Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Yes, you are right, it is not that simple. Anyway, I think it would be useful to know more details about the profiles.
     
  2. guest

    guest Guest

    That's a good possibility, as I mentioned earlier: Very little documentation which might result in making mistakes.
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Anti-HeapSpraying mitigation is also included in Layer0.

    This is correct.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    It would be cool to combine anti-exploit with sandboxing, but then I would have to be absolutely sure that they are fully compatible. Like I said, I had a bad experience with the HMPA + Sandboxie combo. But when it comes to stopping exploits from running at all, HMPA/MBAE is the better choice. I don't like the thought of malware running inside the sandbox without me even knowing. Perhaps SBIE will also offer anti-exploit in future versions; after all, Invincea FreeSpace does offer a behavior blocker which can block exploits. And yes, you're right, I would of course still use SBIE purely for virtualization/software testing, but I would drop it as a real-time protection tool.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Yes, this should have been fixed/added a long time ago.

    Interesting, seems to be a simpler version of Metasploit?

    To be honest, I kinda like the simple approach, but a Pro version with perhaps more features (like safe browsing?) would be nice.
     
  6. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Yes, I can't say I don't feel the same way. I love the simple approach, but at the same time, if the only way to get the 'other' things I want would require a more complicated 'pro' setup and manual selections, I would be more than willing to deal with that. The simplicity and advanced AE features of MBAE have been some of the reasons I have stuck with MBAE rather than the 'extra protections' of "EMET" in the first place. I won't say I found EMET's protections difficult to start with, but it's just not the same as having a program designed to detect and prevent them from running in the first place rather than 'simply' making it more difficult.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I saw some posts from users having problems with Media Player Classic. I have been using custom shields for Media Player Classic 32-bit and 64-bit without any problems on Windows 7 x64 Ultimate. I wonder what OS they are using.
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Does MBAE's behavior blocker block any malware that does not use an exploit?
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    Hi Cutting_Edgetech, I'm one of those having problems with MPC-HC x64 on Windows 8.1 x64 with MBAE + SBIE. Unsandboxed it runs fine.
     
  10. guest

    guest Guest

  11. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Layers 0, 1, and 2 deal with memory corruption exploits.

    Layer 3 (Application Behavior) deals with other types of exploit behavior by blocking the payload's malicious actions such as:
    - Application design abuse exploits (Word Macros, PowerPoint, etc.).
    - Java exploits.
    - Sandbox escapes.
    - Meterpreter payloads.
    - Kernel exploits launching its payload (e.g. Duqu).
    - Exploit payloads that bypass Layers 0-2.
    - Etc.
     
  12. I noticed LibreOffice is not part of the default programs. Does that mean that application design abuse is not working for Python and bean script (VBA also has its own DLLs in LibreOffice, so there is a fair chance they won't be included either)?
     
  13. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Are all these 4 layers applied to all shield profiles?
     
  14. 142395

    142395 Guest

    I don't know what details you mean, but it basically monitors API/system calls and applies various kinds of heuristic rules to block certain actions (based on the chosen profile). Pedro won't disclose them, and even if he did, I don't think that would be very useful for most of us.
    Those profiles are about layer 3 protection (possibly layer 2 too). So the answer is yes.
     
    Last edited by a moderator: Feb 19, 2015
  15. 142395

    142395 Guest

    Thanks for clarifying. :thumb:
    BTW, is the best profile for flashplayerplugin_(version number).exe "browser"? I'm currently using this profile and have never encountered a problem, but I want to make sure. Sorry if already answered.
     
  16. 142395

    142395 Guest

    I haven't experienced any issue by using them (a DLL not being correctly loaded is not an issue for me). As to the hook you mentioned earlier, though potentially any hook can cause problems, theoretically if all applications correctly implement hooks, i.e. correctly chain hook procedures with proper parameters, conflicts shouldn't occur (correct me if I'm wrong).
     
  17. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    You don't need to add the FlashPlayer executable for every version number. On the one hand all browser add-ons are automatically protected by MBAE Free. And on the other hand for FlashPlayer, MBAE automatically adds all versions using a wildcard approach (i.e. FlashPlayer*.exe). So you can forget about FlashPlayer. We do all that automatically for you.

    More info:
    https://forums.malwarebytes.org/ind...frequently-asked-questions/page-2#entry890671
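    The two posts above describe the same mechanism from two angles: shield profiles are applied to processes matched by image name (with a wildcard such as FlashPlayer*.exe), and layer 3 then monitors API/system calls from those processes and applies profile-specific heuristic rules to block certain actions. The block below is an added toy model of that idea, not MBAE's code or its real rules: the profile map, the rules, and the event log are all constructed for illustration, and the product's actual heuristics are (as stated above) not disclosed.

```python
"""Toy model of profile-based behaviour shielding (constructed example, not MBAE's logic)."""
import fnmatch
import ntpath
from dataclasses import dataclass

# Hypothetical process -> shield-profile map. Keys are matched case-insensitively
# with shell-style wildcards, mirroring the "FlashPlayer*.exe" approach described
# in the thread. None of these assignments are taken from the product.
SHIELD_PROFILES = {
    "firefox.exe": "browser",
    "chrome.exe": "browser",
    "FlashPlayer*.exe": "browser",
    "winword.exe": "office",
    "excel.exe": "office",
    "java.exe": "java",
}

# Hypothetical per-profile heuristics: for a monitored call category, which
# child image names a process of that profile is not expected to launch.
# A real product would have many more categories; this is illustration only.
PROFILE_RULES = {
    "browser": {"create_process": ["cmd.exe", "powershell.exe", "wscript.exe"]},
    "office":  {"create_process": ["cmd.exe", "powershell.exe", "wscript.exe", "rundll32.exe"]},
    "java":    {"create_process": ["cmd.exe", "powershell.exe"]},
}


@dataclass(frozen=True)
class Event:
    process: str  # image name (or full path) of the monitored process
    action: str   # monitored API/system call category
    target: str   # argument of the call: child image, file path, ...


def profile_for(process_name: str):
    """Return the shield profile for an image name, or None if unshielded."""
    name = ntpath.basename(process_name).lower()
    for pattern, profile in SHIELD_PROFILES.items():
        if fnmatch.fnmatchcase(name, pattern.lower()):
            return profile
    return None


def verdict(event: Event) -> str:
    """Classify one monitored call as blocked, allowed, or unshielded."""
    profile = profile_for(event.process)
    if profile is None:
        return "unshielded"          # process has no shield, nothing to enforce
    blocked = PROFILE_RULES.get(profile, {}).get(event.action, [])
    target = ntpath.basename(event.target).lower()
    if any(fnmatch.fnmatchcase(target, p.lower()) for p in blocked):
        return "blocked"
    return "allowed"


def evaluate(events):
    """Run the rule set over an event sequence; returns (process, action, target, verdict) tuples."""
    return [(e.process, e.action, e.target, verdict(e)) for e in events]


# Constructed sample of monitored calls, as a shield would see them.
SAMPLE_EVENTS = [
    Event("firefox.exe", "create_process", r"C:\Windows\System32\powershell.exe"),
    Event("firefox.exe", "create_process", "firefox.exe"),
    Event("FlashPlayerPlugin_16_0_0_305.exe", "create_process", "cmd.exe"),
    Event("notepad.exe", "create_process", "cmd.exe"),
    Event("winword.exe", "write_file", r"C:\Users\user\Documents\report.docx"),
]

if __name__ == "__main__":
    for proc, action, target, v in evaluate(SAMPLE_EVENTS):
        print(f"{v:10} {proc} {action} -> {target}")
```

    Two points the model makes concrete: the wildcard means every versioned FlashPlayer image name lands in the browser profile without per-version configuration, and a process without a profile (notepad.exe here) is simply not enforced, which is why adding custom shields for programs like Media Player Classic or LibreOffice matters.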
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    According to pbust, MBAE uses a different injection method than HMPA. The result is that MBAE can't inject code into sandboxed apps, while HMPA can, but HMPA also seems to make SBIE act weirdly, at least on my Win 8.1 64-bit system. I would love to know a bit more about the different methods that are used. I wonder if both MBAE and HMPA will always be a risk to SBIE's stability, because they both hook apps in a "low level" way.

    Same over here, with both MBAE and HMPA.
     
  19. 142395

    142395 Guest

    However, not everyone experiences such issues. I myself used both MBAE and HMPA with SBIE, and haven't seen any serious issue so far.
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    Same here. I use MBAE + SBIE, haven't seen a single issue even though I'm on the hardest of all OS: Win8.1.3 x64. Never tried HMPA and think I never will since I'm really comfortable with my combo so far. I believe adding too much to the mixture is counter-productive. I am a novice in security concerns but I believe I'm very well protected. I'll stick to this combo for the foreseeable future.
     
    Last edited: Feb 19, 2015
  21. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Thank you.
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    So it's a conflict between Sandboxie, and MBAE instead? If you disable MBAE, and run sandboxed do you still have the problem?
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    MBAE + SBIE = conflict
    MBAE alone = no conflict
    SBIE alone = no conflict

    On Windows 8.1 x64
     
    Last edited: Feb 19, 2015
  24. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I already investigated this and yes, it seems to be a specific issue on Windows 8.1 where MBAE and SBIE protections are enabled for MPC. On Windows 7 x64, where I first tested it myself, I had no issues when all three were combined. However, it was easily reproducible (2/3 times) inside of a freshly installed 8.1 x64 VM.

    Running 'just MBAE' and MPC or 'just SBIE' and MPC wouldn't cause the crash, as found by Mr.X, in my experience. It seems to be a (so far) unique situation involving all 3 programs and 8.1, but once MBAE is fully compatible with Sandboxie (e.g. injecting normally) I hope they'll be able to discover the origin of the issue, or that it won't end up being a more widespread problem that makes them incompatible in general. I think the incompatibility scenario is fairly unlikely considering my past/present experiences with the two, but it wouldn't be fair to say it is impossible.
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Ok, thanks for clarifying!
     