Posts posted by pbust
-
-
1PW had the issue with KeyScrambler. He's still running some tests to finish troubleshooting the problem. I'll point him to this thread so that he can post his findings when he's done testing.
-
Thanks for confirming that. We've only had one case of this issue happening and that's the reason it is there, just in case. It's good to know it is not happening to you. Would you mind sharing what other security products you have installed on your computer?
-
Last updated: April 16, 2020
Malwarebytes 3.0 (MB3) -- Known Issues in Anti-Exploit Module:
None
MBAE Standalone -- Known Issues and Conflicts:
- Unload protection blocks after upgrade to a new version of MBAE: Some machines with Malwarebytes Anti-Exploit upgrading from any version above 1.13.x.99 to a newer version (for example - 1.13.x.164) have been seeing "Unload protection" blocks. These are false positive alerts and from our initial analysis, we see that these blocks are triggered only during/immediately after the upgrade and do not recur after the upgrade is complete. The team is looking into providing a resolution soon.
- FireEye Endpoint Agent Version 24.9.0: We have identified a hooking incompatibility (specifically, LoadLibraryEx API) with FireEye Endpoint Agent on Windows 10 machines which results in Internet Explorer crashes. Please contact FireEye to report this issue. The only known workaround is to either uninstall FireEye Endpoint Agent or unshield IE as a protected application in Malwarebytes Anti-Exploit.
- Malwarebytes Anti-Exploit blocks Microsoft Office applications on VMware Horizon View. The problem comes from VMware injecting its dll (vmwsci.dll) in allocated memory from APC. We cannot exclude this behavior from within the product since it reduces the protection offered by the product. Instead, as a workaround, users can disable MBAE Settings->Advanced Memory Protection-> Malicious Return Address detection for MS Office. Please also make sure to report this issue to VMware.
- Sophos Intercept X (HitmanPro). Both MBAE and Intercept X are exploit mitigation products providing similar functionalities. However, MBAE provides a more comprehensive protection due to its Layer0 and Layer3 protections. More information here. It is not recommended to run both products alongside each other, and if done so, will result in unpredictable crashes/hangs of protected applications. We suggest that you uninstall/disable the Intercept X module of Sophos EndPoint security on computers where MBAE is installed.
- Enhanced Mitigation Experience Toolkit (EMET). Both EMET and MBAE are exploit mitigation products that apply similar protections and apply similar API hooking & techniques. However, MBAE provides a more comprehensive protection due to its Layer0 and Layer3 protections. More information here. It is not recommended to run MBAE and EMET together. Some users have reportedly managed to run both together by tweaking the EMET techniques, but this is not a Malwarebytes officially supported configuration.
- Trusteer Rapport. Trusteer's "Pinpoint technology", which tries to detect the presence of Trusteer through a webpage, introduces a conflict whereby it cannot detect the presence of Trusteer's hooks. There is a long history of complaints about IBM's lack of interest in fixing Rapport's conflicts with dozens of security applications. We've managed to make Trusteer work with most web browsers but in the case of Pinpoint technology, it does not know how to deal with basic chained API hooks. We are working on a new mechanism to handle these types of conflicts.
- ESET9. A bug exists in the API hooking mechanism of ESET9 that triggers when using ESET9 + MBAE + Firefox. The Firefox crash shows a stack overflow typically generated by ESET. This problem is likely also happening between ESET9 and other security products as well.
- New Comodo Bug. We found a second new bug in Comodo which may cause conflict with MBAE and result in browsers not being able to open correctly. It seems when MBAE injects after Comodo there is no problem, but if Comodo injects after MBAE then Comodo doesn't handle the chained hooks correctly. A fresh re-install of MBAE might temporarily solve the problem (as it sometimes makes MBAE handle the API hooks after Comodo) but the definite bug fix must come from Comodo.
- McAfee HIPS (new): We recently identified another bug in the hooking engine of McAfee HIPS that causes crashes of protected applications. McAfee HIPS hooking engine fails to disassemble an instruction and generates a breakpoint exception in HcThe.dll resulting in the crashes. HcThe.dll hooks a couple of Windows APIs and in some specific cases, if a function is already hooked and McAfee HIPS attempts to hook this API, it fails to disassemble the instruction and generates a breakpoint exception. This conflict is not just with MBAE but with other security products dealing with API hooks as well. If you are experiencing this issue, please contact McAfee to report this bug to them. We are working on a new mechanism in MBAE to handle these types of issues caused by buggy third-party code.
- McAfee HIPS (old). We have identified an API hooking bug in older versions of McAfee HIPS that may cause a conflict with MBAE. The bug is located in the HCTHE.DLL component of McAfee HIPS. Simply disabling McAfee HIPS does not disable the hooking or solve the bug, so the solution is to upgrade to a fixed version of McAfee HIPS. We are working on a new mechanism in MBAE to handle these types of issues caused by buggy third-party code.
- Websense Endpoint hooks KernelBase!LoadLibraryExW API via QIPCAP64.DLL. MBAE also hooks this API. However, due to a bug in Websense's hooking mechanism, it improperly handles the hook and may create crashes when opening Word, Excel or other applications. If you are experiencing this issue please contact Websense to report this bug to them ("bad attempt to copy jmp qword instruction rip based"). We are working on a new mechanism to handle these types of conflicts.
- Ghostery Add-on for Internet Explorer 11 alongside MBAE, or any other product that hooks wininet APIs, makes IE crash. This is because Ghostery is making incompatible API hooks, i.e. without taking into consideration that there might be other products hooking the same APIs.
-
Nope, no need to disable MBAE while running scans with your other security products.
Other than a few exceptions (Sandboxie, KeyScrambler, etc) MBAE can be run alongside most security software.
-
Thanks Weyoun for the confirmation and thanks everyone who submitted the FP to Microsoft!!
-
Yes, known problem. We will make MBAE Windows 8.1 compatible in the next build.
-
This is a known issue that happens sometimes. It will be fixed with the new GUI.
In the meantime as a workaround kill mbae.exe and start it again or exit it and re-install it altogether.
-
Cool, thanks for testing and for the confirmation WideGlide!!!
-
Microsoft confirmed to me they have fixed the FP. Can anyone please re-install MBAE next to an updated MSE or Windows Defender and confirm?
-
Great, thanks for confirming Wilpower!
-
The file they are detecting is mbae-test.exe.
Please report it here to help us get Microsoft to remove this detection:
https://www.microsoft.com/security/portal/submission/submit.aspx
Make sure you choose the option "I believe this file should not be detected as malware".
The more people report it the more likely and quicker they will resolve it, so please take the time to report it to them.
Thanks!!
-
Maybe they haven't pushed out the fixed update yet. If you can please try installing MBAE again tomorrow after Avast updates and let me know if it is still FP'ing.
-
Glad I could be of help!
-
Avast fixed this issue about 6 hours ago. Please update Avast and try again. If you are still getting a detection post back here.
-
The Windows Help version that MBAE protects is HelpCtr.exe which is found in older versions of Windows and which has been used in the past by exploits.
The new Windows Help you are showing is HelpPane.exe which is not targeted by exploits nor has any known remote code execution vulnerabilities. If (or when) hackers find a vulnerability with HelpPane.exe we will add it to MBAE.
-
Glad to be of help! Drop by anytime.
-
Yes, this is a known issue. It will be fixed in the next MBAE release.
-
Malwarebytes Anti-Exploit protects against exploits, which are typically the infection vector of choice for cyber-crime gangs who install banking trojans. So yes from that perspective it will protect your online transactions. Also it will help if you install Malwarebytes Anti-Malware to scan your computer to make sure it is clean from trojans and other malware.
-
OK I see what you mean now. It is normal that MS Office apps are not showing up in the LOGS tab of MBAE. This is known issue #3:
https://forums.malwarebytes.org/index.php?showtopic=134888
We will work on improving the inter-process communication of MBAE shortly and probably fix this soon. In the meantime if you open Adobe Acrobat Reader, Windows Media Player, Foxit Reader, VLC, etc they should all show up in MBAE's LOG tab.
As for sandboxed applications, it is normal that they are not injected (i.e. protected) by MBAE as they are sandboxed.
-
Thanks for pointing it out! It seems both Avast and Rising have a false positive with mbae-test.exe. I will contact them immediately.
-
It seems you have bigger problems in your computer. If I were you I'd uninstall some applications one by one, starting with the security apps, and try again until you find the culprit of the conflict. Once you're kosher then start adding them again, one by one, and verifying everything stays kosher.
-
mbae.dll should not be injected into DefenseWall. Try turning one and the other on and off to see if you can find some steps for replicating the issue.
-
That's weird. What third-party security applications are you running? Does this also happen without MBAE installed?
Also might be helpful to try using two or three different anti-rootkit apps to scan your system.
-
Welcome to the forum.
Please uninstall MBAE completely, reboot, and install again.
Once installed download and run (as admin) SysInternals Process Explorer. Once running open a couple of browsers, Word, Excel, Windows Media Player, Adobe, etc and then search within Process Explorer using the binoculars icon for "mbae.dll". Does it find anything? Under normal circumstances it should find mbae.dll injected into every process you opened. Take a screenshot of the search result window and post it here.
Then run C:\Program Files\Malwarebytes Anti-Exploit\mbae-test.exe and press the Exploit button. Does MBAE block the test?
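The same injection check the post asks for, done from PowerShell instead of Process Explorer, as an added example that is not part of the original post. It lists which of the commonly protected applications currently have mbae.dll loaded and which do not; the process-name list and the module name are assumptions taken from the post, not read from MBAE's configuration.

```powershell
# Added example: report whether mbae.dll is loaded in the applications the
# post asks you to open. Run from an elevated PowerShell of the same bitness
# as the target processes, otherwise module enumeration may be refused.
$dll = 'mbae.dll'
# Assumed process names for the apps named in the post (browsers, Office,
# Windows Media Player, Adobe Reader); extend to match your own shield list.
$expected = @('iexplore', 'firefox', 'chrome', 'winword', 'excel',
              'wmplayer', 'acrord32')

$report = foreach ($p in Get-Process) {
    if ($expected -notcontains $p.ProcessName.ToLower()) { continue }
    $state = 'not injected'
    try {
        $hit = $p.Modules | Where-Object { $_.ModuleName -ieq $dll }
        if ($null -ne $hit) { $state = 'injected' }
    } catch {
        # Typically a 32-/64-bit mismatch or insufficient rights, not proof
        # that the DLL is absent; re-run elevated with matching bitness.
        $state = 'access denied'
    }
    [pscustomobject]@{ Process = $p.ProcessName; PID = $p.Id; Mbae = $state }
}

# Processes from the expected list that are not running at all are simply
# absent from the output; open them first, as the post instructs.
$report | Sort-Object Process | Format-Table -AutoSize
```

Any expected application showing "not injected" is the one to screenshot and post, alongside the result of the mbae-test.exe check.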
In "[SOLVED] MBAE and KeyScrambler conflict" (Anti-Exploit Beta), pbust posted:
Thanks for confirming ritchie! The issue was reported after an upgrade to 0.09.4 so please do post back if you see anything after upgrading.