
Exclusions not working properly?



Hey All,

We've recently configured and deployed Malwarebytes using the installer package we created from the Policy in the Malwarebytes Management Console. However, for some reason, the exclusions don't seem to be working properly. We have several GPOs in place and we are trying to avoid having these policies show up in our logs as PUM false positives.

We found the following article:

https://support.malwarebytes.com/docs/DOC-1417

Applied the corresponding exclusions in the Management Console; however, as you can see in the screenshot below, this is still not working.


Does anyone have any insight on how we can correct this?

Thanks,

Luis Chavez


Greetings,

As a short-term solution you might consider disabling PUM detections for the time being until you get the exclusions issue sorted out. PUM detections (Potentially Unwanted Modifications) really only apply to system settings modifications which are sometimes altered by malware; however, as long as your environment is sufficiently protected there is very little likelihood of any threats getting in and therefore being able to compromise any of the settings on your endpoints. The option that controls PUM detections should be under Protection and includes a drop-down menu where you can configure your Malwarebytes deployments not to detect them.


By the way, if the primary issue is with Malwarebytes detecting and removing/changing these during scheduled scans, you might consider configuring PUMs to "Warn user" instead of "Ignore". That way you'll still see all PUM detections in your logs and may review them should you have the need, in case some PUM you desire to be detected is found; that way you'll be aware of it and may address it. When set to warn, Malwarebytes will simply detect the items and list them in the scan logs but will not change or remove them, and will list the action taken as "No action by user".


Hey Samuel! Thanks for the prompt response! I followed the exact format provided in the article posted by Malwarebytes, but it doesn't seem to be working. I thought it was just us not configuring the exclusions correctly. Does this mean that there is a known issue with exclusions not working?


I'm not aware of any known issues; however, it is possible, so I've contacted a member of our business product support team to review your case. He should be able to offer additional insight and assistance. In the meantime, did changing the setting for PUM detections work, or did it continue to find and change/remove the excluded items/entries?


We haven't disabled PUM detections because we want to ensure that if Malwarebytes detects a PUM that was not set by a GPO we are aware of it. That's the main reason why we added the GPO settings or registry fixes we have implemented as part of the exclusions list, unfortunately, they still show up :(

11 hours ago, Luis_Chavez said:

We haven't disabled PUM detections because we want to ensure that if Malwarebytes detects a PUM that was not set by a GPO we are aware of it. That's the main reason why we added the GPO settings or registry fixes we have implemented as part of the exclusions list, unfortunately, they still show up :(

Right, but you can set it to "Warn User"; that way it still detects them/shows them in your logs but doesn't actually remove/change them, at least for the time being while you're working this issue out. Obviously it means you'll have to review the logs with all those detections until the issue is corrected, but at least if anything else is changed that shouldn't be, you'll be made aware of it.

Edited by exile360

@djacobson The main registry keys showing up in the logs are the following:

HKEY_USERS\*\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|HomePage
HKEY_USERS\*\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM|DisableCMD
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\GOOGLE\UPDATE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\UPDATE
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\GOOGLE\UPDATE|DisableAutoUpdateChecksCheckboxValue
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\UPDATE|DisableAutoUpdateChecksCheckboxValue


Edited by Luis_Chavez
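One way to triage the mismatch before support gets back: check whether each logged entry is at least syntactically covered by the exclusion list, using the key|value form the post uses. This is an added example, not Malwarebytes' own matching logic; the matching rules it applies (case-insensitive, `*` standing in for one path segment such as the user SID, key-only entries covering values under that key) and the hive-abbreviation normalisation are assumptions, and the sample detections are constructed.

```python
# Hive abbreviations other tools print, normalised to the long form the list uses
# (assumption: the product accepts the long form, which is what the post shows).
HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
                "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}

def parse_entry(entry):
    """Split 'HIVE\\Key\\Path|ValueName' into (key segments, value name or None)."""
    key, sep, value = entry.strip().partition("|")
    segments = [s for s in key.upper().split("\\") if s]
    if segments:
        segments[0] = HIVE_ALIASES.get(segments[0], segments[0])
    return segments, (value.strip().upper() if sep else None)

def exclusion_covers(exclusion, detection):
    """True if the exclusion entry covers the detected key/value.
    Rules assumed for this helper (not taken from the product):
      - matching is case-insensitive;
      - a '*' segment (the per-user SID in HKEY_USERS\\*\\...) matches one segment;
      - a key-only exclusion covers that key and any value directly under it;
      - a key|value exclusion covers only that one value."""
    ex_key, ex_val = parse_entry(exclusion)
    det_key, det_val = parse_entry(detection)
    if len(ex_key) != len(det_key):
        return False
    if any(e != "*" and e != d for e, d in zip(ex_key, det_key)):
        return False
    return ex_val is None or ex_val == det_val

def uncovered(exclusions, detections):
    """Detections that no exclusion entry covers: the ones worth raising with support."""
    return [d for d in detections if not any(exclusion_covers(e, d) for e in exclusions)]

# The six entries from the post, exactly as listed.
EXCLUSIONS = [
    r"HKEY_USERS\*\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|HomePage",
    r"HKEY_USERS\*\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM|DisableCMD",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\GOOGLE\UPDATE",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\UPDATE",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\GOOGLE\UPDATE|DisableAutoUpdateChecksCheckboxValue",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\UPDATE|DisableAutoUpdateChecksCheckboxValue",
]

# Constructed sample detections (the SID is made up; entries are built for the demo).
DETECTIONS = [
    r"HKU\S-1-5-21-100-200-300-1001\Software\Policies\Microsoft\Windows\System|DisableCMD",
    r"HKLM\SOFTWARE\Policies\Google\Update|DisableAutoUpdateChecksCheckboxValue",
    r"HKLM\SOFTWARE\Policies\Google\Update|AutoUpdateCheckPeriodMinutes",  # key-only entry covers it
    r"HKU\S-1-5-21-100-200-300-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr",
]
```

Running `uncovered(EXCLUSIONS, DETECTIONS)` returns only the last constructed entry; an entry the list does cover but that still appears in the logs points at product-side matching rather than the exclusion syntax.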