Keybase false positive

[stefanc]

Incidentally, is there a way to back out of the false positive? I have "alert user" set wherever possible, and I got a pop-up saying keybase was going to be blocked - but it went by too fast and now Keybase won't run unless I disable Exploit protection in Malwarebytes. How to I reset it (so I get the pop-up again), or find out where I need to make an exclusion?

 

For this false positive in particular, it looks like cscript.exe is really what was flagged. Can this be white-listed? Or does that bypass the purpose of programs like MWB?

Thanks

------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 9/10/17
Protection Event Time: 10:35 PM
Log File: 14377dfe-96b3-11e7-aba4-00256490a632.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2018
Components Version: 1.0.188
Update Package Version: 1.0.2771
License: Premium

-System Information-
OS: Windows 10 (Build 14393.1593)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

-Exploit Data-
Affected Application: keybase
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\WINDOWS\system32\cscript.exe cscript.exe
URL: 

(end)

 

[Rsullinger]

Hello Stefanc,

 

I will want to see some of the logs to see why this is happening. Can you follow the instructions here to collect the logs I will need:

 

https://support.malwarebytes.com/docs/DOC-1375

 

Also, to answer your question, if it is not popping up again, then we may have blocked the process it needed to run and it is not calling it again until our protection is disabled. We won't know if we will be able to exclude it until I get the logs though unfortunately.