Jump to content

Hitman Pro flags mbae64.sys - only in Safe Mode

Recommended Posts

Hitman Pro is flagging c:\windows\system32\drivers\mbae64.sys as a suspicious file. I'm posting here because that's an MBAM file, and I think an MBAM expert might be able to confirm it's not really a problem. My reason for thinking this follows.

I've scanned the file with MBAM and Norton (both in safe mode), and with three online meta-scanners like Virus Total. All of them say the file is fine.

Hitman Pro only flags mbae64.sys when I run Windows in Safe Mode. Here's what I suspect: in Safe Mode, some MBAM service/process doesn't start. That service would normally keep other AV programs from flagging mbae64.sys, so this isn't really a problem.

But I'm not sure and am a little concerned. Can anyone confirm whether my Safe Mode explanation sound correct, or possibly confirm the file has a valid hash (below)?

Here's why Hitman Pro says mbae64.sys is suspicious:

Name    mbae64.sys
Location    C:\WINDOWS\system32\drivers
Size    75.6 KB
Time    25.8 days ago (2017-08-28 18:17:45)
Authenticode    Valid
Entropy    6.4
RSA Key Size    2048
Service    ESProtectionDriver
SHA-256    CA3EB6AB127A01311DA1C7CE3A2F4C2C3E3641F45718CFCA0F8AED7235BE910D

Scoring (24.0)
The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program starts automatically without user intervention.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
Starts automatically as a service during system bootup.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.


Link to post
Share on other sites

Thanks for investigating.

When I try to save a logfile in safe mode, after I select the location for the file, HitmanPro crashes to desktop with "HitmanPro 3.7 has stopped working". No logfile is saved.

When I try to save a logfile in normal mode, I'm able to save it... but in normal mode, mbae64.dll doesn't get flagged as suspicious.

I've attached a file with the information I'm able to get from HitmanPro (the same as from my original post).

HitmanPro mbae64.dll.txt

Link to post
Share on other sites

  • 5 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.