
pbust (Staff, 3,369 posts)

Posts posted by pbust

  1. We are about to release version 0.09.4.1000 in the next few hours/days. Once it is released download and install it and try again. If you still get a false positive come back and post the steps to replicate it.

     

    The disappearing log after reboot is a known issue which we will fix in the next beta after 09.4.

     

    Regarding the normal way for downloading files, if a malicious site uses that then it won't be an exploit, it will be a normal download where it will prompt you if you want to save the file to your computer.

  2. It could be that the WebX tries to launch the file in different ways and the more normal way was allowed to execute as it was not using typical exploit techniques.

     

    Which version of MBAE are you using?

     

    When you click on the blocked event in the UI under LOGS, do you get the option of adding the file to the exclusions?

  3. Not only Java, also Acrobat is shown separately. This is because these two are "special" apps. Not only do they function as browser plugins but also as independent apps (think opening a pdf attached to email). They are also by far the most targeted apps in terms of exploits.

  4. Yes, any modules which may be loaded within the browser (such as Flash, Java, Shockwave, Acrobat, Silverlight, etc.) will be protected by MBAE. In the shields tab it doesn't mention each one individually as there may be thousands of available plug-ins, add-ons, etc.

  5. This discussion is quickly moving from "noob questions" to "l33t questions" :) But it's all good, we like discussing these things openly, thanks for participating matth79!!

     

    In terms of parallels, MBAE is much more similar to EMET than it is to Blade Defender. If you read the Blade Defender paper (I haven't read it in a few years, so I might miss a detail or two) the technology works in a completely different way than both EMET and MBAE. They basically have a sandbox mechanism for the actions from protected processes. This is very different from both EMET and MBAE in that we protect the application in real-time by intercepting the execution flow rather than redirecting it. This is an over-simplification but it serves to illustrate the point.

     

    AFAIK the Blade Defender project was purchased by SRI International and my best guess is that it is probably either abandoned or being kept as a secret defense project within the US Military (or more likely, both).

     

    Going back to parallels between MBAE and EMET, I want to stress my point (1) above that MBAE is growing and includes both stage 1 protection techniques similar to EMET as well as stage 2 protection techniques. As opposed to MBAE, EMET cannot grow to include stage 2 protections or even include some of the stage 1 techniques that we are including. This is not a technical limitation but rather a MSFT policy limitation.

  6. Thanks for your interest and welcome to the forum matth79!

     

    In terms of comparing MBAE to EMET, let's look first at the differences in the objective.

     

    • EMET is mainly designed to enforce OS protections on third-party (i.e. non-Microsoft) applications. So for example you can force non-ASLR compliant apps to use ASLR. It also includes other mitigations which are very nice and handy, as well as the certificate trust feature.
    • MBAE on the other hand has been designed as a global (i.e. complete, as in you don't need anything else) multi-layer anti-exploit real-time protection. While some of the mitigations are similar in nature, MBAE is more complete as an anti-exploit as it includes multiple techniques against both stage 1 and stage 2 of the exploit attacks (while EMET is just stage 1). So basically in case something bypasses exploit stage 1 protections with EMET, you are out of luck. With MBAE if some exploit bypasses stage 1 you still have the stage 2 protection layers protecting you as a safety net.

     

    Some other differences are the following:

    1. MBAE is growing and including EMET protections and even other types of protections not found currently in EMET or MBAE. We keep on adding new techniques every other week to make MBAE even more robust and complete as an anti-exploit.
    2. EMET’s protections are limited in older Operating Systems such as XP, while MBAE is not. Under XP MBAE is much more effective than EMET. This is especially important for larger companies where they still rely on older OS versions and are much more vulnerable.
    3. Finally, potential bypasses for EMET (there have been a few in the past) do not affect MBAE as we include the exploit stage 2 protections not found in EMET as a safety net.

    Having said all that, I also have to say that EMET is great and we have been great fans of it since the beginning. If you are a security enthusiast or security paranoid you can install both EMET and MBAE and you will have much more protection than having just one or the other. But for the rest of the regular joe blow and gramma users MBAE is much better fitted as it is truly install-and-forget.

     

    I hope this helped answer your questions.
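    A practitioner reading the point above about forcing ASLR onto non-compliant applications usually wants a quick way to tell whether a given binary opted in on its own. The following Python is an added example, not code from pbust, MBAE or EMET: it reads the DllCharacteristics field of a PE optional header and reports the ASLR (DYNAMIC_BASE), DEP (NX_COMPAT), high-entropy and CFG flags, and it also reports IMAGE_FILE_RELOCS_STRIPPED, because an image with no relocation data cannot be rebased however hard a mitigation tool tries. The PE images it inspects are constructed inside the script (headers only, not runnable binaries), so it works offline; the offsets and flag values are taken from the PE/COFF specification.

```python
"""Report the PE header flags that ASLR and DEP enforcement depend on.

Added example (not pbust's or Malwarebytes' code). The PE images examined
below are constructed in build_pe(), headers only, so the script runs offline.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits (optional header, offset 70).
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with a larger randomisation range
DYNAMIC_BASE    = 0x0040   # image may be relocated at load time (ASLR opt-in)
NX_COMPAT       = 0x0100   # image is compatible with DEP
NO_SEH          = 0x0400   # image uses no structured exception handlers
GUARD_CF        = 0x4000   # Control Flow Guard instrumented

# IMAGE_FILE_* bit from the COFF header Characteristics field.
RELOCS_STRIPPED = 0x0001   # no .reloc data: the loader cannot rebase the image


def inspect_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to report its mitigation opt-ins."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes total).
    _machine, _, _, _, _, _, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header for both PE32
    # and PE32+: the 8-byte ImageBase of PE32+ replaces BaseOfData+ImageBase.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(file_chars & RELOCS_STRIPPED)
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        # Effective ASLR needs the opt-in bit AND relocation data to apply it.
        "aslr": dynamic_base and not relocs_stripped,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & NX_COMPAT),
        "no_seh": bool(dll_chars & NO_SEH),
        "cfg": bool(dll_chars & GUARD_CF),
        "relocs_stripped": relocs_stripped,
        # A mitigation tool can only *force* rebasing when .reloc data exists.
        "aslr_forceable": not relocs_stripped,
    }


def build_pe(pe32plus: bool, dll_chars: int, file_chars: int = 0) -> bytes:
    """Construct a header-only PE image for testing (hypothetical, not loadable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew: PE header follows DOS header
    magic = 0x20B if pe32plus else 0x10B
    size_opt = 112 if pe32plus else 96       # standard sizes without data directories
    machine = 0x8664 if pe32plus else 0x14C  # AMD64 / I386
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, size_opt, file_chars)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, 2)       # Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def report(label: str, data: bytes) -> str:
    """One-line human-readable verdict for an image."""
    info = inspect_pe(data)
    if info["aslr"]:
        verdict = "opts in to ASLR"
    elif info["relocs_stripped"]:
        verdict = "no ASLR and it cannot be forced (relocations stripped)"
    else:
        verdict = "no ASLR opt-in, but a mitigation tool could force rebasing"
    return "%s: %s; DEP=%s" % (label, verdict, "on" if info["dep"] else "off")


if __name__ == "__main__":
    # Three constructed images: a modern x64 opt-in, a legacy x86 image that a
    # tool such as EMET could rebase, and one whose relocations were stripped.
    print(report("modern x64", build_pe(True, DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT)))
    print(report("legacy x86", build_pe(False, 0)))
    print(report("stripped  ", build_pe(False, NX_COMPAT, RELOCS_STRIPPED)))
```

    Point `inspect_pe` at the bytes of a real executable to check any third-party application; the `aslr_forceable` field is the one that matters when deciding whether a mandatory-ASLR setting can help a binary that never opted in.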

  7. Thanks for your interest and suggestions. The suggestions you brought up are very similar in nature to another type of product, not to an anti-exploit.

     

    In terms of translators we will need help in the future after the beta testing period. Thanks for offering, we will keep in touch when the time comes. :)

  8. I'm guessing this is Opera 12.x and not the latest based on Chrome?

     

    We are about to release a new version of MBAE which uses a different technique for the memory checks. It sounds to me like that could be the culprit of the problems you are having. Please keep an eye on this forum for announcement of the new version and try that one instead. It should be released in 2 or 3 weeks if it performs well during QA checks.

  9. Thanks for reporting and welcome to the forum!

     

    In terms of Pale Moon and Avant, this should not have anything to do with MBAE as those browsers are not supported by MBAE.

     

    In terms of Opera and Firefox, what is the executable name of the portable versions? Are they still opera.exe and firefox.exe?

     

    Lastly, what version of MBAE is installed? Is it the latest 0.09.3.1000?

  10. Agreed Ritchie.

     

    As mentioned the next version of MBAE will include an "Exploit Test" application which will allow you to test MBAE. It's kinda like an EICAR but for exploits. This will also allow you to verify if MBAE is working and/or has conflicts with other installed software.

  11. Yes the Sandboxie creator is aware of the issue and so are we. However it is not a priority for us, at least during the beta phase. After we finish the engine and go final with 1.0 we will probably take a look at the incompatibility.

  12. Hi cyberpau, sorry for the late reply, my fault.

     

    First off let me start by saying that MBAE includes multiple protection layers against exploits, both in Stage 1 as well as Stage 2. Other products such as EMET only include stage 1 protection so if that is bypassed you're out of luck. Having MBAE provides more comprehensive protection.

     

    In terms of your suggestions:

    • Adding other browsers and applications to the list of protected software. During the beta phase we are more concerned about finishing the engine and going 1.0 than covering many more applications. Once we go final we will start adding more applications to the list of protected software.
    • Website blocking: it is not currently in the plans to add website blocking to MBAE. The way it currently is in MBAM is perfect as it complements the anti-malware component and increases your protection. MBAE will still be a generic protection against exploits, without blacklists, whitelists or sandboxing.
    • Adding cloud-based engine or sandbox is outside the scope of MBAE. The objective is to be a very small yet very powerful generic protection against exploits. For AV/AM features please turn to MBAM.

    Hope I clarified your doubts and again sorry for the late reply.

  13. We have replicated the problem with HMP.Alert and will be fixing it in one of the next beta versions.

     

    > I would try to reproduce that issue, but now there is another one - I have installed Windows 8.1 Pro x64 RTM and MBAE doesn't start at all, there is an issue with driver loading, but I have already started a new topic, in order not to litter that one.

    This is known issue #7:

    http://forums.malwarebytes.org/index.php?showtopic=130688

     

    Will be fixed when 8.1 becomes final. Right now it's still beta.
