exile360

Everything posted by exile360

  1. Well, so far Microsoft has acknowledged it and Intel has released a patch for it and at least one of the BIOS vendors is preparing to issue patches for it, so I'm guessing their claims are legit. If you didn't read the PDF, I'd highly recommend doing so as it provides a lot more details about this threat and its potential impact.
  2. That's the problem, this vulnerability provides ring 0 access to user mode processes; that's why I'm so concerned. Not only that, but it also potentially gives them write access to the firmware of affected devices (UEFI/BIOS from the likes of Phoenix and American Megatrends among others; two of the most prominent BIOS makers for motherboards) so they could literally write their own malicious firmware to the devices in question, so it's not a matter of finding a vulnerability within the firmware/BIOS to exploit because this vulnerability gives them everything they need, so all they have to do is compile malicious firmware for the devices they're targeting and it's game over. This vulnerability has a lot of potential to be very bad because of the privileged access it gives them directly from user mode; levels of access not even given to AV/AM providers I might add, nor even admin/root admin users (in other words, not even the hidden administrator account logged into Safe Mode has this level of access/permissions). Maybe we'll get lucky as we have so far with the likes of Spectre and Meltdown and no one will exploit it widely in the wild, but such a gaping hole that potentially affects so many devices makes me very nervous, especially when it could potentially mean the installation of an undetectable rootkit in firmware that can only be removed by flashing/rewriting the firmware because it survives a full system/OS format.
  3. By the way, I found this article on how to disable it. It's for XP and Vista but it likely applies to more current versions of Windows/Office as well.
  4. I don't know about that. It never caused any issues when I would break it, and I've been using MS Office 2010 for years now and it hasn't ever installed/enabled CTFMON on my systems (even though I stopped breaking it back in the XP days, specifically because it no longer gets activated in Windows 7, at least it never has for me). It is used for alternate input methods like text-to-speech, tablet input devices and onscreen keyboards, so if you use such an input device then it's likely best to leave it alone, and I'm sure this is why MS Office would enable it (sometimes, though as I said, it doesn't always) because of Office's speech-to-text functionality and the like that Microsoft has been building into MS Office for some time now.
  5. I have always and continue to terminate/disable/cripple CTFMON as I have never had any use for it and was always infuriated by the fact that it would always return to memory after being terminated. In fact, back in the XP days I went as far as replacing the ctfmon.exe executable with a fake/dummy file just to keep it out of memory. In newer Windows versions (at least in Vista and 7; I don't know about 8/8.1/10) it seems as though ctfmon does not run unless the text to speech functions are enabled/active, though I do recall that it would enable itself whenever Microsoft Office was installed and I believe that in most cases, this is the reason for its presence in memory on most systems because I don't believe it is enabled/active by default otherwise.
  6. Greetings. Please restart the system and then try the following to see if it corrects the issue:
     • Run the Malwarebytes Support Tool
     • Accept the EULA and click the Advanced tab on the left (not Start Repair)
     • Click the Clean button, and allow it to restart your system and then reinstall Malwarebytes, either by allowing the tool to do so when it offers to on restart, or by downloading and installing the latest version from here
     If the issue still persists then please try disabling AVG temporarily to see if that makes any difference. You might also try disabling Fast Startup if it is enabled. You will find instructions on how to do so here as well as here. I would also strongly recommend against terminating Malwarebytes' processes via Task Manager and the like as this can actually cause the software and system to become unstable due to its drivers and services not shutting down from memory properly. Instead, either try exiting Malwarebytes by right-clicking the Malwarebytes tray icon and selecting Quit Malwarebytes and clicking Yes to the User Account Control prompt, and if it still remains running, try restarting the computer. Please let us know how it goes. Thanks
  7. It could be. I was checking the PDF and it showed an Intel advisory from a while back connected to this issue. It looks like it's been known about for a while but they just recently went public with their findings (though they have yet to disclose everything as they mentioned they're working with certain vendors who operate in highly sensitive areas). Honestly I think the scariest thing about this whole issue is the fact that the bad guys could potentially use this vulnerability to overwrite hardware firmware. That means UEFI, BIOS and device firmware (like the VBIOS on GPUs) could be at risk for infection, and if that happens I sincerely doubt any antivirus or anti-malware program would even be able to detect its presence and formatting the operating system would do nothing to eliminate such a rootkit. BIOS/firmware based rootkits are potentially the most dangerous kind of threat due to those issues. Hopefully Microsoft will work out some kind of mitigation for these vulnerabilities. In the meantime I know first-hand how simple it is to make a driver or kernel mode service accessible to user-mode input/processes as I've seen this technique used in software to allow users to control a driver's functions (this is how you can change graphics settings using the driver software for your GPU for example and also how applications like MSI Afterburner are able to tweak/overclock/control graphics hardware, and this is also how Intel's own XTU application is able to modify CPU/chipset settings that affect the BIOS for the system). With all of these hardware vulnerabilities that have been reported recently, starting with the likes of Spectre and Meltdown, I have to wonder if there is anything at all that AV/AM vendors can do to protect devices from attacks/exploits using these vulnerabilities. I sure hope so, but I doubt it because it probably isn't possible. 
It's not the same as protecting memory and processes, especially with the restrictions that Microsoft has put in place for security that keeps AVs/AMs out of the lowest levels of memory/kernel space where hardware drivers operate and function. As I understand it, security vendors are forced to operate outside of the kernel thanks to PatchGuard/Kernel Patch Protection; a feature that has existed in all x64 versions of Windows since XP x64/Server 2003. Of course I am not a developer so my understanding of these things is not complete and these areas may be unrelated, but if my interpretation of what I've learned is accurate, it means that through such vulnerabilities the bad guys can essentially get more privileged/deeper level access to the OS and hardware than security vendors are able to, and that is a scary thought.
  8. By the way, if you want more details about what this really is and how it works I'd suggest reading their DEF CON presentation which is linked at the bottom of the article in the second link I provided in my first post. It's a PDF of a PowerPoint presentation and gives more details on the issue.
  9. Near as I can tell based on the articles I've read and videos/news I've seen about this, it's a widespread/common issue that exists due to a flaw inherent in how driver signing is handled in Windows. Basically they found a loophole in the existing framework that allows privilege escalation and I guess each hardware vendor is going to have to address it via updates. It's not like a nasty RCE (Remote Code Execution) vulnerability that allows open access to a system from the outside, but it is the kind of vulnerability that could potentially make it much easier for the bad guys to gain full admin/system/kernel level access to the OS once they get their foot in the door, not unlike a typical UAC/privilege bypass vulnerability/attack. The fact that the drivers are signed presents a problem since, at least in theory, the bad guys could use a known vulnerable driver as part of a malicious patch/package to get their target to load their malware onto the system, offering them instant access to full kernel level or even to load malicious firmware onto the system (i.e. BIOS malware that could persist across a full format/reinstall of Windows). That said, it does require that the bad guys succeed in getting some kind of user mode malware onto the system to begin with, so like always, relying on things like UAC and limited user accounts is a poor substitute for real security and safe computing practices (something I've been preaching for a long time having observed early after the launch of Windows Vista that the bad guys had designed most of their threats to run in user mode anyway specifically to bypass any UAC prompts that could potentially stop their threats in their tracks). So no, the sky isn't falling, but it does mean that yet another feature that is supposed to help keep systems secure (i.e. driver signature enforcement) isn't nearly as bullet-proof as it was once presumed (not unlike the vulnerabilities that have been found in technologies like WEP/WPA/WPA2/WPA3 and IPv6 as well as limited user accounts and UAC over the years).
  10. Good, I was thinking that some kind of legal action might be necessary if you're being harassed. I'm glad you've submitted your complaints to the authorities.
  11. I'm not a member of the Malwarebytes staff and haven't been for some time now, but I don't know of any partnerships between Malwarebytes and Google, and in fact the last I checked, Malwarebytes' own browser extension beta blocks ad servers and tracking servers that belong to Google (among others) for protecting privacy and speeding up browsing.
  12. If you believe that to be the case then using a proxy or VPN might be a good idea so they can't identify you based on your IP(s).
  13. Hello again, I'm sorry to hear that. Please follow the instructions in this topic and then create a new topic in the malware removal area by clicking here and one of our malware removal specialists will assist you in getting this issue resolved. Thanks
  14. Greetings, If you have already created an account at My.Malwarebytes.com then you can change your email address by following the instructions in this support article. If not, then you should contact Malwarebytes Support directly by filling out the form on the bottom of this page and they will assist you.
  15. It looks like a lot of drivers from the past several years from a multitude of hardware vendors include a nasty privilege escalation vulnerability. Being referred to as 'Screwed Drivers', the following vendors, among others which haven't been disclosed yet, are affected:
     · ASRock
     · ASUSTeK Computer
     · ATI Technologies (AMD)
     · Biostar
     · EVGA
     · Getac
     · GIGABYTE
     · Huawei
     · Insyde
     · Intel
     · Micro-Star International (MSI)
     · NVIDIA
     · Phoenix Technologies
     · Realtek Semiconductor
     · SuperMicro
     · Toshiba
     You can learn more about this issue at the following links:
     https://www.tomshardware.com/news/screwed-drivers-report-amd-intel-nvidia-vulnerabilities,40136.html
     https://eclypsium.com/2019/08/10/screwed-drivers-signed-sealed-delivered/
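The vendor list in the post above (and the driver-signing discussion in post 9) is only actionable if you know which third-party kernel drivers are actually installed on a machine. The following PowerShell script is an added example, not code from the forum post, from Malwarebytes or from Eclypsium: it inventories installed kernel drivers together with their Authenticode signer so the result can be compared against each vendor's advisory. It assumes Windows PowerShell 5.1 or later with rights to read the driver files; the signer filter patterns are constructed for this example.

```powershell
# Added example (not from the forum post): list non-Microsoft kernel drivers and who signed them.
# Signer name alone does not prove a driver is vulnerable; use the output as the list of
# drivers to check against the vendors' "Screwed Drivers" advisories.

function Get-ThirdPartyDriverInventory {
    param(
        # Drivers whose signer subject contains one of these strings are treated as Windows'
        # own and skipped. The trailing comma matters: it keeps the WHQL signer
        # "CN=Microsoft Windows Hardware Compatibility Publisher, ..." in the output, because
        # vendor drivers are commonly signed through WHQL and would otherwise be hidden.
        [string[]]$TrustedSignerPatterns = @('CN=Microsoft Windows,', 'CN=Microsoft Corporation,')
    )

    # Win32_SystemDriver covers kernel drivers registered as services (running or not).
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = $d.PathName
        if (-not $path) { continue }

        # Normalise the path forms seen in driver ImagePath values:
        #   \??\C:\...\x.sys   ->  C:\...\x.sys
        #   \SystemRoot\...     ->  C:\Windows\...
        #   system32\drivers\x  ->  C:\Windows\system32\drivers\x
        $path = $path -replace '^\\\?\?\\', ''
        if ($path -match '^\\SystemRoot\\(.+)$') {
            $path = Join-Path $env:SystemRoot $Matches[1]
        } elseif (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue
        $subject = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned or unreadable>' }

        $isWindowsOwn = $false
        foreach ($pattern in $TrustedSignerPatterns) {
            if ($subject -like "*$pattern*") { $isWindowsOwn = $true; break }
        }
        if ($isWindowsOwn) { continue }

        [pscustomobject]@{
            Name      = $d.Name
            State     = $d.State          # Running / Stopped
            StartMode = $d.StartMode      # Boot / System / Auto / Manual / Disabled
            Path      = $path
            Signer    = $subject
            SigStatus = if ($sig) { $sig.Status } else { 'Unknown' }   # Valid, NotSigned, HashMismatch, ...
            FileDate  = (Get-Item -LiteralPath $path).LastWriteTime
        }
    }
}

# Group by signer so one vendor's drivers sit together for review.
Get-ThirdPartyDriverInventory | Sort-Object Signer, Name | Format-Table -AutoSize
```

Catalog-signed drivers may report NotSigned on older systems where Get-AuthenticodeSignature does not consult the catalog store; treat such rows as "verify manually" rather than "unsigned".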
  16. Greetings, You should also refer to this pinned topic as well as this pinned topic for details about this issue. You should be able to get the problem resolved by following the instructions provided in those topics including, if necessary, contacting Malwarebytes Support directly by filling out the form on the bottom of this page so that they can assist you. Please let us know if there is anything else we might assist you with. Thanks
  17. Greetings, It should be possible to configure a daily scan to occur only once, however it does need to actually complete because if it is interrupted (like if the system is shut down mid-scan) then it likely will repeat the next time the system is started if configured to do so. The setting in question is in the scheduled scan's settings under the Advanced section. You can learn more about scheduling scans in this support article as well as the Malwarebytes for Windows User Guide found here. With that said, if you do not want an incomplete or missed scan event to run again at the nearest opportunity once the system is started, then simply disable the option for Recover missed tasks under Recovery Options in the scheduled scan's settings in the Advanced section as described in the User Guide linked to above. I hope this helps, and if there is anything else we might assist you with please let us know. Thanks
  18. Keep in mind that the comments above from David H Lipman only apply to the Malware Protection and scan engine components of Malwarebytes; documents and media files are targeted extensively by Exploit Protection as I mentioned above. The same goes for any scripts executed through a browser, and this is also how file-less malware is targeted (a form of attack that cannot be targeted using traditional signatures or file based heuristics since there are no files to detect, only behaviors). To better understand why Malwarebytes takes this approach, please refer to the information found in this article which explains the point very well. It is for this reason that Malwarebytes focuses on application hardening and behavior based detection for exploit and script based malware because it is trivial to bypass signature based detection of any form of script based attack whereas changing binary/executable malware to do the same is far less trivial. It is true that if you are looking for a solution that explicitly focuses on data integrity, Malwarebytes is not focused on this type of defense; however, there are additional components in Malwarebytes Endpoint Protection and Response as well as Malwarebytes Incident Response (which lacks the Endpoint Protection components included in the former), including Endpoint Isolation and Rollback and Remediation, which should be more suitable for this purpose, because if any data on your file server becomes corrupted by a malicious actor you should be able to recover from the incident and use the Flight Recorder/Timeliner application to analyze any attack to help track down the source of the threat/incident.
  19. Excellent, I'm glad ADWCleaner was able to help. If there is anything else we might assist you with please let us know. Thanks
  20. Greetings, Malwarebytes uses several different methods and layers to protect systems, many of which are behavior based, and a few which are signature based. It also uses heuristics detection methods and algorithms as well as cloud components to detect new and unknown threats. You can learn more about the various components of Malwarebytes by reviewing the diagram and information found on this page. As for the differences between Malwarebytes and antivirus, it basically boils down to how Malwarebytes detects threats. While it is true that Malwarebytes does use some more traditional detection methods such as hashes and threat signatures to recognize malware file patterns, this is actually a very small component of what Malwarebytes does and most of its protection and detection components rely on more advanced methods to detect threats. With that said, Malwarebytes is not an antivirus but is positioned as an AV replacement and may be used instead of a traditional antivirus. Since the modern threat landscape is so different now compared to how it used to be, traditional AV detection methods are insufficient for protecting devices on the internet from today's attackers and threats, and Malwarebytes is a response to those changes in the cyber-security industry and has been built from the ground up to be effective against modern threats and attack vectors including exploits, ransomware, scams/phishing, Trojans, rootkits, PUPs (Potentially Unwanted Programs) and much more using the methods described in the link provided above rather than relying on more traditional file hashes and signatures as its primary method of detecting threats; this is one of the key ways that Malwarebytes differentiates itself from a traditional antivirus application. 
That said, Malwarebytes is in fact designed to be compatible with an active antivirus application so that if you prefer to also use a traditional antivirus or other security software alongside Malwarebytes, you should be able to do so without any issues. In fact, many Malwarebytes customers run the free Microsoft Windows Defender/Microsoft Security Essentials alongside Malwarebytes to function as a secondary layer of defense against malware. While this is not a requirement, it is an option should you desire to have additional layers of defense for your systems/devices. Malwarebytes targets different behaviors and threats with each layer of protection. The Web Protection component blocks all connections, both incoming and outgoing to/from known malicious servers/websites and even some entire hosts/hosting providers (for known malware-friendly hosting providers) while the Exploit Protection component monitors key applications known to be frequently targeted by exploits for any sort of exploit behavior, especially web-facing applications like web browsers as well as media players and office applications which are often the target of exploits via Trojanized scripts, documents and media files. It also applies hardening to key OS components to defend against common exploit attack methods and behaviors. It is by far one of the most proactive protection layers in Malwarebytes. The Ransomware Protection component monitors all processes and threads in memory to look for ransomware behavior, including the modification and deletion of data as well as the attempted encryption of data in order to catch ransomware in the act before it can encrypt your data. The Malware Protection component uses a combination of traditional threat signatures, advanced heuristics algorithms and cloud based Machine Learning and live threat intelligence to detect both known and new/unknown threats that attempt to execute in memory. 
The scan engine also uses those same methods that are used by the Malware Protection component in addition to scan-specific technologies such as the advanced Linking engine that can take a single trace detection/file and extrapolate a multitude of additional detections throughout the system in the registry and on disk to detect further components and traces of an infection or malicious application to apply comprehensive detection and remediation of threats, and if enabled, the rootkit detection component in the scan engine will check for both known and unknown rootkits/bootkits on the system and attempt to remediate them, including attempting to repair commonly damaged OS/system components and services that are often the fallout of such infections that most security applications fail to detect or repair during their detection and remediation routines. With regards to your file server specifically, unfortunately I do not know, and we will have to wait to hear from a member of the Malwarebytes staff on that, but in the meantime I hope I have been able to help answer some of the questions you had about Malwarebytes and how it works.
  21. Thanks. OK, to begin, please start by restarting your system. This can sometimes correct an issue if there is a problem with one of Malwarebytes' drivers or configuration files. After the system is restarted try running a scan with Malwarebytes again to see if it now completes normally. If it still isn't working then please try running Malwarebytes Anti-Rootkit to see if it is able to scan your system. If it is able to complete its scan, have it remove anything it detects and then restart your system if prompted to do so to complete the removal process. Once that is done, try running a scan with Malwarebytes again to see if it now works properly. If you still have trouble then please run ADWCleaner and have it scan, and again have it remove anything it detects and restart your system if prompted to do so to complete the cleanup process. After all of that, if Malwarebytes still isn't scanning normally then please do the following:
     • Run the Malwarebytes Support Tool
     • Accept the EULA and click the Advanced tab on the left (not Start Repair)
     • Click the Clean button, and allow it to restart your system and then reinstall Malwarebytes, either by allowing the tool to do so when it offers to on restart, or by downloading and installing the latest version from here
     Once that is done, try running a scan with Malwarebytes again to see if the issue is now fixed. Please let us know how it goes. Thanks
  22. Greetings, You may submit samples for analysis here if you wish, or, if you'd prefer to keep it private (which is understandable given the sensitive nature of the situation) you may instead send a private message directly to thisisu; one of the primary members of the Malwarebytes Research team who works samples in that area, or you may contact Malwarebytes Business Support if you'd prefer to go that route instead, and you can communicate with them via email. If you prefer the latter then please fill out the form on the bottom of this page and they will respond to you as soon as they are able. I hope this helps and that you are able to find the culprit and get this issue resolved quickly.
  23. You're welcome, I'm glad I was able to help.
  24. Greetings. Something is definitely wrong, as the image you posted indicates that many items have been scanned, yet all of the phases of the scan still show the hourglass icon indicating that none of the phases of the scan have completed (not even the pre-scan operations such as checking for updates, which is supposed to complete before the scan even starts). I suspect that something is wrong with your Malwarebytes installation as I have never seen this behavior reported before. Please do the following so that we may take a closer look at what is going on with your installation and hopefully find a fix for the issue:
     • Download and run the Malwarebytes Support Tool
     • Accept the EULA and click the Advanced tab on the left (not Start Repair)
     • Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to your next reply
     Thanks
  25. Greetings, If it works anything like the consumer product, then depending on which component of protection made the detections, you should be able to find them under one of the folders stored under the Malwarebytes ProgramData\MBAMService folder. For example, detections for Web Protection can be found under C:\ProgramData\Malwarebytes\MBAMService\MwacDetections. The .JSON files can be viewed using any plaintext editor such as notepad. I hope this helps.