[SOLVED] MBAE detecting Spotify

[catscomputer]

I downloaded MBAE today and am using the premium trial version. I created a custom shield for Spotify, and initially set it to the profile "browsers" as per the FAQ. I got a pop up from MBAE upon launching Spotify as per the pic below saying it had blocked a malicious exploit.



I searched the forum re MBAE & Spotify and I found this post: https://forums.malwarebytes.org/index.php?/topic/170569-mbae-detecting-and-blocking-exploit-code-in-spotify/ > it would appear from the replies to the OP that this issue was resolved in version 1.07. I tried using "chrome browser" as per pbust's reply, but the problem still persists. I'm not sure if the block I am getting is the same as the poster in the other thread. It may be a completely separate issue. I find if I use "other" as a profile then Spotify launches OK (it is the only profile that allows Spotify to launch), but I'm worried that doing this is allowing an actual malicious process (i.e. not a FP / wrong choice of profile / conflict of some kind).

I hope I have done the logs and zip file right. I couldn't find anything called the "MBAE user data directory" as per the FAQ, so I just zipped up the entire contents of the MBAE folder on the file pathway provided. (NB I did unhide hidden folders). My system specs are all in my signature. Incidentally, Spotify.exe is located here: C:\Users\[name of my PC]\AppData\Roaming\Spotify\Spotify.exe - with every other app I made a custom shield for the relevant exe file to launch the programme is in either program files or program files(x86), could that different pathway have something to do with it?

Please could you advise if this is something to be concerned about, and if it is safe to use "other" profile in the custom shield for Spotify? Many thanks.


 

[pbust]

Try editing the shield and changing the profile to ChromeBrowser (since Spotify is based on Chromium).

 

Also I see from your sig you have Hitman Pro. Is this including the .Alert? If so, uninstall Hitman Pro as it might conflict with MBAE.

[catscomputer]

Hi, as I explained above I did try the "chrome browser profile" and it gave the same result. The "other" profile will allow Spotify to launch, but that is the only one that will. (I tried browsers, media player & then chrome browser after reading the post I linked to above).

 

I do have Hitman Pro but it is not in realtime (i.e. not HitmanPro Alert), It is an on-demand second opinion scanner which is not activated and uses no processes unless it is launched & running so I don't think it will be that causing this. I haven't run HMP in weeks.

 

So does that mean it isn't actually malicious, but just a conflict or wrong profile selection issue? Is Spotify safe to launch? Thanks.

 

EDIT - just tried Chrome broswer profile again and got the same result - MBAE blocks it.

[pbust]

Did you shield Spotify.exe itself or its child processes (they are called spotifywebhelper.exe or something along those lines). If you shielded spotify.exe it might throw an FP as it includes some self-protection and obfuscation. Try shielding the Spotify webhelper/helper child processes instead as those are the ones that are Internet-facing.

[catscomputer]

Yes I shielded spotify.exe. According to "properties" on the desktop shortcut for Spotify this is the process which launches spotify on the following path: C:\Users\[name of my PC]\AppData\Roaming\Spotify\Spotify.exe

 

Where would I find "Spotify webhelper/helper child processes"? May I take it that this block is a false positive then?

[pbust]

While you have Spotify running, check TaskManager or ProcessExplorer to see the names of the Spotify helper child processes.

 

I wouldn't call it an FP. It's more of a conflict between the two since Spotify uses aggressive memory obfuscation and other protection techniques. Although these techniques are mostly used by malware, sometimes media players use similar techniques for protection of digital rights. It is normal that these techniques conflict with advanced memory exploit mitigations.

[catscomputer]

Ah that explanation makes sense. Thanks. Phew! I was worried I'd been launching something malicious for all of this time before I downloaded MBAE! OK here is a snipping tool capture of my taskmanager:

 

 

Which process am I best to add?

 

In my AppData\Roaming\Spotify folder there is a process called SpotifyLauncher.exe too, but that doesn't appear to show in my taskmanager.

[pbust]

The one you want to shield is SpotifyWebHelper.exe with the ChromeBrowser profile.

 

I should add an FAQ just for Spotify

[catscomputer]

Yay we have lift off   SpotifyWebHelper.exe with the ChromeBrowser profile launches Spotify with no problems.

 

So this is a better/safer option than choosing Spotify.exe with the Other profile? Thanks.

[pbust]

Great!

 

Yes this is good enough as the WebHelper is the one that is Internet-facing.

 

You can add a "other" shield for Spotify.exe if you like, but that might be overkill. It's up to you.

[catscomputer]

I'll keep it as it is with ChromeBrowser Thanks pbust.

 

Spotify appears to be the only one of the many apps I have made a custom shield for to have had any sort of conflict /issue, so perhaps a dedicated FAQ for Spotify + MBAE would be a good idea.   Love the concept of this software, thanks so much!