Jump to content

Malwarebytes installs root certificate - why?


Recommended Posts

Malwarebytes appears to install a root certificate for all purposes in windows. The certificate is "Malwarebytes Web Protection" and isn't on Microsoft's trusted list. It's good through 2060(!), and when I reboot it reenables it for all purposes if I edit properties to disable for all purposes.

Anyone know why Malwarebytes is doing this?

 

Link to post
Share on other sites

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

  • For use when you are on the forums and need to provide logs for assistance
  • For use when you don't need or want to create a ticket with Malwarebytes
  • For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

Spoiler
  1. Download Malwarebytes Support Tool
  2. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  3. Place a checkmark next to Accept License Agreement and click Next
  4. Navigate to the Advanced tab
  5. The Advanced menu page contains four categories:
    • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
    • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
    •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
    • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
  6. To provide logs for review click the Gather Logs button
  7. Upon completion, click OK
  8. A file named mbst-grab-results.zip will be saved to your Desktop
  9. Please attach the file in your next reply.
  10. To uninstall all Malwarebytes Products, click the Clean button.
  11. Click the Yes button to proceed. 
  12. Save all your work and click OK when you are ready to reboot.
  13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
  14. Select Yes to install Malwarebytes.
  15. Malwarebytes for Windows will open once the installation completes successfully.

Screenshots:

Spoiler
 
 
 
 
Spoiler

 

 

01.png

02.png

03.png

04.png

05.png

06.png

 

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Link to post
Share on other sites

Greetings,

That's normal, it's a part of the Web Protection component which is used for the filtering/blocking of malicious websites by enabling it to register with WFP (the same APIs/framework used by the built in Windows Firewall).  Many other AVs do the same thing.

I hope this helps, and if there is anything else we might assist you with please let us know.

Thanks

Link to post
Share on other sites

Thanks, looks like Malwarebytes does remove the cert when I disable Web Protection. It's unfortunate that it would be necessary to install such a powerful certificate for this functionality, it really needs to be for ALL purposes?  How would we ever detect if Malwarebytes was itself infected and an exploit was able to use this cert?

Link to post
Share on other sites

I'm not sure what you mean; a legitimate cert isn't that easy to hijack, nor is Malwarebytes Premium for that matter, since it not only runs in real-time, using drivers and a service which are all digitally signed, but also including a powerful self-protection driver which is enabled by default which prevents unauthorized processes from modifying, terminating or removing any of its processes and core components.

That said, if somehow the cert were hijacked and abused then it would be reported to the appropriate cert authorities as well as Microsoft for blacklisting, the same as any other past legitimate cert which has been stolen or abused in the past (though I believe in most cases it was actually issued to a malicious actor to begin with, not stolen or hijacked from a legitimate cert owner).

Link to post
Share on other sites

6 minutes ago, exile360 said:

I'm not sure what you mean; a legitimate cert isn't that easy to hijack, nor is Malwarebytes Premium for that matter, since it not only runs in real-time, using drivers and a service which are all digitally signed, but also including a powerful self-protection driver which is enabled by default which prevents unauthorized processes from modifying, terminating or removing any of its processes and core components.

That said, if somehow the cert were hijacked and abused then it would be reported to the appropriate cert authorities as well as Microsoft for blacklisting, the same as any other past legitimate cert which has been stolen or abused in the past (though I believe in most cases it was actually issued to a malicious actor to begin with, not stolen or hijacked from a legitimate cert owner).

Maybe I missed it but it looked self-signed by Malwarebytes. 

Link to post
Share on other sites

As I understand it, it doesn't matter who signed it as bad certs get blacklisted through the likes of Windows Update, however, if it does simply come down to Malwarebytes' own signing then the same logic applies to the drivers which are also signed by Malwarebytes (as they would be in most cases for most vendors since they are signed using the developers' own machine, again, as I understand it at least).  If it does work the same way as drivers, then the only way anyone besides Malwarebytes could use the cert would be to get access to the machine used for signing it, as would be the case for the drivers; something that Malwarebytes and other vendors are extremely cautious about as they should be.

Link to post
Share on other sites

Thanks, that's interesting about the MS blacklist capability I'd assumed the CA would need to revoke.  As I understand it the root certificate allows malwarebytes or anyone that infiltrates malwarebytes to MITM all your encrypted communications, which makes it relatively attractive to target that one thing (injecting something malicious into the malwarebytes product) in order to spy on all traffic for every customer of Malwarebytes. You'd think that if it was really that trustworthy, that they could have convinced MS to add them to the list of trusted root certs. MITM through voluntarily allowed root certs is absolutely routine (almost every company, school, etc. does this for deep inspection of SSL traffic) but also not something I want on my own network when it's someone else holding the keys to the castle.

Link to post
Share on other sites

I don't think Malwarebytes uses the cert for its encrypted communications with Malwarebytes' servers; I believe it is only for the Web Protection component, but I don't know that for certain as I'm not one of their Developers, however I do know that all of its traffic has been encrypted and secured even before they started installing a certificate.

With regards to certs being blacklisted/revoked, yes, the issuing authority can revoke it, but I've also seen where Microsoft releases updates to the list of valid certs through Windows Update to blacklist known malicious/compromised certs.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.