Samsung Magician 8.0

[share3141]

I updated to Samsung Magician 8.0 (Windows 10 / updated MB).

I had a program blocked by MB and I'm not sure what I should do as I am unable to run Magician 8.0.

A scan did not reveal any problems.

Not sure of my next step.

Below is what I received.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 9/25/23
Protection Event Time: 6:53 AM
Log File: 28896c60-5b9a-11ee-a8bb-e0d55ee12a6f.json

-Software Information-
Version: 4.6.3.282
Components Version: 1.0.2151
Update Package Version: 1.0.75631
License: Premium

-System Information-
OS: Windows 10 (Build 19045.3448)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Exploit.PayloadProcessBlock, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Process -FilePath 'C:\Program Files (x86)\Samsung\Samsung Magician\SamsungMagician.exe' -WindowStyle hidden -Verb runAs, Blocked, 701, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Start-Process -FilePath 'C:\Program Files (x86)\Samsung\Samsung Magician\SamsungMagician.exe' -WindowStyle hidden -Verb runAs
URL:

[AdvancedSetup]

What link did you use to download the software?

 

[AdvancedSetup]

I updated on a system and have the information. Will move this post into the FP section of the forrums

 

[share3141]

I got the file from Samsung. I downloaded another file from another forum today and the MB problem went away. The app is still giving me troubles but it is not MB related. I'll go talk to Samsung and see what they have to say.  Thanks.  

[AdvancedSetup]

The block appears to be how Samsung did the update using PowerShell

I will see if I can duplicate that and report it to our internal team

Thanks

 

[Porthos]

The beta that was released today has the anti-exploit fix included.

You may get the beta by enabling BETA updates and checking for updates.

This is the version with the fix.

 

Edited September 28, 2023 by Porthos

[mmja]

I have same problem, I have updated to Beta and latest updates, still Magician fails to start and "exploit" is detected. There does not seem to be any viable means to just ignore the "exploit warning" and go on? What should I do?

[Porthos]

1 minute ago, mmja said:

What should I do?

Please do the following so that we may take a closer look at your system.

Please restart the computer and do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to the Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply
  
   

Thank you

[mmja]

Thanks for quick reply! Here are the logs:

mbst-grab-results.zip

[Porthos]

16 minutes ago, mmja said:

still Magician fails to start and "exploit" is detected.

Could you post the latest log of the detection please.

You can find Scan and Protection logs within the Malwarebytes 4 program in the following location

 

 

RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged

 

 

If you click on the View option you should get something similar to the following with other options available.

 

 

 

 

Thank you

[mmja]

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/7/23
Protection Event Time: 9:09 AM
Log File: 1d372c99-64d8-11ee-af3b-2cfda1e073b2.json

-Software Information-
Version: 4.6.4.286
Components Version: 1.0.2163
Update Package Version: 1.0.76015
License: Premium

-System Information-
OS: Windows 10 (Build 19045.3448)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Exploit.T1055DefenseEvasion, , Blocked, 519, 392684, 0.0.0, ,

-Exploit Data-
Affected Application: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Protection Layer: APT Behavior Protection
Protection Technique: T1055 - Defense Evasion
File Name:
URL:

 

(end)

[Porthos]

1 minute ago, mmja said:

Exploit.T1055DefenseEvasion, , Blocked, 519, 392684, 0.0.0, ,

Turn off and leave off the following setting in the advanced exploit section. It should have never been enabled.

That setting is specific to penetration testing (i.e. not actual threats) so enabling won't really do anything unless the system is tested using third party testing tools/test exploits.  It is purely for testing purposes to verify that protection is working properly, however it is not needed for protecting your system from actual malware which is why it is turned off by default.

[mmja]

Did that, restarted computer, still Samsung Magician (GUI/APP) does not start. Now my cursors is showing this "circle" everywhere, like Windows or something is trying to do something (loading something?) in the backround.

Malwarebytes services consumes 16% of CPU all the time. There is also several "Samsung Magician 32bit" processes in the backround popping up and if I kill them they pop up again. "Samsung Rapid service" is also running.

I will try to uninstall Samsung Magician comletely, reboot, reinstall it and see what happens.

[Porthos]

5 minutes ago, mmja said:

I will try to uninstall Samsung Magician comletely, reboot, reinstall it and see what happens.

I would do the following first

Lets use the same support tool and do a clean uninstall and reinstall.

If you have enabled the optional tamper protection, please TURN IT OFF.

