Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  2. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    You can add WinRAR to MBAE and even use the office or pdfreader if you want to be a bit stricter with WinRAR. But it won't stop this kind of vulnerability as it is not a traditional RCE. It simply changes the local file headers within the archive to show EXEs as non-EXEs. The actual operation of reading/opening of a file is the same as if you would open any other file compressed with WinRAR.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  4. 142395

    142395 Guest

    Thanks for clarifying.
    Even so, there's other vulnerability history on some archiver programs, so I stand by my conclusion.
     
  5. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    109
    I'm testing MBAE on one of my computers and I have discovered some incompatibilities (false alerts) with some programs that work by injecting (hooking) a DLL into processes protected by MBAE:

    AdFender www.adfender.com
    AltDesk www.astonshell.com/altdesk/
    AutoSizer www.southbaypc.com/autosizer/
    Listary www.listary.com/
    PS Tray Factory www.pssoftlab.com/
    Quick Macros www.quickmacros.com/
    Unlocker www.emptyloop.com/unlocker/
    WindowSpace www.ntwind.com/software/windowspace.html

    I don't know exactly which of these programs are responsible for the false alerts; I will investigate by doing some tests when I have time for that. :eek:
     
  6. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    109
    After doing some tests, the programs listed in my previous post seem not to be involved in the false alerts.

    Here is what I get with various browsers:

    Comodo Dragon 31 portable and 36 portable (Chromium) with customized shield: false alerts and the process is terminated
    CyberDragon (Chromium) with customized shield: OK
    JonDoFox (Firefox) with default shield for Firefox: OK
    SlimBoat (Safari) with customized shield: OK
    Opera 11 and Opera 20: false alerts and the process is terminated
    SRWare Iron 36 portable (Chromium) with customized shield: false alerts and the process is terminated
    Internet Explorer 8: false alerts and the process is terminated

    The OS is Windows XP Pro SP3

    To be honest, I don't have any idea where the false alerts come from.
    The computer I used wasn't connected to the internet and was checked just before with Emsisoft Emergency Kit (0 viruses).
    The logs of MBAE don't help me... :'(
     
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Can you please PM me our MBAE user-data directory (ZIP of C:\ProgramData\Malwarebytes Anti-Exploit) as well as the logs from FRST @genieautravail?
     
  8. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    109
  9. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,919
    Those programs have remote control of windows: either resize, or kick/kill access on files (like Unlocker). AdFender is an anti-ad filter and can manipulate websites. Each one is harmless, but its general behavior is not.
     
  10. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    109
    AdFender was my previous anti-ads software; I'm now using the AdBlock Plus extension for Chrome or Opera.
    The other programs don't have access to the internet (access blocked for them). ;)
     
  11. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    Hi ZV,

    I haven't abandoned MBAE. I am just in another snapshot testing HMPA.
     
  12. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
  13. guest

    guest Guest

    afaik the last time that zero-days were used in a blind mass attack was in 2013 when BlackHole included a Java 0day (http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html ?).

    Zero-days are normally only used in targeted attacks against for example governments, research institutions and other 'high value targets'.
    But we have seen that Flash Player patches can be reverse engineered within just a few days. So if you've not yet installed an update at that moment and you're not running any mitigation software, then you're still toast.
    And do not forget the use of malicious macros in mass spam runs. The dropped executable should still be prevented from running with MBAE/HMPA.
     
  14. 142395

    142395 Guest

    Fabian is definitely right at least so far (nobody knows the future): there haven't been many 0day exploits against home users, and even in some actual cases, which were just copied or leaked attacks from targeted attacks, users could have avoided them if they paid enough attention to security news, as workarounds were available before the official patch.
    Also there's no complete alternative to patching; some vulnerabilities can only be blocked by patching, e.g. application design flaws.
    I believe even those anti-exploit devs shouldn't over-emphasize the risk of 0days for home users. But at the same time it's true targeted attacks can occur against some home users when they have a reason to be targeted, and for such rare users anti-exploit will at least put up another obstacle.

    Oh, and I forgot to mention, most AV/IS have a network-based IPS and this can prevent known but not patched exploits. It's not 100%, but IBK confirmed most major AVs can block those attacks well as long as they are not highly obfuscated, though probably those 0day attacks are well obfuscated.
     
  15. 142395

    142395 Guest

  16. guest

    guest Guest

    Actually, most zero-days do not employ a high level of obfuscation.

    Just to name a few:
    CVE-2013-3893/CVE-2013-3897/CVE-2014-0322/CVE-2014-1815 had 0 obfuscation.
     
    Last edited by a moderator: Dec 23, 2014
  17. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    MBAE Premium might be causing some frozen Chrome extension icons and problems opening new tabs, which seem to be better after I stopped protection and started it back up again.
     
  18. WigglyTheGreat

    WigglyTheGreat Registered Member

    Joined:
    Jul 10, 2006
    Posts:
    144
    I just installed MBAE on my Surface Pro tablet running Win 8.1 Pro 64 bit. It's running so far without issue along with Trend Micro Internet Security 2015. Thanks.
     
