Jump to content

pbust

Staff
  • Content Count

    3,363
  • Joined

  • Last visited

About pbust

  • Rank
    Staff

Profile Information

  • Location
    Earth

Recent Profile Visitors

110,602 profile views
  1. Try disabling the LoadLibrary protection for Browsers under the Anti-Exploit Advanced Settings -> Application Behavior protection.
  2. pbust

    mbae-test tool

    Because by default MBAE shields certain popular apps (browsers, office, java, pdfreaders, etc.). You need to add hmpalert64-test.exe as a custom shield so it gets protected by MBAE before running the test.
  3. pbust

    mbae-test tool

    MBAE-TEST.EXE simulates exploit behavior like executing from the Heap, ROP gadgets, etc., but it is not weaponized and instead simply pops open the Windows Calculator. But it does trigger exploit behavior to see if the installed protection has real exploit mitigations in place or not. The reason that most AVs don't detect MBAE-TEST.EXE is because either (a) they don't want to detect it with signatures as it would make it obvious that they don't have any modern exploit mitigation technology in their product, or (b) they don't have any modern exploit mitigation technology in their products. So yeah, you guessed it, the reality is that most AVs don't have effective and signature-less exploit protection. Sophos' detection is based on their acquisition of SurfRight's HitmanPro.Alert technology, which is similar to Malwarebytes Anti-Exploit technology which does not rely on any signatures. Re: the AMTSO PUP crapware, we'll add detection for it to avoid other users questioning whether we have PUP protection in our products or not. But given the irrelevance of AMTSO as an organization, and the fact that their President is the owner of AppEsteem, a certification body whose business model is to certify PUPs in exchange for money, I wouldn't pay much attention to it.
  4. pbust

    Add Avast to PUP detection list

    Thanks for bringing this to our attention! While we hate driver/registry optimizers and crapware bundlers just as much as anybody else, and are glad that Microsoft finally caught up to our aggressive stance against them, one important distinction is that in this case Avast Free is not preventing you from updating drivers without paying, and it is not using outdated drivers as scare tactics to dupe users into purchasing. Also, the bundled software is Google Toolbar and not some other scammy toolbar (although many people would argue that ALL toolbars are crapware). We have not shied away from detecting competitors who crossed the line in the past in terms of scare tactics (e.g. PC Pitstop PCMatic), and we will keep an eye on the tactics of this an other optimizers to see if they cross the line in the future.
  5. pbust

    MBAE

    Adobe released updates yesterday to fix a bunch of vulnerabilities. Could be a case of path Monday vs exploit Tuesday. Please share MBAE logs and we'll be able to assist you.
  6. The plans are not locked in yet, but you're not too far off from everything you said above
  7. That's standard InnoSetup. The extracted installer components are unsigned even though the main installer are signed. This is pretty standard.
  8. pbust

    Extension added value to MBAM?

    As well as heuristic-based detection and blocking of browser-lockers typically used by Tech Support Scammers.
  9. Thanks Noctsol. Unfortunately there is no way to exclude individual scripts like these. Allowing Excel or Excel macros to execute a scripting program is a very large security hole which is currently abused by malware writers as an infection vector. The only other way is to create a new Policy with the anti-exploit shield disabled for Excel, and add only the machines that need to execute this script to that particular Policy.
  10. Re: MBAM and Defender, they are 100% compatible. We are using the interfaces available only to AV to manage the registrations and status updates of MBAM in the Windows Security Center. Only Microsoft approved antivirus providers can do this. The difference is that by default we install side-by-side with Defender (even though this behavior can be changed under Settings) as we've always believed that a layered approach is always preferable to relying on a single product. Re: testing methodologies, we've also always been up front about our disagreement with third party testing vendors (and AMTSO). We disagree with the fact they don't test vector blocking defenses (i.e. not full product), we disagree with their selection of samples (most of the times older than 1 month, no real focus on 0-day effectiveness), we disagree with the "pay to see misses" business model, and we disagree with the use of simulators which do not behave like real malware does nor does it simulate the infection vector. These are typical practices found in most if not all of the 3rd party testing companies, where each testing company incorporates at least two of the above practices. AMTSO, since its inception, hasn't been able to influence any significant change in AV testing in its entire lifespan. AMTSO doesn't have teeth and has failed on its original mission of improving and evolving AV testing. None of the above should be news to anybody. We've been pretty open and upfront about our views all along. We don't expect everybody to agree with us, but this has been the position since the beginning of Malwarebytes and, even though we will be participating shortly in 3rd party testing, our views about their business model still remain the same. In summary, if you're a troll, move on and stop spreading FUD. You're not welcomed here. To everybody else, if you have questions or concerns about how Malwarebytes replaces and improves your AV, or our views on AV testing, we have been and remain open to having an honest and transparent conversation. Feel free to PM me and I will gladly try to answer any and all concerns you might have about our technologies or our views on testing.
  11. Thank you, I feel the same way. We're being extra careful of not just adding blot to meet the test demands. In most cases, the samples tested by 3rd party labs are samples which have long been dead. We'll play the game, but without adding unnecessary bloat.
  12. Ahh, sorry, I thought you were also called Sveta (I've spoken to Sveta @ MRG few times before).
  13. Hi Sveta, as we've said many times, we don't agree with most testing methodologies out there as they consistently don't test any of the vector blocking capabilities of security products. MB3 relies heavily on vector blocking for early detecting and blocking of modern threats. Yet most labs, including MRG, grab the last stage payload and funk around with it and just test it against the on-access and post-execution protection layers, completely bypassing the vector blocking capabilities which could have stopped the threat in the real world. Malware spreads using certain techniques which are blocked by MB3, and neither MRG nor any of the other labs replicate those real-world environments, and ergo do not test the full product, only portions thereof. We will be participating in more lab tests shortly and biting the bullet of adding unnecessary bloat to the product to entertain these unrealistic tests and test fanboys, but that doesn't mean that we agree with them. Their testing methodologies are all ~10 years old.
  14. Just send everything within C:\ProgramData\Malwarebytes\MBAMService\Logs\ (path may vary depending on the product version)
  15. Hi. Please attach your endpoint detection logs. There are two advanced settings that can be tweaked to allow these type of actions. But we'll need the logs to figure out which one it is.
×

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.