Note: If you forget your Tamper Protection password, it can be reset using your license key, or the key portion of your license, if your license is in the older ID and Key format. In the Tamper Protection window, click Reset password, then enter your license key (capitalized and including dashes) to set a new password. 

Please close all browsers and programs before running the tool. Right click and quit MB from the system tray also.

Once done it will attempt to reinstall Malwarebytes. Restart after reinstall.

[mmja]

1) Removed MBAM -> Reboot -> Samsung Magician does not work!
2) Tryed to remove Samsung Magician -> Does not work! Uninstall errors!
3) Killed Samsung Magician services, processes, etc. set them to disable on start -> Reboot
4) Managed to remove Samsung Magician -> Reboot
5) Removed every folder etc. that has anything to do with Samsung Magician -> Reboot
6) Installed Samsung Magician again -> Samsung Magician does not work!
7) Tryed to remove Samsung Magician -> Does not work! Uninstall errors!
8) Cleaned MBAM remains (if there even where any) according to your posts guide.
8) Killed Samsung Magician services, processes, etc. set them to disable on start -> Reboot
....let see what happens now.

[mmja]

Ok apparently now I have managed to completely uninstall MBAM and SM.

Yes told me to disable tamper protection before uninstalling MBAM, but when I uninstalled MBAM it asked for tamper protection password...I did not disable tamper protection because I had not read your message before that. Is this going to mess up something? Im a bit worried about this "File C:\WINDOWS\system32\drivers\wintun.sys move to C:\Users\X\AppData\Local\Temp\6ee921fd-4845-4133-853e-bbfd7792d91c failed with error 5...Failed to delete File C:\WINDOWS\system32\drivers\wintun.sys, reason:(Cannot create a file when that file already exists.(error=183)),...Failed to create PFRO for C:\WINDOWS\system32\drivers\wintun.sys, reason: (Access is denied.(error=5))." WHAT IS THIS?!?! Is something still wrong?!?! Did it not uninstall properly? What is that .sys file and what MBAM uninstall is trying to do it? Why? How?

Here is the complete log I got when I ran the support tools uninstaller:

 

2023-10-07 10:26:49.311   --------LOGGING STARTED----------
2023-10-07 10:26:49.312   --------------------------------------------------------
2023-10-07 10:26:49.312   --------------------------------------------------------
2023-10-07 10:26:49.313   --------------------------------------------------------
2023-10-07 10:26:49.313   Failed to Determine if Tamper Protection is enabled, PoliciesConfig.json file not found.
2023-10-07 10:26:49.314   Tool Version: 1.9.2.982
2023-10-07 10:26:49.315   Dll Version (LUA): 2.1.3.343
2023-10-07 10:26:49.315   Log Path: C:\Users\X\AppData\Local\Temp\mbst-clean-results.txt
2023-10-07 10:26:49.319   User Account Type: Administrator
2023-10-07 10:26:49.320   Date/Time Log Created: 2023-10-07 10:26:49.319
2023-10-07 10:26:49.320   Operating System: Windows 10 (Build 19045.3448) x64
2023-10-07 10:26:49.321   
2023-10-07 10:26:49.321   ======================================================
2023-10-07 10:26:49.321   Pre-Reboot Cleanup
2023-10-07 10:26:49.322   ======================================================
2023-10-07 10:26:49.328   OpenService mbamchameleon failed (1060)
2023-10-07 10:26:49.328   The specified service does not exist as an installed service.
2023-10-07 10:26:49.329   Terminate AE Process name:C:\Program Files\Malwarebytes\Privacy\mbamservice.exe
2023-10-07 10:26:49.342   Terminate AE Process name:C:\Program Files\Malwarebytes\Privacy\mbae-cli.exe
2023-10-07 10:26:49.356   Terminate AE Process name:C:\Program Files\Malwarebytes\Privacy\mbae-svc.exe
2023-10-07 10:26:49.369   Terminate AE Process name:C:\Program Files\Malwarebytes\Privacy\mbae.exe
2023-10-07 10:26:49.382   Terminate AE Process name:C:\Program Files\Malwarebytes\Privacy\mbae64.exe
2023-10-07 10:26:49.396   OpenService mbamchameleon failed (1060)
2023-10-07 10:26:49.396   The specified service does not exist as an installed service.
2023-10-07 10:26:49.414   Launching process:C:\Program Files\Malwarebytes\Privacy\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /log="C:\Users\X\AppData\Local\Temp\Mbae.log"
2023-10-07 10:26:49.443   Failed to launch C:\Program Files\Malwarebytes\Privacy\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /log="C:\Users\X\AppData\Local\Temp\Mbae.log", reason:(The system cannot find the file specified.(error=2))
2023-10-07 10:26:49.444   File C:\WINDOWS\system32\drivers\wintun.sys move to C:\Users\X\AppData\Local\Temp\6ee921fd-4845-4133-853e-bbfd7792d91c failed with error 5
2023-10-07 10:26:49.445   Failed to delete File C:\WINDOWS\system32\drivers\wintun.sys, reason:(Cannot create a file when that file already exists.(error=183)),
2023-10-07 10:26:49.445   Failed to create PFRO for C:\WINDOWS\system32\drivers\wintun.sys, reason: (Access is denied.(error=5)).
2023-10-07 10:26:53.286   Cleanup Succeeded of : MBAM1X.
2023-10-07 10:26:53.286   Cleanup Succeeded of : MBAM2X.
2023-10-07 10:26:53.286   Cleanup Succeeded of : MBAM3X.
2023-10-07 10:26:53.287   Cleanup Succeeded of : MBAE.
2023-10-07 10:26:53.287   Cleanup Succeeded of : MBMC.
2023-10-07 10:26:53.287   Cleanup Succeeded of : MBARW.
2023-10-07 10:26:53.288   Cleanup Succeeded of : MBEPA.
2023-10-07 10:26:53.288   Cleanup Succeeded of : MBPRIVACY.
2023-10-07 10:26:53.288   Cleanup Succeeded of : MBPRIVACYTUNNELDRIVER.
2023-10-07 10:27:05.939   
2023-10-07 10:27:05.940   ======================================================
2023-10-07 10:27:05.940   Install Malwarebytes for Windows
2023-10-07 10:27:05.940   ======================================================
2023-10-07 10:27:05.941   User choice for reinstall prompt (No clicked)

