stevang, posted March 21, 2017 (ID:1110324)

Since Malwarebytes updated to 3.0.6 I can use my Fritz.Fax (together with my Fritz-Box DSL router) only if I close Malwarebytes. When Malwarebytes is running I get an error that the CAPI 2.0 driver is not installed (which is not true).

So I tried to exclude the Fritz.Fax folder etc. from the Malwarebytes checks, but still no luck. Malwarebytes is somehow blocking the CAPI driver from loading/running and this breaks my fax software Fritz.Fax.

Any idea why this happens and what to do about it?

FritzFax / FritzBox is a brand of www.avm.de. They do routers etc. and are widespread in Germany.

Regards,
Stephan

dcollins, posted March 21, 2017 (ID:1110349)

Thanks for the report. Let's first try gathering some information:

1. Open up Malwarebytes 3.x
2. Navigate to Settings -> Application
3. Turn on the Event Log Data option
4. Attempt to start Fritz.Fax and click on the error box
5. Open up Malwarebytes 3.x
6. Navigate to Settings -> Application
7. Turn off the Event Log Data option
8. Navigate to C:\ProgramData\Malwarebytes\MBAMService
   Note that the ProgramData folder may be hidden. If so you'll need to type the path manually or turn on the option to show hidden files/folders
9. Right click the logs folder and choose Send to -> Compressed (Zipped) folder
   This will create a log file named logs.zip on your desktop
10. Upload the logs.zip file to your reply

After that, can you try turning off the Web Protection option under Settings -> Protection and see if that helps?

stevang, posted March 21, 2017 (ID:1110376)

Turning off Web Protection did not help.

Attachment: logs.zip

dcollins, posted March 21, 2017 (ID:1110390)

There are files missing from that logs zip. Can you open up the C:\ProgramData\Malwarebytes\MBAMService\logs folder and see if a file named mbamservice.log exists? There may be other mbamservice.BK1, .BK2, etc. files as well.

stevang, posted March 21, 2017 (ID:1110395)

I thought I'd remove the logs first, before I reproduce the error with detailed logs turned on, but it seems 7zip left out that file you are looking for anyway. So once again (password protected file, password via forum message).

Attachment: logs.zip

dcollins, posted March 21, 2017 (ID:1110399)

Ok, those logs don't have the debug logging turned on. Can you please follow those steps I posted above (you can leave the current logs there, it won't hurt anything) and then reupload the logs.zip file?

stevang, posted March 21, 2017 (ID:1110405)

Ok, same password.

Attachment: logs.zip

dcollins, posted March 21, 2017 (ID:1110412)

Darn, nothing jumps out there. Let's try a few more steps. Please open up Malwarebytes 3 and go to Settings -> Protection. Please try disabling one protection at a time and checking if your application works. For example:

1. Disable Ransomware Protection
2. Try FritzFax
3. If it fails, disable Exploit Protection
4. Try FritzFax
5. If it still fails, disable Malware Protection
6. Try FritzFax
7. If it still fails, disable Web Protection (which you already tried)
8. Try FritzFax
9. If it still fails, disable Self Protection
10. Try FritzFax

I realize it's a lot of steps, but hopefully we can rule out what's going on.

stevang, posted March 21, 2017 (ID:1110416)

Ransomware Protection off seems to solve the problem, but how can I now make an exception for Fritz.Fax and keep Ransomware Protection on?

Sure, as a workaround I could turn Ransomware Protection off, set the fritz.box CAPI off and on again and start Fritz.Fax, send my fax and turn Ransomware Protection back on again, but that's not really handy.

dcollins, posted March 21, 2017 (ID:1110433)

This is hard to track down because apparently you can't install the FritzFax software without having a FritzBox (which I don't have). Let's try something a bit more advanced.

1. Download ProcMon from the following URL: https://live.sysinternals.com/procmon.exe
2. Make sure Ransomware Protection is turned on
3. Launch ProcMon
4. Try to start FritzFax
5. Stop ProcMon by clicking the magnifying glass
6. Click the save button and save the PML file to your desktop
7. Upload the PML here. If it's too large, you can go to http://wetransfer.com and email the file to dcollins@malwarebytes.com

stevang, posted March 21, 2017 (ID:1110442)

I guess Fritz.Fax itself is not the problem but the CAPI over TCP. Since there are fewer and fewer ISDN lines and everything is going through VoIP connections, the CAPI works over TCP now. Maybe that triggers some protection mechanism in MWB3.

The PML file has been sent as a forum message.

dcollins, posted March 21, 2017 (ID:1110448)

Ok, can you try excluding the following two applications?

C:\Windows\SysWOW64\cjpcsc.exe
C:\Program Files (x86)\FRITZ!\FriFax32.exe

See if that helps at all.

stevang, posted March 21, 2017 (ID:1110450)

The first one belongs to a chipcard reader (www.reiner-sct.com) that has nothing to do with fax functionality, and FriFax32.exe is already excluded.

dcollins, posted March 21, 2017 (ID:1110454, edited)

When you added FriFax32.exe to your exclusions, did you make sure to choose to exclude it from Ransomware protection?

stevang, posted March 21, 2017 (ID:1110465, edited)

Yes, I have added the whole FRITZ! folder as well, but still the same error.

dcollins, posted March 21, 2017 (ID:1110471)

Can you grab the following file and upload it?

C:\Users\stevang\AppData\Local\FRITZ!\FritzFax.Log

Note that the AppData folder may be hidden, so you may need to type the path in manually or turn on showing hidden files/folders.

After doing that, can you try excluding the entire C: drive from ransomware and see if the program works? This obviously isn't a good long term workaround, but it might give us some more information.

stevang, posted March 21, 2017 (ID:1110478)

21.03.17 23:02:04 FRITZ!fax
21.03.17 23:02:04 Version 3.07.61
21.03.17 23:02:04 ComDir = C:\Users\stevang\AppData\Roaming\FRITZ!\Fax
21.03.17 23:02:04 Nebenstelle = 0
21.03.17 23:02:04 Amtsholung = 0
21.03.17 23:02:04 Amtziffern = 4
21.03.17 23:02:04 MSN = xxxxxxx
21.03.17 23:02:04 Annahmeverzögerung = 0
21.03.17 23:02:04 Wiederholungen = 0
21.03.17 23:02:04 Pause = 1
21.03.17 23:02:04 Ausdruck einkommender Faxe = 0
21.03.17 23:02:04 Kopfzeile = FRITZ!fax via ISDN
21.03.17 23:02:04 Teilnehmerkennung = +49 xxx xxxxxxx
21.03.17 23:02:06 Anzahl der Controller = 0
21.03.17 23:02:06 FRITZ!Box: ISDN = 0, Analog = 0, Internet = 0
21.03.17 23:02:06 Anzahl der Controller = 0
21.03.17 23:02:06 FRITZ!Box: ISDN = 0, Analog = 0, Internet = 0
21.03.17 23:02:06 CApplicom[1]::InitIsdn(pWnd 0x3EAE0)
21.03.17 23:02:06 NumberOfController: 0
21.03.17 23:02:06 Controller: -3 -> 1
21.03.17 23:02:06 m_pIsdn->Register = 0x1009
21.03.17 23:02:06 CApplicom[2]::InitIsdn(pWnd 0x3EAE0)
21.03.17 23:02:06 NumberOfController: 0
21.03.17 23:02:06 Controller: -3 -> 1
21.03.17 23:02:06 m_pIsdn->Register = 0x1009

And well, excluding C: didn't change anything, so excluding files seems not to be a solution.

dcollins, posted March 21, 2017 (ID:1110481)

Is that the whole contents of the log or just a snippet?

Can you follow the instructions below again, but this time note that Ransomware protection is turned off. Hopefully we'll see a difference between the two and it will give us an idea of what's going on.

1. Download ProcMon from the following URL: https://live.sysinternals.com/procmon.exe
2. Make sure Ransomware Protection is turned off
3. Launch ProcMon
4. Try to start FritzFax
5. Stop ProcMon by clicking the magnifying glass
6. Click the save button and save the PML file to your desktop
7. Upload the PML here. If it's too large, you can go to http://wetransfer.com and email the file to dcollins@malwarebytes.com

Also, make sure to remove the exclusion for the whole C: drive as we no longer need that. And can you also upload the new C:\Users\stevang\AppData\Local\FRITZ!\FritzFax.Log file from when the program launches successfully?

stevang, posted March 21, 2017 (ID:1110493, edited)

21.03.17 23:23:46 FRITZ!fax
21.03.17 23:23:46 Version 3.07.61
21.03.17 23:23:46 ComDir = C:\Users\xxxxx\AppData\Roaming\FRITZ!\Fax
21.03.17 23:23:46 Nebenstelle = 0
21.03.17 23:23:46 Amtsholung = 0
21.03.17 23:23:46 Amtziffern = 4
21.03.17 23:23:46 MSN = xxxxxxx
21.03.17 23:23:46 Annahmeverzögerung = 0
21.03.17 23:23:46 Wiederholungen = 0
21.03.17 23:23:46 Pause = 1
21.03.17 23:23:46 Ausdruck einkommender Faxe = 0
21.03.17 23:23:46 Kopfzeile = FRITZ!fax via ISDN
21.03.17 23:23:46 Teilnehmerkennung = +49 xxx xxxxxxx
21.03.17 23:23:46 Anzahl der Controller = 5
21.03.17 23:23:46 CAPI-Profile Protokollmaske(5) = 0x8000
21.03.17 23:23:46 CAPI-Profile Protokollmaske(5) = 0x8000
21.03.17 23:23:46 CAPI-Profile Protokollmaske(4) = 0x4000
21.03.17 23:23:46 FRITZ!Box: ISDN = 1, Analog = 4, Internet = 5
21.03.17 23:23:46 Anzahl der Controller = 5
21.03.17 23:23:46 CAPI-Profile Protokollmaske(5) = 0x8000
21.03.17 23:23:46 CAPI-Profile Protokollmaske(5) = 0x8000
21.03.17 23:23:46 CAPI-Profile Protokollmaske(4) = 0x4000
21.03.17 23:23:46 FRITZ!Box: ISDN = 1, Analog = 4, Internet = 5
21.03.17 23:23:46 CApplicom[1]::InitIsdn(pWnd 0x36EAE0)
21.03.17 23:23:46 NumberOfController: 5
21.03.17 23:23:46 Controller: -3 -> 5
21.03.17 23:23:46 m_pIsdn AppId = 7
21.03.17 23:23:46 Profileabfrage(): G3 = 0 G3Ext = 0
21.03.17 23:23:46 CAPI Hersteller: AVM Berlin
21.03.17 23:23:46 CAPI Version: 2.0 (3.11.07)
21.03.17 23:23:46 CAPI Seriennummer: 0004711
21.03.17 23:23:46 Empfangsbereitschaft aktiviert
21.03.17 23:23:46 CApplicom[2]::InitIsdn(pWnd 0x36EAE0)
21.03.17 23:23:46 NumberOfController: 5
21.03.17 23:23:46 Controller: -3 -> 5
21.03.17 23:23:46 m_pIsdn AppId = 8
21.03.17 23:23:46 Profileabfrage(): G3 = 0 G3Ext = 0
21.03.17 23:23:46 Empfangsbereitschaft aktiviert

The PML file has been sent as a forum message.
The C: exclusion has been removed again.

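Added example, not part of the original thread: a timestamp-insensitive comparison of the two FritzFax.Log excerpts posted above (Ransomware Protection on versus off), written in Python. The function names are hypothetical, and the sample lines are excerpts copied from the two posts.

```python
import re

# Excerpts copied from the two logs posted in the thread (illustrative subset).
FAILING = """\
21.03.17 23:02:06 Anzahl der Controller = 0
21.03.17 23:02:06 FRITZ!Box: ISDN = 0, Analog = 0, Internet = 0
21.03.17 23:02:06 CApplicom[1]::InitIsdn(pWnd 0x3EAE0)
21.03.17 23:02:06 NumberOfController: 0
21.03.17 23:02:06 Controller: -3 -> 1
21.03.17 23:02:06 m_pIsdn->Register = 0x1009
"""
WORKING = """\
21.03.17 23:23:46 Anzahl der Controller = 5
21.03.17 23:23:46 CAPI-Profile Protokollmaske(5) = 0x8000
21.03.17 23:23:46 FRITZ!Box: ISDN = 1, Analog = 4, Internet = 5
21.03.17 23:23:46 CApplicom[1]::InitIsdn(pWnd 0x36EAE0)
21.03.17 23:23:46 NumberOfController: 5
21.03.17 23:23:46 Controller: -3 -> 5
21.03.17 23:23:46 m_pIsdn AppId = 7
21.03.17 23:23:46 Empfangsbereitschaft aktiviert
"""

STAMP = re.compile(r"^\d{2}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} ")
POINTER = re.compile(r"pWnd 0x[0-9A-Fa-f]+")  # window handle differs per run

def messages(log):
    """Log messages in order, without timestamps or per-run pointer values."""
    return [POINTER.sub("pWnd <ptr>", STAMP.sub("", line))
            for line in log.splitlines() if STAMP.match(line)]

def only_in(a, b):
    """Messages of run a that never occur in run b, in order, de-duplicated."""
    other = set(messages(b))
    return list(dict.fromkeys(m for m in messages(a) if m not in other))

def controller_count(log):
    """Value of the first 'Anzahl der Controller' line, or None if absent."""
    m = re.search(r"Anzahl der Controller = (\d+)", log)
    return int(m.group(1)) if m else None

if __name__ == "__main__":
    print("controllers:", controller_count(FAILING), "vs", controller_count(WORKING))
    print("only in failing run:", *only_in(FAILING, WORKING), sep="\n  ")
    print("only in working run:", *only_in(WORKING, FAILING), sep="\n  ")
```
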
dcollins, posted March 21, 2017 (ID:1110499)

Ok, a few more things to try while I keep researching. First off, can you try the steps outlined in this blog post around the registry: https://edvtraining.wordpress.com/2013/12/07/fritzfax-common-isdn-api-ver-2-0-nicht-installiert/

Also, would you mind testing by removing MB3 and installing the standalone version of ARW from here: https://malwarebytes.box.com/s/znlajk1tlmzbm2x3vb4enkik7lreqxd9

One last question, you mention this started with 3.0.6, did you have 3.0.5 before at all, or was this directly from 2.x to 3.0.6?

stevang, posted March 21, 2017 (ID:1110503)

I came from before MWB3, 2.something.

The CAPI error on Fritz.Fax startup is gone after editing the registry and adding "FoundFritzBoxes"="XXX.XXX.XXX.XXX" (xxx replaced with the fritz.box IP) according to the blog post.

Still strange that this was no problem without MWB3.

I'm still curious if the fax really works or if the software has been fooled by giving it the fritz.box location via registry. I have no fax to send right now. Do you have a fax number?

dcollins, posted March 21, 2017 (ID:1110504)

I don't, sorry. There are toll free numbers in the US for testing but I'm assuming you're in Germany?

stevang, posted March 21, 2017 (ID:1110508, edited)

Ok, I was able to send a quick fax. It is all looking good again! Removed the exclusions as well and it is still working.

So, the CAPI-over-TCP is looking for the fritz.box IP on the network and fails, due to MWB3 ransomware protection, to locate the fritz.box. After telling the CAPI via regedit where the fritz.box is located IP-wise, the problem is solved, because the CAPI does not need to search for the fritz.box and does not trigger the MWB3 protection anymore.

Thanks for your time! I hope it helps other people with Fritz.Fax and MWB3 as well!