x64

Malwarebytes Suspicious activity alerts with Safe Money


Hi all,

 

I have an issue with Safe Money in KIS 2015 MR1. When Safe Money is active, I am getting repeated alerts that "Suspicious Action was Blocked" with action "Access memory of other processes".

 

I get this for two executables. The Malwarebytes Anti-Malware service (mbamservice.exe), and the Malwarebytes Anti-Exploit Service (mbae-svc.exe). The alerts only occur when Safe Money is active. I am very confident that these services are not infected (I am an extremely experienced computer network engineer).

 

In "Settings" / "Additional" / "Threats and Exclusions" / "Specify Trusted Applications" I have added the two service executables mentioned, and for each of them I checked "Do not monitor application activity" When that did not stop the alerts, I also added "Do not inherit..." and "Do not monitor child application activity", also to no effect.

 

I could probably disable the alert message, but would rather not do so, as the implication is that Malwarebytes is being blocked from accessing the browser's memory, and therefore being impeded in its work.

 

When Safe Money is not active, the system does not generate these warnings when browsing the Internet.

 

Anything else to try (in KIS)? Or is it a bug?

 

Environment:

KIS 2015 MR1 15.0.1.415

Malwarebytes Anti-Malware premium V2

Malwarebytes Anti-Exploit free

Windows 7 64bit, Microsoft updates are current.

Firefox 32.0.3 or IE11 (The issue occurs with either browser)

 

x64

 

 


Welcome,

 

Thank you for the thorough description of the issue.

 

I am not aware of this problem. Could you possibly sign up to the My Kaspersky Account service at https://my.kaspersky.com and create a request to technical support? Submit the following logs:

 

1) Uncheck all protection components but “Safe Money”. To do that go to Settings – Protection Center and disable (switch off) all components, leaving Safe Money.

2) Enable Tracing: http://support.kaspersky.com/11139#block1

3) Reproduce the issue

4) Disable Tracing

5) Send us the resulting traces

 

A detailed tracing guide is available here: http://support.kaspersky.com/11139#block1

 

Traces are *.log files with a specific name:

 

[Product].[Version]_[Date]_[Time]_[Random].[Type]. For example:

 

* KAV.15.0.0.463.**_**.**_***.SRV.log.enc1

* KAV.15.0.0.463.**_**.**_***.GUI.log.enc1

 

Please note that we require both GUI and SRV traces.

 

Please upload traces to our FTP: http://support.kaspersky.com/faq/myaccount#section2 or to any freeware file-hosting service and submit a download link.

 

If possible, please pack traces in an archive with maximum compression.

 

Additionally, please submit a GetSystemInfo 5 utility report: http://support.kaspersky.com/general/dumps/3632

Please note that by default the *.zip archive containing the report is saved on the desktop.

 

 

Please post the number of your incident here.


Thanks Egor,

 

I have just submitted the support incident referencing this post, and attached the trace log archive and GetSystemInfo report to the incident request itself.

 

The incident number is: INC000003590083.

 

In order to reproduce the issue, I had to leave both "Safe Money" and "Application Control" enabled - Disable either one and the problem does not happen. Both are enabled during the trace.

 

x64

 

 


Hi x64,

 

Have you had any response from technical support yet? I also have the exact same problem as you, but in addition I also get "Suspicious action was blocked" for "WMI Provider Host", which constantly repeatedly shows up for the life of the Safe Money session.

 

 

KIS 2015 MR1 15.0.1.415

Malwarebytes Anti-Malware premium 2.0.3.1025

Malwarebytes Anti-Exploit premium 1.04.1012

Windows 7 64bit


Hello,

 

I have discovered what was causing the "Suspicious action was blocked" for "WMI Provider Host" repeated messages. It was the "Enable Active Monitoring" option in CCleaner.

 


 

Hi Mc-Fat-Tongue - No response from support yet. To clarify, my issue is probably more that attempting to exclude the Malwarebytes services from application control did not seem to actually exclude them. Whilst I'm comfortable enough excluding the Malwarebytes services from scanning, I'd not be so happy to do that for "WMI Provider host".

 

x64

 


Hi x64,

 

I too would not be happy with excluding "WMI Provider host" but unticking the "Enable active monitoring" option in "CCleaner" has stopped the repeat messages for it.

 

I have reverted back to using KIS version 15.0.0.463b which is the current version in the U.K. and when using "Safe Money" now I'm only getting one "Suspicious Action was Blocked" message for "Malwarebytes Anti-exploit" and no more repeats.

 

Regards.

Edited by MC-Fat-Tongue


Hello, x64, MC-Fat-Tongue,

 

This behavior of our product is considered normal. SafeMoney has a slightly different algorithm for controlling applications' actions in the system (compared to regular Application Control functions), thus providing "extra" protection by restricting access to the SafeBrowser process. This algorithm is intended to prevent other applications' attempts to access the SafeBrowser process (otherwise it would be possible to intercept data). As far as I can tell, Malwarebytes' behavior falls under the "interceptors" category in this case and is thereby being blocked by SafeMoney.


I am running Malwarebytes Antimalware premium 2.2.0.1024 and Malwarebytes Anti-exploit free 1.08.1.1189

 

The only time I get any warning about using these is when I use Safe Money: "Suspicious action was blocked". Of course, if I stop protection with anti-malware and turn off malware protection and malicious web site protection, no warning.

 

Just wondering if I need to put in any exceptions.

 

Kaspersky Internet Security 16.0.1.445(a)

 

 

 

 


Each computer is different, but I don't see any such notifications with KIS 2016 (16.0.1.445(a)), MBAM Premium and MBAE Premium.

(I have mutual exclusions set between MBAM and KIS, and I give MBAE full permissions in KIS.)

 

My hunch is that it might be MBAM and MBAE doing their job (IOW the problem might be "real" and might be with the website you are visiting).

 

***It would help to see a screenshot of the message (or MBAM and MBAE logs), to know which program is generating the block and what is triggering it.

 

>> The MBAM forums seem to be down for maintenance at the moment.<<

 

If the message you see is from MBAE, "Exploit Blocked", then I suggest starting with the advice in the sticky at the top of the MBAE Support Forum: https://forums.malwarebytes.org/index.php?/...lude-mbae-logs/

Then I would post the requested information in a new post in the MBAE Support Forum: https://forums.malwarebytes.org/index.php?/...roduct-support/

 

If the message you see is from MBAM, about an IP/website block and you think it might be a False Positive, then I suggest starting with the advice in the stickies at the top of the MBAM Website False Positives Forum: https://forums.malwarebytes.org/index.php?/...false-positive/

Then I would post the requested information in a new post in the MBAM Website False Positive Forum: https://forums.malwarebytes.org/index.php?/...bsite-blocking/

 

If neither of those scenarios explains or resolves your issue, please post back here and provide a bit more information, such as a screenshot of the block, and/or the MBAE logs or MBAM protection logs.

 

We can go from there.

 

Thanks,

MM

Edited by MoxieMomma


Thanks for your reply MoxieMomma.

 

My apologies for not being more specific, as I am not the sharpest tool in the shed.

 

The warnings I'm getting are coming from Kaspersky.

I am also not sure what exceptions to put in Malwarebytes or Kaspersky.

 

Using Firefox, Chrome, even IE11 I get no warnings. The only time I get warnings is if I use SafeMoney.

Kas_1.txt


Hi:

 

Hmm, I guess I misunderstood your original post -- the problem is that KIS is flagging MBAM as suspicious, not vice versa.

 

You might wish to set mutual exclusions between MBAM and KIS.

 

The attached screenshot shows how to add the KIS folder to MBAM exclusions.

The text below lists the MBAM files to exclude in KIS, if you wish to do so manually.

Details about how to configure application control in KIS are here: http://support.kaspersky.com/12101

 

Please let us know if this resolves your issue.

 

Thanks,

MM

----------------------

 

For 64-bit Windows, these are the MBAM files to exclude in KIS (for 32-bit Windows, the file paths are the same, minus the "(x86)" bit):

 

C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe

C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamdor.exe

C:\Program Files (x86)\Malwarebytes Anti-Malware\mbampt.exe

C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamresearch.exe

C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe

 

Once that's done, please make sure that if your AV or firewall has any sort of web filter, that you add the following as a trusted site:

data-cdn.mbamupdates.com
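
Added example, not part of the original posts and not code from either vendor: a PowerShell check to run before adding the files listed above as trusted applications, confirming that each one exists and carries a valid Authenticode signature from the expected publisher. The `$ExpectedSigner` value and the function name `Test-ExclusionCandidate` are assumptions made for this illustration; PowerShell 4.0 or later is assumed for `Get-FileHash`.

```powershell
# Constructed example: verify the MBAM executables listed above before trusting them in KIS.
# $ExpectedSigner is an assumption: set it to the publisher name shown in the
# certificate of a known-good install.
param(
    [string]$InstallDir     = 'C:\Program Files (x86)\Malwarebytes Anti-Malware',
    [string]$ExpectedSigner = 'Malwarebytes'
)

# File names taken from the list in the post above.
$files = 'mbam.exe', 'mbamdor.exe', 'mbampt.exe',
         'mbamresearch.exe', 'mbamservice.exe', 'mbamscheduler.exe'

function Test-ExclusionCandidate {   # hypothetical helper name
    param([string]$Path, [string]$Signer)

    # A listed file that is absent should not get an exclusion entry.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Subject = $null
                                  SHA256 = $null; OkToExclude = $false }
    }

    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Require both an intact signature and the expected publisher in the subject.
    $ok = ($sig.Status -eq 'Valid') -and $subject -and ($subject -like "*$Signer*")

    [pscustomobject]@{
        Path        = $Path
        Status      = [string]$sig.Status
        Subject     = $subject
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        OkToExclude = [bool]$ok
    }
}

$results = foreach ($f in $files) {
    Test-ExclusionCandidate -Path (Join-Path $InstallDir $f) -Signer $ExpectedSigner
}

$results | Format-Table -AutoSize Path, Status, OkToExclude, Subject

# Anything unsigned, tampered with, or signed by someone else is reported, not excluded.
$results | Where-Object { -not $_.OkToExclude } |
    ForEach-Object { Write-Warning "Do not exclude: $($_.Path) (status: $($_.Status))" }
```

The SHA256 column gives a record of exactly which binaries were trusted at the time the exclusions were created.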


 

Also,

 

See a similar thread I started about Kaspersky 2015 and even raised a support incident about it.

https://forum.kaspersky.com/index.php?showtopic=306819

 

I too thought that adding exclusions would allow me to deconflict the applications, however it seems that "Safe Money" has other ideas. Look at the last post in that topic (the one by Nikita Shembel).

 

Basically MBAM is examining Safe Money's memory areas, and Safe Money is taking exception to that (as its job is to prevent any and all snooping of the data it is protecting).

 

The information in the thread is for KIS2015, but from the responses that I received - it did not sound as if KL were considering changing the absolutely "no snooping on safe money's memory" policy.

 

x64


Thanks MoxieMomma for all your assistance, very much appreciated.

 

Also Thanks x64, interesting reading.

 

Edit: Also thanks to richbuff for merging topics.

 

Cheers

Edited by pete319
