[SOLVED] WebX false positive


Weyoun
Hi all,

 

I believe MBAE had a false positive when I was at the Cisco WebX website for an online meeting. I got the "exploit blocked" message and in the log, it shows up twice:

"2013-10-14 12:41:57 atcliun.exe blocked from executing through Firefox."

The funny thing is though, even though it says it was blocked, the file did successfully execute. I know it is a non-malicious file, but had it been a real exploit, might it have gotten around MBAE?


  • Staff

It could be that WebX tries to launch the file in different ways, and the more normal way was allowed to execute as it was not using typical exploit techniques.

 

Which version of MBAE are you using?

 

When you click on the blocked event in the UI under LOGS, do you get the option of adding the file to the exclusions?


Hi Pedro,

 

I am using Version 0.09.3.1000

 

Yes, I do (did) have the option to exclude the file, but for some reason the logs cleared themselves, so now I do not even see the event in the log.

 

What if an actual malicious site used the same 'more normal' way to attempt a file? I realize that's probably a bit of a dumb question :P


  • Staff

We are about to release version 0.09.4.1000 in the next few hours/days. Once it is released, download and install it and try again. If you still get a false positive, come back and post the steps to replicate it.

 

The disappearing log after reboot is a known issue which we will fix in the next beta after 09.4.

 

Regarding the normal way for downloading files, if a malicious site uses that then it won't be an exploit; it will be a normal download where it will prompt you if you want to save the file to your computer.


Hi all,

I apologize for not responding earlier; I was not able to get on my computer until today.

 

I already saw the release of the new version, but I don't know when I will have another WebX meeting, so I don't know when I can tell if the issue has been fixed.

This topic is now closed to further replies.