Need help with exploit threat exclusion

I have an alert for an exploit threat but it's not a threat. I don't know how I can put an exclusion on this because it's flagged every time we use the software. Here is an example of the alert:

11/29/2017 8:06:14 AM               COMPUTERNAME   X.X.X.X         Exploit payload process blocked               BLOCK                C:\Windows\SYSTEM32\cmd.exe \C FOR %a In (C:\Users\USERNAME\AppData\Local\Oracle\BIPublisher\TemplateBuilderforWord\tmp\tmp\SOMEFILENAME.PDFDOCXLS) DO START %~sa

We are using Malwarebytes Anti-Exploit for business. In the console, if I right click and choose add to anti-exploit exclusion list, I receive an error of no payload checksum. Is there a way to have an exclusion on this without excluding all cmd.exe?


  • Staff



Exclusions are usually only done if there is an MD5 of the file that can be excluded. I am not 100% sure why that block is occurring, so I will need to see the full logs for the product. Do you mind collecting the logs from the instructions here:




You can send me the data in a PM if you do not wish to post it in the forum. 


  • Staff

Thank you for the logs!


So I reviewed it and it may be due to a setting we have that causes cmd to not be run if Java calls it. Sometimes infections use this vector so we have that setting to block it on by default. However, you can disable this setting if you know for sure this script is good. To do this, open up the mbae UI on the users' machines (or go into the mbae tab in the policy if you are using mbmc) and go to the settings tab. Click on the advanced settings button and go to the Java protection tab. Disable that first option for 'prevent web-based java command line' and test to see if it works. If you are pushing it from the console, it may take a bit to be pushed down to the client.



  • Staff



Sorry for the delay. Here is the link for the latest mbmc:




In the meantime, see if you can change the setting on the user side (as long as you are an admin you should be able to change it) and see if it works. I would hate to have you go through all of that work for it to not ultimately fix it.
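
A check an admin could run over exported alert rows before turning off the Java protection setting discussed in this thread, as an added example that is not part of the original posts or of Malwarebytes' own tooling: it confirms that every blocked cmd.exe command is the BI Publisher Template Builder pattern from the first post and lists anything else for review. The column separator (a tab or two or more spaces) and the sample rows are assumptions.

```python
import re
from collections import Counter

EVENT = "Exploit payload process blocked"  # event name as shown in the alert above

# The one command line the thread treats as known-good: cmd.exe running
# FOR %a In (<file under the BI Publisher Template Builder tmp dir>) DO START %~sa
EXPECTED = re.compile(
    r"^C:\\Windows\\SYSTEM32\\cmd\.exe [\\/]C FOR %a In "
    r"\(C:\\Users\\[^\\]+\\AppData\\Local\\Oracle\\BIPublisher"
    r"\\TemplateBuilderforWord\\tmp\\([^()&|<>^\"]+)\) DO START %~sa$",
    re.IGNORECASE,
)

def parse_alert(line):
    """Split one alert row into its six columns, or return None."""
    # Assumption: columns are separated by a tab or by 2+ spaces, as in the post.
    parts = [p.strip() for p in re.split(r"\s{2,}|\t", line.strip(), maxsplit=5)]
    if len(parts) != 6:
        return None
    keys = ("time", "host", "ip", "event", "action", "command")
    return dict(zip(keys, parts))

def triage(lines):
    """Count known-good blocks per host; collect every other blocked command."""
    known, unexpected = Counter(), []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["event"] != EVENT:
            continue
        m = EXPECTED.match(alert["command"])
        # ".." would let the path leave the Template Builder tmp directory.
        if m and ".." not in m.group(1):
            known[alert["host"]] += 1
        else:
            unexpected.append((alert["host"], alert["command"]))
    return known, unexpected

# Constructed sample rows (host names, addresses and file names are made up).
SAMPLE = r"""
11/29/2017 8:06:14 AM    PC-01   10.0.0.11    Exploit payload process blocked    BLOCK    C:\Windows\SYSTEM32\cmd.exe \C FOR %a In (C:\Users\alice\AppData\Local\Oracle\BIPublisher\TemplateBuilderforWord\tmp\tmp\report1.pdf) DO START %~sa
11/29/2017 9:15:02 AM    PC-01   10.0.0.11    Exploit payload process blocked    BLOCK    C:\Windows\SYSTEM32\cmd.exe \C FOR %a In (C:\Users\alice\AppData\Local\Oracle\BIPublisher\TemplateBuilderforWord\tmp\tmp\..\..\..\other.pdf) DO START %~sa
11/29/2017 9:40:51 AM    PC-02   10.0.0.12    Exploit payload process blocked    BLOCK    C:\Windows\SYSTEM32\cmd.exe /C whoami
""".strip().splitlines()

if __name__ == "__main__":
    known, unexpected = triage(SAMPLE)
    print("known-good blocks per host:", dict(known))
    for host, cmd in unexpected:
        print("REVIEW", host, cmd)
```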
