pbust

Staff
  • Posts

    3,406
Posts posted by pbust

  1. Not only Java, also Acrobat is shown separately. This is because these two are "special" apps. Not only do they function as browser plugins but also as independent apps (think opening a PDF attached to an email). They are also by far the most targeted apps in terms of exploits.

  2. Yes, any modules which may be loaded within the browser (such as Flash, Java, Shockwave, Acrobat, Silverlight, etc.) will be protected by MBAE. In the shields tab it doesn't mention each one individually as there may be thousands of available plug-ins, add-ons, etc.

  3. This discussion is quickly moving from "noob questions" to "l33t questions" :) But it's all good, we like discussing these things openly, thanks for participating matth79!!

     

    In terms of parallels, MBAE is much more similar to EMET than it is to Blade Defender. If you read the Blade Defender paper (I haven't read it in a few years, so I might miss a detail or two) the technology works in a completely different way than both EMET and MBAE. They basically have a sandbox mechanism for the actions from protected processes. This is very different from both EMET and MBAE in that we protect the application in real-time by intercepting the execution flow rather than redirecting it. This is an over-simplification but it serves to illustrate the point.

     

    AFAIK the Blade Defender project was purchased by SRI International and my best guess is that it is probably either abandoned or being kept as a secret defense project within the US Military (or more likely, both).

     

    Going back to parallels between MBAE and EMET, I want to stress my point (1) above that MBAE is growing and includes both stage 1 protection techniques similar to EMET as well as stage 2 protection techniques. As opposed to MBAE, EMET cannot grow to include stage 2 protections or even include some of the stage 1 techniques that we are including. This is not a technical limitation but rather a MSFT policy limitation.

  4. Thanks for your interest and welcome to the forum matth79!

     

    In terms of comparing MBAE to EMET, let's look first at the differences in the objective.

     

    • EMET is mainly designed to enforce OS protections on third party (i.e. non-Microsoft) applications. So for example you can force non-ASLR compliant apps to use ASLR. It also includes other mitigations which are very nice and handy as well as the certificate trust feature.
    • MBAE on the other hand has been designed as a global (i.e. complete, as in you don't need anything else) multi-layer anti-exploit real-time protection. While some of the mitigations are similar in nature, MBAE is more complete as an anti-exploit as it includes multiple techniques against both stage 1 and stage 2 of the exploit attacks (while EMET is just stage 1). So basically in case something bypasses exploit stage 1 protections with EMET, you are out of luck. With MBAE if some exploit bypasses stage 1 you still have the stage 2 protection layers protecting you as a safety net.

     

    Some other differences are the following:

    1. MBAE is growing and including EMET protections and even other types of protections not found currently in EMET or MBAE. We keep on adding new techniques every other week to make MBAE even more robust and complete as an anti-exploit.
    2. EMET’s protections are limited in older Operating Systems such as XP, while MBAE is not. Under XP MBAE is much more effective than EMET. This is especially important for larger companies where they still rely on older OS versions and are much more vulnerable.
    3. Finally, potential bypasses for EMET (there have been a few in the past) do not affect MBAE as we include the exploit stage 2 protections not found in EMET as a safety net.

    Having said all that I also have to say that EMET is great and we have been great fans of it since the beginning. If you are a security enthusiast or security paranoid you can install both EMET and MBAE and you will have much more protection than having just one or the other. But for the rest of the regular joe blow and grandma users MBAE is much better fitted as it is truly install-and-forget.

     

    I hope this helped answer your questions.

  5. Thanks for your interest and suggestions. The suggestions you brought up are very similar in nature to other types of products, not to an anti-exploit.

     

    In terms of translators we will need help in the future after the beta testing period. Thanks for offering, we will keep in touch when the time comes. :)

  6. I'm guessing this is Opera 12.x and not the latest based on Chrome?

     

    We are about to release a new version of MBAE which uses a different technique for the memory checks. It sounds to me like that could be the culprit of the problems you are having. Please keep an eye on this forum for the announcement of the new version and try that one instead. It should be released in 2 or 3 weeks if it performs well during QA checks.

  7. Thanks for reporting and welcome to the forum!

     

    In terms of Pale Moon and Avant, this should not have anything to do with MBAE as those browsers are not supported by MBAE.

     

    In terms of Opera and Firefox, what is the executable name of the portable versions? Are they still opera.exe and firefox.exe?

     

    Lastly, what version of MBAE is installed? Is it the latest 0.09.3.1000?

  8. Agreed Ritchie.

     

    As mentioned the next version of MBAE will include an "Exploit Test" application which will allow you to test MBAE. It's kinda like an EICAR but for exploits. This will also allow you to verify if MBAE is working and/or has conflicts with other installed software.

  9. Yes the Sandboxie creator is aware of the issue and so are we. However it is not a priority for us, at least during the beta phase. After we finish the engine and go final with 1.0 we will probably take a look at the incompatibility.

