pbust

Staff
  • Content Count: 3,373

Everything posted by pbust

  1. Unfortunately this is a hard block for the time being. The anti-exploit component prevents any automated execution of scripting apps from Internet-facing applications. If you save the script to disk and execute it from a command line with a non-browser and non-mailclient parent process, it will be allowed to execute. We are evaluating some future enhancements to the anti-exploit component to allow more granularity around allowed/blocked dangerous actions.
  2. It is actually XP that starts unreliably and sometimes it takes longer than others, triggering the MBAE service timeout. If you really want to run the latest, try switching the MBAE service to Manual, and then creating a batch script that runs at boot, sleeps for a few minutes, then starts the MBAE service and then runs the mbae UI executable.
  3. Yes, a few years ago we added the most common and popular email clients as default internal shields for blocking malicious attachments.
  4. You're correct. This is mostly designed for corporate environments.
  5. Hey hake, long time no talk. Hope you're doing ok. Pen-testing is a legitimate activity when done correctly. Some pen-testing tactics mimic malware activity and some don't. We've basically created this option for people who want to detect pen-testing activity even if it is not found in-the-wild in malware attacks.
  6. Hi hake. You can cancel the subscription and continue using the perpetual standalone beta for consumers which is basically the same functionality.
  7. Arthi is on vacation, trying to cover for her. Try this link instead: https://malwarebytes.box.com/s/qmsnivh3l0gy795g6a1lizqsfwfqjxsy
  8. Hi hake, long time no speak. Glad to see you're still around keeping an eye on MBAE! Yes, the team is still very active and introducing lots of improvements into MBAE on a regular basis. Thanks to you and all other testers for helping us keep MBAE effective and evolving over time!
  9. Try disabling the LoadLibrary protection for Browsers under the Anti-Exploit Advanced Settings -> Application Behavior protection.
  10. pbust, in "mbae-test tool": Because by default MBAE shields certain popular apps (browsers, Office, Java, PDF readers, etc.). You need to add hmpalert64-test.exe as a custom shield so it gets protected by MBAE before running the test.
  11. pbust, in "mbae-test tool": MBAE-TEST.EXE simulates exploit behavior like executing from the Heap, ROP gadgets, etc., but it is not weaponized and instead simply pops open the Windows Calculator. But it does trigger exploit behavior to see if the installed protection has real exploit mitigations in place or not. The reason that most AVs don't detect MBAE-TEST.EXE is because either (a) they don't want to detect it with signatures as it would make it obvious that they don't have any modern exploit mitigation technology in their product, or (b) they don't have any modern exploit mitigation technology in their products.
  12. Thanks for bringing this to our attention! While we hate driver/registry optimizers and crapware bundlers just as much as anybody else, and are glad that Microsoft finally caught up to our aggressive stance against them, one important distinction is that in this case Avast Free is not preventing you from updating drivers without paying, and it is not using outdated drivers as scare tactics to dupe users into purchasing. Also, the bundled software is Google Toolbar and not some other scammy toolbar (although many people would argue that ALL toolbars are crapware). We have not shied aw
  13. Adobe released updates yesterday to fix a bunch of vulnerabilities. Could be a case of patch Monday vs exploit Tuesday. Please share MBAE logs and we'll be able to assist you.
  14. The plans are not locked in yet, but you're not too far off from everything you said above
  15. That's standard InnoSetup. The extracted installer components are unsigned even though the main installer is signed. This is pretty standard.
  16. As well as heuristic-based detection and blocking of browser-lockers typically used by Tech Support Scammers.
  17. Thanks Noctsol. Unfortunately there is no way to exclude individual scripts like these. Allowing Excel or Excel macros to execute a scripting program is a very large security hole which is currently abused by malware writers as an infection vector. The only other way is to create a new Policy with the anti-exploit shield disabled for Excel, and add only the machines that need to execute this script to that particular Policy.
  18. Re: MBAM and Defender, they are 100% compatible. We are using the interfaces available only to AV to manage the registrations and status updates of MBAM in the Windows Security Center. Only Microsoft approved antivirus providers can do this. The difference is that by default we install side-by-side with Defender (even though this behavior can be changed under Settings) as we've always believed that a layered approach is always preferable to relying on a single product. Re: testing methodologies, we've also always been up front about our disagreement with third party testing vendors (and A
  19. Thank you, I feel the same way. We're being extra careful of not just adding bloat to meet the test demands. In most cases, the samples tested by 3rd party labs are samples which have long been dead. We'll play the game, but without adding unnecessary bloat.
  20. Ahh, sorry, I thought you were also called Sveta (I've spoken to Sveta @ MRG few times before).
  21. Hi Sveta, as we've said many times, we don't agree with most testing methodologies out there as they consistently don't test any of the vector blocking capabilities of security products. MB3 relies heavily on vector blocking for early detecting and blocking of modern threats. Yet most labs, including MRG, grab the last stage payload and funk around with it and just test it against the on-access and post-execution protection layers, completely bypassing the vector blocking capabilities which could have stopped the threat in the real world. Malware spreads using certain techniques which are
  22. Just send everything within C:\ProgramData\Malwarebytes\MBAMService\Logs\ (path may vary depending on the product version)
  23. Hi. Please attach your endpoint detection logs. There are two advanced settings that can be tweaked to allow these types of actions. But we'll need the logs to figure out which one it is.