TonyCummins

Exclusions being ignored !!


Back on 10/31/17 I had a bunch of tablets get detected for the following:
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\CMD.EXE
 

After getting with support and submitting reg keys etc., it was confirmed it was not malware... and it was suggested I add an exclusion... I did.

Today it's getting detected again... same exact path.

What gives??

Edited by TonyCummins

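Added example, not from the original post: before trusting (or excluding) a hit on that App Paths key, look at what it actually points to. App Paths entries are consulted by ShellExecute and the Run dialog when a bare program name such as "cmd" is launched, so an entry for cmd.exe that points anywhere other than the real binary redirects those launches, which is why scanners flag it. The post says support judged the key benign but not what it contained; the expected target below (System32\cmd.exe) is an assumption.

```powershell
# Added example (not the thread's or the vendor's code). Dumps the App Paths
# entry for cmd.exe and checks its target against the real binary.
# Assumption: the legitimate target is %SystemRoot%\System32\cmd.exe.
$keyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmd.exe'
$expected = Join-Path $env:SystemRoot 'System32\cmd.exe'

if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Output 'No App Paths entry for cmd.exe on this machine (Windows ships without one).'
    return
}

$props   = Get-ItemProperty -LiteralPath $keyPath
$target  = $props.'(default)'   # what ShellExecute will launch for "cmd"
$pathDir = $props.Path          # optional directory prepended to PATH for that launch

Write-Output "Target : $target"
Write-Output "Path   : $pathDir"

if (-not $target) {
    Write-Warning 'Default value is empty: nothing would be launched from this entry.'
    return
}

# Strip surrounding quotes and expand %SystemRoot%-style variables before comparing.
$resolved = [Environment]::ExpandEnvironmentVariables($target.Trim('"'))

if ($resolved -ieq $expected) {
    Write-Output 'Target is the stock cmd.exe.'
} else {
    Write-Warning "Target differs from $expected (possible hijack of 'cmd' launches)."
}

if (Test-Path -LiteralPath $resolved) {
    $sig = Get-AuthenticodeSignature -FilePath $resolved
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
    Write-Output ("Signature: {0} (signer: {1})" -f $sig.Status, $signer)
} else {
    Write-Warning 'Target file does not exist on disk.'
}
```

If the target is the stock, signed cmd.exe, an exclusion for the key is defensible; if it points at a writable directory or an unsigned binary, the exclusion would be hiding exactly the thing the detection exists for.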

Tony, have you added any new exclusions? EP will stop on incorrect exclusions and fail to continue to process the rest. If a new one is not processed right, it could prevent the rest from applying.

Quote

EP will stop on incorrect exclusions and fail to continue to process the rest

Could you PLEASE put that as a significant note in the documentation?!?!

This is the first time I've ever heard of something like that.

Should I ask for a "request for enhancement"? What would it take for EP to continue if an erroneous entry was encountered?

On 12/22/2017 at 9:51 AM, djacobson said:

Tony, have you added any new exclusions? EP will stop on incorrect exclusions and fail to continue to process the rest. If a new one is not processed right, it could prevent the rest from applying.

No new exclusions since I was told to add the reg key one by support. I sent screenshots of my exclusions / my detection etc. to support.
Here is the correspondence from support I received this morning, in case anyone else is experiencing the same issue.

He requested a screenshot of settings and replied they appeared correct. He requested the hostname of the offending endpoint, and replied after receiving the name that it was NOT showing up on his end, which would possibly explain why the exclusions have not propagated to this particular endpoint. He asked me to please uninstall and reinstall the endpoint with the prerequisites exe package downloaded from the Endpoints > Add section of your cloud console.

I replied that I was confused, as the tablet is currently up and running. It is also showing as online in my dashboard. So I asked: Are you saying that is not the case?

He replied: It's showing up now, were you able to reinstall? I don't see any hits for this reg key on the endpoint, but did see the capture of this machine you had sent.
Now that this appears to be successfully communicating, we should no longer be getting hits for excluded items.

I replied: No, I haven't changed anything on my end; that is why I responded with the fact it was showing as online, as I was concerned that if it was showing online on my end, but not yours, how many others were affected.
So are you saying that this endpoint had not been communicating successfully until just now? (When I've changed nothing on my end.)

And that's where we are at currently! So I'm none the wiser as to what happened.

Edited by TonyCummins
grammar

On 12/22/2017 at 11:51 AM, djacobson said:

Tony, have you added any new exclusions? EP will stop on incorrect exclusions and fail to continue to process the rest. If a new one is not processed right, it could prevent the rest from applying.

Wasn't this resolved in the latest update?


Just wanted to add my two cents. We also had this issue, Case #:0004825. Out of the couple hundred we have installed, two ignored registry exclusions on different days. One about 2 days after installation, the other a week after (different groups and policies). The exclusions were checked out as being OK and no other endpoint has had this issue for the last week.

1 minute ago, Kalrand said:

Just wanted to add my two cents. We also had this issue, Case #:0004825. Out of the couple hundred we have installed, two ignored registry exclusions on different days. One about 2 days after installation, the other a week after (different groups and policies). The exclusions were checked out as being OK and no other endpoint has had this issue for the last week.

So to add my last response from support...."The endpoint is showing on our end now and so is applying the exclusions and therefore is working."

I was never asked to produce any logs from the endpoint that was having the issues to "actually" troubleshoot the root cause, and so I'm no wiser as to what the problem was and, more to the point, I'm no wiser "IF" it's going to reoccur.

 


Nor am I. We did supply logs, but no concrete answer as to why or if it will happen again. The last I was told was to downgrade the client; however, we didn't feel this would resolve the issue, so we did not do this step. One thing that may or may not be different: in our case the registry keys were re-added by GPO on the next refresh and were not picked up as a threat on following scheduled scans. I verified the keys were present on both endpoints and also not in quarantine.

On 12/26/2017 at 8:02 AM, kahml said:

Could you PLEASE put that as a significant note in the documentation?!?!

That's what this forum is for, not the documentation. The technical writing team is not going to add a note in the documentation for a bug in the product that wasn't intentional. This was discovered by an agent helping a customer during a call. A more graceful failure for incorrectly input exclusions is being worked on. The update was supposed to be part of the recent push, but as you guys may know, that update was pulled for the restart looping.

You will not be able to tell which exclusions are failing with a normal log collection process; the application must be put into debug mode. Create a support ticket for how to do that; the process is not shared publicly. If you already know how to do that, feel free to let it rip; it will list the entry that is failing. Note that it can be pretty tedious to do this, as you need to wait for the changes to get pulled down to the machine so you can see what the next failing entry is; keep this up until you have all of them.

Some tips for exclusions on cases where we have seen this problem:

  • Keep your exclusion entries case sensitive.
  • Only use wildcards in the "Exclude a file by path (Windows & Mac)", "Exclude files or folders by wildcards (Windows)" and the "Exclude a registry key (Windows)" areas.
  • Keep exclusions to one entry per exclusion, do not try to stack a bunch of entries on one line separated by commas. We see this most often with file extension exclusion attempts.

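Added example, not from the thread or the product: since one malformed entry stops processing of everything after it, it is worth linting the exclusion list on an endpoint before pushing it. The script below applies the three tips above (case, wildcard placement, one entry per line) and, for registry exclusions written in the "HIVE\subkey|ValueName" form used later in this thread, checks that the key and value actually exist on the machine. The category labels are the console's names as quoted in the post; the sample list is constructed and deliberately contains one of each mistake.

```powershell
# Added example (not the thread's or the vendor's code). Lints exclusion
# entries against the tips in the post and resolves registry entries locally.
# Assumptions: entries are (Type, Value) pairs using the console's category
# labels; the $exclusions list is constructed for demonstration.
$exclusions = @(
    @{ Type = 'Exclude a registry key (Windows)'
       Value = 'HKU\*\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel' }
    @{ Type = 'Exclude a registry key (Windows)'
       Value = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmd.exe' }
    @{ Type = 'Exclude a file by path (Windows & Mac)'
       Value = 'c:\windows\system32\cmd.exe' }            # wrong case on purpose
    @{ Type = 'Exclude a file extension (Windows)'
       Value = '.bak,.tmp' }                              # stacked entries on purpose
    @{ Type = 'Exclude a file extension (Windows)'
       Value = '*.log' }                                  # wildcard in an unsupported category
)
$wildcardOk = @('Exclude a file by path (Windows & Mac)',
                'Exclude files or folders by wildcards (Windows)',
                'Exclude a registry key (Windows)')
$hives = @{ HKLM = 'HKEY_LOCAL_MACHINE'; HKCU = 'HKEY_CURRENT_USER'; HKU = 'HKEY_USERS'; HKCR = 'HKEY_CLASSES_ROOT' }

# Tip 1 helper: rebuild a file path with the casing the file system actually uses,
# by matching each segment case-insensitively against its parent's children.
function Get-OnDiskCasing([string]$Path) {
    $parts = @($Path -split '\\' | Where-Object { $_ -ne '' })
    if ($parts.Count -lt 2) { return $null }
    $current = $parts[0].ToUpper() + '\'        # drive root, e.g. C:\
    foreach ($part in $parts[1..($parts.Count - 1)]) {
        $child = Get-ChildItem -LiteralPath $current -Force -ErrorAction SilentlyContinue |
                 Where-Object { $_.Name -ieq $part } | Select-Object -First 1
        if (-not $child) { return $null }        # path does not exist on this endpoint
        $current = Join-Path $current $child.Name
    }
    return $current
}

# Expand "HIVE\subkey|value" into Registry:: provider paths; HKU\* fans out to every loaded hive.
function Resolve-RegistryExclusion([string]$Entry) {
    $key, $valueName = $Entry -split '\|', 2
    $hive, $subkey   = $key -split '\\', 2
    if (-not $hives.ContainsKey($hive) -or -not $subkey) { return }
    $roots = @("Registry::$($hives[$hive])")
    if ($hive -eq 'HKU' -and $subkey.StartsWith('*\')) {
        $subkey = $subkey.Substring(2)
        $roots  = @(Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object { "Registry::$($_.Name)" })
    }
    foreach ($root in $roots) {
        $path      = "$root\$subkey"
        $keyExists = Test-Path -LiteralPath $path
        $valExists = $null
        if ($keyExists -and $valueName) {
            $valExists = $null -ne (Get-ItemProperty -LiteralPath $path -Name $valueName -ErrorAction SilentlyContinue)
        }
        [pscustomobject]@{ Path = $path; ValueName = $valueName; KeyExists = $keyExists; ValueExists = $valExists }
    }
}

$findings = foreach ($e in $exclusions) {
    $report = { param($why) [pscustomobject]@{ Entry = $e.Value; Problem = $why } }
    # Tip 3: one entry per line; a comma-stacked line is read as a single bogus entry.
    if ($e.Value -match ',') { & $report 'several entries stacked on one line' }
    # Tip 2: wildcards are honoured only in the three listed categories.
    if ($e.Value -match '[*?]' -and $e.Type -notin $wildcardOk) { & $report 'wildcard in a category that does not support it' }
    switch -Wildcard ($e.Type) {
        'Exclude a registry key*' {
            $hits = @(Resolve-RegistryExclusion $e.Value)
            if (-not $hits) { & $report 'unrecognised hive prefix or empty subkey' }
            foreach ($h in $hits) {
                # Under HKU\* the key is legitimately absent in hives (e.g. S-1-5-18) that user GPO never touches.
                if (-not $h.KeyExists)                         { & $report "key not present: $($h.Path)" }
                elseif ($h.ValueName -and -not $h.ValueExists) { & $report "value $($h.ValueName) not present under $($h.Path)" }
            }
        }
        'Exclude a file by path*' {
            $actual = Get-OnDiskCasing $e.Value
            if (-not $actual)              { & $report 'path does not exist on this endpoint' }
            elseif ($actual -cne $e.Value) { & $report "case differs from disk: $actual" }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No problems found.' }
```

Run it on a representative endpoint (it reads the live registry and file system), clear every reported row, and only then push the policy; the "key not present" rows for HKU\* entries are noise for hives that user GPO never writes to, but a registry entry that resolves nowhere at all is usually a typo that will take every later exclusion down with it.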

This happened again to one of our endpoints, all three quarantined items were in the exclusions and the endpoint had MEP installed for about a month. It doesn't happen that often, first one since last month. Since the registry keys are re-added by GPO it's little more than a nuisance but would like to know why.

Edit:

I noticed this through the cloud portal. It installed today, which makes me wonder if it's a post-install scan (in this case a scheduled scan at 6 am) running before looking up exclusions.

Malwarebytes version 3.3.2.2243, 01/25/2018
Edited by Kalrand

14 hours ago, djacobson said:

@kalrand How do you have your GPO keys entered?

 

User policy from domain controller.

Policies > Administrative Templates > Control Panel > Always open All Control Panel Items when opening Control Panel (MEP lists this as Malware)

Policies > Administrative Templates > Control Panel > Personalization > Prevent changing desktop background (MEP lists this as PUM)

 


I apologize @Kalrand, I meant, how do you have your GPO keys entered into the program's ignore list?

This?

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop|NoChangingWallPaper

Or this?

HKU\*\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel
HKU\*\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop|NoChangingWallPaper


That is the correct way to do them. We'll need to see if any other ignores are incorrect, leaving the machine unable to process the ones that follow the incorrect entries. To put the module into debug mode and collect logs, follow this process. Go to C:\Program Files\Malwarebytes Endpoint Agent. Find MBCloudEA.exe.Config, right-click to edit it or open it with Notepad.


Ctrl+F and look for the word "INFO". Change INFO to DEBUG, and save the file.

Once this is done, open up Services and restart the Malwarebytes Endpoint Agent service. Let the EA run and try to replicate your issue to build up new data. Once you have let it run and replicated the issue, open an elevated CMD prompt as admin. Change the directory to C:\Program Files\Malwarebytes Endpoint Agent

  • cd C:\Program Files\Malwarebytes Endpoint Agent

Once there, run this command

  • MBCloudEA.exe -diag


That will create a folder on the desktop called MBDiagnostics. Send this zipped folder back to us.

Edited by djacobson
fixing broken pictures

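Added example, not from the thread or the vendor: the debug-mode procedure above scripted so it can be run on an affected endpoint in one go and cleanly reverted afterwards (the agent should not be left at DEBUG). Assumptions: the service's display name is "Malwarebytes Endpoint Agent" as it appears in the Services console in the post, the log level appears in MBCloudEA.exe.Config as the bare word INFO exactly once, and the diag output lands in a Desktop folder named MBDiagnostics as the post states. If the config contains INFO more than once the script refuses to touch it and you edit by hand as described.

```powershell
# Added example (not the thread's or the vendor's code). Usage, elevated:
#   .\mbea-debug.ps1 -Action Enable    # INFO -> DEBUG, restart the agent
#   ... reproduce the detection a few times ...
#   .\mbea-debug.ps1 -Action Collect   # run MBCloudEA.exe -diag, zip MBDiagnostics
#   .\mbea-debug.ps1 -Action Revert    # restore the saved config, restart the agent
param(
    [ValidateSet('Enable', 'Collect', 'Revert')] [string]$Action = 'Enable'
)
$agentDir = 'C:\Program Files\Malwarebytes Endpoint Agent'
$config   = Join-Path $agentDir 'MBCloudEA.exe.Config'
$backup   = "$config.pre-debug"       # assumption: a side-by-side copy is acceptable here

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run from an elevated PowerShell; the service restart and -diag need it.' }

# Assumption: the display name matches what the Services console shows in the post.
$service = Get-Service -DisplayName 'Malwarebytes Endpoint Agent' -ErrorAction Stop

function Set-AgentLogLevel([string]$From, [string]$To) {
    $text  = Get-Content -LiteralPath $config -Raw
    $count = ([regex]::Matches($text, "\b$From\b")).Count
    if ($count -ne 1) {
        throw "Expected exactly one '$From' token in $config, found $count; edit it by hand instead."
    }
    if ($From -eq 'INFO') { Copy-Item -LiteralPath $config -Destination $backup -Force }
    [IO.File]::WriteAllText($config, ($text -replace "\b$From\b", $To))
    Restart-Service -InputObject $service
    Write-Output "Log level switched $From -> $To; service restarted."
}

switch ($Action) {
    'Enable'  { Set-AgentLogLevel -From 'INFO' -To 'DEBUG' }
    'Collect' {
        # Same as the post: cd into the agent directory and run the -diag switch.
        Push-Location $agentDir
        try { & (Join-Path $agentDir 'MBCloudEA.exe') -diag } finally { Pop-Location }
        $diag = Join-Path ([Environment]::GetFolderPath('Desktop')) 'MBDiagnostics'
        if (-not (Test-Path -LiteralPath $diag)) { throw "Expected $diag to be created by -diag; it is missing." }
        $zip = "${diag}-$(Get-Date -Format 'yyyyMMdd-HHmm').zip"
        Compress-Archive -Path $diag -DestinationPath $zip -Force
        Write-Output "Diagnostics zipped to $zip; attach that to the support ticket."
    }
    'Revert'  {
        if (Test-Path -LiteralPath $backup) {
            Copy-Item -LiteralPath $backup -Destination $config -Force
            Restart-Service -InputObject $service
            Write-Output 'Original config restored; service restarted.'
        } else {
            Set-AgentLogLevel -From 'DEBUG' -To 'INFO'
        }
    }
}
```

Because the failing exclusion only shows up once the agent has pulled policy again, the Enable/Collect cycle may need repeating, as the earlier reply warns; keep the DEBUG window short and run Revert as soon as the last diag is taken, since debug logging on a production endpoint is both noisy and a larger disk footprint.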

The odd thing is it happens once and not again, three different endpoints not all at the same time either.


Are you down to try a delayed start on the service? The realtime protection might be starting quickly for you and hitting the GPO keys during logon before the application has a chance to process its policy.

Settings -> Policies -> your policy -> Endpoint Protection -> Startup Options -> Delay Real-time Protection when Malwarebytes starts.


Hi,

I just started a trial and I'm having almost this exact problem. A banking website my company uses downloads and runs a temporary agent program. Malwarebytes is flagging this as "Malware.Exploit.Agent.Generic", blocking it from running, and putting the file in quarantine.

Malwarebytes Endpoint Protection had no exceptions. I added an exception for the specific path and filename that was being stopped. It is still getting blocked and quarantined.
I came here, read the comments, and altered the exception to match the displayed case of the folder name. It is still getting blocked and quarantined.

I'm pretty much at a loss, as this is the only exception and it's as specific as one could get.

On 1/26/2018 at 5:03 PM, djacobson said:

Are you down to try a delayed start on the service? The realtime protection might be starting quickly for you and hitting the GPO keys during logon before the application has a chance to process its policy.

Settings -> Policies -> your policy -> Endpoint Protection -> Startup Options -> Delay Real-time Protection when Malwarebytes starts.

I've made the changes. After the Web Protection issue this weekend, which crippled our DFS servers since they had that on, we received roughly 16 alerts (two per endpoint). Hopefully setting delayed helps.


@Riley your issue involves an exploit and will be a much different process. Anti-Exploit exclusions can only work if the hit is on a certain layer of its protection, we will need to review your hit to determine if exclusion, setting change, or new MBAE revision will be correct for your situation. Follow the steps to put your client into debug mode, replicate the hit a few times, then immediately collect the MB Diag.


@Kalrand let us know if the delay helped or not. I expect you may want to wait until everything has settled down from the bad web blocker signature. Update us when you can.

7 minutes ago, djacobson said:

@Kalrand let us know if the delay helped or not, I expect you may want to wait for everything has settled down from the bad web blocker signature, Update us when you can.

Will do, thank you.


Unfortunately I had two endpoints over the weekend quarantine the keys again. One of them during the scan schedule late Friday night, the other however at 2:15 am Saturday morning not during a scan schedule. Upon further inspection it would appear the latter one isn't following the scan schedules at all nor are the quarantined items visible in the detection panel.


We can check your machine, but what I've found with other customers is that if the cloud backend is not accessible, the program will run on with a default last-known configuration, which has been shown to not include a few items in people's ignore lists. We'd need new client logs to see if this is the case for you.

