explorer malware potentially, false positive or actual threat caught?


RevivalTech

[screenshot attached]

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 3/25/22
Protection Event Time: 2:52 PM
Log File: 0dd748fe-ac75-11ec-8a7f-04d4c454afd5.json

-Software Information-
Version: 4.5.6.180
Components Version: 1.0.1634
Update Package Version: 1.0.52850
License: Premium

-System Information-
OS: Windows 11 (Build 22000.588)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, explorer.exe, Blocked, 0, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: Windows Control Panel
Protection Layer: Application Behavior Protection
Protection Technique: Exploit Office WMI abuse blocked
File Name: explorer.exe
URL: 

(end)
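The exported log above is a plain-text format that is easy to parse, which matters once the same alert appears across a fleet of endpoints rather than one desktop. The following is an added example (not code from the thread or from Malwarebytes) that splits the export into its "-Name-" sections, pulls out the comma-separated detection record, and reduces it to the fields an analyst looks at first. The sample log is an abridged copy of the one posted; the list of OS binaries and the "generic rule on an OS binary" flag are illustrative assumptions, and only the first three detection columns (name, process, action) are labelled because the export does not explain the rest.

```python
"""Parse a Malwarebytes exported protection-event log (the plain-text layout
posted above) into a structured record, so events from many endpoints can be
triaged programmatically instead of read by eye.  Added example; the meaning
of the trailing detection columns is not documented here, so they stay raw."""
import re
from typing import Dict, List

# Constructed sample: an abridged copy of the exploit event from the thread,
# keeping the same section layout the export uses.
SAMPLE_LOG = """\
-Log Details-
Protection Event Date: 3/25/22
Protection Event Time: 2:52 PM
Log File: 0dd748fe-ac75-11ec-8a7f-04d4c454afd5.json

-Software Information-
Version: 4.5.6.180
License: Premium

-System Information-
OS: Windows 11 (Build 22000.588)
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, explorer.exe, Blocked, 0, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: Windows Control Panel
Protection Layer: Application Behavior Protection
Protection Technique: Exploit Office WMI abuse blocked
File Name: explorer.exe
URL: 

(end)
"""

SECTION_RE = re.compile(r"^-(.+)-$")

# Illustrative (assumed) set of core OS binaries a behaviour rule can fire on.
OS_BINARIES = {"explorer.exe", "svchost.exe"}


def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Split the export into its '-Name-' sections and read 'Key: Value' lines."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
        elif current and ":" in line:
            # partition on the first colon so values like "2:52 PM" survive
            key, _, value = line.partition(":")
            sections[current][key.strip()] = value.strip()
    return sections


def parse_detections(text: str) -> List[Dict[str, object]]:
    """Collect the comma-separated detection records under '-Exploit Details-'.
    Only name, process and action are labelled; the trailing numeric columns
    are not explained in the export, so they are kept as a raw list."""
    records: List[Dict[str, object]] = []
    in_details = False
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            in_details = line == "-Exploit Details-"
        elif in_details and "," in line and ":" not in line:
            cols = [c.strip() for c in line.split(",")]
            records.append({"name": cols[0], "process": cols[1],
                            "action": cols[2], "extra": cols[3:]})
    return records


def triage(text: str) -> Dict[str, object]:
    """Reduce one export to what an analyst needs first: what was blocked, by
    which layer, in which process and user context, plus a flag for the shape
    this thread is about (a generic behaviour rule firing on an OS binary).
    The flag is a prompt to correlate with user activity, not a verdict."""
    sections = parse_sections(text)
    log = sections.get("Log Details", {})
    data = sections.get("Exploit Data", {})
    detections = parse_detections(text)
    return {
        "when": f"{log.get('Protection Event Date')} {log.get('Protection Event Time')}",
        "process": data.get("File Name"),
        "affected_application": data.get("Affected Application"),
        "layer": data.get("Protection Layer"),
        "technique": data.get("Protection Technique"),
        "user": sections.get("System Information", {}).get("User"),
        "all_blocked": bool(detections) and all(d["action"] == "Blocked" for d in detections),
        "detection_names": [d["name"] for d in detections],
        "generic_on_os_binary": any(
            str(d["name"]).endswith(".Generic") and str(d["process"]).lower() in OS_BINARIES
            for d in detections),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:>22}: {value}")
```

Run it against a folder of exports and the "technique", "process" and "user" fields give the pivot an analyst wants: the same behaviour-protection rule firing on explorer.exe as SYSTEM on many machines right after the same user action (here, clicking "view settings") looks very different from the same rule firing once on an unmanaged machine.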


20 minutes ago, RevivalTech said:

[quotes the full log from the post above]

Please turn off the following non default setting in advanced exploit settings. Then click Apply.

[screenshot attached]


Ahhhhh, I did recently decide to try out the "use expert systems" option. Sounds pretty expert! haha. Well, still curious why it's a false positive, if anyone has more in-depth answers! Looking to enhance things past layman defaults whenever possible.

UPDATE: Actually, I hadn't turned on that setting on this machine where I got the alert yet... Don't have rootkit or expert systems on... Nor block pen testing...

UPDATE: Seems it pops the block alert up after I hit view settings for software updates, when alerting me they're turned off. This is a new alert I've seen in the last week-ish that I believe is a false positive because I have patch management RMM on my machines. Been meaning to post about it here and make a bug report support ticket to find out what's up, and likely alert that the detection needs tweaking for when the Windows updates are managed by an RMM / group policy...


9 minutes ago, RevivalTech said:

Looking to enhance things past layman defaults whenever possible.

Defaults are created by the developers for a balance of maximum protection and system usability.

I suggest using the Malwarebytes Support Tool to clean install Malwarebytes on this system and do not change defaults. Restart the system and then try to reproduce the issue.

[screenshot attached]


7 hours ago, Porthos said:

Defaults are created by the developers for a balance of maximum protection and system usability.

I suggest using the Malwarebytes Support Tool to clean install Malwarebytes on this system and do not change defaults. Restart the system and then try to reproduce the issue.

[screenshot attached]

For sure, for sure, but how would I help with future default development by not tinkering with moooore settings! haha.

P.S. Can't tell if I've presented myself as a 20-year IT guy, Malwarebytes reseller, and current MSP... Heads up.


4 minutes ago, RevivalTech said:

Can't tell if I've presented myself as a 20-year IT guy, Malwarebytes reseller, and current MSP... Heads up.

Techbench tells me some. I also have 20 years, am a reseller but do not do MSP. I support the home user sector.

5 minutes ago, RevivalTech said:

but how would I help with future default development by not tinkering with moooore settings! haha. 

Do it on your own test computer. Not on any client computers.


On 3/26/2022 at 8:32 PM, Porthos said:

Techbench tells me some. I also have 20 years, am a reseller but do not do MSP. I support the home user sector.

Do it on your own test computer. Not on any client computers.

Yup, read your bio, which is what made me think to mention I have similar long-term experience, and am here to test out alternate enhanced settings! haha.

Precisely! This is my personal desktop we're reviewing lol. 

So still very curious if this has come up yet and is a KNOWN false positive or not. If not, time to figure it out together, yeah?!


13 minutes ago, Porthos said:

It depends on "what" you were trying to do and with what. Penetration testing will highly affect MS Office activities.

No pentesting, just noticed the alert out of nowhere. Now continuing on, I noticed it pops up immediately after selecting the "view settings" link in MB where it's alerting that Windows updates are off and I should address it. They are not off; they are managed by my RMM via, I believe, a group policy. So I think we may have found an additional side effect of the newly introduced false positive of Windows updates being off. This is what I was trying to say previously too, that I need to make a post / ticket on. I noticed all my machines having an MB alert that Windows updates are off, but when I click view settings it immediately turns green and says everything's alright, then pulls up Windows Update settings, which are all up to date and fine. Well, on this one desktop, when I click view settings, it turns green, opens Windows Update settings, and also pops up an alert that it blocked the Windows Control thing. I'll try to grab a screenshot of that specific alert, but I thought the log dump would help us get moving in the direction of figuring something out.


7 minutes ago, RevivalTech said:

in MB where it's alerting that Windows updates are off and I should address it. They are not off; they are managed by my RMM via, I believe, a group policy.

With that screen in MB, if you purposely do things to affect one of the monitored settings, you have to permanently dismiss the warning.

For example, I have no scheduled scans; I have to dismiss it.

[screenshot attached]
