Mission impossible? Malwarebytes invents software that blocks zero-day attacks

No matter how well the software works (or more likely doesn't)
it is not an 'invention' .
Article 52 of
The European Patent Convention
states :

Software is 'a work', the author has the copyright .

Maybe it's just me, but I don't think the solution is yet another piece of security-software to install, hog resources, prevent the user from doing what s/he wants because of false positives and .. hog resources - besides, any installed program is, on its own, a possible attack-vector.

Someone should make a program that teaches users how not to do stupid-risky things instead !

 

The author of the article isn't doing Malwarebytes a favor by using these words.
"block all zero-day attacks known and unknown against popular Windows applications"


Later in the article from Marcin, "Malwarebytes Anti-Exploit will help mitigate some of this risk"

"Exploits have been responsible for a lot of headlines recently as they are a highly effective way of stealing confidential data from people and businesses. After researching thousands of vulnerabilities and exploits, we are confident that Malwarebytes Anti-Exploit will help mitigate some of this risk," said Malwarebytes CEO, Marcin Kleczynski.

 

The sensationalism, it burns.

 

I will stick with EMET and save myself $25 a year. Sorry, but the MBAE saga reminds me of "snake oil" salesman of the American wild west days. Or more recently, the founder of LifeLock that used to publically give out his social security number as a dare against identity thieves until it was hacked ........................

 

Tough crowd.

 

It's justified. Anyone who makes claims about blocking all known and unknown zero-days is at best telling a half truth. There is no way they can prove the ability to block all unknowns - not just as a matter of practice but AFAIK as a matter of the laws of mathematics. (i.e. the Halting Problem.)

Actually if I were working for Malwarebytes I'd be rather annoyed at this kind of press. People are weary. Articles that misrepresent a product in an excessively optimistic light might rub people the wrong way more than widespread skepticism.

 

A measure of MB's anxiety to regain lost revenue from the lackluster BMAM v2 ?

MBAM and MBAE came out of beta "recently" (roughly speaking). Now attention grabbing promotions.

hmmm. Shame. I think the products will be / are good enough not to have this sort of PR.

Jut my view -

feandur

 

I think there's a lot of FUD being spread around here for no apparent reason. Let me clarify a few things:

* We have tested MBAE against zero-days since its first beta over a year and a half ago. This can be done simply by getting every new zero-day that comes out and using it against an old version of MBAE that was compiled pre-zero-day. In most cases for these tests we use 1 year old versions. Since we started doing this we found that old versions of MBAE stopped every zero-day we've thrown an it. This includes zero-day exploits for IE, Acrobat, Word, Flash, Silverlight, XLS, etc.

* We have never said we will block every single zero-day from here to eternity. If anyone ever says that they are clearly lying. Sometimes it is difficult to explain vulnerabilities and exploits to media and consumers and unfortunately they do misinterpret things. **** happens, but it is not our fault if someone misinterprets something.

* We've been very clear since the beginning that MBAE works against RCE exploits and we hook in userland. This means that for example kernel exploits, priv escalation exploits, OS exploits, etc are outside the scope of MBAE. If you look at other articles it actually does mention these limitations.

* MBAE is different from EMET. The objective is the same but the techniques and the scope is different. For ex Duqu kernel exploit, while none block it, at least MBAE is able to block the payload malicious action from the typical Duqu attacks that were integrated in Exploit Kits until a few months back. Another is Java exploits.

* By saying it is as revolutionary as a hot dog you're just showing off your ignorance. But you don't have to take my word for it, there's a test performed by an independent researcher which you can look at http://malware.dontneedcoffee.com. This test was performed using MBAE Free and demonstrates how soccer-moms and gramma users might be protected easily against Exploit Kits without paying a dime.

You're all obviously entitled to your opinions and if you don't like MBAE that's all fine by me, but there's no need to be rude or spread FUD. Instead constructive criticism might be nice, like for example how to create/improve other products out there to provide exploit mitigation for the masses that doesn't require end users to be highly technical.

 

Its a good product, you may not like the price but that's a separate issue. It works for what it was designed to do, same as any other security product.

 

pbust - no disrespect ever intended to you as a developer - sometimes I just get a bee under my bonnet with Management and the high handed way they can carry on....

Used your Exploit Shield in 2013, and intend getting licences for MBAE now it is out of beta.

congratulations on a great product.

thanks,
feandur

 

digmor crusher - I also am using Appguard and EAM.
Do you find MBAE plays nicely with your combo? Are you using free or premium?

thanks,
feandur

 

I don't get the analogy, sorry.

 

pbust......For a long time I have been very happy with you people. Thank you.

 

I haven´t read your post yet, but I also don´t have a clue why people are being so negative. It´s just a standard article promoting the product, like all companies do. And I don´t see any outrageous claims being made. Also, buffer-overflow protection is indeed innovative, before Comodo Memory Firewall and EMET, non of the popular HIPS offered this feature.

Edit: And you even offered some proof that MBAE is really blocking exploits. I´m still waiting for the AppGuard report, a developer claimed it outperformed EMET.

 

It's certainly better than those hideous web-antivirus modules and probably more potent than these so called exploit protections in antivirus products. I'd rather pay for this and combine it with a free unproblematic av like MSE than for a bloated internet security suite. Though I understand that exploit protection has to be viewed soberly.

 

Some hotdots are pretty revolutionary though! But I agree, sensationalism at it's best.

 

What are "hotdots"?

 

Have the two been tested alongside each other, were there any conflicts?

 

Marcin has made this statement:
"Sometimes it catches the exploit so early we can't show the alert" that it has stopped an attack.

Which exploit was it? Can you clarify this....

 

Dang, I spilled the beans on the most revolutionary hotdogs of them all.. Hotdots.. Cats out of the bag now!

 

Thanks for the clarification, Doc. I'll make sure to look for them at the nearest 7/11.

 

Not a specific exploit. He was referring to new techniques being introduced:
https://forums.malwarebytes.org/index.php?showforum=153

 

"Not a specific exploit"

Remote Code Exploits seem to dominate the arena of infections... Your provided link simply takes me to your forum.... You still have not answered as far as how are you able to "catch" the exploit without informing a user about the attack? The question still remains (based on Marcin's statement), what does MBAE catch that similar programs can not? I'm sorry about such a specific question, however, I'm just curious about what you might have in your Revolutionary arsenal that no one been able to achieve.... If you have invented the "Holly Grail" of security..... I'm ready to dump all my security applications and keep your "sliver bullet"...