ottchris

Copernic Desktop Search and Malware.Exploit.Agent.Generic


To 'cut to the chase', in topic "[ RESOLVED ] How do I get rid of this Malware.Exploit.Agent.Generic, , Blocked, [0], [39", https://forums.malwarebytes.com/topic/253258-resolved-how-do-i-get-rid-of-this-malwareexploitagentgeneric-blocked-0-39/, the workaround is as follows:

Quote

We've identified the cause - Copernic Desktop Search. We'll be releasing an update to address this issue permanently in the future.

In the meantime, to mitigate this issue you can either temporarily uninstall Copernic Desktop Search or make the following changes below to your Exploit Settings.

  • Open Malwarebytes.
  • Click Settings -> Protection -> Advanced Settings.
  • Click Advanced Memory Protection.
  • Under the Chrome Browsers column, uncheck both rows with "CALL ROP" in.
  • Click Apply.

My question is, has the permanent solution been implemented yet? I'm on Malwarebytes Premium v 4.0.4.49, update package 1.0.17804, component package 1.0.785.

Background.

I ran into this issue for the first time on the 22nd November 2019:

Quote

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/22/19
Protection Event Time: 12:20 PM
Log File: 63d5d5e4-0d22-11ea-9803-00ff21366bd3.json

-Software Information-
Version: 4.0.4.49
Components Version: 1.0.750
Update Package Version: 1.0.15266
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, 0, 392684, 0.0.0

-Exploit Data-
Affected Application: Google Chrome (and plug-ins)
Protection Layer: Protection Against OS Security Bypass
Protection Technique: Exploit ROP gadget attack blocked
File Name:
URL:


(end)

Unfortunately, although I did check Malwarebytes Forums at the time I did not spot the aforementioned topic. :-( I spent several days removing extensions etc. and ended up removing Chrome, including all registry entries, entirely and reinstalling from a freshly downloaded installation file, but even then, within a minute or so of running Chrome, the 'exploit' was triggered again.

I ditched Chrome completely at that point and instead used Firefox as primary browser with Opera as an alternate.

Move forward to today and the dreaded Malware.Exploit.Agent.Generic reappeared, this time associated with Firefox:

Quote

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 1/16/20
Protection Event Time: 12:40 PM
Log File: 64abc684-385d-11ea-90a1-00ff21366bd3.json

-Software Information-
Version: 4.0.4.49
Components Version: 1.0.785
Update Package Version: 1.0.17796
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, 0, 392684, 0.0.0

-Exploit Data-
Affected Application: Mozilla Firefox (and add-ons)
Protection Layer: Protection Against OS Security Bypass
Protection Technique: Exploit ROP gadget attack blocked
File Name:
URL:


(end)

This time, however, the trigger event was identifiable. Until last night I had been running Firefox beta versions without any problems, but the latest beta disabled most of my add-ins without any option to re-enable. Consequently I decided to reinstall the latest production version. For one add-in that involved installing it from file, i.e. initially 'saving link as'. It turned out that creating a new folder from within the Firefox 'save link as' process was triggering the 'exploit' detection. I created a new folder outside of Firefox and the link was saved and the add-in installed without any problem.

Now, although I have had Copernic Desktop Search installed for many years I had not been using it for some time. I needed it again late last year and I now note in the firewall log, 'first network activity' was recorded on the 20th November at 5:31 pm, possibly caused by a new version update and probably a good indication of its first loading for many months. Then, the next day the first Malware.Exploit.Agent.Generic is triggered!

At the moment, I know what caused the Firefox event and am not using Chrome, so I have decided to hold back on changing the Advanced Memory Protection settings (both browser and Chrome columns). That being said, I would like to reinstall Chrome at some point, which is the reason for my opening question.

Regards,

Chris
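As an added example (not from the original post and not Malwarebytes' own code), the script below parses the two protection-event text exports quoted above and groups the detections by detection name and protection technique. Seeing the same "Exploit ROP gadget attack blocked" entry recur against two different browsers is the pattern that points at a shared third-party component hooked into both processes rather than at the browsers themselves, which is the kind of evidence worth collecting before loosening any exploit-protection setting. The sample records are copied from the exports above (the second one is trimmed to the sections the parser uses); the function and variable names are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the two exports quoted in the post above. The second is
# trimmed to the sections this script reads.
SAMPLE_EXPORTS = [
"""Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/22/19
Protection Event Time: 12:20 PM
Log File: 63d5d5e4-0d22-11ea-9803-00ff21366bd3.json

-Software Information-
Version: 4.0.4.49
Components Version: 1.0.750
Update Package Version: 1.0.15266
License: Premium

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, 0, 392684, 0.0.0

-Exploit Data-
Affected Application: Google Chrome (and plug-ins)
Protection Layer: Protection Against OS Security Bypass
Protection Technique: Exploit ROP gadget attack blocked
File Name:
URL:
""",
"""-Log Details-
Protection Event Date: 1/16/20
Protection Event Time: 12:40 PM
Log File: 64abc684-385d-11ea-90a1-00ff21366bd3.json

-Exploit Details-
Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, 0, 392684, 0.0.0

-Exploit Data-
Affected Application: Mozilla Firefox (and add-ons)
Protection Layer: Protection Against OS Security Bypass
Protection Technique: Exploit ROP gadget attack blocked
""",
]

SECTION_RE = re.compile(r"^-(.+)-$")  # section headers look like "-Log Details-"


def parse_export(text):
    """Return ({section: {key: value}}, [detection fields]) for one export.

    Lines before the first section header (product name, URL) are ignored.
    Under "Exploit Details" a comma-separated line is a detection record:
    name, <empty>, action, ... as in the exports above.
    """
    sections, detections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        if current is None:
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            sections[current][key.strip()] = value.strip()
        elif current == "Exploit Details" and "," in line:
            detections.append([field.strip() for field in line.split(",")])
    return sections, detections


def event_timestamp(sections):
    """Combine the date and time fields into a datetime."""
    details = sections["Log Details"]
    stamp = details["Protection Event Date"] + " " + details["Protection Event Time"]
    return datetime.strptime(stamp, "%m/%d/%y %I:%M %p")


def summarize(exports):
    """Group events as {(detection name, technique): [(time, app, action), ...]}."""
    groups = defaultdict(list)
    for text in exports:
        sections, detections = parse_export(text)
        data = sections["Exploit Data"]
        when = event_timestamp(sections)
        for det in detections:
            key = (det[0], data["Protection Technique"])
            groups[key].append((when, data["Affected Application"], det[2]))
    return dict(groups)


if __name__ == "__main__":
    for (name, technique), events in summarize(SAMPLE_EXPORTS).items():
        print(f"{name} / {technique}")
        for when, app, action in sorted(events):
            print(f"  {when:%Y-%m-%d %H:%M}  {action:8}  {app}")
```

Run as-is it prints one group with two events, one per browser; pointing `SAMPLE_EXPORTS` at your own saved exports lets you see at a glance whether a detection follows an application or follows the machine.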

6 hours ago, ottchris said:


For the record:

1. I raised the above topic in "Malwarebytes for Windows Support Forum" because the topic I was quoting was from that forum, not this one.

2. It would have been polite to have left a pointer in "Malwarebytes for Windows Support Forum" to let me know it had been moved!

Chris


Hi Chris,

Thank you for your patience.

The permanent fix (mentioned in the quotation included in your first post) is not yet available in Malwarebytes for Windows. We have been working on a fix and hope to make it available in an upcoming component update. In the meantime, we recommend sticking with one of the two known workarounds for the issue.

Quote

Temporarily uninstall Copernic Desktop Search or make the following changes below to your Exploit Settings.

  • Open Malwarebytes.
  • Click Settings -> Protection -> Advanced Settings.
  • Click Advanced Memory Protection.
  • Under the Chrome Browsers column (or non-Chromium for dealing with Firefox), uncheck both rows with "CALL ROP" in.
  • Click Apply.
34 minutes ago, LiquidTension said:

Hi Chris,

Thank you for your patience.

The permanent fix (mentioned in the quotation included in your first post) is not yet available in Malwarebytes for Windows. We have been working on a fix and hope to make it available in an upcoming component update. In the meantime, we recommend sticking with one of the two known workarounds for the issue.

Many thanks, LiquidTension. I don't think reducing "Advanced Memory Protection" (see quoted workarounds in your reply and my first post) is a sensible idea. I need Copernic at the moment, so I shall have to leave Chrome uninstalled until the permanent fix is implemented. So far, the only impact on Firefox appears minimal and avoidable, whereas just running a bare-bones, freshly downloaded and installed copy of Chrome triggered the exploit detection.

Chris


That's certainly understandable. I will provide an update in this forum topic once we release the update containing the fix.

1 hour ago, LiquidTension said:

That's certainly understandable. I will provide an update in this forum topic once we release the update containing the fix.

Much appreciated.
