Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. reyes

    reyes Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    48
    Location:
    INDIA
    Updated the template but still no luck with palemoon and cyberfox 64 bit
     
  2. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I just installed and tested. For some reason I am seeing similar results. 32 bit palemoon works with exp build and sandboxie 4.14....but the x64 version of palemoon isn't getting it injected. I even tried notepad (64) in sandboxie and guarded with mbae~no luck. A great step in the right direction for sure but not quite there just yet. /cry

    Tested on Windows 7 x64 VM and checked with Sandboxies Resource Access Monitor and Procexp
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Are you able to get other 32bit browsers working within sandboxie 4.x (IE, Firefox, Chrome)?
     
  4. reyes

    reyes Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    48
    Location:
    INDIA
    For me both Firefox and IE worked with SBIE 4.14.... not using chrome now.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    @ ZeroVulnLabs

    I noticed that it's the first time you mentioned some techniques that are being used by MBAE, so will you perhaps release a more complete list of all mitigations used? Of course without any details, so that hackers will not become any wiser. Sort of like EMET has done but without the implementation details.
     
  6. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I can confirm 32 bit chrome (an older version I had on drive) IE & firefox were injected fine. In fact I have seen no issues with any 32 bit apps yet, just 64 bit ones.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    Are there any known compatible issues with MBAE with NOD 32 8? Eset said they made enhancements to their exploit blocker so i'm wondering if there still compatible. So far it seems MBAE is the best option for me since I have to disable too many mitigation methods with EMET for it to be compatible with the applications it is meant to protect, and HMPA interferes with my privacy VPN service.
     
    Last edited: Nov 7, 2014
  8. fs2com

    fs2com Registered Member

    Joined:
    Sep 20, 2014
    Posts:
    118
    I'm using MBAE and Eset v8... so far no problem even with MBAE v1.04... never encountered a problem...
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    Ok, thank You. I'm using Windows 7X64 Ultimate. I'm going to make a backup of my machine, and then install the free version. I will report back if I encounter any problems.
     
  10. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    MBAE 1.05.3.1010 running with NOD32 8.0.304.1 on Win7 Ult. (64) on a laptop without issues so far.
     
  11. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    Added HMPA 3.0.15 (build 92 CTP4) :)
     
  12. fs2com

    fs2com Registered Member

    Joined:
    Sep 20, 2014
    Posts:
    118
    Yes I use Win 7 x64 aswell
     
  13. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    We haven't tested this yet, but MBAE 1.05 might also solve the compatibility problems with Hitmanpro.Alert3.
     
  14. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    771
    Have it running alongside HMP.A 3.0.15 bld 92 CTP4 on Windows 7 Pro x64 with no apparent conflicts so far.
    All we need now is compatibility with Sandboxie and there will be several happy bunnies on Wilders :D
     
  15. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    771
    Follow up:
    Just tried running the mbae-test and it only works if HMP.A is disabled. With HMP.A running the calculator shows.
    See attached picture showing HMP.A protecting the test file. I assume that mbae doesn't actually see the test file to block it ?
     

    Attached Files:

  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    @ ZeroVulnLabs

    I have a question about this:

    --------------------------
    "As an example of Layer3, we've added a mitigation for the much talked-about recent PowerPoint zero-day vulnerabilities CVE-2014-4114 and CVE-2014-6352. After some testing we saw that the mitigation suggested by Microsoft for EMET could cause system instabilities and conflicts with third-party applications. We have therefore designed a much more stable mitigation for these type of vulnerabilities."
    --------------------------

    What exactly do you mean with this, was this type of "zero day" able to bypass layer 1 and 2 protection offered by MBAE?
     
  17. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    It seems that some here have already made MBAE 1.05 work within Sandboxie for 32bit applications. Check posts on page 46 for details. As for the mbae-test utility, it does get blocked here with MBAE only. Not sure why it would run the calc with HMPA running.

    The two PowerPoint zero-days bypassed all, EMET, MBAE and HMPA included, because it was not really an exploit in the strict sense of the word. Rather it is an "application design abuse exploit" and there are no memory corruptions, etc. involved, so no memory mitigations can detect or block it. This is the perfect example of why having an "application behavior" Layer3 protection is useful to block these types of non-memory exploits, sandbox escapes and memory mitigation bypasses.
     
  18. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Approximately, when is 1.05 scheduled for release?
     
  19. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Depends on feedback with Experimental and QA testing, probably no less than 2-3 weeks.
     
  20. javagreen

    javagreen Registered Member

    Joined:
    May 2, 2005
    Posts:
    96
    Is MBAE fully compatible with Trend Micro Internet Security, or does any functionality clash/overlap? This is a Windows 8.1 Lenovo laptop, fully patched and running the Trend Micro suite in 'Hypersensitive' mode with all shields activated. A lot of banking and other important personal work related activities are done on this laptop.

    MBAE will make for a great addon to the security arsenal, yes? I don't plan on adding anything else, just TMIS and MBAE.
     
  21. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    There's no conflicts as far as we know. In fact I think MBAE makes a very good complement of TMIS.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,825
    Location:
    The Netherlands
    OK thanks I understand it better now, I will do some reading. :)
     
  23. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    419
    Location:
    Australia
    Currently running well with appguard and EIS.
    @ZeroVulnLabs
    Does this mean it is already inside/ included in 1.05.3.1010 ?

    thanks,
    feandur
     
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, it is included in 1.05.
     
  25. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    419
    Location:
    Australia
    Yeah !
    thanks ZeroVulnLabs
    :)

    feandur
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.