.0.277 Components Version: 1.0.2114 Update Package Version: 1.0.74573 License: Premium
-System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System
-Blocked Website Details- Malicious Website: 1 , C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, Blocked, -1, -1, 0.0.0, ,
-Website Data- Category: RiskWare Domain: akpk.upnvj.ac.id IP Address: 103.147.92.68 Port: 443 Type: Outbound File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(end)