Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    That post was from when MBAE only included Layers 2 and 3 in terms of protection ("Malicious Memory Caller" and "Application Behavior" layers). Since then MBAE has evolved quite a bit and now includes a Layer 0 called "Application Hardening" and Layer 1 "Protection Against OS Security Bypasses". Some of the techniques included in the layers 0 and 1 do conflict with EMET as they are similar in nature (anti-heapspraying, stackpivoting, ROP, etc.). Therefore our recommendation nowadays is that MBAE is a much more complete and stronger offering than EMET and should replace it to provide stronger protection, more coverage against third-party applications and a more seamless user experience in terms of conflicts and FPs.
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
  3. rpsgc

    rpsgc Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    312
    Location:
    Portugal
    Does that also apply to the free version of MBAE?
     
  4. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    It applies to MBAE Free when it comes to browsers, browser add-ons and Java (remember that EMET doesn't actually detect Java exploits, it simply disables Java). Of course if you only have MBAE Free it is always recommended to continue using EMET for other applications such as Office, PDF readers, etc.
     
  5. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Does MBAE protect against drive-by downloads?
At least it says this on Malwarebytes' own website: true or false?
     
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
There are different definitions for "drive-by downloads". To me the most correct is the one that involves exploits as it does not require user interaction. If that's the case then yes, MBAE protects against drive-by downloads.

    However if your definition of "drive-by" includes manually downloading and executing an EXE, then no. But in this case I think your definition is wrong as that is social engineering.

    https://forums.malwarebytes.org/index.php?/topic/136424-frequently-asked-questions/#entry846346
     
  7. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
No, I definitely don't mean by manually downloading files, because my friends got infected by drive-by downloads which required no user interaction; none of my friends have ever manually downloaded any kind of exes or similar.
How come they could get infected via Google Chrome, which is supposed to be sandbox protected? When I detected the problem it turned out that it wasn't the Google Chrome sandbox itself that was bypassed; it was one of its weak points back then, one of the plugins or Flash Player. It doesn't make any sense to me, so the best thing is to have anti-exploit software and/or Sandboxie.
     
  8. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Typically plugins like Flash or Java are the culprits under those infection scenarios.

As for Sandboxie vs MBAE I would choose one or the other. I know this will probably spark a debate and I'm clearly biased, but under the same conditions (Free MBAE vs Free Sandboxie) I prefer Free MBAE for non-techie friends and family as it is more hands-off, transparent, doesn't require management, install and forget, auto upgrades, etc. Yes I know there's other things that Sandboxie does that MBAE doesn't, but for that I use MBAM + MSE (or any other free AV).
     
  9. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Good, then you have the correct definition. You'd be surprised what others consider a drive-by. Even AMTSO and its supporting members listed there think a normal download of eicar qualifies as a drive-by.
    http://www.amtso.org/check-desktop-drive-by-download
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I agree, when it comes to preventing exploits it depends a bit on what type of user you need to protect. For some SBIE might be too confusing or intrusive.
     
  11. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    I can finally relax now. I put a MBAE Shield on AppGuard and HitmanPro...lmao
     
  12. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
So what do MBAM+MSE do that is equivalent to Sandboxie??

    I would choose Sandboxie and if needed an anti-exploit tool which is compatible. There are great alternatives.
     
  13. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.

"Choose one or the other": is this because MBAE cannot fully protect a program running in SBIE, or just too complicated to set up?
I am talking about a 64-bit browser and machine.
     
  14. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Any potential conflicts by doing that with those two security apps?
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi,

    I've noticed that many analyses use "remote code execution," or "arbitrary code execution" rather than "drive-by download," to indicate code execution that infects the computer with no user intervention.

    As an example, a recent Microsoft Technet bulletin:

    https://technet.microsoft.com/library/security/ms14-080
    And the pertinent CVE reference:

    CVE-2014-6363
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6363
    And from securityfocus.com:

    Microsoft VBScript CVE-2014-6363 Remote Code Execution Vulnerability
    http://www.securityfocus.com/bid/71504/discuss
    (My bolding above). The affected application in this case is Internet Explorer.

    In years past, "drive-by download" often referred to code on a web page that triggered an exploit -- something occurred while on the site that wasn't supposed to happen. It could be a download prompt, tricking a user into downloading the malware. The fake Antivirus exploits from several years ago would fall into that category. It was confusing, because "drive-by" in most places referred to "no user action." Perhaps that is why "remote code execution" seems more widespread now.

    So, when landing on the amtso.org page, "a simulated 'drive-by download' is initiated" with this code:
Code:
<iframe src="http://eicar.org/download/eicar.com"></iframe>
    resulting in:

[screenshot attachment: eicar_1.jpg]

    Clicking to download is supposed to test your Anti-Malware solution, so let's click and see:

[screenshot attachment: eicar_2.jpg]

    While this may test one's Anti-Malware solution, I agree that it is not a true remote code execution exploit, where user interaction is not required.

However, I wonder whether setting this up as a true remote code execution exploit might be problematic, since some systems wouldn't respond to the code: a PDF plug-in exploit, for example, if the user didn't have the plug-in enabled. Or if the vulnerability were patched on the user's system.

    Perhaps there is some generic remote code execution method that could be used in this type of test?

    Regards,

    ----
    rich
     
    Last edited: Dec 17, 2014
  16. guest

    guest Guest

Is the new version compatible with HPA3?
     
  17. guest

    guest Guest

    You can always install both and see whether your applications stay responsive
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    I didn't say equivalent. I just said for the scenarios not covered by anti-exploit (meaning social engineering delivered malware) the combo of MBAM+MSE provides very good coverage.

    As mentioned: "I prefer Free MBAE for non-techie friends and family as it is more hands-off, transparent, doesn't require management, install and forget, auto upgrades, etc."

    I agree that RCE is the more correct of the two terms, but I believe its use is restricted mostly to technical circles. In the general media the term "drive-by download" seems to have stuck more with non-techie folks, probably for the tragic similarities to the PC with the real-world concept of "drive-by shootings".

    Should be the same as the Experimental 1.05 builds. We don't test specifically against HMPA or EMET in our QA process, but users have reported it working together as of 1.05.
     
  19. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    Hi Pedro.

    http://ipv4.os3.nl/_media/2013-2014/courses/ot/bas_hoda.pdf

    EMET fails:

Winrar ( CVE: N/A )
This module abuses a filename spoofing vulnerability in WinRAR. The vulnerability exists when opening ZIP files. The file names showed in WinRAR when opening a ZIP file come from the central directory, but the file names used to extract and open contents come from the Local File Header. This inconsistency allows to spoof file names when opening ZIP files with WinRAR, which can be abused to execute arbitrary code, as exploited in the wild in March 2014

Maxthon ( CVE: N/A )
Cross Context Scripting (XCS) is possible in the Maxthon about:history page. Injection in such privileged/trusted browser zone can be used to modify configuration settings and execute arbitrary commands. Please note this module only works against specific versions of XCS. Currently, we've only successfully tested on Maxthon 3.1.7 build 600 up to 3.2.2 build 1000.

MBAE blocks these exploits where EMET fails?
    TH.
    ;)
     
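The WinRAR issue quoted above comes down to one archive carrying two sets of file names: the ones in the central directory (what the GUI lists) and the ones in each Local File Header (what actually gets written to disk). That inconsistency can be checked for before an archive is opened. The script below is an added example for this thread, not code from the paper, Malwarebytes or EMET; it assumes Python 3's standard zipfile module and builds a constructed in-memory archive, then patches one local header name, to exercise the check.

```python
"""Flag ZIP entries whose central-directory name and local-header name differ.

Added example for this thread (not code from the quoted paper, MBAE or EMET).
Assumes only Python 3's standard library; the sample archives are constructed
in memory so the script runs offline.
"""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_LEN = 30          # fixed part of a local file header
FLAGS_OFFSET = 6               # general purpose bit flag (bit 11 = UTF-8 names)
NAME_LEN_OFFSET = 26           # file name length field
UTF8_FLAG = 0x800


def find_name_mismatches(zip_bytes: bytes) -> list:
    """Return (central_name, local_name) pairs that disagree.

    zipfile gives us the central directory (the names a viewer displays).
    For each entry we seek to its header_offset and read the name stored in
    the Local File Header (the name an extractor uses), then compare.
    local_name is None when the local header is missing or malformed.
    """
    mismatches = []
    buf = io.BytesIO(zip_bytes)
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            buf.seek(info.header_offset)
            hdr = buf.read(LOCAL_HEADER_LEN)
            if len(hdr) < LOCAL_HEADER_LEN or hdr[:4] != LOCAL_HEADER_SIG:
                mismatches.append((info.filename, None))
                continue
            flags = struct.unpack_from("<H", hdr, FLAGS_OFFSET)[0]
            name_len = struct.unpack_from("<H", hdr, NAME_LEN_OFFSET)[0]
            raw_name = buf.read(name_len)
            # Same decoding rule the ZIP spec (and zipfile) applies.
            encoding = "utf-8" if flags & UTF8_FLAG else "cp437"
            local_name = raw_name.decode(encoding, errors="replace")
            if local_name != info.filename:
                mismatches.append((info.filename, local_name))
    return mismatches


def make_sample_archives():
    """Build a clean archive and a constructed copy with a spoofed local name.

    The first local header sits at offset 0, so its name starts at byte 30.
    Both names have the same length so no other field needs adjusting.
    """
    clean = io.BytesIO()
    with zipfile.ZipFile(clean, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("notes.txt", "constructed sample content")
    clean_bytes = clean.getvalue()

    spoofed = bytearray(clean_bytes)
    name_slice = slice(LOCAL_HEADER_LEN, LOCAL_HEADER_LEN + len(b"notes.txt"))
    assert spoofed[name_slice] == b"notes.txt"
    spoofed[name_slice] = b"notes.bin"      # central directory still says notes.txt
    return clean_bytes, bytes(spoofed)


if __name__ == "__main__":
    clean_zip, spoofed_zip = make_sample_archives()
    for label, data in (("clean", clean_zip), ("spoofed", spoofed_zip)):
        result = find_name_mismatches(data)
        if result:
            print(f"{label}: name mismatches -> {result}")
        else:
            print(f"{label}: central directory and local headers agree")
```

The check only reads headers, so it can run on an archive before any content is extracted. Python's own zipfile raises BadZipFile with "File name in directory ... and header ... differ" when you open() such an entry, which is the behaviour an archiver should have had; the function above reports every mismatch at once instead of failing on the first.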
  20. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    The WinRAR exploit is outside the scope of both EMET and MBAE. It is not a typical remote code execution exploit. Not sure why they included this example in the paper. If they knew what they were doing they would know that this type of exploit is outside the scope of EMET.

    The Maxthon issue depends on how it is weaponized, but most likely it would be stopped by MBAE if weaponized.
     
  21. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,341
    Location:
    Québec, Canada
    Hi Pedro.
Do you think MBAM+MBAE (both premium) would be enough, or is another AV recommended?
     
    Last edited: Dec 18, 2014
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    You should at the very least have the free Operating System AV (MSE/Defender) active as well, or some other free AV. I think this combo (MBAM+MBAE+MSE) is stronger than many Internet Security Suites out there that have a lot of unnecessary fluff like firewalls, tuneup, etc.
     
  23. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Not yet under Windows 7 64-bit with HMP.A build 124 or 125. Build 120 works fine. A new HMP.A version will be released with a compatibility fix I believe.
     
  24. 142395

    142395 Guest

Pedro, I can understand memory protection won't protect from this kind of application design flaw vulnerability, but if it is used in a real attack, most likely the attacker will try to perform a so-called drive-by download and MBAE's layer 3 protection will catch it, won't it?

Many discussions here seem to recommend adding only internet-facing apps and media players, document viewers etc., but archiver programs actually have quite a record of vulnerabilities, so I personally recommend adding them to anti-exploit protection unless it causes issues. Maybe the "other" profile is suited?
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
Hi, does the free version of MBAE protect Chrome's built-in PDF reader and Pepper Flash? Also does MBAE protect the Metro version of IE in Windows 8.1?

    Thanks
     