Malwarebytes Anti-Exploit

Now for those who still don't know the difference between a vulnerability, crash PoC and weaponized exploit...
let me remind you with:
"So i created a malicious image (...) and I was able to successfully crash the Skype application of my friend by sending the image"

1. He does never mention that he created a weaponized RCE PoC/exploit.
2. He did not cover the root cause of the crash in his blog post. It could just as well be a null derefence instead of a memory corruption vulnerability.

It is a bit naive to make a certain statement without even reading the whole article and thinking that this article is enough proof for your statement.

As additional reference: https://www.wilderssecurity.com/threads/do-you-use-exploit-mitigation-software.377669/

 

it was example, anyway enjoy your utopia ...

 

Do I completely rule-out the possibility of a remote Skype exploit? No, but I have yet to find a documented case. If you can provide one I am happy to change my opinion

 

I'm having a problem with shielding on FF39.03..Although the pop up appears saying FF and plugins are shielded etc if I use process explorer to check via the mbae.dll it doesn't show FF...It does show other processes such as Windows Media Player etc...I've tried un-installing and a re-install but the FF problem remains..I've also checked under task manager, its not running.

Win 8 x32 1.

MBAE 1.07.1.15

 

@clubhouse1

MBAE 1.07.1.1015 is working fine under Win 7 x64 using FF 39.03

​

 

I can confirm mbae64.dll injects 39.0.3 cyberfox.exe, but MBAE no longer presents a traybar notification or logs it as it did for 39.0 and 38.x.

So, protection OK (I hope), notification and logging not OK.

Other shielded apps all still OK: injection, notification, logging.

Cyberfox 64-Intel Portable - Windows 7 HP SP1 x64 - MBAE 1.07.1.1015

 

Seems to be working atm...Showing in Process explorer, but not the task manager.

 

I am running the latest stable 4.20 x64 of sbie and lately when I open my browsers, mbae only tells me i'm protected the first time I open my browsers. If I close and re-open my browsers it doesn't show the alert. I have searched with process explorer for the dll's and they are loaded but why don't I get the alert anymore?

 

I have a variation of the same behaviour (with IE and WIN10), MBAE only tells me I'm protected the first time I install MBAE. Then next reboot MBAE will be silent (on IE) forever. Yes, .dll in still injected in IE but no way to see really if MBAE is working. There must be a way to clearly highlight from the GUI what is currently protected and what is not. I found this rather basic information lacking from the current version.

EDIT: already tried to do whatever clean install possible with MBAE support.

 

I feel better that this weird issue is not just happening to me

 

It's a known user interface glitch of 1.07. Already fixed for the upcoming 1.08 beta.

 

Cool!

 

IE and Chrome do not show up in the mbae log anytime at all when thay are started to show that they are protected.

 

https://www.wilderssecurity.com/threads/malwarebytes-anti-exploit.354641/page-99#post-2515057

 

Thanks!

 

It's interesting, but apparently this is something that should be implemented into the OS itself. So I'm guessing we won't be seeing it anytime soon.

 

ETA?

 

ETA = soon

Btw seems like first RCE for Microsoft Edge is here already:
https://technet.microsoft.com/libra...459594)(je6NUbpObpQ-5sv2VMnReJnIL504WJdzPQ)()

 

Weird enough, this is resolved after the latest MS OS updates installed yesterday. Now I am getting always the MBAE pop-up (on IE and WIN10)

 

MBAE just does not work good with chrome for me so i have to use HMPA instead. I had problems on facebook along with slowdowns bringing up a lot of sites.

 

Can you send me FRST logs to see if there are any conflicts with MBAE?

 

MBAE won't update for me. It doesn't work if I try it manually, or automatically. I see it ask to connect out as if it's looking for an update, and I know there's one available (I'm on v1.06.1.1019). But it doesn't actually update.

I know it's not a HIPS problem blocking it because I have everything set to "Ask", and treat it as an installer when it asks permission.

I also thought maybe it used the Connection settings in Internet Options (Control Panel) to connect out like some programs do (i.e. Sandboxie), and removed a fake proxy (0.0.0.0) I have set up to effectively block that vector. But that didn't make any difference either.

For the record I'd like to know if it does use that method though so that I can at least put that back to the way it was?

Plus any other input to help me to get this thing to update properly. I really don't feel like manually uninstalling/installing every single new version.

 

Something is most likely blocking it from communicating. The service (mbae-svc.exe) connects directly to the Internet to check for upgrades at booth and every few hours thereafter. Check your other programs to make sure nothing is blocking mbae-svc.exe from communicating with the Internet.

 

Will MBAE protect against reflective DLL injection into the browser? It sounds like something MBAE should cover. These techniques are used by banking trojans. The description I read says it is never written to the disk. Can reflective DLL injection automatically run in the browser by exploit, or does the user have to be baited into opening an infected executable using social engineering for the injection to occur?