Malwarebytes Anti-Exploit

Cool, will install it on all my systems. Free version will do the trick for my needs.

 

A forum which claims to inform on security should not post misleading information. Take your responsibility and moderate it by adding a mod comment and close the thread or better remove it.

 

thanks for you concern but no offense, we don't have to remove it however i put some comments; people can make mistakes, it was pinpointed very early, the dev replied, so even the test was flawed, the thread is still informative for Average Joe. (if the readers care to read further)

 

guest, this MBAE "review" in question is not the only one that is done in a wrong way.

 

we are here to teach and learn, this member made some mistakes due to lack of experience about what the product does and with what it should react, not a reason to bash him ; when the various comments were made , i PM and ask about details of how he founds those "links" among other things and oriented him to a better path.

people especially non-professionals have the right to do mistakes but bashing them without correcting them when we can, is even worse to me.

i don't think people appreciate when their boss throws their works to the trash without telling why and how to correct it.

 

You know you are "in charge" as you said of that section so I will not say anything how things can be improved. That is totally up to you.

Personally, I would never test or review a product if don't know what it is i'm testing, or don't know how the product works. I would do proper research before getting started, and not just do a review for the sake of doing one, or because other members are doing one.

 

exactly what i put on the rules/guidelines and what i informed him about.

 

Clearly the "review rules" and/or guidelines needs to be stricter in that case.

Rule nr1 "If a review/test is done wrongly resulting in an inaccurate and unfair product review it will be deleted without warning."

Im sure that rule would have a positive effect on the MT reputation too.

 

for that i have to learn the product too , check the samples, in fact redo the test, so in practice it is impossible; it is why when i don't know/not used to the product, i rely on the others members/devs comments.

 

Ok you do as you like I rest my case. Unfortunately I get the impression that nothing will change a singel bit.

 

80% of the bookings came from the first availability display in the mainframe age (done by travel agents), 80% of the click throughs come from the first "search results" page in the internet age (done by us all).

Assuming 80%/20% applies also on your forum, the "average Joe" won't read further and the thread will be mis-informative. So live by your rules and take your responsibility.

 

@ ZeroVulnLabs

What is your response to the new HitmanPro.Alert exploit testing tool? Does it matter that MBAE can´t block certain exploit methods?

https://www.wilderssecurity.com/thre...discussion-thread.324841/page-74#post-2390819

 

Does not really matter as those are canned tests to validate specific mitigations. It would be trivial to do the same thing for testing specific MBAE protections that bypass HMP.Alert. What matters is that attacks ITW, even those utilizing various ROP techniques, are stopped by MBAE. Just for good measure we are adding various ROP protections as well as performing additional tests by independent labs.

 

I was wondering how that would be responded to..

And that's a pretty good, fair, and understandable response.

 

Security software against exploits has the disadvantage that it can't be tested by the people buying/using them.

MBAE choose to show (on their site and through a related business partner) that it blocks existing malware.

The running test and test of their business partner showed that the software logic used is sufficient to stop existing exploits somewhere in the intrusion chain of events. MBAE does not guard all events, for compatibility, performance and ease of use reasons they choose to guard those events that really define the stages of a staged intrusion. To develop a new intrusion which evades the MBAE roadblocks will take a lot of time, knowledge, effort and money. So the chances of a new intrusion which can be applied in a controlled setting and predictable outcome are low.

Here comes a competitor (product A) which provides us with a test. The test only shows that product A gaurds some more events than product B. On the other hand product B dis not reveal which events they guarded, so product B might also gaurd events which product A does not. As long there is no existing exploit provided with the synthetic test of product A, it only shows that it (surprisingly) passes its own test.

It starts to become a bit of a dilemma when two software companies who I regard as highly professional (in terms of knowledge and products provided) face each other on a overlapping market segement. When one of those two decided to apply aggressive marketing tactics, it starts to get fuzzy. So a compliment for the fair and understandable response of MBAE to nagging (but valid) questions.

 

I prefer the approach of "product A" personally. And I stand by the comment I made way back when this was a one man show, and not in the hands of MB... that it is the most promising looking security product to come out since Sandboxie.

Now that I see ROP protections are being added I will wait a bit longer, until the guts are all in place and it's just a matter of ironing things out until I try it out myself. I want to get a fair assessment of things when it's truly ready to roll, and not a premature, misinformed one.

As for the compatibility, I think mostly they wanted it to be able to co-exist with EMET. I'm sure concessions had to be made in regards to protection for this to be a reality. Running both, once MBAE is perfected should be a very formidable combination. Since I am on XP and unable to utilize ASLR & SEHOP, MBAE obviously is more ideal for me, being able to block similar exploits using dissimilar methods. Even cooler would be to be able to use a completed Open EMET along-side MBAE, and use some of the app. specific mitigations in the former along with MBAE, without the added attack surface of .NET FW. That's a day I'm looking forward to...

 

I could agree...and disagree
Agree...Im not such expert as you are but I think that in fact testing anti-exploit eficiency might be not easy.
Disagree...because test-files which we can easy get from developer's pages are mentioned as not for only advanced users...it means that each one user can do the test by yourself. So average and less-average users try to test how strong is new anti-exploit security on their systems...if the test is failed they are perhaps a bit surprised and frustrated...exactly as me when I tested MBAE Exploit Test.
While testing in "Normal" mode I got calculator what was proper action...when in "exploit" mode I received an alert that MBAE has stopped working but 2 processes of MBAE are still working (checked in ProcessExplorer).
I was more surprised when I changed the name of MBAE test (you mentioned about it earlier)...I called it "something.exe" and run it. "Normal" - everything OK..."Exploit"...and I got calculator...and nothing more...no other action...alert...window...and my system (Vista) started to show strange bahaviour - I couldn't move (drug'n'drop) anything on my desktop.
What I..or another "not an expert" user should think...it's normal?...it's a bug?...anti-exploit aplication is effective?

 

I think you might have misunderstood the objective of exploit-testers provided by vendors. On the one hand they are just to make sure that the installation and specific mitigations are running and working correctly. On the other hand if you rename the exploit tester to "something.exe" which the anti-exploit is not previously configured to protect, it clearly won't be protected when you run it. You can either add custom shield for "something.exe" or rename it to something which it is configured to protect, like iexplore.exe, firefox.exe, etc.

 

I am a user/fan of MBAE *despite* its being engorged by MalwareBytes -- a company with which I now have zero confidence.

 

That's surprising to hear. Care to share why your confidence has been rattled?

 

OK thanks for the reply, sounds good to me. I´m still trying to decide if I´m going to use MBAE or HMP.A on my new machine, it would be cool if I could use them both, MBAE for blocking exploits and HMP.A for the other stuff.

 

MBAE is also blocking the javascrub utility from there uninstall webpage https://www.java.com/en/download/uninstallapplet.jsp.

 

Yes that's a known issue. You can use the Exclude button as shown in your screenshot.

 

I just added my first custom shield for a new browser, that I installed for the first time the other day.

So easy...

 

Are there any known conflicts between NIS 2015 and Anti Exploit other than the Ant-Exploit Icon no longer staying in the task bar tray? With the latest FF 31?