RTP Detection - Exploit.PayloadprocessBlock and FileBlock false positive?

[BBGuy2023]

Hello all. This is my first time posting here so apologies if I made some sort of error.

 

Today I woke my Windows 10 laptop and was shortly later was greeted by 6 "RTP Detections" from Malwarebytes, all at the exact same time - 3 of the entries appear to be duplicates/repeats.

The Exploit.PayloadProcessBlock alert reads (two times) as follows: 

-Log Details-

Protection Event Date: 9/1/23

Protection Event Time: 10:22 AM

Log File: f40d7334-48d2-11ee-a14d-98bb1e1cc822.json

-Software Information-

Version: 4.6.1.280

Components Version: 1.0.2117

Update Package Version: 1.0.74721

License: Premium

-System Information-

OS: Windows 10 (Build 19045.3324)

CPU: x64

File System: NTFS

User: System

-Exploit Details-

File: 0

(No malicious items detected)

Exploit: 1

Exploit.PayloadProcessBlock, C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid, Blocked, 

-Exploit Data-

Affected Application: cmd

Protection Layer: Application Behavior Protection

Protection Technique: Exploit payload process blocked

File Name: C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid

URL:

 

The Exploit.PayloadFileBlock reads (twice) as follows: 

-Log Details-

Protection Event Date: 9/1/23

Protection Event Time: 10:22 AM

Log File: f4107e6c-48d2-11ee-97b1-98bb1e1cc822.json

-Software Information-

Version: 4.6.1.280

Components Version: 1.0.2117

Update Package Version: 1.0.74721

License: Premium

-System Information-

OS: Windows 10 (Build 19045.3324)

CPU: x64

File System: NTFS

User: System

-Exploit Details-

File: 0

(No malicious items detected)

Exploit: 1

Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Blocked, 

-Exploit Data-

Affected Application: cmd

Protection Layer: Application Behavior Protection

Protection Technique: Exploit payload file blocked

File Name: C:\WINDOWS\sysnative\cmd.exe

URL:

 

It also says cmd.exe was quarantined (twice) but I'm not seeing anything in my quarantined items.

 

Could this be a false positive?

At the time, I had just opened Google Chrome and was attempting to navigate to a sports team's website to return an item as per an email sent by a customer support rep, but it appeared that the hyperlink in the support rep's email signature was incorrect/had a typo, http instead of https. I'm like 99.9% sure the support rep was legitimate, but maybe this typo somehow caused it?

I've ran a few general scans since then and detected nothing.

I also just checked and I have "exploit protection" turned on, but I was using the Windows Mail application at the time, not Outlook, if that makes a difference. 

Any help would be appreciated. 

 

[Porthos]

@Arthi Could you assist?

[BBGuy2023]

Hello again, I wonder if it's a similar issue to what's reported on in this forum post? I'm not an expert of course! I did a search of the forums and found this.--> 

 

[Porthos]

3 minutes ago, BBGuy2023 said:

I wonder if it's a similar issue to what's reported on in this forum post? I'm not an expert of course! I

Please wait for the staff member I tagged.

Edited September 1, 2023 by Porthos

[p060477]

hi, same behaviour for me.....how to solve...??...this is a real bug isn't it...??... :(

[Porthos]

We are on a holiday weekend in the US, Most staff are off until Tuesday.

[p060477]

so we have to take this bug issue on our pc till the end of the -holiday-...what a real pity... :(

[BBGuy2023]

As a quick update: I've been using the laptop all weekend (including turning off/on, waking from sleep, running periodic scans with Malwarebytes and Webroot), and have had no other detections. So while i'm not an expert of course I think it's looking pretty good that it's some sort of glitch/false positive etc.

[Porthos]

1 minute ago, BBGuy2023 said:

have had no other detections.

Exploit protection is not a detection like malware, it is a straight block. all stop of a process that is considered an exploit.

[BBGuy2023]

Ah, I see. I've had no stoppages, detections etc. or anything from Malwarebytes in the last few days!

