Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Does it still take long if you disable NOD32 and/or MBAE?
     
  2. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    Disabling MBAE 1.08 allows Chrome to initialize very quickly.
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    And if you disable NOD32?
     
  4. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    Disabling NOD32 while enabling MBAE 1.08 still results in a slow initialization of Chrome 45.
     
  5. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Can you send me FRST logs so we can try to repro?
     
  6. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    Results sent in conversation.
     
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Thanks @Thankful :)

    Will take a closer look.
     
  8. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Can you check what this is?
    GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

    Also try disabling all Chrome extensions and then try again. Is it still delayed when opening?
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
  10. JohnBurns

    JohnBurns Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    778
    Location:
    Oklahoma City
    I keep losing the icon on the pop-out notification. Any suggestions how to keep this from happening? There is just a black box where the logo normally should be. I am running Windows 10, MBAE 1.07.1.1015
     
  11. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    If explorer.exe crashes or is terminated, the mbae.exe icon is not visible in the taskbar (system tray) after explorer.exe restarts.
    Is this normal?
     
  12. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    @Mister X & @Thankful can you please try disabling the RET ROP technique to see if the problems with Chrome continue?

    @JohnBurns can you please post a screenshot of what you mean?

    @co22, yes this is a known issue as MBAE starts under explorer.exe so when Explorer crashes, it takes mbae with it. This doesn't affect protection as the service (mbae-svc.exe) is still running. It is just the UI closing. We'll be fixing this in the future.
     
  13. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    @ZeroVulnLabs,
    I have no more problems since removing and reinstalling my two extensions.
    Thank you for your help.
     
  14. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Thank you very much. Also, I see mbae.exe actually doesn't close and remains in the background; just the icon disappears.
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    I'm going to disable it for all programs protected by MBAE by default, since it's not only Chrome but all shielded apps, e.g., Firefox and IE; all of them crashed.
    So I ask you, is it fine to disable RET ROP for all of them?
     
  16. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes it's ok.
     
  17. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    New beta build 1021 available. Link in my sig. Changelog in last post of the Malwarebytes thread.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I just upgraded from 1.08.1.1016 to 1.08.1.1021 on Windows 7 x64 Ultimate. No problems to report so far.
     
  19. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    Is it logging every time? That's the only thing keeping me from upgrading.
     
  20. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    In addition to Word, Excel and Outlook I needed to do the same for Opera 12.17 on XP under MBAE 1.0.8.1.1016 for Browsers. But it doesn't look like it helped. I'll try reboot.
    The same Opera on Win7 is ok.
    VLC and Sumatra are ok with ROP enabled on XP.

    Edit: on XP even after rebooting with RET ROP Gadget unchecked, Opera 12.17 still reports that detection. Strange.
     
    Last edited: Sep 11, 2015
  21. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,982
    From 1.08.1.1016 to 1.08.1.1021 on Windows 10 Pro x64.
    No problems so far.
     
  22. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Just updated to 1.08.1.1021 on XP. Looks like ROP gadget things are fixed. Opera 12.17, Outlook, Excel, Word, Sumatra ran with no problems.
    Likely OT: I had all that running, started Process Explorer, started typing to find mbae.dll and it's sitting there dumping memory on BSOD Stop 0x000000C5. Likely just too much stuff going on, which I rarely do. I hope it finishes dumping in this century, especially since I don't need any dumps; they're an unreadable, useless mess to me.
     
  23. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,982
    1) The "About" tab in the GUI does not give any information about the license expiry date.
    2) The "General" tab contains the version info. Why not all info (version & license data) in one tab?

    3) Bump =
     
    Last edited: Sep 12, 2015
  24. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    439
  25. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I noticed startup apps no longer start under MBAE's protection since upgrading. Like Sandboxie's sbiesvc & sbiectrl processes. In fact they don't even start when I start Firefox anymore. The only way to get them to be guarded, seemingly, is to delete the shields for them and create new ones every time I reboot my computer. Then the instant after I create the shield it shows it as protected. Not really a fan of that.

    Am I missing something here? Is there some modification I have to make to the sandboxie configuration since the update due to some change in MBAE? Or something(s) else? I'm all ears...

    I did see a post about being able to delete a couple lines of code now, but thought that was just for x64 users. + Can't find it now and don't feel like combing through the entire thread. Plus I'm not sure that has anything to do with my problem here anyhow.
     