Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    So in short the truth: You wanted HMP.Alert also tested (even if in Beta) because it also uses a proactive approach. And you have no interest in it getting removed from the paper. Then your apologies to the Loman brothers are worthless.

    Because all your reasoning gives no other answer to the question "What's your reasoning behind not taking care that HMPA3 gets removed from the test-report?"

    Quite unfair, but ok. And btw.: Congrats for your results.
     
  2. guest

    guest Guest

    I didn't see anyone complaining when HPA released a misleading (IMHO) pdf of HPA vs EMET vs MBAE reporting that HPA V3 (BETA) is the best in the world.

    I guess (maybe not) they have tested the 3 products (including MBAE when it was BETA) against all the exploit techniques described in the PDF... has anyone seen the details about this test?

    http://dl.surfright.nl/Alert-3/HitmanPro-Alert-3-Datasheet.pdf
     
    Last edited by a moderator: Aug 15, 2014
  3. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    I don't see the scandal and I don't understand the drama. Both companies compete by comparing their products from their respective point of view. HMP Alert is in beta? It wasn't even in alpha when they, Surfright, were comparing it with the rest of the anti-exploit apps: "MBAE doesn't have this, MBAE doesn't have that, and we have everything".
     
  4. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    439
    How did this happen?
     
  5. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    780

    Exactly. The first posts of Pbust specifically talked about removing HMP.A from the results, so why leave the note instead of actually removing it?

    See my reply on the other post of yours.
     
    Last edited: Aug 15, 2014
  6. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Totally agree. Tempest in a teapot -- a nirvana for the self-righteous.
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    My guess is that it's out of MBAE's hands now and likely the Chinese company PCSL has ownership of the results and simply won't agree to remove HMP Alert from the results.
     
  8. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,360
    As far as I know shielded applications should be 1 when Firefox is running. Am I wrong? o_O
     

    Attached file: mbae.png
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    This is a known bug with MBAE with regards to the browsers. MBAE doesn't show the correct number of shielded apps after a while because the browsers often start and/or close processes and therefore it loses the correct count and shows the wrong number, often zero. But you can be assured that the processes are still protected by viewing that the MBAE DLL is loaded into that process. See Known Issue #1: https://forums.malwarebytes.org/index.php?/topic/135127-known-issues-conflicts/
     
  10. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Seems to me that HMP started this pissing match by claiming to be the biggest and best in the first place... while in Alpha, Beta, or whatever phase, they made these comments. So MBAE goes to actually test the veracity of these claims using objective methodology, and now they're the bad guy? The word "scandal" even directed toward them.

    BS

    This is just the typical over-reaction we always see on here when fanboys of a certain product/company have their world views tested.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Is this an accurate description of how MBAE mitigates exploits? I read this from Hungry Man's Security Blog. I think it is his blog anyway. You can read the full post here: www.insanitybit.com/page/2/

    "ExploitShield does not prevent exploits (despite its name), it does not make vulnerabilities more difficult to exploit. What it does is it attempts to detect exploits in various ways, and then, based on that detection, it decides if the ‘shielded’ program should be allowed to execute a payload.

    My real issue with ExploitShield is that it actually doesn’t do anything to prevent exploits. It detects them, and then takes basically a single measure against them, preventing their final payload from executing."
     
  12. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Fellow forum members, a question! Running x64 W7 SP1, Norton A-V, and Malwarebytes Premium. I recall reading somewhere in this thread, weeks if not months ago, about some compatibility issue that I must have thought would have an effect on my system. So I have two questions: any theories what I'm thinking of, and will this application (I would be using the free version) have any performance effects on my machine? Thank you!
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    If I'm correct, MBAE has been improved a lot since that article, and can now also disrupt exploits. In fact, what is written about ExploitShield does apply to apps like AppGuard and EXE Radar. But like you know, at the moment this is only a security problem "in theory", since almost all exploits use standard payloads. :)
     
  14. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yes, that is what I have been saying all along. Exploits that only reside in memory are rare in the wild, therefore AG will mitigate the overwhelming majority of exploits. It was designed with drive-by downloads in mind, and that accounts for the majority of exploits. I will have some information on the memory protection offered by HIPS soon. I'm waiting on some confirmations at the moment. I will open a separate thread for it.

    I have been trying to decide whether I want to use MBAE, EMET, or HMPA3 to fill in the gap for the rare instances where AG does not protect. The good thing about EMET is it's free, and well documented. The only problem is there has been very little testing of software that specializes in exploit mitigation, so it's hard to really know how effective one is compared to the other. It's only a matter of time though before some independent testing organization begins to test products' effectiveness against exploits on a regular basis. I would not be surprised if an independent organization decides to do this in the near future after seeing how much attention this has gotten recently. The only thing is it's hard to know for sure if they are biased when most organizations still will not perform the test unless someone pays them to do it.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Wow, very interesting. More proof that anti-exe isn't good enough. :)

    I forgot to post this link (read this a while back), which is also mentioned on "Malware don't need Coffee".

    http://securityxploded.com/memory-execution-of-executable.php
     
    Last edited by a moderator: Aug 31, 2014
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Personally I think it's best to combine tools that can tackle both methods. For example, if EMET is bypassed, a tool like AG can still save you. And tools like MBAE and HMPA are in fact trying to cover both standard and advanced ("in-memory") exploits so in theory they would make EMET and anti-exe tools obsolete, at least when it comes to blocking exploits. :)
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm probably going to retire Online Armor soon, and switch to Eset Smart Security. They are further developing their firewall and exploit shield in Eset Smart Security 8. I have other reasons for switching also. You can get a better understanding of why I'm switching if you read post #132 of this thread: forum.eset.com/topic/2984-eset-smart-security-and-eset-nod32-antivirus-8-beta-available/page-7

    I have used EMET in the past, but I uninstalled it after suspecting that it was causing problems with some software I use called "type accents". It allows typing in multiple languages much faster than using Microsoft's method. I probably just needed to exclude type accents from EMET's protection, but I have not tried it yet. I use type accents several hours a day, so if EMET does conflict with it then it would be a deal breaker for me. MBAE seems to be non-intrusive, but I have not used it enough with my particular setup to be sure there are no conflicts. If there were any then I'm sure it could be resolved. When I have a little money to spare I may purchase a premium license. The free version does not cover enough vulnerable applications. HMPA looks very promising as well, and I'm actually going to install it now so I can compare it to MBAE. I have the pdf chart comparison from Surfright, but that can't replace the actual experience of using the application.
     
  19. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Sometimes Firefox uses plugin-container.exe and Flashplayer*.exe as child processes of Firefox.exe, so it would be normal for MBAE to show a higher than 1 number of protected applications in those cases.

    This article refers to the very first beta version of ExploitShield, from around September 2012 (i.e. 2 years ago). At that time the very first beta of ExploitShield only had Layer3 protections. Today MBAE also includes Layer1 and Layer2 advanced memory protections which prevent exploits from ever executing in the first place, sometimes before the shellcode is able to run.

    There are no known issues between Norton AV and MBAE as far as we know.

    That might have been true in the past with some of the mainstream drive-by exploits. But there have been a large number of in-memory exploit payloads around for many years. Just check Metasploit payloads and ITW attacks as documented by FireEye. Also as referenced by @FleischmannTV above, even mainstream exploit kits nowadays are delivering memory-only payloads which bypass HIPS and anti-exe:
    http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html

    In this example of AnglerEK, MBAE blocks it in Layer1 before the exploit shellcode can even execute, which is the safest way to stop an exploit. Regarding AV/HIPS/Anti-Exe, if the exploit can run its shellcode and payload code in memory before downloading and running an EXE it is considered a compromise of the machine as malicious code is already running in memory. At that time the attacker can modify the shellcode to eventually bypass the AV/HIPS/Anti-Exe/whatever.
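    Post #9 suggests verifying that the MBAE DLL is loaded into a browser process rather than trusting the shielded-applications counter, and post #19 notes that Firefox spawns plugin-container.exe and Flashplayer*.exe children. The following PowerShell is an added example (not code from the thread or from Malwarebytes) that runs that check across those processes; the module name pattern and the helper name are assumptions, so substitute the real DLL name for your MBAE version.

```powershell
# Added example, not from the thread or from Malwarebytes. Checks whether a
# protection module is loaded into each browser process instead of relying on
# the MBAE "shielded applications" counter, which the thread says can read 0.
# ASSUMPTION: 'mbae*' is a placeholder module-name pattern, not taken from the thread.
$ProtectionDllPattern = 'mbae*'

# Process names named in the thread: Firefox plus the child processes it spawns.
$TargetProcessNames = @('firefox', 'plugin-container', 'Flashplayer*')

function Get-ShieldStatus {
    param(
        [string[]]$ProcessNames  = $TargetProcessNames,
        [string]  $ModulePattern = $ProtectionDllPattern
    )
    foreach ($name in $ProcessNames) {
        # A name with no running instance is not an error for this check.
        foreach ($proc in Get-Process -Name $name -ErrorAction SilentlyContinue) {
            $status = 'unknown'
            try {
                # Module enumeration can fail across 32/64-bit boundaries or
                # without sufficient rights; report that rather than "NOT protected".
                $loaded = $proc.Modules | Where-Object { $_.ModuleName -like $ModulePattern }
                $status = if ($loaded) { 'protected' } else { 'NOT protected' }
            } catch {
                $status = "unknown ($($_.Exception.Message))"
            }
            # Parent PID makes the Firefox -> child relationship visible in the output.
            $parent = (Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)").ParentProcessId
            [pscustomobject]@{
                Process = $proc.ProcessName
                PID     = $proc.Id
                Parent  = $parent
                Status  = $status
            }
        }
    }
}

Get-ShieldStatus | Format-Table -AutoSize
```

    Run it from a PowerShell of the same bitness as the browser (or elevated) so the Modules list is readable; an "unknown" row means the check could not be performed, not that the process is unprotected.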
     
  20. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Very interesting post. I cherish the opportunity to learn from devs in this board, and I have a few questions below:

    Wasn't he asking why there was "0" process showing in MBAE, not asking "higher than 1"? Actually he saw quite the opposite of what you suggested - if he also has flashplayer or other plugin container in Firefox.

    Sounds like solid progress of MBAE. Would you please talk a bit more in detail about what the Layer1 to Layer3 protections are?

    I read the article from the link, and I have a couple of questions on this claim in that article: "Exploits' hashes were the same as on all other threads but my usual tools were not able to gather the payload and what surprised me more is that HIPS (like Faronics antiexec) were bypassed".

    OK so my question #1: do you happen to know what "usual tools" the author might be referring to? I guess maybe he means "traditional AV"? Question is, are there still any "traditional AVs" surviving in today's market? I mean, any decent ones that survive today have long since evolved into more advanced anti-virus suites that include HIPS and anti-rootkit features. A typical example is Kaspersky IS, which has powerful HIPS and anti-rootkit ability. Peter2150 tested and proved the ability of HIPS in KIS in light of the "revolutionary" Memory Guard:

    https://www.wilderssecurity.com/thre...ly-that-vulnerable.365739/page-8#post-2403656
    https://www.wilderssecurity.com/thre...ly-that-vulnerable.365739/page-8#post-2403720

    And senior members of this forum have also tested the ability of HIPS against memory-only malware:
    https://www.wilderssecurity.com/thre...ly-that-vulnerable.365739/page-8#post-2403673

    An article about HIPS from Malwarebytes also indicated the ability of HIPS to stop "InterProcess Memory Access" and its ability to "Protected Registry Keys":
    https://blog.malwarebytes.org/intelligence/2013/05/whatiships/

    So here comes my question #2: is Faronics Antiexec considered widely as being a HIPS? Isn't it usually considered as a typical anti-exe? He did not mention a true HIPS got bypassed, if so that would be interesting. I agree with "On the other hand, this sort of feature is absolutely required for any working mandatory access control framework, which includes HIPS. That's why it's called mandatory access control - processes have mandatory restrictions on what they can do, enforced from kernel space. If an attacker (human or automated) can just jump to a different process that's not restricted, it's not a HIPS, it's a joke."


    I agree MBAE is a potent tool blocking memory-only malware and other exploits, but what about modern antivirus such as KIS, a decent HIPS such as Winpatrol and Comodo Firewall, can they block these kinds of exploits?

    I do appreciate the efforts that the devs put forth in answering questions and disseminating knowledge in computer security. Again, my intention with this post is to learn from security experts on this board to expand my knowledge. MBAE and other products are great tools to use, but sometimes I can be peculiar because I always want to learn HOW stuff works. I saw all sorts of statements bashing HIPS and antivirus software from many members here, so I did a bit of research and am trying to learn more.

    Thank you all in advance.

    Edit: just saw one dev's reply to some of my questions in a different thread:

    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-88#post-2403800

    He asked me to quit "trying to be an expert in others' discipline" after justifying his product against Windows UAC. Did I talk about UAC and said I would rely on UAC for my security? Sorry I only care about data, care about facts. Which discipline I am in has nothing to do with facts. Even in my discipline I am not THE authority and I have no intention pretending to be. So that kind of comments from a so called "scientist" makes me laugh out loud.
     
    Last edited: Sep 1, 2014
  21. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes you're quite right, sorry I missed that. That's probably due to the Known Issue. In the upcoming MBAE 1.04 (link to RC in my sig) we've improved the counter accuracy a bit.

    More info here:
    https://forums.malwarebytes.org/index.php?/topic/136424-frequently-asked-questions/
    http://malwarebytes.org/webinars/

    Not sure, but from the text I believe he's referring to forensics and analysis tools, not commercial products.

    Actual text on the article is the following: "what surprised me more is that HIPS (like Faronics antiexec) were bypassed".
    Not sure what Faronics is categorized as or if there is a clear line that separates HIPS from anti-exe.

    I think that the best thing to do for these big discussions about HIPS vs anti-exe vs antivirus vs anti-exploits in terms of blocking exploits and different types of payloads (both file-based as well as memory-only) is for all you guys who participate in these discussions to download Metasploit or CORE Impact and do your own exploit testing. It really is very simple and quick to learn Metasploit.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Since I am quoted, I want to clarify. The use of "revolutionary" in the context wasn't mine. Also I would add that yes, KIS did block memory access as did Memory Guard, but there were huge differences. Appguard was like driving Washington to Boston directly via New York, whereas KIS was like driving from Washington to Boston via Chicago. Both got to the same place but....
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    The thing is, most HIPS cannot really block exploits, but they can try to block the payload (= malware) from running, and even if it manages to run, it should be running under quite a lot of restrictions. And AVs are trying to stop exploits with signatures (not with HIPS), so that's why they perform so badly when it comes to blocking exploits. Because of this, some companies like Kaspersky and ESET have now added an "exploit blocker", because they have to keep up with specialized tools like EMET, MBAE and HMPA. :)
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Cool presentation. I do have two questions though. I noticed that the "exploit mitigations technology" is patented. Can you give some more info about this, how is it possible to patent this? And you might have noticed that EMET and HMPA are very open about the "exploit mitigations" that they are using, why doesn't Malwarebytes do the same? Do you perhaps think it's a bad idea, to be so open? :)

    I will take a look thanks. ;)
     
    Last edited: Sep 1, 2014
  25. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    It's patent-pending, not patented. If/when the patent is granted all the technical details are made public. However not all of MBAE's techniques are included in the patent application, only the ones that are novel to MBAE.

    In terms of techniques (which is what I think you and most users here want to compare on a one-to-one basis to try to determine which is a better product) it's not really the most important aspect. The more important issue is the logic behind how those techniques are implemented. Simply having a "very large number of techniques" does not necessarily make a product better than another. The techniques could be poorly implemented or implemented with little or no logic.

    Also there is a reason not to detail the techniques and logic: to avoid other vendors copying the same in competing products. If we were in academia or a publicly sponsored project maybe we could have made MBAE open-source, but since we have a bad habit of eating every day we try to make a better product and charge for it.

    Finally even though I don't believe in security-by-obscurity, it does help by raising the bar for the bad guys just a little bit more. If they have to reverse every single new version of MBAE to try to find a bypass it will get harder and harder for them.
     