
cutting_edgetech

Honorary Members
  • Posts

    112
Everything posted by cutting_edgetech

  1. I am sure; you can close the thread. I will report it to Mozilla and Eset once I have time. I hope Malwarebytes decides to look into this further. I thought they would want to install the extension for themselves and do their own test.
  2. There is no need for that. All malicious activity stopped as soon as I uninstalled the Dark Reader extension, and I rolled my computer back to a time before I ever installed Dark Reader. I have experience removing malware; I'm just not familiar with Malwarebytes procedures. I have a degree in IT with a minor in Information Security.
  3. I see what you mean. I should have copied the URL pointing to the XPI file. Thank you. I will know to do that if I run into another malicious extension.
  4. I'm fairly certain the extension is what is malicious. I already rolled my computer back, so there should be no infection remaining. I thought Malwarebytes would be interested in installing the extension themselves and doing their own test. The extension is recommended by Mozilla and has a large user base. Poor users don't even know they have a malicious extension installed.
  5. Here is the URL of the malicious extension: https://addons.mozilla.org/en-US/firefox/addon/darkreader/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search VirusTotal results: https://www.virustotal.com/gui/url/3a8a67e6a6cf95bb6a777080363d22522a7b81a388c535429e8d3c9a0f3c9909 If you use the extension on the following website, then your browser should eventually start getting hijacked. It may take a while before the hijacking begins to occur. https://rarbg.to/torrents.php
  6. Thank you, I read the links you suggested, but I'm still not sure how to submit a browser extension. I could submit the URL or web page that contains the browser extension. I don't know how to get the extension without installing it again, and this is not a test machine. I could also let them know which website to use the browser extension with that triggers the malicious behavior.
  7. My browsers recently began getting hijacked when visiting certain sites after installing the extension Dark Reader on Firefox, Waterfox, and LibreWolf. It wasn't immediately obvious that Dark Reader was the culprit, since it only happened when visiting certain sites, and I had to be actively using elements on the site for a few minutes before the hijacking would begin to occur. It would work by hijacking every element and link on the website and redirecting it to various links on furiousfar.com. I also had unknown write and code execution attempts originating from my browser that were being blocked by AppGuard. I looked at some code in my browser, and it appeared my browser was being enumerated for vulnerabilities. I'm fairly certain that Dark Reader is at the very least a browser hijacker, since the hijacking stopped immediately after uninstalling Dark Reader (4 days ago). I took some screenshots of some code from my browser at the time my browser (LibreWolf) was hijacked. One could not click on a single element on the page without being hijacked and redirected to furiousfar.com. Below are some screenshots of the code running in my browser when I was hijacked and redirected to furiousfar.com. The hijacking code in the first and last image appears to belong to Dark Reader, but I'm not sure about the code in the center image. It looks like some enumeration of my browser and OS could be occurring. Enumeration can be good or bad, but in this case, I believe the enumeration could have malicious intent. Well, I believe the code below in the first and last image points to Dark Reader as being the culprit of the browser hijacking. I am using Windows 10 x64 21H2, and I believe I was using LibreWolf 106.0.1 and Firefox 106.0.2 during the time of the hijacking.
  8. When I attempt to add WinRAR to the list of Shielded Apps, I am notified that WinRAR already exists in the list of Shielded Apps. WinRAR is not in the list of Shielded Apps. Also, I checked the WinRAR process with Process Explorer, and MBAE is not injecting into WinRAR.exe. I reported this several years ago, so I think this bug has been around for a long time. I would really like MBAE to protect WinRAR and other archive software. MBAE will allow me to add some child processes like RAR.exe, but not the parent process, WinRAR.exe. MBAE 1.13.1.304; Edition: Windows 10 Pro; Version: 20H2; Installed on: 8/22/2020; OS build: 19042.685; Experience: Windows Feature Experience Pack 120.2212.551.0
  9. After uninstalling MBAE, auto-save to the cloud is able to sign into the cloud and save my document. Before it couldn't even sign in before MBAE triggered. It seems that the auto-save to cloud feature is what is triggering MBAE.
  10. I right-clicked on the MBAE tray icon and chose "Stop Protection" to disable all protection for MBAE 1.13.1.283. The icon changed to white to indicate that the protection had been disabled. I then selected the option to auto-save my Word document to my student OneDrive cloud account. MBAE immediately triggered, saying it had blocked an exploit attempt, killing my document. Now if I select the option to auto-save my document to the cloud, it kills my document without giving me the exploit attempt prompt at all. I'm going to have to uninstall MBAE at this point. The false positive for Word has been around for a few builds now. I can't even keep it from triggering when disabling MBAE protection. I can't afford to lose my work. I will save the logs from the current installation and keep them. If you work for Malwarebytes, then request them and I will send them to you by PM. I'm currently using MBAE 1.13.1.283 on Windows 10 x64 Pro Version 2004.
  11. Well, as I stated in my original post, rebooting brought back the tray icon and gui for me. It didn't seem to work for everyone from reading above.
  12. I was asked if I wanted to update to version 1.13.1.283 from version 1.13.1.257. I unticked "automatically upgrade to new versions" and clicked OK. After MBAE updated, I had no tray icon or GUI. I waited for about 5 minutes to make sure MBAE had completed updating. I then tried launching MBAE from the Programs menu, and that did not work. I rebooted my computer, and now the tray icon and GUI are back. I'm using Windows 10 x64 Pro Version 2004. This post is for informational purposes only (giving feedback).
  13. I keep making posts that do not post to the thread. I will try this once again. Please delete my logs from my post once you get what you need. I accidentally attached them to the post. Also, will I ever get editing rights to my posts? I have been a member for a long time, and I cannot make any changes to my posts. I would just remove them myself if I were able, and send them by PM.
  14. It says a macro is triggering the behavior protection. I checked in the macro options under Word, and I did not see any macros listed. The Enterprise Office installation I'm using was provided to me by my university. Each time I save a Word document, it automatically saves a copy to Microsoft OneDrive. Maybe it is using a macro to save a copy of my document to OneDrive. I'm just taking a stab in the dark. I'm sending you the entire AppData folder, which contains the logs. Which log files do you normally request? Thank you!
  15. Thank you. I will wait a few days longer, and if I don't get a response I will create a support ticket. I used to just send these reports to pbust. I'm not even sure what they have him doing these days. I've been away for a while, since I only used Linux for 2 years.
  16. I prefer to PM logs. I don't know what information they contain.
  17. I just made it trigger again to see what the MBAE prompt said. The prompt says, "Exploit payload macro process blocked". It was blocked by the Application Behavior Protection Layer.
  18. Every time I try to close or save a Word document I have created, MBAE 1.13.1.257 triggers and says it has just blocked an exploit attempt. MBAE has triggered 5 times so far. It should be a false positive, since I'm the one that created the document. I am using Microsoft 365 Apps for Enterprise with Windows 10 x64 Version 2004. Who do I send the log files to?
  19. Thank you for the response. I will switch back to MBAE from Malwarebytes Antimalware soon to see if I have any issues with the latest build.
  20. Another PowerShell script that runs in the background on many Windows 10 installations is used to disable legacy versions of SMB. You can see this script captured below, taken from ERP's log file. This script has also run over and over again, since it cannot complete due to being blocked by AppGuard. I'm curious whether MBAE build 137 was blocking this script as well. I have not checked to see if this is the case, since I have been using Malwarebytes Anti-Malware the last 3 weeks. I hope the log info below is helpful.

