
AntiMalware and Slack false positives, crashing machines



We recently bought some 30 Endpoint licenses to cover a part of our Windows network but are hitting some bad snags when it comes to using it. Our main communication system here is Slack and apparently its URL/IPs get flagged as malware by Malwarebytes. All our Windows users who use the Slack application get 10-minute-long hangs on black screens when Slack is opened/switched. Those who use Slack in the browser get very slow loading times and we receive alerts that an IP was blocked.

We spoke with the local reseller here and upon opening a case with Malwarebytes, we were told that this is a known problem and to exclude the Slack IPs from scanning. Now, Slack are on AWS and after spending 15 minutes trying to figure out their IPs, I got some 10 diff ones, with these changing daily so it doesn't make any sense to stay whitelisting these. Whitelisting whole AWS ranges one by one (the list doesn't support masks) doesn't work either as there are thousands.

Because of this, we ended up disabling the scanning and have a very expensive anti-malware which we cannot use. I'd appreciate it if there's someone who worked around this or at least knows if there's something in the pipeline to fix this. It seems such an absurd issue that should have been fixed by now.

Thanks


On 07/06/2017 at 0:59 AM, djacobson said:

Are you also using Symantec or Bit9 by chance? This issue is known but still being actively researched to discover the root cause.

We have clean Windows 10 Pro with inbuilt defender. We tried disabling it but to no avail. 

Any idea why this is happening? No real malware is involved, right? We were also told that this month the business application will be merged into one... is there a timeframe for this? And will that fix this particular issue?


No malware, this is a conflict. What makes it more difficult is that Slack's running location is not able to be ignored globally due to the user path location. Our ignore list is fairly limited and unable to take wildcards or path variables; you'll potentially need an ignore entry for every user on Slack with MBAM. If Slack ran from Program Files or ProgramData, this wouldn't be an issue.

C:\Users\[username]\Desktop\Slack.lnk
C:\Users\[username]\AppData\Local\slack\app-2.6.0
C:\Users\[username]\AppData\Local\slack\app-2.6.0\locales
C:\Users\[username]\AppData\Local\slack\app-2.6.0\resources
C:\Users\[username]\AppData\Local\slack\app-2.6.0\slack.exe

The Malwarebytes Endpoint Protection (EPP) with the cloud console is still in beta, I have no timeframe for release that I can share. I do not know if it would have the same conflict or not, although if it did, its ignore list is less limited and can take those variable path locations.

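The per-user entries described in the reply above can be generated rather than typed by hand. This is an added example, not part of the original posts and not a Malwarebytes tool; it assumes profiles live under `C:\Users`, that Slack uses the folder layout quoted in the reply, and the function name and output file are hypothetical:

```powershell
# Added example: list the concrete per-user Slack paths for an ignore list
# that cannot take wildcards or path variables.
# Assumptions: profile root is C:\Users; Slack layout matches the quoted reply.
# Run from an elevated prompt so other users' profiles are readable.
function Get-SlackIgnorePath {
    [CmdletBinding()]
    param(
        [string]$UsersRoot = 'C:\Users'   # assumed profile root
    )

    foreach ($userDir in Get-ChildItem -LiteralPath $UsersRoot -Directory -Force -ErrorAction SilentlyContinue) {
        $slackRoot = Join-Path $userDir.FullName 'AppData\Local\slack'
        # Skip profiles that never installed Slack.
        if (-not (Test-Path -LiteralPath $slackRoot -PathType Container)) { continue }

        # Same five locations the reply lists, for every app-<version> folder found.
        $candidates = @(Join-Path $userDir.FullName 'Desktop\Slack.lnk')
        foreach ($appDir in Get-ChildItem -LiteralPath $slackRoot -Directory -Filter 'app-*') {
            $candidates += $appDir.FullName
            $candidates += Join-Path $appDir.FullName 'locales'
            $candidates += Join-Path $appDir.FullName 'resources'
            $candidates += Join-Path $appDir.FullName 'slack.exe'
        }

        # Emit only paths that exist, so the ignore list stays as narrow as possible.
        foreach ($path in $candidates) {
            if (Test-Path -LiteralPath $path) {
                [pscustomobject]@{ User = $userDir.Name; Path = $path }
            }
        }
    }
}

# One exact path per line, ready to copy into the ignore list.
Get-SlackIgnorePath |
    Sort-Object User, Path |
    Select-Object -ExpandProperty Path |
    Set-Content -Path .\slack-ignore-paths.txt
```

The `app-2.6.0` folder name carries the Slack version, so the list should be regenerated whenever that folder name changes on the endpoints.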

If you'd be willing to record the hang conflict between MBAM and Slack, that can help our Engineering team identify the root cause. 

ProcMon Log
I’d like to have you run a tool called Process Monitor, ProcMon for short, that will capture all of the events that happen during the issue. Please follow these steps:

  1. Download ProcMon from this link: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
  2. Extract ProcMon to your desktop
  3. Turn off all other programs except Slack and MBAM
  4. Double-click ProcMon to run it
  5. Once ProcMon begins running, reproduce your issue with Slack
  6. When you get the error, go to ProcMon and click File → Capture Events (this should be checked by default, we want to uncheck it to stop the capture)
  7. Afterwards, still in ProcMon, click File → Save, leave the “Events” as default but you can change where the log goes at the bottom. Save the ProcMon log in default or somewhere you are familiar with, like your desktop.
  8. Upload the ProcMon log to https://www.malwarebytes.com/support/business/businessfileupload/
