MBAE 1.08 Beta Preview

[1PW]

Hello All:
 
Ref: https://forums.malwarebytes.org/index.php?/topic/172363-mbae-108-beta-preview/page-2#entry987726

Despite postings here to the contrary, and to give Pedro yet another data point, I did install 1.08.1.1021 over the top of 1.08.1.1016 on my previously mentioned XP Home x86 SP3 testbed system in part because no Kaspersky products have ever been installed on that system.

 

I have reverted all settings in build 1021 to default and now that system's Opera 12.17.1863.0 browser along with Excel 10.0.6871.0 launch and operate normally while enjoying MBAE's protections.

 

As no other issues have been uncovered there, I'll let that system's build 1021 await another Beta Preview version even while it's kept off-line.

 

Thank you.

[TheDude23112]

Welcome to the forum TheDude23112.

 

Can you please attach your MBAE logs here? Instructions can be found in the "readme first" link in my signature.

 

Thanks!

What exactly is the directory name?

[pbust]

The "readme first" link explains it all and shows the directory names per OS.

[pbust]

Build 1023 released:

https://malwarebytes.box.com/s/p5dshht5siqu9owc6qom2wg3tuzagqxg

 

Changelog:

* Re-fix of the Kaspersky conflict

* Remove RET-ROP technique from "Other" family

* Fix for conflict with third-party products that use the same hooks

* Fix for keeping custom shields when upgrading from 1.07

[Wilpower]

Thanks Pedro.

V. 1023 has solved the issue for me on W10 64 Bit

Appreciate the hard work.

[1PW]

Build 1023 has been installed over-the-top on several MBAE Premium systems here, and no issues are seen.

 

Thank you to all.

[ky331]

With build 1023 on Win7x64, all seems stable in quick/preliminary testing.   Two comments:

 

1) I had deactivated the IE shield in 1021... the install of 1023 overrode that setting, and activated the IE shield again.   Was that intentional on your part, to re-activate any shields that the user had chosen to deactivate? 

 

2) I had a custom (Open)Office shield [for soffice.bin] in 1021 (and earlier versions/builds).   I read that you had added protection for Libre Office in 1.08.x , but I hadn't actually noticed it until today's build:   My custom shield for (Open)Office "disappeared", and was replaced by the pre-defined shield for LibreOffice.    I'm sure it's an "even exchange" in terms of what's being protected.   Just wondering why I didn't notice it until today's 1023 build, if --- as is my understanding --- you started protecting LibreOffice in build 1016?   [Note:   I just double-checked on another system's 1021, which indeed still shows my (Open)Office but not your LibreOffice.]

[yardbird]

Build 1023 Premium, installed over the top, no issues at this time..will report any if any... thanks.... (Windows 7 (SP1) 

[pbust]

ky331, not sure what happened with your OpenOffice custom shield. Do you remember if the filename shielded as the same?

[sman]

Hi,

 

Updated to 1023 build and everything is fine..

 

Have a few general queries..

 

- Is 'plugin-container' protection only specific to FF, which is not the case with other browsers?

- To uninstall some AV's one has to do it in Safe mode only, while in case of MBAE, from taskbar it can be killed off, so on this would it not be safer to be in line with AV's?

 

Hope this helps...

[pbust]

Regarding plugin-container.exe, this is shielded by default. But it is not exclusive to Firefox. Some other Firefox-based browsers also use the same named plugin-container.exe.

 

As for uninstall, MBAE was designed as a first line of defense against exploit-based infection vectors. It is not designed to live in an infected system, while AV is. Still you need administrator privilege to unload/stop/uninstall MBAE.

[ky331]

pbust,

 

Yes, I had mentioned in my post (#84) above that the filename is the same --- soffice.bin --- for both OpenOffice and LibreOffice.   So I should still have the same protection as before, it appears to be just a name change for the shield.   The same phenomenon --- my custom OpenOffice shield being replaced by a pre-defined LibreOffice shield --- has likewise occurred on my Win8.1 and WinXP systems.

 

No issues on 8.1.  

 

As for XP, I'm getting some VBscripting engine blocks in IE, for example, at the Adobe Flash test page http://www.adobe.com/software/flash/about/; but IE8 on XP is running into other "aging" problems (NOT related to MBAE), so I doubt I'll be using it much more, meaning I don't know that it's worth it to pursue this (unless you have other people requesting  it).   I can always uncheck the VBscripting option, if I really need it... but I'll probably just stick to Firefox and/or PaleMoon in XP.

