Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Haakon thanks, I think I recently signed up there if I can only remember my password lol
     
  2. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    pbust e-mail sent

    thank you
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Sent you email!

    Yes this is one of the main issues we are dealing with in order to make it as seamless as possible to non-technical novice users. That's the main design principle which we are working on. We do not want to create a complex product, but at the same time want to allow technical users easy access to advanced settings.

We've added a few more FP and conflict resolution levers to the anti-exploit and anti-ransomware technologies. Granted, what you are saying about EMET and HMPA is right, but there are some things we can do automatically to minimize the effects. We are still testing these dynamic configuration options.

We will not lose our roots of believing in layered protection and being compatible with most or all of the security solutions out there. This is another of the guiding principles behind this new product. You'll be able to activate any technology or combination thereof in order to continue layering however you want, such as for example using MBAM's anti-malware tech only with EMET and WinAntiRansomware instead of MBAE and MBARW (or continue using MBAE standalone with whatever else).

    Of course this is no small project and I'm sure we'll have our share of bugs during beta, but we are doing our best to come up with a really cool product which we hope you'll all like.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Interesting idea to combine MBAE, MBAM and MBARW! If you also added a simple firewall, then it would be quite a strong security suite. But I do agree with others that sometimes it's better to use standalone products, so I'm not sure what to think.
     
  5. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
After uninstalling Cylance (and it was hard to do), Anti-Exploit now works with IE,
and so you were right about Cylance and Anti-Exploit causing issues.
     
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Thanks for confirming! As mentioned via email, just injecting a DLL into IE should not be cause for conflict (which is what they said) unless they are doing it incorrectly. We are trying to get our hands on the Cylance product to troubleshoot the conflict, but this is proving harder than it seems.
     
  7. The Seeker

    The Seeker Registered Member

    Joined:
    Oct 24, 2005
    Posts:
    1,339
    Location:
    Adelaide
    Forgive me if this has already been asked, but I've noticed since using MBAE that a lot of my favicons no longer appear in Google Chrome. Is this expected behaviour?
     
  8. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Never heard that one before as far as I can remember.
     
  9. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,008
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, better uninstaller and GUI is still on schedule. But the better GUI will be based on the common product.
     
  11. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,008
    Thank you! :thumb:
     
  12. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,925
The GUI is a bit small and seems a bit outdated. Concerning uninstalling using NSIS, I can help you guys out.
     
  13. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Thanks for the offer Brummelchen! We already have it in the backlog (removal of Run key during uninstall). Should be there soon.
     
  14. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    60
    Google Project Zero recently reported these AV vulnerabilities:

    http://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html

    Question: does MBAE 1.08.1.2563 (which I use) or 1.09 (experimental) kick in with its protection to take up the slack from these vulnerabilities?

    The technical side is beyond my grasp, but, the GPZ report states: "These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."

    Thanks.
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    That is old news. From your link: "Thanks to Symantec Security Team for their help resolving these bugs quickly.".
     
  16. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    60
    Old news perhaps .. but, mate, let's keep the Symantec comments in that forum. And, as you should know, the options are less than perfect for lots of their users.

As for MBAE, I don't see an answer to my query. Hope ZeroVulnLabs ("pbust") jumps in with an authoritative reply .. if there is such a thing.
     
  17. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,008
    Jun 28....,....
    https://www.wilderssecurity.com/threads/tavis-ormandy-vs-antivirus-discussion.385510/#post-2598406
    --
     
  18. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    60
    Thanks, but still no reply to the core of my query.

    The Symantec patch requires users to update to 22.7, which, as of yesterday, results in BSOD on some users' computers. Version 22.6 and 21.7 are reportedly not covered by this patch. However, as I said, these Symantec comments are really out of place here.
     
    Last edited: Jul 8, 2016
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
I can't say how many of these MBAE can protect against, BUT for protection you would have to add Symantec's processes to MBAE, which is not recommended because it can cause all kinds of issues. It is in general not recommended to add processes from security software to anti-exploit protection, whether that is MBAE, HMP.A, EMET or some other tool doesn't matter.
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    But your link directly questions Norton / Symantec. If you don't want anyone to comment on Norton / Symantec, why post that link?
     
  21. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    No, because it does not look for exploits in security software. Aside from that, thanks to Symantec's ntoskrnl.dll copy, an attacker can craft exploits for programs that anti-exploit watches, without anti-exploit noticing, because it is watching original ntoskrnl.dll, but the attacker can use Symantec's ntoskrnl.dll instead.
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Please excuse my ignorance but perhaps you mean ntdll.dll?
     
  23. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    60
    Thanks. I can see the logic in that argument.
     
  24. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    60
    Well, too bad. It seems I have to employ Plan C for some of my legacy computers as they can't run any Norton 22.x AV software and thus must stay on 21.7 .. which is not patched for the time being (and may never be unless there is a change of heart by Norton). Thanks.
     
  25. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    Yes, of course. Thank you!
     