Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Thanks.

When I run a browser in Sandboxie, MBAE doesn't show it protected. Why?
     
  2. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    I'm not the expert here, but as I recall, MBAE is not compatible with Sandboxie.
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Thanks
     
  5. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    As Willpower and others have said, the current version doesn't feel like a beta at all. For me MBAE is the most stable security program that I have currently installed.
     
  6. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,348
    Location:
    USA
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
I will PM you about the GUI (a few things bother me), don't worry it's minor. :)

    And can you give a bit more info about payloads that are file-less, I still don't understand it completely.

    1 How can they bypass anti-exe tools, and how can they cause any damage?
    2 How do EMET and MBAE protect against this?
    3 Do you think that HIPS are able to stop malicious behavior from a reverse shell running in browser memory for example?

Edit: It's my 2500th post. :D
     
  8. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    @Overkill, I can't talk about sbie's capabilities. I recall there was a discussion some time ago about sbie vs exploits but you'll have to search for it yourself or contact sbie's new owner.

@Rasheed187, the exploit payload may do a download+exec of a PE file from the Internet (i.e. malware exe) as is typical in most Exploit Kits, but there are other things that can be done such as for example open a reverse shell to the attacker. If you recall the FBI exploit of the Tor Firefox Bundle did not involve a download and execution of an EXE, it simply sent back to them your IP/MAC and other info in a packet. You might want to read up on Metasploit, meterpreter, ReflectiveDLL, etc. There are a few ebooks out there that explain this very well.
     
  9. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,348
    Location:
    USA
OT: Weren't you with Panda, pbust?
     
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes I was, for about 16 years ;)
     
  11. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,871
    Location:
    New York City
    @ZeroVulnLabs,
    Any plans on providing information about the specific exploit that is blocked rather than a generic
    message "An exploit code has been blocked .."?
    Thank you.
     
  12. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    There's a bit more information in the mbae-alert.log file.
     
  13. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,348
    Location:
    USA
    I thought so
     
  14. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
What about the possibility of adding "PDF X-Change Viewer" to the current list of Shields?
     
  15. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    In the next version you'll have the ability to add custom shields.
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,123
    Location:
    Hawaii
    :-* :thumb:
     
17. There are a lot of file formats which contain code or script. When you open a webpage or a PDF document, Word document or media file, the anti-executable does not stop that, since it allows your browser, PDF reader, media player, et cetera to run, which is interpreting these little pieces of embedded code (also called code snippets).

First stage of intrusion is when these little pieces of code can break through "normal" in-memory processing (exploit a bug or fault in the program interpreting this code or the OS it is running on), the exploit

The malware can start its second stage, downloading a piece of obfuscated program.

Because malware writers often have little space for (in-memory) code execution, executing the dropped code is often a complex staged intrusion, where the little bits of malware code executed in (unprotected) memory are called stagers. After this code has done its job, the malware often has the highest rights and is able to evade security mechanisms of the OS and third-party software.

    Last stage is to survive reboot. The last stage is sometimes also broken down in steps to evade FW/HIPS like security programs.

EMET tries to prevent the first stage. MBAE tries to prevent stages 1 and 2 and possibly also stage 3 (EMET relies on DEP and ASLR for that).

Most sandboxes, AEs and HIPS don't have heap/stack/buffer overflow protection mechanisms. So they don't stop the first stage. This does not mean that sandboxes, Anti-Executable or HIPS security software are useless against exploits; it often increases the complexity and thresholds, hence the predictability, for malware to execute in these little in-memory holes (or piggybacking on other software). An AE using hashes will stop a changed calc.exe (often used by malware to launch undiscovered after changing the code of calc.exe). Most HIPSes decrease the number of mechanisms which can be used to freely access/change other code (memory protection, DLL injection, triggering other programs with messaging, for example, etc.).
     
    Last edited by a moderator: Jun 9, 2014
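The post above notes that EMET relies on DEP and ASLR. Whether those two mitigations can actually protect a given program depends in part on whether its binaries were built to opt in to them, which is recorded in the PE optional header's DllCharacteristics field (IMAGE_DLLCHARACTERISTICS_NX_COMPAT for DEP, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE for ASLR). The following is an added example, not code from this thread, from Malwarebytes or from Microsoft: a small header parser a defender can run over an application's EXE/DLL files to list which mitigation opt-ins each image declares. The `build_sample_header` helper fabricates a minimal, non-executable header purely as constructed test input. The checker only reads build-time flags; it does not tell you what the OS, EMET or MBAE enforce at runtime.

```python
import struct
import sys

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigation_flags(data):
    """Parse the DOS/PE headers in `data` and report the mitigation opt-ins
    the image declares. Raises ValueError on a malformed or truncated header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need: PE signature (4) + COFF header (20) + optional header up to DllCharacteristics (72).
    if e_lfanew + 4 + 20 + 72 > len(data):
        raise ValueError("e_lfanew points outside the buffer")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dllchars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "no_seh": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
        "cfg": bool(dllchars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def missing_mitigations(data, required=("dep", "aslr")):
    """Return the names from `required` that the image does not opt in to."""
    flags = pe_mitigation_flags(data)
    return tuple(name for name in required if not flags[name])


def build_sample_header(dll_characteristics, pe32plus=False):
    """Constructed test data: a minimal PE header (no sections, no code) carrying
    the given DllCharacteristics value. Not a real or runnable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header right after DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,    # Machine: AMD64 or I386
                       0, 0, 0, 0,                       # sections, timestamp, symtab ptr, nsyms
                       opt_size,                         # SizeOfOptionalHeader
                       0x0002)                           # Characteristics: EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_mitigations.py app.exe plugin.dll ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            head = fh.read(4096)
        try:
            flags = pe_mitigation_flags(head)
        except ValueError as exc:
            print(f"{path}: skipped ({exc})")
            continue
        lacking = missing_mitigations(head)
        status = "OK" if not lacking else "missing " + ", ".join(lacking)
        print(f"{path}: {status}  {flags}")
```

Reading only the first 4 KiB is enough for the headers of any normally laid-out image; a binary that reports "missing dep, aslr" is one whose protection depends entirely on system-wide policy (or a tool such as EMET or MBAE forcing the mitigation on), which is the practical reason those tools exist.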
  18. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,123
    Location:
    Hawaii
    I'm presently using MalwareDefender. Do you remember whether or not it has heap/stack/bufferoverflow protection?
     
  19. No but it covers ALL (MOST) attack vectors on XP, would not hurt to use MBAE

    Regards Kees
     
  20. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    What's the approximate anticipated release date of the next version?
     
  21. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
  22. Magic Missile

    Magic Missile Registered Member

    Joined:
    Sep 20, 2013
    Posts:
    20
    According to MB's forums, EMET and MBAE are currently incompatible. I've opted to roll with MBAE for the time being, but I'm interested in the thoughts of others. Even if MBAE ultimately becomes compatible with EMET, would there be any benefit to running both?
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
The problem is that the developers of MBAE haven't publicized information about the precise protection methods that are being used. So I can't say if EMET covers more than MBAE. But there is a benefit of using MBAE, if EMET gets bypassed, MBAE may still be able to catch it with the anti-exe feature.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
Yes I've read about it, but I guess I will really need to see it in action, to understand the details about this method.
    I never really understood how code injection (without needing to start another process) could be enough to perform malicious actions. But basically, if I understood it correctly, you're using the capabilities of the infected process.
     
    Last edited: Jun 10, 2014
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Thanks for the feedback. :thumb:

Yes, of course, EMET and MBAE will terminate the app if memory exploitation is detected, and that's why the reverse shell can't be started. So anti-exe isn't enough I guess? And now that I think of it, even if a process gets exploited, it's still limited by its privileges, so in a way HIPS will limit the process so that it can't perform malicious actions. At least in theory. It's a shame that nobody is testing this kind of stuff.
     