Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  2. guest

    guest Guest

    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    It seems that the new version of WSA, v8.0.4.24, is not blocking mbae.dll from being loaded into Chrome anymore, at least on my PC.
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    We've had reports of MBAE + EMET 4.0 with Deep Hooks enabled resulting in browsers not launching. Does anybody have this configuration who can confirm or deny this behavior?
     
  4. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Thanks for the tip @Windows_Security. I guess we'll have to dedicate some more time to do in-depth compatibility testing with EMET4.
     
  5. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    It seems that it only happens when I set chrome://chrome/ as the starting page. I usually do this so that Chrome searches for updates every time I open it. With a normal internet page as my starting page I don't get alerts for now.
     
  6. controler

    controler Guest

    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Ok and so the link Mod Peter verified as bad is not an exploit?

    Sorry for misunderstanding what an exploit is then ..

    Bruce
     
  7. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Has anybody tried the crypto locker infected websites and PDFs against MBAE or EMET? It seems the virus uses vulnerabilities in PDF and browsers.
     
  8. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Wasn't the supposed pdf actually a file like *.pdf.exe that looked like a *.pdf file because of Windows' option to hide known filename extensions?
     
  9. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
    Re: Malwarebytes Anti-Exploit 0.09.4.1000


    Some websites are being used; it is shown in the video explanation of crypto guard. Just visiting a website may also be harmful; this is where anti-exploit should jump in.
     
  10. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    I know that, but I was explicitly referring to the PDF scenario you mentioned.
     
  11. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    The amount of time taken by MBAE to reply indicates bad news.
     
  12. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    It could just as well mean that pbust just hasn't had the time to check in on this thread since you have asked your question.
     
  13. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    They are actually very quick to tell about MBAE capabilities and till now they have not mentioned it, so I had to ask. I also wanted to know if EMET is stopping it. Is there any expert here who can test it?
     
  14. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Sorry I didn't know that question was meant for me. It looked more like an open question.

    What specifically are you asking here? Do you have some samples of exploit URLs to test against? If so please send them to me or somehow specify what you want. If these URLs use exploits then the answer is yes, MBAE should detect and block these exploit sites.
     
  15. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    I do not have URLs but I think there is a person from the Hitman Pro team in this forum. If you message him he will provide you with the URL of the affected website.
     
  16. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Sorry, no time to go hunting for some specific URL from someone, somewhere.

    We test MBAE against thousands of exploit URLs every day and are well aware of its capabilities. Whatever specific threat you are talking about, if it uses exploits to drive-by install itself, chances are we block it.

    More info from our real-time feed of new, unique, blocked exploit payloads:
    http://www.zerovulnerabilitylabs.com/webconsole/lv.php
     
  17. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    It is impressive.

    :thumb:
     
  18. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Why don't you do it yourself?
     
  19. guest

    guest Guest

    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    MBAE still blocks Hitman Pro Alert, will this be fixed in the next version?
     
  20. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    To ZeroVulnLabs

    Malwarebytes Anti-Exploit does not seem to protect Foxit PhantomPDF; at least in the logs it does not say "Foxit PhantomPDF is now protected". It's a business edition of Foxit Reader.

    As far as I'm aware Anti-Exploit protects Foxit Reader. Would you be adding support for Foxit PhantomPDF any time?
     
  21. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    What's the process name for Foxit PhantomPDF?
     
  22. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    The process name for Foxit Phantom is " Foxit PhantomPDF.exe "
     
  23. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Thanks! We'll add it to the backlog.
     
  24. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Are the Maxthon and Comodo Dragon browsers going to be shielded in the future?
     
  25. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Another vote for Dragon. :)
     