MagCCB

Looking for help with making an exception for an "exploit"


Hello all, I've done some searching through the forums and found a few similar threads but I'm still not finding a solution for this, short of disabling exploit protection altogether.


My company's Desktop Engineering team has deployed a PowerShell script to various computers to perform a task. Malwarebytes is blocking it, labeling it as an exploit:

Malware.Exploit.Agent.Generic

Affected Applications: Mshta


I set up an exclusion for the .ps1 file itself, but as I learned, you can't exclude files from exploit protection. I've attempted adding Mshta.exe to the list of protected applications in the policy of these workstations and disabling protection for it (which I didn't really want to do), but that didn't help. I'm hoping that I'm just completely overlooking something, rather than needing to disable exploit protection completely for this policy. Any help would be appreciated!


Adding a filename would accomplish nothing, because any file -- regardless of what it is -- could be given a name that matches an exclusion, and could then prove fatal to your computer. Download a program that will generate an MD5 hash, determine the hash value for your PowerShell file, then enter it as an exclusion. That should work.


I've done this in the command line and it didn't work, it's still getting blocked. I got a clean copy of the file from the guy that's pushing it out and verified the hash matched. I read somewhere else in these forums that I would need the md5 hash of the exploit rather than the file itself? This would seem rather difficult if it's just getting flagged as a generic exploit.

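The hashing step the two replies above refer to (generate the hash of the deployed .ps1, then confirm it matches the clean copy from the person pushing it out), written up as an added example. This is not code from the thread or from Malwarebytes; the file paths in the usage line are assumptions and should be replaced with your own.

```powershell
# Added example (not from the thread). Computes the MD5 of a deployed script, which is
# the value a hash-based exclusion asks for, and SHA256 alongside it for change-control
# records. Paths are assumptions.

function Get-ScriptHashes {
    param([Parameter(Mandatory)][string]$Path)

    [pscustomobject]@{
        Path   = (Resolve-Path -Path $Path).Path
        MD5    = (Get-FileHash -Path $Path -Algorithm MD5).Hash
        SHA256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

# Compares the copy actually sitting on a workstation with the clean copy obtained
# from the team that deployed it. A mismatch means the file on disk is not the one
# you intend to exclude, so do not enter its hash anywhere until that is resolved.
function Compare-ScriptToCleanCopy {
    param(
        [Parameter(Mandatory)][string]$DeployedPath,
        [Parameter(Mandatory)][string]$CleanCopyPath
    )

    $deployed = Get-ScriptHashes -Path $DeployedPath
    $clean    = Get-ScriptHashes -Path $CleanCopyPath

    [pscustomobject]@{
        Deployed    = $deployed.Path
        CleanCopy   = $clean.Path
        MD5Match    = ($deployed.MD5 -eq $clean.MD5)
        SHA256Match = ($deployed.SHA256 -eq $clean.SHA256)
        MD5         = $deployed.MD5      # value to paste into an MD5-based exclusion
        SHA256      = $deployed.SHA256
    }
}

# Usage with assumed paths (replace with the real locations):
Compare-ScriptToCleanCopy -DeployedPath 'C:\Scripts\task.ps1' `
                          -CleanCopyPath '\\fileserver\deploy\task.ps1' | Format-List
```

Get-FileHash returns the digest as an uppercase hex string, and PowerShell's -eq on strings is case-insensitive, so the comparison works whichever case the reference hash was recorded in. Note that this only establishes that the script on disk is the intended one; as the later reply in the thread points out, a generic exploit-protection block on Mshta is a behavioural rule rather than a file detection, and a file hash may not be what that rule keys on.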

You may end up needing to disable one of the system hardening or policy-based protections instead of creating an exclusion. If it is being blocked based on a generic rule/violation and not being detected as a specific exploit, then this is probably the case, at least based on my observations of similar issues in the past.

