hazard Posted May 9, 2015
Hi,
When using the proxy JonDo, MBAE marks it as an exploit of Java. Here is the website for the service/program. https://anonymous-proxy-servers.net/en/jondo.html
Attached you will find my logs. I am using Windows 7 x64 and MBAE version 1.06.1.1019.
Thanks!
[Attachment: Malwarebytes Anti-Exploit.zip]
pbust (Staff) Posted May 9, 2015
Thanks for posting the logs hazard. Could you please do the following:
1- Reboot the PC (to make sure no Java or JonDo process is running in the background)
2- Stop MBAE
3- Download and run Process Monitor
4- Replicate the process of launching and running JonDo.
5- From Process Monitor, save the capture to a .PML file.
6- Zip and attach (or PM me) the archive.
Thanks!
hazard Posted May 9, 2015
Hi Pedro,
Here is the capture that you have requested.
Thanks!
[Attachment: Logfile.zip]
pbust (Staff) Posted May 9, 2015
Thanks for the capture hazard. This is a bit weird. It shouldn't be blocked by MBAE. Can you create another Process Monitor capture, but this time with MBAE actively running?
hazard Posted May 10, 2015
Here is the second capture with MBAE blocking Java for JonDo.
[Attachment: Logfile.zip]
pbust (Staff) Posted May 10, 2015
Thanks for the new log hazard. One last question (which is unfortunately not seen in the procmon capture): What is the parent process of JonDo.exe? Do you double-click on it from a shortcut on disk (Desktop, Start Menu, etc.) or is it launched from within a browser?
hazard Posted May 12, 2015
I launch it from a shortcut in my start menu. I know it essentially is running a .jar file though.
hazard Posted May 12, 2015
Here's a screenshot of the files listed in the program files. I run the JonDo.exe which in turn runs JAP.jar.
pbust (Staff) Posted May 13, 2015
Duh, I should have noticed this earlier. You have a custom shield for JonDo.exe, correct? Try deleting that custom shield to see if the problem is resolved.
hazard Posted May 15, 2015
I do indeed. I thought it was a good thing to shield since it uses Java. Not the case I guess? Deleting the shield did stop the exploit notification.
pbust (Staff) Posted May 15, 2015
Cool, thanks for confirming. It's not necessary to shield JonDo.exe since it simply launches Java and Java is already monitored by default.