Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Yes, we will add more applications once we are out of the woods with the engine development. There are still a few more stage1 mitigation techniques to add and the Windows Service component, and then we'll be in a better position to increase coverage to other apps.
     
  2. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Is it going to be a free or paid product?
    Any plans for integration in MBAM?
     
  3. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
  4. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    "error installing malwarebytes anti-exploit driver, the Malwarebytes anti-exploit process will be terminated."

    This error msg occurs after I press Finish on the installation wizard.

    Running Outpost 8.1 firewall and Kaspersky IS 2012.
    Win XP Pro SP3.

    I have added the install file and the directory where MBAE is installed into Kaspersky trusted applications. Also, Outpost is on auto-learn rules and I edited the install file behaviour to "allow all activity".

    Using version 0.09.4.2000.

    Is the older 1000 version available to try?
     
    Last edited: Nov 24, 2013
  5. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    This is probably due to an incomplete or corrupt uninstall of a previous version.

    Please do the following:
    1- Close all shielded apps
    2- Uninstall from Control Panel if not yet done
    3- Reboot
    4- Delete HKLM\SYSTEM\Services\ESProtectionDriver
    5- Reboot
    6- Download and install again.
     
  6. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    Re: Malwarebytes Anti-Exploit 0.09.4.1000


    BTW there is no Services under SYSTEM in XP Pro.

    I searched for esprotectondriver but it never arose in regedit.

    I did install again for interest and the same problem in that it immediately exits.


    thanks
    Martin
     
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Sorry, should be:
    HKLM\SYSTEM\CurrentControlSet\Services\ESProtectionDriver
     
  8. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Checked at the new registry location and nothing is present.
     
  9. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Completely uninstalled Outpost 8.1.2 and MBAE is now working.

    I will see if I can get Outpost to work with MBAE.
     
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Interesting. Please do report your findings so that we may notify other users of Outpost and MBAE in the known issues and compatibility list:
    https://forums.malwarebytes.org/index.php?showtopic=135127
     
  11. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    875
    Location:
    Sverige
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    I'm running Outpost 8.1.2 as well, and mwbae installed and is running fine, for a couple of days now.

    Is this program somewhat like a "run safer" or suchlike?
     
  12. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  13. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
  14. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    Re: Malwarebytes Anti-Exploit 0.09.4.1000


    What OS are you running?
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    So, we ever find out how MBAE does its hooking? Or what it actually looks at to detect attacks?
     
  16. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    @Hungry Man: Just read your original enquiry, just two days ago. Like you I'm also interested in the details. Perhaps giving more details would be the downfall for the product? :p
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    When I get told that being open would help attackers, I usually assume this. That goes double when 'intellectual property' gets used.

    This summer I've been hired to do basically nothing but reverse engineer and exploit software, so hopefully they've got something before then, because I'll be having a look and I'd love it if they saved me the trouble :)
     
  18. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    OK, finally got around to installing Outpost again.

    MBAE seemed to interfere with installation as a driver could not be installed.
    Outpost v7.6.1 reported it was running in limited mode on reboot.

    I killed MBAE in Task Manager and it installed fine.
    It is however the older version of Outpost 7.6.1, as I prefer its interface to 8.x.
     
  19. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Any idea where I can get Outpost v7.6.1 from to try to replicate this?
     
  20. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,938
    Location:
    North of the 38th parallel.
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    <http://www.agnitum.com/support/kb/article.php?id=1000290>

    Hi Pedro:

    I hope the above might be of some help.
     
  21. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Outpost do keep an archive of all their versions at least back to 7.5.

    Oh, it's 7.6, not 7.6.1 (which doesn't exist).
    Sorry.

    So far things are co-operating fine, including HitmanPro.Alert with MBAE.
     
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Thanks to both, I'll check it out!
     
  23. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Just noticed MBAE blocked VLC from updating itself.
     
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    Known Issue #8:
    https://forums.malwarebytes.org/index.php?showtopic=135127

    As a workaround simply exclude the VLC upgrade block event in the MBAE GUI-Log tab and then allow VLC to upgrade itself again.
     
  25. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Re: Malwarebytes Anti-Exploit 0.09.4.1000

    I have just found a problem when running Microsoft Update (Internet Explorer 8, Windows XP 32 Pro SP3).

    When selecting "search for new updates" the page just keeps on showing a running progress bar and nothing happens. A svchost.exe process that uses 25% of my Q6600 quadcore pops up on Windows Task Manager. This is not usual when I run Microsoft Update.

    The issue disappears by stopping MBAE protection. It could be a clash with some of the other security software that I have installed, see my sig for details.
     