Jump to content

Recommended Posts

Hello All:
 
Ref: https://forums.malwarebytes.org/index.php?/topic/172363-mbae-108-beta-preview/page-2#entry987726

Despite postings here to the contrary, and to give Pedro yet another data point, I did install 1.08.1.1021 over the top of 1.08.1.1016 on my previously mentioned XP Home x86 SP3 testbed system in part because no Kaspersky products have ever been installed on that system.

 

I have reverted all settings in build 1021 to default and now that system's Opera 12.17.1863.0 browser along with Excel 10.0.6871.0 launch and operate normally while enjoying MBAE's protections.

 

As no other issues have been uncovered there, I'll let that system's build 1021 await another Beta Preview version even while it's kept off-line.

 

Thank you.

Link to post
Share on other sites

  • Replies 386
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Posted Images

With build 1023 on Win7x64, all seems stable in quick/preliminary testing.   Two comments:

 

1) I had deactivated the IE shield in 1021... the install of 1023 overrode that setting, and activated the IE shield again.   Was that intentional on your part, to re-activate any shields that the user had chosen to deactivate? 

 

2) I had a custom (Open)Office shield [for soffice.bin] in 1021 (and earlier versions/builds).   I read that you had added protection for Libre Office in 1.08.x , but I hadn't actually noticed it until today's build:   My custom shield for (Open)Office "disappeared", and was replaced by the pre-defined shield for LibreOffice.    I'm sure it's an "even exchange" in terms of what's being protected.   Just wondering why I didn't notice it until today's 1023 build, if --- as is my understanding --- you started protecting LibreOffice in build 1016?   [Note:   I just double-checked on another system's 1021, which indeed still shows my (Open)Office but not your LibreOffice.]

Link to post
Share on other sites

Hi,

 

Updated to 1023 build and everything is fine..

 

Have a few general queries..

 

- Is 'plugin-container' protection only specific to FF, which is not the case with other browsers?

- To uninstall some AV's one has to do it in Safe mode only, while in case of MBAE, from taskbar it can be killed off, so on this would it not be safer to be in line with AV's?

 

Hope this helps...

Link to post
Share on other sites

  • Staff

Regarding plugin-container.exe, this is shielded by default. But it is not exclusive to Firefox. Some other Firefox-based browsers also use the same named plugin-container.exe.

 

As for uninstall, MBAE was designed as a first line of defense against exploit-based infection vectors. It is not designed to live in an infected system, while AV is. Still you need administrator privilege to unload/stop/uninstall MBAE.

Link to post
Share on other sites

pbust,

 

Yes, I had mentioned in my post (#84) above that the filename is the same --- soffice.bin --- for both OpenOffice and LibreOffice.   So I should still have the same protection as before, it appears to be just a name change for the shield.   The same phenomenon --- my custom OpenOffice shield being replaced by a pre-defined LibreOffice shield --- has likewise occurred on my Win8.1 and WinXP systems.

 

No issues on 8.1.  

 

As for XP, I'm getting some VBscripting engine blocks in IE, for example, at the Adobe Flash test page http://www.adobe.com/software/flash/about/; but IE8 on XP is running into other "aging" problems (NOT related to MBAE), so I doubt I'll be using it much more, meaning I don't know that it's worth it to pursue this (unless you have other people requesting  it).   I can always uncheck the VBscripting option, if I really need it... but I'll probably just stick to Firefox and/or PaleMoon in XP.

Link to post
Share on other sites

  • Staff

Got it, thanks! Yes its normal obviously for the default factory shield to overwrite the custom shield in this case.

 

As for VBScripting, this is a normal behavior with 1.08 as it enables the application hardening technique by default. It only applies to older IEs as newer IEs already have VBScripting disabled by default as Microsoft deprecated it some years ago.

Link to post
Share on other sites

Hi,

 

Tks for your reply..

 

I checked with Palemoon x64 (though I rarely use it), and do not find ;'plugin-container'' shield for it in Process explorer.. Is it normal?

 

On the other aspect, I'm still not clear, if one were logged in as Admin, what happens?

 

Hope this helps..

Link to post
Share on other sites

  • Staff

Yes that's normal sman. Not all browsers use the same plugin-container.exe name and not all browsers have it running at all times, only when needed by the plugins.

 

As for MBAE behavior... with Admin you can do anything (start, stop, exclusions, shields, uninstall, etc.) whereas with a limited user account you can't do anything.

Link to post
Share on other sites

As part of my post #84 above, I reported:

 

I had deactivated the IE shield in 1021... the install of 1023 overrode that setting, and activated the IE shield again.   Was that intentional on your part, to re-activate any shields that the user had chosen to deactivate? 

 

That comment/question went unanswered.  

 

I now wish to add:    having deactivated the IE shield on 1023 on Win7x64, and rebooted (not sure if only once or several times), the IE shield was reactivated again.   That shouldn't be happening.   I will let you know if it continues to happen on subsequent reboots.

 

EDIT:   I just rebooted, as a test, and IE's shield has been reactivated yet again.   I don't consider this an "emergency"... but I will be reverting to a previous build until this issue is fixed.

Link to post
Share on other sites

This only happened on one system.  I found that although the install was said to have rolled back that it left MBAE 1.08.1.1023 installed and working BUT was absent from Control Panel's Add or Remove Programs list.  It therefore seemed like a good idea to run the MBAE unins000.exe and I followed this with a registry clean by CCleaner and a fresh install.  I have since tried to replicate the behaviour but cannot get it to do a repeat performance.

 

No one else has reported this, I believe, so I am inclined to think that it's only my particular copy of XP that has temporarily exhibited the behaviour.

 

MBAE 1.08.1.1023 works well.

Link to post
Share on other sites

Pedro,

 

I installed x.1025 on my Win7x64. Sure enough, the GUI showed that the Internet Explorer shield was deactivated:  the lock was showing as being UNlocked.  But when I opened IE, I immediately saw the balloon popup asserting that IE was being protected by MBAE!  And I confirmed this via Process Explorer.   Clearly a bug :-(

 

I tried activating and then deactivating the shield again to see what would happen. And then I noticed a stange listing [of shields] which included several BLANK shields (i.e., no names), all of which were deactivated!!!  Very weird. I tried activating and deactivating IE again, and things looked normal again.

 

I tried running IE, and it was again shielded (popup balloon + Process Explorer), even though the GUI again said it was deactivated.

 

So I decided to downgrade back to x.1021, by installing it over 1025... but apparently that's problematic. It asked me to reboot. And when I did, the MBAE icon wouldn't appear in my system tray.  I discovered I had TWO MBAE services installed, the second named "MalwareBytes Anti-Exploit Service 2".   At this point, I uninstalled MBAE x.1021, and rebooted.   The second service still "thought" it was there.   I reinstalled x.1021, and the second service finally disappeared.   And as best as I can tell, things are now finally back to normal (I sure hope so).

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.