mosk Posted September 6, 2023: Hi - I received a notification/warning about an exploit being blocked this morning. I've attached an image showing a bunch of 'RTP detection' warnings Malwarebytes has reported on Sept 4 and Sept 6. Don't know if these are legit and if there's anything I need to do about them. Thanks for any advice.
Porthos Posted September 6, 2023: @mosk Please post the logs for those. You can find Scan and Protection logs within the Malwarebytes 4 program in the following location. RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged. If you click on the View option you should get something similar to the following, with other options available. Thank you.
mosk Posted September 6, 2023: Ok - thanks for the quick response. Here are those log files from the 11 events - the first nine all say Exploit Payload File Block or Exploit Payload Process Block; the last two refer to blocked websites:

1) Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/6/23 Protection Event Time: 8:05 AM Log File: 9d0905ec-4cad-11ee-afa2-a85e45542437.json -Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74931 License: Premium -System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System -Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadProcessBlock, C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid, Blocked, 701, 392684, 0.0.0, , -Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload process blocked File Name: C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid URL: (end)

2) Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/6/23 Protection Event Time: 8:05 AM Log File: 9d0bc534-4cad-11ee-8a45-a85e45542437.json -Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74931 License: Premium -System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System -Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Blocked, 601, 392684, 0.0.0, , -Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload file blocked File Name: C:\WINDOWS\sysnative\cmd.exe URL: (end)

3) Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/6/23 Protection Event Time: 8:05 AM Log File: 9d0e0f43-4cad-11ee-acfb-a85e45542437.json -Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74931 License: Premium -System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System -Exploit Details- File: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Quarantined, 0, 392684, 0.0.0, , Exploit: 0 (No malicious items detected) (end)

4) Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/4/23 Protection Event Time: 2:05 PM Log File: 9a1548d4-4b4d-11ee-89b5-a85e45542437.json -Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74855 License: Premium -System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System -Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadProcessBlock, C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid, Blocked, 701, 392684, 0.0.0, , -Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload process blocked File Name: C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid URL: (end)

5) Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/4/23 Protection Event Time: 2:05 PM Log File: 9a5deec2-4b4d-11ee-8e71-a85e45542437.json -Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74855 License: Premium -System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System -Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Blocked, 601, 392684, 0.0.0, , -Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload file blocked File Name: C:\WINDOWS\sysnative\cmd.exe URL: (end)

6) Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/4/23 Protection Event Time: 2:05 PM Log File: 9a6038d1-4b4d-11ee-a8a0-a85e45542437.json -Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74855 License: Premium -System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System -Exploit Details- File: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Quarantined, 0, 392684, 0.0.0, , Exploit: 0 (No malicious items detected) (end)

7) Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/4/23 Protection Event Time: 2:05 PM Log File: 97847810-4b4d-11ee-b55e-a85e45542437.json -Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74855 License: Premium -System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System -Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadProcessBlock, C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid, Blocked, 701, 392684, 0.0.0, , -Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload process blocked File Name: C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid URL: (end)

8) Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/4/23 Protection Event Time: 2:05 PM Log File: 97eb2f10-4b4d-11ee-ab77-a85e45542437.json -Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74855 License: Premium -System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System -Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Blocked, 601, 392684, 0.0.0, , -Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload file blocked File Name: C:\WINDOWS\sysnative\cmd.exe URL: (end)

9) Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/4/23 Protection Event Time: 2:05 PM Log File: 97edee59-4b4d-11ee-8698-a85e45542437.json -Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74855 License: Premium -System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System -Exploit Details- File: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Quarantined, 0, 392684, 0.0.0, , Exploit: 0 (No malicious items detected) (end)

10) Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/4/23 Protection Event Time: 10:29 AM Log File: 7d50c598-4b2f-11ee-af51-a85e45542437.json -Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.74851 License: Premium -System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System -Blocked Website Details- Malicious Website: 1 , C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, Blocked, -1, -1, 0.0.0, , -Website Data- Category: Compromised Domain: emedihealth.com IP Address: 159.223.152.119 Port: 443 Type: Outbound File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (end)

11) Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 8/28/23 Protection Event Time: 3:06 PM Log File: 0aa9589c-45d6-11ee-9649-a85e45542437.json -Software Information- Version: 4.6.0.277 Components Version: 1.0.2114 Update Package Version: 1.0.74573 License: Premium -System Information- OS: Windows 10 (Build 19045.3324) CPU: x64 File System: NTFS User: System -Blocked Website Details- Malicious Website: 1 , C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, Blocked, -1, -1, 0.0.0, , -Website Data- Category: RiskWare Domain: akpk.upnvj.ac.id IP Address: 103.147.92.68 Port: 443 Type: Outbound File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (end)
Porthos Posted September 6, 2023: @mosk What were you doing when the blocks occurred?
mosk Posted September 6, 2023: Nothing specific that I recall. Probably browsing the web, looking for computer gear - and I typically have many browser tabs open (on Google Chrome) - but I think it just popped up as a Malwarebytes notification. Every once in a while I will click on a link and get a notification about a 'dangerous website' - in which case I'll either close the tab or X out of Chrome (rather than clicking the 'proceed to website anyway' button - I forget the exact wording). When I received this notification, I opened Malwarebytes to take a peek, and saw there had been a number of issues over the last few days, so I posted here.
Porthos Posted September 6, 2023: @mosk Can you check if the "Penetration testing" toggle in the UI is ON? If it is ON, please turn it OFF and hit Apply. If that setting is not on, click Restore Defaults and click Apply, and open Adobe again. You can find it by going to Security -> Exploit Protection -> Advanced settings.
mosk Posted September 6, 2023: Ok - I checked and Penetration Testing was not toggled on, so I clicked Restore Defaults > Apply as instructed, then closed and re-opened the program, and it still has Penetration Testing toggled off (looks the same as it did before).
Porthos Posted September 6, 2023, quoting mosk: "Ok - I checked and Penetration Testing was not toggled on, so I clicked Restore Defaults > Apply as instructed, then closed and re-opened the program, and it still has Penetration Testing toggled off (looks the same as it did before)." Let's see if the blocks continue.
mosk Posted September 6, 2023: Ok - so should I just leave things be and post back if I get new notifications or blocks showing up in Malwarebytes' history panel?
Porthos Posted September 6, 2023, quoting mosk: "Ok - so should I just leave things be and post back if I get new notifications or blocks showing up in Malwarebytes' history panel?" Yes.
mosk Posted September 6, 2023: Got it - thanks for the help.
mosk Posted September 20, 2023: Hi - I'm following up from a problem I noted a couple of weeks ago. I was asked to see if I had further 'exploits blocked' notifications from Malwarebytes Premium. Went for about 10 days without a problem, then got 3 notifications on 9/15 and three more on 9/18. I've posted copies of those six log files below, since that's what I was asked to do last time. I'll also make a separate post after this one about items I've had in quarantine for a while, which are related to legitimate software I've purchased - so I don't know if those are an actual issue or not. Thanks in advance for any suggestions. (logs below)

Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/18/23 Protection Event Time: 2:05 PM Log File: e4a44b74-564d-11ee-a13e-a85e45542437.json -Software Information- Version: 4.6.2.281 Components Version: 1.0.2131 Update Package Version: 1.0.75431 License: Premium -System Information- OS: Windows 10 (Build 19045.3448) CPU: x64 File System: NTFS User: System -Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadProcessBlock, C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid, Blocked, 701, 392684, 0.0.0, , -Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload process blocked File Name: C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid URL: (end)

Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/18/23 Protection Event Time: 2:05 PM Log File: e4a6e3a2-564d-11ee-a353-a85e45542437.json -Software Information- Version: 4.6.2.281 Components Version: 1.0.2131 Update Package Version: 1.0.75431 License: Premium -System Information- OS: Windows 10 (Build 19045.3448) CPU: x64 File System: NTFS User: System -Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Blocked, 601, 392684, 0.0.0, , -Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload file blocked File Name: C:\WINDOWS\sysnative\cmd.exe URL: (end)

Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/18/23 Protection Event Time: 2:05 PM Log File: e4a92dba-564d-11ee-8d41-a85e45542437.json -Software Information- Version: 4.6.2.281 Components Version: 1.0.2131 Update Package Version: 1.0.75431 License: Premium -System Information- OS: Windows 10 (Build 19045.3448) CPU: x64 File System: NTFS User: System -Exploit Details- File: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Quarantined, 0, 392684, 0.0.0, , Exploit: 0 (No malicious items detected) (end)

Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/15/23 Protection Event Time: 7:59 AM Log File: 64283d1a-53bf-11ee-bfab-a85e45542437.json -Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.75327 License: Premium -System Information- OS: Windows 10 (Build 19045.3448) CPU: x64 File System: NTFS User: System -Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadProcessBlock, C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid, Blocked, 701, 392684, 0.0.0, , -Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload process blocked File Name: C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid URL: (end)

Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/15/23 Protection Event Time: 7:59 AM Log File: 642ad548-53bf-11ee-91ce-a85e45542437.json -Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.75327 License: Premium -System Information- OS: Windows 10 (Build 19045.3448) CPU: x64 File System: NTFS User: System -Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Blocked, 601, 392684, 0.0.0, , -Exploit Data- Affected Application: cmd Protection Layer: Application Behavior Protection Protection Technique: Exploit payload file blocked File Name: C:\WINDOWS\sysnative\cmd.exe URL: (end)

Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/15/23 Protection Event Time: 7:59 AM Log File: 642d4671-53bf-11ee-b461-a85e45542437.json -Software Information- Version: 4.6.1.280 Components Version: 1.0.2117 Update Package Version: 1.0.75327 License: Premium -System Information- OS: Windows 10 (Build 19045.3448) CPU: x64 File System: NTFS User: System -Exploit Details- File: 1 Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Quarantined, 0, 392684, 0.0.0, , Exploit: 0 (No malicious items detected) (end)
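A small triage helper for the protection-event entries posted above (an added example, not Malwarebytes code or anything from this thread): it parses the exported text, pulls each Exploit.* detection apart, and groups identical hits, flagging a group that fires at the same clock time on different days, which is the signature of a scheduled task or updater rather than something the user clicked. The sample entries are constructed from the ones in the thread, trimmed to the fields the parser reads.

```python
"""Parse Malwarebytes 4 'Protection Event' log text and group identical
Exploit.* detections so a recurring block stands out from a one-off.
Added example; field layout follows the exports quoted in the thread."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample: three entries from the thread, one field per line
# as the Malwarebytes export lays them out, trimmed to what we parse.
SAMPLE_LOG = r"""Protection Event Date: 9/18/23
Protection Event Time: 2:05 PM
Exploit.PayloadProcessBlock, C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid, Blocked, 701, 392684, 0.0.0, ,
(end)
Protection Event Date: 9/18/23
Protection Event Time: 2:05 PM
Exploit.PayloadFileBlock, C:\WINDOWS\sysnative\cmd.exe, Quarantined, 0, 392684, 0.0.0, ,
(end)
Protection Event Date: 9/4/23
Protection Event Time: 2:05 PM
Exploit.PayloadProcessBlock, C:\WINDOWS\sysnative\cmd.exe C:\WINDOWS\sysnative\cmd.exe \c C:\WINDOWS\System32\REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \v MachineGuid, Blocked, 701, 392684, 0.0.0, ,
(end)
"""

FIELD = re.compile(r"^(Protection Event Date|Protection Event Time): (.+)$", re.M)
# detection name, target (path or full command line), action, numeric columns
DETECTION = re.compile(r"^(Exploit\.\w+), (.+?), (Blocked|Quarantined), (\d+), (\d+),", re.M)


@dataclass(frozen=True)
class Detection:
    day: date
    time: str      # clock time as exported, e.g. "2:05 PM"
    kind: str      # e.g. Exploit.PayloadProcessBlock
    target: str    # quarantined path or the blocked command line
    action: str    # Blocked or Quarantined


def parse_events(text: str) -> list[Detection]:
    """One Detection per Exploit.* line; entries are delimited by '(end)'."""
    events = []
    for chunk in text.split("(end)"):
        fields = dict(FIELD.findall(chunk))
        if "Protection Event Date" not in fields:
            continue  # blank trailer after the final (end)
        day = datetime.strptime(fields["Protection Event Date"], "%m/%d/%y").date()
        for kind, target, action, _code, _rule in DETECTION.findall(chunk):
            events.append(Detection(day, fields["Protection Event Time"], kind, target, action))
    return events


def recurring(events: list[Detection]) -> list[dict]:
    """Group identical (kind, target, action) hits, most frequent first, and
    flag groups that fire at one clock time on more than one day."""
    groups = defaultdict(list)
    for e in events:
        groups[(e.kind, e.target, e.action)].append(e)
    summary = []
    for (kind, target, action), hits in groups.items():
        days = sorted({h.day.isoformat() for h in hits})
        summary.append({"kind": kind, "target": target, "action": action,
                        "count": len(hits), "days": days,
                        "same_clock_time": len({h.time for h in hits}) == 1
                        and len(days) > 1})
    return sorted(summary, key=lambda g: -g["count"])
```

Run against a full export, a group whose `same_clock_time` is true and whose target is a benign-looking `REG QUERY` is the thing to compare against the scheduled tasks and updaters on the machine before treating the block as an attack.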
Porthos Posted September 20, 2023 (marked as Solution): @mosk It is a known issue and hopefully a fix will be released in a couple of weeks.
mosk Posted September 20, 2023: This image shows the detection history over the past couple of weeks. These next four images show programs that have been quarantined by Malwarebytes. They look like they're related to legitimate software I use. Specifically, 1) Adobe After Effects, which uses an installer from AEScripts to help manage third-party plugins / scripts for After Effects. 2) Campaign Cartographer by ProFantasy, which is mapping software that also works with some free plugins and libraries that can be downloaded from the internet - so I don't really have a good way of knowing if those additional files represent true malware.
mosk Posted September 20, 2023, quoting Porthos: "@mosk It is a known issue and hopefully a fix will be released in a couple of weeks." Ok - great - thank you. I just posted about some files that had been quarantined. Wasn't sure if it was related to these warnings. If not, let me know if I should delete that and start a new thread. Thanks for your help.
Porthos Posted September 20, 2023, quoting mosk: "so I don't really have a good way of knowing if those additional files represent true malware." This is a false positive as the issue was reproduced. When doing the tasks that trigger this you will have to temporarily disable exploit protection while those tasks run. No new topic needed.
mosk Posted September 20, 2023: Regarding all those files in quarantine, are you saying those represent false positives and I can tag them as safe - or do you just mean the 'exploit blocked' warnings are safe to ignore? (I still haven't noticed anything in particular that I'm doing that triggers the warnings, except if I navigate to a site and get a warning saying the site is unsafe, in which case I won't proceed to the site.)
Porthos Posted September 20, 2023, quoting mosk: "or do you just mean the 'exploit blocked' warnings are safe to ignore?" This. The sandbox items need to be reported here to see if they are FPs as well: https://forums.malwarebytes.com/forum/42-file-detections/
mosk Posted September 20, 2023: Ok - thanks - I will post the quarantined items where you said and consider this thread closed.
Porthos Posted September 28, 2023: The beta that was released today has the anti-exploit fix included. You may get the beta by enabling BETA updates and checking for updates. This is the version with the fix.
mosk Posted September 28, 2023: Hi @Porthos - thanks for the note; I will leave myself a note to update in a few days.