How do you create an exclusion for an Exploit Detection False Positive?


drshock
Solved by Porthos

I have a professional automotive diagnostic program, used by those of us in the automotive technician field, that triggers Malwarebytes as an Exploit. The program is a paid software application from General Motors, so it's not something I'm concerned about at all security wise. If Exploit Detection is disabled it of course runs fine, but I'm looking for how to create an exclusion for this rather than completely disable exploit protection. Of course GM recommends not installing Malwarebytes in the first place, so that path is a non-starter. Can anyone suggest how to get past this without fully disabling exploit protection or uninstalling Malwarebytes completely?

The exported Malwarebytes exploit log contents are:

-Software Information-
Version: 4.4.10.144
Components Version: 1.0.1499
Update Package Version: 1.0.46890
License: Premium

-System Information-
OS: Windows 10 (Build 19042.1288)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, C:\WINDOWS\System32\WScript.exe C:\WINDOWS\System32\WScript.exe C:\Users\user\AppData\Local\Temp\getadmin.vbs, Blocked, 0, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\WINDOWS\System32\WScript.exe C:\WINDOWS\System32\WScript.exe C:\Users\user\AppData\Local\Temp\getadmin.vbs
URL:

I've looked in Advanced Settings under Security, but the VBScript entries in some tabs there appear browser specific and this program is a Java applet.  I tried them anyway, and no effect.  Restored to defaults.

  • Solution
6 minutes ago, drshock said:

I just checked and no, that setting switch is greyed out just like your screenshot shows.

I also see the app runs from a temp folder, which is a bad thing because a lot of malware run from there and are VBS files as well.

I think you are going to have to temporarily disable just the exploit protection when running the software. Turn it on again when done.

There are 2 ways of doing that.



Edited by Porthos

  • Root Admin

Hello @drshock

Agree with @Porthos, running anything like that from a %temp% folder is not a best practice and Anti Exploit is doing its job to protect you.

I would recommend using another method or placing the file into another fixed folder and then, if needed, see if adding the file to exclude works or adding an MD5 hash for exclusion.

In either case the temp folder is a bad idea period.

You can use the following method to obtain the MD5 hash of the file:

CertUtil -hashfile <path to file> MD5

Example:
certutil -hashfile notepad.exe MD5


Thanks guys, I don't have any control or influence over this commercial software or how it operates. I'm just a subscriber/licensee. That VBS file is getting created and removed with each run of the software, so no way to really mark it or move it. So it seems here heading into 2022 there are still commercial enterprise software vendors who think launching Visual Basic scripts from a temp folder is good programming practice. ;-)


  • Root Admin
7 hours ago, drshock said:

So it seems here heading into 2022 there are still commercial enterprise software vendors who think launching Visual Basic scripts from a temp folder is good programming practice.   ;-)

It is not and has never been a good practice even going back 20 years ago in the XP days.

Most real programmers rarely use a VB script file. There is nothing a VB script file can do that cannot be coded within a compiled program. For the sake of argument PowerShell has become the standard for Windows today but even PowerShell should not be running scripts from a temp folder.

I would email the vendor and ask them to update their program to a more secure program.

In any case, did adding the MD5 hash help?

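The Root Admin's MD5 suggestion and the poster's objection that the script only exists for a moment can be reconciled: capture the file while it exists, then hash the saved copy. The PowerShell below is an added example written for this thread, not code from Malwarebytes or from any participant. The path C:\Users\<user>\AppData\Local\Temp\getadmin.vbs is taken from the exploit log quoted above (expressed here via $env:TEMP); the capture folder name, the timeout and the function name Capture-TransientFile are assumptions chosen for the example.

```powershell
# Added example (not from the thread or from Malwarebytes): capture a script
# that exists only briefly, save a copy and record its MD5 for a hash exclusion.
# $Path comes from the exploit log quoted in the thread; $CopyTo is a constructed
# placeholder folder you should change to suit your machine.
param(
    [string]$Path       = (Join-Path $env:TEMP 'getadmin.vbs'),
    [string]$CopyTo     = (Join-Path $env:USERPROFILE 'captured-scripts'),
    [int]   $TimeoutSec = 300
)

function Capture-TransientFile {
    <#
      Polls until $Path appears, keeps the last complete snapshot of its bytes
      until the launcher deletes it, writes that snapshot under $CopyTo and
      returns the MD5 of the copy. Polling is used rather than FileSystemWatcher
      so the snapshot reflects the finished file, not the empty Created event.
    #>
    param([string]$Path, [string]$CopyTo, [int]$TimeoutSec)

    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    $snapshot = $null

    while ((Get-Date) -lt $deadline) {
        if (-not (Test-Path -LiteralPath $Path)) { Start-Sleep -Milliseconds 50; continue }

        # File is present: re-read until it disappears. A read may fail while the
        # writer still holds it open; ignore those and keep the last non-empty
        # read, which is the content wscript.exe actually executed.
        while (Test-Path -LiteralPath $Path) {
            try {
                $bytes = [System.IO.File]::ReadAllBytes($Path)
                if ($bytes.Length -gt 0) { $snapshot = $bytes }
            } catch { }
            Start-Sleep -Milliseconds 20
        }
        break
    }

    if ($null -eq $snapshot) { return $null }

    New-Item -ItemType Directory -Path $CopyTo -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $copy  = Join-Path $CopyTo ("{0}-{1}" -f $stamp, (Split-Path -Leaf $Path))
    [System.IO.File]::WriteAllBytes($copy, $snapshot)

    # Hash the saved copy with Get-FileHash and cross-check with certutil, the
    # command suggested in the thread, so both tools report the same value.
    $md5  = (Get-FileHash -LiteralPath $copy -Algorithm MD5).Hash
    $cert = ((& certutil.exe -hashfile $copy MD5) | Select-Object -Index 1) -replace '\s', ''
    if ($cert -and $md5 -ne $cert.ToUpper()) {
        Write-Warning "Get-FileHash ($md5) and certutil ($cert) disagree; inspect the copy."
    }

    [pscustomobject]@{ Copy = $copy; MD5 = $md5; Bytes = $snapshot.Length }
}

$result = Capture-TransientFile -Path $Path -CopyTo $CopyTo -TimeoutSec $TimeoutSec
if ($null -eq $result) {
    Write-Host "No file appeared at $Path within $TimeoutSec seconds."
} else {
    $result | Format-List

    # A hash exclusion only works if the vendor writes identical content every
    # run. Group the hashes of all captured copies: one group means the MD5 is
    # stable; several groups mean the script is regenerated and a hash will not match.
    Get-ChildItem -LiteralPath $CopyTo -Filter '*.vbs' |
        Get-FileHash -Algorithm MD5 |
        Group-Object Hash |
        Select-Object Count, @{ Name = 'MD5'; Expression = { $_.Name } }
}
```

Start the script first, then launch the diagnostic program so the poll is already running when the launcher drops the file. Repeat across a few runs and check the grouped output before adding the MD5 as an exclusion; if the hashes differ between runs, a hash-based exclusion cannot work and the fixed-folder approach the Root Admin suggested, or the vendor changing how the script is launched, is the remaining option. The saved copies also let you read exactly what the vendor's script does before deciding to trust it.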
