Warb

Malwarebytes 4 breaks Unifi


The Ubiquiti Unifi network monitoring system uses Java. Previous versions of Malwarebytes have required an exception to be added to exclude the various components of Unifi to allow it to run correctly. After updating to MWB 4 (which inherently keeps all the existing exclusions that allowed Unifi to work under MWB v 3.x), I have discovered that no amount of exceptions/exclusions seems to allow Unifi to run properly, MWB simply throws up a generic "malicious incoming Java socket" alert and blocks it.

Initially, simply disabling the 4 categories of MWB protection did not allow Unifi to run, but after rebooting the PC with all protections OFF, I have found that I can re-enable web, malware and ransomware protection and still have Unifi working. What is more, whereas initially I found disabling protection did not fix the problem, after a reboot it seems that whilst enabling exploit protection kills Unifi, disabling it (without a reboot) allows it to run again.

It looks like MWB 4 is not correctly using the file and directory exclusions to allow incoming connections to a Java application.

But... Turning Java Malicious incoming shell protection OFF allows exploit protection to be switched on without killing Unifi. Interestingly, once exploit protection is running the incoming shell protection setting can be switched back on, and Unifi will continue to run. Disabling exploit protection and enabling it again (with incoming shell still switched ON) kills it instantly.

So for now I have exploit protection ON, incoming shell protection ON and I am able to use Unifi. However, a reboot of my PC without changing any settings will kill Unifi, and I'll have to disable exploit protection, disable incoming shell, re-enable exploit protection and finally re-enable incoming shell protection to have it all working again. Obviously this is less than ideal (understatement), but I thought I'd post it here in case anyone else finds the same problem...

Maybe Malwarebytes could fix this now I've done the diagnostic work?


***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following: 


If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

  1. Download Malwarebytes Support Tool
  2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
  3. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  4. Place a checkmark next to Accept License Agreement and click Next
  5. You will be presented with a page stating, "Get Started!"
  6. Click the Advanced tab on the left column

  7. Click the Gather Logs button

  8. A progress bar will appear and the program will proceed with getting logs from your computer

  9. Upon completion, a file named mbst-grab-results.zip will be found on your Desktop. Click OK

  10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:


To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.


One of our experts will be able to assist you shortly.


If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help.

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264


Thanks in advance for your patience.

-The Malwarebytes Forum Team


Greetings,

Normal exclusions in Malwarebytes do not apply to Exploit Protection, which is the component that is blocking Unifi based on the description of the block (anything related to Java is going to come from Exploit Protection as it has an entire page of settings dedicated specifically to Java protection). Because Exploit Protection works on execution, analyzing processes' behaviors in memory, this is why you are able to launch Unifi and then enable Java protection in Malwarebytes and also why launching Unifi after Exploit Protection is already enabled causes the block to occur. The best solution would be to post your detection logs showing Unifi being blocked in a new topic in this area and a member of the Exploit Protection team can assist in investigating the cause of the issue and hopefully get the false positive corrected so that no exclusions will be needed at all.


At present I am unsure of the consistency of MWB4. Last night, after reading exile360's message above, I retested and at that time I could start and stop both Unifi and MWB4's exploit protection (with Java incoming either on or off) in any order and Unifi would run happily. That was in contrast to earlier in the day, when I needed to follow a particular order as described previously.

This morning I stopped (quit) MWB4 and restarted it, and the behaviour is exactly back as it was earlier yesterday, i.e. I need to start MWB's exploit protection with Java incoming switched OFF to get Unifi to run, and afterwards I can re-enable Java incoming. I do not recall whether I actually restarted MWB 4 from scratch last night (it was late).

Very frustrating!


You can check whether Exploit Protection is loaded directly into a process using MS Sysinternals Process Explorer. Launch Process Explorer and locate the process you wish to check and then double-click on it or right-click on it and select Properties and look in the Threads tab and you should find an entry listed for mbae64.dll or mbae.dll. I'm not sure if Java protection requires the DLL to be loaded into the process, but I suspect that it does. When the blocking fails to occur I suspect it is because the DLL is not loaded into Unifi's process at the time (a member of the staff can correct me on this if this information is not accurate, but I believe this is how it works).

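An added example, not from this thread and not Malwarebytes' or Ubiquiti's own code: a PowerShell script that performs the same check exile360 describes doing by hand in Process Explorer, walking the loaded-module list of each Java process and reporting whether mbae64.dll or mbae.dll (the DLL names given in the post above) is present. It assumes the UniFi controller is hosted by a process named java or javaw, and it must be run from an elevated 64-bit PowerShell session so that other processes' module lists are readable.

```powershell
# Added example (not from the forum thread). Report, per Java process, whether the
# Malwarebytes Exploit Protection DLL (mbae64.dll / mbae.dll) is loaded into it.
# Assumptions: elevated 64-bit PowerShell; java/javaw are the UniFi host processes.
param(
    [string[]]$ProcessNames  = @('java', 'javaw'),   # assumed UniFi host process names
    [string]  $ModulePattern = '^mbae(64)?\.dll$'    # DLL names quoted in the thread
)

$procs = Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Host "No processes named $($ProcessNames -join ', ') are running."
    return
}

foreach ($p in $procs) {
    try {
        # Enumerating .Modules can throw for protected or other-user processes,
        # or when a 32-bit shell inspects a 64-bit process; report rather than abort.
        $hits = @($p.Modules | Where-Object { $_.ModuleName -match $ModulePattern })
    } catch {
        [pscustomobject]@{
            Pid    = $p.Id
            Name   = $p.ProcessName
            Loaded = 'unknown (module list not readable)'
            Module = $null
        }
        continue
    }
    [pscustomobject]@{
        Pid    = $p.Id
        Name   = $p.ProcessName
        Loaded = ($hits.Count -gt 0)
        Module = ($hits | ForEach-Object { $_.FileName }) -join '; '
    }
}
```

Run it once in the "working" configuration and once in the configuration that kills Unifi and compare the Loaded column; a process that shows False in both states is consistent with the thread's observation that no mbae entry appears for the Java processes, while a True only in the blocking state would support the injection theory discussed here.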

The only results to a search (in Process Explorer) for mbae are a bunch of 23 Chrome and Firefox processes using mbae64.dll (this is with exploit protection running having been started with Java incoming initially off, then switched on, then Unifi started).

Under the same circumstances, searching for java results in a large number of java.exe/javaw.exe entries, some unifi entries and a couple of Apple entries, but nothing from the Malwarebytes stable that I can see. Searching for unifi also pulls up a large number of entries, again nothing obviously linked to MWB.

If I have time later I'll restart MWB with exploit protection and the Java incoming setting switched on (i.e. set up to kill Unifi) and see if any MWB entries appear in these searches, but for now it "looks" like there are no direct links, at least in the "running OK" configuration.


OK, that makes sense for the scenario where it isn't blocking the program. Yes, please check to see if it is loaded into it (if possible) when it is configured such that it terminates it (though I don't know if there would be time). It's also possible that detection happens a different way without injecting the DLL directly into the Unifi process, however I suspect it does inject the DLL as that would definitely explain the variable behavior if it fails to inject the DLL under certain scenarios.
