
MBAE 1.09.1.1130 Oddities


btmp

The first odd thing I noticed was after the initial install [without a previous version of MBAE already on the system] followed by a reboot. There wasn't an autorun entry created for the GUI. That was easy enough for me to add, though, but considering someone else had a problem with the service entry being created, it seems there is something around that part of the installer that's not quite right.

Another weird thing I noticed was that Palemoon-Portable.exe is (most of the time) being displayed in the log as winrar. Not a problem as it still seems to detect palemoon.exe itself properly, just odd.

Win7 x64

 


  • Staff

The first problem might be due to the installer being blocked by something else due to the low prevalence of this new installer. Try deleting the registry Run entry and re-installing to see if it gets created now.

As for the Palemoon/Winrar issue, can you please post or PM me your MBAE logs?

 


Tried the install on a VM with no other security. It didn't create the startup entry for the gui again so I'll attach the procmon log for you.

As for the palemoon-portable issue, I think it's because (I hadn't noticed) it was removed from the default list but it's getting forcibly injected via the template in sandboxie anyway though why it thinks it's winrar I have no clue. The cmd notifications aren't popping up anymore like they used to but I don't even have winrar! Not a biggy, I'll play with that one on my own till I figure it out for sure.

 

 

MBAE_Install.zip


I looked through the procmon log a bit myself, and while it shows the mbae-uninstaller.exe performing a RegQueryValue on HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Malwarebytes Anti-Exploit and the result is NAME NOT FOUND, at no point does it (or anything else) ever attempt to CREATE it.

I also found an interesting string for a service start which seems to be a list of the default rules [including some that aren't shown in the default list of the gui I suppose] and guess what....winrar is the first on the list. Could be a coincidence but I'm gonna throw out a guess that when the portable.exe was forced and mbae couldn't find a matching rule it might have been just using the first name it found from its list instead.

"C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe" /Start 0 "winrar.exe|winzip.exe|7z.exe|cmd.exe|winhlp32.exe|wscript.exe|quicktimeplayer.exe|winamp.exe|vlc.exe|mplayer2.exe|wmplayer.exe|powerpnt.exe|excel.exe|excelc.exe|winword.exe|winwordc.exe|soffice.bin|foxitreader.exe|foxit reader.exe|Foxit PhantomPDF.exe|FoxitPhantomPDF.exe|acrord32.exe|acrobat.exe|java.exe|javaw.exe|javaws.exe|dragon.exe|waterfox.exe|tor.exe|tbb-firefox.exe|palemoon.exe|cyberfox.exe|icedragon.exe|seamonkey.exe|maxthon.exe|mxapploader.exe|opera.exe|opera_plugin_wrapper.exe|opera_wrapper_32.exe|iexplore.exe|MicrosoftEdge.exe|MicrosoftEdgeCP.exe|chrome.exe|old_chrome.exe|firefox.exe|plugin-container.exe|FlashPlayerPlugin*.exe|helpctr.exe|mbae-test.exe"

No worries on that one though, this isn't the first weird thing I've encountered with the palemoon-portable.exe (or with mbae+sbie). For some reason on Windows 10, sbie can't start the -portable.exe under its protection properly and it auto-closes. For now I am no longer using the -portable.exe but instead pointing it to the profile via the shortcut to avoid these and other potential silly issues with the autoit palemoon-portable exe.
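The Procmon check described in the post above, as an added example that is not part of the original thread or of MBAE: it filters a Procmon CSV export for one registry value and reports whether anything ever tried to write it. The sample rows are constructed in Procmon's default CSV column layout (they are not taken from the attached log), and `setup-sample.exe` and `sampleapp.exe` are hypothetical process names.

```python
import csv
import io

# Registry value path quoted in the post above.
RUN_VALUE = (r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows"
             r"\CurrentVersion\Run\Malwarebytes Anti-Exploit")
WRITE_OPS = {"RegSetValue", "RegDeleteValue"}

# Constructed sample rows, default Procmon CSV columns (not the attached log).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","mbae-uninstaller.exe","2140","RegOpenKey","HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Read"
"10:01:02.1000500","mbae-uninstaller.exe","2140","RegQueryValue","HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Malwarebytes Anti-Exploit","NAME NOT FOUND","Length: 144"
"10:01:03.2000000","sampleapp.exe","2888","RegSetValue","HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SampleApp","SUCCESS","Type: REG_SZ"
"10:02:10.0000000","Explorer.EXE","1500","RegQueryValue","HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Malwarebytes Anti-Exploit","NAME NOT FOUND","Length: 12"
'''


def summarize_value_access(csv_text, value_path=RUN_VALUE):
    """Return the reads, writes and distinct results seen for one registry value."""
    target = value_path.lower()  # registry paths are case-insensitive
    reads, writes, results = [], [], set()
    # Procmon CSV exports may start with a BOM; strip it before parsing.
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        if row["Path"].lower() != target:
            continue  # other keys and values, e.g. the parent Run key
        event = (row["Process Name"], row["Operation"], row["Result"])
        (writes if row["Operation"] in WRITE_OPS else reads).append(event)
        results.add(row["Result"])
    return {"reads": reads, "writes": writes, "results": sorted(results)}


def never_written(summary):
    """True when the value was queried but no process tried to set or delete it."""
    return bool(summary["reads"]) and not summary["writes"]


if __name__ == "__main__":
    summary = summarize_value_access(SAMPLE_CSV)
    for proc, op, result in summary["reads"] + summary["writes"]:
        print(f"{proc:24} {op:16} {result}")
    print("value never written:", never_written(summary))
```

For a real export, read the file with `encoding="utf-8-sig"` and pass its text to `summarize_value_access`.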


I would like to bring up the fact that MBAE also does not delete the Startup registry key when you uninstall it either. If you go under Msconfig and Startup, MBAE is still on the list of startup applications after uninstalling it. If the user chooses not to continue using MBAE then they will not want that startup entry to remain.


9 hours ago, cutting_edgetech said:

I would like to bring up the fact that MBAE also does not delete the Startup registry key when you uninstall it either. If you go under Msconfig and Startup, MBAE is still on the list of startup applications after uninstalling it. If the user chooses not to continue using MBAE then they will not want that startup entry to remain.

Confirmed here, not something I normally test :P

