'pip install peewee' triggers APT Behavior Protection with portable Python


Alwyn

With Python on Windows, when attempting to install peewee, Malwarebytes blocks and deletes sqlite3.h during the build process. I think this might just get triggered on sqlite3.h?

Reproduce:

  1. Install Python with scoop on Windows (I don't know why, but it doesn't get triggered with a 'normally' installed Python setup. The setup.exe is the same, however)
  2. Create a virtualenv with python -m venv venv-test
  3. Activate the virtualenv with .\venv-test\Scripts\Activate.ps1
  4. Install peewee: pip install peewee
  5. Notice error and Malwarebytes pop up

I get the same results each time. It works if I disable Exploit protection.

Detection log export:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 01/06/2021
Protection Event Time: 23:46
Log File: ce33a6de-c322-11eb-bcec-38d547138eae.json

-Software Information-
Version: 4.4.0.117
Components Version: 1.0.1308
Update Package Version: 1.0.41227
Licence: Premium

-System Information-
OS: Windows 10 (Build 19042.985)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: D:\Programs\Scoop\apps\python\current\python.exe
Protection Layer: APT Behavior Protection
Protection Technique: T1003 - Credential Access
File Name:
URL:

(end)

mbst-grab-results.zip


Just now, pbust said:

Welcome to the forums Alwyn.

Can you please confirm that you don't have "pentesting mode" enabled under the anti-exploit settings?

Thanks!

Pentesting mode is disabled, should it be enabled? That seems like it would only further restrict things.


  • Staff

No, it should be disabled by default. The weird thing is that the block you are reporting should only occur if pentesting mode is enabled.

Can you please verify that pentesting is disabled, then reboot, replicate the problem again, and upload a fresh set of logs?

Thanks for all your help!


Thanks for the help so far, pbust.

  • there is no custom anti-exploit shield for python
  • I verified "Block penetration testing attacks" is off and rebooted
  • retried with a fresh venv
  • same results (below)

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 02/06/2021
Protection Event Time: 12:24
Log File: bd5cb34a-c38c-11eb-8bc1-38d547138eae.json

-Software Information-
Version: 4.4.0.117
Components Version: 1.0.1308
Update Package Version: 1.0.41247
Licence: Premium

-System Information-
OS: Windows 10 (Build 19042.985)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: D:\Programs\Scoop\apps\python\current\python.exe
Protection Layer: APT Behavior Protection
Protection Technique: T1003 - Credential Access
File Name:
URL:

(end)

Also find attached both a new mbst-grab-results.zip as well as a log of the reproduction steps on my end.

mbam-peewee.log mbst-grab-results.zip
