Malwarebytes 3.0.6 kills Fritz.Fax CAPI2.0



Since Malwarebytes updated to 3.0.6 I can use my Fritz.Fax (together with my Fritz-Box DSL Router) only if I close Malwarebytes.

When Malwarebytes is running I get an error that the Capi 2.0 Driver is not installed (which is not true). So I tried to exclude the Fritz.Fax folder etc. from the Malwarebytes checks, but still no luck. Malwarebytes is somehow blocking the Capi Driver from loading/running and this breaks my fax software Fritz.Fax.

Any idea why this happens and what to do about it?

FritzFax/FritzBox is a brand of www.avm.de. They do routers etc. and are widespread in Germany.

 

Regards,

Stephan

common-api-error.jpg


Thanks for the report. Let's first try gathering some information:

  1. Open up Malwarebytes 3.x
  2. Navigate to Settings -> Application
  3. Turn on the Event Log Data option
  4. Attempt to start Fritz.Fax and click on the error box
  5. Open up Malwarebytes 3.x
  6. Navigate to Settings -> Application
  7. Turn off the Event Log Data option
  8. Navigate to C:\ProgramData\Malwarebytes\MBAMService
    • Note that the ProgramData folder may be hidden. If so you'll need to type the path manually or turn on the option to show hidden files/folders
  9. Right click the logs folder and choose Send to -> Compressed (Zipped) folder
    • This will create a log file named logs.zip on your desktop
  10. Upload the logs.zip file to your reply

After that, can you try turning off the Web Protection option under Settings -> Protection and see if that helps?


Darn, nothing jumps out there. Let's try a few more steps.

Please open up Malwarebytes 3 and go to Settings -> Protection. Please try disabling one protection at a time and checking if your application works. For example:

  1. Disable Ransomware Protection
  2. Try FritzFax
  3. If it fails, disable Exploit Protection
  4. Try FritzFax
  5. If it still fails, disable Malware Protection
  6. Try FritzFax
  7. If it still fails, disable Web Protection (which you already tried)
  8. Try FritzFax
  9. If it still fails, disable Self Protection
  10. Try FritzFax

I realize it's a lot of steps, but hopefully we can rule out what's going on.


Ransomware Protection off seems to solve the problem, but how can I now make an exception for fritz.fax and keep Ransomware Protection on?

Sure, as a workaround I could turn Ransomware Protection off, set fritz.box Capi off and on again and start Fritz.fax, send my fax and turn Ransomware Protection back on again, but that's not really handy.


This is hard to track down because apparently you can't install the FritzFax software without having a FritzBox (which I don't have). Let's try something a bit more advanced.

  1. Download ProcMon from the following URL: https://live.sysinternals.com/procmon.exe
  2. Make sure Ransomware Protection is turned on
  3. Launch ProcMon
  4. Try to start FritzFax
  5. Stop ProcMon by clicking the magnifying glass
  6. Click the save button and save the PML file to your desktop
  7. Upload the PML here. If it's too large, you can go to http://wetransfer.com and email the file to dcollins@malwarebytes.com

I guess the problem is not fritz.fax itself but the CAPI over TCP. Since there are fewer and fewer ISDN lines and everything is going through VoIP connections, the CAPI works over TCP now. Maybe that triggers some protection mechanism in mwb3.

PML file has been sent as a forum message.


Can you grab the following file and upload it?

C:\Users\stevang\AppData\Local\FRITZ!\FritzFax.Log

Note that the AppData folder may be hidden, so you may need to type the path in manually or turn on showing hidden files/folders.

After doing that, can you try excluding the entire C: drive from ransomware and see if the program works? This obviously isn't a good long term workaround, but it might give us some more information


21.03.17 23:02:04 FRITZ!fax
21.03.17 23:02:04 Version 3.07.61 
21.03.17 23:02:04 ComDir = C:\Users\stevang\AppData\Roaming\FRITZ!\Fax
21.03.17 23:02:04 Nebenstelle = 0
21.03.17 23:02:04 Amtsholung = 0
21.03.17 23:02:04 Amtziffern = 4
21.03.17 23:02:04 MSN = xxxxxxx
21.03.17 23:02:04 Annahmeverzögerung = 0
21.03.17 23:02:04 Wiederholungen = 0
21.03.17 23:02:04 Pause = 1
21.03.17 23:02:04 Ausdruck einkommender Faxe = 0
21.03.17 23:02:04 Kopfzeile = FRITZ!fax via ISDN
21.03.17 23:02:04 Teilnehmerkennung = +49 xxx xxxxxxx
21.03.17 23:02:06 Anzahl der Controller = 0
21.03.17 23:02:06 FRITZ!Box: ISDN = 0, Analog = 0, Internet = 0
21.03.17 23:02:06 Anzahl der Controller = 0
21.03.17 23:02:06 FRITZ!Box: ISDN = 0, Analog = 0, Internet = 0
21.03.17 23:02:06 CApplicom[1]::InitIsdn(pWnd 0x3EAE0)
21.03.17 23:02:06 NumberOfController: 0
21.03.17 23:02:06 Controller: -3 -> 1
21.03.17 23:02:06 m_pIsdn->Register = 0x1009
21.03.17 23:02:06 CApplicom[2]::InitIsdn(pWnd 0x3EAE0)
21.03.17 23:02:06 NumberOfController: 0
21.03.17 23:02:06 Controller: -3 -> 1
21.03.17 23:02:06 m_pIsdn->Register = 0x1009

 

And well, excluding C: didn't change anything :( so excluding files seems not to be a solution.


Is that the whole contents of the log or just a snippet?

Can you follow the instructions below again, but this time note that Ransomware protection is turned off. Hopefully we'll see a difference between the two and it will give us an idea of what's going on

  1. Download ProcMon from the following URL: https://live.sysinternals.com/procmon.exe
  2. Make sure Ransomware Protection is turned off
  3. Launch ProcMon
  4. Try to start FritzFax
  5. Stop ProcMon by clicking the magnifying glass
  6. Click the save button and save the PML file to your desktop
  7. Upload the PML here. If it's too large, you can go to http://wetransfer.com and email the file to dcollins@malwarebytes.com

Also, make sure to remove the exclusion for the whole C: drive as we no longer need that. And can you also upload the new C:\Users\stevang\AppData\Local\FRITZ!\FritzFax.Log file from when the program launches successfully?


21.03.17 23:23:46 FRITZ!fax
21.03.17 23:23:46 Version 3.07.61 
21.03.17 23:23:46 ComDir = C:\Users\xxxxx\AppData\Roaming\FRITZ!\Fax
21.03.17 23:23:46 Nebenstelle = 0
21.03.17 23:23:46 Amtsholung = 0
21.03.17 23:23:46 Amtziffern = 4
21.03.17 23:23:46 MSN = xxxxxxx
21.03.17 23:23:46 Annahmeverzögerung = 0
21.03.17 23:23:46 Wiederholungen = 0
21.03.17 23:23:46 Pause = 1
21.03.17 23:23:46 Ausdruck einkommender Faxe = 0
21.03.17 23:23:46 Kopfzeile = FRITZ!fax via ISDN
21.03.17 23:23:46 Teilnehmerkennung = +49 xxx xxxxxxx
21.03.17 23:23:46 Anzahl der Controller = 5
21.03.17 23:23:46 CAPI-Profile Protokollmaske(5) = 0x8000
21.03.17 23:23:46 CAPI-Profile Protokollmaske(5) = 0x8000
21.03.17 23:23:46 CAPI-Profile Protokollmaske(4) = 0x4000
21.03.17 23:23:46 FRITZ!Box: ISDN = 1, Analog = 4, Internet = 5
21.03.17 23:23:46 Anzahl der Controller = 5
21.03.17 23:23:46 CAPI-Profile Protokollmaske(5) = 0x8000
21.03.17 23:23:46 CAPI-Profile Protokollmaske(5) = 0x8000
21.03.17 23:23:46 CAPI-Profile Protokollmaske(4) = 0x4000
21.03.17 23:23:46 FRITZ!Box: ISDN = 1, Analog = 4, Internet = 5
21.03.17 23:23:46 CApplicom[1]::InitIsdn(pWnd 0x36EAE0)
21.03.17 23:23:46 NumberOfController: 5
21.03.17 23:23:46 Controller: -3 -> 5
21.03.17 23:23:46 m_pIsdn AppId = 7
21.03.17 23:23:46 Profileabfrage(): G3 = 0 G3Ext = 0
21.03.17 23:23:46 CAPI Hersteller:   AVM Berlin
21.03.17 23:23:46 CAPI Version:      2.0  (3.11.07)
21.03.17 23:23:46 CAPI Seriennummer: 0004711
21.03.17 23:23:46 Empfangsbereitschaft aktiviert
21.03.17 23:23:46 CApplicom[2]::InitIsdn(pWnd 0x36EAE0)
21.03.17 23:23:46 NumberOfController: 5
21.03.17 23:23:46 Controller: -3 -> 5
21.03.17 23:23:46 m_pIsdn AppId = 8
21.03.17 23:23:46 Profileabfrage(): G3 = 0 G3Ext = 0
21.03.17 23:23:46 Empfangsbereitschaft aktiviert

PML file has been sent as a forum message.

C: exclusion has been removed again

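The two FritzFax.Log startups posted above differ in exactly the CAPI fields, and that comparison can be scripted. This is an added example, not part of the original thread and not AVM or Malwarebytes code; the function names are hypothetical, and treating a logged `m_pIsdn->Register` code as a failed registration is an assumption drawn from these two logs (0x1009 is the CAPI 2.0 "not installed" registration error, which matches the dialog reported in the first post).

```python
import re

# Line shape seen in the posted logs: "DD.MM.YY HH:MM:SS message"
LINE = re.compile(r"^\d{2}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} (?P<msg>.*)$")
CONTROLLERS = re.compile(r"^Anzahl der Controller = (\d+)$")
REGISTER = re.compile(r"^m_pIsdn->Register = (0x[0-9A-Fa-f]+)$")
APP_ID = re.compile(r"^m_pIsdn AppId = (\d+)$")
READY = "Empfangsbereitschaft aktiviert"  # "ready to receive" line

def summarize(log_text):
    """Collect the CAPI-related fields from one FritzFax.Log startup."""
    s = {"controllers": 0, "register_codes": [], "app_ids": [], "ready": 0}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines
        msg = m.group("msg").strip()
        if (c := CONTROLLERS.match(msg)):
            s["controllers"] = max(s["controllers"], int(c.group(1)))
        elif (r := REGISTER.match(msg)):
            s["register_codes"].append(r.group(1).lower())
        elif (a := APP_ID.match(msg)):
            s["app_ids"].append(int(a.group(1)))
        elif msg == READY:
            s["ready"] += 1
    return s

def capi_ok(summary):
    """Assumed healthy start: controllers found, AppId issued, no Register code."""
    return (summary["controllers"] > 0 and bool(summary["app_ids"])
            and not summary["register_codes"])

# Abridged from the two logs posted in this thread.
BLOCKED = """\
21.03.17 23:02:06 Anzahl der Controller = 0
21.03.17 23:02:06 FRITZ!Box: ISDN = 0, Analog = 0, Internet = 0
21.03.17 23:02:06 CApplicom[1]::InitIsdn(pWnd 0x3EAE0)
21.03.17 23:02:06 m_pIsdn->Register = 0x1009
"""
WORKING = """\
21.03.17 23:23:46 Anzahl der Controller = 5
21.03.17 23:23:46 FRITZ!Box: ISDN = 1, Analog = 4, Internet = 5
21.03.17 23:23:46 m_pIsdn AppId = 7
21.03.17 23:23:46 Empfangsbereitschaft aktiviert
"""

if __name__ == "__main__":
    for name, text in (("blocked", BLOCKED), ("working", WORKING)):
        s = summarize(text)
        print(name, "OK" if capi_ok(s) else "CAPI init failed", s)
```
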

Ok, a few more things to try while I keep researching. First off, can you try the steps outlined in this blog post around the registry: https://edvtraining.wordpress.com/2013/12/07/fritzfax-common-isdn-api-ver-2-0-nicht-installiert/

Also, would you mind testing by removing MB3 and installing the standalone version of ARW from here: https://malwarebytes.box.com/s/znlajk1tlmzbm2x3vb4enkik7lreqxd9

One last question, you mention this started with 3.0.6, did you have 3.0.5 before at all, or was this directly from 2.x to 3.0.6?


I came from before mwb3, 2.something.

The capi error on Fritz.fax startup is gone after editing the registry and adding FoundFritzBoxes="XXX.XXX.XXX.XXX" (xxx replaced with the fritz.box IP) according to the blog post. Still strange that this was no problem without mwb3.

I'm still curious if the fax really works or if the software has been fooled by giving it the fritz.box location via registry. I have no fax to send right now. Do you have a fax nr? :)


Ok, I was able to send a quick fax. It is all looking good again! Removed the exclusions as well and it is still working.
So, the capi-over-tcp is looking for the fritz.box IP on the network and fails to locate the fritz.box due to mwb3 ransom protection.
After telling the capi via regedit where the fritz.box is located IP-wise, the problem is solved because the capi does not need to search for the fritz.box and does not trigger the mwb3 protection anymore.

Thanks for your time! I hope it helps other people with Fritz.Fax and MWB3 as well!

:D
