Malwarebytes Anti Exploit and EMET

Discussion in 'other anti-malware software' started by Senhor_F, Mar 4, 2014.

Thread Status:
Not open for further replies.
  1. Senhor_F

    Senhor_F Registered Member

    Joined:
    Oct 18, 2012
    Posts:
    54
    To my largely uneducated eye, the two appear to perform pretty similar functions.

    I've used EMET on win 7 64 bit and it seemed a bit buggy to me. I now run win 8.1 x64 with KAV2K14 as my malware protection, and was wondering if anyone has run a combo of these together and how it worked for you.

    Hopefully we can avoid an a vs. b, because these seem to be the two most popular standalone anti-exploit apps around here. Would appreciate any and all info/opinions you have on these apps.

    Thanks!
     
  2. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    Kaspersky products already have their own dedicated protection against exploit payloads since the product range of 2013. Most of these so-called exploit protections only protect against the payload and not the actual exploitation of the vulnerability in your software. That's the stage where EMET's mitigations try to intervene. If you are happy with Kaspersky just stay with it. Yet if you still consider adding something else, at least wait until the official final release and preferably until someone has properly vetted the stuff.

    MRG-Effitas tests Kaspersky's exploit protection (keep in mind: at that time none of the competitors had anything similar, it might look much better today):

    http://www.mrg-effitas.com/wp-content/uploads/2012/06/MRG-Effitas-Exploit-Prevention-Test2.pdf

    Kaspersky's protection against exploits explained in detail:

    https://www.securelist.com/en/analysis/204792303/Filling_a_BlackHole
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From paper at http://labs.bromium.com/2014/02/24/bypassing-emet-4-1/:
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  5. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    143
    There is a long, ongoing thread discussing MBAE... which is currently undergoing an extensive period of BETA testing.... https://www.wilderssecurity.com/showthread.php?t=354641

    Many of the people testing there, including myself, are using EMET as well. While there have been a few incompatibilities between EMET and MBAE reported, it is hoped/expected that the eventual "official" release of MBAE will resolve all of these.

    As such, it is not a question of which is better and choosing only one... but rather, combining them so as to take advantage of both. For while there is unquestionably overlap between these two programs, each one offers aspects not included in the other. To cite an obvious one at present, EMET allows a user to opt-in ANY programs (s)he so wishes... whereas MBAE currently has a pre-determined list of programs it's protecting. On the other hand, MBAE offers multiple "phases" of protection, some of which purportedly go beyond what EMET is capable of protecting. So users can potentially gain by using both.

    MBAE is simpler, in that there's really nothing for the user to adjust/tweak. EMET comes with a large set of pre-defined default options/settings, but all of these can be adjusted/tweaked and augmented by the advanced user, should it become necessary.

    (Note that I am NOT familiar with any dedicated protection against exploit payloads offered by KAV... so I can't say how that may work in place of, or alongside with, EMET and/or MBAE.)
     
  6. Senhor_F

    Senhor_F Registered Member

    Joined:
    Oct 18, 2012
    Posts:
    54
    Thanks, everyone!
     
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    We're working on this right now. It should be added to MBAE in a couple of releases.
     
  8. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,915
    :thumb:

    hopefully in betas?
     
  9. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    Yes, for sure in one of the upcoming betas!
     
  10. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,915
    Well, then there'll be a huge room for experiments. :)
     
  11. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Probably one of the biggest differences between MBAE and EMET is that EMET needs Microsoft .NET Framework to be installed. There can be vulnerabilities/exploits in .NET Framework that have to be patched.

    MBAE has an issue with Sandboxie. Please correct me if my info is wrong.

    Thanks.
     
  12. Senhor_F

    Senhor_F Registered Member

    Joined:
    Oct 18, 2012
    Posts:
    54
    Would we be heading in shark ridden water if someone delved into the differences/similarities between KAV's exploit offering(s) compared to MBAE's?

    Just trying to figure out if it's needed in my case, or at least wouldn't hurt to have it running alongside my KAV, i.e. no slowdown, etc.

    Thanks again.
     
  13. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    You don't need it.
     
  14. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    Please correct me if I'm wrong, but from what I can tell, in addition to forced ASLR the KAV exploit mitigations consist of a basic set of application behavior rules. Some AV products have had these types of basic behavior rules for years now (Avast, Panda, ...). It's obviously better than nothing but by no means as comprehensive, especially when it comes to Java and certain memory attacks.
     
  15. VXB

    VXB Registered Member

    Joined:
    Oct 2, 2010
    Posts:
    18
    I just installed MBAE 0.10.0.1000 on an XP SP3 running EMET 4.1. Now EMET stops Firefox each time I start it, supposedly because it got a SimExecFlow application error. The problem disappears when I disable MBAE.

    I'll remove Firefox from MBAE list and see if it solves the problem.

    EDIT: Oops - Exclusion/item removal is not yet available on MBAE.

    MBAE uninstalled, problem solved :)
     
  16. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    Unchecking SEHOP in EMET for Firefox will stop a lot of crashes. If you consider that an acceptable workaround it might be worth trying.
     
  17. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    On XP, mainly, it would be better to keep MBAE and ditch EMET if they can't run together. Very important features of EMET just don't work on XP. If your processor is old (Q6600 and backwards) even more features are missing (hardware DEP).
     
  18. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    143
    VXB said:
    ...Now EMET stops Firefox each time I start it, supposedly because it got a SimExecFlow application error...

    1) Since EMET can be configured separately for each program/mitigation, you should be able to UNcheck SimExecFlow for Firefox... and then be able to keep both EMET and MBAE.

    2) There are newer (not well advertised) versions of MBAE [BETA] available that you can consider/test: For 0.10.3.0100, see https://forums.malwarebytes.org/index.php?showtopic=146368
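The two EMET workarounds suggested in this thread (unchecking SEHOP, or SimExecFlow, for Firefox only) can also be applied from the command line. This is an added PowerShell example, not from the thread or from the EMET documentation; it assumes EMET 4.1 in its default install folder and uses EMET_Conf.exe's `--list` and `--set` switches with a `-Mitigation` prefix to switch one mitigation off, as I recall them from the EMET 4.x user guide, so confirm the syntax with `EMET_Conf --help` on your version first.

```powershell
# Added example (not from the thread): turn a single EMET mitigation off for one
# application without touching the GUI. Assumptions: EMET 4.1 in its default folder,
# Firefox in its default folder, elevated prompt. Works on 32-bit and 64-bit Windows
# because the Program Files folder is resolved at run time.
$programFiles = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$emetConf = Join-Path $programFiles 'EMET 4.1\EMET_Conf.exe'
$firefox  = Join-Path $programFiles 'Mozilla Firefox\firefox.exe'

if (-not (Test-Path $emetConf)) { throw "EMET_Conf.exe not found at $emetConf" }
if (-not (Test-Path $firefox))  { throw "Firefox not found at $firefox" }

# Record the current per-application configuration before changing anything.
& $emetConf --list

# Configure Firefox with EMET's default application mitigations, minus SimExecFlow,
# which is the one VXB's crash report names. Use -SEHOP (or both) for the other
# workaround mentioned above. Every other mitigation stays active.
& $emetConf --set $firefox -SimExecFlow

# Verify that only the intended mitigation changed for Firefox.
& $emetConf --list | Select-String -Pattern 'firefox'
```

Re-check `EMET_Conf --list` after the next MBAE or EMET update, because a reinstall can reset per-application settings to the defaults.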
     
  19. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    Q6600 supports it actually. All of the Q6XXX did.
     
  20. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    I have just checked and you are right. But you may find that DEP and virtualization are frequently disabled in the BIOS of old machines, so one would need to tweak it to make them work. That seems to be my computer's case, for example.

    If you check through Windows, as I did first, and virtualization is disabled in the BIOS, Windows will tell you that your processor doesn't support it.

    Now I have installed this Intel utility that tells me otherwise, it is thus supported on Q6600:

    https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=7838

    EDIT: The Intel utility tells me that my Q6600 supports virtualization but not hardware DEP, even if everybody seems to be sure that Q6600 supports hardware DEP, when you search with Google.
     
    Last edited: Apr 23, 2014
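The confusion above (Windows saying a feature is unsupported when it is merely disabled in the BIOS) can be narrowed down by asking the OS directly what it sees. This is an added PowerShell example, not from the thread; it reads the documented DEP properties of the `Win32_OperatingSystem` WMI class and uses `Get-WmiObject` so that it also runs on PowerShell 2.0.

```powershell
# Added example (not from the thread): report whether the OS sees hardware-enforced DEP
# (NX/XD) and which system-wide DEP policy is active. A $false result means the OS cannot
# see the NX bit; on older boards that is usually a BIOS setting, not a missing CPU feature.
function Get-DepStatus {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # Documented values of DataExecutionPrevention_SupportPolicy.
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn (client default)'; 3 = 'OptOut' }
    New-Object PSObject -Property @{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        DepFor32BitApps      = $os.DataExecutionPrevention_32BitApplications
        DepForDrivers        = $os.DataExecutionPrevention_Drivers
        Policy               = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

$status = Get-DepStatus
$status | Format-List HardwareDepAvailable, DepFor32BitApps, DepForDrivers, Policy

if (-not $status.HardwareDepAvailable) {
    # Before concluding the CPU lacks NX, look for a disabled "Execute Disable Bit" /
    # "No-Execute Memory Protect" option in the BIOS setup, then re-run this check.
    Write-Warning 'The OS does not report hardware DEP; check the Execute Disable (XD) setting in the BIOS.'
}
elseif ($status.Policy -eq 'AlwaysOff') {
    Write-Warning 'Hardware DEP is available but turned off by policy; EMET''s DEP mitigation will have nothing to enforce.'
}
```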
  21. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    No, ALL features of EMET work exactly the same on XP, other than one: Mandatory ASLR.

    Regarding hardware features (DEP, etc.), the OS doesn't make any difference there. (You slightly implied, that features are missing by being on XP.)

    MBAE still doesn't work with Sandboxie AFAIK, therefore it's useless in that case. Sandboxie + EMET is much, much, much better than MBAE. I also wouldn't discredit EMET alone as much as you seem to. :)
     
  22. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    'Only' Mandatory ASLR is not supported? Ok, no problem then...

    I 'slightly implied' absolutely nothing. I was talking about old processors, the ones that used to run XP. By the way, after checking again, my Q6600 does support virtualization but DOESN'T support hardware DEP, according to the Intel utility. Another reason to search for alternatives to protect against exploits, in my case.

    And sorry, I don't 'seem to discredit' anything, I'm not into fanboys wars. I only give my opinion about what's better for Windows XP, which is the OS that I use right now.
     
  23. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    Yeah, I know exactly what you were talking about. :) On systems that used to run XP, "if your processor is old ... even more features are missing," AND upgrading the OS isn't going to allow anything else to be used on that hardware, which you slightly implied... This is NOT upgrading from Win2k/XP SP1 that suddenly allows something like DEP to be used. And ASLR (that an upgrade would add) is NOT a hardware feature, etc. In other words, there's no reason to mention hardware, as it's a non-factor in this thread. :p

    Me too, and I AM discrediting MBAE, since there's no doubt that Sandboxie with EMET is the better choice, period. You suggested ditching EMET, giving no reasons; as if MBAE can somehow do more. It can't AFAIK, other than [try to] stop payloads (too late, though better than nothing).

    And paid-for MBAE (after final?) is certainly useless (it WILL be bypassed; EMET doesn't charge for that "feature").
     
  24. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Whatever... I won't lose more time with your ramblings.
     
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    Actually, that's the only one disabled in Application Mitigations; in the System-wide settings, SEHOP and ASLR are also disabled.

    Also I thought that DEP without ASLR is pretty easy to bypass, and most other mitigations are for protection against techniques that bypass ASLR, which is missing.
     
    Last edited: Apr 23, 2014