aroberge

Malwarebytes blocking npm script run on windows console (cmd.exe)


I'm trying to run some simple npm run scripts (https://www.npmjs.com/). How do I exclude such events?

Here's the output

Malwarebytes
www.malwarebytes.com

-Détails du journal-
Date de l'événement de protection: 10/12/2016
Heure de l'événement de protection: 12:22
Fichier journal: 
Administrateur: Oui

-Informations du logiciel-
Version: 3.0.4.1269
Version de composants: 1.0.39
Version de pack de mise à jour: 1.0.680
Licence: Premium

-Informations système-
Système d'exploitation: Windows 10
Processeur: x64
Système de fichiers: NTFS
Utilisateur: System

-Détails de l'exploit-
Fichier: 0
(Aucun élément malveillant détecté)

Exploit: 1
Malware.Exploit.Agent.Generic, , Bloqué, [0], [-1],0.0.0

-Données de l'exploit-
Application concernée: cmd
Couche de protection: Application Behavior Protection
Technique de protection: Exploit payload process blocked
Nom du fichier: C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe \S \D \c tape tests\unit_tests\**\*.js
URL: 

(end)

 


Hello Aroberge,

 

To do this, open up the UI and then go to Settings -> Exclusions -> Add Exclusion -> Exclude a previously detected Exploit -> Select the program you want to exclude and hit OK.


Can you try that on that detection and see if it will allow you to exclude it?


After "Exclude a previously detected Exploit", I am presented with a menu which asks me to select an identified exploit, with two fields in which I cannot enter anything (one for an exploit hash and the other for an application). However, there is a "Select" button. If I click on it, there are exploits shown that I can select.

 

I did try to add an exclusion for cmd.exe (which seems rather broad ... but just to see what would happen) and nothing changed.

 

Note that I can run the exact same script many times in a row and that sometimes it runs correctly, and sometimes it is prevented from running by Malwarebytes.


Hey Aroberge,

 

It should only exclude the script that CMD was calling at that time. However, if it still gets prevented, I want to see the logs for that. Can you reproduce the issue again and when you do, collect these logs for me:

 

C:\ProgramData\Malwarebytes\MBAMService\mbae-default.log

C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log

The directory is hidden by default, so you might have to click on "View -> Hidden items" in Explorer to see it. There is also a post here from Microsoft on how to do this for the more recent OS: https://support.microsoft.com/en-us/help/14201/windows-show-hidden-files
 


The mbae-default.log has cycled and doesn't include the alert information. Can you please reproduce the problem again and post a fresh new mbae-default.log?

 

 


For the past 3 weeks or so, the problem has gone away. I had assumed it was an updated malware definition that took care of it ... Sorry, but I cannot reproduce it.
