.jpg.9677e5689bab176f751e57ec4ce6e9a4.jpg)
Rsullinger
-
Posts
533 -
Joined
-
Last visited
Content Type
Events
Profiles
Forums
Posts posted by Rsullinger
-
-
Hey Sheend111,
So like i thought, that application is not protected normally so I think it was just a false positive on our side. If you don't know how you triggered it then it may have just been something was trying to launch it and we monitored it at that point. Unfortunately, it looks like the logs over wrote the information about what happened during that time so I can't check. If it happens again, can you try collecting those logs again? I don't think it will happen based on what I was able to see in the logs. However, since I am not sure what triggered it, It is is hard to say for certain.
-
Hey Scut1,
Thank you for the logs. It does look like it is hooking a bit abnormally. To be on the safe side, can you run the clean tool found here:
https://forums.malwarebytes.org/applications/core/interface/file/attachment.php?id=199258
and then re-install using this link:
https://malwarebytes.box.com/s/xhbp0e8xyj4iom093gdtwyervxva0zxh
That should resolve the issues I am seeing.
-
Hey Scut1,
That does not sound right. While there is way to hide the GUI, mbae.exe should still be running. Do you mind collecting the logs from here so I can confirm there is no issue with the downgrade:
-
Hey Sheend111,
Do you mind collecting the logs from this article:
https://support.malwarebytes.com/docs/DOC-1375
That block is a bit strange since it looks like that Jriver application is the process getting blocked. I want exactly it is getting blocked for in the logs.
-
Hey Iam-Mike,
I want to assist further with the ROP block issue you are having in chrome/firefox. I am going to shoot you a PM to collect some additional information and get this fixed!
-
Hey Slack,
In the case of mbae 1.11, the build that is posted on the forum is a build that is updated more frequently then what we push out through automatic updates. These usually include 1 or 2 fixes that we are putting in the forum to test before deploying it out. We will push it out through automatic update at a later time and it will most likely be another build number down the line.
For ARW, the build that you have put are functionally the same. 0.9.18.807 as it is the official release version. The numbers after that are our CU updates which do get pushed out automatically when we release them. It is not like with mbae where it is a whole new version, those are updates to our software that can be served without you needing to install a new version. So if you are seeing one that is behind, it may be it haven't reached out and made connection to our server yet to get that update.
-
Hey Craig Leach,
I am going to send you a PM with a test build that should fix this issue. I want to get some feedback if it fixes it. You should be seeing it shortly.
-
Hey StuartWake,
No problem, I assumed that may have been the case. I am going to have you collect one more log for me so I can send this to the team for more informaiton. You can send me these logs in a PM if you want since it does give information like installed programs and such:
1: Please download FRST from the link below and save it to your desktop:
FRST 32-bit version: https://downloads.malwarebytes.com/file/FRST
FRST 64-bit version: https://downloads.malwarebytes.com/file/FRST64
2: Double-click the purple FRST icon to run the program. Click Yes when the disclaimer appears.
3: Click the Scan button
4: When the scan has finished, it will make 2 log files in the same directory the tool is run, FRST.txt and Addition.txt. Please attach both files in your reply.
-
Hey StuartWake,
It seems like the service is failing to install. All the other files looks to have swapped correctly, just the install on that service is not happening. On the installations you attempted, did you use the 1.10 version directly or try to upgrade from the prior version?
Use this link if you have not been using the 1.10 directly:
-
Hey Stuartwake,
Sometimes this can occur if the files we install for the update do not swap over correctly. Do you mind zipping up the C:\ProgramFiles(x86) directory of anti-exploit so I can see if any of the files failed to swap?
Thank you,
-
Hey Firefox,
It does seem similar to that report that we have seen from that other user. I am going to send you a PM to enable debug logging so I can get this over to the team.
-
Hello rstran,
I want to have you collect some logs for this issue so I can get this over to the team. To collect these, please follow the instructions from this article:
https://support.malwarebytes.com/docs/DOC-1375
Thank you,
Ron S
-
Hey Cutting_edgetech,
Thank you for reporting this. I am going to reach out to you in a PM to collect some debug logging for this event. It should help us collect any data for that memory leak without you having to do anything special on this.
-
Hello Adam,
Thank you for those initial logs. I am going to send you a Pm to collect me some debug logs so I can get this over to our team to examine the issue further.
-
Go ahead and send me them in a PM. I will see if the team can get anything from them.
-
Hey All,
DO you mind collecting these logs after the issue occurs:
I am going to get this over to our team to look into the issue. Thank you for anyone that has already uploaded the logs in this thread.
-
Hey Johnny,
I have not heard of any memory leakage issues like that with the latest build. When it happens, do you mind collecting these logs:
-
Hey QasimAzam,
On one of the machines having the issue, can you try removing anti-exploit with this tool:
https://malwarebytes.box.com/s/6oqwak9n6m85ps2ccou2lfhxtsfwphbo
and try re-installing 1.10 on the machine again with this link:
https://malwarebytes.box.com/s/r90csauab5broqn7ngnr8nh77knl5m90
I want to confirm if this is something that occurred from an upgrade/install issue since no alerts are being generated.
-
Hey TheRidingMan,
I will see if I can get that part tweaked a little bit. I do see what you are saying and it is not that clear in scenarios you would use it.
Let me know if you have any other issues!
-
Hello TheRidingMan,
So to answer the first one, as long as the management software is installed, you just need to restart the service (or computer) and it will re-query the installed products and send the status to the server. It acts like a standalone installation that is managed by the management software on the machine. So it will show up after the restart is done.
I do not need any logs. You hit the nail on the head to what the issue is. So what is happening is since you are deploying out the management software without anti-exploit packaged, it is deploying it without the key. So when you deploy it standalone through your GP, it installs just fine but doesn't get activated. This prevents the UI from being launched and running. So you can easily push out those registry entries you see to get it activated on all the computers you are deploying. I have used a simple .bat like this before to push it out as well:
https://malwarebytes.box.com/s/6oqwak9n6m85ps2ccou2lfhxtsfwphbo
In the script, just replace the x's in the ID and key entries with your own id and key.
This can technically be done at any time pre or post install. But I would do it after you have deployed the GP with the .msi.
-
Hello TheRidingMan,
Here is the link to that clean tool you were mentioning:
https://forums.malwarebytes.org/applications/core/interface/file/attachment.php?id=199258
Can you try that? After doing the removal, can you try installing it manually on the machine as a test? I want to see if it works when you do the manual install. I want to confirm a few things with the manual install.
-
Hey Hake,
Go ahead and send them to me. If possible, can you get the logs from anti-exploit and the C:\programfiles directory of anti-exploit. Want to get this over to our team to investigate.
-
Hello CeeBee,
Here is the link to try it. Let me know if it still works. We may want to look into the issue on 41 but I want to make sure your machines are working first:
https://malwarebytes.box.com/s/8umd458hglerj1apq52jy76rd52temqm
-
Hey RegitDept,
That is strange. If you happen to run into the issue again after that re-install, go ahead and follow the instructions in my PM and I can get this over to our team.
Heap Memory Blocked
in Malwarebytes Anti-Exploit for Business
Posted
Hey Sheend111,
No problem! It may be trying to call something that could have been malicious. If you notice anything else like that, feel free to reach out and I can confirm what is happening!