Jump to content

MD5 hash exclusion not working


Recommended Posts

We are trying to create exclusions so remote actions from Lansweeper can be run to remote control and also remote launch and see the computers C drive. the file plaths are below. I created MD% exclusions as well as several other file and path exclusions , but it still blocks it. any ideas?

\\lansweeper\lansweeper$\lsremote.exe

\\lansweeper\lansweeper$\shellexec.vbs

Link to post
Share on other sites
  • Staff

if the \\ is a to a network drive we would not expect it to hit unless that is possibly a mapped drive?

If that is the case can you please Exclude using the drive letter mapped to that location on the endpoints?

Otherwise please provide a capture of the detection as it appears in the console and we should be able to help exclude

Link to post
Share on other sites
  • Staff

Please review in the Settings > Policy for the affected endpoints the Shielded Application list under the Anti-Exploit options we can temporarily disbale the anti-exploit module to see if this is able to resolve temporarily.

To continue attempting a more narrow exclusion we would need to collect some logs as follows 

Anti-Exploit Cloud agent debug logs :

 

https://malwarebytes.box.com/s/kzoo8u6jq7n82e0uji909y7pnuozx77z

 

Press the Windows + R keys, type "services.msc" and hit Enter.

 

Find the service named "Malwarebytes service" and use the right click menu to stop the service.

 

Extract the contents of the ZIP to a sub-folder in your Desktop.

Copy the files mbae.dll and mbae64.dll and paste them to the C:\Program Files\Malwarebytes\Anti-Malware\ folder.

Copy the files mbae.sys and mbae64.sys and paste them to the C:\Windows\System32\drivers\ folder.

 

After you replace the files, start the "Malwarebytes service" service again or reboot the computer.

 

Reproduce the problem and collect and send back to us these files:

C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log

C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log

C:\ProgramData\MBAE_minidumps\

 

Please upload to this site referencing the case#00000000
https://www.malwarebytes.com/support/business/businessfileupload/

 

Link to post
Share on other sites
  • Staff

That is actually going to be as narrow of an exclusion as we can provide MD5 exclude wont work because its not being detected as an MD5. Its a fileless block on suspicious behavior. It would be allowing that on your environment, but please consider that the legitimate program you are using is acting in the same exact way a malicious one could that could exploit your network. If you want to continue using that in your environment our best practice would be to disable the individual hook and leave the rest of the protection enabled.

Security is a balance and its up to you if the risk is worth it and whether to disable that hook, or stop using a program that acts in the same way a malicious program could.

 

 

Edited by KDawg
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.