Malwarebytes bought Zerovulnerabilitylabs

Discussion in 'other anti-malware software' started by kupo, Jun 20, 2013.

Thread Status:
Not open for further replies.
  1. But it won't stop loading DLLs from unusual paths after a memory intrusion. When anti-execs are not able to control all executable binaries, then a bypass is always possible. So yes, additionally monitoring new OLE components being registered and the loading and running of DLLs will help to decrease this 'hole'.

    What is more problematic (about ERP) is that the developers released protection software which has holes in it (there used to be a German website, called fake security, which demystified protection claims, hence the name fake security). Why leave out such obvious execution trigger points in an ANTI-Executable program?

    Back on topic to MBAE: I guess the heuristics of MBAE will only become better when they also get access to the MBAM knowledge of vulnerable registry items and load points. So it would be able to refine exploit protection to:

    a) tries to deliver a payload
    b) executes this
    c) survives reboot

    There would be synergy opportunities between MBAE and Malwarebytes' anti-rootkit scanner too (similar to how HMP Alert offers an HMP scan after an intrusion has been detected).

    So I am very interested in how this smart piece of software develops.
     
  2. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Wasn't talking about vids but testing myself. But regardless that's file-based payloads. I still would not rely on ERP against memory-only exploits.
     
  3. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    ERP will soon give you a nice surprise regarding DLL injections....;)

    Can you guys show us some ERP bypass?
     
  4. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Blacklisting regsvr and rundll is not a solution. Those are OS components which the OS needs for many tasks. It might work for you as an advanced technical user who knows what you are doing but it's not a long term or global solution for every type of user nor does it protect against memory-only exploits.

    Since there's a thread for ERP if you don't mind let's keep discussing MBAE here and ERP in its own thread.
     
  5. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Just to make a final post about it......
    ERP does not blacklist regsvr and rundll.
    It gives you a popup when they execute.

    Please, go to ERP thread and show us bypass(es).
    Thanks in advance and best regards.

    Over and out....:)
     
  6. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    Just bringing to your attention that a new version of Sandboxie (4.0.4) has been released.

    "This bug fix release addresses several issues that were reported shortly after the release of version 4.02."

    Wondering if perhaps it has addressed any of the issues/conflicts with MBAE??
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks for the info, sounds exciting. :)

    I was always wondering about this since I´ve been using System Safety Monitor (execution control), and no one ever actually tested this tool to see how good the protection against exploits was. In 7 years I´ve never been infected, might have been just luck, but I doubt it. ;)
     
  8. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Trusteer folks just notified us they have finished deploying the whitelist of Malwarebytes Anti-Exploit to all its users. If you've had problems in the past with both Rapport and MBAE installed please check again to confirm the problem is fixed.

    Thanks!
     
  9. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    I can confirm that Rapport is now compatible with MBAE, at least on my end.
     
  10. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    Malwarebytes Anti-Exploit 0.9.2.1400

    New Features:
    • Fixed false positive when downloading a binary file under Chrome.
    • Fixed crash when opening Chrome under certain configurations.
    • Fixed false positive when opening MS Word with certain add-ins.
    • Fixed error opening Word/Excel files under certain configurations.
    • Improved upgrade mechanism when installing on top of older versions.
    • Added full version number to the main interface.
    • Minor interface improvements.
     
  11. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    My preliminary testing of build 1400 indicates an incompatibility with IE (10 on Win7x64 Pro), which might be related to my having/using Yahoo Toolbar (??). When I open IE, it's trying to load the toolbar, but it's not succeeding, and IE freezes.

    EMET 3 is reporting a DEP violation in IE.
    Then IE crashes, faulting MBAE64.dll.
    A short while later, IE crashes yet again, but this time, faulting ole32.dll

    (This does not happen with MBAE's protection turned off. Nor did it happen with build 1200 --- everything [including Yahoo Toolbar & EMET] was working fine there.)
     
  12. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Since we started adding more proactive techniques to MBAE, especially memory protections, some of those might conflict with EMET. Can you re-test without EMET to see if the problems persist?
     
  13. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    I'm reluctant to repeatedly uninstall (my configured) EMET and reinstall it.

    What I did instead was go to another system, which doesn't have EMET on it. This was WinXP SP3, with IE8.

    With MBAE running, I was unable to completely open IE8 with Yahoo's Toolbar.
    I *WAS* able to open the "special" IE (No Add Ons) [which of course doesn't have the Yahoo Toolbar]... but even so, that seemed to freeze a short while thereafter.
    With MBAE disabled, everything runs fine.

    So my conclusion is that there's definitely a conflict between MBAE and Yahoo's toolbar (in IE) [having nothing to do with EMET]... and perhaps some additional conflict as well.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  15. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Sorry, I stopped reading at "I find MBAM to be one of the best antiviruses...".

    lol.
     
  16. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    MBAE includes different layers of anti-exploit protections. The first one, detection and blocking of exploit behavior, was released with beta 0.7 and includes a set of different heuristic techniques to prevent exploits from successfully compromising hosts. We were very clear from the beginning that it did not include protection for payloads such as ReflectiveDLL and the like and that was only going to be included in the Corporate Edition. This first version 0.7 is the version that was reviewed by these and some other guys, saying that it is only a payload blocker.

    The current version also includes memory protection and the version we are working on includes even more advanced memory protection to block exploits at stage 1. As hard as it may be to believe to detractors of MBAE, some companies prefer to block the exploit at a later stage in order to capture the payload information to gather intel about the attackers.

    These types of articles are fixated on what was included in the old version 0.7 and they have not updated their reviews nor have they bothered to "look again" at current versions of the product. They simply keep repeating the same old critiques as if nothing has changed in the product in almost one year. Finally, the product is still in beta for the simple reason that it is not finished and we continue developing its core engine.

    There's a name for these types of articles, I think it's called yellow journalism.
     
  17. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
  18. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    After finally reading that blog post, I'd say that it's all about semantics too. It's surprising that someone so picky with the term 'exploit' can call Malwarebytes 'antivirus' when it doesn't aim at file infectors, for example.
     
  19. guest

    guest Guest

    Anybody is using Exploit shield together with HitmanPro.Alert? any incompatibility?
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The difference between AV and AM isn't even semantics. It's totally irrelevant. See the comments of that same article for a discussion that's already happened - if you think the distinction between AV and AM is relevant you've missed the point. This is basic 'Security+' cert BS about malware classification, and it's irrelevant because the term AV is a marketing term, not a literal representation of what the product is meant to do.

    My 'browser exploitation' article isn't aimed at MBAE at all, it was requested by someone who posted on the site and I wrote it on a short train ride. It's not meant to incite more of a discussion on this specific product, just to inform users about what someone can do with just very basic shellcode.

    MBAE may have changed, they may have added more techniques. I will make a note of this in my article, I think that would be fair.
     
    Last edited: Jul 23, 2013
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ Hungry Man

    Didn't know you were the poster, but just to clarify, I knew that it wasn't aimed at MBAE, I just found it to be interesting, that's why I posted it.

    @ ZeroVulnLabs

    Nice to know, but won't it interfere with tools like EMET?
     
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, in fact we've received some reports of conflicts with EMET with the latest MBAE versions, most likely because of the memory protection included in MBAE. The objective of MBAE is to include many more layered anti-exploit protections than those found in EMET.
     
  23. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    only time will tell if your claim will remain a good purpose or if it is destined to materialize...;)
     