Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router

    I solved my problem. It is because of the disabled service Windows Management Instrumentation (winmgmt).
    I saw this in the FRST Addition log.
    So after enabling this service I am able to install it.
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Installed the new beta and all seems fine so far on Win10!
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Thanks for reporting this @co22 so that others might take this into consideration if their WMI service is stopped.
    From the WMI description:
    "If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."
    The WMI is what we're using for detection of EMET during the MBAE installation.
     
    Last edited: Sep 6, 2015
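
The check implied by the two posts above, as an added example that is not part of the thread and not Malwarebytes code: it verifies that the `winmgmt` service is enabled, running and actually answering queries before an installer that depends on WMI is run. The function names `Test-WmiReady` and `Enable-Wmi` are hypothetical; it assumes an elevated PowerShell 5.1 or later prompt.

```powershell
# Added example (not from the thread): pre-install check for the WMI service.

function Test-WmiReady {
    # Get-Service talks to the Service Control Manager directly, so it still
    # works when WMI is disabled (a Win32_Service query would itself need WMI).
    $svc = Get-Service -Name winmgmt -ErrorAction Stop

    $result = [ordered]@{
        StartType  = $svc.StartType
        Status     = $svc.Status
        # Services that will fail to start while winmgmt is disabled.
        Dependents = ($svc.DependentServices | ForEach-Object Name) -join ', '
        QueryOk    = $false
    }

    if ($svc.Status -eq 'Running') {
        try {
            # A small query proves WMI answers, not only that the service is up.
            $null = Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction Stop
            $result.QueryOk = $true
        } catch {
            $result.QueryOk = $false
        }
    }
    [pscustomobject]$result
}

function Enable-Wmi {
    # Restore the Windows default start type (Automatic) and start the service.
    Set-Service -Name winmgmt -StartupType Automatic
    Start-Service -Name winmgmt
}

$state = Test-WmiReady
$state | Format-List
if (-not $state.QueryOk) {
    Write-Warning 'WMI is not answering queries; installers that rely on it may fail.'
    # Enable-Wmi   # uncomment to re-enable the service, then re-run Test-WmiReady
}
```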
  4. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    @ZeroVulnLabs

    Could you describe the changes that certain new mitigations have brought?
    I am especially interested in seeing what type of attacks should be covered by the new: "Layer0 Dynamic Anti-HeapSpraying" and "Layer1 ROP-RET gadget detection" mitigations.
     
  5. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    700
    Location:
    North America
    Just out of curiosity, is there a free version of MBAE or only a trial version? I have MBAM pro installed and was in the MBAM forum/website and looked up MBAE and it had a free version download. So for the heck of it I downloaded it, installed it and it came out as trial version with 14 days of trial. Please enlighten me. Does the trial go to free after 14 days automatically if not purchased? Also if MBAE goes into free mode, what is crippled in it afterwards? Thanks in advance.
     
    Last edited: Sep 6, 2015
  6. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
    I don't know where to start. I think that is too complicated for me. When setting the service to delayed start there is no problem anymore between 360 Total Security and Malwarebytes Anti-Exploit. I also reported the problem to Qihoo. Maybe they will come up with something.
     
  7. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Yes, there is a free version of MBAE. When you installed it you probably forgot to untick the box where the trial version of premium is offered.

    In the free version you can't add/manage custom shields, see here:

    https://www.malwarebytes.org/antiexploit/
     
    Last edited: Sep 6, 2015
  8. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    700
    Location:
    North America
    Looks like old age might be setting in on my part. I downloaded the free version from the link above and got to this point, shown below. Nowhere did I see an option to tick or untick for a free version download. The result shows the Trial version highlighted, also shown below. If you could enlighten me as to where this "tick option" for the free version is located, it would be much appreciated.
     

    Attached Files:

  9. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    @wolfrun, if you already activated the 14 day trial, a second installation won't show the trial option during the installation (as it is already activated).

    Simply wait for the 14d trial to expire. I think after day 9 you have the option of reverting back to the Free mode.
     
  10. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    700
    Location:
    North America
    Thanks for the reply. Tried out the template also in Sandboxie and it works well. Thanks again.
     
  11. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    599
    Location:
    UK
    MBAE 1.08 beta running fine here (using it in free mode) to protect Firefox.
    When might the next release come out? I want to activate my trial period then.
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
  13. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,983
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
  15. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    @Mister X, do you have Comodo installed by any chance? There's a known issue between Comodo and Chrome that is causing such an error.
     
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    No I don't. Fwiw, everything was fine with previous stable version: 1.07
    Btw it's not just with Chrome but any other shielded app.
     
  17. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Did it ever work with 1.08 or have you had this problem since first installing 1.08? Does a fresh re-install of 1.08 solve it?
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Yes it worked.
    Now a simplistic chronology of events:
    1. Upgraded to v1.08 from v1.07 the same day of release.
    2. No reboot and worked fine for n hours.
    3. Suddenly errors appeared.
    4. Uninstalled v1.08 and deleted the C:\ProgramData\Malwarebytes Anti-Exploit folder
    5. Restored file applications.dat from a backup.
    7. No reboot. Didn't work.
    8. Reboot the machine, it worked. Everything was just fine.
    9. One or two days of use and suddenly yesterday after a reboot the issue came again.
    10. MBAE 1.08 still running but protection permanently disabled for the moment.
    11. Haven't tested again, I see no point doing that.
     
  19. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Ok that's weird. Seems like it could be a hooking conflict, maybe with a custom shield (I see you have quite a few of them).

    Let's try the following:

    1- Stop the MBAE service
    2- Delete (or backup/move) the applications.dat file from C:\ProgramData\Malwarebytes Anti-Exploit
    3- Start the MBAE service
    4- Start the MBAE GUI (double-click on mbae.exe)

    Does the problem persist?
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    No it doesn't. But it needs further testing as this is an intermittent glitch. From what I see, you are suspicious of any of my shielded applications, no?
     
  21. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    I just want to discard potential conflicts. I see, for example, that you have custom shields for Chrome's crash handlers.
     
  22. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    I don't remember doing those explicitly. Perhaps the use of the MBAE template in Sandboxie shows those handlers in the log file?
    Anyway, if you agree, I'm going to use MBAE this way for, say, 4 days. If no issues then I will add all my shields back again.
     
    Last edited: Sep 8, 2015
  23. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    v1.0.8.1016
    (1) Works fine in Windows7 64bit. Including Kingsoft office files for which I added shields.
    (2) In XP - I had to add one shield for Outlook from MS Office 2003. It worked fine in previous versions. But in this version I just got an alert:
    "Protection against OS Security bypass
    Exploit ROP gadget attack blocked
    N/A
    N/A"
    Yikes, same alerts for Excel and Word. Are they full of exploits?? I won't rule out anything, but it makes me wonder.

    I didn't uninstall v1.0.7 before installing 1.0.8 and I didn't yet reboot. If things change after reboot, I'll be back.
    What is that ROP gadget thingie?
     
    Last edited: Sep 8, 2015
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Sounds good!

    It's an FP with the new ROP gadget detection technique. It seems to only happen under XP. We're investigating. In the meantime you can disable this technique:
    MBAE UI -> Settings -> Advanced settings -> OS Bypass Protection -> RET ROP Gadget detection -> Uncheck for Office -> Apply
     
  25. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,555
    Location:
    New York City
    Pedro,
    Chrome (v. 45) taking noticeably longer to initialize.
    MBAE 1.08.1.1016
    NOD32 AV 8
     