Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  2. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    480
    Only regular MBAM forum members are eligible for alpha testing. It was a miss from the MBAM team to not communicate this properly. There were many requests from new members to test the alpha product after seeing the above post.
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Not true. Look closer at the announcement:

     
  4. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    480
    Well, the comment was not an attack on MBAE. I just wanted to inform fellow Wilders who were still signing up and posting requests to test the alpha product.
     
  5. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Wait, MBAE was in beta before and now it's in alpha again? Are you heading in the wrong direction?
     
  6. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Perhaps it's an Alpha release of a Beta release? :D
     
  7. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    RejZoR,

    The reason why it's "regressed" to an alpha-candidate is that the code "has been completely re-architected and (now) works as a Windows Service." So basically, testing has to be restarted from scratch. As an example, version 0.10 has introduced significant EMET conflicts which were not present in previous beta versions.
     
  8. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    As @ky331 says, the architecture has been completely re-done. We will release 0.10 beta soon with this new architecture. We just want to do some alpha testing first to make sure everything is running smoothly since it introduces so many internal changes.

    Having said that, the protection engine is exactly the same as it is in the current 0.09.5 beta.
     
  9. drhu22

    drhu22 Registered Member

    Joined:
    Aug 21, 2010
    Posts:
    585
  10. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    I am confused. MBAE should start automatically with Windows once it's installed. Just to make sure, you aren't talking about letting MBAE-Test start with Windows, are you?
     
  11. drhu22

    drhu22 Registered Member

    Joined:
    Aug 21, 2010
    Posts:
    585
    On my PC, mbae.exe (main executable/required for protection) does not autostart, and I don't see how to make it do so through the GUI. What I used mbae-test for was to see if I had protection without the main exe running, and apparently I don't.
    What I did was force mbae.exe to autostart by putting a shortcut to it in the startup folder.
    This is version 0.09.5.1000.
     
    Last edited: Feb 10, 2014
  12. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    I have found an issue with the 0.10 alpha and Chrome (XP 32). With everything in my signature disabled and on Incognito mode with no extensions, MBAE blocks Chrome always when closing and frequently when opening it too.

    Maybe it's the same problem that has been noted in this thread, but the poster there doesn't give any details about which version he is running:

    https://www.wilderssecurity.com/showthread.php?t=359851
     
  13. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    drhu22,

    in mbae 0.09.5 (and earlier), the program is started as a SCHEDULED TASK. Have you checked your Task Scheduler to see if it is listed there? More importantly, you should check the mbae-default.log to see if it contains lines such as:

    The Malwarebytes Anti-Exploit task scheduler has been successfully created

    Malwarebytes Anti-Exploit Driver Installed successfully

    Malwarebytes Anti-Exploit Driver is running

    Starting Injection with: C:\Program Files\Malwarebytes Anti-Exploit\MBAE.dll

    DLL Injection has been successfully started C:\Program Files\Malwarebytes Anti-Exploit\MBAE.dll


    ====================================

    EDIT/Remark: Starting with version 0.10, it replaces the Scheduled Task with a Startup Program (plus a Service).
     
    Last edited: Feb 10, 2014
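Added example (not part of the original thread and not Malwarebytes code): a small Python check that scans the text of an mbae-default.log for the startup lines ky331 quotes above, plus the "has not been created" line reported later in this thread. The function names and both sample logs are constructed for illustration, and lines are matched by substring because the thread does not show the log's exact line format.

```python
"""Check an mbae-default.log for the startup lines quoted in this thread."""

# Milestones in the order the post lists them. Matching is by
# case-insensitive substring so any per-line prefix is tolerated
# (an assumption: the thread does not show the full line format).
MILESTONES = [
    ("task", "task scheduler has been successfully created"),
    ("driver_installed", "Anti-Exploit Driver Installed successfully"),
    ("driver_running", "Anti-Exploit Driver is running"),
    ("injection_started", "Starting Injection with:"),
    ("injection_ok", "DLL Injection has been successfully started"),
]
# Explicit failure line reported later in the thread.
FAILURES = {"task": "task scheduler has not been created"}

def check_startup(log_text):
    """Return {milestone: 'ok' | 'failed' | 'missing'} for one log."""
    lines = [ln.lower() for ln in log_text.splitlines()]
    report, cursor = {}, 0
    for key, needle in MILESTONES:
        hit = next((i for i in range(cursor, len(lines))
                    if needle.lower() in lines[i]), None)
        fail = FAILURES.get(key)
        if hit is not None:
            report[key] = "ok"
            cursor = hit + 1  # later milestones must come after this one
        elif fail and any(fail.lower() in ln for ln in lines):
            report[key] = "failed"
        else:
            report[key] = "missing"
    return report

def problems(report):
    """Milestones that did not complete, in startup order."""
    return [key for key, status in report.items() if status != "ok"]

# Constructed sample: the five lines exactly as quoted in the post.
HEALTHY_LOG = r"""The Malwarebytes Anti-Exploit task scheduler has been successfully created
Malwarebytes Anti-Exploit Driver Installed successfully
Malwarebytes Anti-Exploit Driver is running
Starting Injection with: C:\Program Files\Malwarebytes Anti-Exploit\MBAE.dll
DLL Injection has been successfully started C:\Program Files\Malwarebytes Anti-Exploit\MBAE.dll"""

# Constructed sample: same log with the task line replaced by the failure line.
FAILED_TASK_LOG = HEALTHY_LOG.replace(
    "has been successfully created", "has not been created")

if __name__ == "__main__":
    for name, log in (("healthy", HEALTHY_LOG), ("failed task", FAILED_TASK_LOG)):
        print(name, check_startup(log), "problems:", problems(check_startup(log)))
```

A "missing" result means the line never appeared after the previous milestone, which also covers a truncated log or lines that appear out of order.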
  14. drhu22

    drhu22 Registered Member

    Joined:
    Aug 21, 2010
    Posts:
    585
    I checked taskmanager, and that seems to be where the problem originates. As for the lines in mbae-default.log... they look OK I think... it seems my workaround (shortcut in startup folder) is working. I guess I have to go troubleshoot taskmanager now... thanks for pointing me in the right direction!

    PS: I attached the log if you want to have a look
     

    Last edited: Feb 10, 2014
  15. drhu22

    drhu22 Registered Member

    Joined:
    Aug 21, 2010
    Posts:
    585
    Woops I meant task scheduler...
     
  16. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    drhu22,

    I see your log indicates:

    The Malwarebytes Anti-Exploit task scheduler has not been created


    Hopefully, ZeroVulnLabs will see this and look into the matter for you.
     
  17. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Hi vojta,

    can you please PM or email me the logs in your %AllUsersProfile%\Malwarebytes\Malwarebytes Anti-Exploit directory?

    As for the other issue you noted, I think this is the same user that posted in our forum he was running 0.09.5.0250. Upgrading to the latest publicly available 0.09.5.1000 solved his problem according to him, so it's probably not related to your issue.
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    It seems either you have TaskScheduler disabled or you're running MBAE in LUA mode so it is not able to create the TaskScheduler entry.

    If you PM me an email address I can send you the 0.10 alpha version which works as a Windows Service instead of via TaskScheduler so we can test if that one works better for you.
     
  19. guest

    guest Guest

  20. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    It's good that there are new anti-exploit products coming to market, it shows there is a need that is not being filled by traditional security products. Looking forward to actually testing the product. This one seems like a copycat of EMET which activates various OS protections, although with some improvements. The important thing however is not the number of activated techniques but the detection logic which applies those techniques, as many individual techniques can and have been bypassed.

    MBAE, as you know, takes a different and proven approach to blocking exploits than EMET and this is not reflected in the comparison. For example, in addition to memory protections MBAE also has other protection layers which look at application behavior and which prevent exploits even when there are bypasses for those memory protections or sandbox escapes.

    Many things shown as negatives on the table we do internally or using other methods not reflected in the table, like for example the per process mitigation. The fact we internally fine-tune and apply our techniques per process means it is a benefit (instead of a negative) in terms of stability, compatibility and provides the best protection for that specific application, as opposed to applying standard mitigations which can cause incompatibilities such as the known EMET issues. It also means end users who are not experienced vulnerability researchers might turn off important mitigations or not turn on the correct ones for a specific application. Also there are some incorrect statements in the table and irrelevant ones when comparing exploit mitigations (the last 6 or so).
     
  21. wojtek

    wojtek Registered Member

    Joined:
    Jan 5, 2014
    Posts:
    33
    Are there any preliminary plans/roadmap or so for when the first regular version of MBAE will be released?
     
  22. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,907
    Location:
    Slovenia, EU
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    I would like to check this as well, but unfortunately there's no shared PoC. If one becomes available we'll test it and post results here.
     
  25. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Btw Java exploits ITW are bypassing EMET every day, that should be much more worrying:

    EMET 4.1 Bypass.png
     