Jump to content

Regularly getting "Exploit"-Detection Windows Server 2019

Go to solution Solved by Intucom,

Recommended Posts

Hi @all,

we are using Endpoint Protection for our Windows Server 2019 machines. Since last week we are receiving several "Exploit"-Detections (see attached screenshot) on different machines on different networks in regular intervals (all affected machines have TerminalServer-Services enabled and more than 20 users are working on them).

Thankfully those "Exploits" are getting blocked, but obviously the cause cannot be removed or suppressed - which is quite unfortunate. The "Location"-Attribute of the detections is making me nervous (ComSpec=C:\Windows\system32\cmd.exe seems pretty dangerous) - any idea how to track down the cause or the corrupt program/file (if there is any)?

Any idea how to prevent those Exploit-Detections?

Thanks in advance


Link to post
Share on other sites

  • Staff

@bw2868 I found a Nebula/Endpoint Protection subscription under your e-mail. I'll open up a support ticket and reach out to you from there.

@Roadrunner562 Are you using our enterprise/business products? I only found a consumer product subscription under your e-mail address, so you may have a similar issue but the procedures for resolution would be different. As I only support our enterprise products, please reach out to our consumer support team, or post in the appropriate forum section. Here is the link to open a ticket or reach consumer support - https://support.malwarebytes.com/hc/en-us/requests/new (Select Home User)

If I'm incorrect and you do have a business subscription, could you please direct message me the e-mail address I would find it under? 

Link to post
Share on other sites

  • Solution

According to @knguyen1, who sent me a direct message. It IS a bug, which will be fixed in an upcoming version update.


In regards to the issue itself, it is a bug from a recent update and there is one option you can disable, but a more permanent fix should be released in a couple weeks.

For us, it is sufficient enough to know that those are just false positives, so we do not need to disable this warning. If you want to disable this you can reach out to @knguyen1

I will mark this topic as solved.

Link to post
Share on other sites

  • 2 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.