Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I've never understood how this feature exactly works, and what it blocks. It's quite strange that SpyShelter doesn't offer an "allow API hooking" (or Trust) feature; it doesn't make any sense.
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I sent a support request to SpyShelter voicing my concern about their product having the potential to block hooks needed by MBAE, and below was their response. They keep saying MBAM in their response, but I specifically stated MBAE in my support request.

    "SpyShelter should not block MBAM hooks automatically. Check your Rules tab - if you have not blocked any MBAM's action then it should be fine.

    Plugin-container hook blocking is caused by Action Code 58 - you may turn it off if you are sure that your plugins are safe.

    If you are annoyed by the network hooks tray pop-up, you may turn it off in Settings > Security - uncheck "Enable showing tooltips..."

    Please do not hesitate to contact us anytime for further assistance.

    Sincerely,
    Bogdan Siemienowicz"
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Btw, I went ahead and disabled action type 58 in the Protection Rule Set. I think it could potentially impede functionality for my plug-ins. I trust the plug-ins I use. Well, I don't trust anything completely, but I trust them enough to disable action type 58. They referred to it as action code 58 in their response. It was causing the plugin-container.exe hooking alerts I was receiving. AFAIK it was, anyway. I have not had time to confirm this, but that is what I was informed by SpyShelter. I think they are correct though.

    Edited: 7/11 @5:18

    I had to edit my post again. It was action type 33 that was causing the plugin-container.exe hooking alerts. It is listed as "Internet Security Setting Hook to Monitor Network request". I guess they were wrong since I still get the alerts. I will move this discussion over to the SpyShelter thread. I will have to email SpyShelter back now since they were wrong about the action type.

    Edited: 7/11 @5:42
     
    Last edited: Jul 11, 2015
  4. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    @Cutting_Edgetech

    As a quick note: stacking multiple security tools does not always increase the level of protection.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm well aware of this. I'm just testing SpyShelter right now. I have multiple computers.
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    SpyShelter does. You can disable monitoring of each hook type under List of Monitored Actions. We should move this discussion to the SpyShelter thread if you need to respond to this post. I have to leave for a while though, and won't be back until late tonight.
     
  7. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Weird, mate... SS pops up nothing for FF29, but does for IE9. Just so we're on the same page, are you referring to SS's AntiNetworkSpy notifications - Action #11?
     
  8. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    How flexible are MBAE Custom Shields? For example, can it be applied to Libre Office or just MS Office? foobar2000 & Windows Media Player Classic? Older versions of IE and FF?
     
  9. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    They're pretty flexible, you can apply them to just about anything. There are some pre-determined profiles, so for LibreOffice use the Office profile. For media players use the media player profile, etc. The "other" profile can be used for anything that falls outside the scope of the pre-determined profiles.
     
  10. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    (screenshot attached)

  11. haakon

    haakon Guest

    @ marzametal & ZeroVulnLabs
    I've been pondering Libre Office myself. According to my firewall, soffice.bin is what makes outbound connections, so I created an Other shield for it. I also did Office for the executables.

    Libre Office is weird. If I open soffice.exe and then select Writer Document, these are the processes:

    (screenshot: LOsoffice.jpg)

    If I open swriter.exe, I get these:

    (screenshot: LOswriter.jpg)

    @ Infected
    Is a Shield for Notepad needed? Which Shield do you use?

    Mine, so far...

    (screenshot: MBAEshields.jpg)
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I will reply in the SS thread.
     
  13. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    With LibreOffice you only need to create a custom shield for soffice.bin (using the Office profile) as that is the launcher for all the LibreOffice applications. There is no need to create custom shields for the individual LibreOffice applications.
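
    To check on your own machine which image actually hosts a LibreOffice document, and therefore which one a custom shield should target, the following PowerShell snippet prints the parent chain of every LibreOffice process. It is an added example, not code from the thread, from Malwarebytes or from LibreOffice; the process names are the ones mentioned in the posts above, and the expectation that swriter.exe and soffice.exe hand off to soffice.bin is an assumption to be confirmed from the output.

```powershell
# Added example (not from the thread, Malwarebytes or LibreOffice).
# Shows the parent chain of each LibreOffice process so you can see which
# image really hosts the open document before creating a custom shield for it.
# The process names below are assumptions taken from the posts above.
$loNames = @('soffice.exe', 'soffice.bin', 'swriter.exe', 'scalc.exe', 'simpress.exe')

# Snapshot every process once; ParentProcessId is exposed by CIM, not by Get-Process.
$snapshot = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $snapshot) { $byPid[[int]$p.ProcessId] = $p }

function Get-ParentChain {
    param([int]$ProcessId)
    $chain = New-Object System.Collections.Generic.List[string]
    $cur = $byPid[$ProcessId]
    # Stop at the root, or after 16 hops in case a reused PID makes the chain loop.
    while ($null -ne $cur -and $chain.Count -lt 16) {
        $chain.Add(('{0}({1})' -f $cur.Name, $cur.ProcessId))
        $cur = $byPid[[int]$cur.ParentProcessId]
    }
    return ($chain -join ' <- ')
}

$snapshot |
    Where-Object { $loNames -contains $_.Name } |
    ForEach-Object {
        [pscustomobject]@{
            Pid   = $_.ProcessId
            Name  = $_.Name
            Path  = $_.ExecutablePath
            Chain = Get-ParentChain -ProcessId $_.ProcessId
        }
    } |
    Format-Table -AutoSize -Wrap
```

    Run it with a document open. The image that every swriter/scalc launch ends up in, and that stays alive while the document is being parsed, is the one the shield has to cover; a shield on a launcher that exits as soon as the document is open does not cover the parsing.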
     
  14. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
  15. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Not that surprising that MBAE is able to block them if you realize that blocking exploits is all about the exploitation techniques and not about the vulnerability itself.

    e.g.: The source code of the different Flash exploits leaked by HT is all identical except for the part which triggers the actual vulnerability and enlarges a uint vector.
     
  16. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    True.
    EMET also should block without problems.
     
  17. Pirate_fin

    Pirate_fin Guest

    Does the free version update automatically? Yesterday I still had 1.06 installed.

    Today I manually updated it to 1.07.
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes it will once we release the auto-upgrade. We're still hunting down a new bug which might cause us to release a fix to 1.07 prior to releasing the auto-upgrade.
     
  19. haakon

    haakon Guest

    @ ZeroVulnLabs

    Thanks for the reply to my Libre Office post. There's something else I've been wondering about...

    • The benefits/detriments of the advanced settings described herein are not meant to be the focus of this inquiry.

    Given a user's configuration where all checkable items under the four advanced settings tabs are checked, is there any difference between (for example) Other and PDF Readers?

    (In fact, with all items checked, the only one that's unique is Browsers. And yes, I have them all checked.)

    Regards.
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Moving this discussion over to SpyShelter thread.
     
  21. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Internally there are slight differences between how the Layer3 protection is implemented for "Other" vs the rest, but those are minor.
     
  22. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Bye bye Flash exploitation using uint Vectors --> https://twitter.com/guhe120/status/620888560716115968
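
    ropchain's point in #15 and #22, that the leaked Flash exploits differ only in the bug that triggers them and all rely on growing a uint Vector, so a single check on that technique covers every one of them, can be shown in a few dozen lines. The C program below is an added example, not code from the thread, from Malwarebytes or from Adobe; the thread does not describe how the Flash change works, and the guarded layout here (a second copy of the length masked with a secret value, verified on every access) is an assumed, simplified model of a length-validation mitigation. The struct layouts, the back-to-back heap arrangement and the fixed secret are constructed for illustration.

```c
/*
 * Added example, not code from the thread or from Malwarebytes/Adobe.
 * Models why an exploit mitigation that watches the technique (a vector
 * length that no longer matches its guard) stops every bug that produces
 * the same out-of-bounds write. Layouts, the cookie scheme and all
 * constants are assumptions for illustration only.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VEC_CAP 8

/* Naive layout: the length sits directly before the elements, so an
 * out-of-bounds write from a neighbouring object can rewrite it. */
typedef struct {
    uint32_t length;
    uint32_t data[VEC_CAP];
} naive_vec;

/* Guarded layout: the length is also kept XOR'd with a per-process secret.
 * Rewriting the plain length without knowing the secret is caught on the
 * next access. */
typedef struct {
    uint32_t length;
    uint32_t length_guard;   /* length ^ g_secret */
    uint32_t data[VEC_CAP];
} guarded_vec;

/* Assumed constant so the example is deterministic; a real runtime draws
 * this from a CSPRNG at startup and never exposes it to script. */
static const uint32_t g_secret = 0xA5C3F00Du;

/* The only check the naive vector has. */
static int naive_index_ok(const naive_vec *v, uint32_t idx) {
    return idx < v->length;
}

static void guarded_init(guarded_vec *v, uint32_t len) {
    memset(v, 0, sizeof *v);
    v->length = len;
    v->length_guard = len ^ g_secret;
}

/* 0 = ok, -1 = index out of range, -2 = length corrupted (a real runtime aborts). */
static int guarded_get(const guarded_vec *v, uint32_t idx, uint32_t *out) {
    if ((v->length ^ g_secret) != v->length_guard)
        return -2;
    if (idx >= v->length)
        return -1;
    *out = v->data[idx];
    return 0;
}

/* Constructed "heap": two objects back to back, as a spray arranges them.
 * The vulnerability is modelled as one unchecked 4-byte write at element
 * VEC_CAP of the first object, which is exactly the second object's length. */
static void overflow_into_neighbour(uint8_t *heap, size_t data_off) {
    uint32_t evil = 0xFFFFFFFFu;
    memcpy(heap + data_off + VEC_CAP * sizeof(uint32_t), &evil, sizeof evil);
}

static naive_vec naive_run_attack(void) {
    uint8_t heap[2 * sizeof(naive_vec)];
    naive_vec a, b;
    memset(&a, 0, sizeof a); a.length = VEC_CAP;
    memset(&b, 0, sizeof b); b.length = VEC_CAP;
    memcpy(heap, &a, sizeof a);
    memcpy(heap + sizeof a, &b, sizeof b);
    overflow_into_neighbour(heap, offsetof(naive_vec, data));
    memcpy(&b, heap + sizeof a, sizeof b);
    return b;
}

static guarded_vec guarded_run_attack(void) {
    uint8_t heap[2 * sizeof(guarded_vec)];
    guarded_vec a, b;
    guarded_init(&a, VEC_CAP);
    guarded_init(&b, VEC_CAP);
    memcpy(heap, &a, sizeof a);
    memcpy(heap + sizeof a, &b, sizeof b);
    overflow_into_neighbour(heap, offsetof(guarded_vec, data));
    memcpy(&b, heap + sizeof a, sizeof b);
    return b;
}

/* Length the attacker now controls on the naive vector: 0xFFFFFFFF. */
uint32_t naive_attack_corrupted_length(void) { return naive_run_attack().length; }

/* The naive bounds check accepts an index far beyond the 8 real slots. */
int naive_attack_allows_oob(void) {
    naive_vec b = naive_run_attack();
    return naive_index_ok(&b, 0x10000u);
}

/* Same write against the guarded vector: -2, refused before any element is touched. */
int guarded_attack_result(void) {
    guarded_vec b = guarded_run_attack();
    uint32_t out = 0;
    return guarded_get(&b, 0x10000u, &out);
}

/* Normal use is unaffected: element 3 of an untouched vector reads back. */
uint32_t guarded_legit_read(void) {
    guarded_vec v;
    uint32_t out = 0;
    guarded_init(&v, VEC_CAP);
    v.data[3] = 42;
    return guarded_get(&v, 3, &out) == 0 ? out : 0;
}

int main(void) {
    printf("naive: corrupted length 0x%08x, index 0x10000 allowed = %d\n",
           naive_attack_corrupted_length(), naive_attack_allows_oob());
    printf("guarded: same write -> rc %d (legit read of slot 3 = %u)\n",
           guarded_attack_result(), guarded_legit_read());
    return 0;
}
```

    In the naive layout the overflow turns an 8-slot vector into one whose bounds check accepts any index, which is the read/write-anywhere primitive those exploits build on; in the guarded layout the same write is refused on the next access, whatever bug produced it. A real runtime aborts the process at that point rather than returning an error code, and the secret must be unpredictable, since an attacker who can read it can forge a matching guard.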
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  25. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    I will prepare a VM this evening to see whether they protect against this exploit.
    The only thing that hasn't been published is an overview of the configurations targeted.

    Btw, I expect that this exploit will be in msf quite fast; the sample does not seem to employ any obfuscation at all.
     