kieferschild

Anti-Exploit causes program crashes

6 posts in this topic

Good morning,

We have a couple of users at different companies who are using Malwarebytes with Symantec Endpoint Protection Cloud.

It seems that MBAE is causing Symantec extensions in web browsers and Outlook to crash, which in turn causes the program to crash.

Disabling MBAE seems to have stopped the problem but it's not a fix.

Thanks,


ID: 3   Posted (edited)

Hey Kieferschild,

 

Thank you for the logs. Just to confirm, can you make sure these are in Symantec? We don't want this to be because of our normal files:

  • C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
  • C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
  • C:\Program Files\Malwarebytes Anti-Exploit\mbae-cli.exe

For x64 installations:

  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe

Since it is crashing, do you know if these are creating memory dump files? If possible, can you use the instructions here to get one to generate on one of the processes that is crashing:

 

https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx?f=255&MSPPError=-2147217396

Edited by Rsullinger


Hi,

I have added the exclusions and enabled MBAE again. I will report back to you in a day or two.

 

Thanks,

 

K


Hi,

Symantec have also advised that I exclude the following:

 

  • C:\Program Files\Symantec.cloud\
  • C:\ProgramData\Norton\
  • C:\Windows\System32\drivers\NISx64\
  • C:\Windows\System32\drivers\NISx86\

I've added them under "Ignore List" - Do I need to add them anywhere for MBAE?

 


Hey Kieferschild,

 

For MBAE's ignore list, we only accept MD5s for the exclusion, and they only need to be inserted if a block occurs, to prevent it from occurring once more. We don't scan the file system directory with MBAE like with MBAM, so you wouldn't need to add those anywhere. We just monitor what tries to hook or interact with our protected processes.
