[SOLVED] MBAE not protecting any application/program


Durew


MBAE is not working:
Malwarebytes Anti-Exploit always indicates that zero applications are shielded. The Logs tab is always empty. All shields have the closed-lock indicator.

The 'Start protection' button is not available, while the 'Stop protection' button is. When the 'Stop protection' button is pressed, MBAE indicates that it has stopped working and the 'Start protection' button becomes available. Clicking it yields no result. I must completely restart MBAE to get it running again.

The mbae-default.log has a horrible layout but indicates that the drives are loaded and "Starting Injection with: C:\Program Files\Malwarebytes Anti-Exploit\MBAE.dll
2013-10-15 18:47:40 - DLL Injection has been successfully started"; it even mentions protecting Java, which I find curious, as I can't remember running Java since the new version was installed. (log attached)
MBAE does load automatically on boot.

I read that Sandboxie could block MBAE, but even programs not protected by Sandboxie stay unprotected by MBAE.

System info:
OS: Windows 7 32-bit Enterprise (up to date)
AV: Symantec Endpoint Protection 12.1 (disabling it does not help, whitelisting MBAE does not help, no SEP logs show any sign of MBAE)
Anti-malware: MBAM PRO 1.75 (turning it off does not help), Sandboxie 4.04 (turning it off does not help), WinPatrol Free.
Anti-exploit: EMET 4.0 (works), MBAE 0.09.4.100 (does not work, neither does the older version)
Office: Microsoft Office Professional Plus 2010 32-bit, version 14 (protected by EMET but not by MBAE, not sandboxed)

Browser: Firefox 24.0 (sandboxed)


I have tried to supply as much relevant information as I can; if you need to know anything else, please ask.
I hope someone can help me get MBAE to run properly, or that this will help the Malwarebytes crew improve MBAE.

mbae-default.log


  • Staff

Welcome to the forum.

Please uninstall MBAE completely, reboot, and install again.

Once installed, download and run (as admin) SysInternals Process Explorer. Once it is running, open a couple of browsers, Word, Excel, Windows Media Player, Adobe, etc., and then search within Process Explorer using the binoculars icon for "mbae.dll". Does it find anything? Under normal circumstances it should find mbae.dll injected into every process you opened. Take a screenshot of the search result window and post it here.

Then run C:\Program Files\Malwarebytes Anti-Exploit\mbae-test.exe and press the Exploit button. Does MBAE block the test?

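A scripted equivalent of the Process Explorer check above, added here as an example (not code from the thread or from Malwarebytes): it lists every running process and whether the MBAE shield DLL is loaded in it. It assumes the DLL is named mbae.dll, that PowerShell is run elevated on the same 32-bit Windows 7 system as the original poster (a 64-bit host cannot read the module list of 32-bit processes), and that sandboxed processes will legitimately show as not shielded, as the staff reply later explains.

```powershell
# Added example, not from the original thread or from Malwarebytes.
# Reports which running processes have the MBAE shield DLL loaded, mirroring the
# manual Process Explorer "find DLL" search for mbae.dll. Run elevated.
# Assumption: the injected module is named mbae.dll (the name the thread searches for).
$dllName = 'mbae.dll'

$report = foreach ($p in Get-Process) {
    try {
        # Enumerating modules throws for protected or system processes; those are
        # reported with Shielded = $null rather than treated as unshielded.
        $loaded = $p.Modules | Where-Object { $_.ModuleName -ieq $dllName }
        [pscustomobject]@{
            Name     = $p.ProcessName
            PID      = $p.Id
            Shielded = [bool]$loaded
            Path     = if ($loaded) { $loaded[0].FileName } else { '' }
        }
    } catch {
        [pscustomobject]@{
            Name     = $p.ProcessName
            PID      = $p.Id
            Shielded = $null
            Path     = 'module list not readable: ' + $_.Exception.Message
        }
    }
}

# Shielded processes first; $null in the Shielded column means "could not inspect".
$report | Sort-Object Shielded -Descending | Format-Table -AutoSize

# Quick summary for the "X applications are protected" comparison with the MBAE UI.
$shielded = @($report | Where-Object { $_.Shielded -eq $true })
"Processes with $dllName loaded: $($shielded.Count)"
```

Processes that Sandboxie runs inside its sandbox will not appear in the shielded list, which matches the behaviour described later in this thread.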


I just tried the binoculars icon search for mbae.dll and got a BSOD. Probably not the fault of MBAE, but I was surprised.


That's weird. What third-party security applications are you running? Does this also happen without MBAE installed?

It might also be helpful to try using two or three different anti-rootkit apps to scan your system.

I saw two instances where the DLL was injected before the BSOD suddenly occurred, i.e. Opera and DefenseWall, I think... It happened so quickly... I could try again and see if I can induce another BSOD.

I have been testing MBAR for some time, and posting my experience with it in the Wilders forum. I have never found any rootkit!


This time there was no mbae.dll to find when searching for it, since MBAE was turned off. However, shortly after, I got the BSOD again, but the string was "Kernel_Mode_Exception_Not Handled", whereas the first BSOD I got was "Driver_Corrupted_Expool". I have the minidumps, which I can send to you by e-mail, if you like.


  • Staff

It seems you have bigger problems in your computer. If I were you I'd uninstall some applications one by one, starting with the security apps, and try again until you find the culprit of the conflict. Once you're kosher then start adding them again, one by one, and verifying everything stays kosher.


I have been advised in the Wilders forums that I run too many security programs. But I accept that it may cause some conflicts. I find that my computer runs pretty well on the whole. I never find any malware when I run scans. I only uninstall and reinstall when I am testing some software, like MBAE for instance.

I uninstalled MBAE, rebooted, installed MBAE, ran Process Explorer as Administrator and got three search results. I attached the screenshot of the results. (As expected, programs which are run under Sandboxie are not in the search results even though they were running.)

The MBAE test gives a nice message telling me "Exploit Attempt Blocked". The log as displayed in MBAE is attached, "the Malwarebytes Anti-Exploit test is now protected", and MBAE tells me that 1 application is protected.

Does this mean that MBAE is protecting my (non-sandboxed) applications, but just fails to tell me so?

Anyway, how should I proceed?


  • Staff

OK, I see what you mean now. It is normal that MS Office apps are not showing up in the LOGS tab of MBAE. This is known issue #3:

https://forums.malwarebytes.org/index.php?showtopic=134888

We will work on improving the inter-process communication of MBAE shortly and will probably fix this soon. In the meantime, if you open Adobe Acrobat Reader, Windows Media Player, Foxit Reader, VLC, etc., they should all show up in MBAE's LOG tab.

As for sandboxed applications, it is normal that they are not injected (i.e. protected) by MBAE as they are sandboxed.


Adobe Reader, Firefox, Windows Media Player and VLC are run in the sandbox by default; I didn't realise only the Microsoft Office apps were left (of the programs with shortcuts on my desktop that should be protected by MBAE). When the aforementioned programs are forced to run outside the sandbox, MBAE does protect them. That solves most of the problems/questions, thanks a lot for that. There is one exception though...

MBAE indicates in the Shields tab that it will protect 'Windows Help'. However, when I open a help file (for example "Malwarebytes Anti-Malware Help"), MBAE does not indicate protecting it. Opening "Windows Help and Support" doesn't trigger any log entry either. A screenshot with both 'help programs' and MBAE telling me no application is protected is attached to make clearer which programs I meant.
Was the 'Windows Help' shield referring to another program than I thought, or should it have worked?


  • Staff

The Windows Help version that MBAE protects is HelpCtr.exe which is found in older versions of Windows and which has been used in the past by exploits.

The new Windows Help you are showing is HelpPane.exe which is not targeted by exploits nor has any known remote code execution vulnerabilities. If (or when) hackers find a vulnerability with HelpPane.exe we will add it to MBAE.