[AdvancedSetup]

Glad to hear @BBGuy2023

I will go ahead and close this topic now

Take care

 

[Arthi]

Hi, thanks for posting.

Can you please

1. Turn on "Event log data" toggle Refer the below screenshot:
2. Reproduce the block
3. and then grab the below files:
4. Please get us the following two files

• C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log
• C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log  

  

[Arthi]

Customer confirmed that the issue is not happening anymore, in case it does, please feel free to DM me. Thank you.

[BBGuy2023]

Hello again, 

I just direct messaged Arthi the details, but this happened again today. As far as I can tell it's the same pattern: Six total "RTP" detections, two saying exploit process blocked, two saying exploit file blocked, and two saying sysnative\cmd.exe was quarantined (but nothing is in quarantine)

This happened literally immediately after i woke my Windows 10 laptop from sleep mode, so I'm pretty sure it's not an actual malicious thing... and it's been 10 days since it last happened.

All the same any thoughts etc. would be appreciated.

[Maurice Naggar]

Hello @BBGuy2023 Take a few moments & check to see whether this system has installed a program / applet named "Powerengage". If it does, then Uninstall it and Restart Windows. Then see if the Exploit message goes away.

[BBGuy2023]

@Maurice Naggar Yes, I think I do have that program - I have a Brother printer, and when I search "apps and features" in Windows settings, it says I have "Brother PowerENGAGE" installed. 

So you're saying I should uninstall this? Just want to be 100% sure we're referring to the same thing. 

Thanks!

[Maurice Naggar]

Yes, uninstall "Brother PowerENGAGE"  & then Restart Windows.

[BBGuy2023]

@Maurice Naggar Ok I just uninstalled "Brother PowerENGAGE" through Windows settings, and I just restarted. 

But it's looking promising that this program is the cause of this - I say this because, just as I uninstalled the program before I restarted, I got the "Exploit" popup from Malwarebytes again!

This is the first time I've been able to re-create this block.

So it's looking to me like this Brother program is indeed the issue. 

Now that it's uninstalled, I will keep an eye out, and will see if it occurs again. But this is pretty promising that this Brother program was the cause, right?

Thanks!

 

[Maurice Naggar]

The "applet" is apparently by Aviata. Used by different printer manufacturers. Brother and Epson are two of them. The applet is not needed for a printer to work. And if one does some extra outside tech reading, the "powerengage" causes some other issues. All that said, it is not a malicious malware. I suspect the software developers used some ill-advised ways to do inquiries. which "inquiries" then triggered the Exploit messages. Let us know for sure, if over the next 2 or so days, whether the Exploit notices are all gone away.

[BBGuy2023]

I will do that, i'll post again here if there are any other exploit notices. Thanks!

[BBGuy2023]

@Maurice Naggar Hello again. I'm sorry to say that this happened again today - the same pattern, "exploit process block," "exploit file block" and sysnative\cmd.exe quarantined, with nothing in the quarantine. 

Not sure what is causing this - i'm seeing no results from any scans from Malwarebytes and Webroot.

 

 

[BBGuy2023]

I should say, i had another brother program installed, i think it was called "brother iprint&scan" - I uninstalled it too a moment ago.

[Arthi]

Hi,

Thank to everyone who reported this issue and worked with us in providing logs, etc. We have now fixed this issue and it is going through internal testing. If everything goes well, we should be releasing the fix in the next 2 weeks or so. Please bear with us. Thank you.

[p060477]

let me say i'm a little bit upset...so strange how long you have to ask us to wait....when and if it will finally fixed this BUG....

and also so very upset of all tons of megabytes of logs gifted to you....

for ex. the mbae-default.log is about more then 13 mb of data...and in terms of text data is a very very large quantity...of OUR data.....

we have to cross our fingers so hard....really do not really know what they are worth to.....

i repeat i'm very very upset

[skeppley]

Following this thread as i am getting the same thing as the OP