ottchris

Much appreciated.

Many Thanks LiquidTension. Don't think reducing "Advanced Memory Protection" (see quoted workarounds in your reply and my first post) is a sensible idea. I need Copernic at the moment so I shall have to leave Chrome uninstalled until the permanent fix is implemented. So far, the only impact on Firefox appears minimal and avoidable, whereas just running a bare-boned freshly downloaded and installed copy of Chrome triggered the exploit detection. Chris

For the record: 1. I raised the above topic in "Malwarebytes for Windows Support Forum" because the topic I was quoting was from that forum, not this one. 2. It would have been polite to have left a pointer in " Malwarebytes for Windows Support Forum" to let me know it had been moved! Chris

To 'cut to the chase', in topic "[ RESOLVED ] How do I get rid of this Malware.Exploit.Agent.Generic, , Blocked, [0], [39", https://forums.malwarebytes.com/topic/253258-resolved-how-do-i-get-rid-of-this-malwareexploitagentgeneric-blocked-0-39/, the 'workaround is as follows: My question is, has the permanent solution been implemented yet? I'm on Malwarebytes Premium v 4.0.4.49, update package 1.0.17804, component package 1.0.785. Background. I ran into this issue the for the first time on the 22nd November 2019: Unfortunately, although I did check Malwarebytes Forums at the time I did not spot the aforementioned topic. :-( I spent several days removing extensions etc and ended up removing chrome including all registry entries entirely and reinstalling from freshly downloaded installation file but even then, within a minute or so of running chrome, the 'exploit' was triggered again. I ditched chrome completely at that point and instead used Firefox as primary browser with Opera as an alternate. Move forward to today and the dreaded Malware.Exploit.Agent.Generic reappeared, this time associated with Firefox: This time however, the trigger event was identifiable. Until last night I had been running Firefox beta versions without any problems, but the latest beta disabled most of my add-ins without any option to re-enable. Consequently I decided to reinstall the latest production version. For one add-in that involved installing it from file, i.e. initially 'saving link as'. It turned out that creating a new folder from within the Firefox 'save link as' process was triggering the 'exploit' detection. I created the a new folder outside of Firefox and the link was saved and add-in installed without any problem. Now, although I have had Copernic Desktop search installed for many years I had not been using it for some time. I needed it again late last year and I now note in the firewall log , 'first network activity' was recorded on the 20th November at 5:31 pm, possibly caused by a new version update and probably a good indication of its first loading for many months. Then, the next day the first Malware.Exploit.Agent.Generic is triggered! At the moment, I know what caused the Firefox event and am not using chrome so I have decided to hold back on changing the Advanced Memory Protection settings (both browser and Chrome columns). That being said, I would like to reinstall Chrome at some point which is the reason for my opening question. Regards, Chris

Much appreciated. Will see if I can spot the trigger when the issue next occurs.

To muddy the water, for the last few days, I have seen some occasions of ESET (not AVAST) services running at 25% CPU seemingly forever, until I quit Malwarebytes that is. Restart MB and all back to normal again. Just got around to checking here so haven't tried disabling MB web protection or any other workaround apart from quitting/restarting MB. Only offering this as an observation for the moment, i.e. not expecting any assistance as haven't uploaded any logs etc.

About every 15 minutes or so MBAMService.exe sends a couple of MB to an Amazon AWS address e.g ec2-54-69-202-72.us-west-2.compute.amazonaws.com:443. The address varies. I'll try to organise a cumulative log but I don't have an appropriate tool to hand; once upon a time you could access detailed user-friendly logs but everything is dumbed down these days! Assuming this is the same issue, prior to the issue that is the subject of this topic, I had been able to correlate the transmissions with MBAMService log entries reporting re-transmitting whitelisted 'ransomware'. Since the 'multiple error notifications' issue appeared I am unable to locate any record of the transmissions, at least in the MB plain text logs.

Great! While I'm here and this should really be under a separate topic but the evidence should be in the same logs you already have. I've recently noticed periodic outgoing transmit activity associated with MBAMservice.exe. The logs appear to suggest Malwarebytes ransomware component while detecting items that have been whitelisted (by Malwarebytes, not the user) still sends copies back to your servers. In my case, this means the same two whitelisted executables are being sent to your servers multiple times every day. It's an issue because I keep seeing significant transmit activity when there shouldn't be any.

