1.07.1.1007 OK so far

[John A]

Running on Win 7 x 32 with no issues so far. Unable to test on Win 7 x 64 or Win 10 for a few days.

[pbust]

Thanks for testing as always John!

[siliconman01]

Thus far after 2 days of use, appears to be working fine on Windows 8.1.1 x64 Professional and Windows 10 x64 B10130 Tech Preview

[pbust]

Nice, thanks for confirming!

[ky331]

Really appreciate the shield editor.   Thanks!

[Wilpower]

Very nice. Installed on both OS and no issues to report.

Definitely like the 'edit' option for Custom Shields.

Thanks Pedro.  

[digmorcrusher]

Likewise, Windows 7, no problems here.

[danburrito]

Installed over the top of previous version, and so far no problems on Win 8.1_X64.

[cutting_edgetech]

I installed 1.07 on Windows 7X64 as a new install 2 days ago, and I have not experienced any problems so far.

[btmp]

Once again, no 'problems' here but I was let down by what was exposed in the current log options and what wasn't. I had hoped for the information that was peviously exposed to users but the current beta was a no go there. In fact it appears to just be a 'clone' of the notification alerts we see in the windows notification area while I had wanted (?needed?) to see more helpful info such as which protections were activated for each process. At this moment I'm stuck reverting to an older version of MBAE in order to see this stuff and there is no guarantee a newer version won't 'fail' or 'have issues' along the line and require a looksy or fix when mixed with sandboxie or another piece of security software. I'm not one to take a leap of faith on these things and the last revisions have made it difficult to ensure things are working like they are intended to.

[hake]

Windows XP SP3 32-bit with Agnitum Outpost Security Suite Pro 9.1

 

MBAE 1.07.1.1007 seems not to be behaving itself with Outpost Security Suite.  This is a hair tearing out thing.  Everything worked OK until I ran Word 2003 and then the system seemed to have a glitch.   Some low level issue here I think.  A DOS bat file also hanged.  Reinstating MBAE 1.06.1019 eliminated the issue.

 

This is the first time that I have found an experimental release has not behaved reasonably well.  I cannot get a handle on the circumstances which are causing it.

[pbust]

Is this XP? Can you post or PM me the logs?

 

@btmp, I hear you. Its just that we took that logging out before 1.06 as it was confusing to users. But with the current opt-in format it might make sense to add it back in.

[hake]

To Pedro:

 

I have PMed the logs as requested.

 

The 'bad' behaviour occurs when all the advanced options in MBAE 1.07.1.1007 are checked.  For example, Acrobat Pro 6 won't run when anti-heap spraying or bottom-up ASLR are enforced.  I seem to remember you asking for reports on the effects of checking all the options.  With MBAE 1.07.1.1007 it causes problems whereas MBAE 1.06.1.1019 behaves well with all advanced options checked.

 

Once the options have been misused and an application, e.g. Acrobat 6, has been crippled, the only way to put things right seems to be to uninstall and then reinstall MBA 1.07.1.1007, ensure that the options defaults are restored and the applications should then be found to work.  Mozilla Thunderbird settings are entered after being shown the warning 'Here be dragons'.  This now seems appropriate for Advanced options in MBAE too.

 

Bearing in mind my experiences described above, I respectfully suggest that you consider ensuring that when updating previous MBAE versions to MBAE 1.07.x.xxxx, that the updating process ensures that the Advanced settings are forced to the defaults.

[hake]

The protection events log seems very slow to update.  It also seems to me that when the protection events log is enabled, some applications have trouble running.  This particularly applies to Office 2003 applications and also Adobe Acrobat Pro 6.  I have switched off this feature and things work better without it.  Uh oh!  WINWORD.exe won't start but it still appears in Task Manager's process list.  I try WORD 2003 again and it does start.  Now two WINWORD.exe entries in the process list.

 

I like being able to edit the custom protection shields, if only to reassure myself that I have given the correct executable name and selected the correct application profile.  :-)

[mecanicogolf]

I have just installed on my Win 7 Home Premium 32 bit and so far, soooo good.

