Hi guys,

This JavaScript was picked up by Malwarebytes:

C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe C:\Users\jamesc\Downloads\mm_ue_conversations_button.js

When I look inside the JavaScript file I see references to "NApiVersion 2.0", which is a part of the NetSuite Applications Suite, which is what our client uses extensively.

VirusTotal also doesn't pick it up:

https://www.virustotal.com/gui/file/daf80dca4face075bd0727a96c0d4188a5699189ecd9589b1caea8eadf313041

mm_ue_conversations_button.zip


17 minutes ago, AlexLeadingEdge said:

This JavaScript was picked up by Malwarebytes:

C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe C:\Users\jamesc\Downloads\mm_ue_conversations_button.js

Was this an exploit block? Malwarebytes does not detect script files in a scan.


  • Root Admin

If you post back the following logs it will show us.

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 


15 minutes ago, Porthos said:

Did you enable any non-default policies in the advanced exploit settings? For example, penetration testing?

Where do I see this in OneView or Nebula? I think the answer is 'no', but as I didn't set it up originally I cannot say without checking.

Everything except for Boot Process is turned on under Policies > Default > Protection Settings.

Edited by AlexLeadingEdge

51 minutes ago, AlexLeadingEdge said:

Where do I see this in OneView or Nebula?

That I cannot say as I am not familiar with the product. And also not familiar with the logs from it to advise further.

I can say that exploit protection has been more aggressive lately, and sometimes you have to change things to let some things work correctly.

For example, anything that makes a call to C:\Windows\System32\WScript.exe to execute something is probably going to be blocked since malware can do the same.

If you have not tried, you could exclude mm_ue_conversations_button.js from the protection.

Also, you can submit a Business Support Ticket as well.

Edited by Porthos
  • Thanks 1
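
The thread turns on a file that mentions "NApiVersion 2.0" being blocked when WScript.exe tried to run it from the Downloads folder. The following is an added example, not part of the original posts and not Malwarebytes or NetSuite code: a static triage helper that tells a NetSuite SuiteScript module apart from a script written for Windows Script Host. The function name, the marker lists and both sample inputs are constructed assumptions.

```javascript
// Added example: static triage of a .js file that was blocked when
// WScript.exe tried to run it. Marker lists and names are assumptions.

// JSDoc tags found in the header comment of NetSuite SuiteScript 2.x files.
const SUITESCRIPT_TAG = /@(NApiVersion|NScriptType|NModuleScope)\s+([^\s*]+)/g;
// Objects that exist only under Windows Script Host (WScript/CScript).
const WSH_MARKER = /\b(?:ActiveXObject|WScript\.\w+|GetObject)\b/g;

function triageScript(source) {
  // Collect SuiteScript header tags, e.g. { NApiVersion: "2.0" }.
  const tags = {};
  for (const m of source.matchAll(SUITESCRIPT_TAG)) tags[m[1]] = m[2];

  // Heuristic comment stripping so markers in comments are not counted.
  const code = source
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/^\s*\/\/.*$/gm, "");

  // SuiteScript 2.x entry points are AMD modules: define([...], function ...).
  const usesDefine = /\bdefine\s*\(\s*\[/.test(code);
  const wshMarkers = [...new Set([...code.matchAll(WSH_MARKER)].map((m) => m[0]))];

  let verdict = "unknown";
  if (wshMarkers.length > 0) verdict = "wsh-script"; // review before excluding
  else if (tags.NApiVersion && usesDefine) verdict = "suitescript-module";
  return { verdict, tags, wshMarkers };
}

// Constructed sample, not the file from the thread.
const SAMPLE_SUITESCRIPT = `/**
 * @NApiVersion 2.0
 * @NScriptType UserEventScript
 */
define(['N/log'], function (log) {
  function beforeLoad(context) {
    log.debug({ title: 'beforeLoad', details: context.type });
  }
  return { beforeLoad: beforeLoad };
});`;

// Constructed sample of a script written for Windows Script Host.
const SAMPLE_WSH = `// constructed WSH sample
var sh = new ActiveXObject("WScript.Shell");
WScript.Echo(sh.CurrentDirectory);`;

console.log(triageScript(SAMPLE_SUITESCRIPT));
console.log(triageScript(SAMPLE_WSH));
```

A "suitescript-module" verdict means the file is written to run inside NetSuite rather than on the workstation; on a default Windows install, opening a .js file hands it to Windows Script Host, which is how such a file can end up on a WScript.exe command line.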

20 minutes ago, Porthos said:

That I cannot say as I am not familiar with the product. And also not familiar with the logs from it to advise further.

I can say that exploit protection has been more aggressive lately, and sometimes you have to change things to let some things work correctly.

For example, anything that makes a call to C:\Windows\System32\WScript.exe to execute something is probably going to be blocked since malware can do the same.

If you have not tried, you could exclude mm_ue_conversations_button.js from the protection.

Also, you can submit a Business Support Ticket as well.

Thanks Porthos, I have opened a business support ticket.


3 minutes ago, AlexLeadingEdge said:

Is there a False Positives section for Business Customers?

This is in the right section but I think support will have to offer you some changes to make so this stops being an issue.

34 minutes ago, Porthos said:

I can say that exploit protection has been more aggressive lately, and sometimes you have to change things to let some things work correctly.

 

Edited by Porthos