Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    If not using the famous SBIE template it can't inject the DLL into the sandboxes. When using the template and MBAE injects it into sandboxed processes I see no conflict though. The only conflict I see is MPC-HC player x64 ed. + Sandboxie + MBAE, so far. MPC-HC crashes and closes.
     
  2. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Can you ZIP the MBAE user data directory and PM it to me? Instructions here.
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  4. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks, I will read about it. BTW, I've noticed that when you add apps to the "media player" template, they will all crash. I have now added XnView and MPC to "other" and all is fine, so you might want to check that. Also, there is no tool-tip support in the "Log" window, and there is no way to edit shields, which is very unhandy.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Actually, after some problems with the HMPA + Sandboxie combo, I'm starting to think that it's perhaps not a good idea to combine anti-exploit with sandboxing. HMPA was interfering with SBIE's hooks. Of course they might be able to fix it, but who says it might not happen again after the next update?

    I'm considering stopping using SBIE as a real-time "anti-exploit" tool, because it doesn't really stop exploits, it just contains them. I think MBAE or HMPA is a better choice. What I like about MBAE is that it injects code only into protected apps; I believe that this approach will stop it from conflicting with other apps. It seems like HMPA might be causing problems even when "anti-exploit" and "safe browsing" are turned off, because it injects code system-wide.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, this is not true, MPC still crashes no matter what template you use. Also, the non-ability to edit shields is really getting on my nerves, can't believe that this isn't possible, has no one ever complained about this?
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    I agree with this, totally.
     
  9. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    Yeah, I know. Sometimes I feel the same.
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Interesting how this site is being exploited systematically so often:
    http://www.speedtest.net/
    http://i.imgur.com/qTLDPss.png

    Congrats MBAE team!!! Great job you are doing so far.:thumb:
    NO SARCASM in my comment, seriously.
    We, the people in general, are very used to receiving complaints, calls, messages, whatever, when something goes wrong, so why not say something when it goes fine and congratulate the person in question? The thing here is that when we do that the comment might be seen as sarcasm while it is not.:)
     
    Last edited: Feb 18, 2015
  11. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    No, you wouldn't be the first to have issues about (viewing or) editing existing shields, and not the last I expect. It has been a rather odd oversight (and not its only one) but one I hope will be rectified soon. I may not have started a new thread on it over at the MBAE forums but I have paid attention to this along with similar threads.

    MBAE appears to be attempting to remain 'easy to use' for home users and sadly this has impacted its advanced users a bit more in ways such as this than one might initially expect. I can't speak for anyone else but I for one am willing to pay a few extra bucks for an upgraded PRO version that is more suited to my needs. Such a version would obviously include the ability to inject into all SBIE guarded apps along with a much more comprehensive set of options to tweak the protections. It would also include more pre-defined rule sets, perhaps even options a bit similar to EMET where I could choose which of the available protection methods should be applied to a given app. Not something that should be opened to home users by any means but if the changes we *want* aren't good for the average home user and an added PRO version (with upgrade options) could be the solution, I'm all for it!

    I'm one of the lucky ones still using SBIE 4 alongside MBAE atm and can't say I've had any real issues. Editing rules is not critical for me but it is still 'up there', as it can be annoying when defining rules and being unable to check or change what you put in, requiring a deletion and re-addition to be sure it's set up the way you meant. There is certainly room for improvement in a multitude of other areas for MBAE as well, but overall I cannot deny that I still love it and it has done its job well.

    @Mr. X~ I couldn't tell if your comment was meant as sarcasm or not. :-/ While I won't say it isn't possible that speedtest.net is serving exploits "unknowingly" it seems to me that it is more likely that it is a false positive, worthy of submitting your logs to MB and having them reviewed for potential compatibility alterations.
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Oh, no sarcasm whatsoever!
    My feeling is genuine. Maybe ZeroVulnLabs could explain us in detail about this though.
    Edit my previous post to eliminate any unintended *sarcasm* trace.
    We, the people in general, are very used to receiving complaints, calls, messages, whatever, when something goes wrong, so why not say something when it goes fine and congratulate the person in question? The thing here is that when we do that the comment might be seen as sarcasm while it is not.:)
     
    Last edited: Feb 18, 2015
  13. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    We'll add the custom shield edit feature in one of the upcoming releases. As for more granular control, we are doing something about this in the upcoming MBAE 1.06.

    Re: speedtest serving malvertising, it wouldn't be the first time. I reviewed Mister X's logs and they didn't look like an FP.
     
  14. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,924
  15. 142395

    142395 Guest

    Thanks for the very detailed explanation!:thumb: I appreciate this kind of test and analysis much more than AV-Comparatives-like tests.

    Well, maybe you forgot MemProt (EMET, HMPA), which can block overwriting execution permission via VirtualProtect even when other mitigations are bypassed?

    I understand the HMPA test tool is not suitable to test real exploit mitigation capability, but I still think having many functions/techniques is basically good as long as they are built upon solid logic and implementation. As erik said, Stack Pivot protection can be bypassed as those anti-exploit tools only monitor critical functions (for performance's sake), thus letting the attacker unpivot before the critical function is called. In that case other mitigations should prevent the whole attack.

    Just as a note, some AVs implemented a behavior lockdown feature even before MBAE/Exploit Shield was born, though I don't know their effectiveness.

    BTW, can MBAE block heap feng shui?
     
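    The two checks discussed above (the stack pivot check that anti-exploit tools perform when a "critical function" is called, and the MemProt-style check that refuses to make stack pages executable) both reduce to the same question: does an address lie inside the thread's real stack? The block below is an added illustration written for this thread, not code from MBAE, EMET or HMPA. It assumes Linux for the demo and reads the main thread's stack bounds from the "[stack]" line of /proc/self/maps (a Windows hook would read StackLimit/StackBase from the TEB instead); the heap buffer used as a "pivoted" stack pointer and the page range passed to the MemProt-style check are constructed inputs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Thread stack bounds as a half-open range [lo, hi). */
typedef struct { uintptr_t lo, hi; } stack_bounds;

/* Assumption for this Linux demo: take the main thread's bounds from the
   "[stack]" mapping in /proc/self/maps. Returns false if unavailable. */
bool read_main_stack_bounds(stack_bounds *b) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return false;
    char line[512];
    bool found = false;
    while (fgets(line, sizeof line, f)) {
        if (!strstr(line, "[stack]")) continue;
        unsigned long lo, hi;
        if (sscanf(line, "%lx-%lx", &lo, &hi) == 2) {
            b->lo = lo; b->hi = hi; found = true;
        }
        break;
    }
    fclose(f);
    return found;
}

/* Stack pivot check done by a hook on a critical function: the stack
   pointer seen at the call must lie inside the thread's real stack. A
   pivoted stack (SP pointing into heap data) fails this test. */
bool stack_pointer_is_sane(uintptr_t sp, const stack_bounds *b) {
    return sp >= b->lo && sp < b->hi;
}

/* MemProt-style check on a VirtualProtect-like request: deny any change
   that would make pages overlapping the stack executable. Requests that
   do not ask for execute rights, or target non-stack memory, pass this
   particular check (other mitigations are responsible for those). */
typedef enum { MP_ALLOW, MP_DENY_STACK_EXEC } memprot_verdict;

memprot_verdict memprot_check(uintptr_t addr, size_t size, bool want_exec,
                              const stack_bounds *b) {
    if (!want_exec || size == 0) return MP_ALLOW;
    uintptr_t end = addr + size;          /* request covers [addr, end) */
    if (end < addr) end = UINTPTR_MAX;    /* clamp on arithmetic overflow */
    bool overlaps = addr < b->hi && end > b->lo;
    return overlaps ? MP_DENY_STACK_EXEC : MP_ALLOW;
}

/* Approximate the current stack pointer with the address of a local. */
static uintptr_t approx_sp(void) {
    volatile char marker = 0;
    return (uintptr_t)&marker;
}

int main(void) {
    stack_bounds b;
    if (!read_main_stack_bounds(&b)) { puts("no /proc/self/maps"); return 1; }
    printf("stack: %#lx-%#lx\n", (unsigned long)b.lo, (unsigned long)b.hi);

    /* Honest call: SP is inside the stack. */
    printf("real SP sane: %d\n", stack_pointer_is_sane(approx_sp(), &b));

    /* Pivoted call (constructed): SP points at a heap buffer. */
    void *heap = malloc(64);
    printf("heap-as-SP sane: %d\n", stack_pointer_is_sane((uintptr_t)heap, &b));

    /* VirtualProtect-style request making the current stack page executable. */
    uintptr_t page = approx_sp() & ~(uintptr_t)0xfff;
    printf("exec on stack page: %s\n",
           memprot_check(page, 0x1000, true, &b) == MP_DENY_STACK_EXEC
               ? "denied" : "allowed");
    free(heap);
    return 0;
}
```

    The bypass 142395 mentions is visible in the design: stack_pointer_is_sane only runs when a monitored function is entered, so a chain that restores the original stack pointer before that call sees a sane SP. That is why the memprot_check and the heap-side mitigations exist as separate layers rather than relying on the pivot check alone.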
  16. 142395

    142395 Guest

    I don't agree; they're completely different products that work on different levels and for different purposes, so there's no better or worse. I know in your case you use HIPS, so SBIE may not be necessary for you; I just don't agree with your statement generally. As Pedro admitted earlier in this thread, or as can be seen in the Microsoft OLE exploit which required MBAE to add protection, some logic flaw vulns can't be protected against by an anti-exploit tool, though I hope behavior lockdown can protect against most of them. In that case, a sandbox or HIPS can still contain and block the whole attack process. Is it rare? Maybe. But an exploit which can't be protected against by a well-configured sandbox is also rare; rather, I don't know of ITW malware which can't be blocked by that, including in-mem malware. And I never understand why so many people only take SBIE as an anti-exploit solution; I use it in many different ways (but I guess you're aware, and so mentioned "as real-time anti-exploit tool").
     
  17. guest

    guest Guest

    I haven't tested MemProt (EMET) myself, writing and testing PoC code also takes some time and I simply can't test any possible scenario.
    The test tool is still very suitable for testing individual mitigations present in a certain mitigation tool, but it has one downside: it doesn't simulate a real attack which could be blocked/prevented by 4/5 different mitigations in some situations (for example: Heap Spray, EAF+, Stack Pivot, EAF, Caller check, just to name a few).

    With regard to Heap Feng Shui:
    I noticed that MBAE prevents the allocation of heap objects at certain addresses in memory. A similar approach is also present in EMET and HMPA.
    I have no idea whether other techniques are implemented which can be used to detect/block heap sprays in some situations.
     
  18. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    It would be nice if there were a column with the info of user-added shields. Currently the "Shields" tab has only "Application" and "File name" columns.
     
  19. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Yikes, good thing he's running MBAE then :p Can't wait to see the edit shield option! :D

    @142395 I couldn't agree more. Both programs do completely different things. With my setup I still feel prevention is better than containment and as such would personally refuse to sacrifice MBAE for SBIE but I can't wait for the day they play a little better together as they are the start of a truly beautiful yet *light* setup. I've personally been able to enjoy this setup for a while due to my unique situation but I expect others will be able to appreciate running a similar setup without the quirks the mix currently faces.
     
    Last edited: Feb 17, 2015
  20. nord1

    nord1 Registered Member

    Joined:
    Dec 1, 2010
    Posts:
    126
    Couldn't agree more.... nothing I hate more than an app that tells you only the file name that it's working with... I require just a tad more information, like perhaps the full path. Just saying.
     
  21. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes more info here might be appropriate, but just not full path as MBAE does not rely on full path, or even full name for that matter, as in the case of the different FlashPlayer*.exe versions.
     
  22. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Speaking of web players, hasn't Unity Web Player been exploited so far?
     
  23. 142395

    142395 Guest

    Thanks again for the reply, yes I can understand what you say here. Also thanks for the information about heap feng shui, so maybe they can block this technique too.

    BTW, I forgot to mention in my previous post that the "layer 0" security enforcement feature seems to be more of a forced DEP & ASLR.
     
  24. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Hopefully we will see it soon.


    Is it possible to rank shield profiles by security? I understand that "browser" is for web browsers etc. It would be especially useful if the appropriate profile crashes an app. Is it correct to say that if the shields are ranked by security, starting from the most secure, they are in the following order:

    browser,
    mediaplayer,
    office,
    pdfreader,
    other?

    Thank you.
     
  25. 142395

    142395 Guest

    I think the thing is not that simple. For a browser, connecting to a remote server, downloading an executable and executing it might be a legitimate action, or not. MBAE should decide based on other clues. But for an Office program, it will be unusual, except for its own update (other than MS Office). The only sure thing is that the "Other" template is the least restrictive.
     