tribeca

***URGENT*** MBAE*** Multiple alerts


Hi,

Throughout yesterday (27/01/2016) and today we have been getting a large number of alerts. They are specifically two types of alerts. It only seemed to affect users using IE.

28/01/2016 14:40:51        WKS11        192.168.1.1        Exploit memory HeapSpray attempt blocked        BLOCK

28/01/2016 14:23:28        LAP19        192.168.1.2       Exploit attempt to bypass ASLR blocked        BLOCK

Looking on your forums, coincidentally there are two threads from yesterday which reported the same issue:

https://forums.malwarebytes.org/index.php?/topic/177952-getting-exploit-attempt-to-bypass-aslr-blocked-and-exploit-memory-heapspray-attempt/

https://forums.malwarebytes.org/index.php?/topic/177931-multiple-exploit-blocks/

This had a large impact on productivity as users were unable to access certain parts of websites etc.



Do you have BitDefender installed by any chance?

 

It seems they updated their software recently and it causes a conflict.


Please provide MBAE and FRST logs. Instructions in my signature.

 

In the meantime you can deactivate these techniques:

 

Console -> Policy -> Anti-Exploit -> Advanced -> Hardening -> Deactivate Anti-HeapSpraying

Console -> Policy -> Anti-Exploit -> Advanced -> Hardening -> Deactivate BottomUp ASLR


Yes - We also run Bitdefender.

 

Sorry, I cannot get the logs over to you at the moment as the users are extremely busy.


I ended up editing my policy to not watch for those issues. I ended up unchecking the two boxes for Browser. This stopped the alerts to the users. Not sure if this is the recommended way, but it works. Go to the Anti-Exploit tab, choose advanced, then uncheck "DEP enforcement" and uncheck "Anti Heapspraying".

 



Morning,

 

I have left MBAE turned off since. I will install the new build now.

Can we have an official statement please, as I need to pass this on to a client.


Yes, of course.

 

BitDefender recently released an upgrade to their clients. The upgrade contains a bug in one of its modules that causes the conflict and triggers the detection. The component is the following:

C:\Program Files\Bitdefender\Antivirus Free Edition\avc3\avc3_sig_336\avcuf32.dll
