MWB and Win Security: Attack Surface Reduction?

I'm running MWB Windows 4.6.8.311 on Win 10 with Windows Security activated. The latter is generating alerts that MWB doesn't:

"Your administrator has blocked this action:

App or process blocked: lsass.exe

Blocked by: Attack surface reduction

Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)

Affected items: C:\windows\System32\taskhostw.exe"

I have scoured the system and there's only one lsass.exe that is properly signed.  I run MWB full scans weekly.  It's not clear to me if Win Security's action is superfluous or if MWB is missing an infection somewhere that is trying to hijack taskhostw.exe to get at local credentials.

Any ideas?

Thank you.


@Docfiddle

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove pesky malware.

Please respond to all future instructions from your helper in a timely manner.

Please do the following so that we may take a closer look at your system for any possible infections.

Do these 2 steps FIRST so that hidden files and folders are set to SHOW, and also turn OFF Windows Fast Startup.
Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Then please restart the computer and do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool. The tool also downloads and runs a file called FRSTEnglish. Please allow it to run.
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Desktop or on the hidden Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply

    Then be patient for the next expert to take your case.

Thank you


mbst-grab-results.zip

Folks: I'm simply wondering if MWB has anything similar to WinSecurity's "attack surface reduction."  That feature has been activated often recently, but my MWB scans come out clean.  

When I ran the Support Tool, WinSecurity responded:

"Block executable files from running unless they meet a prevalence, age, or trusted list criteria

Affected items: C:\Users\pbk\AppData\Local\Temp\mwb1F16.tmp\FRSTEnglish.exe"


7 minutes ago, Docfiddle said:

"Block executable files from running unless they meet a prevalence, age, or trusted list criteria

Affected items: C:\Users\pbk\AppData\Local\Temp\mwb1F16.tmp\FRSTEnglish.exe"

Something either blocked the download of FRST (part of the support tool) or you may have some type of issue with your networking setup.

Get a screenshot of the block when the above happens as it seems you have some non-default feature of Windows security enabled.

Please manually download and run the tool


Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you


Perhaps, but this isn't a business-controlled PC, and I don't recall activating exploit protection.  The question for me is whether this duplicates an MWB feature, or if it is additive and finding something MWB hasn't.  I'm trying to determine whether this wave of content blocks and interventions requires attention, or if it can be ignored, or Exploit Protection disabled (or some of its sub features disabled).

2024-02-19_17-32-29.jpg

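One way to see which ASR rules are actually configured and which ones have fired before deciding to reset or relax them, as an added example that is not part of the original thread or of Malwarebytes' tooling. It assumes an elevated PowerShell prompt on the affected machine; the two rule GUIDs are the published Defender identifiers for the rules named in the alerts above, and the 7-day window is an arbitrary choice.

```powershell
# Added example (not from the thread). Lists the configured Attack Surface
# Reduction rules with their mode, then the ASR events Defender logged,
# so the rule that fired and the affected file can be reviewed.

# Friendly names for the two rules seen in the thread; any other configured
# rule is shown by GUID only.
$ruleNames = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless prevalence/age/trusted-list criteria met'
}
# Action codes used by Get-MpPreference for each rule.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
$actions = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })

"Configured ASR rules:"
if ($ids.Count -eq 0) {
    "  (none configured - this is the Defender default; ASR rules are not enforced)"
}
for ($i = 0; $i -lt $ids.Count; $i++) {
    $id   = $ids[$i].ToString().ToLower()
    $name = if ($ruleNames.ContainsKey($id)) { $ruleNames[$id] } else { $id }
    $mode = $actionNames[[int]$actions[$i]]
    if (-not $mode) { $mode = "code $($actions[$i])" }
    "  {0,-9} {1}" -f $mode, $name
}

# Event 1121 = a rule fired in block mode, 1122 = in audit mode. Each event
# message names the rule GUID, the process and the target file, which is the
# information needed to judge whether a block is a false positive.
"`nASR events from the last 7 days:"
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
                  @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } },
                  Message |
    Format-List
```

A rule left in Audit mode only logs 1122 events and never blocks, which is the usual way to evaluate a rule before enforcing it.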

3 minutes ago, Docfiddle said:

I'm trying to determine whether this wave of content blocks and interventions requires attention, or if it can be ignored, or Exploit Protection disabled (or some of its sub features disabled).

Overkill, and will prevent some safe programs from functioning.

I would put it back to default.


You're right, I did use Configure Defender some time ago to set Defender settings.  I just reloaded it and reset to defaults.

Pulse Secure is an old VPN tunnel for my work years ago.  Easy to remove -- just the setup file?  Or is Pulse somehow running and causing trouble?


1 minute ago, Docfiddle said:

You're right, I did use Configure Defender some time ago to set Defender settings.  I just reloaded it and reset to defaults.

Hopefully, that corrects it. Test some of the things that were being blocked.

2 minutes ago, Docfiddle said:

Pulse Secure is an old VPN tunnel for my work years ago.

Are they the ones who provided Microsoft 365 Apps for enterprise? They could have set additional group policy settings for additional security.

Since you are not using Pulse Secure, uninstall it if you can.


Thank you, resetting WinSecurity to its defaults stopped the misbehavior. You mentioned that those settings constitute "overprotection." I take it that MWB's exploit protection doesn't go as far? Pulse Secure is a Juniper VPN program for tunneling into work -- it didn't download with M365 as far as I can tell. I don't need it and have deleted it. Again, thank you for your assistance.

