DeanAnderson

VLC Media Player update triggering Anti-Exploit

For the last couple of months or so, we have been getting these alerts every week or two regarding a few computers when they attempt to update VLC Media Player.  I removed irrelevant information about our computers.  Is this a true exploit or a false positive?  How can we address it?

Malwarebytes Management Server Notification
--------------------------------------------
Alert Time: 2/24/2020 3:23:55 PM
Server Hostname: *****
Server Domain/Workgroup: *****
Server IP: *****
Notification Catalog: Client
Description:
Exploit threat detected, see details below:

2/24/2020 3:22:25 PM    *****               *****     Exploit payload process blocked                BLOCK                C:\Users\*****\AppData\Local\Temp\1\vlc-3.0.8-win32.exe               *****            VLC Player           C:\Program Files (x86)\VideoLAN\VLC\vlc.exe           Attacked application: C:\Program Files (x86)\VideoLAN\VLC\vlc.exe; Parent process name: explorer.exe; Layer: Application Behavior Protection; API ID: 205; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:

2/24/2020 3:22:25 PM    *****             *****    Exploit payload file blocked         BLOCK                C:\Users\*****\AppData\Local\Temp\1\vlc-3.0.8-win32.exe             *****            VLC Player           C:\Program Files (x86)\VideoLAN\VLC\vlc.exe           Attacked application: C:\Program Files (x86)\VideoLAN\VLC\vlc.exe; Parent process name: explorer.exe; Layer: Application Behavior Protection; API ID: 205; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:

Total count: 2.
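
For triaging recurring notifications like the one above, the rows can be parsed and grouped so that the "process blocked" and "file blocked" rows from one installer launch count as a single event. This is an added example, not part of the original post or of any Malwarebytes tooling; the field names (`time`, `event`, `action`, `payload`), the column positions and the two-or-more-space column separator are assumptions read off the sample rows, which are constructed from the alert above.

```python
import re
from collections import defaultdict

# Constructed sample: the two rows of the alert above, with column spacing normalised.
SAMPLE = r"""
2/24/2020 3:22:25 PM    *****    *****    Exploit payload process blocked    BLOCK    C:\Users\*****\AppData\Local\Temp\1\vlc-3.0.8-win32.exe    *****    VLC Player    C:\Program Files (x86)\VideoLAN\VLC\vlc.exe    Attacked application: C:\Program Files (x86)\VideoLAN\VLC\vlc.exe; Parent process name: explorer.exe; Layer: Application Behavior Protection; API ID: 205; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:
2/24/2020 3:22:25 PM    *****    *****    Exploit payload file blocked    BLOCK    C:\Users\*****\AppData\Local\Temp\1\vlc-3.0.8-win32.exe    *****    VLC Player    C:\Program Files (x86)\VideoLAN\VLC\vlc.exe    Attacked application: C:\Program Files (x86)\VideoLAN\VLC\vlc.exe; Parent process name: explorer.exe; Layer: Application Behavior Protection; API ID: 205; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:
Total count: 2.
"""

# A row starts with a US-style timestamp followed by a column gap.
ROW_START = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M\s{2,}")

def parse_row(line):
    """Split one alert row into named fields; return None if the layout differs."""
    cols = re.split(r"\s{2,}", line.strip())
    if len(cols) < 10:
        return None
    details = {}
    for part in cols[-1].split(";"):
        key, _, value = part.partition(":")  # first colon only, so drive-letter paths survive
        if key.strip():
            details[key.strip()] = value.strip()
    # Column positions are an assumption read off the sample rows.
    return {"time": cols[0], "event": cols[3], "action": cols[4],
            "payload": cols[5], "details": details}

def group_events(text):
    """Group rows that share time, payload, layer and API ID into one event."""
    groups = defaultdict(list)
    for line in text.splitlines():
        row = parse_row(line) if ROW_START.match(line) else None
        if row:
            d = row["details"]
            key = (row["time"], row["payload"], d.get("Layer"), d.get("API ID"))
            groups[key].append(row["event"])
    return dict(groups)

if __name__ == "__main__":
    for key, events in group_events(SAMPLE).items():
        print(key, "->", events)
```

Run over several weeks of saved notifications, the grouped keys show whether every alert involves the same installer file, layer and API ID.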


Hi @DeanAnderson,

This does appear to be a false-positive, but we'll need additional information to confirm.

What Malwarebytes product and version do you have installed?
What version of Windows was this encountered on?

Please zip up and provide the contents of the C:\ProgramData\Malwarebytes Anti-Exploit folder.


We will obviously be replacing these Windows Server 2008 R2 computers in the near future with computers with a newer OS.  These are non-persistent VMs, by the way.


Hello @DeanAnderson

 

Currently, the latest version of Anti-Exploit is 1.13.2.146.  I'd like to make sure you have this version installed and see if you are able to still replicate this issue.


Warm Regards,

Edited by CHMOD_777


Hi DeanAnderson,

I checked your logs. The MD5 to exclude this version of VLC player from being blocked was added on our side in Aug 2019 and has been working since then for all our customers.

As Jason suggests, it will be good if you can update to our latest Anti-Exploit. Please check the auto-update checkbox in your client settings to get the latest product updates.

Thank you.


Arthi and Jason,

I started to do that on one of our VMs, but the box is greyed out.  I believe I will have to check that box on our "parent VM" and recompose our VM pools.  I will reply here with an update tomorrow afternoon. Thank you.