  10. Hi cyberpau, sorry for the late reply, my fault.

     

    First off let me start by saying that MBAE includes multiple protection layers against exploits, both in Stage 1 as well as Stage 2. Other products such as EMET only include stage 1 protection so if that is bypassed you're out of luck. Having MBAE provides more comprehensive protection.

     

    In terms of your suggestions:

    • Adding other browsers and applications to the list of protected software. During the beta phase we are more concerned about finishing the engine and going 1.0 than covering many more applications. Once we go final we will start adding more applications to the list of protected software.
    • Website blocking: it is not currently in the plans to add website blocking to MBAE. The way it currently is in MBAM is perfect as it complements the anti-malware component and increases your protection. MBAE will still be a generic protection against exploits, without blacklists, whitelists or sandboxing.
    • Adding cloud-based engine or sandbox is outside the scope of MBAE. The objective is to be a very small yet very powerful generic protection against exploits. For AV/AM features please turn to MBAM.

    Hope I clarified your doubts and again sorry for the late reply.

  11. We have replicated the problem with HMP.Alert and will be fixing it in one of the next beta versions.

     

    I would try to reproduce that issue, but now there is another one - I have installed Windows 8.1 Pro x64 RTM and MBAE doesn't start at all, there is an issue with driver loading, but I have already started a new topic, in order not to litter that one.

    This is known issue #7:

    http://forums.malwarebytes.org/index.php?showtopic=130688

     

    Will be fixed when 8.1 becomes final. Right now it's still beta.

  12. So if I purposefully lowered my security settings (which I wouldn't do), and a website did drop and run something without my interaction without using an exploit, MBAE would not stop that one because that wasn't exploit-driven?

    Correct

     

    But if I kept my browser security settings as they are, and accidentally went to a website that attempted a "drop and run" without my interaction or without knowingly lowering my browser settings, MBAE would stop that? A lot of new information, I always thought drop and run were called "drive by" downloads and that they all used an exploit of some sort, my brain is trying to understand all the information you're giving so I hope I'm understanding you correctly and I hope I'm not just asking the same thing over and over.

     

    Correct, MBAE would stop that if the drive-by was performed using an exploit. In reality most drive-by downloads use exploits as the default config of browsers prevents an accidental drive-by without user interaction and without exploit.

  13. So, MBAE would not stop those types of downloads since they do not use exploits to drop and run the payload silently, correct?

    Correct.

     

    But it would protect against the websites that do attempt to drop and run it silently without user interaction? So, say I or another user visits a website that either is compromised unbeknownst to the website owner, or a website that is dedicated to hosting malware and is known by the owner, and this site attempts to drop and run a payload without interaction, this is what you would consider a drive-by and MBAE would stop the payload from hitting the computer?

    Yes, although there's a slight difference between "drop and run a payload without user interaction" and "drop and run a payload using an exploit". MBAE is focused on blocking exploits, regardless of whether they are utilized in drive-by downloads, targeted attacks, financial attacks, cyber-espionage or advanced persistent threats. There are certain very unlikely situations where you can manually lower the security settings of your browser and a website could then "drop and run a payload without user interaction" without requiring exploits. But this is extremely rare as you would have to purposely and knowingly tweak a bunch of browser settings to allow it to happen.

  14. Some people may refer to drive-by downloads as something completely different. From my perspective a drive-by download makes use of an exploit in order to silently drop and run the malware, i.e. it is not dependent upon user interaction like prompting to run a file. If there is a prompt asking you whether you want to save or run the file, in my opinion it is not a drive-by download but rather a social engineering attack.

     

    Some people in the antivirus industry might even call a straight download of an EXE/COM a "drive-by download", which in my opinion it is not:

    http://www.amtso.org/feature-settings-check.html

      --> "2. Test if my protection against a drive-by download (EICAR.COM) is enabled"

    It might be possible in such cases that they would want you to believe you are protected against "drive-by downloads" when in reality you are not.

  15. No need to apologize for asking questions. Other young and not-so-young users will surely benefit from your questions.

     

    MBAE will protect against drive-by downloads which use application vulnerabilities to exploit a hole in the system and remotely execute code on your machine without requiring any intervention on your part. Basically in these scenarios you get infected simply by visiting a page. A real example of this was a few months ago when the NBC website was compromised for a few hours and any visitors to their website were exposed to the exploit or drive-by download.

     

    In addition to exploit-driven drive-by downloads MBAE also protects against other types of vulnerability exploits, such as malicious PDF, DOC, XLS, PPT and other types of maliciously rigged files which exploit vulnerabilities in their corresponding program (Acrobat Reader, MS Word, Excel, etc.). Hackers normally use these tactics and spam out these types of files attached to emails. The moment you open the rigged PDF file with Acrobat Reader it also silently runs some type of malware on your machine.

     

    I hope this clarifies a bit how MBAE protects against exploits.
