IE 11 address bar search term triggers MBAM exploit block


I won't go into details on why I was searching this term, but when I typed the word endrimitriosis into the address bar of IE on Windows 10 FCU 16299.19, IE suddenly closed and MBAM showed an exploit block message. I tried using the term in the search bar of IE as well as in Edge, and no alert was triggered. I also tried other search terms and even misspelling the word in the address bar of IE. The only time the exploit block was triggered was when I used the word endrimitriosis. I don't know why this particular term triggers an exploit alert, but it seemed like an important discovery, so I thought I would ask about it here.

 

Malwarebytes
www.malwarebytes.com
-Log Details-
Protection Event Date: 11/10/17
Protection Event Time: 8:28 AM
Log File: 24848688-c634-11e7-ac18-080027007425.json
Administrator: Yes
-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.236
Update Package Version: 1.0.3222
License: Premium
-System Information-
OS: Windows 10 (Build 16299.19)
CPU: x64
File System: NTFS
User: System
-Exploit Details-
File: 0
(No malicious items detected)
Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0
-Exploit Data-
Affected Application: Internet Explorer (and add-ons)
Protection Layer: Protection Against OS Security Bypass
Protection Technique: Exploit ROP gadget attack blocked
File Name:
URL:
 
(end)

No, the issue does not appear if any other term is used, and the issue does not occur with the search bar... It is when the address bar is used to perform the search. If you use the search bar, nothing happens except for the search. I have included two images. Screenshot (62) is the one you asked for, while Screenshot (63) demonstrates where I am performing the search.

Screenshot (63).png

Screenshot (62).png


I tried the same address bar search in both Edge and Chrome, and only doing it in IE triggers an exploit block alert.

I tried switching the search engine from Google back to Bing, and the issue still occurs.

I also tried removing (one at a time, since there has to be a default search engine) both Bing and Google as search engines, and re-adding them from the Microsoft IE gallery page (https://www.microsoft.com/en-us/iegallery).

Also tried a repair install; the problem still exists.

Edited by cybot

You can, based on your symptoms I have a feeling it will work properly since Exploit Protection is what's causing your issue.

Can you try removing Malwarebytes entirely and installing standalone anti-exploit to see if the issue persists? You can download that from here: 

Edited by dcollins

Turning off MBAM exploit protection and performing the address bar search with the term endomitriosis, the browser performs a search as expected..... Why is there an exploit warning for this term when an address bar search is performed?

Edited by cybot

Alright, let's go ahead and re-install Malwarebytes, then please follow the instructions below so we can get some debug information:

  1. Please download the files from this link:
    • https://malwarebytes.box.com/s/kzoo8u6jq7n82e0uji909y7pnuozx77z
  2. Right click Malwarebytes in the system tray and choose Quit Malwarebytes
  3. Extract the contents of the ZIP to a sub-folder in your Desktop.
  4. Copy the files mbae.dll and mbae64.dll and paste them to the C:\Program Files\Malwarebytes\Anti-Malware\ folder.
  5. Copy the files mbae.sys and mbae64.sys and paste them to the C:\Windows\System32\drivers\ folder.
  6. After you replace the files, double click the desktop icon to start Malwarebytes again
  7. Reproduce the problem and collect and send back to us these files:
    • C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log
    • C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log
    • C:\ProgramData\MBAE_minidumps\

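The collection step in the instructions above, as an added PowerShell example (not a Malwarebytes tool and not part of the original post): it bundles the listed log paths into one ZIP on the Desktop, records any path that does not exist, and notes the version and SHA-256 of the replaced files so support can tell which build is installed. The `MBAE-debug-*` and `manifest.txt` names are assumptions; run it from an elevated PowerShell 5.1 prompt.

```powershell
# Added example: bundle the debug artifacts requested above into one ZIP.
# Output names (MBAE-debug-*, manifest.txt) are assumptions, not Malwarebytes conventions.
$ErrorActionPreference = 'Stop'

# Paths exactly as listed in step 7 of the instructions.
$artifacts = @(
    'C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log',
    'C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log',
    'C:\ProgramData\MBAE_minidumps'
)
# Files replaced in steps 4 and 5; hashed so the installed build can be confirmed.
$replaced = @(
    'C:\Program Files\Malwarebytes\Anti-Malware\mbae.dll',
    'C:\Program Files\Malwarebytes\Anti-Malware\mbae64.dll',
    'C:\Windows\System32\drivers\mbae.sys',
    'C:\Windows\System32\drivers\mbae64.sys'
)

$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$staging  = Join-Path $env:TEMP "MBAE-debug-$stamp"
$zip      = Join-Path ([Environment]::GetFolderPath('Desktop')) "MBAE-debug-$stamp.zip"
New-Item -ItemType Directory -Path $staging | Out-Null
$manifest = Join-Path $staging 'manifest.txt'

foreach ($path in $artifacts) {
    if (Test-Path -LiteralPath $path) {
        Copy-Item -LiteralPath $path -Destination $staging -Recurse
        Add-Content -Path $manifest -Value "COLLECTED  $path"
    } else {
        # Record the gap instead of failing, e.g. when no minidump folder was created.
        Add-Content -Path $manifest -Value "MISSING    $path"
    }
}

foreach ($file in $replaced) {
    if (Test-Path -LiteralPath $file) {
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        $ver  = (Get-Item -LiteralPath $file).VersionInfo.FileVersion
        Add-Content -Path $manifest -Value "INSTALLED  $file  version=$ver  sha256=$hash"
    } else {
        Add-Content -Path $manifest -Value "MISSING    $file"
    }
}

Compress-Archive -Path (Join-Path $staging '*') -DestinationPath $zip
Remove-Item -LiteralPath $staging -Recurse -Force
Write-Output "Wrote $zip"
```
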
Sorry, was busy yesterday and wasn't able to do the next step until today.

I added the files as directed, but when MBAM was restarted, the exploit protection would not turn on. I restarted MBAM a second time, and it was on but it turned off after about a few seconds. Is this what should be happening?

Here are the log files you asked for, but I have a feeling they won't be very useful since antiexploit is not working anymore, since I added the files you had me d/l.

Included in the .zip file is the mbamservice.log and mbae-default.log. The directory C:\Programdata\MBAE_minidumps does not exist, so naturally, I cannot add them to the .zip file.

MBAMSERVICE.zip
