jgco2005

MD5 hash exclusion not working


We are trying to create exclusions so remote actions from Lansweeper can be run to remote control and also remote launch and see the computer's C drive. The file paths are below. I created MD5 exclusions as well as several other file and path exclusions, but it still blocks it. Any ideas?

\\lansweeper\lansweeper$\lsremote.exe

\\lansweeper\lansweeper$\shellexec.vbs


If the \\ is to a network drive, we would not expect it to hit, unless that is possibly a mapped drive?

If that is the case, can you please exclude using the drive letter mapped to that location on the endpoints?

Otherwise, please provide a capture of the detection as it appears in the console and we should be able to help exclude.


All that is, is the folder path and filename executing. \\Lansweeper is the domain server name; it is not a mapped drive. Here, take a look.

I try to click remote control, and the command from the program "lansweeper" is blocked as an exploit attempt.

Capture.JPG

Capture2.JPG


Please review, in Settings > Policy for the affected endpoints, the Shielded Application list under the Anti-Exploit options. We can temporarily disable the anti-exploit module to see if this is able to resolve temporarily.

To continue attempting a more narrow exclusion, we would need to collect some logs as follows:

Anti-Exploit Cloud agent debug logs:

https://malwarebytes.box.com/s/kzoo8u6jq7n82e0uji909y7pnuozx77z

Press the Windows + R keys, type "services.msc" and hit Enter.

Find the service named "Malwarebytes service" and use the right click menu to stop the service.

Extract the contents of the ZIP to a sub-folder in your Desktop.

Copy the files mbae.dll and mbae64.dll and paste them to the C:\Program Files\Malwarebytes\Anti-Malware\ folder.

Copy the files mbae.sys and mbae64.sys and paste them to the C:\Windows\System32\drivers\ folder.

After you replace the files, start the "Malwarebytes service" service again or reboot the computer.

Reproduce the problem and collect and send back to us these files:

C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log

C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log

C:\ProgramData\MBAE_minidumps\

Please upload to this site referencing the case#00000000
https://www.malwarebytes.com/support/business/businessfileupload/


I have submitted the logs. I did make a test policy disabling protection from IE vbs, and of course that worked; however, that is a security concern as well. I would prefer a proper exclusion.


That is actually going to be as narrow of an exclusion as we can provide. MD5 exclude won't work because it's not being detected as an MD5. It's a fileless block on suspicious behavior. It would be allowing that on your environment, but please consider that the legitimate program you are using is acting in the same exact way a malicious one could that could exploit your network. If you want to continue using that in your environment, our best practice would be to disable the individual hook and leave the rest of the protection enabled.

Security is a balance and it's up to you if the risk is worth it and whether to disable that hook, or stop using a program that acts in the same way a malicious program could.

Edited by KDawg


Thank you! Yeah, we were concerned about that. This new version has a lot more built-in prevention and protection than the old version we just migrated from, which was installed and managed on premise.
