Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    237
    Unfortunately, I couldn't find anything about this problem in the Event Viewer. I am uncertain what you mean by "FRST logs". Does FRST refer to the Farbar Recovery Scan Tool, or something else?
     
  2. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes you are correct about FRST.
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Thanks for the FRST logs pcalvert. I believe the problem you are seeing is due to a bug in Comodo. We've identified a couple of bugs in Comodo. One of them we were able to avoid ourselves but the other one only Comodo can fix. More information:
    https://forums.malwarebytes.org/index.php?/topic/135127-known-issues-conflicts/

    Try completely removing Comodo and rebooting to see if the problem persists. If so, then try the workaround in the Known Conflicts page referenced above.
     
  4. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    Hello, I'd like to talk about several improvements.

    1) The About and General tabs seem a bit redundant; I mean the License ID and the links could possibly be displayed on the General tab instead of having almost the same tab under a different name.
    2) I can't resize the window.
    3) Why can't I just drag & drop an .exe into 'Shields'? It would be a lot easier in some situations.
    4) I can't find any option (via GUI) to import/export my settings. This can only be done via the registry.
    5) The Shields tab could maybe get a separate indicator showing which apps are installed/running, to make it easier to detect which apps you possibly need to adjust. And speaking of that, you can't adjust the given list.
    6) Another problem is that e.g. we have Tor.exe in our list, e.g. for the Tor Browser or the executable itself, but if you start another tor.exe instance, e.g. for the Tor Messenger, and configure tor.exe to allow a new instance, the Log window is a bit confusing, so you need to look at the paths to see which .exe is affected. Maybe an indicator would help.
    7) The detection now works 100% accurately; I started an .exe which is in the given list from a USB drive and in the logs it doesn't show that this process is protected.

    Thanks for another useful tool. :)
     
  5. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,982
  6. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
  7. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    Thanks @anon, I hope the GUI refresh also includes my ideas.

    Another small problem I found is that the KEY (to activate the Premium version) is stored in plain text in the registry; on my x64 system it's under:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Malwarebytes Anti-Exploit. I think that's a small thing to change but very critical, since an attacker who has local or remote access could just read out the key via scripts.
     
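    The check behind the post above, as an added example that is not part of the thread or of Malwarebytes' code: a scanner that walks a `reg export` dump and flags string values that look like license keys or other credentials. The post only states that the key is a plain string somewhere under HKLM\SOFTWARE\WOW6432Node\Malwarebytes Anti-Exploit; the value names "LicenseID" and "LicenseKey" and every value in the constructed sample export below are assumptions for the example, not the product's real layout. The reason the finding matters is that HKLM\SOFTWARE grants Read to BUILTIN\Users by default, so any process running as any local user, or anything with remote registry access, reads such a value without elevation.

```python
"""Scan a .reg export for plaintext license keys and similar secrets.

Added example, not Malwarebytes' code. Value names and values in
SAMPLE_EXPORT are constructed; the real product layout is not known here.
"""
import math
import re
from typing import Iterator, List, Tuple

# [HKEY_LOCAL_MACHINE\...] key header
KEY_LINE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
# "Name"="value"  or  @="value"   (REG_SZ entries only; dword:/hex: lines are skipped)
STR_LINE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<value>"(?:[^"\\]|\\.)*")$')
# Dash-separated groups of upper-case alphanumerics: the usual product-key shape
KEY_SHAPE = re.compile(r"^[A-Z0-9]{4,6}(?:-[A-Z0-9]{4,6}){2,}$")
# Value names that suggest a credential, matched case-insensitively
NAME_HINTS = ("key", "license", "licence", "token", "secret", "password", "serial")


def _unquote(token: str) -> str:
    """Strip the surrounding quotes and undo .reg escaping of backslash and quote."""
    return token[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key_path, value_name, string_value) for every REG_SZ in a .reg dump."""
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_LINE.match(line)
        if m:
            path = m.group("path")
            continue
        m = STR_LINE.match(line)
        if m and path is not None:
            name = m.group("name")
            name = "(Default)" if name == "@" else _unquote(name)
            yield path, name, _unquote(m.group("value"))


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score high, paths and words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def looks_like_secret(name: str, value: str, min_entropy: float = 3.5) -> bool:
    """Flag product-key shapes, credential-like names, or long high-entropy tokens."""
    if KEY_SHAPE.match(value):
        return True
    if any(h in name.lower() for h in NAME_HINTS) and len(value) >= 8:
        return True
    # Paths and sentences contain spaces or backslashes; opaque tokens do not.
    opaque = " " not in value and "\\" not in value
    return opaque and len(value) >= 20 and shannon_entropy(value) >= min_entropy


def redact(value: str) -> str:
    """Show enough to identify the value in a report without re-leaking it."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def find_plaintext_secrets(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, name, redacted value) for every suspicious REG_SZ in the export."""
    return [(p, n, redact(v)) for p, n, v in parse_reg_export(text) if looks_like_secret(n, v)]


# Constructed export in `reg export` format; these value names are hypothetical.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Malwarebytes Anti-Exploit]
"InstallPath"="C:\\Program Files (x86)\\Malwarebytes Anti-Exploit"
"Version"="1.08.1.1045"
"LicenseID"="ABCD1-EFGH2-IJKL3-MNOP4"
"LicenseKey"="QRST5-UVWX6-YZ012-34567-89ABC"
"""

if __name__ == "__main__":
    for path, name, shown in find_plaintext_secrets(SAMPLE_EXPORT):
        print(f"{path}\\{name} = {shown}")
```

    On a real system the input comes from `reg export "HKLM\SOFTWARE\WOW6432Node\Malwarebytes Anti-Exploit" mbae.reg`; that file is UTF-16LE with a BOM, so open it with `encoding="utf-16"` before passing the text in. The shape and entropy rules are a filter for review, not proof that a value is a secret, which is why the report prints redacted values.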
  8. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,982
    It's not a problem, imo.
    In many AVs, the key is clearly shown on the front page.
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
  10. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
  11. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
  12. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Just don't run driver installation software sandboxed and under MBAE...

    The number of Wilders members who add 1001 applications to MBAE or HMPA and then come complaining on the forum still seems to be quite high, despite multiple people saying that you'll only create compatibility issues.
    I can understand why Traps, SentinelOne, etc. are only offered to enterprises with sysadmins who know what they are doing...
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    I understand perfectly, and in my case it's not a complaint but a sort of notice to Pedro. I never used that DriverPack-Online program before, but I know what DPs is (downloaded before via torrent). I thought it was just a downloader for separate drivers, yet it's actually a full program which scans the computer for drivers, apps and programs and downloads stuff from the internet.
    Btw, I did not add this program to MBAE; it would be complete stupidity to do so.
     
  14. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,982
  15. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    Automatically, updated from 1044 to version 1045, earlier today. :)
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
  17. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    This seems like it's become the blanket cop-out for everyone complaining that the newer versions aren't working like 1.06 did. In my case I didn't add anything new at all that I didn't already have in v1.06. I had shields for Sandboxie processes (SbieSvc, SbieCtrl, SbieDCOM, and SbieCrypto), as well as Firefox. SbieSvc & SbieCtrl were shielded automatically when I started MBAE under v1.06... that is no longer the case since I updated. I then had to delete the old shields and make new ones every time I restarted my computer, and worse yet I wasn't convinced they STAYED on, because every time I opened FF I saw bubbles pop up for MBAE saying they were starting again. On 1.06 the protection stayed on until I turned off my computer.

    I also had shields for all startup processes, like winlogon. They also started shielded automatically, and with no adverse side effects. That's hardly 1001 things. Since the update they no longer start shielded and I have to remove/add all of them.

    Don't blame other people for a product that's regressing. I "downgraded" (technically) to 1.06, but really I consider it an upgrade, as this version works better.
     
  18. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    https://www.malwarebytes.org/support/releasehistory/#mbaep

    New Features

    • Added Layer0 Dynamic Anti-HeapSpraying mitigation
    • Added Layer0 Anti-Exploit fingerprinting mitigation
    • Added Layer0 finetuned VBScript mitigation for IE
    • Added Layer1 ROP-RET gadget detection mitigation
    • Added Layer3 Application Behavior rules
    • Added protection for Microsoft Edge
    • Added protection for LibreOffice
    • Added failover upgrade mechanism
    • Added auto-recovery for Anti-Exploit service
    Fixes
    • Fixed conflict with third-party products that use the same hooks
    • Fixed conflict with Office family profile
    • Fixed conflict with banking software plugin for browsers
    • Fixed conflict with Citrix when opening IE
    • Fixed conflict with components from Asus and Huawei
    • Fixed conflict with Kaspersky 16
    • Fixed conflict with Comodo
    • Fixed conflict with Imprivata OneSign
    • Fixed issue when custom shields were not kept after upgrade
    • Fixed issue with exclusions sometimes not applied to PDF profile
    • Fixed issue with Layer3 Application Behavior
    • Fixed issue with missing balloon notifications
    • Fixed false positive with Adobe Acrobat
    • Fixed false positive with certain .NET modules under IE
    • Fixed PhantomPDF crash when converting to doc
     
  19. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Hi Pedro.

    * Added Layer1 ROP-RET gadget detection mitigation *

    All mitigations (Browsers, Chrome Browsers.......) are disabled by default.
    Why?
     
  20. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    TH.;):thumb:
     
  22. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello Sampei Nihira,

    You are most welcome ;) ...
     
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Unfortunately, I'm running MBAE on a PC with a 32-bit OS, so I can't test it on that, and the others are currently not fit for testing.
    However, I set up a clean VMware VM with Win7 x64, the latest MBAE Premium trial and Firefox. I added the Surfright test tool to the browser profile. MBAE generated a protection notification for both Firefox and the test tool when starting them. However, MBAE failed both WOW64 exploit/bypass methods on the test tool and Firefox. Though since it's not a physical machine, I'm not sure how accurate the results are.
     
  24. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    An issue with exploit mitigation software in general is the user-mode hooks. If one can bypass the hooks or use functions that are not hooked, then the mitigation software no longer has an entry point for performing its checks.
     
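    The point in the post above, and the WOW64 test results reported earlier in the thread, come down to where the mitigation's entry point physically is: in the first bytes of selected user-mode API stubs, usually in ntdll.dll. A call that reaches the kernel without executing those bytes, through a different export that was not patched or through a different ntdll than the one the vendor patched (a WOW64 process carries a 32-bit ntdll alongside the 64-bit one), is never inspected. Below is an added example, not code from the thread or from any vendor, that performs the basic coverage check a practitioner runs on either side of this: classify a stub's prologue as an intact syscall stub, a known detour, or something unrecognised, and diff the loaded bytes against the on-disk image. All byte strings are constructed for the example and nothing reads a live process; the prologue shapes are those of Windows 8+ x64 and Windows 10 32-bit ntdll and are approximate.

```python
"""Byte-level check of Windows Nt* syscall stubs for inline hooks.

Added example, not Malwarebytes' or any vendor's code. Sample byte strings
are constructed; the service number 0x18 is arbitrary for the example.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class StubReport:
    verdict: str          # "clean", "hooked" or "unknown"
    detail: str           # what was recognised
    ssn: Optional[int]    # system service number, only when the stub is intact


# x64 Nt* stub:  4C 8B D1  mov r10, rcx ;  B8 imm32  mov eax, <ssn>
X64_PREFIX = b"\x4c\x8b\xd1\xb8"


def _detour(prologue: bytes) -> Optional[str]:
    """Recognise the common inline-hook trampolines placed at a function's first byte."""
    if prologue[:1] == b"\xe9":
        return "jmp rel32"
    if prologue[:1] == b"\xe8":
        return "call rel32"
    if prologue[:2] == b"\xff\x25":
        return "jmp [rip+disp32] (x64) / jmp [abs32] (x86)"
    if prologue[:1] == b"\x68" and prologue[5:6] == b"\xc3":
        return "push imm32; ret"
    if prologue[:2] == b"\x48\xb8" and prologue[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"
    if prologue[:1] == b"\xcc":
        return "int3 breakpoint"
    return None


def inspect_stub(prologue: bytes, wow64: bool = False) -> StubReport:
    """Classify the first bytes of an Nt* export as intact, detoured, or unrecognised."""
    if not wow64 and len(prologue) >= 8 and prologue.startswith(X64_PREFIX):
        ssn = struct.unpack_from("<I", prologue, 4)[0]
        return StubReport("clean", "intact x64 syscall stub", ssn)
    # 32-bit stub:  B8 imm32  mov eax, <ssn> ;  BA imm32  mov edx, <dispatcher> ;  FF D2 / FF 12  call
    if wow64 and len(prologue) >= 10 and prologue[0] == 0xB8 and prologue[5] == 0xBA:
        ssn = struct.unpack_from("<I", prologue, 1)[0]
        return StubReport("clean", "intact WOW64 syscall stub", ssn)
    detour = _detour(prologue)
    if detour:
        return StubReport("hooked", detour, None)
    return StubReport("unknown", "prologue matches neither a clean stub nor a known detour", None)


def diff_offsets(in_memory: bytes, on_disk: bytes) -> List[int]:
    """Offsets where the loaded bytes differ from the file image.

    ntdll's Nt* stubs contain nothing the loader relocates, so for them any
    difference is a patch applied after mapping (a hook, or a debugger).
    """
    return [i for i, (a, b) in enumerate(zip(in_memory, on_disk)) if a != b]


# Constructed samples.
CLEAN_X64 = b"\x4c\x8b\xd1\xb8\x18\x00\x00\x00\xf6\x04\x25\x08\x03\xfe\x7f\x01"
HOOKED_X64 = b"\xe9\x10\x20\x00\x00" + CLEAN_X64[5:]        # first 5 bytes replaced by jmp rel32
HOOKED_ABS = b"\xff\x25\x00\x00\x00\x00" + CLEAN_X64[6:]    # jmp [rip+0]; target pointer follows
CLEAN_WOW64 = b"\xb8\x18\x00\x00\x00\xba\x00\x03\xfe\x7f\xff\xd2\xc2\x18\x00"

if __name__ == "__main__":
    cases = (("x64 clean", CLEAN_X64, False), ("x64 jmp rel32", HOOKED_X64, False),
             ("x64 jmp abs", HOOKED_ABS, False), ("wow64 clean", CLEAN_WOW64, True))
    for label, stub, w in cases:
        r = inspect_stub(stub, wow64=w)
        print(f"{label:14} {r.verdict:8} {r.detail}  ssn={r.ssn}")
    print("patched offsets:", diff_offsets(HOOKED_X64, CLEAN_X64))
```

    On a live Windows system the in-memory bytes come from the target process (ReadProcessMemory at the export's address) and the reference bytes from the matching file, System32\ntdll.dll for 64-bit processes and SysWOW64\ntdll.dll for the 32-bit side of a WOW64 process; both copies have to be checked, because a hook present in one says nothing about the other. The detour list is a heuristic for the first byte only; a patch placed deeper in the function, or a hook on the import table rather than the function body, needs the full-image diff instead.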
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    For me too:

    1) ROP WOW64 bypass........... failed.
    2) ROP Exploit WOW64..........failed.

    Even with the "ROP-RET gadget detection mitigation" enabled.
     
    Last edited: Nov 26, 2015