Jump to content

Doesn't recognize execeptions


Faustling

Recommended Posts

I am playing a number of games Steam that require the Vortex app.  Today I got an "Exploit blocked" notice for this program, which I have been using for years. Checking the details, I saw the problem was with a boot program called temp-vortex-setup-1.4.15.exe.  I have added this program to the allowed exceptions list, but Malwarbytes continues to block Vortex.

Exploit blocked.jpg

Exploit details.jpg

Link to post
Share on other sites

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

  • For use when you are on the forums and need to provide logs for assistance
  • For use when you don't need or want to create a ticket with Malwarebytes
  • For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

Spoiler
  1. Download Malwarebytes Support Tool
  2. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  3. Place a checkmark next to Accept License Agreement and click Next
  4. Navigate to the Advanced tab
  5. The Advanced menu page contains four categories:
    • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
    • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
    •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
    • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
  6. To provide logs for review click the Gather Logs button
  7. Upon completion, click OK
  8. A file named mbst-grab-results.zip will be saved to your Desktop
  9. Please attach the file in your next reply.
  10. To uninstall all Malwarebytes Products, click the Clean button.
  11. Click the Yes button to proceed. 
  12. Save all your work and click OK when you are ready to reboot.
  13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
  14. Select Yes to install Malwarebytes.
  15. Malwarebytes for Windows will open once the installation completes successfully.

Screenshots:

Spoiler
 
 
 
 
Spoiler

 

 

01.png

02.png

03.png

04.png

05.png

06.png

 

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Link to post
Share on other sites

We need the log showing the block.

To get the log from Malwarebytes do the following:
 

Single click on the target sight above scanner window.

In the new window select Report

Double click on the Scan log which shows the Date and time of the scan just performed.

Click Export > From export you have two options:
Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
Export toTxt - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
 

Please use " Copy to Clipboard " then paste the contents here in your next reply

Please double-click on one of the block entries shown in the image you posted to view the report, then click the Export link on the bottom left of the report and select Copy to clipboard, then paste the contents here in your next reply so that we may take a look and advise you based on what it shows.

Thanks

Link to post
Share on other sites

Malwarebytes
www.malwarebytes.com

-Protokolldetails-
Scan-Datum: 29.07.21
Scan-Zeit: 16:15
Protokolldatei: e6924456-f0c2-11eb-9e17-b06ebf84830d.json

-Softwaredaten-
Version: 4.4.3.125
Komponentenversion: 1.0.1387
Version des Aktualisierungspakets: 1.0.43704
Lizenz: Premium

-Systemdaten-
Betriebssystem: Windows 10 (Build 19043.1110)
CPU: x64
Dateisystem: NTFS
Benutzer: System

-Scan-Übersicht-
Scan-Typ: Bedrohungs-Scan
Scan gestartet von: Zeitplaner
Ergebnis: Abgeschlossen
Gescannte Objekte: 590099
Erkannte Bedrohungen: 0
In die Quarantäne verschobene Bedrohungen: 0
Abgelaufene Zeit: 25 Min., 45 Sek.

-Scan-Optionen-
Speicher: Aktiviert
Start: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Deaktiviert
Heuristik: Aktiviert
PUP: Erkennung
PUM: Erkennung

-Scan-Details-
Prozess: 0
(keine bösartigen Elemente erkannt)

Modul: 0
(keine bösartigen Elemente erkannt)

Registrierungsschlüssel: 0
(keine bösartigen Elemente erkannt)

Registrierungswert: 0
(keine bösartigen Elemente erkannt)

Registrierungsdaten: 0
(keine bösartigen Elemente erkannt)

Daten-Stream: 0
(keine bösartigen Elemente erkannt)

Ordner: 0
(keine bösartigen Elemente erkannt)

Datei: 0
(keine bösartigen Elemente erkannt)

Physischer Sektor: 0
(keine bösartigen Elemente erkannt)

WMI: 0
(keine bösartigen Elemente erkannt)


(end)

Link to post
Share on other sites

11 hours ago, Porthos said:

Look for the log the reflect the block in your original post.

I did that. The directions you gave me were for a report of the latest scan, which reveals nothing unusual.

The zipped bug report contains the information you need.

If you want a scan report from yesterday, when the incident occurred, here it is, but since the problem was not with a scan, I don't see how it's relevant:

Malwarebytes
www.malwarebytes.com

-Protokolldetails-
Scan-Datum: 29.07.21
Scan-Zeit: 16:15
Protokolldatei: e6924456-f0c2-11eb-9e17-b06ebf84830d.json

-Softwaredaten-
Version: 4.4.3.125
Komponentenversion: 1.0.1387
Version des Aktualisierungspakets: 1.0.43704
Lizenz: Premium

-Systemdaten-
Betriebssystem: Windows 10 (Build 19043.1110)
CPU: x64
Dateisystem: NTFS
Benutzer: System

-Scan-Übersicht-
Scan-Typ: Bedrohungs-Scan
Scan gestartet von: Zeitplaner
Ergebnis: Abgeschlossen
Gescannte Objekte: 590099
Erkannte Bedrohungen: 0
In die Quarantäne verschobene Bedrohungen: 0
Abgelaufene Zeit: 25 Min., 45 Sek.

-Scan-Optionen-
Speicher: Aktiviert
Start: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Deaktiviert
Heuristik: Aktiviert
PUP: Erkennung
PUM: Erkennung

-Scan-Details-
Prozess: 0
(keine bösartigen Elemente erkannt)

Modul: 0
(keine bösartigen Elemente erkannt)

Registrierungsschlüssel: 0
(keine bösartigen Elemente erkannt)

Registrierungswert: 0
(keine bösartigen Elemente erkannt)

Registrierungsdaten: 0
(keine bösartigen Elemente erkannt)

Daten-Stream: 0
(keine bösartigen Elemente erkannt)

Ordner: 0
(keine bösartigen Elemente erkannt)

Datei: 0
(keine bösartigen Elemente erkannt)

Physischer Sektor: 0
(keine bösartigen Elemente erkannt)

WMI: 0
(keine bösartigen Elemente erkannt)


(end)

Link to post
Share on other sites

1 hour ago, Porthos said:

The logs are readable, just not the one needed. we do not want a scan log. We need the log showing the exploit being blocked.

I did exactly what you told me to. I clicked on the sight and was shown a list of scan reports. That's all there is. If you want to see the exploit report, you will have to open mbst-grab-results.zip, which I have already posted above. 

scan reports.jpg

Link to post
Share on other sites

Malwarebytes
www.malwarebytes.com

-Protokolldetails-
Datum des Schutzereignisses: 29.07.21
Uhrzeit des Schutzereignisses: 20:26
Protokolldatei: f59f2d06-f0e5-11eb-a355-b06ebf84830d.json

-Softwaredaten-
Version: 4.4.4.126
Komponentenversion: 1.0.1404
Version des Aktualisierungspakets: 1.0.43706
Lizenz: Premium

-Systemdaten-
Betriebssystem: Windows 10 (Build 19043.1110)
CPU: x64
Dateisystem: NTFS
Benutzer: System

-Einzelheiten zu Exploits-
Datei: 0
(keine bösartigen Elemente erkannt)

Exploit: 1
Malware.Exploit.Agent.Generic, C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NonInteractive -InputFormat None -Command Get-AuthenticodeSignature 'C:\Users\Forrest\AppData\Local\Vortex\pending\temp-vortex-setup-1.4.15.exe' | ConvertTo-Json -Compress | ForEach-Object { [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($_)) }, Blockiert, 0, 392684, 0.0.0, ,

-Exploit-Daten-
Betroffene Anwendung: Vortex
Schutzebene: Application Behavior Protection
Schutzverfahren: Exploit payload process blocked
Dateiname: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -NonInteractive -InputFormat None -Command Get-AuthenticodeSignature 'C:\Users\Forrest\AppData\Local\Vortex\pending\temp-vortex-setup-1.4.15.exe' | ConvertTo-Json -Compress | ForEach-Object { [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($_)) }
URL:

 

(end)

Link to post
Share on other sites

I had a look inside

SE stack dump checker.bat

and all it says is

@echo off
findstr /m /C:"Dumping stack" "C:\Users\%USERNAME%\Documents\My Games\Skyrim Special Edition\Logs\Script\papyrus.*.log"
if %errorlevel%==0 (>NUL powershell "(new-object -COM WScript.Shell).popup('You Had a STACK DUMP, the line in the cmd window tells you which log.')") else (>NUL powershell "(new-object -COM WScript.Shell).popup('all ok!')")

I don't know how this got identified as an exploit, but it isn't connected to Vortex. The Vortex exploit error occurs whether

SE stack dump checker.bat

is there or not.

 

 

 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.