MBAE IE (and add-ons) Exploit Issue

[steelsox1]

I am perplexed on how to do an attachment from my computer using Office 365 in a browser from my home computer.

I am logged into my business account via the browser when at home and the default attachment options show my business OneDrive directory.  I had a screen shot of something I wanted to share, so I hit My Computer to select it and MBAE shutdown IE and I got the error message in the attached Jpeg.

Has anyone else experienced this?  If so, is there a way to stop it from happening?

I have a workaround, but the problem is I don't remember it the first time I get shut down and I have lost some of my email text as it happened before auto-save was done.  It's just annoying as IE has to be restarted and I have to login again, pull up the Draft and try to recompose what was lost and then do a drag and drop into the email...which seems to take a few attempts before it sticks.

I would rather report this as a bug, which I believe it to be, or change a setting if the bug has been figured out.  Thanks!

[John L. Galt]

Hi, @steelsox1, and

 

Under Settings --> Advanced Settings --> Application Hardening tab does it work if you uncheck Disable Internet Explorer VB Scripting

 

(Note:  You will need to uncheck, then click Apply, and finally reboot for the settings to take effect, and then you can test)

[steelsox1]

John, thank you for the warm welcome and advice.  You were darn close...Turns out I had to uncheck the 'Detection of Anti-Exploit fingerprinting attempts' for it to work.

I have 'Disable Internet Explorer VB Scripting' still checked, so I think it was the fingerprinting.  Thank you again, now I know where to dive deep in MBAE!

[John L. Galt]

You're very welcome.  Glad you figured it out, I took a stab in the dark after a lot of searching on the internet and finding a reference to that one setting causing an issue very similar to yours.

You've also armed us here with something to look at, both us volunteers, by helping us find a solution, as well as the developers, in finding a root cause, for this behavior.  So, Kudos to you!

[Shroz]

Hello. I'm an IT Sys Admin with 15 years experience. Today, I helped a neighbor fix his Malwarebytes Anti-Exploit pop-up error "Anti-Exploit fingerprinting attempt detected."  I recommend that you not disable 'Detection of anti-exploit fingerprinting attempts' located at Settings/Advanced Setting/Application Hardening/Browsers.  The Anti-Exploit software coders created that setting for a specific security reason. Staff Moderator pbust posted the correct fix on 20January2016. View his post below. 

A little background information.  My neighbor's Dell PC is running Windows 7 Pro SP1.  The PC has three up-to-date paid-for security software's installed (ESET nod32 antivirus, Malwarebytes Anti-Malware, Malwarebytes Anti-Exploit). Yesterday the PC user was browsing the Internet using the Mozilla firefox browser when he became infected with Pup.Optional.CrossRider.Generic .  The infection corrupted both of his browsers... Mozilla Firefox and Internet Explorer 11.  The PC user emails only through two webmail accounts (Gmail & Yahoo).  After the infection, the PC user was unable to send email attachments from either email account, nor from either browser. Instead receiving the pop-up message "Anti-Exploit fingerprinting attempt detected."  I scanned and quarantined the PUP infection via Malwarebytes Anti-Malware. I reset both browsers back to factory defaults. I restarted PC. At this point, the pc user could successfully send email attachments via Mozilla Firefox browser, but not via IE11 browser. In accordance with pbust's posted fix, there was an Anti-Exploit shortcut icon located on the PC's Desktop pointing to C:\PROGRAM FILES (X86)\MALWAREBYTES ANTI-EXPLOIT\MBAE.EXE and this was triggering the fingerprinting technique using web-mail via the IE11 browser (older versions of MBAE would create this Desktop shortcut during installation).  I deleted the MBAE icon desktop shortcut, then web-mail attachments worked perfectly again via IE11 browser. Read the pbust fix below. https://forums.malwarebytes.org/topic/177568-solved-anti-exploit-fingerprinting-attempt-detected/

[pbust]

Look for a shortcut on your Desktop pointing to MBAE and then delete it. That should take care of the false positive and you can re-enable the fingerprinting technique.

[John L. Galt]

@steelsox1 - Don't know if you're monitoring this, so I'm tagging you and will send you a PM tomorrow if you haven't returned.  The above solution should work for you without having to disable that setting.

[steelsox1]

5 minutes ago, John L. Galt said:

@steelsox1 - Don't know if you're monitoring this, so I'm tagging you and will send you a PM tomorrow if you haven't returned.  The above solution should work for you without having to disable that setting.

Thank you all, I am but I am traveling so I can't test this until I return home later this weekend.  I have an older laptop on me and that desktop icon is not causing an issue as that was done by a prior version of MBAE.  The office computer desktop icon was manually put there from me, so I will try this solution and report back.  Thanks again!

[steelsox1]

Ok, I am back in the office and I noticed I did not have a shortcut for MBAE on my work desktop.  So, I clicked Restore Defaults in the advanced settings and rebooted.  I seem to be okay now.  My guess is I messed around with another setting thinking "checking this is better protection", but I am still learning and must have caused the issue.

Thank you all for the great advice and for staying with this.  I am now back to normal protection levels and can do an attachment in my Office Web Access client without IE getting shutdown.  Be well.

[John L. Galt]

Good to hear.  If you have any further problems post back.