Malwarebytes blocked exploit attempt on Acronis updater


This was an interesting episode and I wonder if I need to make changes. I have an old Western Digital outboard drive for backup. WD shifted support for that to Acronis. (Prior to that I'd also installed Acronis Disk Director.) Right now in background processes the following Acronis programs are running:

Acronis Active Protection Service
Acronis Agent Core
Acronis Alert Manager Service
Acronis Cyber Protect Agent
Acronis File Level CDP (Time Machine) Service (32 Bit)
Acronis Task Manager (32 Bit)
Acronis TIB Mounter Monitor (32 Bit)
Acronis True Image for Western Digital (32 Bit)

Seems like a bit of an octopus; reminds me of Norton products. Anyway, a few days ago a MWB alert popped up, and this is the report:

-Log Details-
Protection Event Date: 4/26/22
Protection Event Time: 1:53 PM
Log File: cfe20696-c589-11ec-9777-10604b79598e.json

-Software Information-
Version: 4.5.7.186
Components Version: 1.0.1645
Update Package Version: 1.0.54221
License: Premium

-System Information-
OS: Windows 10 (Build 19044.1645)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files (x86)\Acronis\Agent\bin\updater.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 45.155.205.49
Port: 6888
Type: Inbound
File: C:\Program Files (x86)\Acronis\Agent\bin\updater.exe
(end)

Details of that IP address:

WHOIS Lookup ( 45.105.255.49 )

% This is the AfriNIC Whois server.
% The AFRINIC whois database is subject to  the following terms of Use. See https://afrinic.net/whois/terms

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '45.104.0.0 - 45.107.255.255'

% No abuse contact registered for 45.104.0.0 - 45.107.255.255

inetnum:        45.104.0.0 - 45.107.255.255
netname:        Orange-EG
descr:          Orange-EG
country:        EG
admin-c:        MMK2-AFRINIC
tech-c:         MMK2-AFRINIC
status:         ASSIGNED PA
mnt-by:         MOBINIL
source:         AFRINIC # Filtered
parent:         45.104.0.0 - 45.111.255.255

person:         Mohamed Mahmoud Kamel
address:        K28 Cairo-Alex Desert Road, 6th October, Egypt
phone:          tel:+20-122-320-1124
nic-hdl:        MMK2-AFRINIC
mnt-by:         GENERATED-QUXLIXC8VMKMFWFAOTMZVRYCESJMWJDN-MNT
source:         AFRINIC # Filtered

% Information related to '45.105.224.0/19AS37069'

route:          45.105.224.0/19
descr:          Orange Egypt IP address
origin:         AS37069
mnt-by:         MOBINIL
source:         AFRINIC # Filtered

I'm not a Windows expert, but I thought that if I restricted permissions for updater.exe I'd be safe for the time being. "Owner" of the object is now Administrator and just viewing its properties is restricted. I'm not sure if that was the right move.

I thought I'd check with Acronis, but an account is required for support, so I tried a shortcut and sent them a Facebook message. No reply. Meanwhile, I think I might as well ask the Forum for opinions or help. I'm pretty sure Malwarebytes experts are the best resource in any case.