Malwarebytes Anti-Exploit

thanks for your reply

 

Btw, why does MBAE need to create a Windows task (in Task Scheduler)?

 

Rasheed,
What version of MBAE are you running?
Earlier versions used a Scheduled Task (in Task Scheduler) as the mechanism to launch MBAE on bootup.
But this was changed, effective with version 0.10.0.1000 (and later), which now use a Windows Service instead.

 

Your confusing an autostart entry in HKLM (run), it needs an autostart every time you start your system. It is normal and safe as long as it is signed by Malwarebytes.

 

Wanted to report that I ran into an issue this weekend where my Google Chrome browser would not load webpages, or even its own settings. It did, however, function quite normally in safe mode. I uninstalled Chrome and installed another chrome variant, SRWare Iron; only to be faced with the same problem. At the suggestion of another Wilders member helping me with the issue, I disabled all the chrome plugins. That didn't help. This morning I then disabled my security apps one by one before launching the browser. When MBAE protection is turned off the browser works perfectly. When MBAE is turned on no pages/settings will load.

 

Which version of MBAE are you running? If it's not the latest try the following and let me know if the results are different:
https://forums.malwarebytes.org/index.php?showtopic=146368

Also do you have EMET installed by any chance? It's weird these results as MBAE doesn't protect SRWare Iron, so it shouldn't make a difference there.

 

http://www.fireeye.com/blog/uncateg...hrough-11-identified-in-targeted-attacks.html

They are recommending EPM or EMET to tackle the exploit. Can you test if MBAE is blocking it or not?

 

Unfortunately I cannot test it as FireEye and Microsoft seem to have a tight grip on the exploit code. As soon as we can get our hands on some sample code we'll test it. From the blog description MBAE should protect against this zero-day.

 

Thanks for your reply. Was running 0.10.0.1000 on XP. No, I no longer have EMET on the system since our discussion about not needing it with MBAE. Updated MBAE via your provided link. Tested browser. I have (2) websites set to load upon running the browser. With MBAE protection on 1 site loads but no clickable links on the page work. The 2nd website does not load. The Settings page will not load with protection on.

 

Can you try disabling your other security software one by one to see if it starts working with one of them disabled?

 

I did that yesterday which was how I identified MBAE as the cause. Aside from MBAE, I have Panda Cloud, CFW, MBAM Pro (without website protection enable) MCShield for USB/Flash & external drives, and Zemana free anti-keylogger, which basically encrypts my keystrokes. My other browser, Avant, is unaffected. So IE 8, and the point of this exercise is to retire it. This problem seems to be with Chrome, and or, Chrome variants.

 

We do have a similar situation reported but it's with certain Chrome extensions such as AdBlock. Can you test if that's the case in your computer as well?
https://forums.malwarebytes.org/index.php?showtopic=147260

 

That is the only extension I had enabled in SRWare Iron. I disabled it and retested the browser, nothing changed with the browser's behavior. It gets more bizarre, I tried a handful of random websites. 1/2 loaded, Wilders being one that did, the others won't load. And browser Settings won't load with MBAE protection on, even with AdBlock Plus disable.

 

Under SRWare Iron or under Chrome? AFAIK MBAE doesn't protect SRWare Iron. What's its main executable filename? It's not chrome.exe, is it?

 

I think is iron.exe

 

I looked in the SRWare Iron folder, it shows both chrome.exe and iron.exe. In the task manager all instances of SRWare Iron are chrome.exe.

 

Can you post a tree-view of the processes?

 

Yep.

 

Can you please kill Panda_URL_Filtering.exe to see if the problem persists? We've had problems with it in the past as it does some weird intercept of many API calls (even many which it doesn't need to intercept to do its basic web filtering job).

 

Killing Panda_URL_Filtering.exe, browser loads webpages normally with MBAE protection on. So my option(s) appear to be, either sacrifice the web filter to have the browser work properly with MBAE, or remove MBAE and return to EMET, since it appears the browser also functions normally with the web filter enable as long as MBAE protection is off. What's your thoughts on this?

 

Well clearly my thoughts are going to be a bit one-sided

But in my previous life at Panda I was also involved in the Panda URL Filtering project so I know that it is hooking much more than it needs to and this can cause conflicts not only with MBAE but also with other applications that perform API hooking. And those conflicts are very hard to detect unless you know exactly what to look for.

 

Alright, I will deliberate a little on this before deciding. But thanks a lot for helping me sort this thing out. Much appreciated.

 

I have just recommended Bitdefender's Trafficlight to someone that needed to replace WSA's web filter. Maybe you could try the same and substitute Panda's filter with Trafficlight, that you already use on other machine:

https://chrome.google.com/webstore/detail/trafficlight/cfnpidifppmenkapgihekkeednfoenal

 

Thanks for the suggestion.

 

Nope, it´s a .job object, this is used by the Task Scheduler in Win XP.

Oh ok, on XP I was using an older version, and I absolutely hate apps that make use of Scheduled Tasks.