u2berggeist

MalwareBytes throws up Exploit whenever cmder is run

Every time I run cmder, Malwarebytes gives me an exception error. I have no idea why it does, and it only just recently started happening (i.e. previously I had run cmder and no exploit blocked notification was received).

I can't directly tell whether it's impeding cmder's performance, but it's sure damn annoying. I can't make an exception for it because it doesn't show up in "Exclude a Previously Detected Exploit" page.

How do I stop this?

Here's the output of the report:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 2/28/18
Protection Event Time: 9:54 AM
Log File: 57c7570a-1c97-11e8-ae99-ecf4bb518a2b.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.4144
License: Premium

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe \c ver
URL: 

(end)


***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 


If you haven't done so already, please run these two tools and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

  • Farbar Recovery Scan Tool (FRST)
    1. Download FRST and save it to your desktop
      Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
    2. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
    3. Press the "Scan" button
    4. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
      • Leave the log files in the current location, they will be automatically collected by mb-check once you complete the next set of instructions
  • MB-Check
    1. Download MB-Check and save to your desktop
    2. Double-click to run MB-Check and within a few seconds the command window will open; press "Enter" to accept the EULA, then click "OK"
    3. This will produce one log file on your desktop: mb-check-results.zip
      • This file will include the FRST logs generated from the previous set of instructions
      • Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


I've now encountered an actual error inside cmder after trying to launch. See below:

image.png.bcb048682e0df60642a518acbcc9252d.png

Also, other random notes:

  • This "Exploit Block" doesn't happen on my Windows 10 machine when running cmder.
  • The "Exploit Block" also occurs when using the integrated terminal in VS Code, but I believe that's simply tied to the fact that it's literally running the exact same code in a cmd window.

image.png

Edited by u2berggeist
Left personal info in the error message


@u2berggeist

Could you get us some logs to look into so we can better troubleshoot this issue? See the second post for help with getting logs (under technical issues).

 

Also--Double check the following settings for me and see if they are at default values, thanks

Capture.PNG.e8340cf120c5a0005838b55a9bb8e095.PNG

 

Edited by vbarytskyy


@u2berggeist

Do you run any specific commands when you get a trigger?

Do you run it as admin?

Any other information that can be useful in reproducing this problem would be much appreciated.


I don't run any special commands. I'm simply launching the executable.

It doesn't start up in admin mode.

The only slightly weird thing is I have the cmder folder placed in the C drive (so C:\cmder). 


It looks like there is a "user-aliases" file that this script is looking for as well; could you provide a copy of that as well, please? Also, what is the purpose of this script?


There is no file named `user-aliases.cmd` like in the `init.bat`. Looking at the script, it looks like if there isn't one there, then it will copy `user-aliases.cmd.example`. I've attached that below.

As far as what the script does, your guess is as good as mine. I just use cmder, I don't mod it very much at all. Their documentation might be helpful.

Side note: it's really annoying that the forum has file type limits. I've had to save both the `init.bat` and the `user-aliases.cmd.example` as a text file to upload.

user-aliases.cmd.example.txt


While I am looking over these, can you upgrade to MB3.4 that we released today and let me know if you are still experiencing the issue? 

Go to Settings > Click "Install Application Updates" under Application. 


Upgrading to MB3.4 seems to have fixed the issue. I no longer have the exploit warnings anymore and cmder is working fine now.

 

Thanks for your help!

