Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Cool, will install it on all my systems. Free version will do the trick for my needs.
     
  2. A forum which claims to inform on security should not post misleading information. Take your responsibility and moderate it by adding a mod comment and close the thread or better remove it.
     
  3. guest

    guest Guest

    thanks for you concern but no offense, we don't have to remove it however i put some comments; people can make mistakes, it was pinpointed very early, the dev replied, so even the test was flawed, the thread is still informative for Average Joe. (if the readers care to read further)
     
  4. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    guest, this MBAE "review" in question is not the only one that is done in a wrong way. :isay:
     
  5. guest

    guest Guest

    we are here to teach and learn, this member made some mistakes due to lack of experience about what the product does and with what it should react, not a reason to bash him ; when the various comments were made , i PM and ask about details of how he founds those "links" among other things and oriented him to a better path.

    people especially non-professionals have the right to do mistakes but bashing them without correcting them when we can, is even worse to me.

    i don't think people appreciate when their boss throws their works to the trash without telling why and how to correct it.
     
  6. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    You know you are "in charge" as you said of that section so I will not say anything how things can be improved. That is totally up to you.

    Personally, I would never test or review a product if don't know what it is i'm testing, or don't know how the product works. I would do proper research before getting started, and not just do a review for the sake of doing one, or because other members are doing one.
     
  7. guest

    guest Guest

    exactly what i put on the rules/guidelines and what i informed him about.
     
  8. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Clearly the "review rules" and/or guidelines needs to be stricter in that case.

    Rule nr1 "If a review/test is done wrongly resulting in an inaccurate and unfair product review it will be deleted without warning."

    Im sure that rule would have a positive effect on the MT reputation too.
     
  9. guest

    guest Guest

    for that i have to learn the product too , check the samples, in fact redo the test, so in practice it is impossible; it is why when i don't know/not used to the product, i rely on the others members/devs comments.
     
  10. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Ok you do as you like I rest my case. Unfortunately I get the impression that nothing will change a singel bit.
     
  11. 80% of the bookings came from the first availability display in the mainframe age (done by travel agents), 80% of the click throughs come from the first "search results" page in the internet age (done by us all).

    Assuming 80%/20% applies also on your forum, the "average Joe" won't read further and the thread will be mis-informative. So live by your rules and take your responsibility.
     
    Last edited by a moderator: Jul 21, 2014
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,557
    Location:
    The Netherlands
  13. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Does not really matter as those are canned tests to validate specific mitigations. It would be trivial to do the same thing for testing specific MBAE protections that bypass HMP.Alert. What matters is that attacks ITW, even those utilizing various ROP techniques, are stopped by MBAE. Just for good measure we are adding various ROP protections as well as performing additional tests by independent labs.
     
  14. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    882
    Location:
    Virginia, USA
    I was wondering how that would be responded to..

    And that's a pretty good, fair, and understandable response.
     
  15. Security software against exploits has the disadvantage that it can't be tested by the people buying/using them.

    MBAE choose to show (on their site and through a related business partner) that it blocks existing malware.

    The running test and test of their business partner showed that the software logic used is sufficient to stop existing exploits somewhere in the intrusion chain of events. MBAE does not guard all events, for compatibility, performance and ease of use reasons they choose to guard those events that really define the stages of a staged intrusion. To develop a new intrusion which evades the MBAE roadblocks will take a lot of time, knowledge, effort and money. So the chances of a new intrusion which can be applied in a controlled setting and predictable outcome are low.

    Here comes a competitor (product A) which provides us with a test. The test only shows that product A gaurds some more events than product B. On the other hand product B dis not reveal which events they guarded, so product B might also gaurd events which product A does not. As long there is no existing exploit provided with the synthetic test of product A, it only shows that it (surprisingly) passes its own test.

