LSI/AVAGO/Broadcom Megaraid Storage Manager (MSM)


IvanIvanovich

Malwarebytes v3 blocks the managing software for all Megaraid cards. This is a new behaviour that did not appear with the Malwarebytes Anti-Exploit standalone.

Here is the report:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 7/10/17
Protection Event Time: 3:38 PM
Log File: 
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.160
Update Package Version: 1.0.2332
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

-Exploit Data-
Affected Application: Java
Protection Layer: Application Behavior Protection
Protection Technique: Java malicious inbound socket detected
File Name: 
URL: 

(end)

 

It is NOT possible to create an exception for this by using "except previously blocked". The only current workaround I can find is to reboot the machine and turn off MBam protection before attempting to start MSM. This is not acceptable. A Security software that makes your machine unusable is NOT on.

This is NOT a server. This is my workstation and it runs 12 disks in three separate raids. This is also the machine that I use to manage the raid-controllers that I have in my six servers. Currently your software is preventing me from doing so.

Can you please fix this pronto? 

The latest version of MSM can be downloaded from this site; https://www.broadcom.com/support/download-search/?pg=Storage+Adapters,+Controllers,+and+ICs&pf=RAID+Controller+Cards&pn=MegaRAID+SAS+9270-8i&po=&pa=Management+Software+and+Tools&dk=

Please fix this!!
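
As an added example that is not part of the original post or of any Malwarebytes tooling: a small Python parser for the report layout quoted above, pulling out the fields needed to triage a block like this one as a possible false positive. The sample text is an abridged, constructed copy of that report, and the function names are hypothetical.

```python
import re

# Constructed sample: abridged copy of the report layout quoted in the post above.
SAMPLE_REPORT = """\
-Log Details-
Protection Event Date: 7/10/17
Protection Event Time: 3:38 PM

-Exploit Details-
Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

-Exploit Data-
Affected Application: Java
Protection Layer: Application Behavior Protection
Protection Technique: Java malicious inbound socket detected
File Name:
URL:
(end)
"""

SECTION = re.compile(r"^-(.+)-$")  # section headers look like "-Exploit Data-"

def parse_report(text):
    """Split a report into {section: {key: value}}; bare lines go under '_lines'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1), {"_lines": []})
        elif not line or line == "(end)" or current is None:
            continue  # blanks, the end marker, and banner text before any section
        elif ":" in line:
            key, value = line.split(":", 1)  # split once so "3:38 PM" stays whole
            current[key.strip()] = value.strip()
        else:
            current["_lines"].append(line)  # e.g. the comma-separated detection row
    return sections

def summarize(text):
    """Return the fields needed to triage a block as a possible false positive."""
    data = parse_report(text).get("Exploit Data", {})
    return {
        "application": data.get("Affected Application", ""),
        "layer": data.get("Protection Layer", ""),
        "technique": data.get("Protection Technique", ""),
        # Empty file and URL: a behavioural block with no artifact to hash or look up.
        "behaviour_only": not data.get("File Name") and not data.get("URL"),
    }
```
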

  • Staff

Hello IvanIvanovich,

 

That setting that is causing this was something that was disabled in prior versions but enabled in this one. It is something that can be disabled again so you can get your managing software up and running again. To do this, open up mb3 and go to the settings pane on the left. From here, click on the Protection tab and click on Advanced settings. From there, click on the Java Protection tab. The option you want to deselect is 'Java malicious inbound shell protection'.

Disabling that will allow you to continue to use the product without an issue. 

  • Staff

Hey IvanIvanovich,

 

Sorry for the delay, I was getting a few items confirmed by our team. The impact of disabling that setting will be minor. MBAE is a layered protection program in that even if you disable 1 small portion of it, you will still be protected by the other layers. This protection in particular is actually something we have disabled by default on our business version of mbae due to management software (such as this one) needing that unchecked in order to do their java operations correctly. So even if you disable that, you will still be protected by mbae from java based exploits. 

Thank you for that information.

Is there any detailed information available about what the different modules and settings actually do (and what they affect)? Any product comparison with your business tools would also be welcomed. It's very easy to find "marketing blurb" but very hard to find real information.

  • Staff

Hey Ivan,

 

Page 14 of this admin guide here: https://www.malwarebytes.com/pdf/guides/MBAEBGuide.pdf?d=2017-07-12-11-42-29--0700 goes into it a bit on what each of the settings do. However, they are a bit technical and wouldn't answer most questions more than anything. However, the images from that guide are what the business have checked compared to the one in MB3. The main changes are to the final 2 tabs that involved the application behavior protection and java protection. Some of those settings are changed since business environments have a lot more java management programs that are not malicious.

As of today the problem is back!

Even with the "Java malicious inbound shell protection" box unticked Mbam will block MSM from finding any server (local or LAN).

The unticking of the java protection ONLY works until the next reboot. After a reboot MBAM will yet again block MSM.

 

The ONLY thing I can get to work is to disable the entire exploit protection and then do a reboot. 

This is not an acceptable workaround!

  • Staff

Hello,

 

Just to confirm, on next reboot when it occurs again, when you go to that same setting is it checked again or not? I just want to confirm. If it is not checked and you are still having the issue, is it generating an alert? If so, I will need the logs collected to troubleshoot further.  All you have to do is run this tool https://downloads.malwarebytes.org/file/mb3_check and collect the zip file that is on the desktop.

 

It is unchecked and it remains unchecked after reboots. Yes I get a pop-up about a blocked exploit.

I'm unable to divulge in-depth data about this machine to third parties so I cannot send you any logs without first having them vetted. Can you inform me of what format and information those logs you ask for contain?

Will the stand-alone Anti-Exploit run alongside MBAM v.3 (with exploit protection disabled)? If so do you have a download link for it?

 

I've just installed MSM on a Virtual Machine running Win10 (with NO Java installed on the machine) and there I get no exploit warning and no conflict (regardless of MBAM settings). I guess this makes sense with no java on the machine.

The machine having problems is a Win7 x64 with loads of Java installed (runtime 1.8.0-131). Will using sandbox setting in Java make any difference?

 

  • Staff

Hey Ivan,

 

I do apologize for the delay. If that is the case with the logging, then it may be best just to collect these two logs since that tool gathers a lot more:

C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log
C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log

So the mbae-default log is an encrypted log that only has information about mbae and just gives me more information on the alerts. The mbam service log has all the product's communication to that log. It doesn't pull any user information and just pertains to scans, blocks, or communication to our services. Also, while it is possible to install it side by side, both of them use some of the same DLLs so it is not recommended to run anti-exploit side by side.

For the question in your second post about sandboxing, is that setting on the win7 side? I will have to check with our team if that will make a difference but I want to clarify if you are just asking about turning it on or not. 

 

Sandboxing is a security setting in the java control applet.

I'll try to look into the logs during the weekend.

If you are testing with MSM on your side be aware that the exploit block goes on both during server discovery and also whenever the application tries to send an alarm via popup.
