Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. guest

    guest Guest

    It looks like those are just memory corruption vulnerabilities.

    Part 1 of @ZeroVulnLabs answer was with regard to logic flaws in Firefox.
    Logic flaws in Firefox are rare and the vast majority of them were found by one researcher (Mariusz Mlynski).
     
  2. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Hard to tell, I couldn't find any details other than "unknown vulnerabilities" and "unspecified vectors" in the CVE description.

    It does say it's a memory corruption vuln so likely MBAE will detect and stop it. But we'll have to wait for a Metasploit module or leaked exploit PoC to know for sure.
     
  3. vojta

    vojta Registered Member

    More reasons to use proactive anti-exploit measures instead of signature based blocking:
    http://threatpost.com/domain-shadowing-latest-angler-exploit-kit-evasion-technique/111396

     
  4. Sampei Nihira

    Sampei Nihira Registered Member

    MBAE 1.05.1.1016 (Premium)
    SBIE 4.16
    OS Windows XP Home SP3.

    I inserted the template recommended on SBIE 4.16.
    It does not work.
     
  5. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    AFAIK that template workaround only works on 64bit Operating Systems to protect 32bit processes.
     
  6. Sampei Nihira

    Sampei Nihira Registered Member

    I read this:

    https://forums.malwarebytes.org/ind...choosing-between-sandboxie-and-mbae/?p=914785

    Post 34
     
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

  8. mantra

    mantra Registered Member

    Last edited: Mar 6, 2015
  9. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

  10. luciddream

    luciddream Registered Member

    So is the only obstacle with this right now that you have to manually enter that string into SBIE's configuration to get it to be compatible with it?

    Oh yeah... last I heard it didn't play well with the HIPS in Comodo 5.10 as well. Namely the shellcode injection protection. I'm willing to enter that code to force compatibility with SBIE, but if it doesn't play well with Comodo 5.10's HIPS that's a deal breaker to me. And that'd be a shame because I really want to use this.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Shellcode is one of the main vectors used by exploits so if MBAE cannot inject into it then it probably can't offer protection for many exploits. I'm interested in hearing what pbust thinks about this. How long has Comodo been offering shellcode injection protection?
     
  12. guest

    guest Guest

    You're wrong.

    1. You can't just run shellcode from the stack or heap. (Have you ever heard of DEP and ASLR?)
    2. Critical functions (VirtualProtect, WinExec, etc) cannot be called from heap memory when ESP is not an address within the stack boundaries defined in the TEB. (a/k/a stack pivot detection)
    3. Critical functions that are called require a return address that is not located on the stack or heap. ( Bye bye exploitation attempt using 'traditional' shellcode )

    At least, this is what I have experienced using blackbox testing.
    Besides that, you also have to deal with Application Lockdown.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Yes, I know what DEP and ASLR are. I will look more into what you are saying.

    Edited: Are you basically saying the shellcode runs later in the chain of executions if the exploit is successful, so the shellcode is not what is being exploited? That will give me a starting point to read more into this.
     
  14. guest

    guest Guest

    The following steps are generally taken while exploiting Internet Explorer/Flash Player/etc.

    1. Spray the heap
    2. Overwrite some value on the heap using a vulnerability to gain RCE
    3. Perform a stack pivot
    4. Call VirtualProtect/VirtualAlloc to allocate executable memory on the heap in which the shellcode is located
    5. Call shellcode
    6. game over
     
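    Added example, not code from this thread or from MBAE itself: the two checks described in post 12 (ESP inside the TEB stack bounds, caller return address not on the stack or heap) written as a stand-alone C function, evaluated at the point where steps 3 and 4 of the chain in post 14 would reach a critical API. The memory map, addresses and `check_critical_call` name are constructed placeholders, and the TEB lookup is replaced by passing the stack bounds in as parameters so the code runs on any platform.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed memory map of a hypothetical 32-bit process (placeholder
   addresses, not taken from any real product or exploit). */
typedef enum { REGION_STACK, REGION_HEAP, REGION_IMAGE } region_kind;
typedef struct { uintptr_t lo, hi; region_kind kind; } region;

static const region g_map[] = {
    { 0x00100000u, 0x00200000u, REGION_STACK }, /* thread stack: TEB StackLimit..StackBase */
    { 0x00400000u, 0x00500000u, REGION_IMAGE }, /* main executable image */
    { 0x00600000u, 0x00a00000u, REGION_HEAP  }, /* (sprayed) process heap */
    { 0x76000000u, 0x76100000u, REGION_IMAGE }, /* a system DLL */
};

static const region *find_region(uintptr_t addr) {
    for (size_t i = 0; i < sizeof g_map / sizeof g_map[0]; i++)
        if (addr >= g_map[i].lo && addr < g_map[i].hi) return &g_map[i];
    return NULL;
}

typedef enum { VERDICT_ALLOW, VERDICT_STACK_PIVOT, VERDICT_BAD_RETURN } verdict;

/* The two checks a hook on a critical API (VirtualProtect, VirtualAlloc, ...)
   would run at call time. esp: stack pointer seen inside the hook;
   ret: the caller's return address; stack_limit/stack_base: the thread's
   stack bounds as recorded in the TEB (passed in here instead of read). */
verdict check_critical_call(uintptr_t esp, uintptr_t ret,
                            uintptr_t stack_limit, uintptr_t stack_base) {
    /* Check 1 (stack pivot): ESP must lie inside the TEB-defined stack. */
    if (esp < stack_limit || esp >= stack_base) return VERDICT_STACK_PIVOT;
    /* Check 2 (caller check): the return address must be in a code image,
       never on the stack or in heap memory where sprayed data lives. */
    const region *r = find_region(ret);
    if (r == NULL || r->kind != REGION_IMAGE) return VERDICT_BAD_RETURN;
    return VERDICT_ALLOW;
}

int main(void) {
    static const char *names[] = { "allow", "stack pivot", "bad return address" };
    const uintptr_t lim = 0x00100000u, base = 0x00200000u; /* from the map above */
    printf("normal call   : %s\n", names[check_critical_call(0x001f0000u, 0x00401234u, lim, base)]);
    printf("pivoted stack : %s\n", names[check_critical_call(0x00700000u, 0x76001000u, lim, base)]);
    printf("heap caller   : %s\n", names[check_critical_call(0x001f0000u, 0x00700000u, lim, base)]);
    return 0;
}
```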
  15. luciddream

    luciddream Registered Member

    For a long time. They used to offer it by way of a stand-alone program they called the Comodo Memory Firewall, back before they even made a HIPS and their FW was much more basic and rough around the edges. Then when they created a FW/HIPS combo, before they even had an AV, they integrated the feature into it by way of a simple check box: "Detect shellcode injections" in the D+ settings. So they've been at it for a long time.

    Not only that but I wouldn't sacrifice it to use MBAE because I feel that doing so could weaken the entire product as a whole. One of those "more than the sum of its parts" type deals if it isn't there anymore.

    I didn't quite follow the exchange the two of you were having. To simplify... is it alright for me to use MBAE and keep that feature enabled in Comodo D+ too without creating problems? If so I'll buy the thing. If not, it's just not an option for me. So far people seem to be evasive when it comes to addressing this issue.
     
  16. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    As far as we know there's no issue with Comodo D+. I've been in touch with them a few times over the last years to fix some of the earlier conflicts during the MBAE betas, but that was a long time ago. If you're running the latest versions of both products there are no conflicts.
     
  17. luciddream

    luciddream Registered Member

    That's the thing though... I'm not running the latest version of Comodo, and have mentioned that several times in here. I use v5.10, as do many. It's considered by many to be the best version they've ever made and has become a legacy version. So am I SOL then if I keep using that version? I certainly won't change it.
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    I didn't keep track of which was the version with problems, but it is also possible that the fix was pushed down as an update to Comodo users.

    Give it a try with the MBAE trial version. If it doesn't work the uninstall is just 2 clicks away. Even if you decide to purchase MBAE Premium and you run into problems later on, just send me a PM or post here and I'll instruct an immediate refund.
     
  19. TomAZ

    TomAZ Registered Member

    Actually, it works for me on my 32-bit system, but I had to downgrade to SBIE 3.76 to make it happen.
     
  20. Peter2150

    Peter2150 Global Moderator

    Then you really didn't make it happen. Downgrading to 3.76 is a mistake as you are giving up all the improvements in SBIE's protection.
     
  21. Pete,

    That is not entirely true. SBIE V4 is better for 64-bit systems. True, with V4 the user also benefits from the low rights sandbox (when your OS facilitates that). On the other hand V3 is well matured for 32-bit systems. As an example 3.76 was not vulnerable to the hardlink sandbox escape which 4.14 and older were vulnerable to.

    For 32-bit system owners (particularly on XP), there is nothing wrong with using the 3.76 version, but let's take that discussion to SBIE and keep this an MBAE thread.

    Regards, Kees
     
    Last edited by a moderator: Mar 9, 2015
  22. Peter2150

    Peter2150 Global Moderator

    I stand corrected.

    Thanks Kees
     
  23. Rasheed187

    Rasheed187 Registered Member

    @ ZeroVulnLabs

    I forgot to report that MBAE terminates MS PowerPoint 2013 and gives an "exploit detected" alert. I'm using Win 8.1 64-bit. I'm now on the Free version, but perhaps you can take a look at it.
     
  24. boredog

    boredog Registered Member

    Does antiexploit work with Quitezones TOR browser? Or do I have to add it to the shields somehow?
     
  25. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Would need MBAE and FRST logs --> https://forums.malwarebytes.org/ind...-how-to-posts-here-need-to-include-mbae-logs/

    If it doesn't show up as protected in the LOGS tab of MBAE, then you need to add a custom shield for it.
     