    It starts to become a bit of a dilemma when two software companies who I regard as highly professional (in terms of knowledge and products provided) face each other on a overlapping market segement. When one of those two decided to apply aggressive marketing tactics, it starts to get fuzzy. So a compliment for the fair and understandable response of MBAE to nagging (but valid) questions.
     
  16. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I prefer the approach of "product A" personally. And I stand by the comment I made way back when this was a one man show, and not in the hands of MB... that it is the most promising looking security product to come out since Sandboxie.

    Now that I see ROP protections are being added I will wait a bit longer, until the guts are all in place and it's just a matter of ironing things out until I try it out myself. I want to get a fair assessment of things when it's truly ready to roll, and not a premature, misinformed one.

    As for the compatibility, I think mostly they wanted it to be able to co-exist with EMET. I'm sure concessions had to be made in regards to protection for this to be a reality. Running both, once MBAE is perfected should be a very formidable combination. Since I am on XP and unable to utilize ASLR & SEHOP, MBAE obviously is more ideal for me, being able to block similar exploits using dissimilar methods. Even cooler would be to be able to use a completed Open EMET along-side MBAE, and use some of the app. specific mitigations in the former along with MBAE, without the added attack surface of .NET FW. That's a day I'm looking forward to...
     
  17. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,971
    Location:
    Poland - Cracow
    I could agree...and disagree :)
    Agree...Im not such expert as you are but I think that in fact testing anti-exploit eficiency might be not easy.
    Disagree...because test-files which we can easy get from developer's pages are mentioned as not for only advanced users...it means that each one user can do the test by yourself. So average and less-average users try to test how strong is new anti-exploit security on their systems...if the test is failed they are perhaps a bit surprised and frustrated...exactly as me when I tested MBAE Exploit Test.
    While testing in "Normal" mode I got calculator what was proper action...when in "exploit" mode I received an alert that MBAE has stopped working but 2 processes of MBAE are still working (checked in ProcessExplorer).
    I was more surprised when I changed the name of MBAE test (you mentioned about it earlier)...I called it "something.exe" and run it. "Normal" - everything OK..."Exploit"...and I got calculator...and nothing more...no other action...alert...window...and my system (Vista) started to show strange bahaviour - I couldn't move (drug'n'drop) anything on my desktop.
    What I..or another "not an expert" user should think...it's normal?...it's a bug?...anti-exploit aplication is effective?
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    I think you might have misunderstood the objective of exploit-testers provided by vendors. On the one hand they are just to make sure that the installation and specific mitigations are running and working correctly. On the other hand if you rename the exploit tester to "something.exe" which the anti-exploit is not previously configured to protect, it clearly won't be protected when you run it. You can either add custom shield for "something.exe" or rename it to something which it is configured to protect, like iexplore.exe, firefox.exe, etc.
     
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,348
    Location:
    Hawaii
    I am a user/fan of MBAE *despite* its being engorged by MalwareBytes -- a company with which I now have zero confidence.
     
  20. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,051
    Location:
    United Surveillance States
    That's surprising to hear. Care to share why your confidence has been rattled?
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,557
    Location:
    The Netherlands
    OK thanks for the reply, sounds good to me. I´m still trying to decide if I´m going to use MBAE or HMP.A on my new machine, it would be cool if I could use them both, MBAE for blocking exploits and HMP.A for the other stuff. :)
     
  22. Novastar 3d

    Novastar 3d Registered Member

    Joined:
    May 3, 2009
    Posts:
    65
  23. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes that's a known issue. You can use the Exclude button as shown in your screenshot.
     
  24. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,966
    I just added my first custom shield for a new browser, that I installed for the first time the other day.

    So easy...:cool::)

    ScreenShot_MBAE_Custom shield added_01.gif ScreenShot_MBAE_Custom shield added_02.gif
     
  25. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,614
    Location:
    DC Metro Area
    Are there any known conflicts between NIS 2015 and Anti Exploit other than the Ant-Exploit Icon no longer staying in the task bar tray? With the latest FF 31?
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.