Malwarebytes bought Zerovulnerabilitylabs

Discussion in 'other anti-malware software' started by kupo, Jun 20, 2013.

Thread Status:
Not open for further replies.
  1. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    Windows 7 Ultimate (64) and no issues with Office Professional Plus 2013 (32).
    Also running on this machine MBAM, nod32 (6.0.316.1) and Trusteer Rapport.
    However I have the icon tray issue but this is still under investigation, last three restarts were OK.
    Cheers.
     
  2. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    I'll send you a PM.
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Those with MS Office problems and EMET installed, can you deactivate EMET and try again to see if it's a conflict with EMET?
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    WIN 7 SP1 x64, NIS 2013, Trusteer Rapport

    I am having no problems with Word 2010 and build 0.9.2.1200. I can read .docx documents online fine using IE 9. However ExploitShield appears to have totally ignored the Word 2010 startup. No entry in the log file indicating Word is protected.
     
  5. M_G_H

    M_G_H Registered Member

    Joined:
    Sep 3, 2007
    Posts:
    27
    I can confirm the addin that spm mentioned, I have the Dymo Label Writer addin as well, once disabled, Word and Excel started working again.
     
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes that's normal as we deactivated the log entry for Word/Excel for now as part of a workaround. However using ProcessExplorer you can verify if mbae.dll is injected into Word or not by using the procexp search function and searching for mbae.dll.
     
  7. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    440
    Location:
    U.K.
    Not a conflict with EMET here. Tried uninstalling EMET and re-tested: Word and Excel still cause the alert whenever the Dymo LabelWriter addin is enabled. Re-installed EMET now, behaviour is the same.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I use the full version of FlashPlayer, not just the IE plug-in. Would be nice if there was a way to add apps like this to ExploitShield.

    I know I can use EMET to protect FlashPlayer but I uninstalled ver. 3.0 prior to installing ExploitShield since I didn't want any conflicts. More so since technically EMET conflicts with Trusteer Rapport that I have installed although I experienced no issues running version 3.0.
     
  9. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Thanks for the reports. We'll take a closer look at the issues with MS Office and report back.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    There also might be an issue with Trusteer Rapport. Since installing ExploitShield, my "blocked process alteration events" count has risen dramatically.

    Appears to me Trusteer Rapport is stopping ExploitShield from any IE9 access. Do exclusions have to be added to either?

    -Update- I stopped ExploitShield and no further "blocked process alteration events" entries in the TR report file. Appears the prior TR incompatibility issues have resurfaced with this latest beta release.
     
    Last edited: Jun 22, 2013
  11. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
    Is there any use in keeping EMET and ES in 1 system? Does ES cover the protections provided by EMET?
     
  12. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I have just installed the latest version after using the '1000 version for a day.

    I found I could not install over the top since there was a file in use so had to uninstall and reboot.

    The sys tray icon is still disappearing and could not find a way to recover it except by shutting down the process in Task Manager and restarting the program from the desktop icon.

    In both versions I have a curious problem that when you rt click on a drive in Explorer it shuts it down and brings up a temporary blue screen (not BSOD). This happens when clicking on the tree in the left pane. Does not happen when using the display of drives at the top.

    I am using Windows 8 Pro.
    SBIE
    Outpost
    Avast free
    Cherry Keyboard Manager for the Cherry Mouse.
     
  13. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes the old problem has resurfaced as Trusteer and Webroot whitelisted the ZVL digital signature. Now they need to do the same with the MWB signature. We will contact them to request this.
     
  14. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    MBAE and EMET use different techniques. It's best to use both if there are no conflicts as MBAE will detect and block the things that bypass EMET.
     
  15. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Can you post a screenshot?
     
  16. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    Reminder: I'm still having issues with Lotus iNotes Mail:

    9 (7768 )Internet Explorer the file C:\Users\user_name\AppData\Local\Temp\Low\dwa85res_en.dll has been blocked

    Alert MessageBox from (7768 )C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

    ===============


    17 (4764)Internet Explorer the file C:\Users\user_name\AppData\Local\Temp\Low\dwa85res_en.dll has been blocked

    Alert MessageBox from (4764)C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
     
  17. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    Also, on Win7x64, if I start/stop Anti-Exploit's protection while IE 10 is open/running, it's crashing IE. And the start/stop procedure is very slow/sluggish. I believe EMET 3.0 is a contributing factor here, as it simultaneously generates an IE/DEP closure message. [Sorry, I do not want to uninstall EMET to test this.]

    This does NOT happen if I start/stop MBAE while IE is closed.

    It also does NOT happen on my 32-bit WinXP system (with EMET 2.1) even with IE 8 open/running.

    ------------------------

    Description
    Faulting Application Path: C:\Program Files\Internet Explorer\iexplore.exe

    Problem signature

    Problem Event Name: BEX64
    Application Name: iexplore.exe
    Application Version: 10.0.9200.16611
    Application Timestamp: 519214a7
    Fault Module Name: MBAE64.dll_unloaded
    Fault Module Version: 0.0.0.0
    Fault Module Timestamp: 51c4dfe5
    Exception Offset: 000007fef15b7590
    Exception Code: c0000005
    Exception Data: 0000000000000008
    OS Version: 6.1.7601.2.1.0.256.48
    Locale ID: 1033

    Extra information about the problem

    Bucket ID: 3699154999
     
    Last edited: Jun 23, 2013
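An added example, not part of ky331's post and not Malwarebytes code: a small parser for the "Problem signature" block above that reads the fields that matter for triage. It relies on general Windows semantics (exception code c0000005 is an access violation, and exception data 8 marks an execute/DEP fault); the function names are hypothetical, and the sample text is copied from the post, including its run-together Fault Module line.

```python
import re

# Sample input: the signature fields from the post above, including the
# run-together "Fault Module" line exactly as it was pasted.
SAMPLE_REPORT = """\
Problem Event Name: BEX64
Application Name: iexplore.exe
Fault Module Name: MBAE64.dll_unloaded Fault Module Version: 0.0.0.0
Exception Offset: 000007fef15b7590
Exception Code: c0000005
Exception Data: 0000000000000008
"""

STATUS_ACCESS_VIOLATION = 0xC0000005
# For an access violation, the exception data gives the kind of access.
ACCESS_TYPES = {0: "read", 1: "write", 8: "execute (DEP)"}
# "Label: value" pairs; values never contain spaces in a problem signature,
# so two pairs fused onto one line are still split correctly.
FIELD = re.compile(r"([A-Z][A-Za-z]*(?: [A-Za-z]+)*):\s*(\S+)")


def parse_signature(text):
    """Return {label: value} for every field found in the report text."""
    return {label: value for label, value in FIELD.findall(text)}


def triage(fields):
    """Summarise what the signature says about the faulting access."""
    module = fields.get("Fault Module Name", "")
    unloaded = module.endswith("_unloaded")
    code = int(fields.get("Exception Code", "0"), 16)
    data = int(fields.get("Exception Data", "0"), 16)
    is_av = code == STATUS_ACCESS_VIOLATION
    return {
        "event": fields.get("Problem Event Name", ""),
        "module": module[: -len("_unloaded")] if unloaded else module,
        "module_unloaded": unloaded,
        "access_violation": is_av,
        "access_type": ACCESS_TYPES.get(data, "unknown") if is_av else "n/a",
        # True when the process tried to run code at an address that
        # belonged to a DLL which had already been unloaded.
        "executed_in_unloaded_module": unloaded and is_av and data == 8,
    }


if __name__ == "__main__":
    for key, value in triage(parse_signature(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```
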
  18. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Ok - right clicking anything under 'Computer' in the left column (red square) will shut down Explorer. No other components in the left column are affected.

    If there is a program running full screen in the background it will bring that to the front. If not it will bring up the blue of the Win 8 Start Screen before returning to the desktop. There is a pause of a few seconds after right clicking on a drive.

    Hope this makes it clearer for you.
     
  19. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I forgot to mention that this also removes AE's icon. Don't know how much else it removes.

    I was not aware of this when I posted yesterday so the comment about the icon still disappearing in this version is not valid apart from the above process.
     
  20. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Have not forgotten about this.

    Can you at least exclude it from the LOG entry now?
     
  21. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    C:\Users\user_name\AppData\Local\Temp\Low\dwa85res_en.dll has been blocked

    Can you at least exclude it from the LOG entry now?


    I don't know that it actually appeared under your program's LOGS tab [where the EXCLUDE button is greyed-out]... I copied/pasted the above entry from the mbae-default.log file. I'll see next time the warning pops-up... it's not happening all the time... and if I can exclude it, I will.

    I can open my iNotes mail using FF --- which doesn't use the ActiveX control ---without any problem. Alternatively, I can access things using Windows LiveMail (IMAP). So while it would be nice to fix the IE issue for me [and presumably others], it's not my number 1 priority. I'm more concerned about the IE/AE/EMET slow interaction & DEP crash I mentioned in my other post.
     
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Can you post a screen shot of your LOG tab while selecting the blocked dll entry to see if the "Exclude" button is activated?
     
  23. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Can those of you with MS Office compatibility problems please post or PM me the following so we can replicate and fix the problems?:

    OS version:
    Architecture: 32/64
    OS language:
    MS Office version:
    MS Office SP:
    MS Office language:
    Other security software:


    Thanks!! :)
     
  24. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    The tray icon issue is back for me, after a few days. At first I didn't really care, because I thought it was still working with the process in the background. Then I checked the logs, and noticed no entries appeared when the tray isn't there.

    Do I have to worry about it not working until the fix comes along?
     
  25. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    ZVL,
    the next time I get the warning from MBAE, I'll check the LOGS tab to see what's there.
    the iNotes issue is not showing up regularly... happened once, then didn't occur again for a few days.
    I'm gonna try installing MBAE on some other machines today... both with and without EMET 4... see what I can find out. Will get back when/if I have any results to report.
     