Malwarebytes Anti-Exploit 0.09.3.1000

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Aug 9, 2013.

Thread Status:
Not open for further replies.
  1. SnowFlakes

    SnowFlakes Registered Member

    Joined:
    Jun 29, 2011
    Posts:
    194
    It takes such a long time to scan with Malwarebytes.
    I tested with some other AV software and it didn't take a long time, but with Malwarebytes all I can say is that the scanning is so slow.
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    You're in the wrong thread, this is a different product. Here's the right one: https://www.wilderssecurity.com/showthread.php?t=345076
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    No conflicts with WSA.
     
  4. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    Still not working properly with WSA.
     
  5. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    What versions of MBAE and WSA are you running?

    I know that when ZVL was acquired by Malwarebytes and MBAE started using the Malwarebytes digital certificate instead of ZVL's, the old conflicts with WSA started again. But Joe took care of that about a month or two ago and the latest WSA was reported as playing well with MBAE again.
     
  6. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    Running MBAE 9.3.1000 and WSA 8.0.2.174.
    If I fire up IE it will log IE is protected. If I then open FireFox, no log message for FireFox being protected.
     
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Try this: fire up both IE and Firefox (and any other program you may have in the list of MBAE shields). Once they are all open, use ProcessExplorer and search for mbae.dll. You should get an entry for every program that is supposedly shielded. If you are missing an mbae.dll injected into one of the processes where it should be injecting to, let me know which ones.

    Thanks!
     
  8. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    I fired up, in order, IE10, Firefox, Foxit Reader. Only Foxit Reader appears in log tab.
    I don't see mbae.dll at all using ProcessExplorer. I can save the file and send it to you if you want (need your email address).

    Mbae-default:
    2013-09-26 16:48:31 - The Malwarebytes Anti-Exploit task scheduler has been successfully created
    2013-09-26 16:48:32 - Malwarebytes Anti-Exploit Driver Installed successfuly
    2013-09-26 16:48:32 - Malwarebytes Anti-Exploit Driver is running
    2013-09-26 16:48:32 - Starting Injection with: C:\Program Files\Malwarebytes Anti-Exploit\MBAE.dll
    2013-09-26 16:48:32 - DLL Injection has been successfully started C:\Program Files\Malwarebytes Anti-Exploit\MBAE.dll
    2013-09-26 16:49:29 - 0 (1492)explorer.exe (1644)Foxit Reader is now protected

    Windows 7 Ultimate, 32 bit
    No add-ons in Firefox
    Tracking Protection Lists installed in IE10
     
    Last edited: Sep 26, 2013
  9. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,345
    Location:
    Italy
    Is it possible to operate MBAE with Pale Moon and Comodo Dragon?
    Thanks.
     
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    @Thankful, this might be a basic thing, but just to make sure: the DLL will not simply show up in Process Explorer. You have to use the search function within Process Explorer. This is what you did, correct?
     
  11. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    No. I have no experience running process explorer, so the more detailed instructions you can give me, the better. I will run again and let you know.
     
  12. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    I ran MBAE and fired up, in order, IE 10, Firefox, Foxit Reader. I ran Process Explorer and under "Find" in the menu bar, entered "mbae.dll" and clicked on "search".

    Results:
    System 4 File C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
    Foxit Reader.exe 924 DLL C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll

    Only Foxit Reader appears in log tab of MBAE as protected.
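
Added example, not part of the original thread: the Process Explorer search for mbae.dll described in the posts above, done from PowerShell so the result can be saved and compared between runs. The process names `iexplore` and `firefox` and the helper name `Test-ModuleLoaded` are assumptions; `Foxit Reader` and `mbae.dll` are taken from the search results quoted above.

```powershell
# Added example (not from the thread): report whether the shield DLL is
# loaded in each application that is expected to be protected.
$dllName  = 'mbae.dll'                              # module name from the thread
$shielded = 'iexplore', 'firefox', 'Foxit Reader'   # assumed process names

function Test-ModuleLoaded {
    # Hypothetical helper: returns 'Loaded', 'Missing' or 'Unknown'.
    param(
        [System.Diagnostics.Process]$Process,
        [string]$ModuleName
    )
    $mods = $null
    try { $mods = @($Process.Modules) } catch { }
    # Every readable process lists at least its own image, so an empty list
    # means the modules could not be read (insufficient rights, or a 32-bit
    # PowerShell looking at a 64-bit process), not that the DLL is absent.
    if (-not $mods -or $mods.Count -eq 0) { return 'Unknown' }
    $names = $mods | ForEach-Object { $_.ModuleName }
    # -contains is case-insensitive, so MBAE.dll and mbae.dll both match.
    if ($names -contains $ModuleName) { 'Loaded' } else { 'Missing' }
}

foreach ($name in $shielded) {
    $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) {
        Write-Output ("{0}: not running" -f $name)
        continue
    }
    foreach ($p in $procs) {
        Write-Output ("{0} (PID {1}): {2} {3}" -f $p.ProcessName, $p.Id,
            $dllName, (Test-ModuleLoaded -Process $p -ModuleName $dllName))
    }
}
```

Run it from an elevated prompt after opening every shielded application; a `Missing` line for a running process corresponds to the case reported in this thread, where the application starts but the DLL is never loaded into it.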
     
  13. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    I just installed the latest WSA and MBAE under your same system specs and they both seem to play together nicely. MBAE is able to protect all the apps I opened.
    ScreenHunter_02 Sep. 29 19.53.jpg

    Maybe you should try re-installing WSA (download the latest if you don't have it) and/or MBAE to see if that solves the issue.
     
  14. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    OK. I will load MBAE first and see if that makes a difference. Thanks.
     
  15. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    MBAE is working fine without WSA AV. Added WSA AV, MBAE no longer working.
     
  16. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    I found the source of the (my) problem. If IE and Firefox are set to "protect" under WSA-> Identity & Privacy -> Protected Applications (Advanced), MBAE does not work properly. If IE and FireFox are set to "allow", MBAE works fine.
     
  17. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Thanks for the tip Thankful. From what I could gather from doing various tests based on your discovery, WSA is still blocking the MBAE protection of IE and Firefox (and probably other apps if you add them manually under WSA -> Identity & Privacy -> View/Edit Protected Apps). But it is doing so in a weird way.

    It seems that WSA's protection only blocks injections into IE & FF at the initial launch of the application. So if both WSA and MBAE are running and you open IE or FF, then WSA will block MBAE from protecting the browsers.

    However if only WSA and IE/FF are running and you then open MBAE, then WSA doesn't seem to see the injection and MBAE is able to protect both IE and FF.

    So it seems that the WSA ID & Privacy protection only works during the initial launch of the application. My recommendation until Webroot can fix the incompatibility is to disable this feature within WSA.
     

  18. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    Thanks. I ran MBAE without any AV installed and it worked perfectly so I knew the problem was with WSA. A couple of comments/questions:
    1. Will you talk with WSA regarding this issue or should I post in their forum?
    2. I believe "protect" in WSA provides malware protection for selected applications so I don't think I can set it to "allow".
    3. Their 2014 edition comes out next month (October) so I don't know how this will affect MBAE.
     
  19. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes I will, but it won't hurt if you can also post in their forum.

    I believe it applies only for "ID & Privacy" protection (whatever that means), and it does not affect the real-time malware protection. Seems to me the ID & Privacy protection just enforces that the browser starts without any unknown loaded modules. And since it only works at the start of the application I would call it more of a "clean startup" rather than "real-time protection", but it's up to you. Personally I value much more that my browsers are protected against exploits.

    I hope they can fix it by then.
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thanks for the report - we'll be looking into adding support for this in the 2014 product. Regarding the Identity Shield, it does a lot more than just prevent untrusted modules from loading at browser startup, but it is indeed the opposite of what MBAE does (it protects the browser from the other software on the system, whereas MBAE protects the system from the browser).

    Both products should (and will) work together - we just need to add an exemption on our side to allow MBAE access into the browser. At this point, the initial 2014 release is locked down but we should be able to get this into the first update.

    Let me know if you have any questions or run into anything else in the meantime!
     
  21. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Thanks for the clarification and for your help Joe. As always top notch! :thumb:
     
  22. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    It installed so quickly. :thumb:

    Does it protect better than EMET 4.0?
     
  23. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Differently.

    Both MBAE and EMET include protection for the stage 1 of an exploit attack.

    But only MBAE also includes protection against stage 2 of the exploit attacks in case something bypasses the stage 1 protections.
     
  24. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    That's cool!

    Does it apply the same mitigations as EMET for the stage 1?
     
  25. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Some similar, some different, some still under development.
     