'pip install peewee' triggers APT Behavior Protection with portable Python

[Alwyn]

With Python on Windows, when attempting to install peewee, Malwarebytes blocks and deletes sqlite3.h during the build process. I think this might just get triggered on sqlite3.h?

Reproduce:

1. Install Python with scoop on Windows (I don't know why but it doesn't get triggered with a 'normally' installed Python setup. The setup.exe is the same, however)
2. Create a virtualenv with python -m venv venv-test
3. Activate the virtualenv with .\venv-test\Scripts\Activate.ps1
4. Install peewee: pip install peewee
5. Notice error and Malwarebytes pop up

I get the same results each time. It works if I disable Exploit protection.

 

Detection log export:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 01/06/2021
Protection Event Time: 23:46
Log File: ce33a6de-c322-11eb-bcec-38d547138eae.json

-Software Information-
Version: 4.4.0.117
Components Version: 1.0.1308
Update Package Version: 1.0.41227
Licence: Premium

-System Information-
OS: Windows 10 (Build 19042.985)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: D:\Programs\Scoop\apps\python\current\python.exe
Protection Layer: APT Behavior Protection
Protection Technique: T1003 - Credential Access
File Name:
URL:

 

(end)

mbst-grab-results.zip

[pbust]

Welcome to the forums Alwyn.

Can you please confirm that you don't have "pentesting mode" enabled under the anti-exploit settings?

[Alwyn]

Just now, pbust said:

Welcome to the forums Alwyn.

Can you please confirm that you don't have "pentesting mode" enabled under the anti-exploit settings?

Thanks!

Pentesting mode is disabled, should it be enabled? That seems like it would only further restrict things.

[pbust]

No, it should be disabled by default. The weird thing is that the block you are reporting should only occur if pentesting mode is enabled.

Can you please verify that pentesting is disabled, then reboot, replicate the problem again, and upload a fresh set of logs?

Thanks for all your help!

[pbust]

Can you also check if you created a custom anti-exploit shield for python.exe?

[Alwyn]

Thanks for the help so far, pbust.

• there is no custom anti-exploit shield for python
• I verified "Block penetration testing attacks" is off and rebooted
• retried with a fresh venv
• same results (below)

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 02/06/2021
Protection Event Time: 12:24
Log File: bd5cb34a-c38c-11eb-8bc1-38d547138eae.json

-Software Information-
Version: 4.4.0.117
Components Version: 1.0.1308
Update Package Version: 1.0.41247
Licence: Premium

-System Information-
OS: Windows 10 (Build 19042.985)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: D:\Programs\Scoop\apps\python\current\python.exe
Protection Layer: APT Behavior Protection
Protection Technique: T1003 - Credential Access
File Name:
URL:

 

(end)

 

Also find attached both a new mbst-grab-results.zip as well as a log of the reproduction steps on my end.

mbam-peewee.log mbst-grab-results.zip

[pbust]

Thanks for reproducing it again without pentesting and providing fresh set of logs. Team is looking into it.

[Alwyn]

This is still occurring. Has there been any news?

Thanks.

[pbust]

The fix is being deployed to MB4. In the meantime, resetting the "pentesting mode" toggle should fix it.