concern about log entry winrar is now protected

[ExpertNovice]

I do not use WinRar however, MBAE reports "winrar is now protected". 

At the time the following apps had open windows.

• IE11, one tab, at the following website https://feedback.techsmith.com/techsmith/topics/camtasia-9-freezes-at-exatly-1-1-of-generating-mp4?utm_source=notification&utm_medium=email&utm_campaign=new_topic&utm_content=topic_link
• four notepad files
• Five Excel 2016 workbooks that I created
• Outlook 2016
• one Windows Explorer opened to a non-system folder

I do not see winrar executing as a service, process, or application or in ProcessExplorer.  This thread http://www.wilderssecurity.com/threads/malwarebytes-anti-exploit.354641/page-58 mentioned an issue with WinRAR which adds to the concern.

Any suggestions on what might be running winrar or how to determine what is executing it?  Should I be concerned?   (My first guess is one of the protective apps being updated but I could not confirm using EventViewer.)

PS.  Only one infection on any computer from 1981 until now.  That was in 2006/2007 before I used protection.  Several scans MalewareBytes, Webroot, Emsisoft, & WindowsDefender find no infection.

Pertinent software
Webroot SecureAnywhere 9.0.13.62
Emsisoft Internet Security 12.0.1.6859
MBAE Premium 1.09.1.1235
Windows 10 Pro 64-bit

 

[btmp]

1.09 Oddities

Quote

I also found an interesting string for a service start which seems to be a list of the default rules [including some that aren't shown in the default list of the gui I suppose] and guess what....winrar is the first on the list. Could be a coincidence but I'm gonna throw out a guess that when the portable.exe was forced and mbae couldn't find a matching rule it might have been just using the first name it found from its list instead.

"C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe" /Start 0 "winrar.exe|winzip.exe|7z.exe|cmd.exe|winhlp32.exe|wscript.exe|quicktimeplayer.exe|winamp.exe|vlc.exe|mplayer2.exe|wmplayer.exe|powerpnt.exe|excel.exe|excelc.exe|winword.exe|winwordc.exe|soffice.bin|foxitreader.exe|foxit reader.exe|Foxit PhantomPDF.exe|FoxitPhantomPDF.exe|acrord32.exe|acrobat.exe|java.exe|javaw.exe|javaws.exe|dragon.exe|waterfox.exe|tor.exe|tbb-firefox.exe|palemoon.exe|cyberfox.exe|icedragon.exe|seamonkey.exe|maxthon.exe|mxapploader.exe|opera.exe|opera_plugin_wrapper.exe|opera_wrapper_32.exe|iexplore.exe|MicrosoftEdge.exe|MicrosoftEdgeCP.exe|chrome.exe|old_chrome.exe|firefox.exe|plugin-container.exe|FlashPlayerPlugin*.exe|helpctr.exe|mbae-test.exe"

So basically due to the 'dirty' InjectDll= done in the template, by using sandboxie itself to inject the MBAE dll, if MBAE doesn't find a matching rule it seems to go with whatever is the first entry. This used to be 'cmd.exe' but if a matching rule is found that will be used. As the sandboxie exes and other components or programs don't have rules in MBAE you will just see winrar instead for them.

Normally MBAE wouldn't inject into programs it doesn't have a rule for this isn't really a problem that can be 'fixed' but if MBAE were to begin properly injecting into sandboxie protected apps by itself then the those InjectDll lines could be removed and the issue would vanish. For now just ignore them as a minor side effect of the InjectDll=.

[ExpertNovice]

BTMP,

Thank you for responding.  That makes sense to me although I was unable to find those, or similar, rules.

More information found in the logs, although the timing discussed here is highly suspect.

After installing MBAE two alerts would be displayed "cmd is now protected" and "IE (...) is now protected".  At some point I found that Sandboxie needed the injection code in order to allow MBAE protection.  I'm guessing the insertion code was added on October 29 because at that time the two alerts changed to "IE (...) is now protecte" and "WinRAR is now protected".

cmd being protected didn't bother me a bit.  WinRAR bothered me a LOT.  (I'm thinking ransomware, WinRAR, and heap exploits...)

 

thanks again.

[btmp]

I'm confused by this comment:

Quote

although the timing discussed here is highly suspect.

 

The InjectDLL [eg insertion code] of the public Sandboxie template has been around for over a year so I wonder if this change of notification might actually be related to the point where a newer version of MBAE with this, new, added 'hidden' winrar rule went live ( and shifted cmd out of being the first in line) and you then saw the new alert?

Quote

I'm guessing the insertion code was added on October 29 because at that time the two alerts changed to "IE (...) is now protecte" and "WinRAR is now protected".

 

According to the posts here: https://www.wilderssecurity.com/threads/malwarebytes-anti-exploit.354641/page-134 it (the new version of MBAE) went stable on the 28th so if you updated it around the 29th it would explain it.

 

To avoid spamming your other thread

Quote

Now, get a life and quit responding to me!

/me cries

[btmp]

Sorry, failed to respond to this area:

Quote

Thank you for responding.  That makes sense to me although I was unable to find those, or similar, rules.

 

Those rules are part of the Sandboxie template released here and some tweaked hybrids you might see elsewhere such as Wilders or the Sandboxie forum and they'd ook something like this:

Quote

[Template_MBAE]
Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
OpenIpcPath=$:mbae-svc.exe
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll

 

The InjectDLL rules found in the template are the ones I was talking about and if already added per the 'default suggestion' could be found in the C:\Windows\Sandboxie.ini:

Quote

InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll