Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.
Problem still exists with build 130
Build 130 automatically downgrades to build 129, so after reboot MBAE will throw the warning again. We're checking things and might decide to automatically update everybody to build 130 later today.
Could you post some details of the alert that HMPA is showing? Click on 'Technical details' when the alert is shown and copy and paste the data (or screenshot). We are unable to reproduce and seek more information.
If you're able to post a screenshot of the 'Technical details' shown in the alert, that would help a lot!
We're pretty eager on diving into this as it seems that Dropbox is altering your data.
Is there any known issue or conflict while using HMPA and Kaspersky software?
Really? It doesn't update until reboot for me, and stayed working with MBAE as build 130 so far. Already implemented?
*Nevermind, it said an update is available and asked me to reboot again. Obviously not going to.
And I would like to ask about Prey compatibility once again if you don't mind.
I'm on win8 using MBAE premium and HPA v3 129 FREE and apparently is working fine, no conflicts, crashes or warnings.
Folks, I'll say it again. Trying to mix MBAE and HMPA is a bad idea. Erik can fix HMPA, and then a change in MBAE breaks it again. Choose one or the other and stick with it. Trying to mix the two because of the lack of them in the free versions will just keep leading to the problems. The solution is to buy one. That's life.
I have tested the mitigation capabilities of both MBAE and HMPA and I can say that they offer roughly the same level of protection. I would advise MBAE if you don't want to configure anything by yourself and HMPA if you want more advanced options.
OK, but are you sure that they offer the same level of protection? Please look here at what HMPA 3 actually offers:
I just don't think MBAE premium offers that much at all, so I don't know what to say about your testing MBAE and HMPA 3.
I mean HMPA 3 offers so much more than just exploit mitigations, it offers:
Please, also read this:
Now, when you read all of this in detail, can you again say and 100% confirm that MBAE premium and HMPA 3 both offer the same level of protection? I don't think so. Of course, maybe I'm just simply/plain wrong and maybe I'm just making completely wrong conclusions.
Windows 7, 64 bit.
I just started using HMPA again after not using it for a few months. When I start Chrome, sometimes I get an Application error message for Chrome.exe about some kind of exception. Also, does HMPA 2.6.5 have any problems running with MBAE like it has in the past?
Do not make this the other way around. It was MBAE that had an issue with Alert 2.6.5.
Okay, let me rephrase my statement: I have tested the exploit mitigations and they are comparable. Of course HMP.Alert 3 contains more secondary 'protection' mechanisms, but those are not key features of HMP.Alert 3.
Alert 3 is install-and-forget. You do not have to configure it. But if you want to, you can, up to every detail.
Alert has both a simple and advanced interface to support both types of users where the simple interface is default.
Also in terms of exploit mitigations, the hardware-assistance offers unprecedented detection of advanced exploit attacks. For example it detects various attacks that bypass EMET via CALL gadgets (http://bromiumlabs.files.wordpress.com/2014/02/bypassing-emet-4-1.pdf). Our Exploit Test Tool has this exact test.
Some attacks are probing whether EMET is protecting the attack surface (https://www.fireeye.com/blog/threat...ises-us-veterans-of-foreign-wars-website.html).
So you see exploit writers are very much aware of what they are up against and how they can bypass mitigations.
Hardware-assistance does offer better protection because it tells you what the CPU has been up to, it cannot be faked. In other words, if a ROP is in progress, the CPU can tell you. Unlike the stack which is under control of the attacker.
Hope this helps.
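The hardware-assisted idea in the post above, as an added example that is not HitmanPro.Alert's code: a simplified model in which the CPU's own branch records (Intel's Last Branch Records are one such source, holding only a small fixed window of recent branches) are checked for returns that no CALL ever preceded, or that do not pair with a CALL the CPU recorded. The code image, addresses and branch windows are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed code image: address -> (mnemonic, instruction length in bytes). 0x4010xx/0x4020xx
# is a legitimate caller and callee; 0x4030xx holds "pop; ret" sequences no CALL ever targets.
CODE = {
    0x401001: ("call 0x402000", 5), 0x401006: ("mov rax, rbx", 3), 0x401009: ("ret", 1),
    0x401010: ("call 0x402000", 5), 0x401015: ("ret", 1),
    0x402000: ("mov rdi, rsp", 3),  0x402003: ("ret", 1),
    0x403000: ("pop rdi", 1),       0x403001: ("ret", 1),
    0x403002: ("pop rsi", 1),       0x403003: ("ret", 1),
}

@dataclass(frozen=True)
class Branch:
    kind: str  # "call" or "ret" (indirect jumps omitted to keep the model small)
    src: int   # address of the branching instruction, as the CPU recorded it
    dst: int   # address it transferred control to

def call_return_sites(code):
    """Every address that legitimately follows a CALL: call address + call length."""
    return {addr + length for addr, (mn, length) in code.items() if mn.startswith("call")}

def suspicious_returns(trace, code):
    """Inspect a CPU-recorded branch window. A RET is flagged when its target was never
    preceded by a CALL, or when it is call-preceded but does not pair with the most recent
    CALL the CPU recorded (a bare caller check alone would pass it). The pairing is rebuilt
    from the branch records, not from the thread's stack, which the attacker controls."""
    legit = call_return_sites(code)
    recorded_calls = []  # return addresses implied by CALLs seen in the window
    flagged = []
    for br in trace:
        if br.kind == "call":
            recorded_calls.append(br.src + code[br.src][1])
        elif br.kind == "ret":
            expected = recorded_calls.pop() if recorded_calls else None
            if br.dst not in legit:
                flagged.append((br, "target not call-preceded"))
            elif expected is not None and br.dst != expected:
                flagged.append((br, "does not match recorded call"))
    return flagged

# Constructed branch windows: a normal call/return, a plain return-oriented chain, and a
# chain that only returns to call-preceded addresses.
BENIGN_TRACE = [Branch("call", 0x401001, 0x402000), Branch("ret", 0x402003, 0x401006)]
ROP_TRACE = [Branch("call", 0x401001, 0x402000), Branch("ret", 0x402003, 0x403000),
             Branch("ret", 0x403001, 0x403002)]
CALL_PRECEDED_TRACE = [Branch("call", 0x401001, 0x402000), Branch("ret", 0x402003, 0x401015)]
```

Calling `suspicious_returns(trace, CODE)` on the three windows returns no flags for the benign one, two "target not call-preceded" flags for the plain chain, and one "does not match recorded call" flag for the call-preceded chain.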
I agree, especially after reading all these problem reports, almost all are caused because of combining MBAE with HMPA. In theory, HMPA (free version) should not interfere with MBAE, but in practice it's apparently difficult to stay compatible. No wonder because they both monitor the same memory areas. I would expect that tools like Webroot ID Shield and Trusteer will almost for sure also cause problems when combined with MBAE/HMPA/EMET.
What do you think about MBAE not being able to stop some certain tests from the HMPA exploit testing tool? And can you tell me a bit more about your testing methods?
More info: if I open HMPA under safe browsing there are 2 IE icons. If I click on one it opens a box that shows your web browsers; it lists 2 for IE, one is iexplore.exe (32 bit) and the other iexplore.exe. If I use HMPA to open IE by clicking on "open browser", the 32 bit application does not have the green border or encryption; the other one, iexplore.exe, has both. So I guess when I'm clicking on my IE icon on the desktop it opens the 32 bit version instead of the 64 bit version.
The fact that you see problems with Alert 3 is because you are part of its development.
Compare it to a car. Once it is in the shop you just buy and drive it, not knowing that the engineers went through hell getting that V6 engine to run smoothly in that mini.
I think the 32-bit browser is added to the Office template. That was an issue with the CTP4 release. This way the 32-bit browser does not get the green border or encryption. The RC picks up the CTP4 settings.
To resolve, delete the iexplore.exe (32-bit) from the list of Applications. Restart the Alert service so that it picks up the 32-bit browser again.
In the final there will be a reset settings option.
Ok, please explain how to delete it because I can't figure out how to do it. Also, I uninstalled MBAE to see if it would make a difference; it didn't.
Open HitmanPro.Alert user interface by clicking on its tray icon (or click on the flyout)
Switch to Advanced Mode via the gear icon next to the minimize window button (top right)
Click on the blue tile
Click iexplore.exe (32-bit) listed under OFFICE
Click Remove mitigations
I reported this instance of two IE11 icons previously in one of my posts regarding encrypted text in the IE11 address bar, which by the way I am still awaiting a reply on. It does seem that all my posts are being ignored.
I have just opened the hmp.Alert interface following your instructions above and both my icons are listed under browsers. Is that correct?
Just for information:
I was able to bypass the FTP > NAS upload stalling issue by enabling "active mode" rather than passive mode in Filezilla; the stalling issues have gone away.
Not a fix of course, but maybe the cause of the problem can be narrowed down.
(RC 129 working fine otherwise, no other problems noticed)
I appreciate your concern on this but I am still hoping that MBAE free version and HMP.A 3 free version without exploit mitigations can cohabit on the same machine.
"The solution is to buy one. That's life."
Not everyone is made of money. That too is life.
First of all: Excuse me for my English.
The testing tool that is provided with HMPA specifically focuses on proving that HMPA works. (It works.)
So I'm not surprised that some tests will 'be unsuccessful' when tested against MBAE. (http://postimg.org/image/4v1klhp11/)
Most exploitation attempts will target Internet Explorer/Flash with memory corruption vulnerabilities, Java or MS Office with malicious macros through generally known delivery methods, which are also detected by MBAE. But a number of more exotic tests are also present in the testing tool that you probably won't find in the wild that quickly.
I would even be surprised if any professional (with knowledge of vulnerability research) would trust 'evidence' based on a tool that simulates 'attacks'. Furthermore, I wouldn't be surprised if 99% of the users of the testing tool don't understand *any* of the techniques simulated.
Let me mention that this criticism was only focused on the testing tool and *NOT* on HMPA or MBAE. Both tools do a good job in stopping the vast majority of exploitation attempts without a loss of performance, period.
About the testing I performed:
I was originally writing a long post about it, but I didn't make a back-up of my progress before I accidentally reloaded this page ... (Bye bye 30 minutes of typing)
I tested MBAE and HMPA with:
- Internet Explorer on Windows 7
The big question: Can MBAE and HMPA be bypassed? Of course, it isn't even that difficult on a physical machine with hardware assisted CFI.