pbust

[SOLVED] Looking for alpha testers for upcoming MBAE 0.10


When you release .10 as beta, will you have solved/fixed the EMET 4.1 SimExecFlow conflict?   Or will you just be "advertising" it as a known issue?


We'll post it as a known issue. We still have to add some exploit mitigation techniques to the engine, so fixing this compatibility problem now would be a waste of time as other mitigations we add in the future will probably also conflict. So we'll fix the EMET compatibility issues towards the end of the beta period.


Then I would suggest you include a PROMINENT announcement (disclaimer) with the beta, lest EMET 4.x users be very surprised when they soon discover they can't open a browser upon installing/testing the beta [unless they adjust their EMET settings first].


Good idea, we can include it in the installer's changelog display as well.


Got the 0.10 build installed. I did temporarily disable Immunet's Blocking Mode & Monitor Program Install in Settings and Comodo's AutoSandbox just to make sure there were no conflicts during the install. I added another exclusion for mbae-svc.exe to avoid any possible future conflicts with Immunet just in case. Of course I did get a popup from Comodo after the new process launched and created a new Allowed Application rule for mbae-svc.exe. There are two processes running, mbae.exe too. Is this normal Pedro? I'm assuming mbae-svc.exe is the main process and mbae.exe is for the tray icon. Immunet uses two processes in a similar manner.

 

After installation the program seems to be stable with no conflicts to report so far. Very little CPU usage when idle observed. About 9 MB of RAM being used for both processes at the moment. Disk I/O is minimal. Very light system footprint! Sweet!

Cheers, Ritchie...


After several reboots and the program launching normally I have observed noticeably quicker bootup times with my Win 7 Ultimate x64 machine which is a welcomed plus! The tray icon is launching normally at each bootup so far. It will be "fantastic" not having to deal with that bug anymore I'm really hoping, lol!

 

Ritchie...


Hello Pedro,

 

I just wanted to comment that the MBAE alpha is running flawlessly here (except for the software conflict we discussed by PM - no fault of MBAE or you)!

 

Resource usage seems to be a little bit less and I do not notice it running. Works perfectly with a few recent exploits I tested it against. The biggest and best improvement (for me at least) is since installing this alpha, the tray icon has appeared in each and every boot of my system. Not once has it failed to appear. This is a big improvement for me as, with all previous versions, the tray icon never appeared...


If anyone else wants to test the new MBAE alpha, you can do so from here.

 

Before you install and since this is a completely new architecture, please make sure to completely uninstall your current MBAE following these instructions:

 

1- Close all protected apps such as browsers, pdf readers, Office, media players, etc.

2- Uninstall MBAE from the Control Panel.

3- Reboot.

4- Delete C:\Program Files\Malwarebytes Anti-Exploit.

 

This will be the last time you'll have to manually uninstall MBAE to install a newer version as this new architecture can perform hot-upgrades to newer versions.

 

Once you've uninstalled feel free to install the new MBAE alpha 0.10.0.0300 attached here. Keep in mind that the logs will now be stored in a different directory:

Windows Vista and above: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Exploit

Windows XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes Anti-Exploit

 

If you run across any problem or issue please zip all your logs and post them here.

 

EDIT: deleted attachment. Final 0.10 version available here: https://forums.malwarebytes.org/index.php?showtopic=143429


An important sidenote for EMET users: disable SimExecFlow mitigation for all programs that are protected by MBAE or those programs won't work any longer.


Pedro,

 

I see the alpha mentioned above on this page is a new minor build x.300 (as opposed to the previous x.200).

 

Can you elaborate on the changes implemented from one to the next?   Is it worth it for x.200 testers to update to x.300, or should we just wait until a newer build is released?

 

EDIT:  I just "discovered" a message you had sent me yesterday, answering this question.


In x.300, information on the LOGS tab for previously existing entries (carried over from x.200) is messed up:   instead of showing that an application was protected, it's asserting that an exploit code had been blocked.

 

It seems that NEW entries (created by x.300) are showing normally on the LOGS tab.


Yes ky331, hake also reported this very same thing. We'll have to look closer into this.


Another BIG issue with x.300: after a reboot, the protection is STOPPED... from what I see in the log, it's saying I don't have sufficient administrator rights on my account:   (I will be going back to x.200 at this point)

 

mbae-svc-NoMod(215) - 2014/02/15 - 16:22:49 - #1# - LoadReportFile:   -     9 - 2676
mbae-svc-NoMod(217) - 2014/02/15 - 16:22:49 - #1# - ServiceStart: 9 -     9 - 2676
mbae-svc-NoMod(820) - 2014/02/15 - 16:22:49 - #2# - InstallDriver: Malwarebytes Anti-Exploit Driver Installed successfuly -     30 - 2676
mbae-svc-NoMod(268) - 2014/02/15 - 16:22:49 - #2# - ServiceStart: Malwarebytes Anti-Exploit Service is started -     213 - 2676
mbae-NoMod(455) - 2014/02/15 - 16:23:26 - #2# - IsAdminRunning: Admin Limited -     35 - 4804
mbae-NoMod(139) - 2014/02/15 - 16:23:27 - #1# - LoadReportFile:   -     9 - 4804
mbae-svc-NoMod(1141) - 2014/02/15 - 16:23:28 - #2# - IPCFromClient: GET_NUM_REPORTS -     30 - 5628
mbae-svc-NoMod(1188) - 2014/02/15 - 16:23:28 - #2# - IPCFromClient: GET_NUM_APPLICATIONS -     213 - 5628
mbae-svc-NoMod(1061) - 2014/02/15 - 16:23:28 - #2# - IPCFromClient: CLIENT_RUNNING (4764): <my name> - On -     213 - 5628
mbae-svc-NoMod(1131) - 2014/02/15 - 16:23:29 - #2# - IPCFromClient: GET_APP_CONFIG -     213 - 5628

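The log excerpt above follows a fixed line layout, so it can be parsed mechanically rather than read by eye. The Python below is an added example, not MBAE's own tooling: it parses the lines quoted in the post (the poster's "<my name>" placeholder kept) and reports the two facts a tester checks first, whether the service logged itself as started and which process reported running with limited rights. The field layout and the meaning of the two trailing numbers are assumptions inferred from the lines shown.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines quoted in the post above, with the poster's
# "<my name>" placeholder kept, plus one unrelated line to show it is skipped.
SAMPLE_LOG = """\
mbae-svc-NoMod(215) - 2014/02/15 - 16:22:49 - #1# - LoadReportFile:   -     9 - 2676
mbae-svc-NoMod(217) - 2014/02/15 - 16:22:49 - #1# - ServiceStart: 9 -     9 - 2676
mbae-svc-NoMod(820) - 2014/02/15 - 16:22:49 - #2# - InstallDriver: Malwarebytes Anti-Exploit Driver Installed successfuly -     30 - 2676
mbae-svc-NoMod(268) - 2014/02/15 - 16:22:49 - #2# - ServiceStart: Malwarebytes Anti-Exploit Service is started -     213 - 2676
mbae-NoMod(455) - 2014/02/15 - 16:23:26 - #2# - IsAdminRunning: Admin Limited -     35 - 4804
mbae-svc-NoMod(1061) - 2014/02/15 - 16:23:28 - #2# - IPCFromClient: CLIENT_RUNNING (4764): <my name> - On -     213 - 5628
not a log line at all
"""

# Assumed layout, inferred from the lines above (MBAE does not document it):
#   <process>(<n>) - <date> - <time> - #<level># - <Function>: <message> - <num1> - <num2>
# The message can itself contain " - " (see CLIENT_RUNNING), so a lazy match
# anchored on the two trailing numeric fields is used instead of split(" - ").
LINE_RE = re.compile(
    r"^(?P<process>[\w-]+)\((?P<src>\d+)\) - "
    r"(?P<date>\d{4}/\d{2}/\d{2}) - (?P<time>\d{2}:\d{2}:\d{2}) - "
    r"#(?P<level>\d+)# - (?P<func>\w+):\s*(?P<msg>.*?)\s*-\s*"
    r"(?P<num1>\d+) - (?P<num2>\d+)$"
)

@dataclass
class Entry:
    process: str   # "mbae-svc-NoMod" is the service, "mbae-NoMod" the tray client
    time: str
    level: int
    func: str
    msg: str
    num2: int      # meaning not documented; assumed to be a process/thread id

def parse_log(text):
    """Return one Entry per line that matches the layout; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["process"], m["time"], int(m["level"]),
                                 m["func"], m["msg"], int(m["num2"])))
    return entries

def triage(entries):
    """Did the service report itself started, and which process (if any)
    reported running with limited rights."""
    service_started = any(e.process.startswith("mbae-svc") and e.func == "ServiceStart"
                          and "is started" in e.msg for e in entries)
    limited = sorted({e.process for e in entries
                      if e.func == "IsAdminRunning" and "Admin Limited" in e.msg})
    return {"service_started": service_started, "admin_limited_by": limited}
```

On the sample above `triage` reports the service as started but the tray client (`mbae-NoMod`) as "Admin Limited", which is the combination the poster describes: the service comes up, the client cannot act with full rights.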

Another problem:

Perhaps naively, I assumed I could reinstall x.200 over x.300... which seemed to work... except that x.200's protection was initially STOPPED as well.

Uninstalling x.200, and even reinstalling/uninstalling x.300, didn't make a difference.

 

What I finally had to do was go to the new C:\ProgramData folder to manually remove the files there (.dat & others), which apparently were storing the STOPPED status, even after UNinstalling x.300, and even after a reboot.   I was then able to successfully (re-)install and START x.200.


Sorry ky331 I'm not sure I understand what the problem is.

 

- If you do a fresh install without any previous version or logs directory, does MBAE stay stopped after a reboot?

- What if you install .0300 on top of a normal and running .0200, does MBAE stay stopped after a reboot?

 

If you have the protection stopped when upgrading from .0200 to .0300 it is normal that the .0300 stays in stopped mode as well.

 

EDIT: btw what OS and architecture are you running and what type of user security limitations are you logging in with (admin, LUA, ...)? Please send me a zip with all the logs if you can replicate this problem at will.


"If you have the protection stopped when upgrading from .0200 to .0300 it is normal that the .0300 stays in stopped mode as well".

 

I tried to take [what I assumed to be] a safe approach to the upgrade from .0200 to .0300 ; so I stopped .0200's protection, and furthermore, exited that program, prior to installing .0300.

 

When/if I noticed that .0300 was stopped, I turned it back on.   It stayed that way, until I rebooted, only to realize it had shut itself off.   I turned it on again, rebooted, but it was off yet again.

 

Trying to revert back to .0200, without removing the C:\ProgramData folder , resulted in .0200 booting in stopped mode as well.   Only after removing the C:\ProgramData folder, was I able to get .0200 to start up normally.

 

I'll check momentarily to see if I still have a log file, to zip/e-mail you.  [EDIT:  Found, and sent.]

 

The particular test was done on a Win7x64 Pro SP1 system, on an account with full administrator rights.   Avast 8, Emet 3, MBAM Pro 1.75.


Just e-mailed you logs of two tests I ran today --- this time, on a 32-bit WinXP Pro SP3 system, on an account with full administrator rights.   Avast 2014, Emet 2, MBAM Pro 1.75.

 

Apparently, the problem was that I stopped x.200's protection --- thinking that was a prudent move --- before installing x.300 over it.   In this scenario, even after manually starting x.300's protection, it would be stopped on subsequent reboots.

 

In contrast, by leaving x.200's protection running, and installing x.300 over it, everything went normally.


Got your email, thank you!

Everything is very well explained with exact steps to reproduce and complete logs, perfect!

We will be taking a look at this in the next couple of days and fix it asap.

Thanks again for all your help ky331!!


No problems here with the newest build.  Uninstall and install went smoothly.  Ran Chrome, Firefox and IE without a hiccup.  I'm currently running it with WSA IS and CFW.  The logs all show protected in every browser.  No conflicts with WSA noted.  Also tried running Adobe Reader and VLC.   Also no problems noted.  The new service is running nicely.


Hello,
 

I tried to take [what I assumed to be] a safe approach to the upgrade from .0200 to .0300 ; so I stopped .0200's protection, and furthermore, exited that program, prior to installing .0300.
 
When/if I noticed that .0300 was stopped, I turned it back on.   It stayed that way, until I rebooted, only to realize it had shut itself off.   I turned it on again, rebooted, but it was off yet again.

 

I had tried to reply to this last night but was having issues posting. I had the same issue that ky331 posted above. The only way that I could solve the issue was to fully remove MBAE by both running the uninstaller and being sure all folders and files relating to MBAE were removed. A fresh install of MBAE then solved the issue and MBAE now starts at boot with protection running as it should. It seems MBAE somehow "remembers" the fact that you had protection stopped when you did the upgrade and then remembers that and you cannot change it.

 

Pedro, I see you are looking into it but just wanted to verify that I had that same issue. Other than that one hiccup, all is running great here now...


For me, this new alpha build 0.10.0.0300 is not conflicting anymore with EMET's SimExecFlow mitigation!

 

Chrome, Word, Excel, PowerPoint, Windows Media Player and Adobe Reader all (except Google Chrome) are added to EMET's protection list with ALL mitigations enabled and in the same time all are properly shielded by MBAE.

 

Anybody out there experiencing this? 


I can confirm what ky331 said. I left the .0200's protection running and the icon in the sys tray active when I ran the .0300 installer and everything went smoothly for me. After deleting the old log files the old build was stopped successfully by the installer and the new build's protection started normally after installation.
