Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Don't really know much about AppGuard. I have never tried it so can't say if it would duplicate VS and MBAE combo. I am running a similar setup to what I had on my now history x86 machine. Went with MBAE instead of EMET 4.1 and cannot install my all time favorite DefenseWall as it is x86 only. I already was familiar with Emsisoft AM and VS. Just added MBAE to complete my current x64 setup.
     
  2. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    429
    Location:
    Australia
    fair enough :thumb:
    Thanks G1111

    -cheers,
    feandur
     
  3. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    In regards to exploits I see a benefit of running MBAE together with AppGuard, but VoodooShield not so much. As far as I know VS is a very basic anti-executable, which means it might stop a payload from executing at the very end. That's about it. Both AppGuard and MBAE already offer protection against exploit payloads, so there is no benefit in running them together with VS. Further, I don't know how critical the disabling of the UAC is in exploitation scenarios, which VoodooShield does. With disabled UAC a process which has been taken over might run with high integrity instead of untrusted / low / medium.

    On top of that AppGuard and MBAE have more protections in place which can disrupt an exploit at an earlier stage.

    Thanks to the Guarded Apps, Memory Guard and Privacy Mode protections AppGuard might mitigate the damage an attacker can cause by severely restricting the abilities of the processes, which have fallen victim to remote code execution, to interact with the rest of the system.

    MBAE probably has some redundancies with AppGuard when it comes to payloads, but it might offer more protection at earlier stages and additional protection at same stages (Layer 1: Protection Against Operating System Security Bypasses, Layer 2: Memory Caller Protection). So this might indeed be a good combo.

    Please take my comment with a grain of salt, because this is just a layman's point of view.
     
  4. guest

    guest Guest

    That is about to change, VoodooShield 2 will include a cloud AV that will check the unknown files against 50 (approx) AVs in the cloud. Like HitmanPro, with more AVs and in real time.
    SecureAPlus is going in the same direction with the universal AV.
    Both products are in beta now.
     
  5. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    That doesn't change anything about what I said.
     
  6. guest

    guest Guest

    Well, in your use case there is no difference between an anti-exe and an anti-exe that checks the files against 50 AVs in the cloud...
    I'm not being ironic
    For me it makes sense because in my setup I don't have any real time AV, so VS or SAP are useful and don't have any performance impact.
     
    Last edited by a moderator: Mar 28, 2014
  7. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    I was referring to the three programs' abilities in regards to exploitation mitigation. The only protection VS offers is final stage payload execution prevention, if anything. G1111 is already using programs that block payloads, so he would gain nothing from it. The fact that VS might check a potential payload against VirusTotal aside from blocking its execution changes nothing for the better in terms of exploit mitigation. Suffice to say, if the payload is blocked anyway, why should I care about a silly VirusTotal scan?

    Exploitation scenarios are much more complex than just dropping a payload. That's why mitigation at earlier stages is so important, like making remote code execution more difficult (MBAE layer 1 & 2, EMET) or confining those processes, which are likely to be targeted, so that they can interact as little as possible with the rest of the system (Chromium sandbox | AppGuard: Guarded Apps, Memory Guard, Privacy Mode | Sandboxie | Advanced HIPS rules | Behavioral analysis that detects and blocks process manipulation, code injection etc...).
     
  8. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    You can already do that now with VS. Although a brand new zero-day may be detected by a few on VT leaving the user wondering if the few detections were FPs.
     
  9. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Hi Guys,

    Running current MBAE, MBAM, & 360 IS - I downloaded a song & 360 immediately quarantined it as having a TR (sorry, missed the name). After that MBAE was gone from the tray, and 360 & MBAM could not be used. I rebooted to safe mode & used a current restore point. Then a bunch of scanning; all is well now.

    MBAE did not seem to be helpful, & needed to be re-installed. I was using FF when downloading the song & thought MBAE would protect.
     
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    If it was malware that you downloaded and executed (instead of an exploit media file) then it's normal that MBAE would not have stopped it as it's outside the scope of MBAE.

    What do you mean exactly by this?

    If you can provide or PM me a link to the file you downloaded we can take a closer look at it.
     
  11. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Thanks for the details via PM Rico.

    From what I can tell what you've downloaded is malware, not songs or exploit. The files are named "Robert Gordon - The Fool.exe" and are detected by a large number of anti-malware products, including MBAM.

    Related hashes for lookups:
    363b6c5aac2a45904c9c66fa5e0930d7d99f502961c98c313a2eeb652baf8388
    9da265764f4b93dd8a3b47d9da16e8b2af04d1b125162d6ebd17d534d2408331
     
  12. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    340
    Location:
    Colorado Springs
    This is kind of a strange question; in Firefox, to get the best performance, I run it with the plugin container disabled as well as turning off Flash's protected mode/plugin container. Will that cause MBAE to potentially not block an exploit or cause any conflicts in Firefox? I haven't noticed any conflicts but am concerned that changing the default way Firefox runs plugins might cause MBAE not to block an exploit. Thanks!
     
  13. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    No good:

    OS Windows XP SP3
    I.E.8
    Microsoft Update (today)
     
  14. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
  15. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    OS Windows 7 64 bit
    S.U.A.

    Conflict with new LibreOffice 4.2.3.3.
    Impossible installation.
    Uninstalled.
     
  16. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,341
    Location:
    Québec, Canada
    Why didn't you just stop the Protection for the installation and reenable it afterwards?
     
  17. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    "stop" not available with SUA.
     
  18. singularity

    singularity Registered Member

    Joined:
    Mar 6, 2014
    Posts:
    76
    Location:
    India
    Malwarebytes Anti-Exploit is preventing me from running IE 11 and MS Office 2013. They run fine if I turn off protection.
     
  19. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
  20. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    I turned on the "enable self-protection module" under Advanced Settings of MBAM v2.0.1.104 for the first time, recently.

    I noticed, just now, that when I booted, that MBAE was not loading at startup any more.

    I checked that the MBAE service wasn't started, so I tried to manually start it...however, I got the following:

    ---------------------------
    Services
    ---------------------------
    Could not start the Malwarebytes Anti-Exploit Service service on Local Computer.

    Error 1053: The service did not respond to the start or control request in a timely fashion.
    ---------------------------
    OK
    ---------------------------


    It wouldn't start, so I decided to disable the "enable self-protection module" in advanced settings in MBAM.

    Went into services XP, and was able to start the MBAE service, then start MBAE from the desktop shortcut.

    It seems that when I changed that setting in MBAM, it prevented MBAE from starting.

    Is this a known issue?
     
  21. cyberlost24

    cyberlost24 Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    145
  22. cyberlost24

    cyberlost24 Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    145
    This problem has finally been addressed.....QUOTE:
    "This is a known issue that only happens under Windows XP. Basically MBAM's Self-Protection prevents MBAE from writing to its log directory which is protected by MBAM. This same issue is not a problem under Vista, Win7 or Win8. It only happens under XP. It is neither a bug of MBAM nor a bug of MBAE, just a small conflict.

    If you are using this combination (Windows XP + MBAM + Self-Protection + MBAE) the workaround until we fix this conflict is to simply disable Self-Protection."
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    How is this one as a security program?
     
  24. cyberlost24

    cyberlost24 Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    145
    I like it ...very low on resources.....VERY minimal GUI ..(for now)....Has to be good if it comes from the Malwarebytes folks...:p
     
  25. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Actually it comes from ex-Panda guy(s).
    :)
     