Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  2. JohnBurns

    JohnBurns Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    775
    Location:
    Oklahoma City
    Thanks for your reply and link. Appreciate it.
     
  3. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    No matter what I do I still cannot get this thing to update. I've now removed any and all functionality and ties to anything on my box. It's just installed and sitting there doing nothing. It still won't update, whether I set it up to automatically or try it manually. I grant it whatever access it asks for and treat it as an installer in D+, which allows all activity. It just will not update and still sits at v 1.06.1.1019

    Usually I'm the one seeing people report problems that I never have. Now I'm the person having a (supposedly unique) problem that no one else in the world is having.

    It'll be a royal pain manually uninstalling/installing every new version, especially with a relatively new product being patched often, but I see no other option at this point. Especially adding in having to redo the configuration in Sandboxie to get it to work with it... which btw I've also removed in an attempt to try everything possible to get it to update.
     
  4. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Are you running as a LUA? If so reboot (not log off!) and login as an admin to see if that makes a difference.
     
  5. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,130
    Location:
    Italy
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    MBAE does block it. I believe in Layer2 (Malicious Memory Protection) IIRC. CVE-2015-5119 is the leaked Flash exploit from HackingTeam that bypasses anti-ROP mitigations in all anti-exploit products.
     
  7. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,130
    Location:
    Italy
  8. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,130
    Location:
    Italy
    Here is the pop-up:

    MBAE1.png

    A similar warning to the test HPA3 (64bit) URLMon.
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,983
    Location:
    Mexico
    Hola Pedro:

    When running a program sandboxed and using mbae template the following message shows up:
    kmsauto.png

    Despite I stop MBAE protection it still blocking an alleged exploit. I pm'ed the files.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Are you running KMSAuto Net sandboxed? It says that is the source of the alert.
     
  11. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,983
    Location:
    Mexico
    Yep. A Russian KMS activator translated to Spanish / English by me lol
     
  12. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    4,014
  13. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    All flash exploits written by vitaly are exactly the same besides the vulnerability trigger of course.
    iirc they should still be blocked by all exploit mitigation software.
     
    Last edited: Aug 24, 2015
  14. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,130
    Location:
    Italy
  15. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    6,787
    August 12:
    August 12:
    August 29:
    The "soon" not arrived yet.....
     
  16. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Well the update problem was fixed by changing my Trusted Publishers in SRP to End Users and unchecking the 2 boxes. I'm used to having to do that to update Windows but not apps.

    That said I don't like the update process. The first time I tried it it asked me whether I wanted to allow it to update automatically from now on, transparently, in the background, or worded something like that. There are 3 words I don't like there. I don't like to allow anything to update automatically. And when I heard "background" and "transparently" I think of the BITS service and how I hate that idea. I like to know exactly what's going on on my box and don't want anything doing anything transparently behind my back. So I unchecked that checkbox for it and clicked OK, figuring it would still update without turning automatic updating on, which I had turned off. But it did nothing at all. Turns out you really have no choice but to allow automatic updating, and that background transparency that comes with it. So saying you can uncheck the box for automatic updating and it essentially turns it into manual updating is very misleading.

    I don't like this at all. There should be a true manual update option. I feel so passionately about this that it's pretty much a deal breaker to me. I don't allow anything else on my box to do things transparently, behind my back. I really think this subject should be given top priority.

    I also miss seeing how many shields are running, and wish there'd also be a list of exactly what shields they are. And granular control of settings on an app by app basis, like EMET, instead of just a few templates, because one size rarely fits all, and I have a good amount of things shielded.

    But I realize that would take a good amount of time to implement all that. First things first... please add a true manual updating option.
     
  17. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes we came across some bugs which we're fixing.

    Hmm, that might be a bug. It should upgrade even if you uncheck that option. We'll try to replicate.
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    @luciddream, I tested the manual upgrade and it behaved as expected.

    I started with an early 1.07 version and unchecked the "Automatic upgrade" option. After a while it shows the "upgrade available" dialogbox and I unchecked the "Always upgrade automatically" checkbox before clicking OK:
    Screen_53 2015-08-29 23.25.jpg

    After the upgrade happened, the latest version 1.07.1.105 was installed and in the settings the "Automatic upgrade" option was still unchecked.
    Screen_53 2015-08-29 23.26.jpg
     
  19. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    6,787
    That's the problem: If you unchecked the "Automatic upgrade" option, how the program knows that an "upgrade is available"? What kind of "manual" upgrade is this?

    Everybody knows how the "auto" and "manual" option works.....

    o_O
     
  20. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    If you uncheck the "Automatic upgrade" option you'll get a dialog box like the one shown in the first screenshot every time there is an upgrade available. At that point you can OK or Cancel the upgrade.
     
  21. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    6,787
    +1
     
  22. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    6,787
    This is your MBAE style "manual" upgrade.
    This is not the usual "manual" upgrade imo......
    In every software that I use, if I uncheck the "Automatic upgrade" option I get NO UPGRADES or DIALOG BOXES.
    I get the upgrade (if any) only if I click the "update now" button.
     
    Last edited: Aug 29, 2015
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
    I don't understand, are you saying that MBAE could also not protect against the CVE-2015-5119 Flash exploit? Or do you mean that other products were bypassed, while MBAE was not?
     
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    No, that's not what that means.
    That particular exploit bypasses ROP mitigations. But ROP mitigations are not the only mitigations used in anti-exploit products. There are other mitigations. In the case of MBAE it blocks the exploit in Layer2 (ROP mitigations are in Layer1).
     
  25. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Blocking exploits is not about blocking/preventing the vulnerability being exploited, but about blocking the used exploitation techniques. Therefore it is a bit naive to say that a certain CVE would be blocked.
    But yes, I can understand that it is easier to say "Product X blocks CVE-20XX-XXXX" then to say "Product X blocks the exploitation techniques used in sample Y that exploits CVE-20XX-XXXX".
     
    Last edited: Aug 29, 2015
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.