Malwarebytes Anti-Exploit

You'd pay for a beta?

Anti-Exploit Premium was once a stand-alone paid product, and the free version became a beta testing program when in no uncertain terms they stiffed those who paid for the discontinued Premium, offering an unannounced, unpublished pro-rated refund to those who discovered they could request it.

 

True. But the Settings UI is really (censored) as it is for just about everything else in there. If only MS would have the anti-exploit settings available in a management console, how nice it would be. I might fire off an email to Nirsoft. Maybe he can come up with one.

 

Along with Malwarebytes Antiransomware (MBARW) Beta, Malwarebytes Anti-Exploit (MBAE) Beta, and Malwarebytes Anti-Rootkit (MBAR) Beta are all now so called perpetual betas.

If a user had previously held licensing for the then MBAE Premium (yearly or lifetime), that licensing would have then been generously converted to MBAM Premium if the refund was not chosen. I know as I personally allowed the conversion of my then MBAE Premium license to the full premium MBAM product. Marcin, @ZeroVulnLabs (@pbust) & Company have always taken the most generous path for Malwarebytes subscribers. At the time, the public announcements asked you to decide which choice you selected. If you personally did not elect a refund, the MBAE Premium license automatically became a MBAM Premium license.

Explanations to this effect were adequately made in 2016 in this sub-forum and in the now Anti-Exploit Beta sub-forum at Malwarebytes.

If your personal records can still show your MBAE Premium license could not activate MBAM Premium, or you applied for a never received refund, I can put you in contact with those who can commence a Malwarebytes internal investigation.

HTH

 

@ 1PW Thank you for your concerns.

I was using Exploit Shield since before the Malwarebytes transition back in 2013. While I don't use it on my production Win10 system, I do run it on two others (one of them for the Insider Program) and two Win7 ones.

Being "so called" is not common knowledge or not recognized by a significant number of its casual users as evidenced by posts herein. Releases should be,for example, "Malwarebytes Anti-Exploit Perpetual Beta 1.13 Build 400 (July 26, 2021)." The /Malwarebytes-Anti-Exploit-Product-Lifecycle page should be titled "Malwarebytes Anti-Exploit Perpetual Beta Lifecycle." And unless "End of Sale" has meaning unrelated to commerce, that column should go. All IMHO, of course.

So, at the time MBAE was dropped, I was not running MBAM Premium nor was I interested in it and that disinterest persists to this day.

The pro-rated refund I received was a result of my own request directly to support@ in December of 2016 for the subscription I renewed in May of 2016 and motivated by the December 7 End of Maintenance FAQ, wherever that might be if it still exists. I made that request because at that point in time, there was no mention of refunds, only the generous conversion to MBAM Premium or an assurance of continued support for the remainder of the MBAE subscription. Neither was acceptable. If a refund option was made public knowledge by Malwarebytes (Inc, LLC, whatever) thereafter, I no longer cared to make note of it. All that said, the refund and subscription cancellation was acceptable not simply for the amount, but in principle.

As for "explanations to this effect...in this sub-forum," a search of "refund" in this thread returns nothing relevant to compensation for Premium customers. I did/do not follow the Malwarebytes forum. Dropping MBAE Premium was always about MBAM subscriptions and MBAE free as beta about testing the beta. As a capitalist, that's good capitalism for one and a brilliant method for acquiring beta testers for the other.

Anyhow, Rasheed187 (having some 166 posts in this thread) dropped in and wondered why MBAE wasn't a premium product because it already was once upon a time and didn't seem to remember what he is using is a beta and why pay for that. My post was just a friendly memory jog.

Speaking of the MBAE Premium license, it's been a few months since I did this, but I can enter it into MBAE Perpetual Beta, it'll go out and hit a server, validate and present my license ID under the About tab. Yes, I know that doesn't do anything special, but fun nonetheless.

Finally, Malwarebytes: Thank You (!) for the Anti-Exploit (Perpetual) Beta releases. And if MBAE Premium were to return to the marketplace, my checkbook PayPal account is ready.

Cheers.

 

Hello @Surt

Not often referred to publicly (nor officially objected to) we (that's me too) of the great unwashed have casually made reference to the downloadable, standalone MBAE, MBAR and MBARW betas as perpetual betas and because they are quite important integral modules/engines they will yet be foreseeably separate from the frequent but nearly always not available as a download, MB4 betas.

If you personally, and many others, are a continuing users of the standalone MBAE beta, please accept the genuine thanks of many who truly appreciate its value like we do.

Please allow that sadly I very likely misinterpreted your earlier post here. To be clear, should I leave things as they are or should I still contact Malwarebytes management for additional action regarding your previous MBAE Premium license?

Thank you.

