Jump to content

Recommended Posts

This morning I received an anti-exploit alert with "File/Process Blocked" and "Attacking URL" both saying  "N/A."  

Specifically, the alert says it's "Internet Explorer (and add-ons)," Protection Layer: "Application Hardening," and Protection Technique: "Exploit blocked by Anti-HeapSpray Enforcement".

I would like to know the root cause, as I have not recently updated any software on the computer (at least knowingly) and was running standard tests mostly against internal (intranet) sites, so I am posting my MBAE logs as recommended.

Thanks in advance for your help.

Malwarebytes Anti-Exploit.zip

Share this post


Link to post
Share on other sites

Kept getting "upload failed" when trying to attach the screens shot of the MBAE popup (png format), so will abandon that effort.  All the relevant details are described in the text of the original post anyway.

Share this post


Link to post
Share on other sites

Uploading image as JPG instead of PNG as Dave suggests (although the file attachment tool says says PNG files are an accepted file type).

Thanks Dave

MBAE_Popup.jpg

Share this post


Link to post
Share on other sites

Hello DBADoug,

 

This looks like a conflict with some program on the computer. This looks eerily similar to an issue in the past with Comodo. Can you go to this link and collect the logs for FRST:

https://forums.malwarebytes.org/topic/144403-readme-first-posts-here-need-to-include-mbae-logs/

I want to confirm if there is any known conflicts. You can also check them out by looking at this link:

https://forums.malwarebytes.org/topic/151933-known-issues-conflicts/

 

Also, are you able to reproduce this alert or was it a one time thing during the startup? I may need to have you collect another set of logs for more troubleshooting but we will need to reproduce the issue. 

Share this post


Link to post
Share on other sites

Hi Ron,

From taking a look at the Known Issues & Conflicts page, I'm now fairly well convinced that the likely cause of the alert is related to the known issue having to do with Silverlight upgrades.  Although I wasn't accessing Netflix, I was accessing a custom web site we developed that just underwent an Silverlight upgrade.  I have not been able to reproduce the alert - it happened just the one time and I've accessed the same site multiple times since then.

Unless I get more alerts, I am going to assume this was the cause.

I do appreciate your response and the help of others on the forum.

Thanks,

Doug

Share this post


Link to post
Share on other sites

I know this is "old" but I just received the same error.

Silverlight is not installed on my computer.  There were only three webpages being accessed.  (links broken)

  • Tab 1: www,google,com,
  • Tab 2: forums,androidcentral,com,
  • Tab 3: www,pcworld,com  (active tab)

As with the OP there is no information so I have no idea how dangerous the PC World website should be considered or even what the exploit is.  The logs are encrypted so they are of no help.

It is my suggestion this keeps us from making reasonable determinations.  In this case, I have simply crossed off PC World as being too dangerous.  That seems unreasonable but MBAE says it is dangerous.

Another thread suggests we have to send logs to Malwarebytes to find out what is going on which could keep Malwarebytes very busy if we all did that!

PS.  I'm using a trial version to determine if it should be added to my other security layers.  My inclination is yes but lack of information is a drawback.

Share this post


Link to post
Share on other sites

Can't figure out how to edit the previous post.  I now see how difficult, and dangerous, it would be to be more explicit in the information given about a blocked attempt.  Also, I have an ASUS which seems to have been involved with many issues.

Share this post


Link to post
Share on other sites

ExpertNovice - I just wanted to point out that the suspected Silverlight issue did no have to do with it being installed on my computer but rather that a Silverlight upgrade had been performed on the site I was accessing.

That said, I'm no longer convinced that was the true (or only) cause.  One would expect the Silverlight upgrade to produce the Anti-Exploit alert once, the first time the upgraded site was accessed.  However, I continue to have intermittent occurrences of the Anit-Exploit alert.  My network admin and I are now beginning to think it is a conflict with other security packages, namely System Center Endpoint Protection (SCEP) in our case.  The Anti-Exploit alerts only occur when I'm running my automated tests (which access mostly internal intranet web sites) AND when a SCEP security scan is running at the same time.  Yet it doesn't happen every time, so we're thinking it must also have to do with the timing of which local cache files are being accessed by SCEP and/or Internet Explorer, potentially causing a conflict and triggering the Anti-Exploit alert.

At any rate, the behavior is seemingly inconsistent, but we are confident there is no true exploit occurring and believe it is likely just a conflict between security products.  Just wanted to mention that since you said you are evaluating MWB to see if it should be added to already-existing security layers.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.