Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Can you replicate the issue and send me the files from your MBAE data directory?

    AFAIK it is already compatible with both SBIE and HMPA.
     
  2. TomAZ

    TomAZ Registered Member

    By "already" do you mean 1.04 or 1.05 experimental?
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    1.05 experimental.
     
  4. J_L

    J_L Registered Member

    Yes, I can replicate the issue; my Java programs still don't start. Javaw.exe opens, then terminates. Do you mean the ProgramData folder? Sure, I can PM that.
     
  5. TomAZ

    TomAZ Registered Member

    @ZeroVulnLabs. . .

    You may very well have seen this recent post in another Wilders thread. I don't really understand all of it, but I would love to have your comments and reaction. And as an MBAE Premium user, I'd like to know how I would go about configuring MBAE to stop this type of attack. Thanks.
     
  6. J_L

    J_L Registered Member

    It was incompatibility with EMET 5.1. Removed java/w/s.exe from EMET and now my programs work fine.
     
  7. reyes

    reyes Registered Member

    Had an interesting observation today.
    Sandboxie latest beta: 4.15.4 64-bit
    MBAE: 1.05 experimental
    I tried to create a shield for Pale Moon 64-bit while it was running in Sandboxie, and continued to use it. To my surprise, it was shielded by MBAE. After I closed Pale Moon and reopened it, MBAE was not shielding it. I continued this experiment with Cyberfox with the same result. MBAE shields a 64-bit browser only if the shield is created while the browser is already running inside SBIE... But as of now it will not shield once you close the browser and reopen it.
    http://s23.postimg.org/rr83qg3jv/Capture.png
    http://s30.postimg.org/5o7jwdcy9/Untitled.png
     
  8. reyes

    reyes Registered Member

  9. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    From what I read this was not an exploit, just running some malware EXE. Exploit mitigations/anti-exploit are not designed to detect and block malware EXEs. For that you still need anti-virus and anti-malware products. In the case of HitmanPro, it includes an anti-malware component, so that might be why it detected this specific malware binary. In the case of EMET I'm not sure why it blocked it, but it is likely because it is typical for some malware families to be runtime packed, and the packer performs some type of memory tricks and obfuscation to prevent revealing its true form in memory. This type of detection from HMPA/EMET/MBAE can happen on malware and goodware alike that use these types of runtime packing techniques. However, relying on exploit mitigations to detect and stop malware binaries is NOT recommended and should not be recommended by any vendor. Other examples of exploit mitigations firing off on non-malicious runtime packed software include Spotify, Windows Media Player, PowerDVD (example below) and others.

    We saw this same behavior during development of MBAE 1.05. The same thing happens when starting MBAE protection while a program is running within Sandboxie. The program will be protected by MBAE if the protection is started after Sandboxie has executed the program.

    As mentioned in the answer to TomAZ's question, some applications use advanced runtime packing which uses obfuscation and evasion techniques that perform memory manipulation and these behaviors might be detected by exploit mitigations. For example we saw a similar thing happen with the main Spotify executable (even though you can still shield the Spotify sub-processes which are really the ones browsing the web) as well as certain piracy-oriented codecs/add-ons for Windows Media Player. In the case of PowerDVD we haven't tried that yet but most likely it is due to the same issue. Try using the "other" profile instead to see if that makes a difference.
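    The post above describes why runtime packers trip exploit mitigations: the packer writes code into memory and then executes it, which is the same memory behaviour an exploit shows, and packed goodware looks exactly like packed malware at that layer. The following is an added example written for this page, not MBAE, EMET or HMPA code, and it does not reproduce how any of those products decide to block. It is a small static check that walks the section table of a PE file and flags the two artefacts a packer typically leaves behind: a section that is both writable and executable (the unpack target) and an executable section whose bytes are high-entropy (compressed or encrypted code). The sample PE is constructed in the script (a non-loadable header plus two sections; the "UPX1" name, the 7.0-bit entropy threshold and the use of random bytes to stand in for compressed code are all assumptions for illustration).

```python
"""Static packer indicators in a PE image (added example, not MBAE code)."""
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Minimal section-table walk: DOS header -> 'PE\\0\\0' -> COFF header -> sections."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                # 20-byte COFF header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                                    # 40-byte section header
        name, _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        (chars,) = struct.unpack_from("<I", pe, off + 36)       # Characteristics
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr,
            "chars": chars,
            "entropy": shannon_entropy(data),
        })
    return sections


def packer_indicators(pe: bytes, entropy_threshold: float = 7.0) -> list:
    """Return [(section_name, [reasons])] for sections that look packer-made.

    Both indicators fire on packed goodware as readily as on packed malware,
    which is exactly why they cannot be used as a malware verdict on their own.
    """
    findings = []
    for s in parse_sections(pe):
        reasons = []
        executable = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
        writable = bool(s["chars"] & IMAGE_SCN_MEM_WRITE)
        if executable and writable:
            reasons.append("writable+executable")
        if executable and s["entropy"] >= entropy_threshold:
            reasons.append("high-entropy executable")
        if reasons:
            findings.append((s["name"], reasons))
    return findings


def build_sample_pe(sections) -> bytes:
    """Constructed, non-loadable PE: just enough header for parse_sections()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    # Machine=i386, NumberOfSections, 3 zero dwords, SizeOfOptionalHeader=0, flags
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_base = 0x40 + 4 + len(coff) + 40 * len(sections)
    headers, body = bytearray(), bytearray()
    for i, (name, data, chars) in enumerate(sections):
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                               0x1000 * (i + 1), len(data), raw_base + len(body),
                               0, 0, 0, 0, chars)
        body += data
    return bytes(dos) + b"PE\0\0" + coff + bytes(headers) + bytes(body)


# Constructed section contents: a plain code section and a UPX-style packed
# section where deterministic random bytes stand in for compressed code.
_rng = random.Random(2013)
SAMPLE_SECTIONS = [
    (b".text", b"\x55\x8b\xec\x90\xc3" * 200, 0x60000020),                      # CODE|EXECUTE|READ
    (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)), 0xE0000040),    # DATA|EXECUTE|READ|WRITE
]


def demo() -> list:
    return packer_indicators(build_sample_pe(SAMPLE_SECTIONS))


if __name__ == "__main__":
    for name, reasons in demo():
        print(f"{name}: {', '.join(reasons)}")
```

    Run against a real file with `packer_indicators(open("some.exe", "rb").read())`. The useful lesson is the one the post makes: the output cannot distinguish a packed Spotify build from a packed trojan, so treat a hit as "inspect further", not as a verdict.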
     
  10. TomAZ

    TomAZ Registered Member

    Pedro,

    It appears that when you do a "manual" upgrade/install with MBAE Premium, any user added Shields are not retained. Is that correct?
     
  11. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Only in the case that the format of our configuration files changes. This shouldn't happen very often, but it will happen between 1.04 and 1.05.
     
  12. mantra

    mantra Registered Member

    Hi,
    but if the browser (in my case) is kept always updated, with some extensions, is it really necessary to install it?

    by the way i really love Anti-Malware Premium
     
  13. J_L

    J_L Registered Member

    Not strictly necessary, but you never know what you're going to experience on the Internet.
     
  14. vojta

    vojta Registered Member

    Yes, when I read that thread I was a bit perplexed, that was clearly a trojan. But I was not in the mood to argue with a global moderator.
     
  15. vojta

    vojta Registered Member

    You need to check if your plugins are always updated too: Flash, Adobe Reader, Java, Silverlight, etc.
     
  16. Peter2150

    Peter2150 Global Moderator

    When I post about software, I am not posting as mod and if you disagree with something have at.
     
  17. Sampei Nihira

    Sampei Nihira Registered Member

    Hi Pedro.
    When will the stable version 1.05 be released?
    TH.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    It would be a cool feature if MBAE showed the path, and the payload being blocked when applicable. If it already has this feature then disregard. I have not had MBAE block anything yet.
     
  19. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Soon, very soon.

    Depending on which layer and technique does the blocking it shows different types of information. In some cases it will show the path, the payload and the URL where the exploit payload came from. This information is saved in the mbae-alert.log in the MBAE data directory. Also as of 1.05 it will move the payload to a Quarantine subdirectory of the MBAE data directory, renamed to md5.mbae.
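    The post above says that as of 1.05 a blocked payload is moved into a Quarantine subdirectory of the MBAE data directory and renamed to md5.mbae. The script below is an added example for this page, not MBAE code, and it assumes that "md5" is the lowercase hex MD5 digest of the quarantined file's own contents (the post does not spell this out). On that assumption every quarantine file is self-describing: recomputing the digest tells you whether the file was tampered with or truncated after being quarantined, and the hash is what you would paste into a reputation service or search for in your logs. The sample directory is constructed in a temp folder with placeholder bytes, not a real payload.

```python
"""Integrity check over an MBAE-style quarantine folder (added example, not MBAE code)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed naming convention: <32 hex MD5 chars>.mbae
_HEX_MD5 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_quarantine(quarantine_dir) -> dict:
    """Map each *.mbae file name to 'ok', 'hash mismatch' or 'unexpected name'."""
    results = {}
    for path in sorted(Path(quarantine_dir).glob("*.mbae")):
        if not _HEX_MD5.match(path.stem):
            results[path.name] = "unexpected name"
            continue
        actual = md5_hex(path.read_bytes())
        results[path.name] = "ok" if actual == path.stem.lower() else "hash mismatch"
    return results


def make_sample_quarantine() -> Path:
    """Constructed directory: one consistent file, one whose bytes no longer
    match its name, and one stray file that does not follow the convention."""
    d = Path(tempfile.mkdtemp(prefix="mbae-quarantine-"))
    payload = b"constructed sample bytes standing in for a quarantined payload"
    (d / f"{md5_hex(payload)}.mbae").write_bytes(payload)
    (d / ("0" * 32 + ".mbae")).write_bytes(b"contents changed after quarantine")
    (d / "readme.mbae").write_bytes(b"not a quarantined file")
    return d


if __name__ == "__main__":
    for name, status in verify_quarantine(make_sample_quarantine()).items():
        print(f"{name}: {status}")
```

    Point `verify_quarantine()` at the real Quarantine subdirectory to audit it; a "hash mismatch" means the file on disk is no longer the bytes that were quarantined, and an "unexpected name" means something other than MBAE wrote into the folder.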
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    I've been using experimental build 1.05.3.1011 with several custom shields now for 4 days without any problems. Looks like the next stable release will be coming soon.
     
  21. LagerX

    LagerX Registered Member

    Same here :) Running with flying colours :)
     
  22. TomAZ

    TomAZ Registered Member

    +1 on Win XP
     
  23. siketa

    siketa Registered Member

    +1 on Win7 x64 :)
     
  24. vojta

    vojta Registered Member

    I know, I know. I simply wasn't in the mood, as I said.
     
  25. anon

    anon Registered Member
