XhenEd

MBAE and Kaspersky


Does MBAE not conflict with Kaspersky Internet Security 14?

Can MBAE be run alongside KIS14 just like with EMET?

 

KIS has Automatic Exploit Prevention.

I already asked about this in the Kaspersky forum. The reply I got is that there might be a conflict since MBAE is running in real time.

But, here in the MBAE forum, I found some users that have both MBAE and KIS installed. That's why I want to be sure.

 

As of now, I run them both with no system crashes or anything problematic.


Hello XhenEd,

 

I have been running Kaspersky Internet Security 14 alongside MBAM, MBAE and EMET for a long time (over a year) and have never had any conflicts. One thing I have done is to set exclusions for MBAM and MBAE in KIS 14, and exclusions for KIS 14 in MBAM.

 

If you are unsure of what exclusions to set, post back here and I will tell you what they should be step by step.

 

I hope this helps.

 

Kind regards.


I don't use MBAM. I use only MBAE which I already excluded from the KIS.

 

 

My problem is this:

For example, my system is being exploited. I have both KIS and MBAE installed. Which program will first detect and stop the exploit? Is it KIS or MBAE? Both? Or none?

Because of possible conflict, maybe neither will stop the exploit.


Hi,

 

I've never come across a live exploit in the wild, but there is a way to do a safe test, then you will be able to see if either MBAE and/or KIS 2014 detect the exploit.

 

Go to this section of the forum and run the test: https://forums.malwarebytes.org/index.php?showtopic=139368

 

If you need any more help just post back.

 

Regards.


ok thanks... i'll try it...

but i guess i must first install visual c++ sp1 redistributable to run the test... whenever i run the exploit test, a pop up will show that msvcr100d.dll is missing.


huhuhu... even after installing visual c++, the pop up still appears...

what should i do to run the test?

 

btw, I have win 8.1 32-bit system...


I'm sorry you're having problems. Unfortunately I don't have access to a Windows 8.1 computer; I'm running Windows 7 64-bit, and once I had downloaded the .zip file and extracted it, it ran without problem for me.

 

If you post here the exact message in the pop up I'm sure another forum member that uses Windows 8.1 will be able to help you.

 

Sorry I couldn't be of more help.


I have just Googled the file you're having problems with (msvcr100d.dll) and there are plenty of sites that have a download available. I have tested none of them though because, as I said, I don't have W8.1 (download them at your own risk) because I am unable to test.

 

Regards.


i got it working... i downloaded the missing .dll... hehehehe...

 

 

MBAE blocked the exploit test... but nothing from KIS, even when I stopped the protection of MBAE...


KIS doesn't block the test because the test is added in the Trusted group. The test is digitally signed by Malwarebytes, that's why.

KIS blocks it if I transfer it to Low Restricted or High Restricted.

 

But, by default, KIS lets the test (the exploit button) run.

 

 

 

I guess what I need to test is a safe exploit sample that is not digitally signed.


Hi XhenEd,

 

Sorry for the delay, I had to go out for a few hours.

 

I did as you asked and disabled MBAE and when I ran the test KIS14 detected the test exploit and deleted the file automatically.

 

To check if KIS14 is detecting it (in KIS), click on the reports button and check under the word "Neutralized"; if it shows a report, click on it and see if it's the test file.

If the test has not been detected, try clicking on "Settings → Additional → Threats and Exclusions". Make sure the Detect other Software box is ticked, then retry the test.


Have been running K-Pure on W8.1/64-bit with MBAE and MBAM for a week and no conflict issues.

Don't expect any :)


I already checked the box in the threats and exclusions... but no blocking from the KIS...

 

the file is automatically added in the Trusted group... I suppose it's because of the "Trust digitally signed applications"... But even if I don't enable it, the test will still be automatically added to the trusted group... :(

I'm sure KIS is working because it can detect the eicar file...

 

MCFatTongue, what's the detection name given by KIS to the test file?

 

Wilpower, can I ask you to run the test file while MBAE is disabled?


Thanks, MCFatTongue!

Thank you for your help.

 

I guess I just have to have both KIS and MBAE in my system.

I still got no response regarding this in the Kaspersky forum.


Hi XhenEd,

 

Below is a screenshot of the KIS14 detection report for the test file:

Hello MCFatTongue:

I just re-scanned mbae-test.exe and mbae-test.zip at VirusTotal, and although both files tested 1/51, it was the Rising engine that gave the (false) positive and notably not Kaspersky.

 

This implies that Kaspersky heuristics might not be used at VT but obviously heuristics were used in your system's environment to include archives.

 

FWIW


1PW,

 

I think we have our wires crossed a bit; the Kaspersky detection of mbae-test.exe is not a false positive, it has been detected correctly. The Kaspersky detection only occurs if MBAE is deactivated (test as requested by OP). When MBAE is active it's that that detects the test file and not Kaspersky.


1PW,

 

I think we have our wires crossed a bit; the Kaspersky detection of mbae-test.exe is not a false positive, it has been detected correctly. The Kaspersky detection only occurs if MBAE is deactivated (test as requested by OP). When MBAE is active it's that that detects the test file and not Kaspersky.

I've been beta testing MBAE for many months and I'm only pointing out the disparity between the consumer's Kaspersky engine and the Kaspersky engine used at VirusTotal.

I'm really only making a slightly off-topic observation. My theory is that the KIS2014 product might be set context sensitive to code like mbae-test (while executing) and the Kaspersky engine in VT can never be.


Hi 1PW,

 

Sorry for my confusion, I see what you were saying now and I agree with your theory.

 

Regards.


Hi XhenEd,

 

I have just read the Kaspersky forum topic you posted.

 

I use Kaspersky because in my humble opinion it's the best AV on the market; likewise I use MBAM and MBAE because it's the best anti-malware on the market.

 

For me, I have used Malwarebytes and Kaspersky products for a number of years, and have never found any conflict between the two.  If a problem ever did arise I know which one I would dump, and it would not be Malwarebytes, I'd just find an alternative compatible AV.

