Everything posted by ottchris
-
Indeed! The "Website blocked due to Trojan" notification for cs9.wac.phicdn.net listed ESET ekrn.exe as the 'File' which I assume means the application generating the GET for the domain in question. I thought I had ESET excluded from Malwarebytes checks but it appears not. I couldn't find any comparable entry in the ESET logs. At the time of the notification I had just accessed a file editor software change log at its site using Edge. The previously downloaded, by a minute or so, installation file checked out as clean by both ESET and Malwarebytes.
-
I use a little application called zmover which I have had installed for at least a decade. It checks basta.com for updates every seven days. It was blocked a few minutes ago.

Begin Quote.
Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 3/1/20
Protection Event Time: 7:05 PM
Log File: 9f7f879a-5bef-11ea-8652-00ff21366bd3.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.835
Update Package Version: 1.0.20076
License: Premium

-System Information-
OS: XXXXXXXXXXXXX
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
,XXXXXX\ BastaUpdaterAI.exe, Blocked, -1, -1, 0.0.0

-Website Data-
Category: Trojan
Domain: basta.com
IP Address: 70.32.29.35
Port: 80
Type: Outbound
File: XXXXXX
(end)
END Quote.

Virus Total Current Check: http://basta.com/ No engines detected this URL. Not urgent.
-
Much appreciated.
-
Many Thanks LiquidTension. Don't think reducing "Advanced Memory Protection" (see quoted workarounds in your reply and my first post) is a sensible idea. I need Copernic at the moment so I shall have to leave Chrome uninstalled until the permanent fix is implemented. So far, the only impact on Firefox appears minimal and avoidable, whereas just running a bare-boned freshly downloaded and installed copy of Chrome triggered the exploit detection. Chris
-
For the record: 1. I raised the above topic in "Malwarebytes for Windows Support Forum" because the topic I was quoting was from that forum, not this one. 2. It would have been polite to have left a pointer in "Malwarebytes for Windows Support Forum" to let me know it had been moved! Chris
-
To 'cut to the chase', in topic "[ RESOLVED ] How do I get rid of this Malware.Exploit.Agent.Generic, , Blocked, [0], [39", https://forums.malwarebytes.com/topic/253258-resolved-how-do-i-get-rid-of-this-malwareexploitagentgeneric-blocked-0-39/, the 'workaround' is as follows:

My question is, has the permanent solution been implemented yet? I'm on Malwarebytes Premium v 4.0.4.49, update package 1.0.17804, component package 1.0.785.

Background. I ran into this issue for the first time on the 22nd November 2019:

Unfortunately, although I did check Malwarebytes Forums at the time I did not spot the aforementioned topic. :-( I spent several days removing extensions etc. and ended up removing Chrome including all registry entries entirely and reinstalling from a freshly downloaded installation file but even then, within a minute or so of running Chrome, the 'exploit' was triggered again. I ditched Chrome completely at that point and instead used Firefox as primary browser with Opera as an alternate.

Move forward to today and the dreaded Malware.Exploit.Agent.Generic reappeared, this time associated with Firefox:

This time however, the trigger event was identifiable. Until last night I had been running Firefox beta versions without any problems, but the latest beta disabled most of my add-ins without any option to re-enable. Consequently I decided to reinstall the latest production version. For one add-in that involved installing it from file, i.e. initially 'saving link as'. It turned out that creating a new folder from within the Firefox 'save link as' process was triggering the 'exploit' detection. I created a new folder outside of Firefox and the link was saved and add-in installed without any problem.

Now, although I have had Copernic Desktop Search installed for many years I had not been using it for some time. I needed it again late last year and I now note in the firewall log, 'first network activity' was recorded on the 20th November at 5:31 pm, possibly caused by a new version update and probably a good indication of its first loading for many months. Then, the next day the first Malware.Exploit.Agent.Generic is triggered! At the moment, I know what caused the Firefox event and am not using Chrome so I have decided to hold back on changing the Advanced Memory Protection settings (both browser and Chrome columns). That being said, I would like to reinstall Chrome at some point which is the reason for my opening question.

Regards, Chris
-
ESET + Malwarebytes using up resources
ottchris replied to ottchris's topic in Malwarebytes for Windows Support Forum
Much appreciated. Will see if I can spot the trigger when the issue next occurs.
-
To muddy the water, for the last few days, I have seen some occasions of ESET (not AVAST) services running at 25% CPU seemingly forever, until I quit Malwarebytes that is. Restart MB and all back to normal again. Just got around to checking here so haven't tried disabling MB web protection or any other workaround apart from quitting/restarting MB. Only offering this as an observation for the moment, i.e. not expecting any assistance as haven't uploaded any logs etc.
-
Repetitive error reports in MBAMSERVICE.LOG
ottchris replied to ottchris's topic in Malwarebytes for Windows Support Forum
About every 15 minutes or so MBAMService.exe sends a couple of MB to an Amazon AWS address, e.g. ec2-54-69-202-72.us-west-2.compute.amazonaws.com:443. The address varies. I'll try to organise a cumulative log but I don't have an appropriate tool to hand; once upon a time you could access detailed user-friendly logs but everything is dumbed down these days! Assuming this is the same issue, prior to the issue that is the subject of this topic, I had been able to correlate the transmissions with MBAMService log entries reporting re-transmitting whitelisted 'ransomware'. Since the 'multiple error notifications' issue appeared I am unable to locate any record of the transmissions, at least in the MB plain text logs.
-
Repetitive error reports in MBAMSERVICE.LOG
ottchris replied to ottchris's topic in Malwarebytes for Windows Support Forum
Great! While I'm here, and this should really be under a separate topic, but the evidence should be in the same logs you already have. I've recently noticed periodic outgoing transmit activity associated with MBAMService.exe. The logs appear to suggest the Malwarebytes ransomware component, while detecting items that have been whitelisted (by Malwarebytes, not the user), still sends copies back to your servers. In my case, this means the same two whitelisted executables are being sent to your servers multiple times every day. It's an issue because I keep seeing significant transmit activity when there shouldn't be any.
-
Repetitive error reports in MBAMSERVICE.LOG
ottchris replied to ottchris's topic in Malwarebytes for Windows Support Forum
X drive is Boxcryptor. Not familiar with BitLocker apart from the name. I assume it's a product rather than an encryption standard. Boxcryptor Technical Overview https://www.boxcryptor.com/en/technical-overview/
-
Repetitive error reports in MBAMSERVICE.LOG
ottchris replied to ottchris's topic in Malwarebytes for Windows Support Forum
Logs sent via message.
-
Malwarebytes Version information
==================================
"controllers_version" : "1.0.421",
"db_version" : "2018.08.21.06",
"dbcls_pkg_version" : "1.0.6441",
"installer_version" : "3.5.1",

I was about to gather information in order to query what appear to be repetitive uploads of whitelisted false positive ransomware (the subject of a future topic) when I discovered the following error messages have been filling the log files. Here is a sample:

Begin Quote.
08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"
08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"
08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"
08/21/18 " 14:56:03.145" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
08/21/18 " 14:56:03.145" 7592989 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"
08/21/18 " 14:56:03.145" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
08/21/18 " 14:56:03.145" 7592989 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"
08/21/18 " 14:56:03.145" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
08/21/18 " 14:56:03.146" 7593005 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"
08/21/18 " 14:56:03.146" 7593005 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
08/21/18 " 14:56:03.146" 7593005 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"
08/21/18 " 14:56:03.146" 7593005 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
08/21/18 " 14:56:03.146" 7593005 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"
End Quote

I traced back to their first appearance:

Begin Quote.
08/19/18 " 01:17:59.499" 43935996 05d8 3f70 ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
08/19/18 " 01:17:59.499" 43935996 05d8 3f70 ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f3)"
08/19/18 " 01:17:59.499" 43935996 05d8 3f70 ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
08/19/18 " 01:17:59.500" 43935996 05d8 3f70 ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f3)"
End Quote.

The preceding entries appear to reflect a Malwarebytes update. Suggestions?
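Added example, not from this thread and not Malwarebytes code: a short Python script that reads MBAMSERVICE.LOG lines of the shape quoted in the post above and reduces an error storm like this one to the numbers worth putting in a support report: how many ERROR lines, which driver source locations they come from, which `\Device\...` objects the filter could not resolve and when each was first seen, and the peak errors per second. The embedded sample is a constructed excerpt of the lines quoted in the post; the field layout (date, quoted time, tick, pid, tid, level, component, function, source file, line, message) is an assumption read off those lines, not a documented Malwarebytes format.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed excerpt: lines copied from the post above (4 from 08/19, 6 from 08/21).
SAMPLE_LOG = r'''
08/19/18 " 01:17:59.499" 43935996 05d8 3f70 ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
08/19/18 " 01:17:59.499" 43935996 05d8 3f70 ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f3)"
08/19/18 " 01:17:59.499" 43935996 05d8 3f70 ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
08/19/18 " 01:17:59.500" 43935996 05d8 3f70 ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f3)"
08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"
08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
08/21/18 " 14:56:03.144" 7592989 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"
08/21/18 " 14:56:03.145" 7592989 121c 17cc ERROR MBAMProtection BuildWin32FileName "util.c" 133 "No FinalComponent in path"
08/21/18 " 14:56:03.145" 7592989 121c 17cc ERROR MBAMProtection WorkItemCallback "filter.c" 223 "Unknown volume (\Device\000000f2)"
'''

# Layout inferred from the quoted lines (assumption, not a documented format):
#   date "time" tick pid tid LEVEL component function "source" line "message"
LINE_RE = re.compile(
    r'^(?P<date>\d\d/\d\d/\d\d) " ?(?P<time>\d\d:\d\d:\d\d\.\d+)" (?P<tick>\d+) '
    r'(?P<pid>[0-9a-fA-F]+) (?P<tid>[0-9a-fA-F]+) (?P<level>[A-Z]+) (?P<component>\w+) '
    r'(?P<function>\w+) "(?P<src>[^"]+)" (?P<srcline>\d+) "(?P<message>[^"]*)"\s*$'
)
# The unnamed volume object inside "Unknown volume (\Device\000000f2)".
DEVICE_RE = re.compile(r'\\Device\\[0-9A-Fa-f]+')


def parse_line(line):
    """One log line -> dict of fields, or None if it is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%m/%d/%y %H:%M:%S.%f")
    rec["srcline"] = int(rec["srcline"])
    dev = DEVICE_RE.search(rec["message"])
    rec["device"] = dev.group(0) if dev else None
    return rec


def analyse(log_text):
    """Collapse an error storm into: total, count per driver source location, count and first
    sighting per unresolved device object, and the peak number of errors in one second."""
    errors = [r for r in map(parse_line, log_text.splitlines()) if r and r["level"] == "ERROR"]
    by_source = Counter((r["function"], r["src"], r["srcline"]) for r in errors)
    by_device = Counter(r["device"] for r in errors if r["device"])
    first_seen = {}
    for r in errors:                       # errors are in file order, so first hit wins
        if r["device"] and r["device"] not in first_seen:
            first_seen[r["device"]] = r["ts"]
    per_second = Counter(r["ts"].replace(microsecond=0) for r in errors)
    return {
        "total": len(errors),
        "by_source": by_source,
        "by_device": by_device,
        "first_seen": first_seen,
        "peak_per_second": max(per_second.values(), default=0),
    }


def main():
    s = analyse(SAMPLE_LOG)
    print(f"{s['total']} ERROR lines, peak {s['peak_per_second']}/s")
    for (func, src, line), n in s["by_source"].most_common():
        print(f"  {n:>6}  {func} ({src}:{line})")
    for dev, n in s["by_device"].most_common():
        print(f"  {n:>6}  {dev}  first seen {s['first_seen'][dev]:%Y-%m-%d %H:%M:%S}")


if __name__ == "__main__":
    main()
```

Run it against a real MBAMSERVICE.LOG by replacing `SAMPLE_LOG` with the file contents. The per-device counts are the useful part: the log's own wording ("Unknown volume") says the filter driver could not name the volume behind that device object, and the object number changed between the 08/19 and 08/21 bursts, so grouping by it shows whether one particular mount (the later reply in this thread identifies X: as Boxcryptor) accounts for the whole storm.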
-
Both now scanned negative. Slightly odd as all the version numbers (Components, Update Package etc) are unchanged between the latest scan and the original "Ransomware blocked" report (timestamped 1:07 am). Anyway, many thanks again for the super fast response. Best Regards, Chris PS. It occurs to me that the whitelisting may have been the outcome of the automatic 'post-detection' upload I observed. If that is the case it begs the question of how the whitelisting mechanism is updated?
-
Thanks for the very quick response. I made a judgement call (as one of the applications is borderline critical) to reboot a basic system, restore the items from quarantine and then temporarily close MB while I posted the report here. I will now run MB, make sure it is up to date, scan the files and report back. Best Regards, Chris
-
Two unrelated executables (and two associated registry entries) suddenly quarantined in the early hours of this morning. As far as I am aware neither has recently been modified and both are run every day. Here is the report:

-Log Details-
Protection Event Date: 7/21/18
Protection Event Time: 1:07 AM
Log File: 00bd97f0-8c7a-11e8-919e-00ff21366bd3.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.391
Update Package Version: 1.0.5993
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 2
Malware.Ransom.Agent.Generic, C:\PROGRAM FILES (X86)\WINSTEP\WORKSHELF.EXE, Quarantined, [0], [392685],0.0.0
Malware.Ransom.Agent.Generic, C:\Program Files (x86)\Creative\Sound Blaster E-Series\Sound Blaster E-Series Control Panel\SBE.exe, Quarantined, [0], [392685],0.0.0
End

Following quarantine, I observed upload activity which appeared to be from Malwarebytes so I suspect you already have the files in question but I have also included them in the attached zip file. MBReport20180721.zip
-
Log entry:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 6/3/18
Protection Event Time: 6:26 PM
Log File: 32b6cfa2-6753-11e8-9fd8-00ff21366bd3.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.365
Update Package Version: 1.0.5342
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: RiskWare
Domain: ipv4.icanhazip.com
IP Address: 69.162.69.148
Port: [50977]
Type: Outbound
File: *****\Shift.exe
(end)

This has been blocked/reviewed/removed before (October 23, 2017) https://forums.malwarebytes.com/topic/213216-false-positive-icanhazipcom/

Regards, Chris
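Added example, not part of this thread and not Malwarebytes code: a Python parser for the "Protection Event" exports quoted on this page (the basta.com web block, the two quarantined executables, and the icanhazip block above) that flattens each export into one row per detection, so that a repeat false positive like this one can be spotted across reports and the domain, IP and originating process pulled out for a VirusTotal or whitelist check. It assumes the section-header and `Key: value` layout as quoted, that 3.x exports bracket numeric fields and 4.x does not, and that an integer in a `-... Details-` section announces that many detection rows; the sample below is constructed from the quoted exports, cut to the sections the parser uses, with `C:\Redacted\...` standing in for the paths the poster masked.

```python
import re

# Constructed sample: the three exports quoted on this page, re-typed one field per line and
# cut to the sections this parser uses. C:\Redacted\... stands in for paths the poster masked.
SAMPLE_EXPORTS = r"""
Malwarebytes
-Log Details-
Protection Event Date: 6/3/18
-Software Information-
Version: 3.5.1.2522
-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0
-Website Data-
Category: RiskWare
Domain: ipv4.icanhazip.com
IP Address: 69.162.69.148
Port: [50977]
File: C:\Redacted\Shift.exe

Malwarebytes
-Log Details-
Protection Event Date: 7/21/18
-Software Information-
Version: 3.5.1.2522
-Ransomware Details-
File: 2
Malware.Ransom.Agent.Generic, C:\PROGRAM FILES (X86)\WINSTEP\WORKSHELF.EXE, Quarantined, [0], [392685],0.0.0
Malware.Ransom.Agent.Generic, C:\Program Files (x86)\Creative\Sound Blaster E-Series\Sound Blaster E-Series Control Panel\SBE.exe, Quarantined, [0], [392685],0.0.0

Malwarebytes
-Log Details-
Protection Event Date: 3/1/20
-Software Information-
Version: 4.1.0.56
-Blocked Website Details-
Malicious Website: 1
, C:\Redacted\BastaUpdaterAI.exe, Blocked, -1, -1, 0.0.0
-Website Data-
Category: Trojan
Domain: basta.com
IP Address: 70.32.29.35
Port: 80
File: C:\Redacted\BastaUpdaterAI.exe
"""

SECTION_RE = re.compile(r"^-(?P<name>[^-].*?)-$")                   # e.g. -Website Data-
KV_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?): ?(?P<val>.*)$")  # Key: value


def _clean(value):
    """3.x exports bracket numbers ('[50977]'), 4.x does not; return the bare value."""
    value = value.strip()
    return value[1:-1] if len(value) > 1 and value[0] == "[" and value[-1] == "]" else value


def _parse_detection(line):
    """'threat, path, action, [x], [y],ver' -> dict. Split from the right so a path with commas survives."""
    parts = line.rsplit(",", 4)
    if len(parts) != 5:
        return {"threat": "", "path": line.strip(), "action": ""}
    threat, _, path = parts[0].partition(",")
    return {"threat": threat.strip(), "path": path.strip(), "action": parts[1].strip()}


def parse_protection_events(text):
    """Split an export file into one dict per event: 'Key' -> value, plus 'detections'."""
    events, current, section, pending = [], None, None, 0
    for line in (l.strip() for l in text.splitlines()):
        if line == "Malwarebytes":                      # banner line starts a new export
            current = {"detections": [], "detection_section": None}
            events.append(current)
            section, pending = None, 0
        elif current is None or not line or line == "www.malwarebytes.com":
            continue
        elif pending:                                   # rows announced by a count line
            current["detections"].append(_parse_detection(line))
            pending -= 1
        elif (m := SECTION_RE.match(line)):
            section, pending = m.group("name"), 0
        elif (m := KV_RE.match(line)):
            key, val = m.group("key"), _clean(m.group("val"))
            # Assumption: an integer in any '-... Details-' section other than Log Details is
            # the number of detection rows that follow ('Malicious Website: 1', 'File: 2').
            if section and section.endswith(" Details") and section != "Log Details" and val.isdigit():
                pending, current["detection_section"] = int(val), section
            else:
                current[key] = val
    return events


def triage(events):
    """One row per detection: what fired, on which file, and (for web blocks) where it was going."""
    rows = []
    for e in events:
        port = e.get("Port", "")
        for det in e["detections"] or [{"threat": "", "path": "", "action": ""}]:
            rows.append({"when": e.get("Protection Event Date"), "kind": e["detection_section"],
                         "threat": det["threat"], "action": det["action"],
                         "path": det["path"] or e.get("File", ""),  # 3.x web rows leave the path empty
                         "domain": e.get("Domain"), "ip": e.get("IP Address"),
                         "port": int(port) if port.lstrip("-").isdigit() else None})
    return rows


if __name__ == "__main__":
    for r in triage(parse_protection_events(SAMPLE_EXPORTS)):
        print(f"{r['when']:<8} {r['kind']:<24} {r['action']:<11} {r['domain'] or '-':<20} {r['path']}")
```

Feed it the exports you keep from the Malwarebytes "Copy to clipboard" button concatenated into one file; because every export starts with the same banner line, no separator between them is needed. The rows give you the (domain, process) and (threat, path) pairs to compare against earlier reports and against the VirusTotal results before filing a false-positive report.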
-
RAM usage - what is going on?
ottchris replied to Malwarebytes's topic in Malwarebytes for Windows Support Forum
I admit I didn't consider the option of disabling the service and decided to uninstall until the problem is fixed. Security-related applications are by their nature designed not to make it easy to close them down anyway. Having spent the last few days trying to pin down an SSD TRIM issue, I could have done without Malwarebytes suddenly deciding to eat up all my VM. Having said that I'm a little surprised at the reactions in this thread. If and when we know what triggered the issue, we can then decide whether it was reasonably avoidable or not.
-
RAM usage - what is going on?
ottchris replied to Malwarebytes's topic in Malwarebytes for Windows Support Forum
Indeed. I had tried killing it but not unexpectedly it came back to life and started committing virtual memory again. Just before that Windows (7) had stepped in and closed a few processes in order to keep running but nearly all of VM remained committed. As I run Malwarebytes as secondary protection after ESET Internet Security I have just uninstalled Malwarebytes as a temporary solution in order to keep working.
-
Not sure what process it killed but following an overnight 'power reset' (should really have been a simple Windows restart but I forgot the pending update install) Boxcryptor update completed successfully. I understand the 'not quarantined' aspect and it's possible the pop-up may have stated that (it didn't stay up for long) but the event should have been logged. A complete event audit trail should be a minimum requirement of any security application.
-
Reason for the question mark is I can find no trace of the event. An hour or so ago I got a prompt for a new version of Boxcryptor. All the subsequent prompts appeared to be normal for a Boxcryptor software update and I chose the 'restart later' option as I had already done a Windows restart for an Acronis True Image software update. Maybe a minute or so after the Boxcryptor update completed (short of restarting Windows) a Malwarebytes pop-up appeared. I'm 99 per cent sure it was Malwarebytes and it included the text "Boxcryptor" and "Ransomware" and I think "quarantine". Problem is there is no record in the log of the event and quarantine is empty. I won't know the state of Boxcryptor until I restart Windows later today. I also run ESET Smart Security and although I'm pretty sure the pop-up was from MB I have checked ESET logs just in case and as expected found no record of the event. So this is a tentative report to see if anyone else has experienced the same event.
-
Well, I have been experiencing problems such as various real-time protection components turning themselves off for no obvious reason or not starting up in the first place. I now discover that despite Malwarebytes reporting it's all up to date I was also still on components package 1.0.75. I have now remedied that (simple uninstall and reinstall of the latest package, no 'mb-clean' tool, but Revo Uninstaller Pro found no remnants left lying around) but it's a situation that should never have been allowed to happen. It would not seem to be a big ask to have the software check its component levels against a central database at start-up and at least warn the customer that something is out of date if automatic updating is not possible for some reason. The "throttled upgrades" explanation is just not acceptable as it means customers can be running with flawed protection for some time without even knowing it. As a last resort you ought to warn customers by some other means (you have my email address as you periodically send me security related information).
-
I'll bear that in mind as there is the question of why the component package did not update of its own accord. However, I've lost enough time already today, so I took the chance that just running the install would be sufficient in this instance.
-
Thanks. Downloaded and ran latest install *without* prior uninstall and/or running Malwarebytes mb-clean tool. Component package version updated to 1.0.75 successfully. Thanks again for the suggestion.
-
Just an observation: according to 'Settings | About' I'm still on 'Component package version' 1.0.50 and the update to 'Update package version' 1.0.1404 solved the issue for me.