MBAE 1.09.1.1130 Winrar Shield removed during upgrade


I installed MBAE beta 1.09.1.1130 over top the latest stable build, and WinRAR.exe was removed from my Shielded Apps. There are 3 executables that belong to Winrar that I have always added to the Shield; WinRAR.exe, Rar.exe, and Ace32Loader.exe. Rar.exe, and Ace32Loader.exe were still listed as Shielded after the upgrade; WinRAR.exe was missing. I did not check my Shielded Apps right before upgrading to this beta so if it was already missing then that would mean one of the other recent upgrades removed it instead of this beta. I'm positive I added it though, and it was there recently. I will send a link to pBust for my MBAE appdata folder. I'm using Windows 7X64 Ultimate.

 

regards,

Mike


8 hours ago, btmp said:

It won't make any difference if the rule still exists because the rule no longer works. I used Process Explorer to see if MBAE was injecting into WinRAR.exe, and it's not. If I try to add it back then I get an alert that states it's already Shielded even though it does not show in the GUI under the Shielded Apps List. It can't only be a GUI bug though since MBAE fails to inject into WinRAR.exe now.


Is WinRAR.exe supposed to be on the list by default? I just finished reading your thread, and that's what I understand you to be saying. I have always had to add WinRAR.exe to the Shielded List manually. Are 7Zip and WinZip supposed to be on the Shielded List by default also? They are not on the Shielded List anywhere in the GUI. Also, please remember that my WinRAR.exe rule that disappeared from the GUI no longer works after upgrading to this beta so it's not only a GUI bug on my machine. MBAE is no longer injecting into WinRAR.exe.

 

Thank you for the feedback!

 

Cutting_edgetech


I just tested with a clean VM and winrar is getting injected though it doesn't get listed up in the gui shields or log. Looks like it might be due to the previous rule you had. I figured maybe it was confused by the two different rules so I reverted the VM. I installed 1.08.1.2563 first to make a winrar rule then updated it to the beta. While the shield was removed from the gui, the dll was injected into mine so perhaps there is something else involved with your results?

Winrar.jpg


  • Staff

In this latest build we've added WinRAR and some others (WinZip, 7z, etc.) to the "internal shields". Internal shields are basically apps we hook into to help determine certain logic when applying the Layer3 application behavior detection techniques. So for ex if winword.exe launches cmd.exe which in turn launches wscript.exe, that's a clear giveaway of exploit-like behavior. We added Winrar and others as an internal shield as we've detected some ransomware exploiting application behaviors (i.e. social engineering, not real exploits) which we were not blocking before.

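The process-chain logic described in the staff post above, sketched as an added example that is not part of the thread and not Malwarebytes code: it replays process-creation events and reports any script host whose ancestry contains a shielded application. The app lists, the depth limit and the sample events are assumptions constructed for illustration.

```python
# Added example: flag process chains where a shielded application is an
# ancestor of a script host, e.g. winword.exe -> cmd.exe -> wscript.exe.
from typing import Dict, List, Tuple

SHIELDED_APPS = {"winword.exe", "winrar.exe"}                    # assumed list
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}  # assumed list
MAX_DEPTH = 16  # assumed cap; stops runaway or cyclic parent links

Event = Tuple[int, int, str]  # (pid, parent pid, image name)

def ancestry(pid: int, procs: Dict[int, Tuple[int, str]]) -> List[str]:
    """Return image names from the process up to its oldest known ancestor."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and len(chain) < MAX_DEPTH:
        seen.add(pid)
        ppid, image = procs[pid]
        chain.append(image.lower())  # Windows image names are case-insensitive
        pid = ppid
    return chain

def suspicious_chains(events: List[Event]) -> List[List[str]]:
    """Replay creation events in order; return matching chains, shielded app first."""
    procs: Dict[int, Tuple[int, str]] = {}
    hits = []
    for pid, ppid, image in events:
        procs[pid] = (ppid, image)  # a reused pid overwrites the stale entry
        chain = ancestry(pid, procs)
        if chain[0] in SCRIPT_HOSTS:
            for depth, name in enumerate(chain[1:], start=1):
                if name in SHIELDED_APPS:
                    hits.append(chain[depth::-1])
                    break
    return hits

SAMPLE_EVENTS = [  # constructed sample data, not taken from any real log
    (100, 1, "explorer.exe"),
    (200, 100, "WINWORD.EXE"),
    (210, 200, "cmd.exe"),
    (220, 210, "wscript.exe"),  # winword -> cmd -> wscript: flagged
    (300, 100, "cmd.exe"),
    (310, 300, "wscript.exe"),  # explorer -> cmd -> wscript: not flagged
    (400, 100, "WinRAR.exe"),
    (410, 400, "wscript.exe"),  # winrar -> wscript: flagged
]

if __name__ == "__main__":
    for chain in suspicious_chains(SAMPLE_EVENTS):
        print(" -> ".join(chain))
```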

On 7/5/2016 at 3:49 PM, pbust said:

In this latest build we've added WinRAR and some others (WinZip, 7z, etc.) to the "internal shields". Internal shields are basically apps we hook into to help determine certain logic when applying the Layer3 application behavior detection techniques. So for ex if winword.exe launches cmd.exe which in turn launches wscript.exe, that's a clear giveaway of exploit-like behavior. We added Winrar and others as an internal shield as we've detected some ransomware exploiting application behaviors (i.e. social engineering, not real exploits) which we were not blocking before.

I will see if WinRAR shield is working again in the next build then. MBAE does not inject into WinRAR with this build on my machine.
