Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Last edited: Jun 22, 2014
  2. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    That's correct, we don't detail our mitigation techniques or logic. Some are similar to EMET, some are different, some are unique to MBAE.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK fair enough. The important thing is that it's really capable of blocking exploits. :)

    I just wondered about this, because a certain competitor claims to offer a more complete solution.
     
  4. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    @ZeroVulnLabs

    Problem #1 - Minecraft and Malwarebytes Anti-Exploit do not run well with one another, Minecraft loads pretty slow when Malwarebytes Anti-Exploit is running in the background. Disable MBAE and Minecraft loads pretty quick.

    Problem #2 - After uninstalling Malwarebytes Anti-Exploit, its program entry still remains listed on startup (Experienced this while running on Windows 8.1 Pro, not sure about other versions).
     
    Last edited: Jun 23, 2014
  5. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    I wonder why Google has not paid to have MBAE built into Chrome the way they have built in other stuff like Flash Player in order to make it more secure.
     
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Chrome is extremely secure out of the box. Sure there have been zero-days for it, but it's still light years ahead of IE, Java, Flash, etc.
     
  7. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
    The reason I am not installing MBAE is because Chrome developers suggest that anti-exploit techniques may work only when the attacker has no knowledge about it but sometimes it can screw up with the default protection of the browser.
    If Google tells or accepts that MBAE is fully compatible and helpful for Chrome then I think your sales will skyrocket.
     
  8. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    99,99% of all Chrome users are not aware of any of its security features. I think none of them are hesitating to buy MBAE unless the Chromium developers recommend it. Even if they did say anything in regards to that matter, these people wouldn't notice or understand. Aside from that, MBAE already shields Chrome in its free version, so nobody is going to buy premium just for Chrome and just because Google recommends it.
     
  9. In regard to Chrome: have you ever tried Chrome with Software Restriction Rules excluding the Admin? I was surprised to be able to run these files from Chrome's download message. Therefore adding 1806 trick to block download in Internet Zone with Chrome.

    I want to be able to right click and install anything as admin (I know not the best solution, but my Safe_Admin setup has proven itself last four years).
     
  10. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
    I set UAC to high and edited some policy in gpedit.msc which will always ask me for password to run a software without admin rights. It is irritating sometimes but it is for the best. Also a lot of developers tell me to forget the benchmarks, developers know what is best for them, and he knows 25 good developers who use Chrome as their default browser.
     
  11. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    484
    I don't know if this question was answered before.
    Does MBAE Free protect PDFs opened through the Adobe Reader plugin in Firefox?
     
  12. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, any browser plugins are also shielded in MBAE Free, including FlashPlayer*.exe which under Firefox runs as a separate process.
     
  13. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    484
    Thanks. But when I open PDFs through the plugin, I don't see mbae.dll injected into the Adobe Reader process. It does inject into plugin-container.exe, so is that enough?
     
  14. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    That's correct, because the PDF is not opened by acrord32.exe (Adobe Reader) but by Firefox's plugin-container.exe.
     
  15. guest

    guest Guest

    @ZeroVulnLabs

    What plans do you have for MBAE? Any roadmap?
     
  16. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,360
    Do you think Malwarebytes Anti-Exploit is necessary when using Chrome? o_O
     
  17. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    There's much less of a chance of encountering a zero-day for Chrome vs IE. But there are still zero-days for plugins to worry about (Reader, Flash, Java, etc).

    Also now there are more exploits being delivered as email attachments (doc, pdf, jar,...) to worry about. So the browser is not the only exploit vector we need to worry about.
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, but mostly just engine and hooking improvements. A lot of new techniques in the roadmap. Also new things like kernel intercept. Keep an eye on the Experimental builds for the new stuff.
     
  19. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    @ZeroVulnLabs

    I use Softmaker FreeOffice:

     
  20. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    mbae-svc-SvcProtection(447) - 2014/06/30 - 12:11:36 - #2# - MbaeLogProcessModules: Process Info: Pid: 2360 Process Name: C:\Programmi\SoftMaker FreeOffice\TextMaker.exe Address: 0x00000000 - 48 - 2804
    mbae-svc-SvcIPC(134) - 2014/06/30 - 12:11:38 - #2# - IPCFromProtector: UNINJECTED: 3 (1660)EXPLORER.EXE (2360)C:\Programmi\SoftMaker FreeOffice\TextMaker.exe is now unshield - 213 - 3528

    It does not work....
     
    Last edited: Jun 30, 2014
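
Added example (not part of the thread and not Malwarebytes code): a small Python parser for the two log lines quoted in the post above. It lists each process the service reports as unshielded and how many seconds passed since that PID's "Process Info" entry. The field layout is an assumption inferred from those two lines only.

```python
import re
from datetime import datetime

# The two lines quoted in the post above. The layout is inferred from these
# samples only, not from any Malwarebytes documentation.
SAMPLE = r"""
mbae-svc-SvcProtection(447) - 2014/06/30 - 12:11:36 - #2# - MbaeLogProcessModules: Process Info: Pid: 2360 Process Name: C:\Programmi\SoftMaker FreeOffice\TextMaker.exe Address: 0x00000000 - 48 - 2804
mbae-svc-SvcIPC(134) - 2014/06/30 - 12:11:38 - #2# - IPCFromProtector: UNINJECTED: 3 (1660)EXPLORER.EXE (2360)C:\Programmi\SoftMaker FreeOffice\TextMaker.exe is now unshield - 213 - 3528
""".strip().splitlines()

# The number in parentheses and the two trailing numbers are kept opaque:
# the thread does not say what they mean.
LINE = re.compile(
    r"^(?P<component>[\w-]+)\((?P<tag>\d+)\) - "
    r"(?P<date>\d{4}/\d{2}/\d{2}) - (?P<time>\d{2}:\d{2}:\d{2}) - "
    r"#(?P<level>\d+)# - (?P<message>.*) - \d+ - \d+$"
)
PROC_INFO = re.compile(r"Process Info: Pid: (?P<pid>\d+) Process Name: (?P<path>.+?) Address:")
UNINJECTED = re.compile(r"UNINJECTED: \d+ \(\d+\)\S+ \((?P<pid>\d+)\)(?P<path>.+?) is now unshield")

def parse_line(line):
    """Split one log line into its fields; return None if it does not fit."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y/%m/%d %H:%M:%S")
    return rec

def unshield_events(lines):
    """Return one dict per UNINJECTED message, with time since the PID was first logged."""
    first_seen, events = {}, []
    for rec in filter(None, map(parse_line, lines)):
        info = PROC_INFO.search(rec["message"])
        if info:
            first_seen.setdefault(int(info["pid"]), rec["when"])
            continue
        un = UNINJECTED.search(rec["message"])
        if un:
            pid, seen = int(un["pid"]), first_seen.get(int(un["pid"]))
            delta = (rec["when"] - seen).total_seconds() if seen else None
            events.append({"pid": pid, "path": un["path"], "when": rec["when"], "seconds_since_first_seen": delta})
    return events
```
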
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    I need all the files in the logs directory please.
     
  23. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Thanks for the logs.

    I tested under the same conditions (WinXP SP3) by adding TextMaker with profile "office" and it seems to be working correctly when I double-click on a doc and it's opened by TextMaker as the default handler for that extension.

    Does the problem happen on your end with all .doc files or only a specific format (2003/2000/95)?
     
  24. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    I created a doc file with Notepad.
    The problem sometimes occurs and sometimes not.
     
  25. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Had a problem with the application protection counter as I tried MBAE yesterday with latest stable version. Was this never fixed even during the beta? Happened on several occasions.
     