Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    Just released. Notes and changelog at
    https://forums.malwarebytes.org/index.php?showtopic=134888

    If you've had problems with the previous version please re-test with this one as it includes some bug fixes, specifically with IE10 and Chrome.

    Also you'll find "Exploit-Test" with this version, a kinda EICAR but for exploits.


    Is this thread title OK now? ~ TAS
    ahh, only the name on this post changed, not the Thread Title, sorry.
     
    Last edited by a moderator: Jan 1, 2014
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    658
    Location:
    Italy
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Installed.
    TH:;)


    p.s. Test OK:

    Immagine.jpg
     
    Last edited: Oct 15, 2013
  3. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,067
  4. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
  5. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,072
    Location:
    Netherlands
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Thx, :thumb: from my testing additional memory overflow protection, does not seem to interfere with EMET. Trying to find out what additional hooks are monitored, no sense asking I guess :oops:

    No Outlook protected yet :'(

    Impressive code optimising (a lot faster from a little extra CPU load, is a relatively huge improvement) :thumb:
     
    Last edited: Oct 15, 2013
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Thanks for noticing! :)
     
  7. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    I've noticed two things: The icon is now orange, and RAM usage is less than 1MB!
     
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    I refer to my earlier problems with the previous version of MBAE here

    I can say this latest version seems to have fixed that problem.

    ScreenShot_MBAE_v0.9.4.1000_Install_06.gif

    ScreenShot_MBAE_v0.9.4.1000_Install_07.gif
     
    Last edited: Oct 15, 2013
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    New AE techniques used, supposedly that address the issue of RCE / in memory attacks. Their page provides zero details, except to say that it works to prevent 'stage one attacks'.

    When are we going to get details about how this actually works?

    My guess - it does something similar to what EMET's 3.5+ Anti-ROP mitigation techniques do; hooks function, checks function. That would be an improvement, I hope they did something cool, I'll look forward to reading the documentation (i.e.: when someone reverses it and releases the information).
     
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Cool, thanks for confirming!!! :thumb:
     
  11. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    YW! :)
     
  12. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Also, can confirm the new test feature works. :thumb:

    ScreenShot_MBAE_v0.9.4.1000_Install_08.gif

    ScreenShot_MBAE_v0.9.4.1000_Install_10.gif

    ScreenShot_MBAE_v0.9.4.1000_Install_11.gif
     
  13. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Nice!

    As a test of your installed security software, stop MBAE and run the Exploit-Test to see if your Norton/Kaspersky/McAfee/Webroot/etc detects and blocks the exploit. You can even rename exploit-test.exe to iexplore.exe or firefox.exe to make it more obvious to them.

    We made a video of a similar test. You can find the link in the release notes.
     
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Avast detects mbae-test.exe as "MX97:ShellCode-BA [Expl]". Temporarily disabled it to continue the installation. Otherwise, so far so good.
     
  15. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    That's actually a good thing to me; it means Avast! is blocking exploits :D
     
  16. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Yeah that's how I read it too :D
     
  17. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Just an aside, but I was reading a post in the Malwarebytes forum. Probably, not a fault with MBAE. Just something peculiar to my system and other software running.
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    That's actually a reactive sig detection and a false positive by Avast. The file is digitally signed by Malwarebytes so Avast should not be detecting it. The exploit test is completely harmless. It would be a good thing if Avast detected it when you click the "Exploit" button, not by detecting the .exe itself.

    It's nice that they detect it, but actually it means it is reactively detecting some piece of code within the exe. Exploit shellcode can be changed very easily to avoid signature detection. Also exploits run remotely so detecting these types of shellcode in static files with signatures is not really the best way to detect exploits. Again the true measure is if they detect and block the action itself when you press the "Exploit" button, not the static file on disk.
     
    Last edited: Oct 15, 2013
  19. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,194
    Location:
    Virginia - Appalachian Mtns
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Is MAE 0.09.4.1000 now compatible with Win 8.1?

    Thank you.

    Later...
     
  20. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Not yet. Next version will be.
     
  21. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    700
    Location:
    North of the 38th parallel.
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Hello Pedro:

    Where all had been well for my OEM W7 Pro SP1 64bit system with your previous MBAE v0.09.3.1000 beta, the following browsers now fail to accept keyboard input w/v0.09.4.1000 beta.

    Firefox 24.0
    Pale Moon 24.0.2
    Opera 12.16

    If protection is stopped through the system tray's MBAE icon -> "Stop Protection", all keyboard input immediately is permitted.

    I can easily fall back to v0.09.3.1000 beta, but I'll keep v0.09.4.1000 beta installed if you need more information.
     

    Last edited: Oct 16, 2013
  22. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,913
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Comodo IS even in paranoid mode and verbose popup alerts doesn't detect the exploit. It gives the same alerts for Exploit as for Normal. So CIS doesn't see the difference between them.
     
  23. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,913
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    When I cover the mbae-test.exe with EMET 4.0 it detects the EAF mitigation when I press "Exploit".
    Capture.PNG

    ZeroVulnLabs, do you cover Comodo Dragon?
     
    Last edited: Oct 16, 2013
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    I'm very interested in troubleshooting this further 1PW. I'll send you a PM asking for more info if you can help us out in figuring this out. Please allow sending of PM or PM me how to contact you offline.
     
  25. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,161
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    No, not yet. Search older threads for an explanation. After beta we might add more applications. Right now we're focused on finishing the anti-exploit engine.
     