Jump to content

RTP DETECTION - Exploit.PayloadProcessBlock + Exploit.PayloadFileBlock


Xarple

Recommended Posts

I had been getting RTP detections a couple days ago while scrolling through Youtube, are they false positives?

Example 1:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 9/30/23
Protection Event Time: 5:09 PM
Log File: 6c477016-5fa3-11ee-90a5-088fc32d2a3c.json

-Software Information-
Version: 4.6.3.282
Components Version: 1.0.2158
Update Package Version: 1.0.75821
License: Trial

-System Information-
OS: Windows 11 (Build 22621.2283)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Exploit.PayloadProcessBlock, C:\Windows\System32\Wbem\WMIC.exe wmic bios get serialnumber, Blocked, 701, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Windows\System32\Wbem\WMIC.exe wmic bios get serialnumber
URL: 

(end)

Example 2:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 9/24/23
Protection Event Time: 1:39 PM
Log File: 0d042cb2-5acf-11ee-b605-088fc32d2a3c.json

-Software Information-
Version: 4.6.3.282
Components Version: 1.0.2151
Update Package Version: 1.0.75617
License: Trial

-System Information-
OS: Windows 11 (Build 22621.2283)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Exploit.PayloadProcessBlock, C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe \S \D \c ver, Blocked, 701, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe \S \D \c ver
URL: 

(end)

 

I have disabled the Penetration Testing option after the last detection and so far I am not getting those type of detections anymore. But I am not sure it stopped because of that.

 

 

 

 

 

malwarebytes.png

Link to post
Share on other sites

1 hour ago, Xarple said:

Exploit: 1
Exploit.PayloadProcessBlock, C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe \S \D \c ver, Blocked, 701, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe \S \D \c ver
URL: 

(end)

The above detections can be corrected by the latest beta.

Please open Malwarebytes and go to Settings by clicking the small gear icon and go to the General tab, scroll down and enable Beta updates 

You may need to wait up to about 5 minutes or so, but then check for updates on that same General tab or the About tab and let it update to the latest Beta version 4.6.4

Once it has updated, RESTART the computer again and let us know if you're still having an exploit block

Please report back with an update.

After updating to 4.6.4 you may turn off the beta updates and wait for the release to catch up with you.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.