
Exploit.PayloadProcessBlock, how can I selectively stop this?


d4005
Solved by Porthos


I've got a batch file that runs continuously while my Windows 11 machine is on and it's recently (last 2-3 days) started getting this exploit warning which stops the batch file from running. The strange thing is that it runs around twice a minute doing the same things but it's only once or twice a day that MalwareBytes decides it doesn't like what it's doing and stops it.

The batch file is looking in a directory for some filenames and if it finds them, it "processes" their filenames by replacing certain characters and then moving them to another folder. It's the renaming of the filenames that's causing MB to halt the batch file. Here is an example of one of the commands (this one removes exclamation marks from the filenames):

PowerShell.exe -Command "dir *.m* | Rename-Item -NewName { $_.name -replace '!',''}"

I've tried adding the batch file name to the allow list but that didn't help. It's not the batch file it's unhappy with, it's the individual commands within the batch file. I think if I were to add powershell.exe to the allow list that might work, but if powershell has the power to "do bad things" then it's probably unsafe to do that.

Any ideas? Maybe I can add the full command line (PowerShell.exe -Command "dir *.m* | Rename-Item -NewName { $_.name -replace '!',''}") and each of the other commands I do to the allow list, but I'm not sure if the allow list takes command parameters into account. I might find that I'm just adding powershell.exe ten times.


1 hour ago, Porthos said:

Until this is fixed, you will have to disable exploit protection to run the script.

That seems even more extreme than what I've done. I've added powershell.exe to the allow list. It remains to be seen if that's helped because it takes hours (hundreds of executions of the script) to find out if MalwareBytes is going to stop interrupting that script. If it does help, I'll try removing it from the allow list once a month - maybe MB will decide it was a step too far, stopping powershell from doing a fairly straightforward command. I'm sure lots of people will complain and lots of programs will no longer be able to do basic things.


3 hours ago, d4005 said:

That seems even more extreme than what I've done. I've added powershell.exe to the allow list. It remains to be seen if that's helped because it takes hours (hundreds of executions of the script) to find out if MalwareBytes is going to stop interrupting that script. If it does help, I'll try removing it from the allow list once a month - maybe MB will decide it was a step too far, stopping powershell from doing a fairly straightforward command. I'm sure lots of people will complain and lots of programs will no longer be able to do basic things.

Allowing the batch file didn't work.

Allowing powershell didn't work.

You'd think that a powershell command in a batch file causing MB to complain about exploits would be satisfied by both of them on the allow list. Seems not.