      Date/Time: 2018-11-16 21:51:29.424
      Action: Allow/Known Safe Process
      PID: 5504
      Process Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      SHA1: AE8B80AE4D2D3B4AB6A28CC701EB4D888E4EC7AD
      Signer:
      Command Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"
      Parent: C:\Windows\System32\svchost.exe
      Parent SHA1: B3D7C886DC6607A50874E0ECF2B90CFC3C4B57B8
      Parent Signer: Microsoft Windows Publisher
      Expression: -
      Category: -
      User/Domain: SYSTEM/NT AUTHORITY
      Integrity Level: System
      System File: True
  21. Is anyone here having PowerShell blocked in the background without trying to run PowerShell? Windows 10 started running a PowerShell test script in the background a few months back. I believe this script is used by Windows to check whether the user is running AppLocker or not. This script gets blocked many times per day by AppGuard. Here is the script being blocked by AppGuard. This image from the AppGuard Activity Report shows a little information about the script.
  22. I don't know how else it could be done, unless behavior blocking is used to catch the aftermath after an exploit has already executed. That's not ideal, but better than nothing. Maybe parent/child process control will help.
  23. Is it possible to provide exploit protection with a browser extension or plugin instead? It may be a lot of work maintaining the extensions or plugins, but if you only had to do it for a few browsers, then it may be an option. Malwarebytes already has a browser extension, so maybe additional capabilities could be added to it.
  24. The tray icon sometimes does not load after booting my machine. It happens more often after completely shutting down my machine for a while. Process mbae.exe loads at boot, but the tray icon never shows up in the tray. I believe this is due to another app or service loading at the same time during boot. What I would like to point out is that if I try to access the MBAE tray icon or GUI from the Windows Start Menu, it does not load, and it spawns a second instance of mbae.exe. If I try to access it again from the Start Menu, then it spawns a third instance of mbae.exe, and so on. While making this post I discovered that the MBAE service (mbae-svc.exe) is failing to load at startup. I initially thought it was loading because I saw mbae64.exe, and thought that was the service until taking another look. I can see how that would cause multiple instances of mbae.exe to spawn when attempting to access the GUI without the service running. I think maybe NVT ERP is causing the conflict. They try to load at about the same time during boot. I would suggest that if the user tries accessing MBAE without the service running, MBAE notifies the user that the service is not running, and also does not allow MBAE to spawn another instance of mbae.exe. I'm using Windows 10 x64 Pro version 1709, and MBAE 1.12.1.129.