Rsullinger

Staff
Posts posted by Rsullinger

  1. Hello IvanIvanovich,

     

    The setting that is causing this was something that was disabled in prior versions but enabled in this one. It is something that can be disabled again so you can get your managing software up and running again. To do this, open up mb3 and go to the settings pane on the left. From here, click on the Protection tab and click on Advanced settings. From there, click on the Java Protection tab. The option you want to deselect is 'Java malicious inbound shell protection'.

    Disabling that will allow you to continue to use the product without an issue. 

  2. Hello Sampei_Nihira,

    The reason why you are not seeing it injected there or you are not able to add the shield (also what cutting_edgetech mentioned as well) is because 7zip/winrar/winzip apps are protected internally but they work differently from regular shields. So you won't see the normal behavior as you would with a regular mbae shield. This is something that has always been in the product. So you are still protected using those apps. 

    I do apologize for the delay with this. I was getting the information clarified by our team to make sure I was giving you the correct information. 

  3. Hello,

     

    The main issue with the suggestion of trying other browsers is Johnny will not run into that issue on another browser. Google and Firefox, for example, do not use client-side vbscripting.

     

    However, it is not uncommon for websites with a portal, like banking websites or e-mail clients, to use a vbscript to load it in IE. Unfortunately, from the log I won't be able to tell if it's malicious or not, since we block the action that it is doing, not the script itself. The script could be perfectly fine and we just block the first instance of it. So if it is something the bank website is doing, it should be able to continue the login so you can navigate your bank like normal. Just to confirm as well, it is only this bank login, correct? You don't get it from going to any other site?

     

    One thing you can do to see if it is something in IE is just restore IE back to default. 

     

  4. Hello Sandy,

     

    Do you mind taking a screenshot of the programfiles(x86) directory of anti-exploit? If there is a tmp folder in there, do you mind taking a screenshot of what is in there as well? If a reboot does not fix it, then it can sometimes mean that the files did not transfer correctly on the upgrade. So I want to see if any files did not swap over and what files they are.

     

    I also had a separate question: did the machines you have deployed (with or without 1.8 mb console) have 1413 on them already? 

  5. Hey Simon,

     

    I am not seeing any errors in those logs. Do you happen to have any network firewall restriction that prevents .exe files from being downloaded from CDNs like that? From a few customers I worked with, this is not uncommon and will stop our program from updating. It reaches out to those addresses when a service restart happens (or through the day) to check if it has the latest version. If it doesn't, it pulls the .exe package directly and runs it under the system account. If you don't, we may need to get a Wireshark log next after a service restart occurs. But let's look into the .exe possibility first. 

  6. Hey Simon,

     

    It may be because of this one:

     

    https://sirius.mwbsys.com

     

    Sirius is where anti-exploit goes to check in and get updates as well. So make sure that is added along with all of them being allowed outbound 443. That should allow you to connect and get it. Once you do that, restarting the computer should prompt it to reach out to the server and update. If it doesn't update after about 10 minutes, collect the C:\Programdata\Malwarebytes anti-exploit log directory from one of the computers and I can take a look at why that is occurring! 

  7. Hey Simon,

     

    I understand now, thank you. So aside from the deployment of what MBMC currently has in it and doing a manual install like you did, the only other way of updating endpoint agent clients is to use the automatic update feature that is in mbae. With the setting enabled your clients will reach out and get the latest version and install it without you having to do anything manual. If you go into the policy your clients are on in the management console, you should see the anti-exploit tab at the top. In the upper right corner should be the option for automatic updates. If you want to enable that, it will allow your clients to update when the latest version is released automatically. So if you set that and have your clients check in and get the policy update, they will reach out and get the newest anti-exploit version shortly after that. 

  8. Hey Dgar,

     

    Just wanted to confirm something based on what I was seeing in the log. Is this PowerShell script using VBScript to launch the intended file? If so, you may just need to disable the VBScript protection in the advanced settings (the one under application behavior protection) and you shouldn't see this issue. 

  9. Hey Iambry,

     

    It seems like the tool didn't gather the logs, which is strange since there should have been an alert generated for this. I apologize for this, but can you collect the C:\ProgramData\Malwarebytes Anti-Exploit directory for me so I can be sure the logs are collected? If an alert was indeed created, it should be in that directory. 

  10. Hello Iambry,

    I want to have you collect some logs from the event so I can look into this further. To do this:

    Please download our diagnostic tool, MB-Check, to your Desktop from this link: https://downloads.malwarebytes.com/file/mb3_check

    Double-click it to run it. A black command prompt window will appear momentarily and you will see a message appear telling you to locate the zipped log files.

    A zip file named mb-check-results.zip will be saved to your Desktop. 
    Please attach this file to your next reply.

  11. Hello @spnkzss,

     

    Did you just recently upgrade to 1.8.0.3443? If so, did you push out the updated managed client to the machines that were having this problem yet? This seems like it may be an issue caused by the managed client not using the policy you currently set. It is recommended you upgrade the managed client if you have not done so already. If this has already been done, then I want to see some logs from a client in question to see why our policy is not applying that auto upgrade setting. To do this:

    - Locate this folder on the client computer: C:\Program Files (x86)\Malwarebytes' Managed Client
    - In this folder, right click the 'CollectClientLog.exe' utility and run it as admin.
    - Save these logs to the desktop of the computer.
    - Zip up this folder and attach it here.

    @StewOMC A new version has not been released yet unfortunately. Our Technical product manager for anti-exploit responded on this post with an update. I do apologize for the delay in that and the frustration it is causing:

     

  12. Hey ZZyzx,

     

    We have been getting a few reports of this. I am going to reach out to you in a PM to collect some debug logs from you. Please go ahead and send them back in the PM so I can get this over to the team! 
