False Positive - Shell.exe


Thanks... while I have you, I continually get another file quarantined all the time, EVEN though I have exclusions in place. I had a ticket for this last year when I first reported it.

This is the exe in quarantine:

Location: C:\Program Files (x86)\Zuercher Suite\production\launcher\launch_leds.exe

This is the exclusion:

Wildcards C:\Program Files (x86)\Zuercher Suite\*

Any thoughts?

1 hour ago, shadowwar said:

Confirmed the file is whitelisted. Let me know if it's still detected, but you should be fine now. Worst case, shut down and restart MBAM.

OK... I'll remove the manual exclusions again. Can you tell me what the deal is with this one?
C:\Program Files (x86)\Zuercher Suite\production\launcher\launch_leds.exe

I've whitelisted that months and months ago manually and it still gets popped... even after I was told they added it to the whitelist.

  • Staff

Tony,

Is this machine in question staying connected to the internet?

We have set the files to do not detect, but it may still be flagged offline.

In those cases, we would rely on the local exclusions you had in place.

Let us know if the local exclusions do not hold, or you have any questions on these detections.

Many Thanks,

Kevin 

7 minutes ago, KDawg said:

Tony,

Is this machine in question staying connected to the internet?

We have set the files to do not detect, but it may still be flagged offline.

In those cases, we would rely on the local exclusions you had in place.

Let us know if the local exclusions do not hold, or you have any questions on these detections.

Many Thanks,

Kevin 

Yes, every machine has internet access and has no issues staying connected to the internet when it is powered up (or my end users would be kicking up a storm).

Obviously the local ones are NOT holding, or I wouldn't be getting the excluded files put in quarantine.

15 hours ago, KDawg said:

My apologies I thought you had said you manually removed your local exclusion.

Even momentarily being without internet, or the exclusions, could cause this to hit.

After being told that the files were whitelisted I DID remove the manual exclusions; immediately it got flagged and quarantined. I was remoted into the offending computer via TeamViewer, so it had internet. I then re-added the manual exclusions and restored from quarantine.

  • Staff

I didn't see anyone suggest this yet so I thought I'd add it just in case it helps:

  1. Totally exit/shut down Malwarebytes.
  2. Go here in Explorer: C:\ProgramData\Malwarebytes\MBAMService
  3. Delete the following file only: hubblecache (it doesn't have a file extension).
  4. Then you can restart Malwarebytes and the cache file will rebuild on the next scan (make sure you're connected to the internet).

That should correct the issue going forward assuming the whitelist is cached locally, which as I understand it, it should be, so this procedure should eliminate this detection once and for all, without the necessity of any exclusions.

3 minutes ago, exile360 said:

I didn't see anyone suggest this yet so I thought I'd add it just in case it helps:

  1. Totally exit/shut down Malwarebytes.
  2. Go here in Explorer: C:\ProgramData\Malwarebytes\MBAMService
  3. Delete the following file only: hubblecache (it doesn't have a file extension).
  4. Then you can restart Malwarebytes and the cache file will rebuild on the next scan (make sure you're connected to the internet).

That should correct the issue going forward assuming the whitelist is cached locally, which as I understand it, it should be, so this procedure should eliminate this detection once and for all, without the necessity of any exclusions.

All my users, locally and remotely, are non-admin users. Over half my endpoints are in remote locations.
Doing a quick test on a machine I do have access to as a non-admin, I opened Task Manager and killed the endpoint agent tray process and then tried deleting; it requires elevation to delete the "hubblecache" file.
Also, there is no way that I know of to "turn off" Malwarebytes temporarily from the cloud, or even have the end user shut down Malwarebytes from his end?
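An added example, my own and not code from this thread or from Malwarebytes, covering two points raised above: whether the quarantined path from the first post actually falls under the configured wildcard exclusion (so a detection can be blamed on the product rather than on a typo in the rule), and the elevation needed before anyone can touch the hubblecache file. The two paths and the wildcard are the ones posted; the function names, the exclusion list and the report layout are assumptions of this example.

```powershell
# Added example, not code from the thread or from Malwarebytes. It checks a
# quarantined path against the configured wildcard exclusions, collects the
# evidence a false-positive ticket needs (SHA-256 and Authenticode signer), and
# reports whether the current session is elevated enough to touch hubblecache.
# Only the paths and the wildcard come from the thread; everything else is assumed.

function Test-ExclusionMatch {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Exclusions
    )
    # -like is case-insensitive and treats * and ? as wildcards, close enough to
    # a path exclusion to tell a mistyped rule from a product-side miss.
    foreach ($pattern in $Exclusions) {
        if ($Path -like $pattern) { return $pattern }
    }
    return $null
}

function Get-QuarantineEvidence {
    param([Parameter(Mandatory)] [string] $Path)
    # A file that is still in quarantine is missing from disk; report that state
    # (which is what the thread describes) instead of throwing.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; OnDisk = $false }
    }
    $hash   = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path      = $Path
        OnDisk    = $true
        SHA256    = $hash.Hash
        SigStatus = $sig.Status       # Valid, NotSigned, HashMismatch, ...
        Signer    = $signer
        LastWrite = (Get-Item -LiteralPath $Path).LastWriteTimeUtc
    }
}

function Test-IsElevated {
    # Deleting under C:\ProgramData\Malwarebytes needs an elevated token, which
    # the non-admin users described in the thread do not have.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Values taken from the thread.
$quarantined = 'C:\Program Files (x86)\Zuercher Suite\production\launcher\launch_leds.exe'
$exclusions  = @('C:\Program Files (x86)\Zuercher Suite\*')
$hubbleCache = 'C:\ProgramData\Malwarebytes\MBAMService\hubblecache'

$match = Test-ExclusionMatch -Path $quarantined -Exclusions $exclusions
if ($match) {
    Write-Output "Covered by exclusion '$match'; a detection here is a product-side problem, not a typo in the rule."
} else {
    Write-Output "No configured exclusion covers this path; correct the wildcard before retesting."
}

Get-QuarantineEvidence -Path $quarantined | Format-List

# Report-only: the deletion itself is the manual step from the post above.
$cache = Get-Item -LiteralPath $hubbleCache -ErrorAction SilentlyContinue
Write-Output ("hubblecache present: {0}; last written (UTC): {1}; session elevated: {2}" -f
    [bool]$cache, $cache.LastWriteTimeUtc, (Test-IsElevated))
```

Run it in a PowerShell session on the affected machine (elevated, if the hubblecache part is to mean anything). The SHA-256 and signer subject are what support can whitelist on, which survives version updates and path differences better than a path-based exclusion; if the file is no longer on disk, restore it from quarantine first and run the evidence step again.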

  • Staff

Yeah, since I've only used the consumer build I don't know how you'd accomplish this in a managed environment, though I suppose if there is a way to temporarily turn it off remotely, deleting the file could be accomplished via a remote script with sufficient privileges using something like psexec from Sysinternals, but with self-protection enabled you probably won't be able to terminate Malwarebytes manually unless you do something like booting into Safe Mode/Safe Mode with Networking to where Malwarebytes shouldn't run on boot.

On 10/21/2018 at 6:59 AM, shadowwar said:

OK, I whitelisted these files in a different way. Your logs show it's being whitelisted, so not sure what's going on. Hopefully this will solve it. It will be out in the next database update, so 3-4 hours from now.

Again tonight I get a call from my end users: the leds.exe picked up and the software disabled!! And that's with my manual exclusions still in place AND the so-called cloud ones that support said were in place!!

[Attachment: Capture.PNG]