[pbust]

Got it, thanks! Yes its normal obviously for the default factory shield to overwrite the custom shield in this case.

 

As for VBScripting, this is a normal behavior with 1.08 as it enables the application hardening technique by default. It only applies to older IEs as newer IEs already have VBScripting disabled by default as Microsoft deprecated it some years ago.

[sman]

Hi,

 

Tks for your reply..

 

I checked with Palemoon x64 (though I rarely use it), and do not find ;'plugin-container'' shield for it in Process explorer.. Is it normal?

 

On the other aspect, I'm still not clear, if one were logged in as Admin, what happens?

 

Hope this helps..

[pbust]

Yes that's normal sman. Not all browsers use the same plugin-container.exe name and not all browsers have it running at all times, only when needed by the plugins.

 

As for MBAE behavior... with Admin you can do anything (start, stop, exclusions, shields, uninstall, etc.) whereas with a limited user account you can't do anything.

[Nix]

Nice v1.08 installed over the top... No problems so far Win7 x64!

[Fenderman]

Hi, all. Just loaded build 1023 on my Win7 system with Kaspersky Internet Security 2016 installed.

 

Can now open all browsers, although link loading seems a little slower. Otherwise, working well.

 

Kudos to all MalwareBytes staff !

[hake]

Just wondered if other XP users have encountered a file open conflict when attempting to install a later beta MBAE over a previous one.

[sman]

Hi,

 

Just a bit of paranoia that admin login would give privileges to an attacker to kill off MBAE and infect the system. Hope, it remains far fetched..

[ky331]

As part of my post #84 above, I reported:

 

I had deactivated the IE shield in 1021... the install of 1023 overrode that setting, and activated the IE shield again.   Was that intentional on your part, to re-activate any shields that the user had chosen to deactivate? 

 

That comment/question went unanswered.  

 

I now wish to add:    having deactivated the IE shield on 1023 on Win7x64, and rebooted (not sure if only once or several times), the IE shield was reactivated again.   That shouldn't be happening.   I will let you know if it continues to happen on subsequent reboots.

 

EDIT:   I just rebooted, as a test, and IE's shield has been reactivated yet again.   I don't consider this an "emergency"... but I will be reverting to a previous build until this issue is fixed.

[pbust]

Interesting, thanks for reporting this. Will repro and fix asap.

 

@hake, can you post a screenshot of what you are seeing?

[hake]

This only happened on one system.  I found that although the install was said to have rolled back that it left MBAE 1.08.1.1023 installed and working BUT was absent from Control Panel's Add or Remove Programs list.  It therefore seemed like a good idea to run the MBAE unins000.exe and I followed this with a registry clean by CCleaner and a fresh install.  I have since tried to replicate the behaviour but cannot get it to do a repeat performance.

 

No one else has reported this, I believe, so I am inclined to think that it's only my particular copy of XP that has temporarily exhibited the behaviour.

 

MBAE 1.08.1.1023 works well.

[pbust]

Build 1025 released. Download link updated in first post of this thread.

 

* Finetuning of fingerprinting detection technique

* Fix bug with default shield re-activating after boot

[hake]

Consequent on my previous post about an installation difficulty, MBAE beta 1.08.1.1025 installed without a hitch.  Nothing else to report.  It works.

[ky331]

Pedro,

 

I installed x.1025 on my Win7x64. Sure enough, the GUI showed that the Internet Explorer shield was deactivated:  the lock was showing as being UNlocked.  But when I opened IE, I immediately saw the balloon popup asserting that IE was being protected by MBAE!  And I confirmed this via Process Explorer.   Clearly a bug :-(

 

I tried activating and then deactivating the shield again to see what would happen. And then I noticed a stange listing [of shields] which included several BLANK shields (i.e., no names), all of which were deactivated!!!  Very weird. I tried activating and deactivating IE again, and things looked normal again.

 

I tried running IE, and it was again shielded (popup balloon + Process Explorer), even though the GUI again said it was deactivated.

 

So I decided to downgrade back to x.1021, by installing it over 1025... but apparently that's problematic. It asked me to reboot. And when I did, the MBAE icon wouldn't appear in my system tray.  I discovered I had TWO MBAE services installed, the second named "MalwareBytes Anti-Exploit Service 2".   At this point, I uninstalled MBAE x.1021, and rebooted.   The second service still "thought" it was there.   I reinstalled x.1021, and the second service finally disappeared.   And as best as I can tell, things are now finally back to normal (I sure hope so).