Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Thanks for the info @FleischmannTV
     
  2. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    340
    Location:
    Colorado Springs
    Quick question; I recall earlier Betas had only 1 process and the latest appears to have 2 processes running. Is this correct?

    Thanks
     
  3. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Yes, that's correct. MBAE now runs as a service and two processes should appear in your task manager: mbae.exe and mbae-svc.exe

    Here you can find the changelogs for all the past versions:
    https://forums.malwarebytes.org/index.php?showtopic=132660&p=799760
     
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,379
    Location:
    Italy
    Please resolve the incompatibility SimExecFlow:

    [Attached image: Immagine.JPG]

    XP Service Pack 3, EMET 4.1, admin account:

    "Stop protection" available.
     
  5. guest

    guest Guest

    Same issue on Win7 x64 and EMET 5.
     
  6. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,954
    Location:
    North of the 38th parallel.
    Hello @guest & @Sampei Nihira:

    Pedro has been well aware of this problem and it is on his list of "Known Issues & Conflicts".

    I'm sure if it was that simple, we would have rapidly seen a new MBAE release with the fix by now.

    @Sampei Nihira

    It is not necessary to untick all applications in EMET's ROP/SimExecFlow mitigations column. You need only consult the current release MBAE Shields tab and use this as a reference to untick only those ROP/SimExecFlow mitigations in EMET for those applications you actually do use.

    Unticking all will unnecessarily increase your potential attack exposure for applications unrelated to MBAE.

    @guest: I have a similar system setup as yours and I too must untick those applications in EMET 5 TP1 I always run.

    HTH :)
     
    Last edited: Mar 19, 2014
  7. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,379
    Location:
    Italy
    OK
    TH.;)
     
  8. guest

    guest Guest

    While using the Comodo sandbox with the browser, MBAE does not protect the browser. I guess this is the intended behaviour of any sandbox, but I was wondering if it's possible to make MBAE work when the browser is sandboxed.
    HPA is loaded, so I guess the same thing can be done with MBAE somehow.
     
  9. Mmmhhh, when Microsoft stops patching XP, would not that be a great introduction moment for MBAE (say a day after)?
     
  10. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Q1- Does MBAE protect against the same threats that HM.Alert protects against?

    Q2- Is there a REALLY good reason to run both MBAE & HM.Alert? (I hope the answer is "No.")
     
  11. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    MBAE and the current version of HMP Alert, 2.6, are completely different. MBAE protects against exploits (let's say that it guards the door) while HMP Alert mainly alerts you if your browser has been injected by malware, so it would be more like a last line of defense.

    The paid version of HMP Alert 3 (that will come bundled with HitManPro, included in the price of it) will have exploit protection too. The free version will remain more or less the same as it is right now, if I'm not mistaken.
     
  12. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    MBAE protects popular applications (and soon any user-added applications) against vulnerability exploits. It does so using 3 different layers of protection. Each layer includes a handful of mitigations and they all work in sync with one another. More info at our FAQs:
    https://forums.malwarebytes.org/index.php?showtopic=136424

    No.
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Pedro, is it included in Malwarebytes Premium version 2?
     
  14. guest

    guest Guest

    No, for now MBAE and MBAM are separate things; ideally MBAE should be part of MBAM Premium sooner or later.
     
  15. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    That is good to know, thanks buddy for the reply :thumb: :thumb:
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I asked if there is a REALLY good reason to run both MBAE & HM.Alert? Your 1-word reply was . . .
    :thumb: Thanks!

    Ergo: I shall run MBAE & not the udder.
     
  17. guest

    guest Guest

    Just to clarify, they have never said that they will do that, but I think it would be a logical step.
     
  18. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    bellgamin - See: https://forums.malwarebytes.org/index.php?showtopic=135127
    and https://forums.malwarebytes.org/index.php?showtopic=136424
    Should answer any questions you may have about MBAE. I had to get a new computer which is 64-bit. I am now using MBAE with Emsisoft AM, VoodooShield and LooknStop Firewall with no problems.
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Thanks :thumb: Yeah, I was thinking about that too, it will be a good idea.
     
  20. hogndog

    hogndog Registered Member

    Joined:
    Jun 9, 2007
    Posts:
    632
    Location:
    In His Service
    Think I'll try running this alongside Avira Free.. so far no conflicts.. I know it's not a good idea to have too many applications running at the same time.. I guess time will tell.. :)
     
  21. wojtek

    wojtek Registered Member

    Joined:
    Jan 5, 2014
    Posts:
    33
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Some of those mitigations in the datasheet are close to worthless nowadays (BottomUpASLR, NULL, anti-heap, etc.). In addition to memory protections MBAE also has a protection layer for application behavior that protects even after memory mitigations have been bypassed. That's really the main difference between MBAE and EMET and EMET look-alikes.

    In some cases there are memory mitigations that we still need to add, but again, unlike EMET and look-alikes, MBAE is much less impacted by memory mitigation bypasses thanks to its application behavior protection layer.

    Also, there are some things that are straight out wrong in the datasheet, like showing the per-application mitigations as something positive when it is in fact something negative and the cause of many FPs and incompatibilities with third-party software. With MBAE we fine-tune and customize both memory mitigations as well as application behavior mitigations for each protected application with the objective of making it much more compatible and problem-free.
     
  23. wojtek

    wojtek Registered Member

    Joined:
    Jan 5, 2014
    Posts:
    33
    OK, thanks a lot for the detailed explanation :)
     
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: the datasheet, and since HitmanPro.Alert is basically a look-alike of EMET, what is even more surprising is that they did not compare mitigations that EMET does have, such as for example certain ROP techniques (SimExecFlow, LoadLib & EAF) and others such as LdrHotPatchRoutine.

    Finally, having a bunch of mitigations is good, but at the end of the day it's the detection logic of how those mitigations are applied that is even more important. There's nothing to indicate detection logic in the listing and to me that would be more worrying.
     
  25. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    429
    Location:
    Australia
    @G1111
    If running AppGuard in default mode, is there any benefit to also running both VoodooShield and MBAE? .... or would just one of those (VDS or MBAE) be adequate..? [I am also running EAM and a FW - in my case Outpost]

    -cheers,
    feandur
     