IE 11 adress bar search term triggers MBAM exploit block

[cybot]

I won't go into details on to why I was searching this term, but when i typed the word endrimitriosis into the address bar of ie on windows 10 FCU 16299.19, IE suddenly closed and MBAM showed a exploit block message. I tried using the term in the search bar of IE as well as in edge, and no alert was triggered. I also tried other search terms an even misspelling the word in the address bar of IE. the only time the exploit block was triggered was when i used the word endrimitriosis. I don't know why this particular term triggers an exploit alert, but it seemed like an important discovery, so i thought i would ask a bout it here.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/10/17
Protection Event Time: 8:28 AM
Log File: 24848688-c634-11e7-ac18-080027007425.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.236
Update Package Version: 1.0.3222
License: Premium

-System Information-
OS: Windows 10 (Build 16299.19)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

-Exploit Data-
Affected Application: Internet Explorer (and add-ons)
Protection Layer: Protection Against OS Security Bypass
Protection Technique: Exploit ROP gadget attack blocked
File Name:
URL:

 

(end)

[dcollins]

Can you please grab the logs mentioned in the thread below

 

[cybot]

sure thing, generating logs now..... will post them soon

[cybot]

here are the logs asked for

Addition.txt

mb-check-results.zip

FRST.txt

[dcollins]

Can you try opening an InPrivate browsing session in Internet Explorer and see if the issue persists? You can do this by opening Internet Explorer, going to Settings (the little cogwheel), Safety, InPrivate Browsing

[cybot]

I started up a InPrivate session like you asked, and as soon as i hit enter with the term in the address bar the InPrivate session closed and MBAM gave an exploit block warning, but no log was generated by mbam, which was odd

 

 

[dcollins]

Very interesting. Can you take a screenshot of your web browser before typing anything into your search bar? I wonder if your search bar has been hijacked.

Also, just to clarify, if you type anything besides "endrimitriosis", does the issue still happen?

[cybot]

no the issue does not appear if any other term is used. and the issue does not occur with the search bar... it is when the address bar is used to perform the search. if you use the search bar, nothing happens except for the search. I have included two images. screenshot (62) is the one you asked for, while screenshot (63) demonstrates where i am performing the search.

[cybot]

i tried the same address bar search in both Edge and Chrome, and only  doing in IE triggers an exploit block alert.

 

I tried switching the search engine from google back to bing, and the issue still occurs

I also tried removing (one at a time, since there has to be a default search engine) both bing and google as search engines, and re adding them from the  microsoft IE galllery page (https://www.microsoft.com/en-us/iegallery)

 

also tried a repair install, problem still exists

Edited November 15, 2017 by cybot

[cybot]

should i try temporarily disabling MBAM and performing the search operation just to see what happens?

 

[dcollins]

You can, based on your symptoms I have a feeling it will work properly since Exploit Protection is what's causing you're issue.

Can you try removing Malwarebytes entirely and installing standalone anti-exploit to see if the issue persists? You can download that from here: 

Edited November 22, 2017 by dcollins

[cybot]

so is this just some kind of false warning then?

[cybot]

turning off mbam exploit protection and performing the address bar search with the term endomitriosis the broswer performs a search as expected.....  why is there a exploit warning for this term when an address bar search is performed?

Edited November 15, 2017 by cybot

[cybot]

i uninstalled MBAM as you asked, and installed MBAE using the link you provided, and when i did the same address bar search as previous attempts, MBAE came up with an exploit block warning

[cybot]

could this be related by the bug/exploit in IE where the contents of the address bar are leaked?

[dcollins]

Alright, let's go ahead and re-install Malwarebytes, then please follow the instructions below so we can get some debug information:

1. Please download the files from this link:
   • https://malwarebytes.box.com/s/kzoo8u6jq7n82e0uji909y7pnuozx77z
2. Right click Malwarebyes in the system tray and choose Quit Malwarebytes
3. Extract the contents of the ZIP to a sub-folder in your Desktop.
4. Copy the files mbae.dll and mbae64.dll and paste them to the C:\Program Files\Malwarebytes\Anti-Malware\ folder.
5. Copy the files mbae.sys and mbae64.sys and paste them to the C:\Windows\System32\drivers\ folder.
6. After you replace the files, double click the desktop icon to start Malwarebytes again
7. Reproduce the problem and collect and send back to us these files:
   • C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log
   • C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log
   • C:\ProgramData\MBAE_minidumps\

[cybot]

sorry, was busy yesterday and wasn't able to do the next step until today.

 

I added the files as directed, but when MBAM was restated, the exploit protection would not turn on. I restarted MBAM a second time, and it was on but it turned off after about a few seconds. is this what should be happening?

[cybot]

here is the log files you asked for, but i have a feeling they won't be very useful since antiexploit is not working anymore, since i added the files you had me d/l.

 

included in the .zip file is the mbamservice.log, and mbae-default.log the directory C:\Programdata\MBAE_minidumps does not exist, so naturally, i can not add them to the the .zip file

MBAMSERVICE.zip

[cybot]

umm... next step??

[dcollins]

Sorry, I sent you the wrong files. Can you use the files in the link I just sent you in a PM and repeat those steps?

[cybot]

ill give it a try

Edited November 25, 2017 by cybot

[cybot]

looks like MBAM is working with the new files you had me add.

I have added the log files asked for, with one exception. the directory c:\programdata\MBAE_minidumps\ still does not exist or was not created by the files you had me add.

MBAM Logs.zip

[cybot]

I tried manually creating the MBAE_Minidumps directory in c:\programdata\ but nothing got put into it when i rand the search term

[cybot]

next step?

[Porthos]

1 minute ago, cybot said:

next step?

@dcollins