Exploit Process Blocked wscript

[marka2k]

Have one user that I receive around ten reports a day with the following:

Alert Time: 8/17/2016 6:29:50 AM

Server Hostname: XXXXXXXXX

Server Domain/Workgroup: my.company.com Server IP: 172.XXX.XXX.XXX Notification Catalog: Client

Description:

Exploit threat detected, see details below:

 

8/17/2016 6:28:45 AM  IT-12-03                172.XXX.XXX.XXX     Exploit payload process blocked BLOCK                C:\Windows\system32\wscript

 

I have regular scans scheduled and running but nothing else shows up. Did a search in the forum and did not find anything. Looking for ideas please and thank you

 

 

[Rsullinger]

Hello Marka2k!

 

A program opening up wscript is a common way that exploit based attacks are done which is why we are blocking that type of attack. So if you are not sure where it is coming from then it may be a real exploit. However, I want to have you collect me the logs so I can see what is triggering this:

 

https://forums.malwarebytes.org/topic/144403-readme-first-posts-here-need-to-include-mbae-logs/

Thank you,

 

[marka2k]

Rsullinger

I will find the logs and post however I want to point out that I may have posted in the wrong section we are using the Business Suite, if I need to post in a different area please let me know.

Thank you

[marka2k]

Rsullinger

 

Attached is the info requested

Thank you again for the assistance.

Malwarebytes Anti-Exploit.zip

[pbust]

You are running the old 1.07 version. From the Management Console, go to Policies, Anti-Exploit, and enable auto-upgrade of clients.

 

 

[marka2k]

1 hour ago, pbust said:

You are correct, I should have caught that - Thank you

 

 

You are running the old 1.07 version. From the Management Console, go to Policies, Anti-Exploit, and enable auto-upgrade of clients.