Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    @Tarnak Wow, I get scared when I see your systray icons. I guess malware is running away also ;)
     
  2. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Tarnak has always believed in the minimalist school of self defense ;) :isay:
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Yes, just like I do :)
     
  4. guest

    guest Guest

    I don't want to be his HDD, the I/O writes must be massive... ^^
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    What about compatibility with HitmanPro.Alert? And what do you think about ViRobot APT Shield? :)

    https://www.wilderssecurity.com/thre...d-2-0-next-tool-for-blocking-exploits.365958/

    Perhaps Tarnak can make a list of all the security apps that he's using, just for fun?
     
    Last edited: Jul 31, 2014
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  7. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Thanks.
    I'll do a test.
    :thumb:
     
  8. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Updated to latest beta. After installing over existing version I rebooted computer and the monitor resolution was lowered (I reset). Not sure if anything to do with MBAE installation. So far running smooth with my programs. Ran MBAE exploit test and it blocked. Not running Java on my machine.
     
  9. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Does the experimental build 1.04.1.1006 (free) cover Chrome Canary x64?
     
  10. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    439
    When I install 1.04 I don't get the experimental licence like before, I get free one.
     
  11. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Added an explanation about that in the thread.
     
  12. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    MBAE makes IE crash (Win 8.1 Update, EMET 5) when Bing search is activated via the address bar search. The latest experimental build didn't solve this.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Cool, that's nice to know. By the way, what do you think about adding a "banking trojan detection" feature like in HMP.A? Would that be difficult to add? And perhaps if you have the time, you can take a look at ViRobot APT Shield, I wonder how good it really is. :)
     
  14. The incidental hanging of Chrome when started by the user was already solved; now it also runs great when using AppTimer to launch Chrome repeatedly.

    AppTimer also says Chrome loads faster now. I'm not really sure whether it is all because of the new injector, because I also have a newer Chrome version since the last time I checked program launch times with MBAE.
     
  15. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    "A recent test by China-based PC Security Labs showed that some products are much more effective than others at [blocking exploit attacks:] Malwarebytes [Anti-EXPLOIT] beat all the rest with a success rate of 93.10 percent."

    http://securitywatch.pcmag.com/security-software/326278-can-your-security-software-block-exploit-attacks

    Remark: Most of the other products tested (aside from HitmanPro.Alert and EMET) were security "suites". Emphasis: Malwarebytes Anti-EXPLOIT can be run side-by-side with (i.e., complementing) these security suites!

    Disclaimer: Be advised that Malwarebytes commissioned this test.
     
  16. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA

    Hey... good stuff. Thanks for posting.

    Norton is the great surprise here for me.

    Too bad more apps like AppGuard & NVT EXE were not tested.

    Hopefully there will be more of these tests to help us determine which product is the one we want.

    Yes, MBAM sponsored... got it. But looks good for MBAE.
     
    Last edited: Aug 12, 2014
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Nice job, I really wonder why MBAE performed so much better than the other apps. For example HMPA3 seems to be quite advanced.
    It also makes me wonder how apps like EXE Radar and AppGuard (which don't offer exploit mitigations) would do. :)
     
  18. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    Here's the link to the actual PC Security Labs test results
    http://pcsl.r.worldssl.net/report/exploit/rce_mitigations_201408_en_malwarebytes.pdf

    ================================

    in my case, the 4 exploits that were NOT blocked by MBAE were in fact successfully blocked by my Avast. Meaning that this combination was 100% effective :)
     
    Last edited by a moderator: Aug 12, 2014
  19. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Hi ZeroVulnLabs,
    is it possible to have a future test performed by other laboratories (AV-C, ...)?
    TH.
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Unless AV-C only tests for exploits I think it would be pretty pointless.
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Congrats to MBAE for performing so well!
     
  22. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    That was a paid-for test. Please read the thread about HitmanPro.Alert. They paid for it and insisted that a Preview version of HMP.A be included, just to show they had better scores than an unfinished product. Other than that, all competitors (except EMET, which is FREE!) were security suites not specialized in exploits. Makes you wonder why they paid for the test other than just to bad-mouth competitors... especially when they didn't even include AppGuard (afraid to go up against a competitor with a 100% score, perhaps?).
     
  23. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Besides the unfairness against HMP.A, the EMET thing is also nonsense. They tested the old version, because the new one (v5) doesn't support the irrelevant test setting (unpatched XP SP3). Even if people still use this old OS and it's easier to find working exploits for it ... it's officially no longer supported and therefore shouldn't be used as a reference, esp. in proactive tests. Newer OSes by themselves offer better exploit protections, and even back in EMET 2/3 times M$ showed that XP (even with EMET) can't be as secure as newer OSes.

    Besides the already mentioned issues (default settings, things not enabled ... but EMET and HMP.A aren't just set-and-forget applications), this sums up the "value" of this test. Yes, Malwarebytes did not set the test settings, but they accepted and paid for it.

    Bad and unfair marketing IMO.
     
  24. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Yes! The whole test is bogus.
     
  25. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    As mentioned in another thread, our objective was to see the differences in protection between the proactive and reactive approaches to exploit blocking (i.e. signature-based vs proactive exploit mitigations), so we were surprised with the results as well.

    Here are some facts to answer the concerns mentioned above about the test:
    • I would prefer a non-sponsored test any day of the week, but that wasn't happening, and many of you have been asking for third-party tests comparing anti-exploit products for quite some time. However PCSL did a very good job and their independent criteria prevailed during the entire test. I don't necessarily agree with some of the methodology decisions, but it was their decision, not ours.
    • It was performed under WinXP as that OS is still in wide usage and more exposed to exploits than Win7/8, as there are no updates from Microsoft. However many of the exploits tested were for non-Microsoft applications (Java, Silverlight, Flash, QuickTime, etc.) and they also work under Win7/8.
    • It also tested Security Suites as they include some exploit blocking features. Comparing paid vs free vs suite vs commercial vs beta was not the objective. The objective was specifically to test exploit mitigation techniques. It's not uncommon to see FreeAV outperform PaidAV or Beta outperform Commercial products, so that's not relevant with the above objective in mind. EMET 4.1 is also a "Technical Preview", btw.
    • Other specialty products such as anti-EXE or white-listing were not included. Even if those products are able to block certain types of exploits, it is a by-product of their approach, not necessarily because they include specific exploit mitigation techniques.
    • The QuickTime bypasses of HMPA3 are probably due to a bug. For some reason the software radar didn't work when executing the exploit and PCSL chose to give it a fail.
    • The Java reverse shell fail of HMPA3 is documented in the methodology. The reverse shell is established, i.e. the exploit payload is executed. Some commands are blocked but some are not. This is easy to verify with Metasploit.
    • The IE8 bypasses are very real. Oddly, they are ROP-based.
     