[EMET] VideoLAN (VLC) 2.1.3, MBAE 0.10.0.1000 and EMET 5.0 TP

[Nesivos]

This is a bit complicated so walk with me on this.

 

W7-SP1

Adding VLC 2.1.3 to EMET 5.0 TP on my W7-SP1 x64 with MBAE protection enabled prevents VLC from opening due to EMET 5.0 TP detecting SimExecFlow a mitigation.  This is a ROP (Return Oriented Programming)i mitigation.  If I exclude SimExecFlow Miigation from EMET 5.0 TP for VLC 2.1.3, VLC will run fine even with MBAE protection enabled.  Adding VLC 2.1.3 to EMET 5.0 TP without MBAE protection enabled still crashes VLC unless I exclude the SimExecFlow a mitigation from VLC in EMET 5.0 TP.

 

So whether or not MBAE protection is enabled or disabled VLC will not run the W7-SP1 unless I exclude SimExecFlow Mitigation from VLC in EMET 5.0 TP.

Once the exclusion is in place than VLC will run fine on the W7-SP1 computer whether MBAE protection is enabled or disabled.

 

W8.1 Pro Updated Through This Last Tuesday

However on my W8.1 Pro updated through last Tueday VLC will not run with MBAE protection enabled with VLC added to EMET 5.0 TP even with the SimExecFlow Mitigation (ROP) mitigation excluded in EMET.  The only way VLC will run in this scenario on the W8.1 updated computer is to exclude the SimExecFlow Mitigation for VLC in EMET 5.0 TP and disable MBAE protection.

 

I hope this is clear Sorry if it is not.

 

[danburrito]

Try updating MBAE to version 0.10.3.0100.

 

Uninstall MBAE

Delete %ProgramFiles%\Malwarebytes Anti-Exploit

Delete %AllUsersProfile%\Malwarebytes\Malwarebytes Anti-Exploit

Reboot

Download version 0.10.3.0100 here: https://forums.malwa...howtopic=146368

Install

[danburrito]

And if you happen to have MBAM v2.0.1 installed, make sure to disable the self-protection module in MBAM first.

[Nesivos]

 

Try updating MBAE to version 0.10.3.0100.

 

Uninstall MBAE

Delete %ProgramFiles%\Malwarebytes Anti-Exploit

Delete %AllUsersProfile%\Malwarebytes\Malwarebytes Anti-Exploit

Reboot

Download version 0.10.3.0100 here: https://forums.malwa...howtopic=146368

Install

 

Too complicated.  According to posts on the forum future updates of MBAE after 0.10.01000 were not to require uninstalls before installing the new version.

 

I tried the new version yesterday and most of the files had a '_' at the end.   I had never seen files before that ended in '_" especially '*.exe' files that ended with '*.exe_'

 

Not sure why you would have to turn off MBAM self protection to do an update to MBAE.

 

Thanks for your advice but I will hold off doing anything until someone with more posts here comes along and says the the latest release of MBAE 0.10.3.0100 has been updated or the file on the link is the updated build that won't generate files ending in '_"

[danburrito]

Too complicated.  According to posts on the forum future updates of MBAE after 0.10.01000 were not to require uninstalls before installing the new version.

Just like reboots are not required 99% of the time, yet some people still do them after every install/uninstall.

 

I tried the new version yesterday and most of the files had a '_' at the end.   I had never seen files before that ended in '_" especially '*.exe' files that ended with '*.exe_'

 

I was under the impression that issue had been fixed, according to the thread you started: https://forums.malwarebytes.org/index.php?showtopic=146389

 

Not sure why you would have to turn off MBAM self protection to do an update to MBAE.

Pedro said so: https://forums.malwarebytes.org/index.php?showtopic=146097&page=2#entry816876

 

Thanks for your advice but I will hold off doing anything until someone with more posts here comes along and says the the latest release of MBAE 0.10.3.0100 has been updated or the file on the link is the updated build that won't generate files ending in '_"

I shall work on my quantity of posts.

[pbust]

The EMET conflicts with VLC and other apps are known and there's no solution for that currently.

 

The Win8.1 issue is fixed with build 0.10.3.0100 which is available here. This build is already updated and does not require deactivation of MBAM Self-Protection.

 

The files ending with .___ is part of the hot upgrade mechanism. It is by design. After a successful upgrade they should disappear. If you have MBAE installed and you are still seeing files with those extensions then that means that somewhere along the way there was a failed install. If you want to get rid of them you can simply delete them or uninstall MBAE completely, remove the %ProgramFiles%\Malwarebytes Anti-Exploit folder and re-install. The only known install problem we've seen so far is when the Service Control Manager (SCM) is open. This happens sometimes if you have MMC or ProcessExplorer open during the MBAE installation. This seems to prevent the installer from upgrading the MBAE Service (mbae-svc.exe).

[pbust]

Unlocking and re-opening the EMET-compatibility discussions under "News, Questions and Comments" section instead of under "Product Support".