  19. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    I don't quite agree with these comments for a few reasons:
    • In the past users have been exposed to zero-days numerous times.
    • Lately users have been exposed to IE and PowerPoint zero-days for a number of days/weeks.
    • A zero-day does not give advanced early warning. By its very own definition by the time you find out about it may be too late. Who's to say users are not being infected by a zero-day as we speak? This is like saying there's no more corporate breaches like the Sony breach as nothing has been disclosed in the news today. More likely, many more companies are breached as we speak and they still don't know about it.
    • An old exploit for an old vulnerability is still a zero-day for some user or company that is not up-to-date and patched against that vulnerability.
    • Even though patching is the best approach, many times users wait to make sure that the patch will not hose their systems (as has happened multiple times this year with Microsoft updates).
    • There is a HUGE difference between the Wilders and similar technical/security oriented users and non-technical users (i.e. the vast majority) in terms of keeping up-to-date with the latest patches.
    • Many companies simply cannot keep up-to-date with the latest patches. Many times they only have 1 or 2 opportunities per year to update endpoints and even more often their internal applications rely on heavily outdated software. In the last few months I've seen HUGE companies that still require their employees to use IE6 or Java5 for example.
    • The Flash example of the patch being reversed and in 1 week seeing the exploit integrated into Exploit Kits is for a reason: most users are affected by this. Otherwise they would not take the time to reverse the patch. We are going to be seeing much more of this type of quick turn-around from patch to exploit in the future for the very simple reason that it is effective.
    • I've seen backend stats from hacked Exploit Kits control panels and the data supports my arguments: the infection rate is VERY high from EKs. This means regular Joe Blow users (not technical Wilders users of course) are very much affected by this problem.
    • Last but not least, about 40% of the signatures that the MBAM team used to add earlier this year were for exploit-delivered malware payloads. Nowadays that number is closer to 60%.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I totally agree! A non-signature-based anti-exploit tool is a must. It should be an integral part of any good antimalware.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Don't forget EIS has a non-behavior component in its Behavior Blocker.
     
  22. 142395

    142395 Guest

    Are you serious? Can you give us the list of those numerous 0days which attacked common home users in this or last year? Even part of the list you can provide soon is welcome, as long as it can be regarded as numerous, but I bet you can't, simply because there aren't so many. I could find some, but far from numerous.
    I know and posted about the IE one, but didn't know the PowerPoint one also affected home users; could you give me a link? And IIRC, neither EMET nor MBAE could block this exploit previously/proactively, as it was a kind of design-flaw vuln, so those anti-exploit tools needed to add protection (ASR for EMET, an update for MBAE).
    There may be and would be undiscovered 0day victims, but we can't speak about them for sure, and the scenario where many common home users are affected by such a 0day which no security vendor/expert could find is quite unlikely, at least on popular platforms such as Windows. Even if it's true, I somewhat doubt an anti-exploit tool really could block such a stealthy attack.
    These are quite valid points, but out of the scope of the discussion. Please only focus on real 0days, i.e. where there's no patch available, especially unknown ones, because for known ones AV/IS can block them pretty well, at least within 48h (some vendors within 24h), and this is the reason MBAM doesn't actually scan content files (docs, pics, movies etc.), as Malwarebytes' representative himself said. But of course those known but not yet patched vulnerabilities are also okay, because if the exploit is obfuscated, AV may fail.

    I don't disregard those serious problems; most users don't patch immediately, but then what we should first recommend to them is Secunia or UpdateChecker, not anti-exploit. And for those who postpone patching, I say and said it's still not good practice for home users (not for corporate users!) unless that patch surely causes issues, and even in that case he should apply the workaround/mitigation, which is often (yes, not always) available. However, I think the most important role for anti-exploit in a practical context is those cases.
    Again, please focus only on common home users who won't be targeted; did Fabian mention corporate users?
    Please focus only on the current state and real 0days.

    Overall, the risk is not the damage, but the product of possibility and damage. We all know even the possibility that we come across a common exploit is quite low. And when it comes to 0days, it's much less. I've seen the question "Does anyone have experience that EMET/MBAE actually saved you from an exploit?" asked many times in other forums and never found a positive answer. That is the reality.
     
    Last edited by a moderator: Dec 23, 2014
  23. 142395

    142395 Guest

    Thanks, but I wonder why they don't obfuscate it, since obfuscation can be done quite easily. Maybe they want to avoid being regarded as suspicious? And because, as these are 0days, they won't be detected anyway even without obfuscation?
     
  24. guest

    guest Guest

    Just a real world example:
    CVE-2013-3897 was not obfuscated and had a detection rate of 20/50 on VirusTotal before the patch, simply because of the use of a generic heap spray, although Suricata was also able to detect it based on generic rules for shellcode detection. That vulnerability was found by a certain 'Hoodie22' on jsunpack.jeek.org; at that time it was already being used for 2 weeks against Japanese and Korean users.
     
  25. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Your post is complete nonsense because you insist over and over again on focusing on real-world scenarios and common users, and the reality is that common users DON'T UPDATE THEIR SYSTEMS. I can convince my brother to update his laptop once (rarely), but it's impossible for me to get him to update every program day after day as I do. That's the real world, not the world of people who read security forums.

    You cited Secunia, here is some data from Secunia. Only five percent of computers are up to date:
    http://www.enterprisenetworkingplan...rm-Only-Five-Percent-of-PCs-Fully-Patched.htm

    One year later, less than two percent:
    http://secunia.com/blog/191-of-all-pcs-are-fully-patched-37
     