soooner

Malwarebytes Anti-Exploit 1.12 Build 137 is blocking PowerShell
If I try to run PowerShell when Anti-Exploit build 137 is running it will block it from running. Not a script or anything, just plain old powershell.exe. 


Hi soooner,

Can you please post some logs, we can take a look at it immediately. Thanks.

ZIP the entire contents (ALL the files, not just .LOG) of the MBAE user data directory and attach them to your post. The directory is hidden by default so you might have to click on "View -> Hidden items" in Explorer to see it. If you are replying to someone else's post, you can click the "More reply options" button at the end of the page to get the file attachment options. You can find the logs in the following locations:

  1. Windows XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes Anti-Exploit
  2. Vista, Windows 7 and Windows 8: C:\ProgramData\Malwarebytes Anti-Exploit


I'm seeing the same here with 137, I won't post the files unless you ask for them.

The old command window works fine, but PowerShell gets blocked every time.

Windows 10 1809, build 17763.134


I just registered specifically to add that I am seeing this also. In my case it is a background tool running PowerShell, but it is triggering the pop-up to the user. This just started today.


Thanks All for reporting. We are addressing this issue immediately. Will keep you all posted. 


I run a prog called gPodder every morning to download podcasts I follow. Today for the first time I had a message about PowerShell (Version 1.12.1.137).

https://gpodder.net/ - gPodder is a simple, open source podcast client written in Python using GTK+. In development since 2005 with a proven, mature codebase.


Hi everyone,

Same issue here.

When I turned my computer on this morning, I got the same message as soooner. I'm not running any special script at boot.

I can't run Powershell either.

Same issue appeared on both my computers.

I just registered specifically to add this.

I won't post any log unless you ask for it.

Windows 10 Pro b1809 17763.107

Kind regards.


This issue actually started in 1.12.1.136. Sorry for not reporting it sooner. I thought this was caused by MBAE becoming a bit more unforgiving after the new chromium based browsers protection with the clever tricks I am using in my project to spawn an elevated Command Prompt from a standard one passing a parameter in the process to "transfer" a variable in the elevated context if UAC prompt is accepted and keep the standard cmd open waiting for user action even after the elevated cmd finishes and it is closed. I use Powershell to accomplish all this.

Elevated cmd spawn calls with a variable value as parameter

https://github.com/pal1000/mesa-dist-win/blob/master/buildscript/modules/pythonpackages.cmd#L59

https://github.com/pal1000/mesa-dist-win/blob/master/buildscript/modules/pythonpackages.cmd#L71

Code that runs with admin rights:

https://github.com/pal1000/mesa-dist-win/blob/master/buildscript/modules/pywin32.cmd

It first receives the variable from the standard user context before proceeding any further.


Hi Arthi,

It works great for me but...

I wonder why PowerShell was blocked when it was a Microsoft Office call?

Thanks.

[Attached image: 2018-11-16_10-06-06.jpg]


Is anyone here having powershell blocked in the background without trying to run powershell? Windows 10 started running a powershell test script in the background a few months back. I believe this script is used by Windows to check to see whether the user is running AppLocker, or not. This script gets blocked many times per day by AppGuard.

Here is the script being blocked by AppGuard. This image from AppGuard Activity Report shows a little information about the script.

[Attached image: powershell policy script.jpg]


Another PowerShell script that runs in the background on many Windows 10 installations is used to disable legacy versions of SMB. You can see this script captured below, taken from ERP's log file. This script has also run over and over again, since it cannot complete due to being blocked by AppGuard. I'm curious whether MBAE build 137 was blocking this script as well. I have not checked to see if this is the case, since I have been using Malwarebytes Anti-Malware the last 3 weeks. I hope the log info below is helpful.


Date/Time: 2018-11-16 21:51:29.424
Action:  Allow/Known Safe Process
PID: 5504
Process Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
SHA1: AE8B80AE4D2D3B4AB6A28CC701EB4D888E4EC7AD
Signer:
Command Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"
Parent: C:\Windows\System32\svchost.exe
Parent SHA1: B3D7C886DC6607A50874E0ECF2B90CFC3C4B57B8
Parent Signer: Microsoft Windows Publisher
Expression: -
Category: -
User/Domain: SYSTEM/NT AUTHORITY
Integrity Level: System
System File: True
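The two background launches discussed in this thread (the AppLocker policy test script and DisableUnusedSmb1.ps1) look, on the surface, like the kind of hidden-window PowerShell a blocker is built to stop, which is exactly why they trip AppGuard and, apparently, MBAE build 137. What separates them from a launch worth investigating is visible in the record above: a Microsoft-signed svchost.exe parent, the SYSTEM account, and a script that lives under the built-in PowerShell modules directory. The following is an added example, not code from the forum, from Malwarebytes or from the ERP/AppGuard vendors: it parses records in the "Key: Value" layout pasted above and applies those checks. The first record is the one quoted in the post; the second is constructed here (fake SHA1, fake path) to show a launch that fails them. The classification rules are this example's own assumptions.

```python
"""Added example (not from the forum thread or any vendor tool): triage
PowerShell launch records in the 'Key: Value' layout pasted in the post.

The first sample record is the one quoted in the post.  The second is
CONSTRUCTED for this example (zero SHA1, invented path and user) to show a
launch that should not be treated as a known Windows platform task.  The
checks below are assumptions of this example, not vendor logic."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
Date/Time: 2018-11-16 21:51:29.424
Action:  Allow/Known Safe Process
PID: 5504
Process Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
SHA1: AE8B80AE4D2D3B4AB6A28CC701EB4D888E4EC7AD
Signer:
Command Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"
Parent: C:\Windows\System32\svchost.exe
Parent SHA1: B3D7C886DC6607A50874E0ECF2B90CFC3C4B57B8
Parent Signer: Microsoft Windows Publisher
Expression: -
Category: -
User/Domain: SYSTEM/NT AUTHORITY
Integrity Level: System
System File: True

Date/Time: 2018-11-16 21:55:01.000
Action:  Allow/Known Safe Process
PID: 6120
Process Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
SHA1: AE8B80AE4D2D3B4AB6A28CC701EB4D888E4EC7AD
Signer:
Command Line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Public\update.ps1
Parent: C:\Users\Public\helper.exe
Parent SHA1: 0000000000000000000000000000000000000000
Parent Signer:
Expression: -
Category: -
User/Domain: alice/WORKGROUP
Integrity Level: Medium
System File: False
"""

# "Key: Value"; the key is everything before the first colon, so paths with
# drive letters in the value are not split.
RECORD_RE = re.compile(r"^([^:]+):\s*(.*)$")
# First .ps1 path on the command line (quotes end a path).
SCRIPT_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.ps1)', re.IGNORECASE)
# Lower-cased directory of the modules that ship with Windows (assumption).
BUILTIN_MODULES = "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\"


def parse_records(text: str) -> list[dict[str, str]]:
    """Split blank-line separated records into key -> value dictionaries."""
    records: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = RECORD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def script_path(command_line: str) -> str:
    """Return the .ps1 path named on the command line, or '' if none."""
    m = SCRIPT_RE.search(command_line)
    return m.group(1) if m else ""


@dataclass
class Verdict:
    pid: str
    script: str
    hidden_window: bool
    reasons: list[str] = field(default_factory=list)

    @property
    def platform_task(self) -> bool:
        """True when every check a built-in maintenance task should pass passed."""
        return not self.reasons


def triage(rec: dict[str, str]) -> Verdict:
    """Apply the checks to one record; each failed check adds a reason."""
    cmd = rec.get("Command Line", "")
    lower = cmd.lower()
    script = script_path(cmd)
    v = Verdict(pid=rec.get("PID", ""), script=script,
                hidden_window="-windowstyle hidden" in lower)
    if rec.get("Parent Signer", "") != "Microsoft Windows Publisher":
        v.reasons.append("parent not signed by Microsoft Windows Publisher")
    if not rec.get("User/Domain", "").upper().startswith("SYSTEM/"):
        v.reasons.append("not running as SYSTEM")
    if not script.lower().startswith(BUILTIN_MODULES):
        v.reasons.append("script outside the built-in PowerShell modules directory")
    if "-executionpolicy bypass" in lower:
        v.reasons.append("execution policy bypass")
    return v


def triage_log(text: str) -> list[Verdict]:
    return [triage(r) for r in parse_records(text)]


if __name__ == "__main__":
    for v in triage_log(SAMPLE_LOG):
        label = "platform task" if v.platform_task else "review: " + "; ".join(v.reasons)
        print(f"PID {v.pid} {v.script or '(no script)'} -> {label}")
```

Note that a hidden window on its own is deliberately not a reason: the genuine SMB1 task uses -WindowStyle Hidden too, so treating it as a signal by itself produces exactly the repeated false positives described in this thread. The parent signer and script location carry the decision; the hidden_window flag is recorded only for context.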


.139 as posted above seems to have cured the problem.

Remember that this is a beta so some issues/glitches are going to be expected.


Latest .139 has fixed the problem on the laptop running Windows 7 Home Premium x64. There was no problem on the other laptop with the same OS. I had performed a factory reset and rebuild on the first laptop a couple of months ago, so this may have been the cause. Belarc Advisor caused the PowerShell problem.

Thanks and regards from 'Down Under'.
