Malwarebytes Anti-Exploit 1.12 Build 137 is blocking PowerShell

[soooner]

If I try to run PowerShell when Anti-Exploit build 137 is running it will block it from running. Not a script or anything, just plain old powershell.exe. 

[Arthi]

Hi soooner,

Can you please post some logs, we can take a look at it immediately. Thanks.

ZIP the entire contents (ALL the files, not just .LOG) of the MBAE user data directory and attach them to your post. The directory is hidden by default so you might have to click on "View -> Hidden items" in Explorer to see it. If you are replying to someone else's post, you can click the "More reply options" button at the end of the page to get the file attachment options. You can find the logs in the following locations:

1. Windows XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes Anti-Exploit
2. Vista, Windows 7 and Windows 8: C:\ProgramData\Malwarebytes Anti-Exploit

[soooner]

Please see attached. I have reproduced this on 2 out of 2 machines I have tested on. 

Malwarebytes Anti-Exploit.zip

[Arthi]

Thanks soooner. We will keep you posted.

[nukecad]

I'm seeing the same here with 137, I won't post the files unless you ask for them.

The old command window works fine, but powershell gets blocked everytime.

Windows 10 1809, build 17763.134

[darrenwhite99]

I just registered specifically to add that I am seeing this also. In my case it is a background tool running PowerShell, but it is triggering the pop-up to the user. This just started today.

[Arthi]

Thanks All for reporting. We are addressing this issue immediately. Will keep you all posted. 

[syates]

I run a prog called gPodder every morning to download podcasts I follow. Today for the first time I had a message about PowerShell (Version 1.12.1.137 )

https://gpodder.net/     gPodder is a simple, open source podcast client written in Python using GTK+. In development since 2005 with a proven, mature codebase.

[Ph3niX]

Hi everyone,

Same issue here.

When I turned my computer on this morning, I get the same message as sooner. I'm not running any special script at boot.

I can't run Powershell either.

Same issue appeared on both my computers.

I just registered specifically to add this.

I won't post any log unless you ask for it.

Windows 10 Pro b1809 17763.107

Kind regards.

[pal1000]

This issue actually started in 1.12.1.136. Sorry for not reporting it sooner. I thought this was caused by MBAE becoming a bit more unforgiving after the new chromium based browsers protection with the clever tricks I am using in my project to spawn an elevated Command Prompt from a standard one passing a parameter in the process to "transfer" a variable in the elevated context if UAC prompt is accepted and keep the standard cmd open waiting for user action even after the elevated cmd finishes and it is closed. I use Powershell to accomplish all this.

Elevated cmd spawn calls with a variable value as parameter

https://github.com/pal1000/mesa-dist-win/blob/master/buildscript/modules/pythonpackages.cmd#L59

https://github.com/pal1000/mesa-dist-win/blob/master/buildscript/modules/pythonpackages.cmd#L71

Code that runs with admin rights:

https://github.com/pal1000/mesa-dist-win/blob/master/buildscript/modules/pywin32.cmd

It first receives the variable from the standard user context before proceeding any further.

 

[Arthi]

Hi All,

Can you please try the below version and let us know if it fixes the powershell block?

https://malwarebytes.box.com/s/0d22r3umvso1eta2tqcre3yhlszurlac

Thank you all for your patience.

[Ph3niX]

Hi Arthi,

It works great for me but...

I wonder why when it's a Microsoft Office call that Power Shell was blocked ?

Thanks.

[cutting_edgetech]

Is anyone here having powershell blocked in the background without trying to run powershell? Windows 10 started running a powershell test script in the background a few months back. I believe this script is used by Windows to check to see whether the user is running AppLocker, or not. This script gets blocked many times per day by AppGuard.

Here is the script being blocked by AppGuard. This image from AppGuard Activity Report shows a little information about the script.

[cutting_edgetech]

Another powershell script that runs in the background on many Windows 10 installations is used to disable Legacy versions of SMB. You can see this script captured below taken from ERP 's log file. This script has also ran over, and over again since it can not complete due to being blocked by AppGuard. I'm curious whether MBAE build 137 was blocking this script as well. I have not checked to see if this is the case since I have been using Malwarebytes Antimalware the last 3 weeks. I hope the log info below is helpful.

 

Date/Time: 2018-11-16 21:51:29.424
Action:  Allow/Known Safe Process
PID: 5504
Process Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
SHA1: AE8B80AE4D2D3B4AB6A28CC701EB4D888E4EC7AD
Signer:
Command Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client"
Parent: C:\Windows\System32\svchost.exe
Parent SHA1: B3D7C886DC6607A50874E0ECF2B90CFC3C4B57B8
Parent Signer: Microsoft Windows Publisher
Expression: -
Category: -
User/Domain: SYSTEM/NT AUTHORITY
Integrity Level: System
System File: True

 

 

[nukecad]

.139 as posted above seems to have cured the problem.

Remember that this is a beta so some issues/glitches are going to be expected.

[cutting_edgetech]

Thank you for the response. I will switch back to MBAE from Malwarebytes Antimalware soon to see if I have any issues with the latest build.

[Pierre75]

Latest .139 has fixed problem on laptop running Windows 7 Home Premium 64x. There was no problem on other laptop same OS. Had performed a factory reset and rebuild on first laptop a couple of months ago so this may have been the cause. Belarc Advisor caused the Power Shell problem.

Thanks and regards from 'Down Under''. ?