Everything posted by pbust
-
Server Unresponsive - MBAE 1.10.2.41
pbust replied to BRAM's topic in Malwarebytes Anti-Exploit for Business
Try creating a separate policy and assign just this server to the new policy. In the policy set the check-in interval to something like an hour or two. Does that alleviate the problem? -
Server Unresponsive - MBAE 1.10.2.41
pbust replied to BRAM's topic in Malwarebytes Anti-Exploit for Business
Hi BRAM. The MBAE CLI are the configuration commands being executed from the Management Server. Those should only show up momentarily and then disappear by themselves. Try changing the check-in interval in the Management Console policy to something greater. That should ease up on the amount of commands being sent to the machine. -
This is probably due to anti-cheat protection system of Zula. If you added a custom shield for Zula, you can configure the shield to use the "Other" family, and turn off the ROP techniques for that shield family.
-
What's the pop-up you are seeing? Is it a balloon notification from the system tray saying that "XYZ application is protected" or something to that effect? If this is the popup you are referring to, please check the Anti-Exploit settings, specifically the "Show system tray notification tooltips" checkbox.
-
From here: https://forums.malwarebytes.com/topic/191650-malwarebytes-3-frequently-asked-questions/#comment-1077438
-
You don't have to change the server executable or its execution method through UNC. All you have to change is the anti-exploit settings. Go to MBAE advanced settings, Application Behavior Protect, and disable the LoadLibrary Protection for Browsers.
-
Unfortunately, you cannot exclude by MD5 for files executed through UNC. The workaround is to go to MB3 Protection settings, advanced anti-exploit settings, and disable the UNC LoadLibrary technique. This technique is disabled by default in our corporate products, so this problem should only appear in the consumer builds of Malwarebytes.
-
Unable to add to Anti-Exploit Exclusion List
pbust replied to AR_RCG's topic in Malwarebytes Anti-Exploit for Business
The latest is 1.10. Go to the Management Console -> Policies -> Anti-Exploit -> enable the checkbox "automatically upgrade MBAE agents". The agents will then upgrade themselves from the Internet to the latest version. -
Unable to add to Anti-Exploit Exclusion List
pbust replied to AR_RCG's topic in Malwarebytes Anti-Exploit for Business
This should have been fixed a while back. Please update your MBAE version to the latest available to verify the fix. -
Exploit Threat Detected - gsyncit outlook add-in
pbust replied to Imperator's topic in Malwarebytes Anti-Exploit for Business
Try upgrading to 1.10 to see if the problem persists: https://forums.malwarebytes.com/topic/208007-betapreview-malwarebytes-anti-exploit-110-build-24/ -
Yes, I know. All efforts lately by the bad guys are focusing on malspam tricks. Make sure anti-exploit is turned on. Related reading: https://blog.malwarebytes.com/threat-analysis/2017/08/locky-ransomware-adds-anti-sandbox-feature/ Stay safe!
-
That's one of the tactics the latest ransomware malspam campaigns are using. That's a legit block of an attack. It was blocked before the powershell payload could even run (and before the ransomware was even attempted to be downloaded into the endpoints).
-
7-zip is not protected by the latest beta.
pbust replied to Sampei_Nihira's topic in Anti-Exploit Beta
Like Ron said, the internal shields for the compressor family work in a different way than regular shields. It cannot be tested the same way as the regular shields (i.e. looking for dll injection, renaming the tool, etc.). -
Microsoft Office Exclusions
pbust replied to rcorley's topic in Malwarebytes Anti-Exploit for Business
That's a hard block. You don't want to allow Word to perform those types of actions. It's one of the top 3 malspam infection vectors. The only way to allow it is to deactivate the Word shield, which we obviously don't recommend. Seems like the parent is Java. Could this be by some in-house or third-party application? If that's the case, I'd be having a conversation about basic security best practices with the vendor. I know this puts you between a rock and a hard place and am sorry for that, but unfortunately from our perspective allowing this type of Word behavior would practically equate to allowing our customers to become infected.
-
Would MBAE have prevented the WannaCry ransomware?
pbust replied to ikjadoon's topic in Anti-Exploit Beta
Correct, network exploits like SMB/NetBios are outside the scope of MBAE. Btw IPS/IDS engines would also be blind to it at 0-day without a signature to apply to it. -
Sorry it took so long. The MB 3.1 beta has just been published here: https://forums.malwarebytes.com/topic/200230-new-beta-malwarebytes-3101716/ It includes the fix for the Office issue. FWIW I think you are all right. We've had a lot of issues in the past for how to deal with conflicts with betas and 3rd party software, but OTOH MSFT started throttling Win10 CU and MB3 should be compatible out of the gate. Let's keep it civil and thanks for keeping us honest.
-
David, I can assure you we are giving this issue top priority. There are a couple of other big moving parts with the impending release of 3.1 which includes this fix and is almost code complete. As soon as we have the build we will post it here and release an automatic Component Update to the entire user base. Sorry for the problem this has caused all of you. It was triggered due to an unforeseen last minute change in the Win10 Creators Update. We have been in communication with Microsoft since the first time this was reported and are working with them on a daily basis to deploy the fix asap.
-
This is a false positive by Spyshelter. See if you can exclude MBAE from Spyshelter.
-
Avast reports issue after scanning mbae-setup-1.09.1.1346.exe
pbust replied to hake's topic in Anti-Exploit Beta
Thanks! It is not unheard of for signature-based products to trigger on certain characteristics of an exploit mitigation product. But that's just it, another drawback of failed attempts of using signature approaches to trying to detect exploits, like the vast majority of the traditional AV vendors do. -
Avast reports issue after scanning mbae-setup-1.09.1.1346.exe
pbust replied to hake's topic in Anti-Exploit Beta
It's obviously an Avast FP. -
We're in touch with Grammarly and hope to have a more permanent solution for our common customers soon. Please stay tuned.