Hitman Pro flags mbae64.sys - only in Safe Mode

[DrewGee]

Hitman Pro is flagging c:\windows\system32\drivers\mbae64.sys as a suspicious file. I'm posting here because that's an MBAM file, and I think an MBAM expert might be able to confirm it's not really a problem. My reason for thinking this follows.

I've scanned the file with MBAM and Norton (both in safe mode), and with three online meta-scanners like Virus Total. All of them say the file is fine.

Hitman Pro only flags mbae64.sys when I run Windows in Safe Mode. Here's what I suspect: in Safe Mode, some MBAM service/process doesn't start. That service would normally keep other AV programs from flagging mbae64.sys, so this isn't really a problem.

But I'm not sure and am a little concerned. Can anyone confirm whether my Safe Mode explanation sound correct, or possibly confirm the file has a valid hash (below)?

Here's why Hitman Pro says mbae64.sys is suspicious:

Properties
Name    mbae64.sys
Location    C:\WINDOWS\system32\drivers
Size    75.6 KB
Time    25.8 days ago (2017-08-28 18:17:45)
Authenticode    Valid
Entropy    6.4
RSA Key Size    2048
Service    ESProtectionDriver
SHA-256    CA3EB6AB127A01311DA1C7CE3A2F4C2C3E3641F45718CFCA0F8AED7235BE910D

Scoring (24.0)
The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program starts automatically without user intervention.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
Starts automatically as a service during system bootup.
The file is a device driver. Device drivers run as trusted (highly privileged) code.
Program is code signed with a valid Authenticode certificate.

Startup
HKLM\SYSTEM\ControlSet001\Services\ESProtectionDriver\

[dcollins]

Thanks for this, I'll do some checking into this to see if I can replicate. If you have any logs from Hitman Pro, can you please upload them as an attachment?

[DrewGee]

Thanks for investigating.

When I try to save a logfile in safe mode, after I select the location for the file, HitmanPro crashes to desktop with "HitmanPro 3.7 has stopped working". No logfile is saved.

When I try to save a logfile in normal mode, I'm able to save it... but in normal mode, mbae64.dll doesn't get flagged as suspicious.

I've attached a file with the information I'm able to get from HitmanPro (the same as from my original post).

HitmanPro mbae64.dll.txt

[dcollins]

I cant replicate this locally. I have the same hash on my version of mbae64.sys but in safe mode, the file doesnt get flagged for me. Are you using cloud definitions (safe mode with networking) or regular safe mode?

[DrewGee]

I'm using safe mode with networking. Would it help to submit the file somewhere?

[DrewGee]

I'm using safe mode with networking. Would it help to submit the file somewhere?

[Porthos]

1 hour ago, DrewGee said:

Would it help to submit the file somewhere?

zip it up and upload it here.

[DrewGee]

Here it is.

mbae64.zip

[dcollins]

I've been able to replicate this by scanning in Safe Mode with Networking. We'll reach out to Sophos and see what we can do. In the meantime, it would also be helpful if you could report this on their forums as well, as this looks to be a false positive on their side.

[DrewGee]

Thank you for confirming.

HItmanPro doesn't seem to have a support forum, but I forwarded the information (and a link to this post) to their support address, support@hitmanpro.com

[erikloman]

Are you using file system virtualization software like Rollback RX?

If the problem keeps persisting, set Settings -> Advanced -> Disk Access Mode to "Compatible Mode".

[DrewGee]

6 hours ago, erikloman said:

Are you using file system virtualization software like Rollback RX?

If the problem keeps persisting, set Settings -> Advanced -> Disk Access Mode to "Compatible Mode".

I'm not, but thanks for checking. 

[itsVance]

hitman pro just gave me a warning about this file.  The log seems to indicate it was flagged due to a few different reasons including that the authors name is missing in the version info, and version control is missing.

This is not in safe mode. 

HitmanPro_20180318_2247.log

mbae64.zip

[exile360]

Thanks, I will see to it that the Product team is made aware of the issue and will recommend they rectify this going forward by including appropriate Version info in the file for future releases.

[itsVance]

Glad I could help