soldieroffortune

Everything posted by soldieroffortune

  1. Actually it does work now all of a sudden. It's super weird; it seems like it's not behaving consistently.
  2. I restarted the PC, still happening. I tried on a different PC as well, same thing. If I can't figure this out soon I'll have to give up on Malwarebytes and replace it with a different antivirus that allows me to run legit programs.
  3. Unfortunately that doesn't solve the issue. Malwarebytes still blocks my script from running. The layer that does it is "Application Behavior Protection" and the technique is "Exploit payload process blocked". Why is this so difficult?
  4. Thanks. Looking forward to hearing what can be done to whitelist my script in Malwarebytes so that I can keep using it.
  5. I can do this, but I don't feel comfortable uploading all these logs to a public website. Is there a way I can send you this directly and not upload logs so they're visible on this website?
  6. This solves the issue in the 2nd log. But look at my first log, I can't find a way to get rid of that.
  7. Nobody else has any suggestions? There has to be a way to whitelist a legit program.
  8. Yes, as I wrote, disabling the exploit protection "fixes" the issue. But it's not really a fix, as it leaves my computer theoretically vulnerable. I run these tools and scripts many times a day, so I would have to permanently uncheck the "exploit protection on" in order to be able to do what I need to do. This is not a workable long-term solution. As someone who's used Malwarebytes for 10+ years or so, I have to say that Malwarebytes is EXTREMELY confusing. The whole process of white-listing an application or a script is a disaster, at least from my specific use-case.
     1) The GUI contradicts itself. Exploits are shown in the history tab but then in the Allow section the GUI says no prior exploits (?!)
     2) Explicitly allowing a program/script doesn't appear to change anything either. Malwarebytes still complains about the program which was explicitly added to the "allow" list (?!)
     3) The same script is allowed to run if I type the command manually in the command prompt, but it is not allowed to run if triggered by MS Excel (?!)
     Can you help me make some sense out of all this?
  9. As I wrote in my original post, "Previously Detected Exploit" doesn't show anything. See the attached screenshot.
  10. After I reset the settings, it now complains about Excel spawning batch commands. I was able to bypass this complaint in the past by changing some settings related to MS Office, but now that I reset them, it's complaining about it again.

      Malwarebytes
      www.malwarebytes.com

      -Log Details-
      Protection Event Date: 4/10/2024
      Protection Event Time: 12:46 AM
      Log File: 51fe2292-f6f5-11ee-9c4f-8cc84b0ed3a0.json

      -Software Information-
      Version: 5.1.2.109
      Components Version: 1.0.1207
      Update Package Version: 1.0.83259
      License: Premium

      -System Information-
      OS: Windows 11 (Build 22621.3447)
      CPU: x64
      File System: NTFS
      User: System

      -Exploit Details-
      File: 0
      (No malicious items detected)

      Exploit: 1
      Exploit.OfficeSpawningBatchCommands, C:\WINDOWS\SYSTEM32\cmd.exe \k python \syn-nas-2\storage\config-files\windows\scripts-and-tools\msmoney\qfxtomoney.py %homepath%\Desktop\, Blocked, 725, 392684, 0.0.0, ,

      -Exploit Data-
      Affected Application: Microsoft Office Excel
      Protection Layer: Application Behavior Protection
      Protection Technique: Exploit Office spawning batch command blocked
      File Name: C:\WINDOWS\SYSTEM32\cmd.exe \k python \syn-nas-2\storage\config-files\windows\scripts-and-tools\msmoney\qfxtomoney.py %homepath%\Desktop\
      URL:

      (end)
  11. The log doesn't have much more in it than what I described above:

      Malwarebytes
      www.malwarebytes.com

      -Log Details-
      Protection Event Date: 4/10/2024
      Protection Event Time: 12:34 AM
      Log File: 8e17016a-f6f3-11ee-a983-8cc84b0ed3a0.json

      -Software Information-
      Version: 5.1.2.109
      Components Version: 1.0.1207
      Update Package Version: 1.0.83257
      License: Premium

      -System Information-
      OS: Windows 11 (Build 22621.3447)
      CPU: x64
      File System: NTFS
      User: System

      -Exploit Details-
      File: 0
      (No malicious items detected)

      Exploit: 1
      Exploit.PayloadProcessBlock, C:\Users\userxyz\AppData\Local\Programs\Python\Python312\python.exe python \syn-nas-2\storage\config-files\windows\scripts-and-tools\msmoney\qfxtomoney.py \Users\userxyz\Desktop\, Blocked, 701, 392684, 0.0.0, ,

      -Exploit Data-
      Affected Application: cmd
      Protection Layer: Application Behavior Protection
      Protection Technique: Exploit payload process blocked
      File Name: C:\Users\userxyz\AppData\Local\Programs\Python\Python312\python.exe python \syn-nas-2\storage\config-files\windows\scripts-and-tools\msmoney\qfxtomoney.py \Users\userxyz\Desktop\
      URL:

      (end)
  12. I'm running Malwarebytes 5.1.2. This issue has been driving me nuts. I've written a Python script which gets launched from an Excel spreadsheet when a user clicks a button in the spreadsheet. The Excel VBA code launches a Windows command prompt that executes a Python script which I wrote myself and is 100% legit. The command invoked is this: "cmd /k python \\my-nas-path\path-to-script\script.py"

      But Malwarebytes blocks my desired workflow from executing. In the History I see "RTP Detection" and in the details it shows "Exploit payload process blocked" and the Layer says "Application Behavior Protection".

      I've tried adding to the "allow list" the folder where my Python script resides and the python.exe executable. This doesn't change anything; Malwarebytes still blocks my script from executing. Further to this, if I try to add an item to the "allow list" by selecting "previously detected exploit", the Malwarebytes GUI doesn't show any previously detected exploits. They appear in the history tab, but they don't appear in the "previously detected exploits" section when trying to add something to the "Allow List".

      To make matters even more confusing, if I actually type "cmd /k python \\my-nas-path\path-to-script\script.py" in the command prompt in Windows, my script is allowed to run. But if the identical command is executed via clicking on an Excel button, then Malwarebytes complains.

      One way I can get my script to run when launched via Excel is if I uncheck "Exploit protection" in Malwarebytes. But I don't want to disable all exploit protection. I just want to tell Malwarebytes that this particular script, when launched via an Excel button click, is OK to run. There is nothing unsafe about it; I wrote the script myself. So how can I "whitelist" this so that Malwarebytes doesn't complain about it?