Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @Rasheed187: the capabilities of the program are generally (with a few exceptions) the same as those of the user who launches it. Windows uses discretionary access controls for most programs, and most Linux distros still use DAC for everything. So if you hijack the application, and can make system calls to access the filesystem and/or registry, you can (theoretically) do anything the user could do without ever jumping to another process.

In practice this is kind of fragile from what I've seen, and there are a lot of ways (both obvious and not so obvious) to put the kibosh on it. For instance, those "useless" outbound firewall configurations... But please don't take me too seriously - I'm not a pentesting expert, and am not up on the latest developments in the field.
     
  2. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    MBAE does not have an "anti-exe" feature. I think what you are referring to is the Application Behavior (layer3) protection which prevents the exploit payload from performing any malicious actions. It could be a download+exec of an EXE but it could be other things like for example a reverse shell where there's no EXE involved.

    More info at the FAQ #17:
    https://forums.malwarebytes.org/index.php?showtopic=136424
     
  3. guest

    guest Guest

Would the custom shields be as good as the predefined ones in terms of protection?
     
  4. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, all you'll need to do is choose the correct protection profile:

[screenshot attachment]
     
  5. guest

    guest Guest

One suggestion then would be for you to capture data from the protected processes (I guess the process name would be enough) and capture as well the profile chosen by users. With these statistics, in every release you can include hundreds of new apps with the profile assigned that could be set as predefined shields. This is very primitive, but probably it doesn't make sense to set this up as a cloud thing...

In the Shields tab, a new column to show the number of times that a shield has been invoked, and a checkbox to hide predefined shields that have never been invoked.
     
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Good suggestions, thanks @guest.
     
  7. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
Most home-user HIPS treat threat-gate applications like browsers and document readers generally as trusted and allow them to do everything. If somebody takes over these applications, he can do everything the application can do. If the application is trusted, the HIPS probably wouldn't stop any action that originates from it. My guess is it would only start to throw alerts once new processes are launched and they try to further compromise the system.

So, in my opinion, default home-user HIPS step in too late in an exploitation scenario. Of course they may be configured to step in earlier, but this is not the case in the vast majority of configurations. I think tools like MBAE, EMET and a proper low-rights container implementation with job restrictions (Chromium, latest IE for example) offer better exploit protection than home-user HIPS with their firewalls in their default configuration would do.
     
  8. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes exactly, I was referring to layer 3. But how to stop the reverse shell? Is it simply by blocking a .dll file from loading into memory? Btw, the custom shield feature is looking very exciting. :)

That's why it makes sense to run apps as non-admin. To be honest, I still don't understand how this works in Win Vista/7/8. If I'm correct, even when you run globally as admin, UAC will stop apps from automatically getting admin rights, and I guess that's why it was such a big deal?
     
    Last edited: Jun 11, 2014
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
I'm sorry but I disagree, I would like to know what HIPS you have been using. Most HIPS will only trust Windows system processes. HIPS won't automatically restrict apps that are vulnerable to zero day attacks, that's up to you. But that's the whole point of using HIPS! :)

    Take a look at this post:

    https://www.wilderssecurity.com/thre...-9-spyshelter-firewall-3.360052/#post-2353110
     
  11. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
@Rasheed187: not enough to run as non-admin, ideally you also want vulnerable programs (like browsers) to be running with *less* privileges than your user. That's mandatory access control - setting additional permissions by program in addition to user. MIC/UAC does it (though not very flexibly), as does AppArmor and such.

    Edit: re HIPS, the problem isn't trusting vs. not trusting the processes, but rather how much they're limited vs. what they would normally be able to do. All HIPS are, at heart, policy sandboxes. If a HIPS is not limiting the privileges of vulnerable processes, it's not working as well as it theoretically could.
     
12. Well, I think low rights container for vulnerable processes with a dedicated anti-exploit (MBAE) will raise the bar considerably. HIPS is from XP age, there are smarter ways of achieving these protection levels with less user hassle now (with win7/8 ).
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
That's my whole point, I run HIPS to restrict apps even more, because even in non-admin mode they can still do damage. :)

Yes, anti-exploit (like EMET and MBAE) is a nice extra layer. Combine it with HIPS, UAC and perhaps sandboxing, and you're good to go. :thumb:
     
    Last edited: Jun 11, 2014
  14. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,123
    Location:
    Hawaii
    I anxiously await your next version so that I can obtain MBAE's protection for one of my favorite browsers named "SlimBoat".
     
  15. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
  16. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  17. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    Looks good pbust, congrats!
     
  18. Malware fighter

    Malware fighter Registered Member

    Joined:
    Jan 31, 2011
    Posts:
    253
  19. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    If you've helped us out during the beta period by reporting issues (either ExploitShield or MBAE), please PM a link to the post and I will send you a license key for Premium as a thanks for helping us out during the development of the product.
     
  20. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
It's the same build. All you need to do is enter the license key into the Free version and it unlocks the Premium version.
     
  21. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    OK

    The About Page is not clear.

    The click-on for "The Business Edition" and "Activate" box appear next to each other on the same line of the About page.

    There is also a click on to "Buy the Premium Edition" on a different line.

Thus, it appears to only give you the option to Activate The Business Edition and to Buy the Premium.

    But Clicking what appears to be "Activate" for "Business Edition," because they are both on the same line, allows you to Activate The Premium Edition with your Premium ID and Lic.

    I think The About Page should be redone to make this clear to idiots like me :)
     
    Last edited: Jun 12, 2014
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, good suggestion. We'll redesign it for the next build. Thanks!
     
  23. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,369
    Location:
    Québec, Canada
    Great!
    Can I use the Premium license on more than one computer?

    Best!
    François
     
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, up to 3 PCs.
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,800
    Location:
    Italy
Please verify:

Account SUA
Windows 7 64 bit
EMET 4.1 SimExecFlow (Chrome) deselected

MBAE free

Chrome does not work
     