Malwarebytes Anti-Exploit Known Issues

Document created by drossler (Employee) on May 11, 2017. Last modified by jyamada on Jun 9, 2017.

Last updated: May 01, 2017

 

Malwarebytes 3.0 (MB3) -- Known Issues in Anti-Exploit Module

  • Microsoft Office (v16.0.7 and above) applications crash or hang on Windows 10 Creators Update with Malwarebytes v3.0.6.1469. The fix is currently being integrated into Malwarebytes 3.1 and is due to release shortly. Until then, the temporary workaround is to go to Settings->Protection->Manage Protected Applications and disable protection for the application that is crashing.
  • Chrome browser (32-bit) crashes with Norton Security v22.9.1.12 and Malwarebytes v3.0.6.1469. This is due to a conflict between the Anti-Exploit module and the exploit protection in Norton Security. The fix is currently being integrated into the Malwarebytes product and is due to release shortly. Until then, the temporary workaround is to turn off Norton Exploit Protection, use the 64-bit version of the impacted browser, or go to Settings->Protection->Manage Protected Applications and disable protection for the browser that is crashing.

 

MBAE Standalone -- Known Issues and Conflicts

  • Internet Explorer 11 freeze with MBAE 1.09.x.1384: We have had reports of Internet Explorer 11 freezing on a few Windows 7 machines with MBAE 1.09.x.1384. Unfortunately, we are not able to replicate this internally, but we are working with a few of our impacted customers and are in the process of finding a fix. Please wait for more updates.
  • Enhanced Mitigation Experience Toolkit (EMET). Both EMET and MBAE are exploit mitigation products that apply similar protections using similar API hooking techniques. However, MBAE provides more comprehensive protection due to its Layer0 and Layer3 protections. Running MBAE and EMET together is not recommended. Some users have reportedly managed to run both by tweaking the EMET techniques, but this is not an officially supported Malwarebytes configuration.
  • Trusteer Rapport. Trusteer's "Pinpoint technology", which tries to detect the presence of Trusteer from a webpage, introduces a conflict whereby it can no longer detect Trusteer's own hooks. There is a long history of complaints about IBM's lack of interest in fixing Rapport's conflicts with dozens of security applications. We have managed to make Trusteer work with most web browsers, but Pinpoint technology does not know how to deal with basic chained API hooks. We are working on a new mechanism to handle these types of conflicts.
  • ESET9. A bug exists in the API hooking mechanism of ESET9 that triggers when using ESET9 + MBAE + Firefox. The Firefox crash shows a stack overflow typically generated by ESET. This problem is likely also happening between ESET9 and other security products as well.
  • New Comodo Bug. We found a second new bug in Comodo which may cause conflict with MBAE and result in browsers not being able to open correctly. It seems when MBAE injects after Comodo there is no problem, but if Comodo injects after MBAE then Comodo doesn't handle the chained hooks correctly. A fresh re-install of MBAE might temporarily solve the problem (as it sometimes makes MBAE handle the API hooks after Comodo) but the definite bug fix must come from Comodo.
  • McAfee HIPS (new). We recently identified another bug in the hooking engine of McAfee HIPS that causes crashes of protected applications. The McAfee HIPS hooking engine fails to disassemble an instruction and generates a breakpoint exception in HcThe.dll, resulting in the crashes. HcThe.dll hooks a couple of Windows APIs, and in some specific cases, if a function is already hooked and McAfee HIPS attempts to hook that API, it fails to disassemble the instruction and generates a breakpoint exception. This conflict is not just with MBAE but with other security products dealing with API hooks as well. If you are experiencing this issue, please contact McAfee to report this bug to them. We are working on a new mechanism in MBAE to handle these types of issues caused by buggy third-party code.
  • McAfee HIPS (old). We have identified an API hooking bug in older versions of McAfee HIPS that may cause a conflict with MBAE. The bug is located in the HCTHE.DLL component of McAfee HIPS. Simply disabling McAfee HIPS does not disable the hooking or solve the bug, so the solution is to upgrade to a fixed version of McAfee HIPS. We are working on a new mechanism in MBAE to handle these types of issues caused by buggy third-party code.
  • Websense Endpoint hooks the KernelBase!LoadLibraryExW API via QIPCAP64.DLL. MBAE also hooks this API. However, due to a bug in Websense's hooking mechanism, it improperly handles the existing hook and may cause crashes when opening Word, Excel or other applications. If you are experiencing this issue, please contact Websense to report this bug to them ("bad attempt to copy jmp qword instruction rip based"). We are working on a new mechanism to handle these types of conflicts.
  • Ghostery Add-on for Internet Explorer 11 alongside MBAE, or any other product that hooks wininet APIs, makes IE crash. This is because Ghostery makes incompatible API hooks, i.e. without taking into consideration that there might be other products hooking the same APIs.
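Several of the conflicts above (McAfee HIPS, Websense, Comodo) share one failure mode: a hooking engine finds that the first instruction of an API is already another product's jmp, and either cannot decode it or copies it verbatim into its trampoline, where a rel32 or RIP-relative displacement now resolves to the wrong address. The following is an added illustration of that mechanism, not Malwarebytes or any vendor's code: it decodes the two jmp forms commonly found at a hooked x64 entry point and relocates the displacement when the instruction is moved to a trampoline (all addresses, buffers and the function names are constructed; it assumes a little-endian x64 layout and only touches byte arrays, never live code).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* What the first instruction at a function entry is. */
typedef enum { PROLOGUE_UNKNOWN, PROLOGUE_CLEAN, PROLOGUE_JMP_REL32, PROLOGUE_JMP_RIP_INDIRECT } prologue_kind;
typedef struct {
    prologue_kind kind;
    size_t length;   /* bytes the instruction occupies */
    uint64_t target; /* jmp rel32: the earlier hook's handler; FF 25: the 8-byte slot holding the handler address */
} prologue_info;

/* Decode the instruction at virtual address `addr` (needed to resolve RIP-relative operands). */
prologue_info inspect_prologue(const uint8_t *code, size_t len, uint64_t addr) {
    prologue_info info = { PROLOGUE_UNKNOWN, 0, 0 };
    if (len >= 5 && code[0] == 0xE9) {                            /* jmp rel32: an earlier inline hook */
        int32_t rel; memcpy(&rel, code + 1, 4);
        info.kind = PROLOGUE_JMP_REL32; info.length = 5; info.target = addr + 5 + (int64_t)rel;
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {  /* jmp qword ptr [rip+disp32] */
        int32_t disp; memcpy(&disp, code + 2, 4);
        info.kind = PROLOGUE_JMP_RIP_INDIRECT; info.length = 6; info.target = addr + 6 + (int64_t)disp;
    } else if (len >= 5 && code[0] == 0x48 && code[1] == 0x89 && code[2] == 0x5C && code[3] == 0x24) {
        info.kind = PROLOGUE_CLEAN; info.length = 5;              /* mov [rsp+imm8], rbx: unhooked MS x64 prologue */
    }
    return info;
}

/* Copy the stolen instruction into a trampoline at `tramp_addr`, rewriting the displacement so it still reaches
 * the original target. Returns bytes written, or 0 when the instruction is unknown or the target is out of
 * +/-2 GiB reach from the trampoline; a blind byte copy (what the buggy engines above do) is never correct here. */
size_t relocate_to_trampoline(const uint8_t *code, size_t len, uint64_t addr, uint64_t tramp_addr, uint8_t *out) {
    prologue_info info = inspect_prologue(code, len, addr);
    if (info.kind == PROLOGUE_UNKNOWN) return 0;
    if (info.kind == PROLOGUE_CLEAN) { memcpy(out, code, info.length); return info.length; }
    size_t opcode_len = (info.kind == PROLOGUE_JMP_REL32) ? 1 : 2;
    int64_t delta = (int64_t)(info.target - (tramp_addr + info.length));
    if (delta > INT32_MAX || delta < INT32_MIN) return 0;
    int32_t d32 = (int32_t)delta;
    memcpy(out, code, opcode_len);
    memcpy(out + opcode_len, &d32, 4);
    return info.length;
}

/* Constructed sample: an earlier 5-byte hook at 0x7FF600001000 jumping +0x100 is relocated to a trampoline
 * at 0x7FF600002000. Returns the address the relocated jmp resolves to; it must equal the original handler. */
uint64_t demo_relocated_target(void) {
    const uint8_t hooked[5] = { 0xE9, 0x00, 0x01, 0x00, 0x00 };
    uint8_t tramp[8] = { 0 };
    size_t n = relocate_to_trampoline(hooked, 5, 0x7FF600001000ULL, 0x7FF600002000ULL, tramp);
    return n == 5 ? inspect_prologue(tramp, n, 0x7FF600002000ULL).target : 0;
}
```

Inspecting the same `FF 25` bytes at two different addresses shows why a verbatim copy breaks: the displacement is relative to the instruction's own location, so the copied jmp dereferences a different slot and the protected application faults.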
