Jump to content

Recommended Posts


We use Compumatic's Computime101 time clock and software. MBAM started false IDing it as an exploit sometime within a week before 8/23/21.

The Log details will be below.

I've tried whitelisting  :

regsvr32 in system32 folder

C:\CT101\ folder

 C:\Program Files\Microsoft Office\root\Office16\MSACCESS.EXE  folder

and syswow64 folder


It seems to say it quarantined something but there's nothing in quarantine.

-Log Details-
Protection Event Date: 9/16/21
Protection Event Time: 3:51 PM
Log File: 7efdccda-1727-11ec-a5e3-8cec4bc5a4a2.json

-Software Information-
Version: 4.4.6.132
Components Version: 1.0.1453
Update Package Version: 1.0.45000
License: Trial

-System Information-
OS: Windows 10 (Build 19043.1237)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 1
Malware.Exploit.Agent.Generic, C:\Users\fred2\Documents\regsvr32 \s C:\CT101\zkemkeeper.dll -u, Quarantined, 0, 392684, 0.0.0, , 

Exploit: 0
(No malicious items detected)


(end

Link to post
Share on other sites

  • Staff

It's not really a false positive per se. It's a new hard block for Office applications spawning dangerous programs such as LOLbins (living off the land binaries), which are heavily abused in today's threat landscape. Most abuse is done for Word and Excel, so disabling the MSAccess shield is not as risky if you have an Access app that does this on purpose.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.