 

Malwarebytes Anti-Exploit Beta 1.13 Build 407 (September 1, 2021)
Release Notes (Forum)
Download: https://downloads.malwarebytes.org/file/mbae

Spoiler: Changes v1.13 Build 407

Malwarebytes Anti-Exploit 1.13.1.407
Protection:

• New protection technique to block exploits from abusing MS Office and scripting applications
• New technique to protect MS Office applications from loading points abuse attacks
• New technique to protect MS Office applications from batch command abuse attacks
• New granular protection against VBA7 process and VBE7 object abuse
• New protection for email clients against scripting applications abuse attacks
• New protection to protect MS Office applications from macro 4.0 abuse attacks

Stability/issues fixed:

• Fixed slowdown issues with MS Excel application
• Disabled Java shield by default
• Improved Logging capabilities
• Internal Product Improvements

 

The changes in .407 are not new. They are the same with the prevous version .400.......

1.13.1.407 =
New protection technique to block exploits from abusing MS Office and scripting applications
New technique to protect MS Office applications from loading points abuse attacks
New technique to protect MS Office applications from batch command abuse attacks
New granular protection against VBA7 process and VBE7 object abuse
New protection for email clients against scripting applications abuse attacks
New protection to protect MS Office applications from macro 4.0 abuse attacks

Stability/issues fixed:
Fixed slowdown issues with MS Excel application
Disabled Java shield by default
Improved Logging capabilities
Internal Product Improvements
--------------
1.13.1.400 =
New protection technique to block exploits from abusing MS Office and scripting applications
New technique to protect MS Office applications from loading points abuse attacks
New technique to protect MS Office applications from batch command abuse attacks
New granular protection against VBA7 process and VBE7 object abuse
New protection for email clients against scripting applications abuse attacks
New protection to protect MS Office applications from macro 4.0 abuse attacks

Stability/issues fixed:
Fixed slowdown issues with MS Excel application
Disabled Java shield by default
Improved Logging capabilities
Internal Product Improvements
https://www.wilderssecurity.com/threads/malwarebytes-anti-exploit.354641/page-160#post-3021878

 

Well I'm sure you know what I mean. I remember that MBAE used to be a freeware product, but now they give away the Premium version for free, eventhough they have integrated exploit protection into Malwarebytes Premium that you have to pay for. But you won't hear me complain, I think it's a pretty good tool.

Yes but have you seen how user unfriendly it is? Just like Windows Defender and Windows Firewall, it has a horrible interface. This is exactly why people are using tools like WFC and DefenderUI.

 

No, should i? at least it works, is not intrusing and working like charm.

you mix up two things, Microsoft Defender / Microsoft Firewall and 3rd-party software.

MBAE is 3rd, WFC is using Microsoft Firewall API and DefenderUI is just another UI for Defender settings.

PS
MBAE gets from paid to perpetual beta software with no fee, because they had it integrated into MBAM. either you pay for MBAM with a lot of unneeded features because MS Defender has it all, or you run it for free which means a blown product, the outdated v2.21 still gets signatures for a second scan opinion and i dont see any disadvantage for using it this way. In fact MBAM is not that goog as Defender and MBAM has not the same ability like adwcleaner which is more specific to find adware in system and special files, registry and more, MBAM cant do this in same way. jmy2ct

 

So far, HMPA and MBAE are working like a charm too. And no, I didn't mix anything up, that's why I mentioned WFC and DefenderUI and not MBAE because I know it's third party security and not a frontend for baked in security for Windows. I believe HMPA and MBAE are most likely a bit more advanced when it comes to blocking exploits and they are way easier to configure.

 

Malwarebytes Anti-Exploit Beta 1.13.1.415 (October 6, 2021)
Release Notes
Download: https://downloads.malwarebytes.org/file/mbae

 

@1PW ,
Few minutes ago, MBAE updated from 1.13.1.407 to 1.13.1.415.
With the latest version, it's not possible to open any PDF file. See also the attached screenshot (Adobe Reader warning & MBAE UI / Adobe Reader Preferences).

In order to open the PDF, I have to deactivate the shield for acrord32.exe

 

@1PW ,
Further to the above mentioned bug (Adobe Reader),
also Brave and Vivaldi browsers not open at all!
Once again I have to deactivate the shields for brave.exe and vivaldi.exe!

1.13.1.415 is the worst version ever, back to the .407........


Also here=
MBAE 415 - Acrobate Reader and Firefox do not start/hang
https://forums.malwarebytes.com/topic/279623-mbae-415-acrobate-reader-and-firefox-do-not-starthang/

 

Anon, what OS are you using?

 

Windows 10 Pro x64, 21H1 (19043.1266).

 

Hello @anon

The MBAE Beta Technical Program Manager/Forum Manager are definitely aware of the v1.13.1.415 issues based on the postings you mentioned above. I have supplemented with private messages to Malwarebytes management regarding the additional remarks here.

Thank you.

 

So what is the difference between HItman Pro / MBAE / Windows 10 exploit protection? Cuz I don't see why use a program whose functionality is included in W10

 

Hello @Floyd 57

As far as I am aware, the HitmanPro standalone application itself does not have a real-time Anti-Exploit comparison to Malwarebytes Anti-Exploit or lesser Windows 10 protections. Did you mean another Sophos product instead?

