
How can I create exclusion for one file?


Efrain

3 hours ago, Efrain said:

I keep getting the attached detection

I would submit that file in the False Positive section to see if it can be whitelisted so you do not have to exclude it. https://forums.malwarebytes.com/forum/42-file-detections/

Add or edit exclusions in Malwarebytes Nebula platform

Edited by Porthos

  • Root Admin

No program that you use on purpose should be running from a %temp% folder

C:\Users\dalonso\AppData\Local\Temp

I would recommend that you clean out your temp folder. Delete everything in that folder.

If you need further assistance please let me know and I can write up a clean up script for your computer @Efrain

 


21 hours ago, Porthos said:

I would submit that file in the False Positive section to see if it can be whitelisted so you do not have to exclude it. https://forums.malwarebytes.com/forum/42-file-detections/

I have not seen a post in the False Positive section from you yet. Please zip and attach the following in that section: C:\Users\dalonso\AppData\Local\Temp\FlashbackPlayer.exe


52 minutes ago, AdvancedSetup said:

You can do the following from the command line @Efrain

 

CertUtil -hashfile <path to file> MD5

Example:
certutil -hashfile notepad.exe MD5

 

Would that work even if the user name is always different?  For example:  

C:\Users\AJOHNSON\AppData\Local\Temp\FlashbackPlayer.exe

C:\Users\DSMITH\AppData\Local\Temp\FlashbackPlayer.exe

Notice the folder after C:\Users is different.

Thanks!


I am thinking that you might need to have that player on each officer's computer, and I am guessing the video is on a server somewhere they have access to.

And have them open the player on the computer and use the file open command and browse to the video on the server.


Edited by Porthos

1 minute ago, Porthos said:

I am thinking that you might need to have that player on each officer's computer, and I am guessing the video is on a server somewhere they have access to.

And have them open the player on the computer and use the file open command and browse to the video on the server.


@Porthos The officers log into a website, browse for the video then click on a thumbnail to see the video.  They never see this app.  Somewhere in the process a Java script runs and the player is installed for them (if not already installed) then the video starts to play within the browser (Edge or Chrome).  The problem is that Malwarebytes thinks this is a malicious app and stops it from working so the video never plays.  It's a horrible, stupid system that we are stuck with for now.  


  • Root Admin

The issue "appears" to be due to it running from the Temp folder.

Can the organization copy the program to a location that is already in the path? Not my favorite location, but if push comes to shove, even the C:\Windows folder?

I could be wrong, but if run from there I would think it would not be triggered.

 


1 minute ago, AdvancedSetup said:

The issue "appears" to be due to it running from the Temp folder.

Can the organization copy the program to a location that is already in the path? Not my favorite location, but if push comes to shove, even the C:\Windows folder?

I could be wrong, but if run from there I would think it would not be triggered.

 

I've thought of contacting the organization but my experience with them hasn't been great.  I thought having an exclusion would be the easier route.

Thanks!

4 minutes ago, Porthos said:

I suppose they are not allowed to download the video from the site so they can run it locally?

No, they can NOT.


  • Staff

A hash identifies the file uniquely, independent of user.

Downloading EXE via browser and running from temp is what many attackers do!

Reporting a False Positive and supplying some background will get you added to the 'white list'.

Please submit a Support Case, stating you are a Developer and ask about process going forward.

Digitally signing your program allows more 'trust' in your program and traceability in a world where attacks are increasing.

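Added example, not part of the original thread: a PowerShell function that hashes the same relative path under every user profile and groups the copies by hash, showing why one hash-based exclusion covers C:\Users\AJOHNSON and C:\Users\DSMITH alike. The function name Get-PerUserFileHash and the demo directory are assumptions made for illustration; the sample files are constructed, not the real player.

```powershell
# Added example, not from the thread. Get-PerUserFileHash is a hypothetical helper.
function Get-PerUserFileHash {
    param(
        [string]$UsersRoot    = 'C:\Users',
        [string]$RelativePath = 'AppData\Local\Temp\FlashbackPlayer.exe',
        [string]$Algorithm    = 'MD5'   # same algorithm as the certutil command in the thread
    )
    # Walk each profile folder, keep only those that contain the file, hash each copy.
    Get-ChildItem -LiteralPath $UsersRoot -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName $RelativePath } |
        Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
        ForEach-Object {
            [pscustomobject]@{
                Path = $_
                Hash = (Get-FileHash -LiteralPath $_ -Algorithm $Algorithm).Hash
            }
        }
}

# Constructed sample input: two fake profiles holding byte-identical copies.
$root = Join-Path ([IO.Path]::GetTempPath()) ('hashdemo-' + [guid]::NewGuid())
foreach ($user in 'AJOHNSON', 'DSMITH') {
    $dir = Join-Path $root "$user\AppData\Local\Temp"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    [IO.File]::WriteAllBytes((Join-Path $dir 'FlashbackPlayer.exe'), [byte[]](1..64))
}

# Identical content gives one group, whatever the user name in the path.
$groups = @(Get-PerUserFileHash -UsersRoot $root | Group-Object -Property Hash)
foreach ($g in $groups) {
    '{0}  {1} copies' -f $g.Name, $g.Count
    $g.Group.Path | ForEach-Object { "    $_" }
}
if ($groups.Count -gt 1) {
    Write-Warning 'Copies differ: each distinct hash needs its own exclusion.'
}

Remove-Item -LiteralPath $root -Recurse -Force   # clean up the demo tree
```

Calling Get-PerUserFileHash with no arguments from an elevated session checks the real profiles under C:\Users. A hash exclusion matches one exact build, so an updated player binary produces a new hash and needs a new exclusion.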

9 minutes ago, AndrewPP said:

A hash identifies the file uniquely, independent of user.

Downloading EXE via browser and running from temp is what many attackers do!

Reporting a False Positive and supplying some background will get you added to the 'white list'.

Please submit a Support Case, stating you are a Developer and ask about process going forward.

Digitally signing your program allows more 'trust' in your program and traceability in a world where attacks are increasing.

I'm going to try the hash tomorrow.

I'm not a fan of the application but that's what we're stuck with for now.

I'm not a developer of this product.  We purchased it from a company called L3 (Safe Fleet Mobile Vision).

Thanks!


  • Staff

Looking at their website, they are candidates for whitelisting, or you can exclude-by-hash.
https://www.globenewswire.com/en/news-release/2019/02/05/1710983/30369/en/Safe-Fleet-solidifies-Law-Enforcement-position-with-L3-Mobile-Vision-Acquisition.html 
As previously mentioned, whilst you may find it intrusive, we have protected algorithmically due to the deployment technique they have used.
You could get this company to submit the False Positive and get into the loop of how they could, perhaps, better deliver the solution in a manner which does not look like an exploit to us and maybe other similar anti-malware companies.
