Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
Now for those who still don't know the difference between a vulnerability, crash PoC and weaponized exploit...
let me remind you with:
"So I created a malicious image (...) and I was able to successfully crash the Skype application of my friend by sending the image"

1. He never mentions that he created a weaponized RCE PoC/exploit.
2. He did not cover the root cause of the crash in his blog post. It could just as well be a null dereference instead of a memory corruption vulnerability.

It is a bit naive to make such a certain statement without even reading the whole article and thinking that this article is enough proof for your statement.

    As additional reference: https://www.wilderssecurity.com/threads/do-you-use-exploit-mitigation-software.377669/
     
    Last edited: Aug 6, 2015
  2. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    176
    Location:
    Czech Republic
it was an example, anyway enjoy your utopia ...
     
  3. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Do I completely rule-out the possibility of a remote Skype exploit? No, but I have yet to find a documented case. If you can provide one I am happy to change my opinion :)
     
  4. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
I'm having a problem with shielding on FF 39.0.3. Although the pop-up appears saying FF and plugins are shielded etc., if I use Process Explorer to check via mbae.dll it doesn't show FF. It does show other processes such as Windows Media Player etc. I've tried uninstalling and reinstalling, but the FF problem remains. I've also checked under Task Manager; it's not running.

    Win 8 x32 1.

    MBAE 1.07.1.15
     
  5. Timok

    Timok Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    58
    Location:
    Germany
    @clubhouse1

    MBAE 1.07.1.1015 is working fine under Win 7 x64 using FF 39.03

Attachments: mbae.jpg, mbae-2.jpg
     
  6. haakon

    haakon Guest

    I can confirm mbae64.dll injects 39.0.3 cyberfox.exe, but MBAE no longer presents a traybar notification or logs it as it did for 39.0 and 38.x.

    So, protection OK (I hope), notification and logging not OK. o_O

    Other shielded apps all still OK: injection, notification, logging.

    Cyberfox 64-Intel Portable - Windows 7 HP SP1 x64 - MBAE 1.07.1.1015
     
    Last edited by a moderator: Aug 7, 2015
  7. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    Seems to be working atm...Showing in Process explorer, but not the task manager.
     
  8. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
I am running the latest stable 4.20 x64 of sbie and lately when I open my browsers, MBAE only tells me I'm protected the first time I open my browsers. If I close and re-open my browsers it doesn't show the alert. I have searched with Process Explorer for the DLLs and they are loaded, but why don't I get the alert anymore?
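The check several posters describe doing by hand in Process Explorer (is mbae.dll or mbae64.dll loaded into the browser process?) can be scripted. The following PowerShell is an added example, not code from the thread or from Malwarebytes; it assumes only the two module names that appear in the thread (mbae.dll and mbae64.dll) and that it is run from an elevated prompt, since module lists of processes in other sessions or of a different bitness than the PowerShell host are not always readable.

```powershell
# Added example (not from the thread or from Malwarebytes): report which running
# processes have the MBAE hook DLL loaded. Module names are the ones named in
# the thread; adjust $hookDlls if your installation uses different file names.
$hookDlls = @('mbae.dll', 'mbae64.dll')

function Get-MbaeShieldedProcess {
    [CmdletBinding()]
    param(
        # Optional process names to focus on, e.g. firefox, chrome, iexplore, cyberfox
        [string[]]$ProcessName
    )

    $procs = if ($ProcessName) {
        Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    } else {
        Get-Process
    }

    foreach ($p in $procs) {
        try {
            # .Modules throws for protected processes, other sessions, or when a
            # 32-bit host inspects a 64-bit process; that case is reported, not hidden.
            $loaded = $p.Modules | Where-Object { $hookDlls -contains $_.ModuleName }
            [pscustomobject]@{
                Name     = $p.ProcessName
                Id       = $p.Id
                Shielded = [bool]$loaded
                Module   = ($loaded | ForEach-Object { $_.FileName }) -join ';'
                Note     = ''
            }
        } catch {
            [pscustomobject]@{
                Name     = $p.ProcessName
                Id       = $p.Id
                Shielded = $null          # unknown: module list not readable
                Module   = ''
                Note     = "module list not readable: $($_.Exception.Message)"
            }
        }
    }
}

# Usage: browsers first, then every process that currently has the hook loaded.
Get-MbaeShieldedProcess -ProcessName firefox, chrome, iexplore, cyberfox |
    Format-Table Name, Id, Shielded, Module, Note -AutoSize

Get-MbaeShieldedProcess | Where-Object Shielded |
    Format-Table Name, Id, Module -AutoSize
```

A row with Shielded = $null means the script could not read that process's modules at all, which is a different condition from "DLL not loaded"; rerun elevated, and with a PowerShell host of the same bitness as the browser, before concluding the process is unshielded.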
     
  9. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
I have a variation of the same behaviour (with IE and WIN10): MBAE only tells me I'm protected the first time I install MBAE. Then after the next reboot MBAE will be silent (on IE) forever. Yes, the .dll is still injected in IE, but there is no way to really see if MBAE is working. There must be a way to clearly highlight from the GUI what is currently protected and what is not. I found this rather basic information lacking from the current version.

    EDIT: already tried to do whatever clean install possible with MBAE support.
     
  10. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    I feel better that this weird issue is not just happening to me
     
  11. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    It's a known user interface glitch of 1.07. Already fixed for the upcoming 1.08 beta.
     
  12. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
  13. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,281
    Location:
    Hollow Earth - Telos
IE and Chrome do not show up in the MBAE log at all when they are started, so there is nothing to show that they are protected.
     
  14. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Thanks!
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,557
    Location:
    The Netherlands
    It's interesting, but apparently this is something that should be implemented into the OS itself. So I'm guessing we won't be seeing it anytime soon.
     
  17. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    6,785
    ETA?
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  19. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
Weirdly enough, this is resolved after the latest MS OS updates installed yesterday. Now I always get the MBAE pop-up (on IE and WIN10).
     
  20. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    6,785
    :thumb:
     
  21. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,281
    Location:
    Hollow Earth - Telos
MBAE just does not work well with Chrome for me, so I have to use HMPA instead. I had problems on Facebook along with slowdowns bringing up a lot of sites.
     
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Can you send me FRST logs to see if there are any conflicts with MBAE?
     
  23. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    MBAE won't update for me. It doesn't work if I try it manually, or automatically. I see it ask to connect out as if it's looking for an update, and I know there's one available (I'm on v1.06.1.1019). But it doesn't actually update.

    I know it's not a HIPS problem blocking it because I have everything set to "Ask", and treat it as an installer when it asks permission.

    I also thought maybe it used the Connection settings in Internet Options (Control Panel) to connect out like some programs do (i.e. Sandboxie), and removed a fake proxy (0.0.0.0) I have set up to effectively block that vector. But that didn't make any difference either.

    For the record I'd like to know if it does use that method though so that I can at least put that back to the way it was?

    Plus any other input to help me to get this thing to update properly. I really don't feel like manually uninstalling/installing every single new version.
     
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
Something is most likely blocking it from communicating. The service (mbae-svc.exe) connects directly to the Internet to check for upgrades at boot and every few hours thereafter. Check your other programs to make sure nothing is blocking mbae-svc.exe from communicating with the Internet.
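The troubleshooting the developer suggests (confirm nothing on the machine is stopping mbae-svc.exe from reaching the Internet) can be done from PowerShell. This is an added example, not code from the thread or from Malwarebytes; it assumes the service process name mbae-svc given in the post, that Get-NetTCPConnection and the NetSecurity firewall cmdlets are available (Windows 8 / Server 2012 and later), and it does not assume anything about which proxy settings, if any, the service honours: the WinHTTP proxy is printed only so you can see whether the "fake proxy" trick from the previous post is in effect system-wide.

```powershell
# Added example (not from the thread or from Malwarebytes): gather the facts
# needed to tell whether mbae-svc.exe can talk to the Internet. Run elevated.

function Get-MbaeServiceConnectivity {
    $result = [ordered]@{}

    # 1. Is the updater service process running at all?
    $svc = Get-Process -Name 'mbae-svc' -ErrorAction SilentlyContinue
    $result.ServiceRunning = [bool]$svc
    $result.ServicePids    = @($svc | ForEach-Object { $_.Id })

    # 2. Current TCP connections owned by the service (empty between update checks is normal).
    $result.Connections = @(
        foreach ($p in $svc) {
            Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
                Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State
        }
    )

    # 3. Windows Firewall rules that name the service binary, and whether any of them blocks it.
    $result.FirewallRules = @(
        Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
            Where-Object { $_.Program -like '*mbae-svc.exe' } |
            Get-NetFirewallRule |
            Select-Object DisplayName, Direction, Action, Enabled, Profile
    )
    $result.BlockedByFirewallRule = [bool]($result.FirewallRules |
        Where-Object { $_.Action -eq 'Block' -and $_.Enabled -eq 'True' })

    # 4. System-wide WinHTTP proxy (informational; a 0.0.0.0 proxy here would
    #    affect any program that uses WinHTTP with the default proxy configuration).
    $result.WinHttpProxy = (& netsh winhttp show proxy) -join ' ' -replace '\s+', ' '

    [pscustomobject]$result
}

$report = Get-MbaeServiceConnectivity
$report | Format-List
if (-not $report.ServiceRunning) {
    Write-Warning 'mbae-svc.exe is not running; the update check cannot happen until the service starts.'
}
if ($report.BlockedByFirewallRule) {
    Write-Warning 'An enabled Windows Firewall rule blocks mbae-svc.exe; review the FirewallRules list above.'
}
```

Third-party firewalls and HIPS products keep their own rule sets, so an empty FirewallRules list only clears Windows Firewall; check those products' own logs for entries naming mbae-svc.exe, which is where the blocking the developer describes is most often found.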
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Will MBAE protect against reflective DLL injection into the browser? It sounds like something MBAE should cover. These techniques are used by banking trojans. The description I read says it is never written to the disk. Can reflective DLL injection automatically run in the browser by exploit, or does the user have to be baited into opening an infected executable using social engineering for the injection to occur?
     