I have some courses for my engineering study that use a password-protected video. Every time I run any video, I get an alert from the behavior blocker. So I created an exception for the whole folder in the behavior blocker module, but I still get the same alert for every video. Thanks in advance.

Screenshot (1).png

Screenshot (2)_LI.jpg


I assume that when you run one of the .exe files shown in your first screenshot it unpacks another .exe, then runs that. The problem is that the second .exe - in a subfolder of \temp\ - is the one that gets the BB detection. I expect that the subfolder has a different random name every time something is unpacked.

There's probably not a satisfactory solution, since although you could set up an exception for files in \temp\, that's a really bad idea because malware is also quite likely to get unpacked and run there and if that happens you definitely want to know about it.

Sometimes .exe's that contain packed files can be inspected or unpacked using a tool like 7z; if that's possible with these files you could at least unpack them into a specific folder whose name you determine, and have an exclusion for that folder.

11 hours ago, JeremyNicoll said:

There's probably not a satisfactory solution, since although you could set up an exception for files in \temp\, that's a really bad idea because malware is also quite likely to get unpacked and run there and if that happens you definitely want to know about it.

Actually our exclusions support wildcards, so a path like the following should work:

%TEMP%\????????-????-????-????-????????????\pro*.exe

The question marks are a form of wildcard and each takes the place of a single character, unlike the asterisk, which will match with more than one character at the same time. Assuming that the number of characters is always the same, it should work just fine.

To add that exclusion, if you're not using the management console via MyEmsisoft, then just add a monitoring exclusion for a program (it doesn't matter which one), then click on the new rule to edit it, and paste the example exclusion I gave you above to replace it. Once you click anywhere outside of the list of exclusions it will save and apply your changes.

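One way to check what a wildcard exclusion like the one above covers before relying on it, as an added example (not part of the original posts and not Emsisoft code). It assumes that `?` matches exactly one character, that `*` matches any run of characters, that neither crosses a backslash, and that matching is case-insensitive; the `%TEMP%` expansion, the broad comparison pattern and all sample paths are constructed.

```python
import re

# Assumed expansion of %TEMP% for the constructed samples below.
TEMP = r"C:\Users\student\AppData\Local\Temp"

def wildcard_to_regex(pattern, temp=TEMP):
    """Translate an exclusion path with ? and * into a compiled regex.

    Assumptions (not confirmed by the product's documentation):
    ? matches exactly one character, * matches any run of characters,
    neither crosses a backslash, and matching is case-insensitive.
    """
    pattern = pattern.replace("%TEMP%", temp)
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(r"[^\\]")
        elif ch == "*":
            parts.append(r"[^\\]*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)

def excluded(paths, pattern):
    """Return the paths that the exclusion pattern would cover."""
    rx = wildcard_to_regex(pattern)
    return [p for p in paths if rx.fullmatch(p)]

NARROW = r"%TEMP%\????????-????-????-????-????????????\pro*.exe"
BROAD = r"%TEMP%\*\*.exe"  # hypothetical blanket exclusion, for comparison only

# Constructed sample paths, as they might appear in behavior blocker alerts.
SAMPLES = [
    TEMP + r"\3f2a9c1e-7b44-4d10-9a6e-0c5d8e21b7f3\protected_player.exe",
    TEMP + r"\3F2A9C1E-7B44-4D10-9A6E-0C5D8E21B7F3\PROJECTOR.EXE",
    TEMP + r"\3f2a9c1e-7b44-4d10-9a6e-0c5d8e21b7f3\setup.exe",
    TEMP + r"\7zS4A1B\pro_player.exe",
    TEMP + r"\3f2a9c1e-7b44-4d10-9a6e-0c5d8e21b7f\protected_player.exe",
    TEMP + r"\3f2a9c1e-7b44-4d10-9a6e-0c5d8e21b7f3\sub\protected_player.exe",
]

if __name__ == "__main__":
    for name, pat in (("narrow", NARROW), ("broad", BROAD)):
        hits = excluded(SAMPLES, pat)
        print(f"{name}: {len(hits)} of {len(SAMPLES)} sample paths excluded")
        for p in hits:
            print("   ", p)
```

Under these assumptions the narrow pattern leaves four of the six sample paths monitored, while the blanket pattern leaves only one.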
