New digital certificate on Test versions

[siliconman01]

Can you provide downloads on the test version of MBAE with new digital certs like you did at the link ??

 

[daledoc1]

Hi:

Until a staff member comes along....

If I understand your question correctly, the latest BETA build (1.09.1.1142) is posted HERE, with a special download link in that post.
(If you use NoScript, you'll need to (temporarily) allow box.com and boxcdn.net.)

The latest RELEASE build (1.08.1.2572), as always, is available from the product page download link HERE.

Cheers,

MM

[hydropepon]

I think what he meant was that the experimental builds of MBAE aren't working after the Win10 Anni update, - just as the latest stable release wasn't up until the countersigned fix build was provided by pbust here: https://forums.malwarebytes.org/topic/186525-mbae-windows-10-au/#comment-1054724 

And I would just like to confirm that I'm experiencing those same issues with the experimental builds - same as I did with the latest stable one before the hotfix. This included versions 1.09.1.1156, 1442 and 1440. It just basically doesn`t load and after waiting for a couple of minutes a MBAE pop-up appears stating that it's taking too long to start and that you shoot reboot your PC.  The event viewer error associated with this occurrence is the Event ID error 7000: indicating that the MBAE service couldn't start due to Windows being unable to verify the signature.

Kind regards

 

 

 

[siliconman01]

MBAE Beta version 1.09.1156 fails to load on Windows 10 x64 Build 14393.51 systems that have been fully reformatted and freshly installed when Build 14393 was released.  The failure is because of the digital signature issue.  So cannot test 1.09.1156 on these systems.

[pbust]

Please re-download the latest version from our website.

[hydropepon]

What do you mean? As in we should use the stable release until this issue with the experimental builds is resolved?

[siliconman01]

Test version 1.9.1.1156 re-downloaded on 25-Aug-2016.  It still fails with the Event ID 7000 error "The Malwarebytes Anti-Exploit service failed to start due to the following error: 
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source."

[henryg_1]

I'm using Windows 10 64bit version 1607 build 14904.100, and have just updated to1156 and it seems to be working as normal.

[henryg_1]

4 minutes ago, henryg_1 said:

I'm using Windows 10 64bit version 1607 build 14904.100, and have just updated to1156 and it seems to be working as normal.

Spoke too soon - while it installed ok, Firefox crashes on closing.

[Rsullinger]

Hello All,

We just posted a new build on the sticky. Can you try that one and let us know if the issue still persists? 

[hydropepon]

Hey there,

I'm afraid it's still exhibiting the same issues on my end(fresh windows install).

Regards

[Rsullinger]

Hello Hydropepon,

 

I want to have you grab the logs since you are still experiencing this issue. Please use these instructions to collect them:

https://forums.malwarebytes.org/topic/144403-readme-first-posts-here-need-to-include-mbae-logs/

 

[hydropepon]

Hello, here are both the MBAE logs(fresh installation) and the FRST logs.

Addition.txt

FRST.txt

Malwarebytes Anti-Exploit.zip

[hydropepon]

Something new to mention: I've just installed MBARW Beta 8 and it seems to be functioning fine in that there are no event id 7000 logs - with beta 7 there were, same as with these experimental MBAE builds.

[Rsullinger]

Hey Hydropepon,

 

It seems the log I am trying to look at in the anti-exploit zip was corrupted some how. Can you try grabbing them and attaching them again? If they were emailed to you, the file may have been stripped by email filter. 

[hydropepon]

Hello again, it was actually just a regular "attach file" upload and if the corrupted log that you're referring to is mbae-default.log then unfortunately I think I might be seeing the same gibberish. Here's another batch anyhow - this one's based on an upgraded installation(stable final to experimental).

Malwarebytes Anti-Exploit.zip

[hydropepon]

Just tried 1.9.1.1180 and no difference unfortunately.

[hydropepon]

I've found something that may be of some use(maybe)... So basically if I install the latest experimental MBAE build while having digital signature verification disabled via startup settings and secure boot disabled via UEFI then MBAE installs and launches without any issues. However, if I try and launch MBAE with secure boot ON and digital signature verification OFF then I get the following pop-up(attached image) which I do not get if I have both the aforementioned settings on.

[hydropepon]

By this point it looks like I'm basically just spamming the thread, but there's just one more thing that I believe bears mentioning and that is that both of the experimental build mbae.sys and mbae64.sys files only have one digital signature - Malwarebytes Corporation. While the current stable release build sys files both have two digital signatures - one from Malwarebytes and the other one having "Microsoft Windows Hardware Compatibility Publisher" as the name signer. Also, all of the .exe and .dll files have those two aforementioned signatures - both in the experimental builds and the current stable release. Now, unless I'm missing something(and I very well might be) - it looks like the reason these experimental builds don't work for me is simply because the .sys files are missing the digital signatures from Microsoft.

[Rsullinger]

Hello Hydropepon,

 

That may be the case. Let me research something on my side and to see if I can reproduce this. 

[pal1000]

I also have a theory about why this is happening. MBAE drivers are signed with sha1 considered insecure and as of July when build 14393 was compiled it's no longer allowed in kernel for binaries compiled after that date. If drivers with sha1 signature are present on upgrade with keep everything they are allowed for compatibility reasons. Latest version of MBAM still works because it was compiled during spring. But I am almost certain a new beta or stable release would suffer from same issue under same signing environment. Most vendors willing to keep XP support opted for a dual signature sha1+sha256. This should no longer require the "Microsoft Windows Hardware Compatibility Publisher"  signature which I am concerned Microsoft may not want to provide for beta software and judging by its name it looks like an interim fallback for corporations late on sha2 adoption. I wouldn't count on this to work for long.

[pbust]

Thanks for all the information and testing guys!

As a matter of fact it seems like the experimental build is not being correctly signed (using the old signing process).

We'll look into this one.

Thanks again for reporting!