Warb

Malwarebytes 4 breaks Unifi

Recommended Posts

The Ubiquiti Unifi network monitoring system uses Java. Previous versions of Malwarebytes have required an exception to be added to exclude the various components of Unifi to allow it to run correctly. After updating to MWB 4 (which inherently keeps all the existing exclusions that allowed Unifi to work under MWB v3.x), I have discovered that no amount of exceptions/exclusions seems to allow Unifi to run properly; MWB simply throws up a generic "malicious incoming Java socket" alert and blocks it.

Initially, simply disabling the 4 categories of MWB protection did not allow Unifi to run, but after rebooting the PC with all protections OFF, I have found that I can re-enable web, malware and ransomware protection and still have Unifi working. What is more, whereas initially I found disabling protection did not fix the problem, after a reboot it seems that whilst enabling exploit protection kills Unifi, disabling it (without a reboot) allows it to run again.

It looks like MWB 4 is not correctly using the file and directory exclusions to allow incoming connections to a Java application.

But... turning Java malicious incoming shell protection OFF allows exploit protection to be switched on without killing Unifi. Interestingly, once exploit protection is running, the incoming shell protection setting can be switched back on, and Unifi will continue to run. Disabling exploit protection and enabling it again (with incoming shell still switched ON) kills it instantly.

So for now I have exploit protection ON, incoming shell protection ON and I am able to use Unifi. However, a reboot of my PC without changing any settings will kill Unifi, and I'll have to disable exploit protection, disable incoming shell, re-enable exploit protection and finally re-enable incoming shell protection to have it all working again. Obviously this is less than ideal (understatement), but I thought I'd post it here in case anyone else finds the same problem...

Maybe Malwarebytes could fix this now I've done the diagnostic work?

Greetings,

Normal exclusions in Malwarebytes do not apply to Exploit Protection, which is the component that is blocking Unifi based on the description of the block (anything related to Java is going to come from Exploit Protection, as it has an entire page of settings dedicated specifically to Java protection). Because Exploit Protection works on execution, analyzing processes' behaviors in memory, this is why you are able to launch Unifi and then enable Java protection in Malwarebytes, and also why launching Unifi after Exploit Protection is already enabled causes the block to occur. The best solution would be to post your detection logs showing Unifi being blocked in a new topic in this area, and a member of the Exploit Protection team can assist in investigating the cause of the issue and hopefully get the false positive corrected so that no exclusions will be needed at all.

At present I am unsure of the consistency of MWB4. Last night, after reading exile360's message above, I retested, and at that time I could start and stop both Unifi and MWB4's exploit protection (with Java incoming either on or off) in any order and Unifi would run happily. That was in contrast to earlier in the day, when I needed to follow a particular order, as described previously.

This morning I stopped (quit) MWB4 and restarted it, and the behaviour is exactly back as it was earlier yesterday, i.e. I need to start MWB's exploit protection with Java incoming switched OFF to get Unifi to run, and afterwards I can re-enable Java incoming. I do not recall whether I actually restarted MWB4 from scratch last night (it was late).

Very frustrating!

You can check whether Exploit Protection is loaded directly into a process using MS Sysinternals Process Explorer. Launch Process Explorer, locate the process you wish to check, then double-click on it (or right-click on it and select Properties) and look in the Threads tab; you should find an entry listed for mbae64.dll or mbae.dll. I'm not sure if Java protection requires the DLL to be loaded into the process, but I suspect that it does. When the blocking fails to occur, I suspect it is because the DLL is not loaded into Unifi's process at the time (a member of the staff can correct me on this if this information is not accurate, but I believe this is how it works).

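The same check can be scripted rather than done by hand in Process Explorer. The PowerShell below is an added example for this thread, not a Malwarebytes or Ubiquiti tool: it lists every java.exe/javaw.exe process, shows part of its command line so the UniFi controller can be told apart from the other Java processes the search turns up, and reports whether mbae.dll or mbae64.dll is loaded into it. It assumes the UniFi controller runs as java.exe or javaw.exe with "unifi" somewhere in its command line, and that it is run from an elevated PowerShell of the same bitness as the target processes (a 32-bit shell cannot read a 64-bit process's module list).

```powershell
# Added example (not from the thread or from Malwarebytes/Ubiquiti).
# Report which Java processes have the Malwarebytes Anti-Exploit DLL loaded.
# Assumptions: elevated 64-bit PowerShell; UniFi's java command line contains "unifi".
$names   = @('java', 'javaw')          # process names to inspect (assumption)
$pattern = '^mbae(64)?\.dll$'          # DLL names named in the thread

# Get-Process does not expose command lines; fetch them from WMI and key by PID.
# Cast the key to [int] so lookups with $p.Id (an Int32) match.
$cmdlines = @{}
Get-CimInstance Win32_Process -Filter "Name='java.exe' OR Name='javaw.exe'" |
    ForEach-Object { $cmdlines[[int]$_.ProcessId] = $_.CommandLine }

foreach ($p in Get-Process -Name $names -ErrorAction SilentlyContinue) {
    $cmd = $cmdlines[[int]$p.Id]
    # -match is case-insensitive in PowerShell, so "UniFi" and "unifi" both match.
    $tag = if ($cmd -and $cmd -match 'unifi') { 'UniFi' } else { 'other' }
    try {
        # Accessing .Modules throws if the process denies access or exited,
        # or if the shell's bitness does not match the target's.
        $hook = $p.Modules |
            Where-Object { $_.ModuleName -match $pattern } |
            Select-Object -ExpandProperty FileName
    } catch {
        Write-Warning ("PID {0}: cannot enumerate modules ({1})" -f $p.Id, $_.Exception.Message)
        continue
    }
    $state = if ($hook) { "mbae loaded: $($hook -join ', ')" } else { 'no mbae DLL loaded' }
    $snippet = if ($cmd) { $cmd.Substring(0, [Math]::Min(60, $cmd.Length)) } else { '<no command line>' }
    "{0,-6} {1,-5} {2,-6} {3}  [{4}]" -f $p.Id, $tag, $p.ProcessName, $state, $snippet
}
```

Run it once in the "working" configuration and once in the configuration that kills Unifi, and compare the two lists: a row tagged UniFi that flips between "no mbae DLL loaded" and "mbae loaded" between the two runs is the direct evidence the reply above is asking for. If the controller is killed before the script runs, narrow `$names` or run the script in a loop immediately after starting the controller.
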
The only results of a search (in Process Explorer) for mbae are a bunch of 23 Chrome and Firefox processes using mbae64.dll (this is with exploit protection running, having been started with Java incoming initially off, then switched on, then Unifi started).

Under the same circumstances, searching for java results in a large number of java.exe/javaw.exe entries, some unifi entries and a couple of Apple entries, but nothing from the Malwarebytes stable that I can see. Searching for unifi also pulls up a large number of entries, again nothing obviously linked to MWB.

If I have time later I'll restart MWB with exploit protection and the Java incoming setting switched on (i.e. set up to kill Unifi) and see if any MWB entries appear in these searches, but for now it "looks" like there are no direct links, at least in the "running OK" configuration.

OK, that makes sense for the scenario where it isn't blocking the program. Yes, please check to see if it is loaded into it (if possible) when it is configured such that it terminates it (though I don't know if there would be time). It's also possible that detection happens a different way, without injecting the DLL directly into the Unifi process; however, I suspect it does inject the DLL, as that would definitely explain the variable behavior if it fails to inject the DLL under certain scenarios.

I haven't had time to play with this any further, and it was working perfectly since my last post (11 days ago). During that time I have made no changes to the settings of MWB, nor any changes to Java or Unifi. The machine has been rebooted for some Windows updates (with no changes to MWB settings), and Nvidia updates, yet Unifi and MWB continued to work in perfect harmony. Throughout that time MWB was on, with inbound protection and exploit protection both ON.

Then, with no changes to anything, MWB suddenly this afternoon popped up the "generic" error (as above) and killed Unifi stone dead. Out of the blue! 11 days it worked, including reboots, and then decided to revert to its original behaviour. As described previously, the procedure of switching off Java incoming, disabling exploit protection, killing MWB and then restarting Unifi allowed it to work. Then, as before, I started MWB, re-enabled exploit protection and finally Java incoming, and everything is happy again!

There's something really odd about this v4 MWB.
