MD5 hash exclusion not working

[jgco2005]

We are trying to create exclusions so remote actions from Lansweeper can be run to remote control and also remote launch and see the computers C drive. the file plaths are below. I created MD% exclusions as well as several other file and path exclusions , but it still blocks it. any ideas?

\\lansweeper\lansweeper$\lsremote.exe

\\lansweeper\lansweeper$\shellexec.vbs

[KDawg]

if the \\ is a to a network drive we would not expect it to hit unless that is possibly a mapped drive?

If that is the case can you please Exclude using the drive letter mapped to that location on the endpoints?

Otherwise please provide a capture of the detection as it appears in the console and we should be able to help exclude

[jgco2005]

all that is , is the folder patch and filename executing. \\Lansweeper is the domain server name, it is not a mapped drive, here take a look.

I try to click remote control, and the command from the program "lansweeper" is blocked as an exploit attempt

[KDawg]

Please review in the Settings > Policy for the affected endpoints the Shielded Application list under the Anti-Exploit options we can temporarily disbale the anti-exploit module to see if this is able to resolve temporarily.

To continue attempting a more narrow exclusion we would need to collect some logs as follows 

Anti-Exploit Cloud agent debug logs :

 

https://malwarebytes.box.com/s/kzoo8u6jq7n82e0uji909y7pnuozx77z

 

Press the Windows + R keys, type "services.msc" and hit Enter.

 

Find the service named "Malwarebytes service" and use the right click menu to stop the service.

 

Extract the contents of the ZIP to a sub-folder in your Desktop.

Copy the files mbae.dll and mbae64.dll and paste them to the C:\Program Files\Malwarebytes\Anti-Malware\ folder.

Copy the files mbae.sys and mbae64.sys and paste them to the C:\Windows\System32\drivers\ folder.

 

After you replace the files, start the "Malwarebytes service" service again or reboot the computer.

 

Reproduce the problem and collect and send back to us these files:

C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log

C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log

C:\ProgramData\MBAE_minidumps\

 

Please upload to this site referencing the case#00000000
https://www.malwarebytes.com/support/business/businessfileupload/

 

[jgco2005]

I have submitted the logs. I did make a test policy disabling protection from IE vbs , and of course that worked, however that is a security concern as well. I would prefer a proper exclusion.

[KDawg]

That is actually going to be as narrow of an exclusion as we can provide MD5 exclude wont work because its not being detected as an MD5. Its a fileless block on suspicious behavior. It would be allowing that on your environment, but please consider that the legitimate program you are using is acting in the same exact way a malicious one could that could exploit your network. If you want to continue using that in your environment our best practice would be to disable the individual hook and leave the rest of the protection enabled.

Security is a balance and its up to you if the risk is worth it and whether to disable that hook, or stop using a program that acts in the same way a malicious program could.

 

 

Edited March 22, 2018 by KDawg

[jgco2005]

thank you! yea we were concerned about that. This new version has a lot more built in prevention and protection than the old version we just migrated from that was installed and managed on premise.