Jekko

February 24, 2017

Thanks TempLost!

I'll look into that more in the future .

February 24, 2017

Do you have CryptoPrevent 8.0 Free or Premium?

February 24, 2017

3 hours ago, Acrobaze said:

Hi @TempLost,

I was in the same case as you and after launching the .bat file, chameleon is visible now and the protection button has become active again.
But since I had renamed the desktop icon, I can not test the auto-protection easily anymore. Have you done it?

@Acrobaze - That was my mistake! Previously in MBAM 2.x we protected the desktop shortcut for malwarebytes. Another way to test if self-protection is working is, while it's turned on, to create a new folder in the Malwarebytes Program Files directory. C:\Program Files\Malwarebytes\Anti-Malware

@TempLost - Thank you for your response! I'll look into the 2 sets of logs you've sent, but if you have any clear instructions on program compatibility or conflict please don't hesitate to respond. You originally opened this thread for Web Protection issues so we can continue the conversation here.

February 23, 2017

I've modified the batch script I sent earlier. Based on the logs you sent with Event Logging on, we think this may solve your issue. Please run this file as admin again, and let us know how the results are.

Do not worry about uninstalling Avast or CryptoPrevent yet.

SP_Replace.zip

February 23, 2017

Thanks for the logs @TempLost. Unfortunately nothing clear has been found from procmon. We did see there were accesses by aswidagenta.exe which is Avast Identity Protection software. Could you try disabling Avast temporarily and running the batch script I gave you to see if self-protection can be enabled?

Also, can I ask you to enable Event Log Data in MBAM's Application settings? This will give more advanced logging to the MBAMSERVICE.log file.

Please try those steps and attach your mbamservice.log file afterwards.

February 23, 2017

Here is the process to get logs from ProcessMonitor:

Run procmon.exe.
Agree to the License Agreement.
Process Monitor will open and being collecting events from your computer.
Follow the other steps I've outlined earlier regarding SP_Replace.bat:
1. Run SP_Replace.bat as Administrator.
2. Wait for MBAM's UI to open.
3. Turn on/off self-protection in MBAM's Protection Settings.
Click on the save icon.
Look at the path for Logfile.PML.
Click OK.
Zip and Attach Logfile.PML back here on the forums.

If the file is too big, I can provide a box.com folder for you to upload to. Please let me know if you have any questions.

February 23, 2017

Thanks for the logs @TempLost. Your cooperation has been great! For some reason it looks like mbamchameleon.sys is being blocked when it should be created. Could you try the following?

Download ProcessMonitor.
Run ProcessMonitor.
Run SP_Replace.bat as Administrator.
Wait for MBAM's UI to open.
Turn on/off self-protection in MBAM's Protection Settings.

February 23, 2017

@templost

We're still looking into the issue, but if you could provide your latest mbamservice.log, that would be very helpful.

February 22, 2017

3 hours ago, TempLost said:

No difference, I'm afraid - and no sign of MBAMChameleon.sys. I ran the .bat file as Administrator.

@TempLost

Do you still see self-protection enabled in the UI?

Can you rename the shortcut for MBAM on desktop? This would prove to us if chameleon is protecting MBAM's files correctly.

February 22, 2017

Could you try the following?

Open cmd.exe with admin credentials and run the command: net stop mbamservice
Delete the file C:\ProgramData\Malwarebytes\MBAMService\config\SpConfigFile.json
Open MBAM.

Adversely, if you do not know how to do those steps, I am also attaching a file "SP_Replace.bat" which will do those steps listed. You will need to run SP_Replace.bat as administrator for it to work correctly.

After doing those steps, and MBAM is running again, please check if MBAMChameleon.sys has been replaced.

SP_Replace.zip

February 22, 2017

Yes, that is the correct path.

C:\Windows\System32\drivers

February 22, 2017

@Firefox

MBAM 3 also uses the mbamchameleon.sys file. It's for self-protection functionality.

February 22, 2017

Ok. Thanks for the reply. Please keep us updated

February 22, 2017

The only time you get a block notification is when you navigate to http://52.21.84.70/ ?

February 22, 2017

@Acrobaze

Thanks for the quick reply!

When you visit iptest.malwarebytes.org, do you get a block notification?

web_block.png.134f85b9e10f462a34a5424dfd548192.png

Do you see it added to your reports section from MBAM's UI?

web_reports.png.8159b035d1086904c155caed3e8d694e.png

First I want to confirm that you are getting visual confirmation from MBAM that a block is happening.

February 22, 2017

@TempLost,

Thank you for the reply. Please try turning off self-protection, then turn it on again. This should replace mbamchameleon.sys. Then attempt to turn on self-protection early start. If that does not turn on still, that means something is blocking mbam from replacing mbamchameleon.sys.

February 22, 2017

Acrobaze,

Have you tried clearing your browser's cache, or using CTRL+F5 to revisit the test block pages? If the browser has a cache on the website, it's possible you will see a block notification, but the webpage will not be redirected to https://block.malwarebytes.org/

February 21, 2017

Thanks for the links Super Dave.

As dcollins stated here we are still internally testing and looking for a solution.

February 21, 2017

Also question from our developers: Does the file C:\Windows\System32\drivers\mbamchameleon.sys exist?

February 21, 2017

Hello TempLost,

Do you see Web Protection turn off regularly? Are you able to turn self-protection on/off from the protection tab (Not only early start)?

February 21, 2017

Acroblaze,

Can you elaborate more on the issue? You are saying all protection layers are on, but you navigate to one of the test websites listed, and you see a notification stating protection is disabled?

Do you see this on your screen? protection_off_dashboard.png.e51f57a29d8af51de787037209cf4b24.png protection_off.png.3d3aeee5420b313a63404d29cff3639e.png

According to the logs you've attached, it shows Web Protection is enabled.

December 22, 2016

Please keep it enabled. It will protect your Malwarebytes files from being modified or deleted.

The Engineering team has identified which file is causing this issue. "AOL Downloads\<subfolder>\comps\vwpt\Vwpt.exe"

Until we can fix this, as @dcollins mentioned, please keep your exclusion for the AOL Downloads folder.

Thank you so much for your help with us on this issue!

December 21, 2016

Agreed. Thanks for being patient with us @TOH. We'll keep you informed with our progress.

December 21, 2016

@TOH,

Try these steps for running Procdump.

Download the following Procdump.zip file: Procdump.zip
Place procdump.zip in C:\
Extract procdump.zip.
Check that the extracted files are in the directory "C:\Procdump"
Right click "mbamservice_procdump.bat" and select Run as administrator.
- If you did the steps correctly you will see the following:
Run a threat scan with MBAM 3.0.
When MBAMSERVICE.exe crashes it should close that command window and generate a memory dump file in "C:\Procdump".

Please follow these directions because "mbamservice_procdump.bat" needs to be run in the directory "C:\Procdump" for it to work correctly.

December 20, 2016

For now, can you get me all the files in this folder?

C:\PROGRAMDATA\AOL DOWNLOADS\SUD4577\COMPS\TOOLBAR

Events

Profiles

Forums

Posts posted by Jekko

Important Information