Malwarebytes Anti-Exploit 0.09.3.1000

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Aug 9, 2013.

Thread Status:
Not open for further replies.
  1. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    Here's some more information, which may (or may not) be useful to you about my recent issue of MBAE 9.3 "ignoring" its exclusion list.

    For what it's worth, my IE10 has crashed 3 times in the past two days since I updated MBAE to 9.3. I'm not saying that MBAE was necessarily the cause... it may be completely coincidental. Event Viewer asserts the faulting modules as being ntdll.dll, comctl32.dll, and mshtml.dll in these 3 instances.

    Since my IE had been relatively stable until just recently, I decided to test things (temporarily??) by reverting back to MBAE 9.2.1200. The exclusions data file that was updated under version 9.3 survived the uninstall (9.3) / reinstall (9.2) process... and when I then accessed Lotus iNotes this morning, it did NOT object to the .dll file there!

    Expressed differently: while I could not create the exclusion under version 9.2, 9.2 WAS able to acknowledge/use the exclusion created via 9.3.
    In contrast, while 9.3 allowed me to create the exclusion, 9.3 itself was unable to acknowledge/use it!

    Does that tell you anything useful?

    UPDATE: When I tried again this afternoon, 9.2 likewise "overlooked" the exclusion, and blocked the iNotes .dll. Most perplexing.
     
    Last edited: Aug 11, 2013
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    My log never shows more than one entry. It also is being cleared every time IE9 starts. It appears the log is never updated after the initial IE connection after a boot. Mine shows one log entry for the first time I started IE.

    I installed ver. 0.09.3.1000 yesterday after not using this software for a while. The first time I accessed anything that uses WIN Explorer on WIN 7 x64 SP1, WIN Explorer crashed and took the MAE toolbar icon with it. The only way to restore it was a reboot, and the icon's appearance has been fine afterwards.

    My main issue presently is that every time I boot, I am getting a 4" x 4" block on my desktop that quickly appears and then disappears. No idea what it displays, but it has to be related to MAE since it didn't exist prior to its install. A bit disconcerting nonetheless.

    Also, why is MAE's hidden .sys driver stored in its x86 programs folder and not in the WIN driver folder?

    Why does this software use a WIN 7 scheduled task at user logon?

    Uninstalled again.
     
    Last edited: Aug 11, 2013
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    I think this might have to do with how Notes uses the filesystem. We'll have to run some tests to see why this is happening.
     
  4. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    You mean total of one entry for ALL apps or only one entry per application per reboot? If you mean one entry per application every time you open and close and open the same application, then it is expected behavior.

    This is also normal and expected. MBAE runs and immediately minimizes itself to the traybar. This is a small issue during the beta as we are working on a completely new GUI for MBAE based on Malwarebytes guidelines, which will fix this and many other UI issues.

    See above, will be fixed with new GUI before the beta is over.

    See above, will be a Windows Service with the new GUI. For now it uses Task Scheduler to run under SYSTEM context after boot.
     
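    The two questions raised above (a .sys driver living under Program Files rather than the Windows driver folder, and a scheduled task that runs as SYSTEM at logon) are both things an administrator can verify directly rather than take on faith. The following is an added example, not Malwarebytes code and not part of the original thread: it lists scheduled tasks whose principal is SYSTEM with a logon or boot trigger, and kernel drivers whose image is not under System32\drivers. The folder name 'Malwarebytes Anti-Exploit' used to narrow the output is an assumption; substitute whatever the installer actually created. It uses the ScheduledTasks module, so it needs Windows 8 / Server 2012 or later; on Windows 7 the equivalent raw data comes from `schtasks /Query /FO CSV /V`.

```powershell
# Added example (not Malwarebytes code): inventory what a freshly installed
# security product registered on the machine.
#   1. Scheduled tasks that run as SYSTEM and fire at logon or boot.
#   2. Kernel drivers whose image loads from outside %SystemRoot%\System32\drivers.
# Run from an elevated prompt so every task folder and driver entry is visible.

function Get-SystemLogonTasks {
    # Tasks whose principal is the SYSTEM account and which carry a logon or boot trigger.
    Get-ScheduledTask | Where-Object {
        $_.Principal.UserId -in 'SYSTEM', 'NT AUTHORITY\SYSTEM', 'S-1-5-18' -and
        ($_.Triggers | Where-Object {
            $_.CimClass.CimClassName -in 'MSFT_TaskLogonTrigger', 'MSFT_TaskBootTrigger'
        })
    } | ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            TaskPath   = $_.TaskPath
            TaskName   = $_.TaskName
            RunAs      = $_.Principal.UserId
            RunLevel   = $_.Principal.RunLevel                # 'Highest' means elevated
            Triggers   = ($_.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
            Command    = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
            LastRun    = $info.LastRunTime
            LastResult = $info.LastTaskResult                 # 0 = last run succeeded
        }
    }
}

function Get-DriversOutsideSystem32 {
    # Kernel and file-system drivers whose binary does not live under System32\drivers.
    # Third-party products do this legitimately, but it is worth knowing which ones.
    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'
    Get-CimInstance Win32_SystemDriver | Where-Object {
        $_.PathName -and
        # Normalise the NT-style prefixes WMI reports (\??\C:\... and \SystemRoot\...)
        (($_.PathName -replace '^\\\?\?\\', '') -replace '^\\SystemRoot\\', "$env:SystemRoot\") -notlike "$driverDir\*"
    } | Select-Object Name, State, StartMode, PathName
}

# Usage: narrow both listings to the product under review by matching its install path.
# The folder name below is an assumption; adjust it to what the installer created.
$product = 'Malwarebytes Anti-Exploit'
Get-SystemLogonTasks      | Where-Object Command  -like "*$product*" | Format-List
Get-DriversOutsideSystem32 | Where-Object PathName -like "*$product*" | Format-Table -AutoSize
```

    Dropping the two `Where-Object` filters on the last lines gives the full picture of every SYSTEM logon task and every out-of-tree driver on the box, which is the more useful baseline when you are deciding whether a product's footprint is reasonable.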
  5. clubhouse

    clubhouse Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    180
    Really puzzled why a simple tray icon can't be fixed (disappearing) with this software; it's been like this since its first version... It's crazy that users have to use the task manager as admin to stop and restart a service that is in fact running to restore the icon and have confirmation that it is!
     
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Same reason as my previous post. Our efforts have been mostly in improving the engine. Before end of beta we will create a new GUI around the final engine and this new GUI won't have any of the current UI issues.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    It was this one, "only one entry per application per reboot?", but prior day entries are cleared.

    Also in the MAE GUI, the count for a given app increases based on the number of instances running, but never decreases when the app count is decreased.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Btw, can you give some more info about the new memory protection features? :)

    Do you still need to be using EMET? I mean, does it do the same as EMET, or is it different?

    Also, why isn't it offered via the Malwarebytes site?
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I also noticed this and thought it was a bit odd?
     
  10. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    Because it is Malwarebytes Anti-Exploit BETA?

    Also have a look here: Malwarebytes Anti-Exploit Help
     
  11. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    I see. We will take a look at it. Thanks for reporting.
     
  12. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    This current version includes some memory protections and we are adding quite a few more. The objective is to not need EMET as MBAE will be much more in-depth, including anti-exploit techniques at many more layers of an exploit attack than what EMET includes.

    We are building a page for MBAE within the Malwarebytes.org website. Should be up and running in a few days or weeks.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I would have thought they would have fixed this by now. I have not tried Anti-Exploit in a while, but I reported the protected app count being wrong several months ago. They said they were already aware of it. I wonder why it has not been fixed yet.
     
  14. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    I've discussed this a few times in this thread and a few more times in other threads.

    Since we will be creating a brand new GUI for MBAE following Malwarebytes guidelines, there is no reason to fix this in the current GUI, which will be a throw-away. We'd rather spend the time improving the engine and adding more advanced memory protection techniques.
     
  15. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I'll have to test a bit more, but switching accounts also resets the LOG tab. It certainly doesn't survive reboots. Awaiting new GUI and stable release for this and missing tray icon.

    Curiously, the hmpalert_update.exe blocked alert has become so rare that I haven't experienced it since that previous post.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thanks for the info! I didn't think that would be a GUI issue.
     
  17. guest

    guest Guest

    The difference is that actually EMET is able to protect any application. Will you add something like that to Anti-Exploit?

    I'm still having issues with the app autostart
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes we are thinking about it. For now it is not really an issue as all of the exploits in the wild are limited to a handful of applications (browsers, java, acrobat, word, ...) which are covered by MBAE.

    By autostart you mean the traybar icon? That will be fixed with the new GUI.
     
  19. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I have discontinued with MAE for the time being, due to problems with using Opera.

    Also, I started getting these kind of errors, while using the latest MAE beta.

    ScreenShot_DW_Opera_exception error_01.gif

    ScreenShot_DW_Opera_exception error_02.gif
     
  20. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    The objective is to not need EMET as MBAE will be much more in-depth, including anti-exploit techniques at many more layers of an exploit attack than what EMET includes.

    As MBAE's creator, you certainly can proceed however you wish... however you deem best.

    However, if I am correct that there is a significant... and growing... base of EMET users/fans, it would seem prudent to me that you would want MBAE to be compatible with, and nicely supplement, EMET, rather than try to displace it. Just my opinion, for whatever it's worth.
     
  21. @ky331

    I am afraid MBAE needs input to determine whether an exploit attempt is done by a program, so this input would cause overlap with EMET's sensors (hooks/code) anyway. So from a coding perspective a replacement of EMET would make sense, depending on the overlap/dependency of the EMET input.

    For marketing reasons it would also make sense, for example "MBAE does protect against exploits, including the EMET blocks, and the advantage of central system management reporting". These reports are sometimes required for companies to conform to audit/trailing regulations for critical society functions/infrastructure.
     
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Upgrading to the latest Opera seems to fix these issues.

    In regards to the error, it seems like a message from DefenseWall. Do you still get the same errors without DefenseWall? Can you whitelist/exclude MBAE from DefenseWall?
     
  23. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, EMET is great but there is a very large userbase without technical knowledge where configuring EMET correctly might be an impossibility for them. Also for convenience and usability MBAE is much easier to use. Finally we want to build MBAE to include more protections in different layers where EMET doesn't go into.

    But I do agree that with technical audience and companies there is a need for both MBAE and EMET to coexist and complement each other. It is for this reason that we are thinking of possible MBAE configuration options to allow EMET to coexist. We are still building this part of the engine so it's still not even in the public beta version.
     
  24. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I don't think DW is the problem, since in another snapshot I am still using MBAE v0.9.2.1200 and I use two versions of Opera, regularly.

    I opened each successively, a few minutes apart, and each time MBAE listed the protection.

    Firstly, Opera v11.64

    ScreenShot_MBAE_v9.2 beta_Opera_01.gif

    Secondly, Opera v12.15

    ScreenShot_MBAE_v9.2 beta_Opera_02.gif
     
  25. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Finally caught it, but creating an exclusion makes a blank entry without Hash or File Path, because hmpalert_update.exe is a temporary file. Even "Remove Exclusion" is blanked out on selection.
     
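    The blank exclusion described above is the predictable result of trying to exclude a file that no longer exists: an exclusion keyed on hash and path has to be built while the image is still on disk. The following is an added example, not Malwarebytes code and not part of the original thread: it polls for a short-lived process by name, and the moment it appears reads the image path from the process object and hashes it while the process still holds the file open, so you have the path, SHA-256 and signer to hand when you create the exclusion afterwards. The process name 'hmpalert_update' is taken from the post; the record layout, the poll interval and the output file name are assumptions for illustration. `Get-FileHash` needs PowerShell 4 or later.

```powershell
# Added example (not Malwarebytes code): capture path and SHA-256 of a short-lived
# process image while it is still running, so a hash/path based exclusion can be
# built even though the file itself is temporary. Record layout is an assumption.

function Get-TransientImageRecord {
    param(
        [Parameter(Mandatory)][string]$ProcessName,   # image name without .exe, e.g. 'hmpalert_update'
        [int]$TimeoutSeconds = 120,                  # how long to wait for the process to show up
        [int]$PollMs = 200                           # poll interval; short so a brief updater is not missed
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        # The process object exposes the image path; grab it as soon as the process exists.
        $proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($proc -and $proc.Path) {
            try {
                # Hash while the image is still mapped: Windows normally refuses to delete an
                # executable that is running, so the file is present for as long as the process is.
                $hash = Get-FileHash -LiteralPath $proc.Path -Algorithm SHA256
                $sig  = Get-AuthenticodeSignature -LiteralPath $proc.Path
                return [pscustomobject]@{
                    Captured  = Get-Date
                    ProcessId = $proc.Id
                    Path      = $proc.Path
                    SHA256    = $hash.Hash
                    Signer    = $sig.SignerCertificate.Subject
                    SigStatus = $sig.Status              # Valid / NotSigned / HashMismatch / ...
                }
            } catch {
                # Lost the race with process exit: the file is already gone. Keep polling for the next run.
                Write-Verbose "Image vanished before it could be hashed: $($_.Exception.Message)"
            }
        }
        Start-Sleep -Milliseconds $PollMs
    }
    Write-Warning "$ProcessName did not appear within $TimeoutSeconds seconds"
    return $null
}

# Usage: start this before the activity that spawns the updater, then create the
# exclusion from the recorded Path and SHA256 instead of from the (now deleted) file.
$record = Get-TransientImageRecord -ProcessName 'hmpalert_update' -Verbose
if ($record) {
    $record | Format-List
    $record | ConvertTo-Json | Set-Content -LiteralPath "$env:TEMP\transient_exclusion.json"
}
```

    If the product in question only excludes by hash, note that an updater that is rebuilt on every run will have a different hash each time, and a path based exclusion (or none at all, with the alert simply tolerated) is the more durable choice; the signer and signature status in the record are there so you can decide that with evidence rather than by guess.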