False positive wscript.exe

[torrey]

We have had several machines producing alerts for wscript.exe on documents that do not contain an exploit. I can get you log files if needed. 

Here is the content of the alert email:

Exploit code executing from Heap memory blocked          BLOCK                   SYSTEM Wscript.exe                C:\WINDOWS\System32\Wscript.exe     Attacked application: C:\WINDOWS\System32\Wscript.exe; Parent process name: svchost.exe; Layer: Malicious Memory Protection; API ID: 301; Address: 0x7FC8038F; Module: ; AddressType: 0x00020000; StackTop: 0x7BD90000; StackBottom: 0x7BD88000; StackPointer: 0x7BD8DFA8; Extra:

Thanks!

[Arthi]

Hi torrey,

I have sent you a PM. Thanks.

[Rob_B]

We have been experiencing this same issue for months.  Its awful with 98.6% of malwarebytes alerts being a false positive. 

[torrey]

Rob_B if you engage MWB support they have a newer version of anti-exploit that stops the false positives - at least in our case.

[Rob_B]

Is it being released as a maintenance release?  

[torrey]

All they said was that it would be pushed out in a future release.

[Rob_B]

Well.. I guess we can go out of the primary maintenance stream but I really like to stay in line with their production releases. 

[torrey]

Me too. I had one group that is managed by a VB script evangelist and almost everything they do relies on scripting....sigh. They are the only group I deployed the fix to because they could not even print unless I turned MBAE off.

 

 

[Arthi]

Hi All,

yes, We do have a newer version of Anti-Exploit that fixes this issue. It will be released in Malwarebytes end of this month. Until then, you can disable Exploit Protection in Malwarebytes and install the below tool in parallel. Starting February, you can uninstall this tool and enable Exploit protection back in Malwarebytes when this fix will be rolled over.

https://malwarebytes.box.com/s/3c0phipczdzijp9lfn1rjf7v31jlw1fz

Let me know if you have any questions. Thanks.