Malwarebytes Anti-Exploit 0.09.3.1000

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Aug 9, 2013.

Thread Status:
Not open for further replies.
  1. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Then is it a good idea to use EMET 4.0 and MBAE together?
    If yes, how to tune them both?
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I ran EMET, MBAE, and HMP.A together with no issues other than a minor bug of Malwarebytes Anti-Exploit blocking HitmanPro.Alert's update executable, which is already being looked into.

    I max EMET mitigations whenever possible and never disabled any of MBAE's shields.
     
  3. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Yeah, I've installed EMET 4.0 with max possible setup for this PC (Win 7 64 bit) as I did it without MBAE: DEP OptOut, Deep hooks - off - all the rest at max. All goes OK so far.
     
  4. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, you can run both together side by side.
     
  5. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    When is Win 8.1 compatibility going to arrive? I tried MAE 0.09.3.1000 in Win 8.1 64 bit yesterday but some driver or service (can't remember exactly) could not load. I'm running EMET 4.0, BTW.

    Later...

    Bob
     
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    The compatibility with Win8.1 is in the works. Currently we're QA'ing 0.09.4 and probably by 0.09.5 we'll have Win8.1 compatibility.
     
  7. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    ZeroVulnLabs, you had better add a manual "Check updates" button and an option to turn automatic updates on/off.
     
  8. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    +1..:thumb:
     
  9. 93036

    93036 Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    110
    This is still occurring with HitmanPro.Alert 2. I have to exclude after every boot on my W7 32 or 64 bit machines.
     
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
  11. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    You got me curious about this since it's pretty vague. I respect that you need to keep the details of your intellectual property, but for a product like MBAE, where comparisons to EMET are unavoidable, I think it ought to be fair enough if people are given a small breakdown in terms of which portions are similar (without revealing the trade secrets, so to say). At the very least, it lets people running the two together know what to look out for if the need to make exclusions in EMET arises.

    If you don't mind:

    1. Does it enforce DEP for apps it protects?
    2. How about ASLR? Since ASLR isn't available on XP systems, does MBAE add any form of pseudo-mitigations like pseudo-ASLR?
    3. Does it employ SEHOP for apps it protects?
    4. Are there any similarities to other anti-ROP techniques used in EMET? If so, which ones?

    A simple answer of "Yes" and "No" would do. I'd understand if you don't wish to reply to all of the above questions.
     
  12. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    I wish to know this as well.
     
  13. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    The automatic upgrades to new versions is something that we will be building into the new GUI for 1.0 once the engine is finished, which we are close to finishing after two or three more beta releases.
     
  14. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA
    I wish to know this as well - also.... and I then wish for some of you smart guys to explain the ins and outs and implications of each answer.

    Thank you.


    -ftp
     
  15. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    I'll try to explain it without spilling the beans.

    EMET is focused on enforcement of existing OS techniques like DEP and ASLR. That is why EMET is stronger on some OSes and not as much on others like XP.

    MBAE incorporates a completely different approach and techniques. It is more generalistic (i.e. better protection for XP than EMET) as well as more comprehensive, as it includes multiple techniques of protection in both layers: stage 1 (DEP bypasses, etc.) as well as stage 2 (Java, payloads, etc.). So with MBAE, if something bypasses stage 1 protections your PC won't be infected, as it still has stage 2 protections. With EMET, if something bypasses its protections you are out of luck. Of course something could theoretically target and bypass the applications themselves (MBAE and EMET), but that's a completely different issue.

    Both can be installed alongside each other and we are taking steps to ensure they keep being compatible. But if I had to choose one I would choose MBAE because it is more generic and offers more complete (holistic if you will) protection against exploits.

    I hope this helps clarify a bit.
     
  16. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    To answer your questions directly:

    1. Does it enforce DEP for apps it protects?
    NO

    2. How about ASLR? Since ASLR isn't available on XP systems, does MBAE add any form of pseudo-mitigations like pseudo-ASLR?
    NO

    3. Does it employ SEHOP for apps it protects?
    NO

    4. Are there any similarities to other anti-ROP techniques used in EMET? If so, which ones?
    Some might be similar, some are definitely different.
     
  17. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    So we can say that MBAE doesn't repeat EMET. It's very good, as if you use both they complement each other.
     
  18. guest

    guest Guest

    The compatibility with Hitman Pro Alert is being fixed, right?

    What about Webroot Secure Anywhere? Has anyone experienced any incompatibility with the Web Shield?
     
  19. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, the HMP.Alert conflict will be solved.

    As for Webroot, they are compatible except for a small problem with the WSA Identity Protection module which Webroot is already looking into.
     
  20. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    It may be too early to ask, but will this have a lifetime license like MBAM, or a yearly fee?
     
  21. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Looking forward to 8.1 compatibility so I can test this.
     
  22. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA

    The MBAM model of one-time-pay has worked very nicely for everybody. So they plan to implement the same model.

    At least that's what I hope they do..
     
  23. Why not outlook? see picture
     


  24. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    I have experienced the issue that when I have shielded applications opened and I close one of them, the counter at shielded applications resets itself to 0. Further, MBAE successfully injects mbae.dll into Word 2013 (Office 365), but does not say that Word is now protected and it has no effect on the shielded applications counter.
     
  25. Antimalware18

    Antimalware18 Registered Member

    Joined:
    Dec 12, 2008
    Posts:
    417
    Any way we could get shielding of Thunderbird and LibreOffice?

    Other than those wishes I love this app, have so since it was ZVL's
     