
[SOLVED] MBAE 0.09.4.1000 does not work for me


ardaulairesh


The previous version of MBAE was working properly with WSA 2014, Comodo Firewall 6.3.294583.2937 and EMET 4 installed. All the shielded applications (Google Chrome, Adobe Reader, Windows Media Player, etc.) were working properly. But with this new version of MBAE no application is shielded whatsoever. I installed MBAE 0.09.4.1000 as instructed by pbust on this website. It installed with no problems, but no application is shielded by this new version. Through Process Hacker, neither mbae.dll nor mbae64.dll is found injected into any process.

Attachments: mbae-default.log and a screenshot.


Please exit MBAE, deactivate WSA and Comodo and then start MBAE again.

 

I deactivated WSA 2014 only and NOT Comodo Firewall. Bingo, MBAE is now working as it is supposed to! So, in brief, the problem was due to WSA in my case.

I hope there will be a solution to this conflict in the near future.

 

Just to let you know, here are some observations of mine:

 

1) Google Chrome and MBAE are protected by EMET 4. When both MBAE and EMET are running, I fire up Google Chrome and it is protected and shielded properly by both EMET and MBAE. So there are no conflicts (on my side) between EMET 4 and MBAE 0.09.4.1000.

 

2) I have 25 chrome.exe processes (with extensions), but MBAE just shows "Shielded Applications 6" in the General tab. However, through Process Hacker I can verify that all 25 chrome.exe processes are injected with mbae.dll.

 

3) All Microsoft products (Word, Excel and PowerPoint) are injected properly, but the "Shielded Applications" counter in the General tab shows zero, and the "Logs" tab shows nothing and is empty. However, through Process Hacker I can verify that all three applications are injected with mbae.dll.

 

4) Adobe Reader and Windows Media Player are properly shielded and correctly shown in the "Shielded Applications" and "Logs" tabs.

 

5) For me, the second known issue in "Known Issues & Conflicts" is not present; that is, the Shielded Apps counter does decrease when closing shielded applications. However, the "Date" column in the "Logs" tab does not update when reopening a shielded application; the date indicates the first time the application was opened.

 

6) As is obvious from the image, the mbae.exe process is elevated. Would it be possible to run it with limited rights, as it is dangerous in case of a vulnerability in MBAE that could be exploited with the full rights of MBAE?

 

7) I can see that the HitmanPro.Alert bug still exists.

 

8) mbae-test is protected by MBAE when pressing the Normal button and blocked by MBAE when pressing the Exploit button. However, when mbae-test.exe is added to EMET and the Exploit button is pressed, EMET detects and blocks it through the EAF mitigation.

 

9) Sometimes when trying to exit MBAE, the second message below appears. After pressing the Retry button several times, MBAE exits.

(four screenshot attachments)

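The poster verified injection by looking for mbae.dll in each process's module list in Process Hacker (first post, and observations 2 and 3 above). The same check scripted, as an added example that is not part of the original thread or of MBAE itself: it lists every process that currently has the MBAE injection DLL loaded and counts them per image, which is the number the GUI's "Shielded Applications" counter should agree with. The two module names come from the thread; that they are the only names to look for is an assumption. Run it from an elevated, 64-bit PowerShell so the module lists of other users' and elevated processes can be read.

```powershell
# Added example, not from the original thread: list the processes that currently
# have the MBAE injection DLL loaded (the check done by hand in Process Hacker).
# Processes whose modules cannot be enumerated (access denied, already exited,
# bitness mismatch) are skipped instead of aborting the scan.
function Get-MbaeShieldedProcess {
    param(
        # DLL names given in the thread; assumption: no other names are used.
        [string[]]$ModuleNames = @('mbae.dll', 'mbae64.dll')
    )
    foreach ($p in Get-Process) {
        try {
            $mods = Get-Process -Id $p.Id -Module -ErrorAction Stop
        } catch {
            continue
        }
        # -contains is case-insensitive, so MBAE.DLL matches as well.
        $hit = $mods | Where-Object { $ModuleNames -contains $_.ModuleName } |
               Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{
                Name       = $p.ProcessName
                Id         = $p.Id
                MbaeModule = $hit.FileName
            }
        }
    }
}

# Per-image counts. The thread shows the GUI counter reporting 6 for 25 injected
# chrome.exe processes and 0 for the injected Office applications; this output
# is what the counter should match.
function Get-MbaeShieldedSummary {
    Get-MbaeShieldedProcess |
        Group-Object -Property Name |
        Sort-Object -Property Count -Descending |
        Select-Object @{ Name = 'Image'; Expression = { $_.Name } }, Count
}

Get-MbaeShieldedSummary | Format-Table -AutoSize
```

An empty result from a non-elevated prompt does not mean nothing is injected: the module lists of processes running as another user or at a higher integrity level simply could not be read and were skipped, which is also why the first post's "no mbae.dll found" observation is only conclusive when taken from an elevated Process Hacker.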

  • Staff
2) I have 25 chrome.exe processes (with extensions), but MBAE just shows "Shielded Applications 6" in the General tab. However, through Process Hacker I can verify that all 25 chrome.exe processes are injected with mbae.dll.

Yes this is a known bug.

 

3) All Microsoft products (Word, Excel and PowerPoint) are injected properly, but the "Shielded Applications" counter in the General tab shows zero, and the "Logs" tab shows nothing and is empty. However, through Process Hacker I can verify that all three applications are injected with mbae.dll.

Yes, known bug.

 

5) For me, the second known issue in "Known Issues & Conflicts" is not present; that is, the Shielded Apps counter does decrease when closing shielded applications. However, the "Date" column in the "Logs" tab does not update when reopening a shielded application; the date indicates the first time the application was opened.

Yes this is normal, by design.

 

6) As is obvious from the image, the mbae.exe process is elevated. Would it be possible to run it with limited rights, as it is dangerous in case of a vulnerability in MBAE that could be exploited with the full rights of MBAE?

Yes, this will be implemented in the new GUI.

 

8) mbae-test is protected by MBAE when pressing the Normal button and blocked by MBAE when pressing the Exploit button. However, when mbae-test.exe is added to EMET and the Exploit button is pressed, EMET detects and blocks it through the EAF mitigation.

Yes, this is normal. That's exactly how both EMET and MBAE should behave. Sometimes MBAE notifies of an exploit earlier and sometimes EMET does. It depends on the mitigation and exploit.

 

9) Sometimes when trying to exit MBAE, the second message below appears. After pressing the Retry button several times, MBAE exits.

This is very interesting. It is a bug we are trying to pin down. Can you replicate it consistently on your system?


 

This is very interesting. It is a bug we are trying to pin down. Can you replicate it consistently on your system?

 

 

I tried a lot in different ways but did not succeed in replicating it even once. I will let you know if this happens again or if I am able to replicate it.

 

Just to let you know, I was able to configure WSA to allow MBAE injections, and now they both work like a charm together. WSA Settings >>> "Identity Protection" >>> "Application Protection" tab >>> "Add Application" button >>> added both mbae.exe and mbae-loader.exe from MBAE's Program Files folder and selected "Allow" for both of them.


  • Staff

I tried a lot in different ways but did not succeed in replicating it even once. I will let you know if this happens again or if I am able to replicate it.

Can you configure your system to create complete memory dumps (My PC properties, Advanced system settings, Startup and Recovery settings, change the dropdown from Automatic to Complete memory dump)? Restart, and if the problem happens again, please compress the memory dump into a rar/zip and send it to me via a file sharing service.

 

And thanks for the WSA tip! I will have to try this out!


Can you configure your system to create complete memory dumps (My PC properties, Advanced system settings, Startup and Recovery settings, change the dropdown from Automatic to Complete memory dump)? Restart, and if the problem happens again, please compress the memory dump into a rar/zip and send it to me via a file sharing service.

 

And thanks for the WSA tip! I will have to try this out!

 

 

I did what you said and I am waiting for the problem to happen (hopefully!) so I can send you the dump file. Just to make sure, is "complete memory dump" the same as "kernel memory dump"? I ask because in the "Write debugging information" drop-down there are only two options for me, "Small memory dump (256 KB)" and "Kernel memory dump"; there are no such options as Automatic or Complete memory dump.

 

Regarding WSA, you are welcome.

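The dropdown the staff reply and the last question refer to is backed by the CrashDumpEnabled value under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl: 0 = none, 1 = Complete memory dump, 2 = Kernel memory dump, 3 = Small memory dump, 7 = Automatic memory dump. "Automatic" exists only on Windows 8 and later, and the System Properties GUI hides "Complete" on machines with more than 2 GB of RAM, which is why only Small and Kernel were offered; the value can still be set directly. The script below is an added example, not part of the original thread or of MBAE: it reads the current setting, switches it to Complete, and reports whether the page file on the system drive is large enough (a complete dump needs at least physical RAM plus 1 MB). The function names are this example's own; run it elevated, and reboot for the change to take effect.

```powershell
# Added example, not from the original thread: read and set the crash-dump type
# behind the "Write debugging information" dropdown, and sanity-check the page
# file a complete dump is written through.
$CrashControl  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$DumpTypeNames = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }

function Get-CrashDumpSetting {
    $v = Get-ItemProperty -Path $CrashControl
    [pscustomobject]@{
        CrashDumpEnabled = [int]$v.CrashDumpEnabled
        DumpType         = $DumpTypeNames[[int]$v.CrashDumpEnabled]
        DumpFile         = $v.DumpFile     # normally %SystemRoot%\MEMORY.DMP
        Overwrite        = $v.Overwrite
    }
}

function Set-CompleteMemoryDump {
    # 1 = Complete. Writing the value directly works even when the GUI does not
    # offer the option (more than 2 GB of RAM). Takes effect after a reboot.
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value 1 -Type DWord

    # The dump is staged in the page file on the system drive, so that file must
    # hold all of physical RAM plus 1 MB; otherwise the crash produces no dump.
    $cs    = Get-CimInstance Win32_ComputerSystem
    $ramMB = [math]::Ceiling($cs.TotalPhysicalMemory / 1MB)
    $pf    = Get-CimInstance Win32_PageFileSetting |
             Where-Object { $_.Name -like "$env:SystemDrive*" } |
             Select-Object -First 1

    if ($cs.AutomaticManagedPagefile) {
        $pageFileMaxMB = 0        # system managed: no fixed size to compare
        $largeEnough   = $null    # unknown; check %SystemRoot%\MEMORY.DMP after the crash
    } elseif ($pf) {
        $pageFileMaxMB = [int]$pf.MaximumSize
        $largeEnough   = ($pageFileMaxMB -ge $ramMB + 1)
    } else {
        $pageFileMaxMB = 0
        $largeEnough   = $false   # no page file on the system drive at all
    }

    [pscustomobject]@{
        Setting             = Get-CrashDumpSetting
        PhysicalRamMB       = $ramMB
        PageFileMaxMB       = $pageFileMaxMB
        PageFileLargeEnough = $largeEnough
    }
}

Get-CrashDumpSetting
# To switch to complete dumps, run the line below elevated, then reboot:
# Set-CompleteMemoryDump
```

A kernel memory dump (value 2) omits user-mode memory, so it would not contain the mbae.exe heap and stacks the staff want to inspect for the exit hang; that is the practical difference between the two options in the last question.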
