okretzer

Excluding out false positive that hits every time Login script runs


Ever since the last update, last w weeks ago some time, every time someone logs in (windows show) running a VBS login script, Malwarebytes fires with the following alerts:

Exploit code executing from Heap memory blocked        BLOCK  C:\Windows\System32\WScript.exe       Attacked application: C:\Windows\System32\WScript.exe; Parent process name: taskeng.exe; Layer: Malicious Memory Protection

We tried the exclusion list with the hash - that does not work. When I try to exclude from the threats list it states - Selected thread does not contain a valid payload checksum, it cannot be added into the exclusion list.

I read it's probably due to it not happening at the layer 3, but this is obviously happening for every machine during every login, so we are getting hundreds of these every second. How can we exclude this wscript from firing every time the login script runs during a user logon?

 

thanks

 

 


Greetings,

I know how to exclude this in the consumer version so this might at least help to guide you in how to exclude it in the business product.

First, open Malwarebytes and navigate to Settings>Exclusions and click the Add Exclusion button.  Next, select Exclude a Previously Detected Exploit and click Next.  On the next screen, click the Select... button and you should be presented with a list of previously detected exploits; select the exploit from the list that shows the login script block and click OK.  For Application enter WScript.exe and then click Next or OK and it should be added to your exclusions and should no longer be detected.

If you've already tried this and it did not work then we'll have to wait for a member of the staff to assist or you may contact Malwarebytes Support directly to expedite things by using one of the methods found on this page and they will assist you as soon as they are able.


Yes, we tried that option; that's when it comes back and tells me:

Selected thread does not contain a valid payload checksum, it cannot be added into the exclusion list.

Definitely need support help on this.

 


OK, thanks for the info.  Did you create a support ticket already or would you like me to ping someone to respond here?
