Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I know what you mean, when it comes to HIPS I also don't like to pay a yearly fee. However, I can also understand Malwarebytes' point of view, I mean it IS protecting your PC, after all. :)
     
    Last edited: Jun 15, 2014
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ ZeroVulnLabs

    About the MBAE test by Kafeine, could you perhaps also give some info on which stage these exploits were blocked in? In other words, I would like to know which protection layer stopped the exploits. :)
     
  3. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Anyone else have this conflict between MBAE and NVT ERP?
     
  4. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Does MBAE also protect browser plugins such as Adobe Reader, Flash, MS Silverlight, etc.?
     
  5. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    813
    Sorry to burst your bubble but my 'test' machine is a quad core 770M GFX card laptop with nothing installed but Windows 8.1, Adguard, and Diskeeper. NOTHING ELSE. So when something doesn't work right on it, it's the product, not the system. There have been no tweaks done to the test machine whatsoever, and it's paid for by my work precisely to test.

    So get off your high horse and get some facts before you speak.
     
  6. henryg

    henryg Registered Member

    Joined:
    Dec 13, 2005
    Posts:
    342
    Location:
    Boston

    Too bad, Pedro Bustamante.... That is why we went with the Appguard by Blue Ridge Networks and NoVirusThanks EXE Radar Pro. Multiple systems with multiple lifetime licenses.... It doesn't get easier than that. :D
     
    Last edited: Jun 14, 2014
  7. Gobbler

    Gobbler Registered Member

    Joined:
    Jul 30, 2010
    Posts:
    270
    firefox.exe and plugin-container.exe crash with EMET's Simulate execution flow turned on; turning off Simulate execution flow corrects it.
     
  8. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    They ran together fine for me as long as I was using IE9 or Maxthon. When I launched Chrome with HMPA and MBAE 1220 it never got to my home page.
     
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Alert 2.6.5 and previous builds of MBAE worked fine together on Chrome.
    Something has changed in this new build of MBAE breaking compatibility between Alert and MBAE on Chrome.
    I will see if we can fix compatibility on our end and hopefully release an update next week.
    Thanks for reporting :thumb:
     
    Last edited: Jun 14, 2014
  10. caiusilus

    caiusilus Registered Member

    Joined:
    Feb 14, 2013
    Posts:
    35
    Location:
    France
    Thanks Erik, that's very good news :)
     
  11. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Is the protection of MBAE Shield/Application specific, or does it protect some general system stuff as well?
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I found the issue which is caused by a race condition in MBAE placing IAT hooks: IAT pointer already altered, but points to MBAE code which is not yet in place!

    The problem is not specifically related to Alert either as the exact same crash also occurs with EMET with only Caller (at same point).

    So it definitely is an MBAE issue. The fact that there was no issue between Alert and MBAE before underlines this.

    I am confident Pedro can solve this quite easily. I will send him the technical details to get him up to speed.
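    The ordering problem described in this post (table pointer already swapped, hook not yet ready) is easy to model. The following is an added example, not code from the thread, from MBAE or from HitmanPro.Alert: it simulates an import address table as a single atomic function pointer and replays, deterministically in one thread, a call that arrives between the two steps of a faulty hook installer, beside the correctly ordered installer that completes the hook's state before publishing the pointer with release/acquire semantics. All names (`iat_entry`, `hook_fn`, `install_hook_safe`, the simulate_* functions) are hypothetical, and nothing here touches real process memory.

```c
/* Added example (not from the thread): a model of the hook-installation race
 * erikloman describes. An "IAT entry" is a function pointer that a caller
 * reads and jumps through. A hook installer that publishes the new pointer
 * before the hook's own state is in place lets a concurrent caller land in a
 * hook that is not ready. All names here are hypothetical. */
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

typedef int (*api_fn)(int);

/* Constructed stand-in for the imported API the table entry points at. */
static int real_api(int x) { return x * 2; }

/* Simulated import address table: one entry, read by every caller. */
static _Atomic(api_fn) iat_entry = real_api;

/* State the hook needs before it can run: where to forward the call. */
static api_fn hook_forward_target = NULL;

#define HOOK_NOT_READY (-1)

/* The hook body. With a real hook, forwarding through a NULL or stale
 * pointer is the crash; here a sentinel is returned so the model stays runnable. */
static int hook_fn(int x) {
    api_fn target = hook_forward_target;
    if (target == NULL)
        return HOOK_NOT_READY;
    return target(x) + 1;           /* observe the call, then forward it */
}

/* What every importer does: load the table entry and call through it. */
static int call_through_iat(int x) {
    api_fn f = atomic_load_explicit(&iat_entry, memory_order_acquire);
    return f(x);
}

static void reset_table(void) {
    hook_forward_target = NULL;
    atomic_store_explicit(&iat_entry, real_api, memory_order_release);
}

/* Faulty ordering: the table entry is swapped first, the hook's state second.
 * Any call that lands between the two steps reaches a hook that cannot forward. */
static void install_hook_unsafe_step1(void) {
    atomic_store_explicit(&iat_entry, hook_fn, memory_order_release);
}
static void install_hook_unsafe_step2(void) {
    hook_forward_target = real_api;
}

/* Correct ordering: complete the hook's state, then publish the pointer with a
 * release store so that a caller's acquire load also sees that state. */
static void install_hook_safe(void) {
    hook_forward_target = real_api;
    atomic_store_explicit(&iat_entry, hook_fn, memory_order_release);
}

/* Deterministic replay of the interleaving: a call arrives between the two
 * steps of the faulty installer. Returns what that caller observed. */
int simulate_unsafe_install(int x) {
    reset_table();
    install_hook_unsafe_step1();         /* entry now points at hook_fn ... */
    int seen = call_through_iat(x);      /* ... whose state is not in place */
    install_hook_unsafe_step2();         /* too late for the caller above */
    return seen;
}

/* The same call against the correctly ordered installer. */
int simulate_safe_install(int x) {
    reset_table();
    install_hook_safe();
    return call_through_iat(x);
}

int main(void) {
    printf("unsafe ordering: caller saw %d (HOOK_NOT_READY is %d)\n",
           simulate_unsafe_install(5), HOOK_NOT_READY);
    printf("safe ordering:   caller saw %d\n", simulate_safe_install(5));
    return 0;
}
```

    The single-threaded replay stands in for the timing window that, on a real system, depends on which thread happens to call the imported function while the installer is running; the release store paired with the caller's acquire load is what makes the safe ordering hold across threads rather than only in program order.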
     
  13. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Mostly layer1 and layer2. The only exceptions were the Java exploits, which were blocked by layer3. I think Kafeine made Fiddler captures available in his blog, so you can replay them on a VM and see MBAE in action blocking those exploits.
     
  14. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    This is a good read that explains why sig-based detection of exploits is a losing bet:
    https://community.rapid7.com/commun...and-mouse-game-between-exploits-and-antivirus
     
  15. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, any browser addons/plugins are protected automatically. In the mbae log they will not show up separately. It will only say "browser protected".
     
  16. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    There is some protection for a very limited number of system components as well (winhlp32, wscript, etc.).
     
  17. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Thanks for the details, we'll take a look at it.
     
  18. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    The only thing I know is that almost nothing seems to run right on your installation, according to your multiple complaining posts, while many other people run the same 'faulty' programs without an issue on the same operating system that you are using. The problem is clearly yours.

    And congratulations for all your new degrees and titles in your signature, it must have been a very productive evening for you.
     
  19. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    813
    It's not 'my' installation, it's default Windows 8.1x. The fact is, I notice things, I test things. It's an engineer's brain to find 'stuff'. The vast majority, probably 98-99% of people, don't notice things I would notice; in fact, the vast majority probably don't notice much of anything by the looks of people these days. Not really, I was selected on Friday to become Fortinet certified by the firm I work for. WIP (Work in Progress), by the way, which means I started working on it at FortiCampus.
     
  20. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    I enjoy your posts, I find them entertaining rather than informative. I think you should start your own blog sometime or other... Not for its serious technical information or help, more for your hysterical opinions on software... Make it so :)
     
  21. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    813
    Hilarious opinions, or factual data? I only deal with facts, and I have yet to see any fact I post be shown not to be accurate. All of the WSA fanbois said I was 'seeing things' when I reported expansive bloat with WSA, and it turns out - it's been confirmed. Avira boot issues, which people disagreed with has now long been confirmed, and as more people notice, more have weighed in. I'm sorry if the facts can be painful, but it's not my responsibility to moderate the facts, just to present them. I let the spin doctors deal with that other stuff. Neophyte forums are funny beasts in and of themselves.
     
  22. m0use0ver

    m0use0ver Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    81
    Now, now, his own fall from grace has been far more epic than his prophecy of Malwarebytes falling.

    I fancy there is some solid correlation between the number of his posts and the depth of his own current fall :)
    Demise of yet another armchair expert and a new vacancy for resident self titled expert troll at Wilders coming soon...
     
  23. henryg

    henryg Registered Member

    Joined:
    Dec 13, 2005
    Posts:
    342
    Location:
    Boston
    Based on his credentials (his sig.), it appears that he is a highly skilled individual....:D
     
  24. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Vista 32-bit without HMPA... Firefox 30 can be properly launched but crashes while in use (A)... I have the same behaviour with STDUViewer added additionally (it's not on the default list) (B)
    A) [attachment: 140615092258_7.jpg]
    B) [attachment: 140615091942_6.jpg] [attachment: 140615090715_4.jpg]
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Resolved:

    "Chrome doesn't load any websites"

    MBAE is incompatible with EMET's ROP mitigations:

    [attachment: MBAE.jpg]

    Windows 7 64 bit
    EMET 4.1 + MBAE
     