Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Did you see my post #1342?
     
  2. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    2 questions:

    - Is it possible to add some parameter to mbae.exe to show the GUI immediately when it's started?

    - Any known conflicts between MBAE and EMET (latest 5.1)? On my system I had to disable SimExecFlow because of MBAE.
     
  3. PatsSoxBruins

    PatsSoxBruins Registered Member

    Joined:
    Dec 14, 2014
    Posts:
    25
    You do not need both. Most users just need their browser protected. I do not use any Office products or Java. Therefore the free version of MBAE works just fine. If you want more features, buy the Premium. If however you do not want to buy it, then use EMET alone. Using 2 anti-exploits is like using 2 antiviruses.
     
  4. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,111
    Location:
    Hollow Earth - Telos
    I have a Shield on WSA with MBAE. Do you think this is good or bad to do?
     
  5. PatsSoxBruins

    PatsSoxBruins Registered Member

    Joined:
    Dec 14, 2014
    Posts:
    25
    That is absurd. It would be a good idea to understand what an anti-exploit does if you are going to use it. Antiviruses are not things which are exploited. Just Google exploit attacks. Browsers, Java and Microsoft Office are the most commonly exploited software. Do you honestly think WSA is going to be exploited, or any other AV for that matter? Why are you so paranoid?
     
  6. PatsSoxBruins

    PatsSoxBruins Registered Member

    Joined:
    Dec 14, 2014
    Posts:
    25
    Here is a list of common programs requiring protection, and their location on the system disk (C:) in 32-bit Windows XP, Vista, 7, 8 and 8.1:

    • Adobe Flash Player - Flash Player runs inside a web browser. Just add Internet Explorer, Google Chrome, Mozilla Firefox or another web browser as described above.
    • Adobe Reader - Program Files\Adobe\Reader <version number>\Reader\AcroRd32.exe
    • Adobe Shockwave Player - Windows\System32\Adobe\Shockwave <version number>\Swinit.exe and SwHelper_<version number>.exe
    • Apple iTunes - Program Files\iTunes\iTunes.exe
    • Apple QuickTime Player - Program Files\QuickTime\QuickTimePlayer.exe
    • Apple Safari - Program Files\Safari\Safari.exe NB! Disable Mandatory ASLR, EAF and DEP if Safari crashes.
    • Foxit Reader - Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe
    • Google Chrome - on Windows XP: Documents and Settings\<your user name>\Application Data\Google\Chrome\Application\chrome.exe;
      on Windows Vista, 7, 8 or 8.1: Users\<your user name>\AppData\Local\Google\Chrome\Application\chrome.exe. The alternative location for an administrative/corporate install is Program Files\Google\Chrome\Application\chrome.exe. NB! If Shockwave Flash (aka Flash Player/Pepper Flash) does not load in Google Chrome, disable the SEHOP mitigation. Depending on installed extensions, you might also have to turn off the DEP and Caller mitigations for Chrome.
      Do not use wildcards for adding Google Chrome to EMET.
    • Microsoft Access - Program Files\Microsoft Office\Office<version number>\MSACCESS.EXE
    • Microsoft Excel - Program Files\Microsoft Office\Office<version number>\EXCEL.EXE
    • Microsoft Internet Explorer - Program Files\Internet Explorer\iexplore.exe NB! Disable Mandatory ASLR, EAF and DEP if IE crashes.
    • Microsoft Outlook - Program Files\Microsoft Office\Office<version number>\OUTLOOK.EXE
    • Microsoft Outlook Express - Program Files\Outlook Express\msimn.exe
    • Microsoft PowerPoint - Program Files\Microsoft Office\Office<version number>\POWERPNT.EXE
    • Microsoft Word - Program Files\Microsoft Office\Office<version number>\WINWORD.EXE
    • Mozilla Firefox - Program Files\Mozilla Firefox\firefox.exe and plugin-container.exe NB! Disable Mandatory ASLR, EAF and DEP if Firefox crashes.
    • Mozilla Thunderbird - Program Files\Mozilla Thunderbird\thunderbird.exe and plugin-container.exe
    • Opera - Program Files\Opera\opera.exe or Program Files\Opera\<version number>\opera.exe NB! Disable Mandatory ASLR, EAF and DEP if your browser crashes.
    • Oracle (Sun) Java - Program Files\Java\jre<version number>\bin\java.exe, javaw.exe and javaws.exe; plus Windows\System32\java.exe NB! Turn off the HeapSpray mitigation for Java.
    • Skype - Program Files\Skype\Phone\Skype.exe and Program Files\Skype\Plugin Manager\skypePM.exe NB! Disable the EAF mitigation for Skype.
    • WinAmp - Program Files\Winamp\winamp.exe
    • Windows Live Mail - Program Files\Windows Live\Mail\wlmail.exe
    • Windows Live Messenger - Program Files\Windows Live\Messenger\msnmsgr.exe
    • Windows Media Player - Program Files\Windows Media Player\wmplayer.exe NB! Disable the Mandatory ASLR and EAF mitigations for Media Player.
    • VLC Media Player - Program Files\VideoLAN\VLC\vlc.exe
    For 64-bit Windows Vista, 7, 8 or 8.1, some programs might need Program Files replaced with Program Files (x86) and System32 with SysWOW64.

    Several programs (for example, Internet Explorer, Java and Windows Media Player) can have both 32- and 64-bit versions installed; check both Program Files and Program Files (x86).

    https://www.winhelp.us/microsoft-emet.html


    Notice there is not one antivirus listed. The only thing in that list I use is Chrome and Foxit.
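    As an added example (not from the post above or from the winhelp.us page), the following PowerShell script takes the relative paths from that list and reports which of the executables actually exist on the local machine, trying the Program Files (x86) and SysWOW64 variants the last two paragraphs describe and expanding <version number> as a wildcard. It is read-only and writes no EMET configuration; the program list, the use of the SystemDrive environment variable, and the per-user Chrome location under LOCALAPPDATA are assumptions restated from the list rather than anything EMET itself provides.

```powershell
# Added example, not part of the original post or of the winhelp.us page.
# Enumerates the EMET candidate paths from the list above on the local machine,
# trying the 64-bit variants (Program Files (x86), SysWOW64) and expanding
# "<version number>" as a wildcard. Read-only: it changes no EMET settings.

$SystemDrive = $env:SystemDrive    # normally C:

# Relative paths as given in the list; "*" stands in for <version number>.
$Candidates = @(
    'Program Files\Adobe\Reader *\Reader\AcroRd32.exe',
    'Windows\System32\Adobe\Shockwave *\Swinit.exe',
    'Windows\System32\Adobe\Shockwave *\SwHelper_*.exe',
    'Program Files\iTunes\iTunes.exe',
    'Program Files\QuickTime\QuickTimePlayer.exe',
    'Program Files\Safari\Safari.exe',
    'Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe',
    'Program Files\Google\Chrome\Application\chrome.exe',
    'Program Files\Microsoft Office\Office*\MSACCESS.EXE',
    'Program Files\Microsoft Office\Office*\EXCEL.EXE',
    'Program Files\Internet Explorer\iexplore.exe',
    'Program Files\Microsoft Office\Office*\OUTLOOK.EXE',
    'Program Files\Outlook Express\msimn.exe',
    'Program Files\Microsoft Office\Office*\POWERPNT.EXE',
    'Program Files\Microsoft Office\Office*\WINWORD.EXE',
    'Program Files\Mozilla Firefox\firefox.exe',
    'Program Files\Mozilla Firefox\plugin-container.exe',
    'Program Files\Mozilla Thunderbird\thunderbird.exe',
    'Program Files\Mozilla Thunderbird\plugin-container.exe',
    'Program Files\Opera\opera.exe',
    'Program Files\Opera\*\opera.exe',
    'Program Files\Java\jre*\bin\java.exe',
    'Program Files\Java\jre*\bin\javaw.exe',
    'Program Files\Java\jre*\bin\javaws.exe',
    'Windows\System32\java.exe',
    'Program Files\Skype\Phone\Skype.exe',
    'Program Files\Skype\Plugin Manager\skypePM.exe',
    'Program Files\Winamp\winamp.exe',
    'Program Files\Windows Live\Mail\wlmail.exe',
    'Program Files\Windows Live\Messenger\msnmsgr.exe',
    'Program Files\Windows Media Player\wmplayer.exe',
    'Program Files\VideoLAN\VLC\vlc.exe'
)

function Get-PathVariants {
    # Returns the absolute patterns to try for one relative path:
    # the path as listed, plus the WOW64 locations that apply on 64-bit Windows.
    param([string]$Relative)
    $variants = @($Relative)
    if ($Relative -like 'Program Files\*') {
        $variants += $Relative -replace '^Program Files\\', 'Program Files (x86)\'
    }
    if ($Relative -like 'Windows\System32\*') {
        $variants += $Relative -replace '^Windows\\System32\\', 'Windows\SysWOW64\'
    }
    foreach ($v in $variants) { "$SystemDrive\$v" }
}

# @(...) keeps $found an array even when only one path matches.
$found = @(foreach ($rel in $Candidates) {
    foreach ($pattern in Get-PathVariants $rel) {
        # Resolve-Path expands the wildcards; patterns that match nothing are skipped.
        Resolve-Path -Path $pattern -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Listed = $rel; Path = $_.Path } }
    }
})

# Chrome's default per-user install is not under Program Files (see the list above).
if ($env:LOCALAPPDATA) {
    $userChrome = Join-Path $env:LOCALAPPDATA 'Google\Chrome\Application\chrome.exe'
    if (Test-Path $userChrome) {
        $found += [pscustomobject]@{ Listed = 'Users\<your user name>\AppData\Local\Google\Chrome\Application\chrome.exe'; Path = $userChrome }
    }
}

$found | Sort-Object Path | Format-Table -AutoSize
```

Each row pairs the entry from the list with the absolute path that resolved, so on a 64-bit machine a program installed twice (Internet Explorer, Java, Windows Media Player) shows up twice, which is exactly the case the last paragraph of the list warns about. Paths that do not resolve are simply absent from the output.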
     
  7. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,111
    Location:
    Hollow Earth - Telos
    Do you think that Tom Brady and Big Poppy have a shield on WSA?
     
  8. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Try "mbae.exe /open"
     
  9. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    Can an anti-exploit replace Sandboxie? It seems to protect the same area...
     
  10. PatsSoxBruins

    PatsSoxBruins Registered Member

    Joined:
    Dec 14, 2014
    Posts:
    25
    Completely and totally different software. An anti-exploit protects outdated software's security holes before they can be patched, or against a hacker making code to exploit a particular browser. Sandboxie completely virtualizes software such as a browser. Any changes to your browser will be undone once the sandbox is emptied. An anti-exploit does not virtualize your browser. Anti-exploits are good for those who do not keep their software up to date.

    Why do so many people use security products they know nothing about? Because other members use them?
     
  11. PatsSoxBruins

    PatsSoxBruins Registered Member

    Joined:
    Dec 14, 2014
    Posts:
    25
    Right from Malwarebytes.org

    "Malwarebytes Anti-Exploit Premium protects you from zero-day exploits targeting browser and application vulnerabilities. Its proprietary technology guards you in that critical period between the release of a new exploit and its security patch. And, unlike antivirus products, Malwarebytes Anti-Exploit Premium proactively prevents the exploit from installing its payload. Before it can do damage."

    https://www.malwarebytes.org/antiexploit/premium/
     
  12. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Actually, I did. However, a bit too complicated for my taste. I just wish Pedro would address this 32bit issue in the next release so this whole thing could be simplified for 32bit users.

    But thanks for sharing this anyway -- and for pointing it out again.
     
  13. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    "mbae.exe" /open
    Thanks!
     
  14. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    I'm not sure what to think about that and I'd prefer more input and comments. Excuse me for taking EMET as an example here but that's a good way to describe conflicts:

    Many AVs have exploit-blocking functionality and many EMET users are forced to disable mitigations (without knowing why) that should work with standard apps. They think something is wrong with their system or EMET when it's most likely a conflict between EMET and their AV or another security app. They solve it by disabling the conflicting mitigations in EMET, which means they still have 2 products with anti-exploit functionality running. Are you saying that's a bad setup, even after solving the conflicts?

    I used to do it that way too but now I've excluded these apps from DLL injection by my AV which means I can have all mitigations enabled in EMET. So no conflict there anyway.
     
  15. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Under Firefox and Firefox-based browsers like the older versions of Opera, Flash Player runs as a separate sub-process of the browser and must be protected by EMET. In the case of MBAE it is protected automatically. The same applies to plugin-container.exe and opera_plugin_wrapper.exe.
     
  16. 142395

    142395 Guest

    While they act at different stages and work differently, the claim "they protect the same area" is not necessarily wrong.
    Both of them serve against the most common and dangerous exploit, i.e. RCE.
    Both of them don't cover other types of threat such as XSS or phishing; that is the job of other products.
    Still, there are some areas which only one of the pair covers, but please understand that for common people, what matters is NOT how they work but what threats they protect from.
     
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Actually, as you answered to me:
    https://www.wilderssecurity.com/threads/fileless-malware-detection.370944/page-7#post-2437545
     
  18. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    How exactly did you do this workaround?
     
  19. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    You mean the batch file? The manual version is to open MBAE and click "Stop Protection", then launch the browser with Sandboxie, then switch back to MBAE and click the same button that's now named "Start Protection". Wait and check shielded apps or the Logs tab.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,435
    Location:
    The Netherlands
    BTW, speaking of protecting other security tools, shouldn't they protect their own process against "DLL injection"? In other words, you would think that MBAE should not be able to inject code into, for example, Webroot or Zemana.
     
  21. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Automatic upgrades to 1.05.1.1016 have been deployed. If you're on a previous version and you haven't gotten it already you should see an upgrade prompt in the next few hours/days.
     
  22. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,111
    Location:
    Hollow Earth - Telos
    I still have a MBAE Shield on WSA. It does not seem to be causing it any problems that I noticed.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,435
    Location:
    The Netherlands
    Does MBAE report that protection is successful? That would mean that Webroot does not protect itself against code injection, weird. Perhaps you can ask about this on the Webroot forum.
     
  24. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,111
    Location:
    Hollow Earth - Telos
    Right after boot every day the MBAE log shows that WSA is protected. It shows that MBAM is protected also, after I put a shield on it.
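    The MBAE log is one side of the question raised in the last few posts; the other side is the target process itself. As an added example that is not from the thread or from Malwarebytes, this PowerShell script lists which running processes actually have an anti-exploit hook module loaded, which is what "shielded" means for a user-mode anti-exploit that works by DLL injection. The module-name pattern (mbae*.dll) and the default process names (WRSA for Webroot, mbam for Malwarebytes Anti-Malware) are assumptions, not names given anywhere in the thread: look at a browser MBAE reports as shielded first and substitute the DLL name you actually see there.

```powershell
# Added example, not from the thread or from Malwarebytes.
# Reports which processes have an anti-exploit hook module loaded.
# ASSUMPTIONS: the injected module matches 'mbae*.dll', and the default
# process names (WRSA, mbam, browsers) are the ones the thread talks about.
param(
    [string]$ModulePattern = 'mbae*.dll',
    [string[]]$ProcessNames = @('WRSA', 'mbam', 'chrome', 'firefox', 'iexplore')
)

function Get-HookedProcesses {
    param([string]$Pattern, [string[]]$Names)
    foreach ($p in Get-Process -Name $Names -ErrorAction SilentlyContinue) {
        try {
            # Module enumeration throws "access denied" for protected or
            # elevated processes, and fails across the 32/64-bit boundary
            # (32-bit PowerShell cannot read a 64-bit process's modules).
            # Those are reported as Unknown, not as "not hooked".
            $mods = @($p.Modules)
        } catch {
            [pscustomobject]@{
                Process = $p.ProcessName
                PID     = $p.Id
                Hooked  = 'Unknown'
                Module  = $_.Exception.Message
            }
            continue
        }
        $hit = @($mods | Where-Object { $_.ModuleName -like $Pattern })
        [pscustomobject]@{
            Process = $p.ProcessName
            PID     = $p.Id
            Hooked  = ($hit.Count -gt 0)
            Module  = ($hit | ForEach-Object { $_.FileName }) -join '; '
        }
    }
}

Get-HookedProcesses -Pattern $ModulePattern -Names $ProcessNames | Format-Table -AutoSize
```

Run it from an elevated PowerShell whose bitness matches the processes you care about (64-bit PowerShell for 64-bit processes). A process that shows Hooked = True has the module in its address space, which is the claim the MBAE log makes; a security product that really did block foreign DLL injection into itself would show False, or Unknown if it also denies the handle you need to look. Use '*' as the process name to sweep every process rather than the assumed list.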
     
  25. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    I found a 1 year old post by pbust:
    Is this still the case with latest versions of MBAE and EMET? I'm one of the paranoid enthusiasts ;)
     