digmorcrusher

MBAE 1.06 Release Candidate


Running great here, turned off the "notification traybar tooltips" as it was annoying, every time I opened a browser it popped up. Now we need the option to open the window full sized, if someone wants to check the logs it's very hard with a small window.


Further to this, I've opened Chrome and IE 11 several times, Burnaware, Foxit Reader etc, none of them are showing up in the logs as protected.


Yes, the notification entries in the log have been replaced by the traybar balloon notifications.

In addition to giving a more visual representation of the protection it also frees up the log window to find important entries related to exploits blocked.


Ok, so then if I turn balloon off I will get no notification at all, no balloon and nothing in the log? I don't like that, it should be either one. I do not like the balloon popping up every time I open something up.


I like the tool tip/balloon from the tray icon because it lets me know in real-time that MBAE is protecting my applications as I launch them. It frees the log file up, and it makes it easier to find other information. I guess you could give the option to log this information if the user disables the tool tip, but I prefer the tool tip instead of logging this information. Thank you for adding the tool tip!


I asked this at Wilders, but I think I will move my discussion here so I can make good use of this account which I opened years ago. Are all of MBAE's mitigation methods listed in the advanced settings, or does MBAE use other proprietary methods not listed? If MBAE does use other mitigation methods then what type of mitigation methods are they?


I asked this at Wilders, but I think I will move my discussion here so I can make good use of this account which I opened years ago. Are all of MBAE's mitigation methods listed in the advanced settings, or does MBAE use other proprietary methods not listed? If MBAE does use other mitigation methods then what type of mitigation methods are they?

As mentioned over at Wilders, the ones shown in Advanced Configuration are those which we are allowing users to tweak. There are many more that are not showing, especially in Layer3 (Application Behavior).


Ok, thank you for the info! I was wondering why some users have been using MBAE with EMET. I just ask this because I wonder what the benefit is for those users that are using them together. EMET 5.1 and 5.2 list several different mitigation methods that are not listed in MBAE advanced settings. I just would like to know if EMET uses any that MBAE does not. If so then maybe it is beneficial to use them together. Below is a screenshot of the latest mitigations used by EMET 5.2.

[Attached screenshot: EMET 5.2 mitigation list]


There's no point in running both together. It introduces more problems than solutions. Most mitigations found in EMET are included in MBAE, and then some. Also there is the fact that we fine-tune the mitigations to make them work seamlessly with protected applications, so there is no need to turn some of them off to make it work with certain third-party applications. So really the only reason to go with EMET instead of MBAE is that it's free to protect more than just browsers and Java.


I'm having a strange issue with the tool tip and IE 11 on Windows 7 x64. When I first launched IE I did not receive the tool tip informing me that MBAE was protecting IE, unless I just missed it. I closed IE, and launched IE again. The tool tip then did not appear until about 15-20 seconds after I launched IE. After that I continued to get random tool tip notifications that MBAE was protecting IE 11 as I surfed the net.


There's no point in running both together. It introduces more problems than solutions. Most mitigations found in EMET are included in MBAE, and then some. Also there is the fact that we fine-tune the mitigations to make them work seamlessly with protected applications, so there is no need to turn some of them off to make it work with certain third-party applications. So really the only reason to go with EMET instead of MBAE is that it's free to protect more than just browsers and Java.

Ok, thank you for the information!


Can you send me a ZIP with all the files in your C:\ProgramData\Malwarebytes Anti-Exploit directory?


Check your Process Explorer. Do you still have iexplore.exe processes running? Maybe some other software is loading a hidden iexplore.exe process?

 

If you send me the logs I'll be able to tell you what's going on.


I checked process explorer, and I don't have any iexplorer.exe processes still running. It's possible that they were still running in the background when I continued to receive the tool tips though. I'm no longer receiving the tool tips now with IE shut down. I just launched IE again, and the tooltip appeared immediately. I will surf the net for a while, and see if I continue to receive the random tool tips informing me that MBAE is protecting IE.


It seems that you have a few instances of rundll32.exe executing iexplore.exe child processes with specific commands to clear IE's cache:

 

C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8651 WinX:0 WinY:0 IEFrame:0000000000000000. Parent Process (1312)explorer.exe

 

Every time this happens it executes 2 iexplore.exe processes.

 

From the logs I see it happened a few times:

 

2015/03/16 - 21:54:15

2015/03/16 - 21:55:16

2015/03/16 - 22:32:00

 

Do you have some type of scheduled cleaner running in the background?


No, I don't have anything like that running that I am aware of. I have CCleaner installed, but I only use it to clean the cache manually. I don't have any autocleaning enabled. I just have IE configured to delete browsing history when I close it. I just closed IE again, and several seconds after closing it the MBAE tool tip appeared. It has not appeared again though, and I have had IE closed for about 5 minutes now.


Yes it seems that's it. Upon closing IE rundll32.exe will execute a couple of iexplore.exe processes to clear your browsing history. This is what's causing the extra tooltips.
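The mechanism above (rundll32.exe running inetcpl.cpl,ClearMyTracksByProcess when IE closes, each time spawning two iexplore.exe children that MBAE then reports as protected) is easy to confirm from a process-creation log. The following is an added example, not code from the thread or from MBAE: it tags iexplore.exe processes whose parent is that history-clearing helper so they can be told apart from a user actually opening the browser. The "time|pid|ppid|image|cmdline" record format, the PIDs and the paths are constructed; only the rundll32 command line and the timestamps are taken from the post.

```python
# Added example (not from the thread or from MBAE). Record format, PIDs and paths
# are constructed; the rundll32 command line and timestamps come from the post.
# Goal: separate iexplore.exe spawned by IE's delete-history helper from real launches.
RUNDLL = r"C:\Windows\system32\rundll32.exe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
CLEAR = (RUNDLL + r" C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess"
         r" Flags:8651 WinX:0 WinY:0 IEFrame:0000000000000000")
SAMPLE_EVENTS = "\n".join([
    f"2015/03/16 21:50:02|4100|1312|{IE}|{IE}",         # user opens IE from explorer.exe (1312)
    f"2015/03/16 21:54:15|5208|1312|{RUNDLL}|{CLEAR}",  # IE closed: delete-history helper starts
    f"2015/03/16 21:54:15|5212|5208|{IE}|{IE}",         # ...and spawns two iexplore.exe children
    f"2015/03/16 21:54:16|5216|5208|{IE}|{IE}",
    f"2015/03/16 21:55:16|5300|1312|{RUNDLL}|{CLEAR}",
    f"2015/03/16 21:55:16|5304|5300|{IE}|{IE}",
    f"2015/03/16 21:55:17|5308|5300|{IE}|{IE}",
])

def parse_events(text):
    """Turn the records into dicts; split at most 4 times since a cmdline may contain '|'."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, pid, ppid, image, cmdline = line.split("|", 4)
            events.append({"time": ts, "pid": int(pid), "ppid": int(ppid),
                           "image": image, "cmdline": cmdline})
    return events

def is_clear_tracks_helper(ev):
    """rundll32.exe running inetcpl.cpl,ClearMyTracksByProcess (IE's delete-history-on-exit)."""
    return (ev["image"].lower().endswith("\\rundll32.exe")
            and "inetcpl.cpl,clearmytracksbyprocess" in ev["cmdline"].lower())

def classify_ie_launches(events):
    """Return (interactive iexplore.exe launches, {helper pid: {"time", "children"}})."""
    by_pid = {ev["pid"]: ev for ev in events}  # assumes no PID reuse inside one log window
    interactive, helpers = [], {}
    for ev in events:
        if not ev["image"].lower().endswith("\\iexplore.exe"):
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is not None and is_clear_tracks_helper(parent):
            helpers.setdefault(parent["pid"], {"time": parent["time"], "children": []})
            helpers[parent["pid"]]["children"].append(ev)
        else:
            interactive.append(ev)  # a real launch, worth a "protected" notification
    return interactive, helpers

if __name__ == "__main__":
    launches, helpers = classify_ie_launches(parse_events(SAMPLE_EVENTS))
    print(f"{len(launches)} interactive launch(es)")
    for pid, h in helpers.items():
        print(f"{h['time']}: helper {pid} spawned {len(h['children'])} iexplore.exe")
```

On the constructed sample this reports one interactive launch and two helper runs, each with exactly the two iexplore.exe children the post describes, which is the pattern to look for before treating extra notifications as suspicious.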


I think that is what is causing the extra tool tips when I close my browser, but what about the extra tool tips I was getting when I was surfing the internet? I think something else is causing those. If it starts happening again I will try to figure it out. Thank you!


If you can replicate this at will, try the following:

 

1- Stop the MBAE service.

2- Delete all the files from the MBAE logs directory.

3- Start the MBAE service and execute mbae.exe.

4- Replicate the problem.

5- Send me a new ZIP file with the fresh files from the MBAE logs directory.

 

Thanks!

