MLap

Need help with exploit threat exclusion


I have an alert for an exploit threat, but it's not a threat. I don't know how I can put an exclusion on this because it's flagged every time we use the software. Here is an example of the alert:

11/29/2017 8:06:14 AM               COMPUTERNAME   X.X.X.X         Exploit payload process blocked               BLOCK                C:\Windows\SYSTEM32\cmd.exe \C FOR %a In (C:\Users\USERNAME\AppData\Local\Oracle\BIPublisher\TemplateBuilderforWord\tmp\tmp\SOMEFILENAME.PDFDOCXLS) DO START %~sa

We are using Malwarebytes Anti-Exploit for Business. In the console, if I right-click and choose "add to anti-exploit exclusion list", I receive an error of "no payload checksum". Is there a way to have an exclusion on this without excluding all of cmd.exe?


Hey MLAP,

Exclusions are usually only done if there is an md5 of the file that can be excluded. I am not 100% sure why that block is occurring, so I will need to see the full logs for the product. Do you mind collecting the logs following the instructions here:

https://forums.malwarebytes.com/topic/191468-readme-first-posts-here-need-to-include-mbae-logs/

You can send me the data in a PM if you do not wish to post it in the forum.


Thank you for the logs!

So I reviewed it, and it may be due to a setting we have that causes cmd not to be run if Java calls it. Sometimes infections use this vector, so we have that setting on by default to block it. However, you can disable this setting if you know for sure this script is good. To do this, open up the mbae UI on the users' machines (or go into the mbae tab in the policy if you are using mbmc) and go to the settings tab. Click on the advanced settings button and go to the java protection tab. Disable the first option, 'prevent web-based java command line', and test to see if it works. If you are pushing it from the console, it may take a bit to be pushed down to the client.

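As an added triage example (not code from the thread or from Malwarebytes), the script below parses alert lines laid out like the one quoted in the first post and marks which blocked cmd.exe launches match the Oracle BI Publisher Template Builder pattern the reply identifies as benign, so an analyst can separate those from launchers that still need a look. The sample lines, hostnames, IPs and paths are constructed, and the whitespace-separated column layout is an assumption about the export format.

```python
import re
from dataclasses import dataclass

# Constructed sample alerts in the column layout of the line quoted in the thread
# (fields separated by runs of whitespace). Hosts, IPs and paths are placeholders.
SAMPLE_ALERTS = r"""
11/29/2017 8:06:14 AM    WS-0042    10.0.0.12    Exploit payload process blocked    BLOCK    C:\Windows\SYSTEM32\cmd.exe /C FOR %a In (C:\Users\jdoe\AppData\Local\Oracle\BIPublisher\TemplateBuilderforWord\tmp\tmp\report.pdf) DO START %~sa
11/29/2017 9:12:01 AM    WS-0042    10.0.0.12    Exploit payload process blocked    BLOCK    C:\Windows\SYSTEM32\cmd.exe /C FOR %a In (C:\Users\jdoe\AppData\Local\Temp\update.vbs) DO START %~sa
11/29/2017 9:30:45 AM    WS-0007    10.0.0.33    Exploit payload process blocked    BLOCK    C:\Windows\SYSTEM32\cmd.exe /C net use
"""

FIELD_SEP = re.compile(r"\t+|\s{2,}")  # assumption: columns separated by tabs or 2+ spaces

@dataclass
class Alert:
    timestamp: str
    host: str
    ip: str
    description: str
    action: str
    command_line: str

def parse_alert(line):
    """Split one alert line into its columns; None for lines that do not fit."""
    parts = FIELD_SEP.split(line.strip())
    if len(parts) < 6:
        return None
    return Alert(*parts[:5], command_line="  ".join(parts[5:]))

# Shape of the launcher the poster saw: cmd.exe /C FOR %a In (<file>) DO START %~sa
FOR_START = re.compile(
    r"cmd\.exe\s+[/\\]C\s+FOR\s+%a\s+In\s+\((?P<path>[^)]+)\)\s+DO\s+START\s+%~sa\s*$",
    re.IGNORECASE,
)
# Directory the reply ties to the benign launches (Oracle BI Publisher Template Builder).
# Assumption: a launcher pointing anywhere else still deserves an analyst's look.
KNOWN_BENIGN_DIR = r"\oracle\bipublisher\templatebuilderforword\tmp"

def classify(alert):
    m = FOR_START.search(alert.command_line)
    if not m:
        return "review: command line does not match the FOR/START launcher"
    if KNOWN_BENIGN_DIR in m.group("path").strip().lower():
        return "known-benign: BI Publisher Template Builder launch"
    return "review: FOR/START launcher pointing outside the BI Publisher temp dir"

def triage(log_text):
    """Return (host, verdict) for every parsable alert line."""
    return [(a.host, classify(a)) for a in map(parse_alert, log_text.splitlines()) if a]
```

Only the first sample is tied to the Template Builder temp directory; the other two keep a "review" verdict because the same FOR/START shape, or any other cmd.exe child of Java, is exactly what the blocked setting exists to catch.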

Hi,

Thanks, that makes sense. I don't see the option, but I have an old version, 1.6.1.2897, of mbmc. What is the latest version and how do I update it?
