Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    With CIS running when you launch a browser, check with SysInternals ProcessExplorer (Find / Find Handle or DLL) and search for mbae.dll. Is it injected in the browser process space?
     
  2. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Thanks, pbust, for the reply. I'll keep watching to see if compatibility can be accomplished at some future point. :thumb:
     
  3. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Yes, with CIS HIPS in Paranoid or Clean PC the shielded IExplorer, Opera and Firefox got this injection.
     
  4. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Cool, thanks for confirming. Last I heard from the Comodo guys a while back they were going to fix it so I guess it was fixed already. I will take it out of the incompatibility list. Thanks again!
     
  5. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    U r welcome. :)
    And thanks for teaching how to check these dll injections. I didn't know.
     
  6. guest

    guest Guest

    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Does this issue also affect Chrome?
    Does it also happen with Webroot SecureAnywhere 2104?

    Will there be a free version with at least browser protection, win script host... the basics?
     
    Last edited by a moderator: Oct 19, 2013
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    WSA's IdentityProtection affects IE and FF by default AFAIK. As for 2014, here's Joe's answer:
    https://www.wilderssecurity.com/showpost.php?p=2285809&postcount=95

    There will be some type of freemium model, but details are not yet final. In addition everyone who participates and provides valuable feedback during the beta here at Wilders and Malwarebytes forum will get a free license.
     
  8. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    My Shielded Applications number still doesn't go down when I close Chrome. Is that still a bug or is it just affecting me?
     
  9. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Yes it's a bug. I'll add it to the known issues list.
     
  10. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,172
    Location:
    Canada
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    FYI

    So I booted up my computer, no MBAE icon in taskbar. Went to task manager and stopped the process, then went to the start menu, clicked on the icon, and the MBAE icon showed up in the taskbar again, so this works.
     
  11. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
  12. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Did you add mbae-test.exe to EMET?
     
  13. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
  14. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Immagine.JPG
     
  15. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    I'm assuming the screenie means that the exploit test was not blocked by emet? Can you please also post a screenshot of processexplorer when this happens.
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    I just tried and EMET 4 blocks successfully when mbae-test.exe is added.

    So, then security software with exploit protection that protects the major browsers, pdf readers, media players etc but not mbae-test.exe will automatically fail the test? That would mean your comparison on Youtube is unfair and not exactly a good test.

    I also tried to copy the test to a computer without Anti-Exploit installed, but when I tried to run it, it said some DLL was missing. Do you plan on releasing the test separately?
     
    Last edited: Oct 20, 2013
  17. guest

    guest Guest

    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    I'm using WSA 2014, Malwarebytes Anti-Exploit and HitmanPro.Alert with Chrome and I haven't noticed any problem. This is why I'm asking: what kind of issues should I have with this combination?
    Everything seems to be working fine.
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Yes you're right, I noticed that same thing after making the video. But then I also tested with mbae-test.exe renamed as %ProgramFiles%\Mozilla Firefox\firefox.exe and the results were the same. You can try this yourself.

    I'm guessing the missing DLLs are from the Visual C++ debug runtimes. You can download them from here:
    http://www.megafileupload.com/en/file/462633/Debug-DLLs-rar.html

    EDIT: changed URL to point to a file sharer that doesn't require installation of crappy Download Manager.
     
    Last edited: Oct 20, 2013
  19. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Issues with WSA detailed here:
    https://www.wilderssecurity.com/showpost.php?p=2285600&postcount=92

    Joe from Webroot confirmed they will fix it after releasing WSA 2014:
    At this point, the initial 2014 release is locked down but we should be able to get this into the first update.

    Can you double-check to see if the issue is resolved in your install of WSA?
     
  20. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    Last edited: Oct 20, 2013
  21. guest

    guest Guest

    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    I don't have FF installed, but with IE it seems to work OK.
    I have closed and opened IE several times:
    1) IE appears protected in the M antiexploit log
    2) The lock appears in the WSA icon, indicating that it is protecting IE
    3) Hitman pro alert popup appears.
    4) Not a single alert, popup, log... or anything that could indicate a conflict.

    Bug: The MAE log doesn't update when I have opened IE several times. That means that if I open and close IE 4 times, the log will only create an entry the first time. But if I clear the log between each iteration, it will create a new entry.
     
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Can you check the following:

    1- While having both WSA and MBAE running, open IE
    2- Use the Find option within ProcessExplorer to look for mbae.dll

    Does mbae.dll show up under the IE process space?
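
The Process Explorer check described in the post above (searching each browser's process space for mbae.dll), scripted in PowerShell as an added example that is not part of the thread or of any Malwarebytes tooling. The function name `Test-ModuleLoaded` and the `Status` values are hypothetical; the browser process names and `mbae.dll` are taken from the posts.

```powershell
# Added example: report, per running browser process, whether a given DLL
# is mapped into its address space. Function name is hypothetical.
function Test-ModuleLoaded {
    param(
        [string[]]$ProcessName = @('iexplore', 'firefox', 'opera', 'chrome'),
        [string]$ModuleName = 'mbae.dll'
    )

    # Browsers that are not running are skipped silently.
    foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        $status = 'NotLoaded'
        $path = $null
        try {
            $mods = @($p.Modules)
            $hit = $mods | Where-Object { $_.ModuleName -ieq $ModuleName } |
                Select-Object -First 1
            if ($hit) {
                $status = 'Loaded'
                $path = $hit.FileName
            } elseif ($mods.Count -eq 0) {
                # Nothing could be enumerated (access denied, protected or
                # exiting process): do not report this as "not injected".
                $status = 'Unknown'
            }
        } catch {
            $status = 'Unknown'
        }

        [pscustomobject]@{
            Process = $p.ProcessName
            Id      = $p.Id
            Module  = $ModuleName
            Status  = $status
            Path    = $path
        }
    }
}

# Caveat: a 64-bit PowerShell host may see only the 64-bit modules of a
# 32-bit browser process. Run the check from a host of the same bitness
# as the browser, or confirm a NotLoaded result in Process Explorer.
Test-ModuleLoaded | Sort-Object Process, Id | Format-Table -AutoSize
```

A browser that reports `NotLoaded` while another security product is active, and `Loaded` once that product is disabled, matches the conflict the thread is tracking down.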
     
  23. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Don't know how I did it, but just crashed MBAE:

    Got a pop-up from Microsoft C++ Debug Library (indicating)

    Debug Assertion Failed!

    Program C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
    File: f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgdel.cpp
    Line: 52

    Expression: _BLOCK_TYPE_IS_VALID(pHead->nBlockUse)

    =====================

    Here's the information from Reliability Monitor, assuming it's meaningful/helpful to you:

    Description
    Faulting Application Path: C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe

    Problem signature

    Problem Event Name: APPCRASH
    Application Name: mbae.exe
    Application Version: 0.9.4.1000
    Application Timestamp: 5257defd
    Fault Module Name: MSVCR100D.dll
    Fault Module Version: 10.0.30319.1
    Fault Module Timestamp: 4ba220e7
    Exception Code: c0000005
    Exception Offset: 00000000000d3505
    OS Version: 6.1.7601.2.1.0.256.48
    Locale ID: 1033
    Additional Information 1: 2aed
    Additional Information 2: 2aed0b7a352c55b136593db7c1694604
    Additional Information 3: 5497
    Additional Information 4: 549782914dacf17991d40458ada7e0aa

    Extra information about the problem
    Bucket ID: 136236687
     
  24. guest

    guest Guest

    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    You are right, it doesn't appear under IE process space, it works only when I disable WSA protection. But it works correctly, apparently in chrome.

    WSA is about to deploy a new version of Identity shield on WSA 2014, I will try again once it's released
     
  25. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    I seem to remember a similar situation under XP with EMET4. It seems to block the exploit but crashes the application before it can show the EMET alert. But under Win7 it should work ok.
     