[pbust]

@hake does the issue with Word happen with custom advanced settings? What if you revert to defaults and re-start Word?

[puff_m_d]

Hello Pedro,

 

Just wanted to add that I upgraded to 1.07 as soon as you announced it and it has been running flawlessly since on a Windows 8.1 Pro 64 bit system!

[pbust]

@All,

 

I've updated the download link in the announcement to download build 1.07.1.1008:

https://forums.malwarebytes.org/index.php?/topic/169216-mbae-107-beta/

 

This new build completes one of the fixes for FP conditions under Excel mentioned in the 1007 changelog (so the changelog for 1008 is the same).

 

This 1008 will most likely become the final version if nothing goes wrong over the next few days.

[hake]

Pedro, I have PMed you with a possible explanation of the issue I am having with MBAE 1.07.x.xxxx.  In addition to what I wrote, I have now also unchecked DEP Bypass protection in the OS Bypass Protection tab of Advanced settings.

 

Please let me know what you think.

[pbust]

Yes that could very well be the source of the problem. An old processor without the Nx bit plus BufferShield might very well be the source of the conflicts.

[hake]

It seems that MBAE 1.07.x.xxxx creates more sensitivity than previous versions over conflicts between EMET's non-ROP settings and it's own equivalents.  My rule with EMET is not to set EAF and the ROP options when an application is listed in both EMET and MBAE.  However, with my DEP agnostic PC I am relying on EMET to look after non-ROP protections available in MBAE's Application hardening tab in Advanced settings so as to avoid applications from freezing.  With my Windows 7 64-bit system though, I can set the non-ROP options in EMET (except for EAF) and allow the MBAE default settings in it's Application hardening tab in Advanced settings and applications just run.  Such are the behaviour differences between the different Windows systems.

 

Regarding DEP, the realisation of the conflict involving BufferShield has been helpful in sundry matters including a curious problem with rendering fonts on the http://www.theguardian.com/uk newspaper web site in Opera 12 on my ancient Windows XP non Nx-bit system.  It also resolved a small issue where the acs.exe process of Outpost Security Suite Pro 9.1 was using a consistent 2% of CPU time after Opera 12 had been in use for a while, even after Opera 12 was terminated.  This has now ceased.

[hake]

It's looking like the only way I can continue to use MBAE with XP is to roll back to 1.06.1.1019 and put up with the invitations to upgrade.  Both other problem systems all support XP, all lack the Nx bit but do not run BufferShield, basically because BufferShield doesn't seem to like those laptops.  The really odd aspect of MBAE 1.07.1.1008 is that DOS bat files hang.  There is no obvious answer because MBAE is concerned with applications, not system function.

 

The behaviour of 1.07.1.1008 is excellent on Windows 7 (64-bit) with none of the application hangs which my XP environments suffer.

[pbust]

Some of the new mitigations in 1.07 might be conflicting with BufferShield. Do you have the same problems if you uninstall BufferShield?

 

As for cmd, it is one of the "internal shields" of MBAE's Layer3 which gets hooked briefly to look for clues in case those internal shields are abused by application exploits (i.e. WinWord.exe -> cmd.exe -> powershell.exe -> malware.exe). This might explain why you are seeing this behavior with batch files. Does your CMD prompt hang completely or is it just slower than usual?

[hake]

To Pedro:

 

The CMD prompt hangs completely.  Eventually it wakes up sufficiently to allow the DOS window X button to be usable.

 

The MBAE 1.07 issue occurs on all my Windows XP PCs.  Unfortunately they all lack the Nx bit but only one of them is running BufferShield.

 

I have a friend who is using MBAE with Windows XP but her system supports hardware DEP.  I won't be able to try MBAE 1.07 on it until next Sunday.

[hake]

MBAE 1.07.x.xxxx could do with detecting Windows XP in order that the features which are causing it to be unusable with at least some XP installations could be disabled by default (with the option to manually enable them).  This would, I hope, allow it to continue to run as sweetly as MBAE 1.06.1.1019 and ensure that it does not disable systems of XP users when they receive the update.