 

[mmja]

CORRECTION:
I sayed:"Yes told me to disable tamper protection before uninstalling MBAM, but when I uninstalled MBAM it asked for tamper protection password"
I meant:"You told me to disable tamper protection before uninstalling MBAB, but when I unistalled MBAM it asked for tamper protection password which I gave to it so it could proceed"

[mmja]

Ok I reboot again and tryed to install Samsung Magician. Installs, but does not start. Difficult to remove. Removed. Rebooted. WTF? How could MBAM break my computer in such way that I can no longer use Samsung Magician at all, not even after completely uninstalling MBAM?!? WTF?

What should I do now?

[mmja]

After several more reboots and manual removals I have managed to get to situation where:
- Samsung Magician installs fine, but GUI/app does not open (it does run in the backround with 2-3 processes).
- Samsung Magician can be easily/normally installed and uninstalled
- MBAM runs normally and can be easily/normally installed and uninstalled

Right now I have uninstalled Samsung Magician but have MBAM installed and running.

[share3141]

I've had a similar experience as above. Even when I went back to 7.3 I couldn't get Samsung to run. I believe Samsung Magician is at fault. I have no way to prove this and I can't get any response from Samsung but when I uninstall MB and run SM and it still doesn't work I can only conclude Samsun software is buggy. 

[Porthos]

https://eu.community.samsung.com/t5/computers-it/samsung-magician-8-0-does-not-work/td-p/8309096

[mmja]

6 minutes ago, share3141 said:

I've had a similar experience as above. Even when I went back to 7.3 I couldn't get Samsung to run. I believe Samsung Magician is at fault. I have no way to prove this and I can't get any response from Samsung but when I uninstall MB and run SM and it still doesn't work I can only conclude Samsun software is buggy. 

This is what I tought too, but that does not explain why the old version of Samsung Magician ran without any problems. I used it just few days ago and it worked fine. The new version does not. I dont remember exact version number and I dont know where I could download the previous version of Samsung Magician to test it.

[Porthos]

7 minutes ago, mmja said:

I dont know where I could download the previous version of Samsung Magician to test it.

Many users hoard things in their downloads folder.  Might get lucky.

[Porthos]

https://www.techpowerup.com/download/samsung-magician-ssd-management-utility/

[mmja]

Yep, the older version of Samsung Magician (Samsung_Magician_Installer_Official_7.3.0.1100) works fine! So its not MBAM issue after all!

Im so sorry for your troubles. I have to say, I got very, very good help from you folks. Especially you Porthos! Thank you!