Jump to content

FoxitReader.tmp getting blocked?


Recommended Posts

I am trying to deploy Foxit Reader via SCCM however it is getting blocked by Malwarebytes Endpoint Protection classing it Malware.Exploit.Agent.Generic.

2019-07-26 12:21:24,964+01:00 [29] INFO  MBAMPlugin Exploit blocked Foxit Reader Application Behavior Protection Exploit payload file blocked C:\WINDOWS\TEMP\is-5V53F.tmp\FoxitReader.tmp 
2019-07-26 12:21:25,143+01:00 [29] INFO  MBAMPlugin Exploit blocked Foxit Reader Application Behavior Protection Exploit payload process blocked C:\WINDOWS\TEMP\is-5V53F.tmp\FoxitReader.tmp \SL5=$10A3E,103543466,421376,C:\Windows\ccmcache\14\FoxitReader.exe \SP- \VERYSILENT \NORESTART 

I have tried adding the following exceptions but they have not worked, any ideas? I do not want to exclude the whole of the temp folder.

C:\*\FoxitReader.exe    File by Path      
C:\*\FoxitReader.tmp    File by Path    
*\FoxitReader.tmp    File by Path    
C:\Users\*\AppData\Local\Temp\*\FoxitReader.tmp    File by Path    
C:\WINDOWS\TEMP\*\FoxitReader.tmp    File by Path    
C:\Windows\ccmcache    Folder by Path

Link to post
Share on other sites

Greetings,

To exclude something detected by Exploit Protection you must exclude the detected exploit itself, not individual files or folders because the exclusions for files and folders do not impact Exploit Protection due to the nature of how Exploit Protection works.  You must select the option to exclude a previously detected exploit and then exclude it from the list where it should show up as Malware.Exploit.Agent.Generic.

I hope this helps, but please let us know if it does not.

Thanks

Link to post
Share on other sites

I'm more familiar with the consumer product honestly, I just know that the Exploit Protection component handles exclusions differently.  There should be an option when creating an exclusion to select something like 'Exclude a previously detected exploit' or something similar; that's the option you want.  It should be in the same area as the other exclusions you created, you just have to select the right option.  You can instead try excluding based on the file's MD5 hash, but I don't know if that will work either.

Link to post
Share on other sites

@exile360 Sorted it, there is no option in the Cloud Console to 'Exclude a previously detected exploit'. So this is what I did to get it too work

Restored File within Console, this popped the file back into the right folder

Ran the following PowerShell Script 

Get-FileHash FoxitReader.tmp -Algorithm MD5

Got the MD5 Hash then added it too the exclusion list, then restarted the endpoint.

Then bam it installed, cheers for your help @exile360

 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.