
Probably EMET 4.0 related MBAM false positives



Recently I installed and configured EMET 4.0 final.

http://blogs.technet.com/b/srd/archive/2013/06/17/emet-4-0-now-available-for-download.aspx

http://www.microsoft.com/en-us/download/details.aspx?id=39273

 

EMET 4.0 configuration:

Imported EMET protection profile "Popular Software.xml"

and checked "Deep Hooks" in Application Configuration (as that was not checked by default, for some reason).

 

 

Today I noticed MBAM scan results that seem to indicate probably EMET 4.0 related MBAM false positives.

I checked using G Data 2014 and HitmanPro, both found no infections or other issues, so I assume the MBAM results can be regarded as false positives.

 

 

Here's the MBAM log:

 

Malwarebytes Anti-Malware 1.75.0.1300

Database version: v2013.06.19.03

 

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

 

19-6-2013 13:00:53

MBAM-log-2013-06-19 (13-05-31).txt

 

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 277490

Time elapsed: 4 minute(s), 27 second(s)

 

Registry Keys Detected: 7

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe (Security.Hijack) -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe (Security.Hijack) -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iTunes.exe (Security.Hijack) -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe (Security.Hijack) -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Safari.exe (Security.Hijack) -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winamp.exe (Security.Hijack) -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordpad.exe (Security.Hijack) -> No action taken.

 

 

 

  • Staff

These aren't really false positives. We detect IFEO (Image File Execution Options) hijacks quite deliberately as they're used very frequently by malware. Since these were created by EMET 4.0, I recommend that you simply add them to your Ignore List.


Thank you very much for your reply.

 

I noticed I forgot to save and post a log in developer mode.

I made it some minutes ago.

But now I guess there's no need to post and attach that log?

If you want me to, I can post it.

 

Regarding the MBAM "Security.Hijack" detections, this phenomenon is new to EMET 4.0 final.

It didn't occur using EMET 4.0 Beta, or with previous versions like EMET 3.5 Tech Preview and EMET 3.0.

 

It's fine with me to add the concerning MBAM detections to MBAM Ignore List.

But perhaps it's a good idea for Malwarebytes to find out why MBAM detects those items when EMET 4.0 final is applied, and decide if MBAM should alert about it or not.

 

Not everyone is as wise as to ignore such MBAM detections.

Some go on and delete such items without any further thought - which they shouldn't, of course, but they do.

 

I think it might be good to give this some more thought.

 

 

Thanks very much

and best regards


Edit:

 

Is it possible for you to get us a registry export of the keys and zip and attach here?

 

Um, yes, but what do you mean?

Do you mean the saved log in developer mode, including the registry keys (which are in my initial post also, by the way),

or do you mean some other registry export, I guess?

If so, could you please specify which keys to export.

 

Thanks very much.

  • Staff

Actually opening up regedit and navigating to the keys that MBAM detected and hitting File/Export and saving the keys.

 

http://support.kaspersky.com/common/service.aspx?el=7507

 

Do not change anything in there only export those keys.

 

We need to see what's under, for example, this key:

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordpad.exe

 

so what's under wordpad.exe that's causing the detection.

Attached is the archive Registry export.zip

containing the seven exported keys:

chrome, firefox, iTunes, opera, Safari, winamp and wordpad.

 

By the way, someone else also reported MBAM detecting a wmplayer key:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe

See: https://www.security.nl/artikel/46690/

 

But that wmplayer key is not in my registry (although wmplayer is in the EMET Application Configuration list) so I can't include it in the zip file.

 

 

Thanks very much

and best regards

Registry export.zip

  • Staff

Hmm, there doesn't seem to be anything under the keys in your export.

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winamp.exe]

 

there was no data after winamp?

 

like debugger=


Hmm, there doesn't seem to be anything under the keys in your export.

 

 

I hadn't checked what was in the exported keys, but I see you're right, there's no further data.

And I see the same when I view those keys in the registry.

I think it's not that odd for those software items that aren't on my system (like iTunes, for instance), but even that wordpad key has no value.

I don't know what to think of it.


OK, I just updated. Please update and let me know if the adjustment I made stops the detections.

 

Thanks.

It helped for 6 out of 7.

One detection is still there:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe (Security.Hijack)

 

When you're working on that one,

perhaps you can anticipate on the wmplayer key, which isn't in my registry for some reason, but is in others.

 

 

Thanks again

and best regards


With database v2013.06.19.04

I also had the same 7 detections mentioned above, presumably after installing EMET 4.0, plus the one for

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe (Security.Hijack)

 

With database v2013.06.19.05, there are now only 2 detections, for opera and wmplayer.
  • Staff

OK, update is transmitting now. Give it about five mins, it's version 06. Let me know what happens.

 

FYI

 

These keys are used a lot by malware to launch companion programs with the program you are trying to launch. Why the value data would be blank though makes no sense.

 

Unless they are trying to protect these keys by blanking them.


Confirming NO detections with database v2013.06.19.06.

 

Of course, if you're saying these could just as easily have been legitimate malware detections, "suppressing" them is not the answer. I trust that one of your good workers there can now investigate things further, ideally by installing EMET 4 on a test system, and checking things out more definitively... hopefully, finding a way to distinguish between EMET's entries vs. actual malware entries using these same keys.
  • Staff

These were fixed right. This wasn't a suppression. It was an adjustment to look for more specific values than just a blank key that they were creating. There is no reason ever that you would create this blank key. It simply does not do anything. It's the value data under the key that causes something to launch with the original program. These detections have been in MBAM for a very long time and don't false positive that often because most legit software would never use this key.
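As an added example (not the poster's export or Malwarebytes' detection logic), the following Python script parses a Regedit 5.00 export like the one quoted earlier in the thread and reports, per IFEO subkey, whether it is a blank key (what EMET 4.0 left behind) or carries a Debugger value that would redirect the launch. The sample export is constructed; example.exe and its companion path are placeholders.

```python
import re
from typing import Dict, Optional

# Root of the keys discussed in the thread.
IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
               "\\Image File Execution Options\\")

# Constructed sample .reg export: two blank keys as EMET 4.0 created them,
# plus one hypothetical key carrying a Debugger value (the real hijack case).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winamp.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordpad.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe]
"Debugger"="C:\\Users\\Public\\companion.exe"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Regedit export into {key_path: {value_name: data}}; keys with no
    value lines end up with an empty dict, which is the 'blank key' case."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # Quoted REG_SZ: undo the .reg escaping of backslashes and quotes.
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def classify_ifeo(keys: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Label each IFEO subkey: a Debugger value is what actually launches a
    companion program; a blank key does nothing and is what EMET 4.0 wrote."""
    verdicts: Dict[str, str] = {}
    for path, values in keys.items():
        if not path.lower().startswith(IFEO_PREFIX.lower()):
            continue
        exe = path[len(IFEO_PREFIX):]
        lowered = {name.lower(): data for name, data in values.items()}
        if "debugger" in lowered:
            verdicts[exe] = "debugger -> " + lowered["debugger"]
        elif values:
            verdicts[exe] = "other values only"
        else:
            verdicts[exe] = "blank key"
    return verdicts
```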

Another thanks for fixing this so quickly from a registered Malwarebytes Pro user. I installed EMET 4.0 on the day it was released and got the same warnings about the same registry items. I let Malwarebytes quarantine them but also suspected false positives from the EMET 4.0 install. As noted, this never happened with earlier versions of EMET (including 4.0 beta). I'll now restore the items from quarantine and hopefully all will be ok.
