WSA Compatibility Problems With MBAE

Discussion in 'Prevx Releases' started by Thankful, Sep 29, 2013.

Thread Status:
Not open for further replies.
  1. Thankful

    Thankful Savings Monitor

  2. Triple Helix

    Triple Helix Webroot Product Advisor

  3. Thankful

  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Could you let me know if this is actually happening with the latest builds (even the 2013 build of WSA)? We fixed the incompatibility the last time it was brought up but if something has changed, we can definitely look to re-address it.

    Thanks!
     
  5. Thankful

    Yes. The incompatibility still exists with build AV 8.0.3.3. The problem is caused when Protected Applications are set to "protect" under Identity & Privacy. When protected applications are set to "allow", MBAE works fine. This has been confirmed by the developer of MBAE.
    Please see:
    https://www.wilderssecurity.com/showthread.php?p=2285546#post2285546
     
  6. PrevxHelp

    Thanks! I've replied on the thread and will be taking a look at this soon.
     
  7. Thankful

    Thank you.
     
  8. Thankful

    Any ETA on this issue? The reason I ask is that MBAE recently released a new version I would like to test.
    Thank you.
     
  9. PrevxHelp

    It would be worth testing the newest MBAE with the 2014 release - we have several general compatibility improvements which could very well apply here.

    Let me know your results!
     
  10. Thankful

    Will do.
     
  11. Thankful

    Running WSA AV 8.0.4.17, MBAE 09.4.1000. I fired up, in order, IE 10 and Foxit PDF Reader. Only Foxit PDF Reader is protected and has MBAE.dll associated with it. It seems the same problem as before still exists.
     
  12. PrevxHelp

    Thanks, I'll have our guys look into it shortly.
     
  13. Tarnak

    Tarnak Registered Member

    I hope this post is allowed in this thread. It is related to an MBAE thread I posted in at the Malwarebytes forum here.

    Subsequently, I have downloaded WhoCrashed (Home Edition) v4.02 to investigate further, and have had the 2 recent BSODs analyzed as shown in the screenshot.

    It seems one of the BSODs could have something to do with WSA.

    ScreenShot_WhoCrashed_03.gif
     
  14. lordraiden

    lordraiden Registered Member

    The latest version of WSA 2014 still blocks MBAE.dll from being loaded under the browser processes. I have checked with Chrome and IE.

    When will this be fixed?
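
One way to run the check described in posts 11 and 14 (is MBAE.dll loaded in a given process?), as an added example that is not part of the original thread. The process names are assumptions and the function name is hypothetical.

```powershell
# Added example, not from the thread. Reports whether a named DLL is loaded
# in each running instance of the listed processes.
# Assumptions: the process names below. MBAE.dll is the module named in the thread.
function Get-ModuleLoadStatus {
    param(
        [string[]]$ProcessName = @('iexplore', 'chrome', 'FoxitReader'),
        [string]$ModuleName = 'mbae.dll'
    )

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        $modules = $null
        try {
            # Can fail (access denied, process exited) for protected or
            # short-lived processes; report that as "Unknown", not "NotLoaded".
            $modules = $proc.Modules
        } catch { }

        if ($null -eq $modules) {
            $status = 'Unknown'
            $path = $null
        } else {
            $hit = $modules | Where-Object { $_.ModuleName -ieq $ModuleName } |
                Select-Object -First 1
            $status = if ($hit) { 'Loaded' } else { 'NotLoaded' }
            $path = if ($hit) { $hit.FileName } else { $null }
        }

        [pscustomobject]@{
            Process = $proc.ProcessName
            Id      = $proc.Id
            Module  = $ModuleName
            Status  = $status
            Path    = $path
        }
    }
}

# Run from a prompt whose bitness matches the target processes:
# a 64-bit PowerShell may not list the 32-bit modules of a 32-bit browser.
Get-ModuleLoadStatus | Sort-Object Process, Id | Format-Table -AutoSize
```

Running it once with Protected Applications set to "protect" and once with "allow" gives a side-by-side record of the difference reported in post 5.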
     
  15. PrevxHelp

    Can you send the minidump to my username at gmail.com?

    Thanks!
     
  16. PrevxHelp

    We'll be looking into it soon, probably within the next build or build after it.
     
  17. PrevxHelp

    Thanks for the crash dump - it looks like this is caused by safemon.sys (SSM 2.0) parsing data incorrectly. Because WSA is in the stack, it points to WSA, but the actual crash is occurring from their driver. I suggest reaching out to them with the same minidump to have it corrected.

    Thanks!
     
  18. Tarnak

    I have conflated my concerns as to the current version of WSA 2014. See my OP from last year here. I have been a long-time user of SSM. It is no longer developed.

    The problem does not lie with SSM, but the ongoing development of programs such as WSA, and the changes made with versions thereof.

    As such I will have to remove WSA, before I remove SSM, much to my regret if you are unable to address any issue that makes the two of them incompatible.
     
  19. Techfox1976

    Techfox1976 Registered Member

    Ongoing development sometimes means starting to use rarely-used features of certain data pipes and connectors to improve things. Passing data that the connector is capable of parsing is fine, until something else inserts itself into the pipeline and breaks that connector.

    WSA simply uses the abilities that the data pipeline should have, despite the fact that very few or possibly no other programs do. This does not make WSA bad. It's using a capability that works on millions of machines out there to do something better.

    Unfortunately, SSM breaks that pipe, so on YOUR machine, out of millions, you have Broken Junk, therefore crash.

    If SSM was still under active development, they could stop breaking your stuff so WSA and other things in the future that might use that pipeline will work right. (I wonder how many other crashes caused by SSM's parsing have caused you to uninstall innocent software that makes the inaccurate assumption that your stuff works right.)

    If enough other people used SSM to make it worthwhile, WSA might inconvenience others to do a check and say "Ah, SSM is there and it breaks junk, so protect this person less-well because they have broken junk." Sadly, the cost of making workarounds for potentially one user of outdated and unsupported software is not recouped by that user's subscription, so that cost is not likely to be expended.

    Stay well and stay secure! Come back if you get rid of SSM!
     
  20. PrevxHelp

    I'd love to have it not be related to SSM as we could then work around it, but they're hooking the SSDT routines and modifying the response, causing the OS to return invalid data. We could "possibly" get around it but it could risk destabilizing code which has been untouched in years and used by millions of WSA users without a problem.

    safemon.sys was last updated March 1st, 2008 and after hundreds of OS changes, I'm not surprised there are issues cropping up. This particular crash occurred from Process Explorer which accesses the OS in less common ways so you may be fine if you just avoid using it (perhaps try Process Hacker instead), but this isn't an issue we'll be able to get around without major risk.
     
    Last edited: Oct 22, 2013
  21. PrevxHelp

    FYI - I've found the incompatibility with MBAE: WSA's Identity Shield was blocking it at multiple points from "tampering" with the browser. Even though it is whitelisted, we still block certain classes of changes within the browser for additional security in the rare case of a false negative. This should be fixed within the next build, or build immediately following it, depending on timing.

    Thanks!
     
  22. Tarnak

    It only cropped up in the sense that I tried to use Process Explorer, in the context of that post I referenced in connection with MBAE.

    I have also posted in the Sysinternals forum about the failure that happened when I used that feature in Process Explorer - here.

    If I had not used the feature in Process Explorer, then those 2 BSODs would not have occurred. ;)
     
  23. Tarnak

    Thanks! I assume your post was meant for me. So, was I helpful in that context, about the incompatibility of WSA with MBAE, and does pbust know?

    P.S. On further reading, it was probably meant for Thankful.
     
    Last edited: Oct 22, 2013
  24. PrevxHelp

    I haven't told him but this thread was the first I heard of it. I'll post again as soon as it is available for updates.
     
  25. Tarnak

    Perhaps, I should post a link in that thread at Malwarebytes, pointing back here. ;)
     