Malwarebytes blocking npm script run on windows console (cmd.exe)

[aroberge]

I'm trying to run some simple npm run scripts  (https://www.npmjs.com/).  How do I exclude such events?

Here's the output

Malwarebytes
www.malwarebytes.com

-Détails du journal-
Date de l'événement de protection: 10/12/2016
Heure de l'événement de protection: 12:22
Fichier journal: 
Administrateur: Oui

-Informations du logiciel-
Version: 3.0.4.1269
Version de composants: 1.0.39
Version de pack de mise à jour: 1.0.680
Licence: Premium

-Informations système-
Système d'exploitation: Windows 10
Processeur: x64
Système de fichiers: NTFS
Utilisateur: System

-Détails de l'exploit-
Fichier: 0
(Aucun élément malveillant détecté)

Exploit: 1
Malware.Exploit.Agent.Generic, , Bloqué, [0], [-1],0.0.0

-Données de l'exploit-
Application concernée: cmd
Couche de protection: Application Behavior Protection
Technique de protection: Exploit payload process blocked
Nom du fichier: C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe \S \D \c tape tests\unit_tests\**\*.js
URL: 

(end)

 

[Rsullinger]

Hello Aroberge,

 

To do this, open up the ui and then go to settings -> Exclusions-> Add Exclusion-> Exclude a previously detected Exploit-> Select the program you want to exclude and hit OK.

Can you try that on that detection and see if it will allow you to exclude it?

[aroberge]

After "Exclude a previously detected Exploit", I am presented wth a menu which asks me to select and identified exploit with two fields in which I cannot enter anything (one for an exploit hash and the other for an application). However, there is a "Select" button.  If I click on it, there are exploit shown that I can select.

 

I did try to add an exclusion for cmd.exe (which seems rather broad ... but just to see what would happen) and nothing change.

 

Note that I can run the exact same script  many times in a row and that sometiems it runs correctly, and sometimes it is prevented to run by Malwarebytes.

[Rsullinger]

Hey Aroberge,

 

It should only exclude the script that CMD was calling at that time. However, if it still gets prevented, I want to see the logs for that. Can you reproduce the issue again and when you do, collect these logs for me:

 

C:\ProgramData\Malwarebytes\MBAMService\mbae-default.log

C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log

The directory is hidden by default so you might have to click on "View -> Hidden items" in Explorer to see it.   There is also a post here from Microsoft on how to do this for the more recent OS: https://support.microsoft.com/en-us/help/14201/windows-show-hidden-files
 

[aroberge]

Rsullinger,

Please find the files attached.

mbae-default.log

MBAMSERVICE.LOG

exploit.txt

[pbust]

The mbae-default.log has cycled and doesn't include the alert information. Can you please reproduce the problem again and post a fresh new mbae-default.log?

 

 

[aroberge]

For the past 3 week or so, the problem has gone away.  I had assumed it was an updated malware definition that took care of it ... Sorry, but I cannot reproduce it.