Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.
Did you see my post #1342?
- Is it possible to add some parameter to mbae.exe to show the GUI immediately when it's started?
- Any known conflicts between MBAE and EMET(latest 5.1)? On my system I had to disable SimExecFlow cause of MBAE
You do not need both. Most users just need their browser protected. I do not use any office products or Java. Therefore the free version of MBAE works just fine. If you want more features buy the premium. If however you do not want to buy it then use Emet alone. Using 2 anti exploits is like using 2 antiviruses.
I have a Shield on WSA with MBAE. Do you think this is good or bad to do?
That is absurd. It would be a good idea to understand what an anti exploit does if you are going to use it. Antiviruses are not things which are exploited. Just Google exploit attacks. Browsers, Java and Microsoft Office are the most commonly exploited software. Do you honestly think WSA is going to be exploited, or any other AV for that matter? Why are you so paranoid?
Here is a list of common programs requiring protection, and their location on system disk (C:) in 32-bit Windows XP, Vista, 7, 8 and 8.1:
Adobe Flash Player - Flash Player runs inside a web browser. Just add Internet Explorer, Google Chrome, Mozilla Firefox or other web browser as described above.
Adobe Reader - Program Files\Adobe\Reader <version number>\Reader\AcroRd32.exe
Adobe Shockwave Player - Windows\System32\Adobe\Shockwave <version number>\Swinit.exe and SwHelper_<version number>.exe
Apple iTunes - Program Files\iTunes\iTunes.exe
Apple QuickTime Player - Program Files\QuickTime\QuickTimePlayer.exe
Apple Safari - Program Files\Safari\Safari.exe
NB! Disable Mandatory ASLR, EAF and DEP if Safari crashes.
Foxit Reader - Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe
Google Chrome - on Windows XP: Documents and Settings\<your user name>\Application Data\Google\Chrome\Application\chrome.exe;
on Windows Vista, 7, 8 or 8.1: Users\<your user name>\AppData\Local\Google\Chrome\Application\chrome.exe.
Alternative location for administrative/corporate install is Program Files\Google\Chrome\Application\chrome.exe.
NB! If Shockwave Flash (aka Flash Player/Pepper Flash) does not load in Google Chrome, disable SEHOP mitigation. Depending on installed extensions, you might also have to turn off DEP and Caller mitigations for Chrome.
Do not use wildcards for adding Google Chrome to EMET.
Microsoft Access - Program Files\Microsoft Office\Office<version number>\MSACCESS.EXE
Microsoft Excel - Program Files\Microsoft Office\Office<version number>\EXCEL.EXE
Microsoft Internet Explorer - Program Files\Internet Explorer\iexplore.exe
NB! Disable Mandatory ASLR, EAF and DEP if IE crashes.
Microsoft Outlook - Program Files\Microsoft Office\Office<version number>\OUTLOOK.EXE
Microsoft Outlook Express - Program Files\Outlook Express\msimn.exe
Microsoft Powerpoint - Program Files\Microsoft Office\Office<version number>\POWERPNT.EXE
Microsoft Word - Program Files\Microsoft Office\Office<version number>\WINWORD.EXE
Mozilla Firefox - Program Files\Mozilla Firefox\firefox.exe and plugin-container.exe
NB! Disable Mandatory ASLR, EAF and DEP if Firefox crashes.
Mozilla Thunderbird - Program Files\Mozilla Thunderbird\thunderbird.exe and plugin-container.exe
Opera - Program Files\Opera\opera.exe or Program Files\Opera\<version number>\opera.exe
NB! Disable Mandatory ASLR, EAF and DEP if your browser crashes.
Oracle (Sun) Java - Program Files\Java\jre<version number>\bin\java.exe, javaw.exe and javaws.exe; plus Windows\System32\java.exe
NB! Turn off HeapSpray mitigation for Java.
Skype - Program Files\Skype\Phone\Skype.exe and Program Files\Skype\Plugin Manager\skypePM.exe
NB! Disable EAF mitigation for Skype.
WinAmp - Program Files\Winamp\winamp.exe
Windows Live Mail - Program Files\Windows Live\Mail\wlmail.exe
Windows Live Messenger - Program Files\Windows Live\Messenger\msnmsgr.exe
Windows Media Player - Program Files\Windows Media Player\wmplayer.exe
NB! Disable Mandatory ASLR and EAF mitigations for Media Player.
VLC Media Player - Program Files\VideoLAN\VLC\vlc.exe
For 64-bit Windows Vista, 7, 8 or 8.1, some programs might need Program Files replaced with Program Files (x86) and System32 with SysWOW64.
Several programs (for example, Internet Explorer, Java and Windows Media Player) can have both 32- and 64-bit versions installed; check both Program Files and Program Files (x86).
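As an added example, not code from the thread: a PowerShell script that resolves the paths listed above on a 64-bit system, checking both Program Files trees (and the per-user Chrome location), and reads each file's PE header to report whether the binary is 32- or 64-bit, which is the information you need before deciding which EMET entries to create. The relative paths below are a constructed subset of the post's list; `<version number>` is matched with a wildcard while locating files only, and the resolved full path (no wildcard) is what would be entered in EMET.

```powershell
# Added example: locate the listed executables and report their bitness.
# The relative paths are a constructed subset of the post's list; '*' stands in
# for <version number> during lookup only.
$relativePaths = @(
    'Adobe\Reader *\Reader\AcroRd32.exe',
    'Internet Explorer\iexplore.exe',
    'Mozilla Firefox\firefox.exe',
    'Mozilla Firefox\plugin-container.exe',
    'Java\jre*\bin\javaw.exe',
    'Microsoft Office\Office*\WINWORD.EXE',
    'Windows Media Player\wmplayer.exe',
    'Google\Chrome\Application\chrome.exe'
)

function Get-PeMachine {
    param([string]$Path)
    # DOS header: e_lfanew at offset 0x3C points to the "PE\0\0" signature;
    # the COFF Machine field is the WORD 4 bytes past that signature.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40) { return 'unknown' }
    $peOffset = [System.BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -le 0 -or ($peOffset + 6) -gt $bytes.Length) { return 'unknown' }
    # Check the signature before trusting the offset from an arbitrary file.
    if ($bytes[$peOffset] -ne 0x50 -or $bytes[$peOffset + 1] -ne 0x45) { return 'unknown' }
    $machine = [System.BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x014c  { '32-bit (x86)' }
        0x8664  { '64-bit (x64)' }
        default { 'machine 0x{0:X4}' -f $machine }
    }
}

# Both Program Files trees on 64-bit Windows, plus the per-user location Chrome
# uses (Users\<your user name>\AppData\Local). Empty values are dropped on 32-bit.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) |
    Where-Object { $_ }

foreach ($rel in $relativePaths) {
    foreach ($root in $roots) {
        # Resolve-Path expands the wildcard standing in for the version number.
        Resolve-Path (Join-Path $root $rel) -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Path = $_.Path; Bitness = Get-PeMachine $_.Path }
            }
    }
}
```

A program that shows up once under each root with different bitness is one of the cases the post describes, where both the 32- and 64-bit binaries need their own entry.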
Notice there is not one antivirus listed. The only thing in that list I use is Chrome and Foxit.
Do you think that Tom Brady and Big Poppy have a shield on WSA?
Try "mbae.exe /open"
Can an anti exploit replace Sandboxie? It seems to protect the same area ...
Completely and totally different software. An anti exploit protects outdated software security holes before it can be patched. Or a hacker making a code to exploit a particular browser. Sandboxie completely virtualizes software such as a browser. Any changes to your browser will be undone once the sandbox is emptied. An anti exploit does not virtualize your browser. Anti exploits are good for those who do not keep their software up to date.
Why do so many people use security products they know nothing about? Cause other members use it?
Right from Malwarebytes.org
"Malwarebytes Anti-Exploit Premium protects you from zero-day exploits targeting browser and application vulnerabilities. Its proprietary technology guards you in that critical period between the release of a new exploit and its security patch. And, unlike antivirus products, Malwarebytes Anti-Exploit Premium proactively prevents the exploit from installing its payload. Before it can do damage."
Actually, I did. However, a bit too complicated for my taste. I just wish Pedro would address this 32bit issue in the next release so this whole thing could be simplified for 32bit users.
But thanks for sharing this anyway -- and for pointing it out again.
I'm not sure what to think about that and I'd prefer more input and comments. Excuse me for taking EMET as an example here but that's a good way to describe conflicts:
Many AVs have exploit blocking functionality and many EMET users are forced to disable mitigations(without knowing why) that should work with standard apps. They think something is wrong with their system or EMET when it's most likely a conflict between EMET and their AV or another security app. They solve them by disabling the conflicting mitigations in EMET, which means they still have 2 products with anti-exploit functionality running. Are you saying that's a bad setup, even after solving the conflicts?
I used to do it that way too but now I've excluded these apps from DLL injection by my AV which means I can have all mitigations enabled in EMET. So no conflict there anyway.
Under Firefox and Firefox-based browsers like the older versions of Opera, FlashPlayer runs as a separate sub-process of the browser and must be protected by EMET. In the case of MBAE it is protected automatically. Same applies to plugin-container.exe and opera_plugin_wrapper.exe.
While they act in different stages and work differently, the claim "they protect the same area" is not necessarily wrong.
Both of them serve against the most common and dangerous exploit, i.e. RCE.
Both of them don't cover other types of threat such as XSS or phishing; that is the job of other products or so.
Still there are some areas which only one of the pair covers, but please understand that for common people, what matters is NOT how they work but what threats they protect from.
Actually, as you answered to me:
How exactly did you do this workaround?
You mean the batch file? The manual version is to open MBAE and click "Stop Protection", then launch the browser with Sandboxie, then switch back to MBAE and click the same button that's now named "Start Protection". Wait and check shielded apps or the Logs tab.
BTW, speaking of protecting other security tools, shouldn't they protect their own process against "dll-injection"? In other words, you would think that MBAE should not be able to inject code into, for example, Webroot or Zemana.
Automatic upgrades to 1.05.1.1016 have been deployed. If you're on a previous version and you haven't gotten it already you should see an upgrade prompt in the next few hours/days.
I still have a MBAE Shield on WSA. It does not seem to be causing it any problems that I noticed.
Does MBAE report that protection is successful? That would mean that Webroot does not protect itself against code injection, weird. Perhaps you can ask about this on the Webroot forum.
Right after boot every day the MBAE log shows that WSA is protected. It shows that MBAM is protected also after I put a shield on it.
I found a 1 year old post by pbust:
Is this still the case with latest versions of MBAE and EMET? I'm one of the paranoid enthusiasts