Some folks prefer to use the free Malwarebytes Anti-Exploit (MBAE) Beta instead of installing Malwarebytes for Windows Premium to mediate the continuing shortcomings of Windows.

What is Exploit Protection

HTH

 

Thank you 1PW!

As far as I can see, the Malwarebytes staff keeps radio silence there =
https://forums.malwarebytes.com/topic/279623-mbae-415-acrobate-reader-and-firefox-do-not-starthang/

 

That's why it's called a "Beta".

To test a new anti-malware release before it gets rolled into Malwarebytes Premium.

 

It works.

 

I meant Hitman Pro Alert yeah

 

Windows 10 already contain an anti-exploit modul within defender. you can set exclusions but at least you try to load two AE modules in any program. does not make sense.
https://www.microsoft.com/security/...tack-surface-against-next-generation-malware/

 

Malwarebytes claim that their security is superior to EMET, which as far as I know is an inferior version of windows 10 exploit protection. So who's better? I don't know really, they are incredibly vague in their description. The best one can get is:

I deleted the irrelevant parts of the above quote

Layer 1 - already default On for ALL programs in windows 10




Whether MBAE has smth extra on top of those in Layer 1 it's impossible to tell without manually testing all kinds of exploits against the two (mbae and w10 exploit protection) or seeing the code obviously, which obviously they won't release. But at least W10 is transparent in what it provides, although obviously the implementation and to what level the security works is a whole another topic, like just because both provide DEP doesn't mean one's implementation of DEP isn't better, making it better than the other. Although I am not sure if it works that way or not. Could just be one and the same implementation regardless.

Layer 2 "This protection layer incorporates multiple memory techniques to prevent exploit code from executing from memory." well from w10 EP High-entropy ASLR fits that description, not sure what else. But technically High-Entropy ASLR could have multiple "stuff" that works for it, aka Layer 2 could be the same thing but for all we know Malwarebytes could just be turkish-delight stretching the words to fit the narrative. So what is what, impossible to tell if u're not into this kind of stuff, and there seems to be no "exploit devs" over here.

Layer 3 - This sounds a bit like what appguard does with its Guarded apps, aka it does not let em write to system space. But in case of MBAE, since each application is carefully analysed and adjusted for, it probably only lets them write to their own place, aka browser to the user data and the downloads folder, office only to where the file is saved etc. A good protection indeed. I personally think it's useless for a browser as a home user, i mean chance u visit a 0 day exploit if ur browser has the latest version is close to 0, u prob have more chance of winning the lottery. Probably. But for stuff like MS Office it's a really good protection because for example if u download malicious file with macros and stuff this "exploit protection" will prevent it from writing or starting processes such as cmd and powershell etc. essentially rendering the malware useless. Assuming that what i'm speculating about this Layer 3 is right. However I did read that having both W10 EP and MBAE is bad as they fight each other, so not sure how MBAE solved that, as i don't use it and their FAQ is garbage. And Layer 0 just sounds like adjusting some settings here and there, so nothing u cannot do by hand probably if u know what needs to be adjusted. Like enabling site isolation for browser that is not updated to latest version etc. Such stuff.

So this sums up my speculation on what MBAE does, essentially something like Appguard but with extras as Appguard does not prevent exploits with "techniques" but instead it prevents exploits by Guarding them thus restriction their privileges and permissions. I had the same setups back in the days with Excubits Memprotect and Pumpernickel.

That said, if u go to program settings u can see ALL those exploit protections:

Spoiler

Now as you can see, that's a lot of exploit protections, leaving plenty for Malwarebytes Team to stretch upon their layers with cool sounding words so us mortals who do not understand anything at all will think it's some godlike product, when in fact the truth could be that the only thing MBAE has over W10 EP is Layer 3 with the Restrictions once a process is hijacked Appguard-style

IN FACT, if I am not mistaken, Windows 10 is NOT open-source. So W10 Exploit Protection is NOT open-soource. So maybe malwarebytes did the same stuff like W10 EP but they just don't know it as they cannot check the code of W10 EP, and maybe Microsoft doesn't know that Malwarebytes did the same stuff as W10 EP because they cannot check Malwarebytes' code either, since both W10 EP and Malwabytes are not open-source. And maybe they each have smth that the other one doesn't, maybe they are the exact same, maybe one is strictly inferior, maybe one is mostly inferior but has something extra up its sleeve, who knows? We won't until they go open-source really. The only thing I know is that if MBAE's Layer 3 is what I think it might be (appguard-like defences once a process is hijacked), then it might have something going for it.

 

Further to the mentioned bugs, the latest version (1.13.1.415) comes with some new (and weird) changes:
In "Settings", a new option "Enable Debug Logging" it is already enable by default. If you disable it, with next reboot auto enables once again.