
EXPLOIT Payload Process Blocked & Quarantined but nothing in Quarantine??


KEL1


Beginning on 8/31/2023, MWB started frequently executing "EXPLOIT Payload Process Block".

Message says:

Exploit Blocked

Exploit attempt detected and blocked. It is no longer a threat. Open quarantine to learn more.

This is documented:

  1. Under the BELL (Notifications) there is a note documenting it.
  2. Under Detection History:
     • Nothing is listed under Quarantined Items.
     • Under History there is a list of items that state the date, the time, and that something was blocked and quarantined.


It happened:

  1. Logging into GMAIL
  2. Logging into Bank site
  3. 5 other times since 8/31/2023 that I am not sure of what was happening.
     1. If the times listed for each item are correct, one was when I was not even using the computer.

MWB Version: 4.6.1.280

Update Package Version: 1.0.7.4843

Component Package Version: 1.0.21187


Messages list these as the Blocked & Quarantined:

c:\WINDOWS\sysnative\cmd.exe

c:\WINDOWS\sysnative\cmd.exe C:Windows\sysnative\cmd.exe \c C:\WindowSystem32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid


I ran all PC Scans to detect Malware and found none.

Is this a false negative situation?

Or am I missing something?

Can you please help?

Thank you.

33 minutes ago, KEL1 said:

Exploit attempt detected and blocked. It is no longer a threat.

Exploit blocks are not something that quarantines any file. It just stops a process from running.

Please post some logs showing the block.

You can find Scan and Protection logs within the Malwarebytes 4 program in the following location:


image.png

RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged.


image.png

If you click on the View option you should get something similar to the following, with other options available.

 

image.png

Thank you

The "Block penetration testing attacks" option WAS NOT TURNED ON.

Also, a second topic for me on this issue was opened by Maurice Nagger. If you look at it you will see what has taken place over the last day.

I really don't want to have two topics to address the same issue.

Maybe they can be combined somehow.

That would be great!


  • 2 weeks later...

Good day,

I am also now seeing this issue beginning on 9/10.  This process is false reporting on a Windows system where I have a script running in response to system events.  The .cmd batch file calls powershell.exe to perform some calculations and write to some files/generate disk activity.  Should I try to whitelist the .cmd batch file that's being called?  I don't necessarily want to whitelist all cmd.exe or powershell.exe activity.  Is there a specific security setting I should disable?  Like the previous user I currently have the "Penetration Testing" option turned off.  Thanks for any tips!

--Tim Leech

malwarebytes_false_20230914.png


1 minute ago, Tim242 said:

Thanks for any tips!

Please do the following so that we may take a closer look at your system.

Please restart the computer and do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply


Thank you


I had the same false positives as documented here and in another thread. I found the source.
Looking at my log, my issue started earlier this month. The event always showed up every 12 hours, once at 1:34 AM and 1:34 PM. So, I went and looked at Windows Scheduler.
The repeating task every 12 hours at 1:34 AM and PM was Brother PowerENGAGE. (It's written by a third-party vendor. This same software is also included with drivers for certain Epson printers.)
The day my events started showing up also happened to be September 10th.
PowerENGAGE is a marketing tool produced by Aviata. It provides no actual function for the printer itself. The word salad on their website talks about "expanding your marketing universe". This program has its own entry in Add/Remove Programs.
I uninstalled it last night and the alerts have stopped. If you are still getting these alerts in Malwarebytes, look in Add/Remove Programs and see if you have Aviata PowerENGAGE installed. If so, uninstall it and see if this solves the issue for you.

I hope this is helpful. 

-Ngt

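The triage Ngt describes above (block times recurring every 12 hours, then a matching entry in Task Scheduler) can be done from PowerShell instead of clicking through the Task Scheduler UI. The script below is an added example written for this thread, not code from Malwarebytes or any poster: it lists every scheduled task whose action launches cmd.exe or powershell.exe, shows each task's triggers and last run time, and then narrows the list to tasks that last ran within a few minutes of a block timestamp copied from the RTP log. The block time used here is a constructed sample value; the function name Get-ShellLaunchingTask is this example's own. It assumes Windows 8 / Server 2012 or later, where the ScheduledTasks module (Get-ScheduledTask, Get-ScheduledTaskInfo) is available, and should be run from an elevated prompt so that tasks under other accounts are visible.

```powershell
# Added example (not from the thread): find scheduled tasks that launch a shell
# and correlate their last run time with a Malwarebytes RTP block timestamp.
# Assumes the built-in ScheduledTasks module (Windows 8 / Server 2012 or later).

function Get-ShellLaunchingTask {
    param(
        # Executables whose appearance in a task action is worth reviewing
        [string[]]$Pattern = @('cmd.exe', 'powershell.exe', 'pwsh.exe')
    )
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only "Exec" actions carry an Execute path; e-mail/message actions are skipped
            if (-not $action.Execute) { continue }
            $cmdline = "$($action.Execute) $($action.Arguments)".Trim()
            $hit = $Pattern | Where-Object { $cmdline -match [regex]::Escape($_) }
            if (-not $hit) { continue }

            $info = $task | Get-ScheduledTaskInfo
            # Summarise each trigger as "<type> start=<ISO time> repeat=<ISO 8601 interval>"
            $triggerText = ($task.Triggers | ForEach-Object {
                $t = $_
                $type = $t.CimClass.CimClassName -replace '^MSFT_Task', ''
                "$type start=$($t.StartBoundary) repeat=$($t.Repetition.Interval)"
            }) -join '; '

            [pscustomobject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                State       = $task.State
                Author      = $task.Author
                LastRunTime = $info.LastRunTime
                NextRunTime = $info.NextRunTime
                Triggers    = $triggerText
                CommandLine = $cmdline
            }
        }
    }
}

# 1. Full inventory: every task that runs through cmd.exe / powershell.exe
$shellTasks = Get-ShellLaunchingTask
$shellTasks | Format-Table TaskName, State, LastRunTime, Triggers -AutoSize

# 2. Correlate with one block time taken from the RTP log (constructed sample value)
$blockTime = Get-Date '2023-09-10 13:34:00'
$shellTasks |
    Where-Object { $_.LastRunTime -and
                   [math]::Abs(($_.LastRunTime - $blockTime).TotalMinutes) -le 5 } |
    Format-List TaskPath, TaskName, Author, LastRunTime, Triggers, CommandLine
```

A task whose trigger summary shows repeat=PT12H and a start time of 01:34 is the kind of match Ngt found. The Author and CommandLine fields tell you which installed product owns the task, which is what you need before deciding whether to uninstall the software or add a narrow exclusion for that one script rather than for cmd.exe or powershell.exe as a whole.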

  • Staff

Hi,

Thank you to everyone who reported this issue and worked with us in providing logs, etc. We have now fixed this issue and it is going through internal testing. If everything goes well, we should be releasing the fix in the next 2 weeks or so. Please bear with us. Thank you.

Edited by Arthi