Jump to content
Phaewryn

Firefox Quantum Beta (v. 58.0b4, 64b) closed by Malwarebytes v. 3.3.1.2183

Recommended Posts

Firefox Quantum Beta (v. 58.0b4, 64 bit) was being automatically closed by Malwarebytes (v. 3.3.1.2183) today. I had it do this multiple times today, every time with completely different websites open, it's not any specific website.

I have a screenshot of the popup attached. I also have a screenshot of how it's impossible to add any exceptions for exploits in Malwarebytes as it won't allow me to select any, there's NO LIST to select from.

The Malwarebytes pop up says:
"Exploit automatically blocked
Malewarebytes detected and blocked an exploit. It is no longer a threat.
Affected Application: Mozilla Firefox
Protection layer: Protection against OS security bypass
Protection Technique: Exploit ROP gadget attack blocked."

Additional information:
Malwarebytes version information:
Version 3.3.1.2183
Component package version: 1.0.236
Update package version: 1.0.3287

In Firefox, I have a few add-ons/extensions:
Cisco Webex extension v. 1.0.12
Lastpass free v. 4.2.1.21
New Tab Override v. 11.0.0 by Soren Hentzschel
Stylus v 1.1.5 by Jeremy Schomery
uBlock Origin v. 1.14.18 by Raymond Hill
Unpaywall v. 1.5 by Impactstory team
(I will be disabling all of the ones not essential until this is resolved since I don't know what is triggering the problem)

Firefox crash reports:
https://crash-stats.mozilla.com/report/index/81cfeb51-4c3b-4bd6-96d1-a644f2170118 bp-81cfeb51-4c3b-4bd6-96d1-a644f2170118 1/17/2017 9:27 PM - 21:27
https://crash-stats.mozilla.com/report/index/6d61d73c-8e3c-4854-8c41-35f8d2170118 bp-6d61d73c-8e3c-4854-8c41-35f8d2170118 1/17/2017 8:45 PM - 20:45
https://crash-stats.mozilla.com/report/index/a3112137-1faf-40ee-b4aa-6747b2170118 bp-a3112137-1faf-40ee-b4aa-6747b2170118 1/17/2017 8:45 PM - 20:45
https://crash-stats.mozilla.com/report/index/db10f862-0005-46fa-9bcf-a36dd2170118 bp-db10f862-0005-46fa-9bcf-a36dd2170118 1/17/2017 7:33 PM - 19:33
https://crash-stats.mozilla.com/report/index/2da77aa3-6992-43e4-bc64-aea6e2170118 bp-2da77aa3-6992-43e4-bc64-aea6e2170118 1/17/2017 7:32 PM - 19:32
https://crash-stats.mozilla.com/report/index/390f0847-5925-4523-b91b-188ca2170118 bp-390f0847-5925-4523-b91b-188ca2170118 1/17/2017 7:27 PM - 19:27
https://crash-stats.mozilla.com/report/index/5be968e8-b2ca-4762-86e0-be3291171118 bp-5be968e8-b2ca-4762-86e0-be3291171118 11/17/2017    8:12 PM - 20:12

MalwarebytesClosingNewFirefox.PNG

cantaddexploitsnolist.PNG

Share this post


Link to post
Share on other sites

Hi Phaewryn,

Thanks for reporting it. Can you please help us get some logs, so we can look into it.

Please download the files from this link:

https://malwarebytes.box.com/s/kzoo8u6jq7n82e0uji909y7pnuozx77z

Press the Windows + R keys, type "services.msc" and hit Enter.

Find the service named "Malwarebytes service" and use the right-click menu to stop the service.

Extract the contents of the ZIP to a sub-folder in your Desktop.

Copy the files mbae.dll and mbae64.dll and paste them to the C:\Program Files\Malwarebytes\Anti-Malware\ folder.

Copy the files mbae.sys and mbae64.sys and paste them to the C:\Windows\System32\drivers\ folder.

 

After you replace the files, start the "Malwarebytes service" service again or reboot the computer.

 

Reproduce the problem and collect and send back to us these two files:

C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log

C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log

 

The directory is hidden by default so you might have to click on "View -> Hidden items" in Explorer to see it.  

There is also a post here from Microsoft on how to do this for the more recent OS:

https://support.microsoft.com/en-us/help/14201/windows-show-hidden-files

I know this is a lot to do at once, so if you have any questions about the process, please let me know!

Thanks.

Share this post


Link to post
Share on other sites
13 hours ago, Arthi said:

Reproduce the problem and collect and send back to us these two files:

C:\ProgramData\Malwarebytes\MBAMService\logs\mbae-default.log

C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.log

Here you go. BTW, someone from FireFox's GitHub/BugZilla will probably be contacting you, since I reported it there as well. Hopefully the two of you can resolve the issue, as I love BOTH programs, but need them to play nicer. I can't be having my browser just shut down in the middle of work.

Do you have a way for me to add an exception until FireFox's team works out the problem?

mbae-default.log

MBAMSERVICE.LOG

Edited by Phaewryn

Share this post


Link to post
Share on other sites

Thanks Phaewryn.

Can you also send FRST logs, please.

Please download FRST from the link below and save it to your desktop:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Double-click the purple FRST icon to run the program. Click Yes when the disclaimer appears.
Click the Scan button. When the scan has finished, it will make 2 log files in the same directory the tool is run, FRST.txt and Addition.txt. Please attach both files to your reply.

Share this post


Link to post
Share on other sites

I've been running it today with all add-ons but LastPass disabled. It's still happening. I hope you will have a way for me to add an exception by Monday when I need to get back to work, or I may have to disable Malwarebytes.

Share this post


Link to post
Share on other sites

Hi Phaewryn,

In the Malwarebytes application UI, Please go to "Settings" left pane->Protection Tab->Advanced Settings->Advanced Memory Protection Tab, and verify if the following settings are disabled. If not, Please do so, and let me know if that solves your issue. Thanks.

screenshot.png

Share this post


Link to post
Share on other sites

Hi Phaewryn,

Upon analyzing the logs, we realized that you have turned on “RET ROP Gadget detection” which is not our recommended default setting. Disabling it should solve the issue. 

The other settings in our product are there for additional security but we try to find an optimum balance between providing users maximum security while keeping the false positives to a minimum and have come up with these default recommended settings. Moving away from these, though provides the user more security, can be a hindrance in terms of usability.

Please get back to us if you have any questions.

Thanks.

Share this post


Link to post
Share on other sites
On 11/17/2017 at 10:33 PM, Phaewryn said:

Component package version: 1.0.236

 

 

 

 

Could you update by installing the current version from this link and try again please. No need to uninstall.

https://downloads.malwarebytes.org/file/mb3

 

 

Edited by Porthos

Share this post


Link to post
Share on other sites

Hi Xauma95,

In the Malwarebytes application UI, Please go to "Settings" left pane->Protection Tab->Advanced Settings->Advanced Memory Protection Tab, and verify if the following settings are disabled. If not, Please do so, and let me know if that solves your issue. Thanks.

 

screenshot.png

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.