EMET, MBAE, and HMP.A

Discussion in 'other anti-malware software' started by J_L, Nov 17, 2014.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    That sounds a bit ridiculous. Just for your information, I'm active in a lot of threads of products that I will probably never use, but I still think it's interesting to know how they work, if they work correctly, and if they can be improved. To give an example, I came up with new protection ideas for EIS and VoodooShield, two apps that I don't plan on using.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I have also thought about this setup, because to be honest, I'm not into yearly fees. In theory, MBAE and EMET should not conflict, because they inject code only into protected apps. HMPA can be a problem; on the other hand, the free version should only scan browser memory for malicious modification, it should not apply exploit protection.
     
  3. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The free version only scans browser memory and monitors injection INTO browser memory. No exploit mitigations in free version.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Rasheed, I appreciate you are interested in how some of this software works, so am I, but if I am interested enough, I install it and take a look. I am sure some vendors welcome your questions, others might not, but wouldn't publicly say so for obvious reasons. Again, that is their call. I am a volunteer here, and gladly help those who need help if I can.

    But if you ask me questions that you could answer in the same time it would take me, by installing a trial, but don't want to do that, then I can see no reason for wasting my time, and frankly that is what it would be.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ Peter2150

    First of all, I forgot to mention that I'm on an old machine where I don't have any testing options. Secondly, I think you already know why I asked you to test it again, it's because some other member said that AG failed to protect against "process hollowing", so it would be beneficial to you and other users, to recheck if you didn't draw the wrong conclusion.

    I don't see that as a waste of time. Of course that's your call. But in the time you type stuff like "test it yourself", and "you're not a user or potential buyer", you could have already posted an answer to my question, assuming that you do use VM's.

    And I'm not sure why it's even relevant to question whether developers appreciate my questions or not, this is not a popularity contest. Like I said before, I like to come up with feedback, in the form of ideas and sometimes constructive criticism, with the goal of improving products. Even when I'm not actually using the product. I might sometimes even step in and explain stuff to "confused" users of certain products, as you may already know.
     
    Last edited: Nov 21, 2014
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes I know, but what I meant is: if MBAE and HMPA both inject code (for protection) into certain processes, I can imagine they might start to conflict. Even HMPA v2 which didn't offer exploit protection conflicted with MBAE. But I guess it's a matter of you guys working together to avoid conflicts.
     
  7. What do you mean by 'injections into browser memory'?
     
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Banking trojans inject themselves into browsers. But also many AVs, adblockers (e.g. Ad Muncher) or toolbars (e.g. Bingbar) inject anonymously into browsers. Also mouse drivers and graphics drivers place code hooks in browsers.

    Hope this helps.
     
  9. Well, just trying to figure out what type of injections, so you are talking about DLL injections and code hooks being set?

    HMP does heuristics and checks against the cloud (Kaspersky and Bitdefender). Does HMPA also take a snapshot of loaded DLLs and check all non-Microsoft and non-Chrome DLLs (or Firefox, whatever the browser) to see whether they are safe, sort of like what Process Explorer does with VT?
     
    Last edited by a moderator: Nov 23, 2014
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    No, Alert does not check those. It's all behavior detection in Alert. This doesn't mean it will not check against signatures in the future.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    The way I understand it: HMPA checks for modifications to certain browser modules (.dll files) in memory. It does this on start of the browser, but also in real-time when the browser is running. So no matter if the system is already infected, or will be infected by malware that injects code, it will alert anyway.

    Would that add anything to current detection methods?
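    The "code hooks in browsers" erikloman describes and the in-memory module checks Rasheed187 summarises can be illustrated with a small added example. This is not code from the thread, from HitmanPro.Alert or from MBAE; it shows the defender-side idea only: record a baseline of each exported function's first bytes (its prologue) when a module is loaded, re-read them later, and report any entry point that now begins with a control transfer. The module name, export names and all byte strings are constructed sample data, and the process-memory reads a real product would perform through OS APIs are replaced here by in-memory byte strings.

```python
"""Added example: baseline-and-recheck of function prologues in a loaded
module, the kind of in-memory hook detection discussed in the thread.
Not code from HitmanPro.Alert or MBAE; all sample data is constructed."""
from __future__ import annotations

from dataclasses import dataclass

PROLOGUE_LEN = 8  # number of bytes compared at each entry point


@dataclass(frozen=True)
class HookFinding:
    module: str
    function: str
    kind: str        # trampoline pattern recognised, or "modified"
    baseline: bytes  # prologue bytes recorded at module load
    current: bytes   # prologue bytes seen at re-check


def classify_patch(current: bytes) -> str:
    """Name the control-transfer pattern at the start of the bytes, if any."""
    if current[:1] == b"\xE9":
        return "jmp rel32"                 # E9 <rel32>: classic 5-byte inline hook
    if current[:1] == b"\x68" and current[5:6] == b"\xC3":
        return "push/ret"                  # 68 <imm32> C3
    if current[:1] == b"\xB8" and current[5:7] == b"\xFF\xE0":
        return "mov eax,imm32; jmp eax"    # B8 <imm32> FF E0
    if current[:2] == b"\xFF\x25":
        return "jmp [abs]"                 # FF 25 <addr>
    return "modified"                      # bytes differ, no known trampoline


def take_baseline(exports: dict[str, bytes]) -> dict[str, bytes]:
    """Record the prologue of every export when the module is first loaded."""
    return {name: bytes(code[:PROLOGUE_LEN]) for name, code in exports.items()}


def check_module(module: str, baseline: dict[str, bytes],
                 exports_now: dict[str, bytes]) -> list[HookFinding]:
    """Re-read each export's prologue and report the ones that changed.

    A missing export is reported too (current bytes empty), since an entry
    point that can no longer be read is itself worth a look."""
    findings: list[HookFinding] = []
    for name, expected in baseline.items():
        current = bytes(exports_now.get(name, b"")[:PROLOGUE_LEN])
        if current != expected:
            findings.append(HookFinding(module, name, classify_patch(current),
                                        expected, current))
    return findings


# --- constructed demo data (not real memory dumps) ---------------------------
# Standard hot-patchable x86 prologue:
#   mov edi,edi ; push ebp ; mov ebp,esp ; sub esp,0x10
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC83EC10")


def run_demo() -> list[HookFinding]:
    module = "wininet.dll"  # hypothetical target module for the demo
    # 1. Browser starts: snapshot the exports we care about.
    at_load = {
        "HttpSendRequestA": CLEAN_PROLOGUE,
        "InternetReadFile": CLEAN_PROLOGUE,
        "InternetConnectA": CLEAN_PROLOGUE,
    }
    baseline = take_baseline(at_load)
    # 2. Later re-read: two entry points have been overwritten in memory.
    later = {
        "HttpSendRequestA": bytes.fromhex("E9EFBEADDE") + CLEAN_PROLOGUE[5:],   # jmp rel32
        "InternetReadFile": CLEAN_PROLOGUE,                                       # untouched
        "InternetConnectA": bytes.fromhex("6800104000C3") + CLEAN_PROLOGUE[6:],  # push/ret
    }
    return check_module(module, baseline, later)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.module}!{f.function}: {f.kind} "
              f"(was {f.baseline.hex()}, now {f.current.hex()})")
```

    A finding is a signal for review rather than a verdict: as erikloman notes, antivirus products, adblockers, toolbars and drivers place hooks in browsers too, so a real product has to decide per hook whether the patch belongs to trusted software before alerting.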
     
  12. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    So, what then: did AppGuard, Exe Radar Pro and EIS fully protect your computer system 100% or not, and on which Windows did you test and how?
    And what is EIS BB? I know that EIS is Emsisoft Internet Security, but what is "BB"?
    Also, did you test properly configured Sandboxie 4.14 against these exploits?
     
    Last edited: Dec 16, 2014
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Tested in VPM using the exe the email served up disguised as a doc file.

    1. Sandboxie didn't stop it, but it did contain it. Worked as designed.
    2. Emsisoft Internet Suite stopped it on two fronts. One as an AV and one with its Behavior Blocker.
    3. Exe Radar Pro would have stopped it, but I had to turn it off to test.
    4. Appguard appeared to do nothing, but Blueridge tested the sample and found it was benign when there was no network, which was the case when I tested, but once it sensed a network it did its thing.

    When everything was on, HMPA stopped it first. Even shut it down before it could get to the sandbox.
     
  14. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Big thanks for answers, but I do have one more question:
    So, if Sandboxie did contain all of the exploits that you tested Sandboxie against, does it mean your real system was protected, or that you had suffered consequences like data theft? What exactly happened, was your real system plus session passwords and data compromised?
    What exactly was compromised when you tested these exploits with Sandboxie?
     
    Last edited: Dec 16, 2014
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Don't know. Not sure what that thing did, other than it did modify svchost.exe. My regular sandboxes protect my data as I restrict those folders from access. Also I used to allow Firefox to access profile stuff while sandboxed. Can a memory-type malware use the browser somehow? Maybe, but that is why I am also running Appguard and Hitman Pro Alert.

    Pete
     
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I don't want to use HitmanPro.Alert until I see the version 3 final coming out
     
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Did MBAE pass all of those tests or not?
     
  18. I know some people have slow browser starts with Emet's EAF+ enabled.

    Competition is great for consumers. After the spectacular performance increase of MBAE 1.05, HMPA build 125 just reduced browser load time by 50% (so twice as fast as earlier builds). Tested with AppTimer, average of 10 runs: Chrome 39 on Windows 7 (with uBlock as the only user-installed extension, disabled some invisible Chrome extensions with unhackmefree)

    No anti-exploit = 0,30
    MBAE 1.05.1.1016 = 0,39
    HMPA 3.0.21.125 = 0,45
    EMET 5.1 = 8,1

    Well done :thumb: Everything below 0.5 feels instant, so MBAE is a tad faster, but HMPA also breaking the 0.5 sec barrier really makes a difference (okay, I own a Ducati and a Laverda, so I am biased when it comes to speed).
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Didn't test it since I am not using it.

    Pete
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ Windows_Security

    Do you use a SSD? I think it will speed up loading even more, but I may be wrong.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK, so both EIS and AG were able to stop "process hollowing", pretty cool.
     
  22. Yes 60GB SSD for programs, 1 TB disk for data
     
  23. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Interesting, I've thought about the same config, but I decided to do some testing first using the HMPA tool, which I renamed to firefox.exe so MBAE would hopefully detect it as a browser. All mitigations enabled in EMET (except ASR) when testing only EMET. If I protect the real Firefox, EMET detects SimExecFlow when MBAE is also active, so for a realistic test of the test tool SimExecFlow is disabled. In fact, running the test tool with MBAE+EMET incl. SimExecFlow will cause a conflict no matter what you try, including the non-exploit method to start calculator, so that mitigation needs to be disabled.

    http://postimg.org/image/4v1klhp11/

    Conclusions from this test:
    - Bad to have both MBAE and EMET protecting the same app
    - Best result: EMET

    I then started thinking about the independent test ordered by Malwarebytes that compared MBAE, EMET and others and where MBAE was much better than EMET. Given my own recent test result there must be some explanation for this. Looking closer at the exploits that failed for these two I realize they're all Java exploits. Since I and many others don't use Java it's interesting to note that the result would be 100% pass for both MBAE and EMET if the Java exploits were excluded, instead of the reported 93% for MBAE and 74% for EMET.

    Unless someone can find a reason why I shouldn't trust my test results I'll go back to only use EMET for exploit detection and wait for the final and public version of HMPA 3.
    The biggest difference as I see it is that the HMPA Test Tool tests many exploit techniques while the MBAE tests focus on exploit kits, which may be redundant as stated for another test by tester Kafeine:
    So after reading this, are you any wiser or only more confused? ;)
    Tested on a 32-bit system
     
  24. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Actually, the mentioned results are based on an older build of the Exploit Test Tool. E.g., MBAE and EMET should not have blocked any of the Heap Spray tests. Also, EMET should not have blocked the 'ROP - VirtualProtect via CALL gadget' test.
    The current version of the Exploit Test Tool is 1.4 and was updated to prevent security tools from blocking the technique with the wrong mitigation. Exploit Test Tool 1.4 also offers additional tests, like 'ROP - CALL preceded VirtualProtect()', Anti-VM and Lockdown. It also allows you to detonate exploit techniques in a custom target application, like e.g. Firefox. This makes it a lot easier to test other security products as well, incl. antivirus software that say they also protect against exploits.

    Exploit Test Tool 1.4 is available in the HitmanPro.Alert 3 build 120 package:
    https://www.wilderssecurity.com/thre...iscussion-thread.324841/page-114#post-2433635
     
  25. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Thanks for that explanation, Mark! I should've searched for the latest version and not used the link posted in this thread :(

    So do I feel like doing all tests one more time?! I'll have to think about it
     