Everything posted by tsmith

  1. The same file that was previously listed as Trojan.MZCrypt.MSIL.Generic is now listed as Trojan.MalPack. The file is the same as it was before: C:\Windows\Installer\8B7E556.MSI

     Attachment: Trojan.MalPack.txt
  2. File is C:\Windows\Installer\8B7E556.MSI

     Submitted to VT and there was one detection, by "VBA32", listing it as "BScope.Backdoor.MSIL.Crysan".
     SHA-256 is 014741cef0207b5f3de667a5e3dd3dca5c819d0465d1afc45f22f34bd8e0be97
     Filename is listed as "PinPoint-7.0-setup.msi.exe"

     Crowdsourced YARA rules said, "Matches rule Windows_API_Function by InQuest Labs from ruleset Windows_API_Function at https://github.com/InQuest/yara-rules-vt. This signature detects the presence of a number of Windows API functionality often seen within embedded executables. When this signature alerts on an executable, it is not an indication of malicious behavior. However, if seen firing in other file types, deeper investigation may be warranted."

     Attachment: Trojan.MZCrypt.MSIL.Generic.txt
  3. Dave, trimmed log file attached. Thanks.

     Attachment: MWB.txt
  4. Got a scan result on several files: two are 7z and one is RAR. The archives were flagged, not the contents. Detection name is "Malware.AI.4042065387", with type "Malware" and object type "File". One of the archives is attached.

     Attachment: GDPMUMonitor_V1.4.1.11649.7z
  5. So I'm answering my own question. I was kind of hoping someone at Malwarebytes would chime in, but oh well. I turned off "Malicious return address detection" for "MS Office" in "Advanced memory protection" and now I'm able to leave MBAM Exploit Protection on without my Office 365 applications crashing. Hope it helps anyone in the same situation. Tom
  6. I disabled Exploit Detection and can now run Office 365 applications normally, but I can't help but wonder what the correct solution to this would be. I see a number of options in Advanced Exploit Protection settings, but I'm not sure which ones to turn off in what categories. I see these categories:

     • Application hardening
     • Advanced memory protection
     • Application behavior protection
     • Java protection
     • Penetration Testing

     Columns within Application hardening, Advanced memory protection and Application behavior protection are: Non-Chromium browsers, Chromium browsers, PDF readers, MS Office, Media players, Other.

     Rows within Application hardening are:
     • DEP enforcement
     • Anti-heap spraying environment
     • Dynamic anti-heap spraying enforcement
     • BottomUp ASLR enforcement
     • Disable loading of VBScript libraries
     • Anti-Exploit fingerprint attempt detection

     Rows within Advanced memory protection are:
     • Malicious return address detection
     • DEP bypass protection
     • Memory patch hijack protection
     • Stack pivoting protection
     • CALL ROP gadget detection (32 bit)
     • RET ROP gadget detection (32 bit)
     • CALL ROP gadget detection (64 bit)
     • RET ROP gadget detection (64 bit)

     Rows within Application behavior protection are:
     • Malicious LoadLibrary prevention
     • Internet Explorer VBScripting protection
     • MessageBox payload protection
     • Office WMI abuse prevention
     • Office VBA7 abuse prevention
     • Office VBE7 abuse prevention
     • Office scripting abuse prevention
     • Office loading points abuse prevention
     • Office spawning batch command prevention
     • Excel macro 4.0 abuse prevention
     • Email client scripting abuse prevention

     There's also the Java protection category with these items:
     • Prevent web-based Java command line operations
     • Prevent malicious inbound shell attacks
     • Use Metasploit/Meterpreter generic protection
     • Use Metasploit/Meterpreter command execution protection
     • Allow insecure Java operation in internal IP Ranges

     Penetration testing only has one item:
     • Block penetration testing attacks

     I'm attaching the current settings from the five categories. Thanks.
  7. I recently updated Office 2019 to Office 365. My add-ins work fine except for Classic Menu. Every time I try to use any part of the menu, the Office application freezes and Malwarebytes pops up "Exploit blocked" and says it blocked this:

     Affected Application: Microsoft Office {insert program name such as Excel, Word, etc}
     Protection Layer: Malicious Memory Protection
     Protection Technique: Exploit code executing from Heap memory blocked

     The notification history for MWB says, "Exploit blocked" "Exploit attempt detected and blocked. It is no longer a threat. Open quarantine to learn more." When I go to quarantine, nothing is there. ??? I added the entire Office directory to the exclude list. I added the Classic Menu directory to the exclude list. The issue remains. What's the next step?

     Details from the last detection:

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 11/7/21
     Protection Event Time: 9:30 PM
     Log File: 4345696e-4044-11ec-b8fd-9c5c8ebc0d92.json

     -Software Information-
     Version: 4.4.10.144
     Components Version: 1.0.1499
     Update Package Version: 1.0.46948
     License: Premium

     -System Information-
     OS: Windows 10 (Build 19043.1320)
     CPU: x64
     File System: NTFS
     User: System

     -Exploit Details-
     File: 0
     (No malicious items detected)

     Exploit: 1
     Malware.Exploit.Agent.Generic, , Blocked, 0, 392684, 0.0.0, ,

     -Exploit Data-
     Affected Application: Microsoft Office Excel
     Protection Layer: Malicious Memory Protection
     Protection Technique: Exploit code executing from Heap memory blocked
     File Name:
     URL:

     (end)
  8. Got a false positive this evening. Checked the file on VT and it shows clean.

     Attachment: File and log.zip
  9. MB 4.30 claims it is Malware.AI.3468067484. Only 1 detection on VT (SecureAge APEX), from 5 years ago. Nothing else claims the file as risky.

     Attachment: nsis-2.50-setup.rar
  10. Listed by MBAM as Malware.AI.1029223214. Tested on Jotti and VirusTotal with zero detections.

     -Software Information-
     Version: 4.1.2.73
     Components Version: 1.0.972
     Update Package Version: 1.0.26239
     License: Premium

     -System Information-
     OS: Windows 10 (Build 18362.900)
     CPU: x64
     File System: NTFS
     User: System

     -Scan Summary-
     Scan Type: Threat Scan
     Scan Initiated By: Scheduler
     Result: Completed

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     File: 1
     Malware.AI.1029223214, C:\WINDOWS\INSTALLER\78E8.MSI, No Action By User, 1000000, 0, 1.0.26239, AE3058576C8438F43D58B32E, dds, 00788257

     Attachment: 78e8.rar
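Posts 2 and 10 above both concern an .MSI sitting in the Windows Installer cache (C:\Windows\Installer) that a scanner flagged. Those cached packages have meaningless hex names, so the first thing a false-positive report needs is evidence of which installed product the file belongs to, together with its SHA-256 and signature status. The script below is an added example written for this page, not code posted by tsmith or shipped by Malwarebytes. It assumes the per-machine Windows Installer registry layout (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\<SID>\Products\<squished GUID>\InstallProperties, whose LocalPackage value points at the cached .MSI); the sample path and the expected hash are the ones quoted in post 2.

```powershell
# Added example (not from the forum posts): given a cached MSI from C:\Windows\Installer,
# record the SHA-256 the scanner's VT lookup needs, check the Authenticode signature, and
# find the installed product that owns the cached package via the Installer registry data.
# Assumption: per-machine installs register under
#   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\<SID>\Products\<id>\InstallProperties
# with a LocalPackage value holding the cache path. Run from an elevated PowerShell prompt.
param(
    # Path quoted in post 2; substitute the path your scanner reported.
    [string]$CachedMsi = 'C:\Windows\Installer\8B7E556.MSI',

    # Optional: the SHA-256 from the scanner or VT report, to confirm you are looking at the same bytes.
    [string]$ExpectedSha256 = '014741cef0207b5f3de667a5e3dd3dca5c819d0465d1afc45f22f34bd8e0be97'
)

$CachedMsi = (Resolve-Path -LiteralPath $CachedMsi).Path

# 1. Hash the exact file that was flagged, so the VT lookup refers to these bytes and not a
#    differently named copy of the installer downloaded from the vendor.
$sha256 = (Get-FileHash -LiteralPath $CachedMsi -Algorithm SHA256).Hash

# 2. Authenticode status. A valid signature from the vendor is strong evidence for a false
#    positive; NotSigned or HashMismatch means the report has to rest on other evidence.
$sig = Get-AuthenticodeSignature -LiteralPath $CachedMsi

# 3. Walk every SID under UserData and match the LocalPackage value against the cached path.
$root  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'
$owner = Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ChildItem -Path "$($_.PSPath)\Products" -ErrorAction SilentlyContinue } |
    ForEach-Object { Get-ItemProperty -Path "$($_.PSPath)\InstallProperties" -ErrorAction SilentlyContinue } |
    Where-Object { $_.LocalPackage -and ($_.LocalPackage -ieq $CachedMsi) } |
    Select-Object -First 1

# 4. Emit one object that can be pasted into a false-positive report.
[pscustomobject]@{
    CachedMsi        = $CachedMsi
    SHA256           = $sha256
    MatchesReported  = if ($ExpectedSha256) { $sha256 -ieq $ExpectedSha256 } else { $null }
    SignatureStatus  = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
    Signer           = $sig.SignerCertificate.Subject
    Product          = $owner.DisplayName
    Version          = $owner.DisplayVersion
    Publisher        = $owner.Publisher
    InstallSource    = $owner.InstallSource              # where the original installer was run from
    OwnerFound       = [bool]$owner
}
```

If OwnerFound is $false the package is not registered to any per-machine product; check the per-user hives under HKCU\SOFTWARE\Microsoft\Installer before treating an orphaned file in the cache as suspicious, since uninstalls that fail part way through can leave a cached .MSI behind.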
  11. I updated MBAM Pro from v1.75 to v2.01 today and was taken aback by the banner ads. Is there any way to turn them off? I like Malwarebytes, but the constantly-changing ads are something I really don't like. The new appearance will take some getting used to. It reminds me of the GUI styles used by trojan anti-malware, ironically, but I can live with it. Just get rid of the banners...
  12. The site is http://www.getforecastfox.com/ It's a legitimate site that is the home for Forecastfox. Not sure how it got on the "bad" list.
  13. I do fix computers, but they're not customers: they're my friends, family and co-workers. I fix them for free. I just like helping people get their computers working right.
  14. Thanks for the reply. As I said, I was just curious, but it would be nice to see something else take the #2 spot for memory usage. If I had a suggestion, it would be about something completely different: I like to carry MBAM around on a thumb drive for fixing up infected computers. The problem is, there's no easy way to keep the latest detection database on the drive. Even with the latest version of MBAM, the database is usually quite out of date. I've been getting around that problem by copying it from a working (and updated) computer, but it would be nice to simply download the latest version (or a reasonably late version). Quite often, I must use MBAM on a computer without web access (either due to malware or because someone brought their PC to work for me to look at -- can't connect to the company network, of course). After getting a computer cleaned up, I always recommend that the owner get the pro version of MBAM to help keep the PC clean, so having a recent version of the database would make my life easier and would provide a more impressive demonstration of MBAM's abilities. Just a suggestion.
  15. I've been a happy MBAM user for years, recommending it to many and purchasing multiple licenses for the family. I am quite happy with the performance of the software, but I have one question: why such high memory usage? On my current machine, running Windows 7 x64, mbamservice.exe is using 102 MB of memory. This isn't an issue on my current machine, since I have 8 GB of available memory. But mbamservice is the second-highest user of memory on the PC. Only svchost uses more (about twice as much). In comparison, Explorer uses 54 MB, SearchIndexer only uses 51 MB, my antivirus uses 13 MB, and Acronis TrueImageMonitor uses 10 MB. Again, no issues here, but just curious about it.
  16. Scanned by Jotti and apparently clean. Log and files attached.

     Attachments: FP_Log.txt, FP.zip