X drive is Boxcryptor (. Not familiar with bitlocker apart from the name. I assume it's a product rather than an encryption standard. Boxcryptor Technical Overview https://www.boxcryptor.com/en/technical-overview/

Logs sent via message.

Malwarebytes Version information ================================== "controllers_version" : "1.0.421", "db_version" : "2018.08.21.06", "dbcls_pkg_version" : "1.0.6441", "installer_version" : "3.5.1", I was about to gather information in order to query what appear to be repetitive uploads of whitelisted false positive ransomware (the subject of a future topic) when I discovered the following error messages have been filling the log files. Here is a sample: Begin Quote. 08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path" 08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)" 08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path" 08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)" 08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path" 08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)" 08/21/18 " 14:56:03.145" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path" 08/21/18 " 14:56:03.145" 7592989 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)" 08/21/18 " 14:56:03.145" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path" 08/21/18 " 14:56:03.145" 7592989 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)" 08/21/18 " 14:56:03.145" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path" 08/21/18 " 14:56:03.146" 7593005 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)" 08/21/18 " 14:56:03.146" 7593005 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path" 08/21/18 " 14:56:03.146" 7593005 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)" 08/21/18 " 14:56:03.146" 7593005 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path" 08/21/18 " 14:56:03.146" 7593005 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)" End Quote I traced back to their first appearence: Begin Quote. 08/19/18 " 01:17:59.499" 43935996 05d8 3f70 ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path" 08/19/18 " 01:17:59.499" 43935996 05d8 3f70 ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f3)" 08/19/18 " 01:17:59.499" 43935996 05d8 3f70 ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path" 08/19/18 " 01:17:59.500" 43935996 05d8 3f70 ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f3)" End Quote. The preceding entries appear to reflect a Malwarebytes update. Suggestions?

Both now scanned negative. Slightly odd as all the version numbers (Components, Update Package etc) are unchanged between the latest scan and the original "Ransomware blocked" report (timestamped 1:07 am). Anyway, many thanks again for the super fast response. Best Regards, Chris PS. It occurs to me that the whitelisting may have been the outcome of the automatic 'post-detection' upload I observed. If that is the case it begs the question of how the whitelisting mechanism is updated?

Thanks for the very quick response. I made a judgement call (as one of the applications is borderline critical) to reboot a basic system, restore the items from quarantine and then temporarily close MB while I posted the report here. I will now run MB, make sure it is up to date, scan the files and report back. Best Regards, Chris

Two unrelated executables (and two associated registry entries) suddenly quarantined in the early hours of this morning. As far as I am aware neither has recently been modified and bth are run every day. Here is the report: -Log Details- Protection Event Date: 7/21/18 Protection Event Time: 1:07 AM Log File: 00bd97f0-8c7a-11e8-919e-00ff21366bd3.json Administrator: Yes -Software Information- Version: 3.5.1.2522 Components Version: 1.0.391 Update Package Version: 1.0.5993 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: System -Ransomware Details- File: 2 Malware.Ransom.Agent.Generic, C:\PROGRAM FILES (X86)\WINSTEP\WORKSHELF.EXE, Quarantined, [0], [392685],0.0.0 Malware.Ransom.Agent.Generic, C:\Program Files (x86)\Creative\Sound Blaster E-Series\Sound Blaster E-Series Control Panel\SBE.exe, Quarantined, [0], [392685],0.0.0 End Following quarantine, I observed upload activity which appeared to be from Malwarebytes so I suspect you already have the files in question but I have also included them in the attached zip file. MBReport20180721.zip

Log entry: Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 6/3/18 Protection Event Time: 6:26 PM Log File: 32b6cfa2-6753-11e8-9fd8-00ff21366bd3.json Administrator: Yes -Software Information- Version: 3.5.1.2522 Components Version: 1.0.365 Update Package Version: 1.0.5342 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: System -Blocked Website Details- Malicious Website: 1 , , Blocked, [-1], [-1],0.0.0 -Website Data- Category: RiskWare Domain: ipv4.icanhazip.com IP Address: 69.162.69.148 Port: [50977] Type: Outbound File: *****\Shift.exe (end) This has been blocked/reviewed/removed before (October 23, 2017) https://forums.malwarebytes.com/topic/213216-false-positive-icanhazipcom/ Regards, Chris