Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. haakon

    haakon Guest

    Actually, only within an historical context.

    Over a year old, the PCSL report is obsolete.

    Dismissing EMET, focusing on the two products developed specifically to target exploits and marketed as such:

    Shortly after the MRG test was published, MBAE went from the tested 1.05 (released December 2014) to 1.06 on March 31. Granted, the test was commissioned by SurfRight to document improvements from 3...167 to 3...174, an impressive boost to 100%. (Who saw that coming?) A quick re-test using MBAE 1.06 would have been nice and, doubtless IMHO, with equally impressive results. Realistically, no one could expect that re-test, and now, with MBAE at 1.07 and 1.08 very soon to be released, this MRG test is irrelevant.

    Soapbox: with SurfRight releasing perpetual beta-flux versions like the Kardashians churn out selfies, in all fairness, MRG should have tested MBAE's current 1.06 beta at the time.
     
    Last edited by a moderator: Oct 5, 2015
  2. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    As a side note regarding the effectiveness of exploit mitigation software and the results of independent tests:
    Popping shells with a bunch of different exploit samples is not a good indicator of resistance against bypass attempts. Some techniques just allow for universal anti-ROP bypasses. (Which techniques is not important for the moment.)
    In the case of universal anti-ROP bypasses anti-exploit software has to rely on other mitigations like anti-heapspraying, application lockdown or in the case of EMET EAF and EAF+.
     
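Added example, not code from MBAE, HMPA or EMET and not part of ropchain's post: one of the "other mitigations" mentioned above, an anti-heapspray heuristic, written out so the idea can be tried offline. A spray fills the heap with many copies of one value (commonly 0x0c0c0c0c, which doubles as a sled and as a pointer into the sprayed region), so a region dominated by a single non-zero aligned dword is suspicious. The heap contents, the 4 KiB region size and the 90% threshold are all constructed assumptions for the demo; a real tool would walk the process heap.

```c
/*
 * Added example: heap-spray heuristic based on dword coverage.
 * Not MBAE/HMPA/EMET code; regions, sizes and threshold are constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

static int cmp_u32(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/*
 * Fraction (0.0 .. 1.0) of the region covered by its most frequent aligned
 * dword, ignoring zero (zeroed pages are normal and must not trip the check).
 * *dominant receives that dword. Returns 0.0 for regions shorter than a dword.
 */
double spray_coverage(const uint8_t *region, size_t len, uint32_t *dominant)
{
    size_t n = len / 4, i, best = 0, run = 0;
    uint32_t *vals, best_val = 0;
    if (n == 0) return 0.0;
    vals = malloc(n * sizeof *vals);
    if (!vals) return 0.0;
    memcpy(vals, region, n * 4);          /* host byte order is fine for counting */
    qsort(vals, n, sizeof *vals, cmp_u32);
    for (i = 0; i < n; i++) {
        run = (i > 0 && vals[i] == vals[i - 1]) ? run + 1 : 1;
        if (vals[i] != 0 && run > best) { best = run; best_val = vals[i]; }
    }
    free(vals);
    if (dominant) *dominant = best_val;
    return (double)best / (double)n;
}

/* Flag the region when one non-zero dword covers more than `threshold` of it. */
int looks_like_spray(const uint8_t *region, size_t len, double threshold)
{
    return spray_coverage(region, len, NULL) > threshold ? 1 : 0;
}

enum { REGION = 4096 };

/* Constructed sprayed block: 0x0c0c0c0c sled followed by a short payload stub. */
static void build_spray(uint8_t *buf)
{
    static const uint8_t stub[] = { 0x31, 0xC0, 0x50, 0x68, 0x63, 0x61, 0x6C, 0x63 };
    memset(buf, 0x0C, REGION);
    memcpy(buf + REGION - sizeof stub, stub, sizeof stub);
}

/* Constructed benign block: distinct pointer-like values plus zeroed slack. */
static void build_benign(uint8_t *buf)
{
    size_t i;
    for (i = 0; i < REGION / 4; i++) {
        uint32_t v = (i < 900) ? (uint32_t)(0x400000 + i * 16) : 0;
        memcpy(buf + i * 4, &v, 4);
    }
}

/* Named entry points so the three cases can be checked without main(). */
int spray_demo_sprayed(void) { uint8_t b[REGION]; build_spray(b);  return looks_like_spray(b, REGION, 0.9); }
int spray_demo_benign(void)  { uint8_t b[REGION]; build_benign(b); return looks_like_spray(b, REGION, 0.9); }
int spray_demo_zeroed(void)  { uint8_t b[REGION]; memset(b, 0, REGION); return looks_like_spray(b, REGION, 0.9); }

int main(void)
{
    uint8_t buf[REGION];
    uint32_t d;
    build_spray(buf);
    printf("sprayed region: %.3f of dwords are 0x%08x -> flagged=%d\n",
           spray_coverage(buf, REGION, &d), d, looks_like_spray(buf, REGION, 0.9));
    build_benign(buf);
    printf("benign region:  %.3f of dwords are 0x%08x -> flagged=%d\n",
           spray_coverage(buf, REGION, &d), d, looks_like_spray(buf, REGION, 0.9));
    printf("zeroed region flagged=%d\n", spray_demo_zeroed());
    return 0;
}
```

The zero exclusion is the part worth noting: without it, every freshly committed page would look like a spray. Real products also reserve the classic spray addresses up front so a pivot into them faults, which this demo does not show.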
  3. LOL, considering that the Kardashians out crowd the Loman brothers :D
     
    Last edited by a moderator: Oct 5, 2015
  4. ROFL, you forgot to add ... little grasshopper ... at the end :argh:
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  6. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I tried everything. Uninstalled, cleaned everything up, reinstalled. Tons of tweaking & fiddling. Nothing's working.

    Not sure if I was clear as to the specifics, but Firefox is being protected by MBAE from within Sandboxie just fine. And so are Sandboxie's sub-processes, like DCOM & RPC. But SbieSvc & SbieCtrl aren't protected anymore when Windows starts or when I start Firefox, as used to be the case before upgrading to v1.07. They both used to be protected by MBAE as soon as I booted up Windows. Now, seemingly, the only way I can get them protected is to create new shields for them every time I boot Windows. Before I shut down I delete the old shields, and then when I boot up I create new ones. Immediately after creating the shields a popup from MBAE comes up saying they are protected. It's good enough for me... I really have no choice other than to downgrade back to 1.06 where all works well, but I'll live with it. When I boot up Firefox the sub-processes SbieRPC & SbieDCOM become protected, along with Firefox. So I leave those shields there.

    But every time I boot up Windows I have to add SbieSvc & SbieCtrl, along with several other things: cpf, cmdagent, explorer, lsass, services, svchost, winlogon... all my startup programs & processes. Kind of a pain but I see no other choice.

    It's the same whether or not I have the "InjectDll etc..." line in the Sandboxie config file, so I just removed it.
     
  7. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Just don't try to add every program to MBAE.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Why the heck would you want to protect all of those processes? I don't believe anti-exploit is meant for this.
     
  9. @luciddream

    As a layman (strawman according to others), this is how I understand why and when someone should use an anti-exploit program.

    As a rule of thumb it is advised to use anti-exploit programs for all programs using documents that contain code or whose metadata can contain code. These data formats which also contain code (snippets) are also called "active content"; typical candidates are
    - all programs processing data which includes scripts (e.g. a browser, PDF reader, Flash)
    - all programs processing macros (e.g. Visual Basic in Office)
    - all programs processing files with metadata code snippets (e.g. GIF, PNG formats etc.)

    The older the program, the more vulnerable it is to exploits (because the compiler with which that program's executable was created had fewer code-sanitizing limitations). So (in theory) when you run Office 2003, you are more vulnerable than someone with Office 2016.

    SBIE is not a front line program running active content. So adding SBIE modules to MBAE has little real life benefits.

    But maybe some experts can join in and provide a better explanation.

    Regards Kees
     
    Last edited by a moderator: Oct 9, 2015
  10. haakon

    haakon Guest

    Agreed.

    If Sandboxie is so good, what's the need for an anti-exploit like MBAE or HMPA? The latter discussion also being over-stuffed with woe-is-me Sandboxie sobbing.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Great post. :thumb:

    That's another discussion. You do need anti-exploit or anti-exe because SBIE can't block exploits itself, it will contain them. But it's not necessary to protect SBIE itself against exploits, because it's highly unlikely that someone is going to try to exploit SBIE. Windows_Security has already explained it.
     
  12. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    @ZeroVulnLabs where do you guys see MBAE vs. stuff like Cylance and Palo Alto TRAPS?
    At a basic level it looks like you're doing similar things so I'm trying to understand the differences in the way you go about it - and there's a lot of marketing :)
     
  13. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Nope, MBAE only tries to provide protection against exploits and not against all other malware.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm using Firefox 41.0.1, and my browser has been freezing. Sometimes it freezes completely, and other times my text will not show up when typing until about 10 seconds later. If I type outside the browser it works fine. I'm not sure if MBAE is causing this since I'm also using Eset Smart Security, AppGuard, and Bouncer. I thought I would report it here to see if anyone else is experiencing this.
     
  15. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Notice how everyone avoided addressing the real/pressing issue I brought up here?... and instead side-stepped it by criticizing me about how I choose to deploy my approach, which btw has nothing to do with the flaw that's plaguing me. How I choose to use the product is my own business. I believe there are benefits, whether it was designed to work that way or not. They are core processes running in real time, and/or connected to the internet in real time. How can you not see potential benefit in protecting them from being exploited?

    But again, that's a diversion from the real issue here. Please... let's stick to it. Why aren't these processes being blocked when I start Windows or Firefox like they used to be when I used MBAE v1.06? What changed? And it happens whether or not I have all those other things blocked.
     
  16. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Both Cylance and Palo Alto Traps claim to have some basic level of exploit mitigation. But it is purely just marketing at the moment as you cannot download and test their product and there are no public independent tests or reviews of their technologies.

    If you want to test their product you need to be a large company with 500+ employees, sign their NDA, sign their EULA and also sign their Proof of Concept criteria. It looks as if they are afraid of people testing their product and posting results publicly.

    Given how most people don't know how to properly evaluate or thoroughly test exploits and exploit mitigations, it seems as if they are fooling people into buying their product based on their marketing alone and without any proof of real world efficacy against exploits.
     
  17. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    It's not avoidance. As I've posted here before we do not maintain official compatibility tests with Sandboxie executables themselves. So while I would love to have the team dedicate time to this, it is not a priority based on the large number of development backlog things that we have.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    My point is that you can always expect problems when you use anti-exploit in this way.
     
  19. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    The closest thing coming to a test is SurfRight having a comparison table on their website with Traps included: http://www.surfright.nl/en/alert

    Isn't it always the case that you have to trust the developer when buying into a product?

    Regarding independent tests, actually most exploit mitigation tests only test the 'standard' exploits (e.g. the ones that hijack an indirect call, perform a stack pivot and return into VirtualProtect), and you expect exploit mitigation software to stop this kind of exploit. It would become more interesting if tests examined the difficulty of creating a bypass (something that is more difficult for certain anti-exploit tools, e.g. EMET 4.1 vs. EMET 5.5).
     
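Added example, not code from MBAE, HMPA or EMET and not part of ropchain's post: the two checks an anti-exploit hook on a sensitive API such as VirtualProtect typically runs against the 'standard' exploit pattern described above (hijacked indirect call, stack pivot, return into the API). The stack pivot check asks whether the stack pointer is still inside the thread's own stack (on Windows the bounds come from the TEB's StackLimit/StackBase; here they are passed in as numbers). The caller check asks whether the return address is preceded by a CALL instruction, since a ROP chain arrives via RET and the bytes before the return address are usually a gadget. The x86 byte sequences, stack bounds and offsets are constructed for the demo.

```c
/*
 * Added example: stack-pivot and caller checks as an API hook would run them.
 * Not MBAE/HMPA/EMET code; all byte sequences and addresses are constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Returns 1 if sp lies outside [limit, base), i.e. the stack was pivoted. */
int stack_pivoted(uintptr_t sp, uintptr_t limit, uintptr_t base)
{
    return (sp < limit || sp >= base) ? 1 : 0;
}

/*
 * If the bytes at p (avail readable) start a 32-bit x86 CALL (E8 rel32, or
 * FF /2 near and FF /3 far r/m forms) return its length, else 0. Instruction
 * prefixes are not decoded; that is enough for a demonstration.
 */
int call_insn_len(const uint8_t *p, size_t avail)
{
    if (avail >= 5 && p[0] == 0xE8)            /* call rel32 */
        return 5;
    if (avail >= 2 && p[0] == 0xFF) {
        uint8_t mod = p[1] >> 6, reg = (p[1] >> 3) & 7, rm = p[1] & 7;
        size_t len = 2;
        if (reg != 2 && reg != 3)
            return 0;                          /* other FF-group opcode (inc, push, jmp) */
        if (mod == 3)
            return 2;                          /* call reg */
        if (rm == 4) {                         /* SIB byte follows */
            if (avail < 3)
                return 0;
            len += 1;
            if (mod == 0 && (p[2] & 7) == 5)
                len += 4;                      /* [index*scale + disp32], no base */
        } else if (mod == 0 && rm == 5) {
            len += 4;                          /* [disp32] absolute */
        }
        if (mod == 1) len += 1;                /* disp8 */
        if (mod == 2) len += 4;                /* disp32 */
        return avail >= len ? (int)len : 0;
    }
    return 0;
}

/*
 * Caller check: try every CALL length 2..7 ending exactly at ret_off.
 * Returns 1 when a plausible CALL precedes the return address, else 0.
 */
int caller_check(const uint8_t *code, size_t code_len, size_t ret_off)
{
    size_t n;
    if (ret_off > code_len)
        return 0;
    for (n = 2; n <= 7; n++) {
        if (ret_off < n)
            break;
        if (call_insn_len(code + ret_off - n, n) == (int)n)
            return 1;
    }
    return 0;
}

/* Constructed: "push ebp; mov ebp,esp; call [0x00402000]; mov [ebp-4],eax" */
static const uint8_t legit_site[] = {
    0x55, 0x8B, 0xEC, 0xFF, 0x15, 0x00, 0x20, 0x40, 0x00, 0x89, 0x45, 0xFC
};
#define LEGIT_RET_OFF 9   /* return address points at "mov [ebp-4],eax" */

/* Constructed: gadgets "pop ebp; ret; pop eax; ret" as a ROP chain would use */
static const uint8_t rop_site[] = { 0x5D, 0xC3, 0x58, 0xC3 };
#define ROP_RET_OFF 2     /* "return address" is the second gadget */

/* Constructed thread stack bounds, as the TEB would report them */
#define STACK_LIMIT 0x0019E000u
#define STACK_BASE  0x001A0000u

int main(void)
{
    printf("legit site caller check: %d (expect 1)\n",
           caller_check(legit_site, sizeof legit_site, LEGIT_RET_OFF));
    printf("rop site caller check:   %d (expect 0)\n",
           caller_check(rop_site, sizeof rop_site, ROP_RET_OFF));
    printf("esp in stack, pivoted:   %d (expect 0)\n",
           stack_pivoted(0x0019FF40u, STACK_LIMIT, STACK_BASE));
    printf("esp in heap, pivoted:    %d (expect 1)\n",
           stack_pivoted(0x0C0C0C0Cu, STACK_LIMIT, STACK_BASE));
    return 0;
}
```

Both checks are cheap and catch the textbook chain, which is exactly why the tests ropchain describes pass so easily; a chain that restores the real stack before calling the API, or that returns into a gadget that itself sits right after a CALL, passes both, which is the bypass difficulty the post says tests should measure instead.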
  20. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    How do I set up a shield for Flash Player in IE 11? Does the default shielding of IE 11 do it? LOL Can anything protect my PC from a zero day Flash Exploit o_O?

    OT: I do not have what Adobe says is the latest version of Flash for IE 11. Downloading the installer from Adobe for the latest Player for IE 11 gives me a Windows Update that is already installed. Is Microsoft behind the eight ball on Flash Updates?

    Adobe's test page says I have Flash v19,0,0,185 installed, but its listing for the latest Flash version is 19.0.0.207. But I can't get it. All I can get is a stand-alone Windows updater for version 19,0,0,185.

    OS Win 8.1 64X

    ~ Removed Off Topic Political Comments ~
     
    Last edited by a moderator: Oct 13, 2015
  21. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  22. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    Thanks pbust :) ~ Removed Off Topic Remarks ~
     
    Last edited by a moderator: Oct 13, 2015
  23. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Pedro already stated that MBAE protected from the previous Flash zero-day.
     
  24. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    Nobody is criticizing you. How you're deploying MBAE has everything to do with the issue you're having: you can't shotgun all processes with AE countermeasures as each process has to be compatible with each countermeasure you employ--and virtualization software would certainly present difficulties. This is why AEs are configured per process per countermeasure.
     
  25. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA