Fileless malware detection

Discussion in 'other anti-malware software' started by aigle, Dec 3, 2014.

  1. 142395

    142395 Guest

    Ah, I didn't notice you were also looking into threads. So in that test you used MBAE; if you had done it correctly you'd see an MBAE warning, at least after several attempts. As to the Fiddler settings I can't comment, as PE completely hides Fiddler's right pane. Also I'm not familiar with PE, but looking into threads makes sense.
    I can't read 4th pic as it is too tiny.

    [EDIT: just to avoid confusion, threads in this post means process threads, not Wilders threads of course! Also, PE means Process Explorer.]
     
    Last edited by a moderator: Dec 5, 2014
  2. 142395

    142395 Guest

    Though I already wrote it in the MBAE thread, make sure to import each piece of traffic into the right pane under the Autoresponder tab. Those are the rules for the Autoresponder, and traffic to that URL will be overridden by those rules.
    I can't reply tomorrow but hope you'll succeed. Anyway there are many more skilled people than me here.
     
    Last edited by a moderator: Dec 5, 2014
  3. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    So, should anyone use Malwarebytes anti-exploit or not along with Google Chrome?
    Does MBAE truly weaken Google Chrome's protection and security level?
    How do you enable-strict-isolation in Google Chrome?
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, but that's why I'm asking which malware is actually doing this at the moment? Don't get me wrong, I also prefer so-called "stage 1" protection, but I'm just trying to figure out how real the risk is when you allow file-less malware to run. Also, with HIPS it's possible to restrict apps that are vulnerable to attacks, like the browser. With SBIE you can limit access to the file system, for example. But HIPS should focus more on this IMO; not a lot of them protect against info/password stealers out of the box.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I didn't keep the tests, but I tested a bunch of HIPS-type products including all the old favorites, and none of them, with a couple of exceptions (none of which were the oldies), would have stopped memory-only attacks.

    My feeling on letting any file-less malware run, or any malware for that matter, is that it is an unacceptable risk. But this may depend on the user. In my case I have client financial data on my machines. Would you be comfortable if I didn't make the effort to block all malware?
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Actually I think Fiddler's right pane will not give you any information on whether the exploit was successful or not.
     
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Huh ?!? :confused::confused:
    This is very inaccurate. Granted Chrome is by far the safest of the browsers, but adding exploit mitigations to it just makes it stronger, not weaker.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Can anyone look into this screenshot? Am I doing something wrong? I failed to get any alert from MBAE or HitmanPro.Alert!

    Thanks
     

    Attached Files: 6.JPG
  9. 142395

    142395 Guest

    I got a little time.
    Yup, you're doing it wrong, as the right pane only shows 2 lines while the left shows a lot. You have to D&D all traffic into the right pane. Though I didn't know it, it seems you can "select all" or Ctrl+A those traces in the left pane according to this link:
    http://blogs.msdn.com/b/askie/archi...-autoresponder-to-replay-a-fiddler-trace.aspx
    Now, it's obvious I forgot some minor but important things.
    Firstly, make sure to clear the browser's cache, though if it's your first visit it doesn't matter. I recommend adding the -private option to your IE shortcut for convenience.
    I also forgot to mention that you have to check "Unmatched requests passthrough", but you have done that correctly.
    I'll update the post in MBAE thread too.

    Also make sure you have set up the vulnerable system correctly; if it doesn't match the exploit, your test will fail. I don't remember what versions of software I used except bare-bones (unpatched) IE10. But I remember the old Java download required registration. You can bypass this with BugMeNot if you don't have an Oracle account. Old Silverlight required some googling. Old Firefox and Flash are found easily, but if you have the latest Flash installed, you can't install an old Flash even after uninstalling the latest one. Some registry cleaning is needed to install the old one. I rather recommend using an old Windows image so that you don't need to care about Windows patches and don't need to clean the registry to install old Flash.


    About the interpretation of threads, sorry, I'm not an expert and can't comment on that. I hope Pedro helps us.
     
  10. 142395

    142395 Guest

    Actually, most known in-mem malware can be prevented by a well-configured HIPS at some point. This is not a surprise, because the point of in-mem malware is not bypassing HIPS but not leaving traces.
    Such in-mem malware tries to do much dirtier things than just stealing info within the browser, which is also no wonder considering most in-mem malware is used in targeted attacks.
    However, remember there have been many malware that send such credentials from the browser, so it's almost a matter of time, and even though an in-mem malware tries to do much nastier things, it is possible they first send browser credentials before, or at the same time as, doing the nastier thing.

    BTW, again the term "stage 1" is somewhat confusing. According to this,
    https://forums.malwarebytes.org/index.php?/topic/136424-frequently-asked-questions/#entry846361
    stage 2 will also prevent this kind of malware, and, though it could be called a rhetorical or semantic problem, so would even stage 3, as in this case the payload is mem-only malware.
     
  11. 142395

    142395 Guest

    I don't say "anyone" or "everyone", as each individual has preferences and what one thinks a threat is differs.
    In a practical context I don't think MBAE weakens the security of Chrome. Yes, they (Chromium) say 3rd-party DLLs are the Achilles' heel for Chromium, and generally every piece of software can bring attack surface, at least in theory. But even if that's real, it still only matters for study purposes like Pwn2Own or in a highly sophisticated APT where the attacker doesn't mind spending lots of money and time to penetrate the victim; however, even in such a case there are usually many more weak points in the victim environment, and the attacker will probably choose those rather than such a hard task.

    You said Chrome has memory protection in another thread. Yes, that's right, but only basic ones such as DEP and ASLR; it doesn't have anti-ROP, heap-spray protection or other advanced memory protection. So MBAE adds what Chrome doesn't have.

    I'm not paranoid enough to worry about Chrome bypasses, as they will only occur in a targeted attack, but now I'm beginning to be uncertain about whether --enable-strict-site-isolation can really block all mem-only malware, so I get a bit more peace of mind by MBAEing Chrome.

    To enable the flag, you have to add the string "--enable-strict-site-isolation" (without the double quotes) to your Chrome shortcut (right-click the icon > Properties > Shortcut tab > Target > make it like this: %PROGRAMFILES(x86)%\Google\Chrome\Application\chrome.exe --enable-strict-site-isolation).
    If you want this flag always enabled, i.e. not only when you use that shortcut but also when Chrome is launched by another program, I posted a how-to here.
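    The shortcut edit described above, done from PowerShell rather than by hand, as an added example that is not part of the original post or of any product mentioned in it. It reads the .lnk with the WScript.Shell COM object, appends the flag only if it is not already present as a whole token, and reports the resulting target and arguments. The Desktop shortcut path is an assumption; point it at whatever shortcut you actually launch Chrome from. Two caveats from later in the thread still apply: the flag only takes effect for launches through that shortcut, and it can break some sites. (The flag name is the one the post gives; current Chrome versions have since renamed and then defaulted their site-isolation switches, so check chrome://flags on a modern build.)

```powershell
# Added example (not from the original thread). Adds --enable-strict-site-isolation
# to a Chrome shortcut's arguments, idempotently, and shows what the .lnk now holds.
# Assumptions: Windows with the WScript.Shell COM object (any supported version);
# the shortcut path at the bottom is only a sample.

function Set-ShortcutFlag {
    param(
        [Parameter(Mandatory)][string]$LinkPath,
        [string]$Flag = '--enable-strict-site-isolation'
    )
    if (-not (Test-Path -LiteralPath $LinkPath)) { throw "Shortcut not found: $LinkPath" }

    $shell   = New-Object -ComObject WScript.Shell
    $lnk     = $shell.CreateShortcut($LinkPath)
    $current = $lnk.Arguments

    # Whole-token comparison, so a flag that merely starts with the same text does
    # not count as "already set".
    $present = ($current -split '\s+') -contains $Flag
    if (-not $present) {
        $lnk.Arguments = ("$current $Flag").Trim()
        $lnk.Save()
    }

    [pscustomobject]@{
        Link      = $LinkPath
        Target    = $lnk.TargetPath
        Arguments = $lnk.Arguments
        Changed   = -not $present
    }
}

# Sample (assumed) location: the per-user Desktop shortcut.
$link = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Google Chrome.lnk'
Set-ShortcutFlag -LinkPath $link
```

    Running it twice is safe: the second run reports Changed = False and leaves the shortcut untouched. To verify at runtime that a Chrome instance really got the flag, compare the command line in Process Explorer's process properties with the Arguments column this script prints.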
     
  12. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Thank you Yuki for your big help here. I will try this configuration of Google Chrome, most likely next week, because I'm out of time right now, and I actually thought that Google Chrome has anti-ROP, heap-spray protection and other advanced memory protection, etc.
    But it doesn't. I guess Sandboxie 4.14 also does not protect against these advanced exploits, right?

    It means I can use MBAE in peace with Google Chrome, that's all I wanted to know.

    Also, the main reason why I asked you this is also this:
    http://www.securityweek.com/google-patches-50-security-vulnerabilities-chrome-browser-update
    http://threatpost.com/50-security-flaws-fixed-in-google-chrome/107922

    I wonder if MBAE would protect against these 50 security holes/vulnerabilities/bugs, before Google Chrome was upgraded?
     
  13. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Yes, I do realize that now.
    My honest apology, because I desperately wanted to retain MBAE on my computer, and it was stupid of me to remove the shield for Google Chrome.
     
  14. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    No problem @CoolWebSearch and thanks for bringing it up. I'm afraid you're not the only one that has/had this perception about Chrome. And thanks @142395 for the explanations.
     
  15. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, most likely it would protect against these vulnerability exploits.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, tried again in a Win 7 (unpatched) VM with IE and an old Flash version. Still no go! Not sure what is wrong with my setup. :(
     


  17. 142395

    142395 Guest

    That's a tricky question. Strictly speaking, no sandbox or anti-exploit product directly protects against those vulnerabilities; that is the job of a patch. IOW, none of those programs directly block memory from being corrupted/overwritten AFAIK.
    However, an actual exploit is not a mere abuse of a vulnerability; the attacker needs to bypass OS security and has to reliably execute a payload, so AE blocks those malicious attempts and thus can block the actual exploit without a patch.

    Your link illustrates some of those 50+ vulnerabilities, and it includes some memory-read vulnerabilities. Though I don't know the details of them, usually such vulns cause DoS or info-leak problems. AE or sandboxes are not designed to protect the user from such vulnerabilities. MBAE clearly states this:
    https://forums.malwarebytes.org/index.php?/topic/136424-frequently-asked-questions/#entry846348
    But as for use-after-free vulnerabilities, MBAE can block an actual exploit which tries to leverage those vulns, though those vulns can't damage the system unless the attacker combines them with a sandbox-escape exploit.

    As to --enable-strict-site-isolation, keep in mind that this flag can break some websites. Actually it breaks one of my often-visited shopping sites when I try to purchase. This is the reason they don't make this isolation option the default yet. But most websites will work.
     
    Last edited by a moderator: Dec 8, 2014
  18. 142395

    142395 Guest

    Sorry, I can't see what is wrong. Possibly the program's version, but it seems unpatched IE is enough to trigger the exploit according to Kafeine's blog, so it might be some procedure... not sure. :confused:
     
  19. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Yuki, thank you for your time and patience. I'm actually happy that there are people who know about this and are much more informed than I am, but where can I read about all this?
    I tried the internet and I was extremely disappointed because I couldn't find many of these explanations.
    Also, against what other exploits does MBAE not protect, besides XSS and SQL injection?

    I also presume it's useless to have Sandboxie or any other sandbox against these and other exploits you mentioned.
    Also, some of those exploits as described are designed to actually break out of Google Chrome's sandbox, which means these exploits will bypass Sandboxie's sandbox as well.

    By the way, I don't sandbox the Google Chrome browser with Sandboxie anymore (and from this moment this is my final decision; J_L and similar posters have convinced me). I sandbox all of my other browsers, but not Google Chrome anymore; I only sandbox downloads and Java plugins and similar. However, MBAE also protects both Google Chrome and all other browsers and all the plugins and add-ons inside Google Chrome and inside all the other web browsers that I use every day for web surfing/browsing.
    What do you think?

    So how do you protect against SSL, SQL injection and similar if not with MBAE? With Zemana Anti-Logger? Or something else?
    Big thanks in advance, again.
     
  20. 142395

    142395 Guest

    I don't know a specific site which describes all those things, especially in English.
    I've been learning security one by one, just like you or Rasheed or FleischmannTV, so it's from my current understanding.

    Surely a sandbox wouldn't protect you from a DoS attack or XSS, but your saying that those exploits are designed to break out of the sandbox is wrong; the fact is sandboxes are not designed to protect against such exploits.

    As long as you have taken proper measures for downloaded programs & documents, and also plugins, it will be fine. Practically, either SBIEing Chrome or not SBIEing it will be fine; it's a matter of choice (or a matter of viewpoint on what you think is a threat) unless there's a performance or compatibility issue. Make sure MBAE is actually protecting all programs, by the test tool or by System Explorer or Process Explorer (see if mbae.dll or mbae64.dll is correctly inserted).

    SQL injection is a server-side problem; if you don't have your own server, you need not care about it (or, maybe the advice is, don't put too much of your sensitive info in the cloud and only use trustworthy services, as they might be hacked via those vulns).
    About SSL vulnerabilities, the best way is always keeping your eyes on security news. You know, this year we had several serious SSL/TLS-related flaws such as Heartbleed, Triple Handshake, POODLE. OTOH there have been other movements, e.g. MS published a FixIt to disable RC4, attacks against the MD5 cypher became easier, etc. There's no ultimate way to prevent SSL vulnerabilities proactively, so you have to keep up with the latest info about them and, if you can, take proper measures.
    For XSS, the good way is to use NoScript or HTTPSB/μMatrix. By using them in default-deny mode, you can greatly reduce the chance of an XSS attack; besides, NS has its own XSS filter which is more radical than Fx's own one, while Chrome implements a strong XSS filter by itself. There is discussion that HTML5 introduces new methods for XSS, but the basic preventive measures are the same.
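    Two checks that come up in this thread, done from PowerShell instead of by eye in Process Explorer, as an added example that is not part of any post here and not code from Malwarebytes or any other product named in the thread: the "look at the process threads" check from post 1 (is any thread's start address outside every loaded module, the classic sign of memory-only injected code?) and the "is mbae.dll / mbae64.dll actually inserted?" check from post 20. Assumptions: Windows PowerShell 5.1 or later (Add-Type compiles a small P/Invoke helper), a PowerShell of the same bitness as the target process (Process.Modules throws on a 32/64-bit mismatch), and elevation for processes you do not own. The browser process names at the bottom are samples only.

```powershell
# Added example, not from the original thread. Checks (1) threads whose Win32 start
# address is not inside any loaded module and (2) whether MBAE's hook DLL is loaded.
# Assumptions: Windows PowerShell 5.1+, same bitness as the target, run elevated for
# foreign processes. Process names used below are only samples.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class ThreadNative
{
    // ThreadQuerySetWin32StartAddress (class 9) is the address the thread was created
    // at, which is what Process Explorer's Threads tab shows. .NET's
    // ProcessThread.StartAddress reports ntdll!RtlUserThreadStart for every thread on
    // Vista and later, so it is useless for this check.
    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationThread(IntPtr hThread, int infoClass,
                                               out IntPtr info, int len, IntPtr retLen);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenThread(uint access, bool inherit, uint tid);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr h);

    public static IntPtr Win32StartAddress(uint tid)
    {
        const uint THREAD_QUERY_INFORMATION = 0x0040;
        IntPtr h = OpenThread(THREAD_QUERY_INFORMATION, false, tid);
        if (h == IntPtr.Zero) return IntPtr.Zero;          // caller sees 0 = query failed
        IntPtr addr;
        int status = NtQueryInformationThread(h, 9, out addr, IntPtr.Size, IntPtr.Zero);
        CloseHandle(h);
        return status == 0 ? addr : IntPtr.Zero;
    }
}
"@

function Get-ModuleRanges {
    # One [Start, End) range per loaded module of the process.
    param([System.Diagnostics.Process]$Process)
    foreach ($m in $Process.Modules) {
        [pscustomobject]@{
            Name  = $m.ModuleName
            Start = $m.BaseAddress.ToInt64()
            End   = $m.BaseAddress.ToInt64() + $m.ModuleMemorySize
        }
    }
}

function Find-UnbackedThreads {
    # One record per thread; Suspicious = start address outside every loaded module.
    # Treat hits as a lead, not proof: JIT engines, packers and some DRM also start
    # threads in memory that no module backs.
    param([int]$ProcessId)
    $proc   = Get-Process -Id $ProcessId
    $ranges = @(Get-ModuleRanges -Process $proc)
    foreach ($t in $proc.Threads) {
        $addr  = [ThreadNative]::Win32StartAddress([uint32]$t.Id).ToInt64()
        $owner = $ranges | Where-Object { $addr -ge $_.Start -and $addr -lt $_.End } |
                 Select-Object -First 1
        [pscustomobject]@{
            ProcessId    = $ProcessId
            ThreadId     = $t.Id
            StartAddress = ('0x{0:X}' -f $addr)
            Module       = $(if ($owner) { $owner.Name }
                             elseif ($addr -eq 0) { '<query failed>' }
                             else { '<no module>' })
            Suspicious   = (-not $owner) -and ($addr -ne 0)
        }
    }
}

function Test-MbaeLoaded {
    # True when mbae.dll or mbae64.dll is present, i.e. MBAE is shielding the process.
    param([int]$ProcessId)
    $names = @(Get-ModuleRanges -Process (Get-Process -Id $ProcessId)).Name
    [bool]($names | Where-Object { $_ -match '^mbae(64)?\.dll$' })
}

# Usage (sample process names): MBAE status plus any unbacked threads per browser.
foreach ($p in Get-Process -Name iexplore, chrome, firefox -ErrorAction SilentlyContinue) {
    '{0} (PID {1}): MBAE loaded = {2}' -f $p.ProcessName, $p.Id, (Test-MbaeLoaded -ProcessId $p.Id)
    Find-UnbackedThreads -ProcessId $p.Id | Where-Object Suspicious | Format-Table -AutoSize
}
```

    A browser that MBAE is supposed to shield but where Test-MbaeLoaded returns False is exactly the "no alert" situation earlier in this thread, so run that check before blaming the exploit setup. A thread flagged Suspicious with a `<no module>` start address is the same thing Process Explorer shows as a bare address in its Threads tab; confirm it by dumping that region before treating it as injected code.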
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok,finally I am able to run it after installing java on XP. MBAE gives pop up alerts.

    No peep from Comodo Defense+ even in paranoid mode. It was expected. It seems GeSWall or any other sandbox also can't do much to stop the exploit here, but it will however keep the system clean. Again expected.
     

    Attached Files: s.JPG, s3.JPG, s4.JPG
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, I agree, I do think it's important, and we have had numerous discussions where this was discussed. For example, tools like EXE Radar, AppGuard and VoodooShield cannot stop this type of malware from running. But so far, no one has explained which malware that's currently in the wild is actually capable of hijacking the browser or system when it's running in memory only.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm speaking about my own classification as mentioned in some other thread.

    Stage 1: Stopping exploit/shellcode
    Stage 2: Stopping payload/malware (file-based)
    Stage 3: Containing payload/malware
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Rasheed

    I don't think there is actually that much... yet. But I for one don't want to chance it.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    So what is your defence against this type of malware?
     