kieferschild

Anti-Exploit causes program crashes

Good morning,

We have a couple of users at different companies who are using Malwarebytes with Symantec Endpoint Protection Cloud.

It seems that MBAE is causing Symantec extensions in web browsers and Outlook to crash, which in turn causes the program to crash.

Disabling MBAE seems to have stopped the problem but it's not a fix.

Thanks,


Hey Kieferschild,

Thank you for the logs. Just to confirm, can you make sure these are in Symantec? We don't want this to be because of our normal files:

  • C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
  • C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
  • C:\Program Files\Malwarebytes Anti-Exploit\mbae-cli.exe

For x64 installations:

  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
  • C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe

Since it is crashing, do you know if these are creating memory dump files? If possible, can you use the instructions here to get one to generate on one of the processes that is crashing:

https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx?f=255&MSPPError=-2147217396

Edited by Rsullinger


Hi,

Symantec have also advised that I exclude the following:

  • C:\Program Files\Symantec.cloud\
  • C:\ProgramData\Norton\
  • C:\Windows\System32\drivers\NISx64\
  • C:\Windows\System32\drivers\NISx86\

I've added them under "Ignore List" - Do I need to add them anywhere for MBAE?

 


Hey Kieferschild,

For mbae's ignore list, we only accept MD5s for the exclusion, and they only need to be inserted if a block occurs, to prevent it from occurring once more. We don't scan the file system directory with mbae like with MBAM, so you wouldn't need to add those anywhere. We just monitor what tries to hook or interact with our protected processes.
