siliconman01

New digital certificate on Test versions


Hi:

Until a staff member comes along....

If I understand your question correctly, the latest BETA build (1.09.1.1142) is posted HERE, with a special download link in that post.
(If you use NoScript, you'll need to (temporarily) allow box.com and boxcdn.net.)

The latest RELEASE build (1.08.1.2572), as always, is available from the product page download link HERE.

Cheers,

MM


I think what he meant was that the experimental builds of MBAE aren't working after the Win10 Anni update, just as the latest stable release wasn't up until the countersigned fix build was provided by pbust here: https://forums.malwarebytes.org/topic/186525-mbae-windows-10-au/#comment-1054724

And I would just like to confirm that I'm experiencing those same issues with the experimental builds - same as I did with the latest stable one before the hotfix. This included versions 1.09.1.1156, 1442 and 1440. It just basically doesn't load and after waiting for a couple of minutes a MBAE pop-up appears stating that it's taking too long to start and that you should reboot your PC. The event viewer error associated with this occurrence is the Event ID error 7000, indicating that the MBAE service couldn't start due to Windows being unable to verify the signature.

Kind regards

MBAE Beta version 1.09.1156 fails to load on Windows 10 x64 Build 14393.51 systems that have been fully reformatted and freshly installed when Build 14393 was released.  The failure is because of the digital signature issue.  So cannot test 1.09.1156 on these systems.


Test version 1.9.1.1156 re-downloaded on 25-Aug-2016.  It still fails with the Event ID 7000 error "The Malwarebytes Anti-Exploit service failed to start due to the following error: 
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source."


I'm using Windows 10 64bit version 1607 build 14904.100, and have just updated to 1156 and it seems to be working as normal.

4 minutes ago, henryg_1 said:

I'm using Windows 10 64bit version 1607 build 14904.100, and have just updated to 1156 and it seems to be working as normal.

Spoke too soon - while it installed ok, Firefox crashes on closing.


Something new to mention: I've just installed MBARW Beta 8 and it seems to be functioning fine in that there are no event id 7000 logs - with beta 7 there were, same as with these experimental MBAE builds.


Hey Hydropepon,

 

It seems the log I am trying to look at in the anti-exploit zip was corrupted somehow. Can you try grabbing them and attaching them again? If they were emailed to you, the file may have been stripped by an email filter.


Hello again, it was actually just a regular "attach file" upload and if the corrupted log that you're referring to is mbae-default.log then unfortunately I think I might be seeing the same gibberish. Here's another batch anyhow - this one's based on an upgraded installation (stable final to experimental).

Malwarebytes Anti-Exploit.zip


I've found something that may be of some use (maybe)... So basically if I install the latest experimental MBAE build while having digital signature verification disabled via startup settings and secure boot disabled via UEFI then MBAE installs and launches without any issues. However, if I try and launch MBAE with secure boot ON and digital signature verification OFF then I get the following pop-up (attached image) which I do not get if I have both the aforementioned settings on.

PCAmbae64sys.jpg


By this point it looks like I'm basically just spamming the thread, but there's just one more thing that I believe bears mentioning and that is that both of the experimental build mbae.sys and mbae64.sys files only have one digital signature - Malwarebytes Corporation. While the current stable release build sys files both have two digital signatures - one from Malwarebytes and the other one having "Microsoft Windows Hardware Compatibility Publisher" as the name signer. Also, all of the .exe and .dll files have those two aforementioned signatures - both in the experimental builds and the current stable release. Now, unless I'm missing something (and I very well might be) - it looks like the reason these experimental builds don't work for me is simply because the .sys files are missing the digital signatures from Microsoft.


I also have a theory about why this is happening. MBAE drivers are signed with sha1, which is considered insecure, and as of July, when build 14393 was compiled, it's no longer allowed in the kernel for binaries compiled after that date. If drivers with a sha1 signature are present on an upgrade with "keep everything", they are allowed for compatibility reasons. The latest version of MBAM still works because it was compiled during spring. But I am almost certain a new beta or stable release would suffer from the same issue under the same signing environment. Most vendors willing to keep XP support opted for a dual signature, sha1+sha256. This should no longer require the "Microsoft Windows Hardware Compatibility Publisher" signature, which I am concerned Microsoft may not want to provide for beta software, and judging by its name it looks like an interim fallback for corporations late on sha2 adoption. I wouldn't count on this to work for long.


Thanks for all the information and testing guys!

As a matter of fact it seems like the experimental build is not being correctly signed (using the old signing process).

We'll look into this one.

Thanks again for reporting!
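
The checks the posters describe above (find the Event ID 7000 signature failure, then look at who signed the .sys files), as an added PowerShell example that is not part of the original thread and is not Malwarebytes code. `$DriverDir` is a placeholder path, and step 3 runs only if `signtool.exe` from the Windows SDK is on PATH.

```powershell
# Added example, not code from the thread or from Malwarebytes.
# $DriverDir is a placeholder: set it to the folder that holds mbae.sys / mbae64.sys.
param([string]$DriverDir = 'C:\Path\To\DriverFolder')

# 1. Service Control Manager Event ID 7000 entries caused by a signature failure.
#    Win32 error 577 (ERROR_INVALID_IMAGE_HASH) is the "Windows cannot verify the
#    digital signature for this file" text quoted in the thread.
$filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { "$($_.Properties[1].Value)" -match '577' -or $_.Message -match 'digital signature' } |
    Select-Object TimeCreated, @{ Name = 'Service'; Expression = { $_.Properties[0].Value } } |
    Format-Table -AutoSize

# 2. Primary Authenticode signature of each driver file.
#    Get-AuthenticodeSignature reports only the primary signature, so a file with
#    two signatures still shows one signer here. CertSigAlg is the algorithm used
#    to sign the signer's certificate (for example sha1RSA or sha256RSA), not the
#    file digest algorithm.
$drivers = Get-ChildItem -Path $DriverDir -Filter *.sys -ErrorAction SilentlyContinue
foreach ($d in $drivers) {
    $sig = Get-AuthenticodeSignature -FilePath $d.FullName
    [pscustomobject]@{
        File        = $d.Name
        Status      = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        CertSigAlg  = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

# 3. If signtool.exe (Windows SDK) is on PATH, list every signature on the file
#    and evaluate it against the kernel-mode driver signing policy.
if (Get-Command signtool.exe -ErrorAction SilentlyContinue) {
    foreach ($d in $drivers) { & signtool.exe verify /kp /v /all $d.FullName }
}
```

Comparing the step 3 output for a driver that loads with one that does not shows the one-signature versus two-signature difference reported in the thread.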

 
