Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
  3. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Strange, I can download it without a problem with Chrome from ZeroVulnLabs' signature.
     
  4. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  5. It was my bad, I had recovered the wrong image, the one where I tweaked the policy settings of 'attachments'; this also has an impact on downloads :(
    Thanks for checking, because of your post I guessed the error was in my setup :thumb:
     
  6. guest

    guest Guest

    Thanks, I saw it.

    In the new version I have seen that the advanced settings are configured by default without enabling some protections; I don't have enough knowledge to know what I could enable without breaking anything.
    I wonder if there could be a way to create by default a more secure profile that potentially would not create many issues.

    Ideally everything could be enabled by default, and every time something crashes MBAE would detect it and a popup would suggest that the user disable the setting/protection which causes it. Current default settings should not be suggested for disabling and should create a bug report...
     
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    As of MBAE 1.06 not only can you fine-tune some of the mitigations in the advanced setting, but also the new alert popup will show you which Layer and Mitigation was triggered. So you can enable all mitigations and if during testing any of them fires off incorrectly, you will be able to see which mitigation is the one firing and disable it in advanced settings.

    We've done this as some of the more generic mitigations, especially those in Layer0 Application Hardening, may trigger alerts with badly coded websites/plugins/applications. And you'd be surprised how many popular websites/plugins/applications are badly coded.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    In the Advanced Settings, by default under Chrome browsers, Anti-Heapstraying Enforcement and BottomUp ASLR Enforcement are unchecked. I am testing MBAE 1.06 right now and it's been a while since I last tested MBAE. I have significantly more experience with EMET than I do with MBAE. But what I am wondering is, I am used to having all of those similar settings checked in EMET for Chrome with no ill effects. Why do these need to be disabled in MBAE? I am just curious where this differs here with MBAE. Thank you.
     
  9. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    The Anti-HeapSpraying in MBAE is more advanced than that of EMET, so they are not comparable. The settings we have are the best combination of protection and conflict reduction. In most cases you can enable those mitigations and they won't conflict. But in case they do conflict with some badly coded websites/plugins/applications, you can go back to Advanced settings and disable them.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ ZeroVulnLabs

    Can the "phoning home" problem be fixed? I see that WFC blocked some outbound connections being made, even though I have disabled auto upgrade and other settings in MBAE.
     
  11. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    @ ZeroVulnLabs

    Hi.
    2 questions:

    1) Can you explain the function "Protection for Messagebox Payload"?

    2) Does "Malicious Return Address Detection" have a corresponding function in EMET/HPA3?


    TH.
     
  12. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    There are other "phoning home" processes other than automatic upgrades, such as heartbeat telemetry. These cannot be turned off, but you can of course block them by the firewall if you wish.

    Metasploit includes a MessageBox payload. It simply displays a popup after successful exploitation. It's not really malicious but some independent testers and penetration testers do use it sometimes. The Malicious Return Address Detection is sometimes also known as "Caller", although in the case of MBAE it is more thorough than EMET. However, simply comparing mitigations by name does not really say anything about how the mitigation is implemented.
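As an added illustration (not code from MBAE, EMET or HPA3) of what a "Caller" style check does: before a sensitive API call is allowed, the monitor looks at the return address and asks whether the bytes just before it decode to an x86 CALL instruction; a ROP chain that reaches the API through a RET gadget has no such call site. This is a simplified 32-bit, prefix-free version of the idea, and the sample byte strings are constructed here.

```c
/* Simplified "Caller" check: does the instruction ending at code[ret_off]
 * decode to a 32-bit x86 CALL? Assumptions: no prefixes, no 64-bit modes. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Length of an FF-opcode instruction given its ModRM byte (and SIB, if any). */
static size_t ff_call_length(uint8_t modrm, uint8_t sib) {
    unsigned mod = modrm >> 6, rm = modrm & 7;
    size_t len = 2;                          /* opcode + ModRM */
    if (mod == 3) return len;                /* register operand, e.g. CALL EAX */
    if (rm == 4) {                           /* SIB byte follows */
        len += 1;
        if (mod == 0 && (sib & 7) == 5) len += 4;   /* [index*scale + disp32] */
    } else if (mod == 0 && rm == 5) {
        len += 4;                            /* [disp32], e.g. CALL [imports] */
    }
    if (mod == 1) len += 1;                  /* disp8 */
    if (mod == 2) len += 4;                  /* disp32 */
    return len;
}

/* True if ret_off looks like a genuine return address, i.e. the instruction
 * immediately before it is CALL rel32 (E8), CALL r/m32 (FF /2) or far CALL (FF /3). */
bool preceded_by_call(const uint8_t *code, size_t ret_off) {
    for (size_t n = 2; n <= 7 && n <= ret_off; n++) {
        const uint8_t *ins = code + ret_off - n;
        if (ins[0] == 0xE8) { if (n == 5) return true; continue; }
        if (ins[0] != 0xFF) continue;
        unsigned reg = (ins[1] >> 3) & 7;
        if (reg != 2 && reg != 3) continue;
        uint8_t sib = (n >= 3) ? ins[2] : 0;
        if (ff_call_length(ins[1], sib) == n) return true;
    }
    return false;
}

int main(void) {
    /* Constructed: two NOPs, "CALL rel32", then the return site at offset 7. */
    static const uint8_t legit[] = {0x90, 0x90, 0xE8, 0x10, 0x00, 0x00, 0x00, 0xC3};
    /* Constructed: "POP EBP; RET" with no CALL before the return site at offset 2. */
    static const uint8_t gadget[] = {0x5D, 0xC3, 0x90};
    return (preceded_by_call(legit, 7) && !preceded_by_call(gadget, 2)) ? 0 : 1;
}
```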
     
  13. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    According to the "Feature Overview, Comparison" table of HPA3, MBAE provides 64-bit applications the same protection as 32-bit ones:

    http://www.surfright.nl/en/alert

    With EMET, 64-bit support is not available for the ROP mitigations:

    1) Caller
    2) SimExecFlow

    Is it possible to conclude that these mitigations are available for 64-bit in MBAE?
    TH.

    P.S. Sorry for all these questions..................
     
  14. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    I did the HPA3 test (Stack Pivot).
    Renamed the test (Opera.exe).
    Stack Pivoting Protection off.
    MBAE has blocked it all the same.
    Can you explain?
    TH


    Disabled all the mitigations for browsers.... MBAE has blocked it all the same:


    Immagine.JPG
     
  15. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Did you restart the HPA3 tester after applying the MBAE configuration changes?
     
  16. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
  17. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    If it can help, in EMET 4.1U1, to not pass the test you must uncheck the mitigations:

    1) Caller
    2) SimExecFlow

    __________________

    3) StackPivot

    If mitigations 1-2 are deselected and you select only StackPivot, you get the corresponding block of the exploit.
    I used XP.
     
    Last edited: Apr 12, 2015
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    You're disabling StackPivoting for Browser profile, but Opera is within the Chrome-based profile. Disable for that family and it should work.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Not cool, I think it should be possible to disable all "phoning home" related options.
     
  20. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    You could say the same about many software products... It's hardly unique to MBAE.... As already pointed out, I use firewall blocking if I feel it's necessary.
     
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    Now it is OK.
    TH.
    :thumb:
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, I do say the same about other software, phoning home is not a good thing in my book, especially when you can't disable it. Of course I do trust MBAE, but that's not the point.
     
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    Test HPA3 64-bit on Windows 7 64-bit

    EMET 5.2

    Stack Pivot = Passed (StackPivot)
    Stack Exec = Passed (MemProt)

    ROP WinExec* = Failed (DEP)
    ROP Virtual Protect* = Failed (DEP)
    ROP Nt Protect Virtual Memory* = Failed (DEP)

    * = (The mitigation "Caller" that intervenes for 32-bit ROP is not available for 64-bit)

    Heap Spray 1 = Failed
    Heap Spray 2 = Failed
    Heap Spray 3 = Failed
    Heap Spray 4 = Failed

    URL Mon = Passed


    ________________________

    Test HPA3 64-bit on Windows 7 64-bit

    MBAE 1.06.1.1018


    Stack Pivot = Passed
    Stack Exec = Failed

    ROP WinExec = Failed
    ROP Virtual Protect = Passed
    ROP Nt Protect Virtual Memory = Passed

    Heap Spray 1 = Failed
    Heap Spray 2 = Failed
    Heap Spray 3 = Failed
    Heap Spray 4 = Failed

    URL Mon = Passed
     
  24. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    I'm trying this setting.
    MBAE + EMET on Windows 7 64-bit (Chrome + I.E. 64-bit):


    1.jpg

    2.jpg

    I tried to do the HPA3 64-bit test, renaming the exe as Firefox and inserting it in the EMET list.

    Results

    Stack Pivot = Passed (EMET)
    Stack Exec = Passed (EMET)

    ROP Virtualprotect = Passed (MBAE)
    ROP Nt Protect VirtualMemory = Passed (MBAE)

    URL Mon = Passed (MBAE)

    _____________________________________________

    @ZeroVulnLabs

    Is the MBAE setup OK?

    Is it better as in the picture below?
    3.jpg

    TH.

     
    Last edited: Apr 13, 2015
  25. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    I would like to remind you that exploiting 64-bit processes is quite different than exploiting 32-bit processes.
    For example: This talk contains some differences with regard to Internet Explorer 11 on Windows 8.1 --> https://www.syscan.org/index.php/do...Exploit Under the New Exploit Mitigations.pdf
     