Malwarebytes bought Zerovulnerabilitylabs

Discussion in 'other anti-malware software' started by kupo, Jun 20, 2013.

Thread Status:
Not open for further replies.
  1. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Hi,

    MBAE gave me a false alert on top of the freezes so I rebooted the computer. It works fine for now, so I suppose another reboot was needed. Also added MBAE to PowerApps in AppGuard just to be safe!
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It may be a good idea to change the MBAE icon to something that won't resemble a firewall icon. Today a friend asked me why a security app which is not a firewall has an icon resembling a firewall icon. It's confusing, and I agree.

    What do you think? ;)
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    I don't really think it's a firewall icon. Firewall icons are typically a brick wall. MBAE's icon is a shield with fire inside.
     
  4. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Actually, the icon looks almost exactly like VoodooShield but with the 'V' upside down inside the shield.

    Anyone else see this obvious similarity? :)
     
  5. guest

    guest Guest

    Then it's not a firewall, it's a fireshield :D

    Well, if I remember well, Agnitum, Online Armor and Comodo FW (old version) use a shield as a tray icon.

    Could you take a look at this article?

    http://www.insanitybit.com/2013/06/22/exploitshield-smart-antiexecutable/

    Anything to say? Basically he says ES is worthless and can be easily bypassed.
     
    Last edited by a moderator: Jul 1, 2013
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I agree that firewalls are typically represented by a brick wall, and that is the case of Windows' own firewall, but there are others that also add fire to the brick wall. For example: -http://www.softpedia.com/get/Security/Firewall/Windows-7-Firewall-Control-Plus.shtml (look at the icon)

    Another example, and I'm not sure about the current version's tray bar icon, but the firewall settings tab has a fire icon in it: -http://i1-win.softpedia-static.com/screenshots/Comodo-Personal-Firewall_17.png?1371708824

    (Most likely this kind of confusion comes from these kinds of examples.)
     
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Discussed here already:
    https://www.wilderssecurity.com/showthread.php?t=333127&page=30
    (from post #730)

    Basically the author relies on a lot of hearsay... outdated hearsay.

    I think the root of his problem is with the name "ExploitShield" and "Anti-Exploit" and with his continued requests for us to publicly detail how the technology works (which we of course won't).

    At the end of the day what counts is if the product does what it says it does. In our case Malwarebytes Anti-Exploit is blocking hundreds of vulnerability exploit attacks every day as can be seen at http://www.zerovulnerabilitylabs.com/webconsole/lv.php.
     
  8. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    I have to say that 0.9.2.1200 has been working great for me for the last couple weeks. W7 Home Premium x64 SP1 production machine with only MBAM Pro as other security software. :thumb:
     
  9. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Is there an ETA for the 1.0 release?

    Also, been using it a couple weeks now and no major problems, just the shielded apps count and the GUI not loading a couple times. :thumb:
     
  10. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    I have run this on my main desktop and on my laptop, both ran MBAE without any problems.

    I think it's quite stable and extremely light for a BETA :thumb:

    The only problem I have at the moment would be, it's not compatible with Sandboxie :(

    and yes...I am aware that I mentioned this before
     
    Last edited: Jul 3, 2013
  11. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    We're shooting for a 1.0 before end of year. There are a few really cool ideas and tech from Malwarebytes we are incorporating into Anti-Exploit beta prior to 1.0 release.

    As for Sandboxie there's not much we can do in the short term. We can't change our hooking mechanism to fix this, it is not trivial and will take some time. Sandboxie could allow us to hook the browser if they wanted to in the meantime.
     
  12. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA

    Nice! I can't wait to see where it's headed. :cool:
     
  13. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Can't wait for future releases, this will be exciting :D

    I hear ya on that, keep up the good work :thumb:

    Thanks
     
  14. Cyrano2

    Cyrano2 Registered Member

    Joined:
    Mar 19, 2010
    Posts:
    131
    Location:
    Spain
    Testing it :D .
     
  15. Maldoran

    Maldoran Registered Member

    Joined:
    May 6, 2013
    Posts:
    37
    Location:
    Norway


    It's running.
    The 0.9.2 is my first install of MBAE.

    I did as suggested and opened my installed FF.
    The GUI showed it as shielded. So it is working. Which is good, but that shows that it doesn't protect portable browsers.
    I'd like to suggest that it is implemented.
    Also I don't know if my Pale Moon browser isn't shielded because it doesn't know PM or because I use the portable version.
    Can you also add the K-Meleon browser?
     
  16. guest

    guest Guest

    Like what? More features?
     
  17. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    The criteria we follow for shielding new apps is that (a) it is widely used and (b) it is actively targeted by exploits.

    For now we support IE (iexplore.exe), FF (firefox.exe and plugin-container.exe), Chrome (chrome.exe) and Opera (opera.exe and opera_plugin_wrapper.exe). There are dozens of alternative browsers out there and most of them are based on one of the above. If your browser of choice is based on one of these and you can rename it to the original filename then MBAE will shield it, but that's not supported officially.

    @guest, sorry, you'll have to wait and see ;)
     
  18. Maldoran

    Maldoran Registered Member

    Joined:
    May 6, 2013
    Posts:
    37
    Location:
    Norway
    Thanks for your answer.

    I just noticed that it supports portable FF. :thumb:
    So I was wrong about that.

    In regard to your suggestion about renaming Pale Moon to FF, I tried that but it didn't work.
    Something needs to be changed that I'm not aware of.
    I changed the name of the portable launcher, the name of the INI file, the name in the splash in the INI file and the PaleMoon file in the Bin directory.
     
  19. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    I downloaded Pale Moon and with 3 small changes you can make it work with Malwarebytes Anti-Exploit:

    1- In Palemoon-Portable.ini change the Appname variable under [Setup] to "firefox" (without the quotes) instead of "Palemoon".

    2- On disk, rename the directory \Bin\Palemoon to \Bin\firefox

    3- On disk, rename the file \Bin\firefox\palemoon.exe to \Bin\firefox\firefox.exe

    That should do it. Simply launch Palemoon-Portable.exe as you normally would and Malwarebytes Anti-Exploit will shield it as if it were the regular firefox.
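
The filename-based shielding from post #17 and the three-step Pale Moon rename from post #19, as an added example that is not part of the original thread and is not Malwarebytes code. It assumes matching is by file name only and case-insensitive; the directory tree and INI contents in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

# Executable names listed in post #17 as shielded by MBAE 0.9.x.
SHIELDED = {"iexplore.exe", "firefox.exe", "plugin-container.exe",
            "chrome.exe", "opera.exe", "opera_plugin_wrapper.exe"}

def is_shielded(exe_path):
    """Assumption: matching is by file name only, case-insensitively."""
    return Path(exe_path).name.lower() in SHIELDED

def set_appname(ini_path, new_name="firefox"):
    """Step 1: rewrite Appname under [Setup], leaving other lines untouched."""
    section, out, changed = None, [], False
    for line in ini_path.read_text().splitlines():
        header = re.match(r"\s*\[(.+?)\]\s*$", line)
        if header:
            section = header.group(1).lower()
        elif section == "setup" and re.match(r"\s*appname\s*=", line, re.I):
            line, changed = f"Appname={new_name}", True
        out.append(line)
    ini_path.write_text("\n".join(out) + "\n")
    return changed

def rename_for_shielding(root):
    """Apply the three steps to a portable Pale Moon tree; return the new exe."""
    root = Path(root)
    if not set_appname(root / "Palemoon-Portable.ini"):
        raise ValueError("no Appname entry under [Setup]")
    new_dir = root / "Bin" / "firefox"
    (root / "Bin" / "Palemoon").rename(new_dir)       # step 2: rename directory
    exe = new_dir / "firefox.exe"
    (new_dir / "palemoon.exe").rename(exe)            # step 3: rename executable
    return exe

def demo():
    """Build a constructed directory tree and run the procedure on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Bin" / "Palemoon").mkdir(parents=True)
        (root / "Bin" / "Palemoon" / "palemoon.exe").write_bytes(b"")
        (root / "Palemoon-Portable.ini").write_text(
            "[Branding]\nAppname=Other\n[Setup]\nAppname=Palemoon\nSplash=1\n")
        before = is_shielded(root / "Bin" / "Palemoon" / "palemoon.exe")
        exe = rename_for_shielding(root)
        ini = (root / "Palemoon-Portable.ini").read_text()
        return before, is_shielded(exe), exe.exists(), ini
```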
     
  20. Maldoran

    Maldoran Registered Member

    Joined:
    May 6, 2013
    Posts:
    37
    Location:
    Norway
    Thank you. That kind of did it. :thumb:
    MBAE shows 1 protected app when I launch PM but there's no entry in the log window.
    Perhaps that is not important.
    Now I just need to figure out how to keep my prefs and addons under the new conditions.
    PM opens as a new browser with no addons and default prefs.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, I also wondered about this. I wonder if Malwarebytes Anti-Exploit is using more advanced techniques to block malware.

    I mean wouldn't a tool like EXE Radar Pro do the same? Or perhaps standard execution blockers are less powerful? :)
     
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, MBAE includes more protections such as memory exploit detection and we are adding more advanced memory techniques as well.

    I really like ERP but I don't think it's designed for the average user nor specifically for exploits. I've seen exploits bypass it via regsvr and rundll and I'm fairly sure memory-only exploits can bypass it as well.
     
  23. Any idea when the version which has the option to disable protection for an application will be released (I still have this Word problem on x32 bits which your QA contacted me for to run some tests).

    Regards Kees
     
  24. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Not any more!
    Those YouTube videos were made with the older Free version, which is now abandoned.
    Newer versions have regsvr32 and rundll32 in the Vulnerable list and will give you a popup when executing (or auto-block in lockdown mode).
     
  25. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    We're QA'ing the fixed version. Will be released asap.
     