[SOLVED] Looking for alpha testers for upcoming MBAE 0.10


pbust

For me, this new alpha build 0.10.0.0300 is not conflicting anymore with EMET's SimExecFlow mitigation!

 

Chrome, Word, Excel, PowerPoint, Windows Media Player and Adobe Reader all (except Google Chrome) are added to EMET's protection list with ALL mitigations enabled, and at the same time all are properly shielded by MBAE.

 

Anybody out there experiencing this? 

Yes, they are working fine now.

 

What I experienced with build 0.10.0200 & EMET is no longer there.


After doing a little experimenting with Process Lasso and Anti-Exploit's processes I found something that may be of concern. I wanted to see what would happen if A-E's processes were terminated and then restarted without doing a full reboot. First I right clicked on the icon and stopped the protection, then exited the program. This killed mbae.exe. Next I used Process Lasso to force terminate mbae-svc.exe. I then attempted to launch the program from the Desktop icon. Only mbae.exe would launch and the sys tray icon was not present. This makes it obvious that mbae-svc.exe must remain running during operation. A full reboot corrects this of course. I was thinking this is less than ideal from an IT security standpoint. Are there CMD commands one could use to launch or terminate one or both processes? If not, perhaps a consideration for a future build.


  • Staff

We'll take a look at the 2 issues that have been reported so far with the upgrades:

- Stopped upgrade results in stopped protection after reboot.

- After upgrade old protection GUI-LOG entries are converted to exploit blocked entries.

 

As for stopping the mbae-svc.exe, clearly you shouldn't do that as that is the Windows Service for MBAE. Of course you can only stop that as admin; regular users won't be able to kill or stop the service.


Confirming, as have two others previously, that x.300 is NOT conflicting with EMET 4.x's SimExecFlow mitigation. Whether this was intentionally done, or merely an "accidental" side-benefit of whatever else you were trying to fix, I consider this a major improvement in your program. Good work!


Pedro,

 

Just tried to install the recently posted MBAE alpha version on one of my friend's computers (Windows XP SP3, AVG IS 2014). She had MBAE previously, but I uninstalled, rebooted and deleted MBAE's folder from Program Files. However, I can't get the alpha version to run. The installer gives me the following screen at the end of the installation progress:

I checked the Malwarebytes Anti-Exploit folder in Program Files, noticing that MBAE installed almost all files ending with '_' instead of just the normal extensions (e.g. mbae.exe._ instead of mbae.exe). The folder looks like that:

It doesn't seem to install the service (no entry of it in Services) nor add any task to install service during boot (checked with Autoruns). Tried to install and reboot many times, but this behaviour doesn't seem to change.

What is going on? There is also no folder for logs created in the location you've mentioned in your post with the setup file; however, the setup does create a Start folder with shortcuts. The installer should work fine, as I have installed this version on my Windows 8.1 x64 and there was no problem at all.


  • Staff

That's probably due to an incomplete uninstall of the previous 0.09 MBAE. Since the 0.10 is a completely new architecture, the uninstall of the previous 0.09 needs to be complete.

 

Uninstall whatever version you have and reboot and then delete all the files and then reboot again just to be on the safe side. Afterwards it should allow you to install the 0.10 alpha build.

 

If you have problems uninstalling the 0.10 let me know and I'll send you some manual instructions.


Pedro,

I did that even with 0.9 and tried to be thorough. Uninstalled, rebooted, deleted directory, rebooted. Tried now, with 0.10 - uninstalled, rebooted, found that there is no Malwarebytes Anti-Exploit folder in Program Files (must have been deleted by uninstaller), rebooted again, tried to install --> same thing. Checked services and autostart and task scheduler - no sign of MBAE anywhere.


Hello,

This may already be known to you, but just FYI, the 09 series MBAE installed to either "Program Files" or "Program Files (x86)" based on your system (64 bit or 32 bit). However the 10 series MBAE only installs to "Program Files (x86)" no matter what system that you are on. If you are on a 64 bit system, you must now go to "Program Files (x86)" to delete the MBAE folder (not "Program Files" as with previous builds).



  • Staff

The issue from pkolasa should be fixed already. It had to do with the new installer and localization of the OS in other languages. Thank you so much pkolasa for helping out as much as you did with the remote sessions and everything!! With this fix in place we're freezing code for the final release candidate of 0.10.0.1000 which will be out soon.

 

Thanks everyone for testing the new 0.10 architecture but please continue sending issues if you find any!!


So there are CMD commands one could use for Anti-Exploit. Thanks for the info danburrito. I do understand that the average home user shouldn't have a reason to kill the main process. I was thinking more in line with A-E being used in a business environment, where I still think this CMD command info could be useful to the IT/security department just in case.
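As an added example (not code from this thread or from Malwarebytes), here is a PowerShell health check an IT department could run to confirm the MBAE 0.10 pieces discussed above are in place: the service binary mbae-svc.exe registered and running, the tray GUI mbae.exe present, and no leftover '._' files from an incomplete install. The install folder name and the service lookup by binary path are assumptions taken from the thread's descriptions; the service's registered name is not stated, and -Start needs an elevated prompt.

```powershell
# Added example, not Malwarebytes' own tooling. Names come from the thread:
# mbae-svc.exe is the service binary, mbae.exe the tray GUI, and 0.10 installs
# under "Program Files (x86)\Malwarebytes Anti-Exploit". The service's registered
# name is not known, so it is located by binary path. Uses Get-WmiObject so it
# also runs on the PowerShell 2.0 shipped with Windows 7.
param([switch]$Start)

$problems = @()

# 1. Install folder: files left as "name.ext._" mean the installer did not finish.
$pf86 = ${env:ProgramFiles(x86)}
if (-not $pf86) { $pf86 = $env:ProgramFiles }   # 32-bit Windows has no (x86) folder
$dir = Join-Path $pf86 'Malwarebytes Anti-Exploit'
if (-not (Test-Path $dir)) {
    $problems += "Install folder missing: $dir"
} else {
    $stubs = @(Get-ChildItem -Path $dir -Filter '*._' -ErrorAction SilentlyContinue)
    if ($stubs.Count -gt 0) {
        $problems += "Incomplete install: $($stubs.Count) file(s) still end in '._'"
    }
}

# 2. Service: must be registered and running, otherwise there is no protection.
$svc = Get-WmiObject -Class Win32_Service |
       Where-Object { $_.PathName -like '*mbae-svc.exe*' }
if (-not $svc) {
    $problems += 'MBAE service is not registered'
} elseif ($svc.State -ne 'Running') {
    if ($Start) {
        Start-Service -Name $svc.Name -ErrorAction Stop   # access denied unless elevated
        "Started service $($svc.Name)"
    } else {
        $problems += "Service $($svc.Name) is $($svc.State) (StartMode=$($svc.StartMode))"
    }
}

# 3. Tray GUI: absent when a user chose 'stop protection' and exited the program.
if (-not (Get-Process -Name 'mbae' -ErrorAction SilentlyContinue)) {
    $problems += 'Tray GUI mbae.exe is not running'
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
'MBAE health check: OK'
exit 0
```

Exit code 1 on any finding makes it usable from a scheduled task or monitoring agent.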


Hi,

 

I have just uninstalled 0.09.5.1000 and installed 0.10.0.0300 for the first time.

 

I can confirm the Emet SimExecFlow problem still exists for me.

 

I'm using:

MBAE 0.10.0.0300
EMET 4.1
Windows 7 64 SP1
Firefox 27.01

 

I think the previous users that now do not see any conflict have updated from 0.10.0.0200 to 0.10.0.0300; perhaps it's not the update that negated the conflict but something in the update process, so hopefully when the next update happens the problem will be solved for me.

 

I may just be clutching at straws here, but as things stand I think maybe anyone using MBAE alpha for the first time will have this problem regardless of the current alpha version.


Hello,

 

I have just discovered another problem with MBAE 0.10.0.0300: while it's installed I am unable to use the Firefox print preview function (Firefox orange button → Print → Print Preview). When the MBAE alpha is uninstalled the print preview function works as expected. I'm using FF 27.01 and Windows 7 64 SP1.

 

Will someone here on this forum please confirm this behaviour.

 

I reported a similar issue for MBAM 2.00.0.503 and that issue was confirmed by other users. (It can be found here: https://forums.malwarebytes.org/index.php?showtopic=142455 )


Funny that you mention that because I also seem to have the same problem. I went to print something yesterday and I couldn't get it to print. I didn't get any error, only that the print button under print preview wouldn't respond. I figured it was a random issue since I have Firefox running under Sandboxie. I printed the item under Chrome and it printed fine. I can't attempt to replicate the issue now but I will tomorrow and try to confirm.


Hi Pedro,

 

I had already uninstalled 0.10.0.0300 and reinstalled 0.09.5.1000 so had to do a clean install of the alpha build to try and replicate the problem.

 

Fortunately or unfortunately, depending on your point of view, when I tried the print preview function again in Firefox it worked as it should. As far as I can remember I did the installation exactly the same way as I did the first time.

 

I will keep running MBAE alpha now, so I will keep an eye on this and should the problem reappear I'll send you the log files you requested.

 

One thing I forgot to mention is that while I had the problem on the first install, I was also running MBAM 2.00.0.0503 and EMET 4.1.


Out of curiosity, I tried testing FF27.0.1's Print Preview function.

 

On my first Win7x64 SP1 system, with EMET 3, it opened just fine.

 

But on my second Win7x64 SP1 system, with EMET 4.1, something started to pop up, but it immediately disappeared. Moreover, when I tried an actual Print, it generated a printer error message. HOWEVER, the same things happened with both EMET and MBAE disabled, so I don't believe either one was responsible here.

 

[The printer works fine with IE.]
