Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Office, PDF readers and media players are only protected in Premium mode. In Free mode MBAE only protects browsers and Java. This is why your Excel is not being protected.

    Also another thing to note is that if the target application is 64-bit, you should be looking for mbae64.dll instead of mbae.dll.

    As for Outlook and other apps that are not shielded by default, you can add custom shields for those in MBAE Premium (but not in MBAE Free).
     
  2. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    It's only fair that regular Wilders users get free licenses for helping out during development and beta testing. With MBAE I only did this for beta testers who submitted bug reports. But I think it's only fair to open this up a bit.

    So if you use MBAE and would like a Premium license key, hit me up with a PM. You all deserve it.

    PS: when I say "regular Wilders users" and "you all" I don't mean newly created accounts or accounts with low post counts, so please don't try unless you qualify ;)
     
  3. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Wow, thank you for offering this to the regular Wilders users.

    This is a very kind offer
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    Thank you very much for this. Muchas gracias! :thumb:
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    +1 !!
     
  6. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    For some reason, this is very unpredictable on my XP SP3 system. On rare occasions, it will disappear within 5+ seconds or so, but more often it doesn't disappear until I begin another task (i.e., click the mouse, use the keyboard, etc.). Many times it doesn't disappear at all until I manually click it closed.
     
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    That's weird. Do you see the same behavior with other programs that show balloon notifications or does this only happen with MBAE?
     
  8. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Only with MBAE. Other programs with balloons seem to perform the way they should.
     
  9. roady

    roady Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    262
    1st of all, kudos to you for that great offer, it's a very nice gesture! :)
    On a sidenote, did you ever think about selling a discounted lifetime version to Wilders members?? :D
    Perhaps an interesting option for both sides:
    You still earn some money from Wilders members for your excellent piece of software and your hard work, and you'll get lots of feedback from this community for every new release... ;)
     
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Send me a PM please :)
     
  11. kantry123

    kantry123 Registered Member

    Joined:
    Apr 11, 2015
    Posts:
    22
    Sir
    I'm facing a slight delay while launching Firefox with MBAE on ....
    but I didn't face that while I was using EMET

    regards
     
  12. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Do you have any other programs that might be hooking the browser in addition to MBAE (EMET, Comodo, Trusteer, etc.)? If so, try completely disabling those and rebooting to see if it makes a difference.
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    False positive here when trying to access ASUS router web traffic logs.
    res://ieframe.dll/acr_error.htm#,hxxp://192.168.1.1/Main_TrafficMonitor_realtime.asp

    Code:
    "2015-06-20T11:26:02.957+02:00";"username";"716";"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE";"6708";"iexplore.exe";"0";"513";"210";"";"";"";"";"";"";"C:\Windows\SysWOW64\vbscript.dll";"96837E5864777688477AF6DE2332C06D";"";"";""
    "2015-06-20T11:27:28.310+02:00";"username";"2360";"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE";"6708";"iexplore.exe";"0";"513";"210";"";"";"";"";"";"";"C:\Windows\SysWOW64\vbscript.dll";"96837E5864777688477AF6DE2332C06D";"";"";""
    "2015-06-20T11:27:29.685+02:00";"username";"7136";"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE";"6708";"iexplore.exe";"0";"513";"210";"";"";"";"";"";"";"C:\Windows\SysWOW64\vbscript.dll";"96837E5864777688477AF6DE2332C06D";"";"";""
    
    What is the best way to exclude this false positive?
    (I am on latest beta - IE11 - Win8 64bit)
     


  14. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    It's not really an FP. Microsoft deprecated VB scripting some time ago. However Exploit Kits like Angler are relying on it heavily (e.g. CVE-2014-6332). This new mitigation basically prevents the vbscript.dll from loading within IE.

    To disable, open MBAE -> Settings -> Advanced settings -> Application Hardening -> uncheck Disable IE VB scripting for Browsers -> Apply -> restart IE
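    The log excerpt in post 13 and the explanation in post 14 make a good small triage exercise: the lines are not "detections" of an attack but records of MBAE's Application Hardening refusing to let vbscript.dll load inside Internet Explorer. The script below is an added example, not code from this thread or from Malwarebytes. It parses lines in the same semicolon-separated, fully quoted shape as the posted excerpt, tags the entries that match that specific mitigation, and counts blocks per (process, module) so an admin can see whether one deliberate mitigation accounts for all of the noise before deciding whether to keep it on. The column positions, the `IE_IMAGES` set and the third sample line (with a placeholder hash) are assumptions made for the example; the thread does not document MBAE's log schema.

```python
import csv
import io
from collections import Counter
from typing import Dict, List, Tuple

# Column positions are an ASSUMPTION for this example: the thread shows raw
# lines but not MBAE's field schema. Only fields whose meaning is obvious from
# the sample (timestamp, user, process, module, module hash) are used.
COL_TIMESTAMP, COL_USER, COL_PROC_PATH, COL_PROC_NAME = 0, 1, 3, 5
COL_MODULE_PATH, COL_MODULE_MD5 = 15, 16

# Image names treated as Internet Explorer (assumed list for the example).
IE_IMAGES = {"iexplore.exe"}

# Constructed sample log: the first two lines follow the excerpt posted in the
# thread (IE blocked from loading vbscript.dll); the third is a made-up,
# unrelated block with a placeholder hash so the filter has something to ignore.
SAMPLE_LOG = r'''"2015-06-20T11:26:02.957+02:00";"username";"716";"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE";"6708";"iexplore.exe";"0";"513";"210";"";"";"";"";"";"";"C:\Windows\SysWOW64\vbscript.dll";"96837E5864777688477AF6DE2332C06D";"";"";""
"2015-06-20T11:27:28.310+02:00";"username";"2360";"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE";"6708";"iexplore.exe";"0";"513";"210";"";"";"";"";"";"";"C:\Windows\SysWOW64\vbscript.dll";"96837E5864777688477AF6DE2332C06D";"";"";""
"2015-06-20T11:30:00.000+02:00";"username";"9001";"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE";"7001";"iexplore.exe";"0";"513";"210";"";"";"";"";"";"";"C:\Windows\SysWOW64\example_constructed.dll";"00000000000000000000000000000000";"";"";""
'''


def parse_mbae_log(text: str) -> List[Dict[str, str]]:
    """Parse MBAE-style lines into dicts; rows too short to hold a module hash are skipped."""
    entries = []
    for fields in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(fields) <= COL_MODULE_MD5:
            continue
        module_path = fields[COL_MODULE_PATH]
        entries.append({
            "timestamp": fields[COL_TIMESTAMP],
            "user": fields[COL_USER],
            "process_path": fields[COL_PROC_PATH],
            "process_name": fields[COL_PROC_NAME].lower(),
            "module_path": module_path,
            # Basename of a Windows path; lower-cased for stable comparison.
            "module_name": module_path.rsplit("\\", 1)[-1].lower(),
            "module_md5": fields[COL_MODULE_MD5].upper(),
        })
    return entries


def classify(entry: Dict[str, str]) -> str:
    """Tag an entry. 'ie-vbscript-hardening' is the Application Hardening
    mitigation described in the thread: vbscript.dll refused inside IE."""
    if entry["process_name"] in IE_IMAGES and entry["module_name"] == "vbscript.dll":
        return "ie-vbscript-hardening"
    return "other"


def summarize(entries: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count blocks per (process image, module name) for a quick overview."""
    return dict(Counter((e["process_name"], e["module_name"]) for e in entries))


def hardening_hits(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the entries caused by the IE VBScript hardening setting."""
    return [e for e in entries if classify(e) == "ie-vbscript-hardening"]


if __name__ == "__main__":
    parsed = parse_mbae_log(SAMPLE_LOG)
    for (proc, mod), n in summarize(parsed).items():
        print(f"{proc:<14} {mod:<28} {n} block(s)")
    for e in hardening_hits(parsed):
        print(f"{e['timestamp']}  IE VBScript hardening: {e['module_path']}  md5={e['module_md5']}")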
     
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Thanks! This would disable completely the hardening, right? I would not like to do so.
    No other way to exclude it? E.g. if the request originates from a specific page/IP?
     
  16. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    It would not disable *ALL* the Layer0 hardening, only that specific mitigation.

    Unfortunately there's no way to exclude it in a specific IP/range.
     
    Last edited: Jun 20, 2015
  17. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    OK, thanks! No problem, I understand.
     
  18. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    I am trying version 1.07.1.1009 (beta) and it seems rock solid in my machine and I got the impression that dll injection is even faster now.

    Very nice build :thumb:
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I have been using 1.07.1.1009 beta for several days now, and I still have not experienced any problems. I'm using Windows 7 x64 Ultimate with all patches. Very nice work on this build!
     
  20. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,980
    +1 (Windows 8.1U3 Pro x64)
     
  21. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Maybe 1.07.1.1007? Or do I not know about a new beta release?
     
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I installed build 1.07.1.1009 over top of build 1.07.1.1007. I will report back if I experience any problems.
     
  24. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    WinXP-SP3, Office2003, MBAE 1.0.7.1009 beta
    I installed without uninstalling v1.0.6. Several alerts from SSM and Sunbelt firewall behavior watch, and no issues.
    Office applications are now protected. How well, I have no clue since I don't run exploit tests.
    Log displays what ran. Nice.
    Curiously, (sort of a log of my adventures)
    1. the General tab reports one shielded application rather than many visible on the Shields tab. Possibly refers to Outlook that I added - Yes, count seems to be for what's added. Hmmm, maybe not, see pt.3 below.
    2. When I ran an application which is started by javaw (jre7), I did not get a popup nor a log entry even though javaw is in the Shields list. This is a totally local application. It does have an optional button to check for updates. I block javaw in the firewall, but decided to click the button anyway, and MBAE still was silent and the firewall blocked it just fine.
    3. As I was adding Access to the Shields, SSM alerted that mbae-svc wanted interprocess communication to modify memory of Outlook, which isn't even running. I denied, since I have no clue if this was a false alarm or needed by MBAE. Oooops, Access won't run now when I click .mdb. No popup from MBAE.
    And the count of shielded application dropped to zero. And after I ran Excel again, the count is 1. Odd.
    4. Now I retry Access again. Hmmm - Access ran AND Outlook mails opened. This is totally odd. Oh, the .mdb file is a nothing there old thing. No macros, no reports, nothing, just a tiny table. No big deal, since I almost never use Access anyway.
    I better stop now to collect my thoughts and do some yardwork.
     
  25. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Hello

    Can I install this new Beta over my existing paid version and not lose my Lic?
     