in Anti-Exploit Beta
Posted October 4, 2013
Yes, correct, all plugins are protected. Since we look generically at the application itself (iexplore.exe, firefox.exe, etc) everything running within the process space is also automatically protected.
Not only Java but also Acrobat is shown separately. This is because these two are "special" apps. Not only do they function as browser plugins but also as independent apps (think opening a PDF attached to an email). They are also by far the most targeted apps in terms of exploits.
Yes, any modules which may be loaded within the browser (such as Flash, Java, Shockwave, Acrobat, Silverlight, etc.) will be protected by MBAE. In the shields tab it doesn't mention each one individually as there may be thousands of available plug-ins, add-ons, etc.
A few months, maybe end of year or beginning of next if everything goes smoothly.
Posted October 2, 2013
Thanks for the report and welcome to the forum. We are aware of this issue and are already working on a fix. Please keep an eye on this forum for announcements of new versions.
Posted September 26, 2013
I know this might be basic @heresthewire, but check your taskbar icons by clicking the up arrow to make sure that the blue-and-white MBAE shield is there.
If that's not the case, open Task Manager (right-click on the taskbar and choose Task Manager) or Process Explorer and see if MBAE.exe is running.
This discussion is quickly moving from "noob questions" to "l33t questions". But it's all good, we like discussing these things openly, thanks for participating matth79!!
In terms of parallels, MBAE is much more similar to EMET than it is to Blade Defender. If you read the Blade Defender paper (I haven't read it in a few years, so I might miss a detail or two) the technology works in a completely different way than both EMET and MBAE. They basically have a sandbox mechanism for the actions from protected processes. This is very different from both EMET and MBAE in that we protect the application in real-time by intercepting the execution flow rather than redirecting it. This is an over-simplification but it serves to illustrate the point.
AFAIK the Blade Defender project was purchased by SRI International and my best guess is that it is probably either abandoned or being kept as a secret defense project within the US Military (or more likely, both).
Going back to parallels between MBAE and EMET, I want to stress my point (1) above that MBAE is growing and includes both stage 1 protection techniques similar to EMET as well as stage 2 protection techniques. As opposed to MBAE, EMET cannot grow to include stage 2 protections or even include some of the stage 1 techniques that we are including. This is not a technical limitation but rather a MSFT policy limitation.
Posted September 25, 2013
Thanks for your interest and welcome to the forum matth79!
In terms of comparing MBAE to EMET, let's look first at the differences in the objective.
Some other differences are the following:
Having said all that I also have to say that EMET is great and we have been great fans of it since the beginning. If you are a security enthusiast or security paranoid you can install both EMET and MBAE and you will have much more protection than having just one or the other. But for the rest of the regular Joe Blow and grandma users MBAE is much better fitted as it is truly install-and-forget.
I hope this helped answer your questions.
Thanks for your interest and suggestions. The suggestions you brought up are very similar in nature to other types of products, not to an anti-exploit.
In terms of translators we will need help in the future after the beta testing period. Thanks for offering, we will keep in touch when the time comes.
I'm guessing this is Opera 12.x and not the latest based on Chrome?
We are about to release a new version of MBAE which uses a different technique for the memory checks. It sounds to me like that could be the culprit of the problems you are having. Please keep an eye on this forum for announcement of the new version and try that one instead. It should be released in 2 or 3 weeks if it performs well during QA checks.
Posted September 24, 2013
Thanks for reporting and welcome to the forum!
In terms of Pale Moon and Avant, this should not have anything to do with MBAE as those browsers are not supported by MBAE.
In terms of Opera and Firefox, what is the executable name of the portable versions? Are they still opera.exe and firefox.exe?
Lastly, what version of MBAE is installed? Is it the latest 0.09.3.1000?
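The two checks the replies above ask users to make (is MBAE.exe running, and are the browsers actually running under the executable names MBAE keys on, such as opera.exe and firefox.exe) can be scripted. The following PowerShell is an added example and is not MBAE's own tooling. It assumes MBAE's process is named mbae.exe (as stated in this thread) and, as a labelled assumption, that the component MBAE injects into the browser has a module name starting with "mbae"; the browser list is also just a starting point. A renamed portable build will show up with its real image name and path, and a browser that shows GuardLoaded = False while mbae.exe is running is the situation to report back here (for example when a sandbox blocks the injection).

```powershell
# Added example, not MBAE's own code. Checks that the MBAE process is running and
# reports, for each running browser, the exact image name, path and whether a module
# matching $ModulePattern is loaded in that process.
param(
    [string[]]$BrowserNames = @('iexplore', 'firefox', 'opera', 'chrome'),  # assumption: typical list
    [string]$GuardProcess   = 'mbae',   # mbae.exe, per the thread
    [string]$ModulePattern  = 'mbae*'   # ASSUMPTION: injected module name starts with "mbae"
)

function Test-GuardRunning {
    $p = Get-Process -Name $GuardProcess -ErrorAction SilentlyContinue
    if ($p) {
        "OK: $GuardProcess.exe is running (PID $($p.Id -join ', '))"
    } else {
        "FAIL: $GuardProcess.exe is not running - check the tray icon and Task Manager"
    }
}

function Get-BrowserStatus {
    foreach ($name in $BrowserNames) {
        $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
        if (-not $procs) { continue }
        foreach ($proc in $procs) {
            # Reading .Modules can throw (32/64-bit mismatch, access denied); treat that as "unknown".
            $mods = @()
            $modulesReadable = $true
            try {
                $mods = @($proc.Modules | Where-Object { $_.ModuleName -like $ModulePattern })
            } catch {
                $modulesReadable = $false
            }
            [pscustomobject]@{
                PID             = $proc.Id
                Image           = "$($proc.ProcessName).exe"   # what MBAE matches on
                Path            = $proc.Path                   # reveals portable/renamed builds
                GuardLoaded     = if ($modulesReadable) { $mods.Count -gt 0 } else { 'unknown' }
                MatchingModules = ($mods | ForEach-Object { $_.ModuleName }) -join ', '
            }
        }
    }
}

Test-GuardRunning
Get-BrowserStatus | Format-Table -AutoSize
```

Run it from a PowerShell prompt with the browsers open. If a 64-bit browser reports "unknown", rerun from a 64-bit (and, if needed, elevated) PowerShell so the module list can be read.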
As mentioned the next version of MBAE will include an "Exploit Test" application which will allow you to test MBAE. It's kinda like an EICAR but for exploits. This will also allow you to verify if MBAE is working and/or has conflicts with other installed software.
Posted September 17, 2013
Yes the Sandboxie creator is aware of the issue and so are we. However it is not a priority for us, at least during the beta phase. After we finish the engine and go final with 1.0 we will probably take a look at the incompatibility.
Posted September 16, 2013
Hi cyberpau, sorry for the late reply, my fault.
First off let me start by saying that MBAE includes multiple protection layers against exploits, both in Stage 1 as well as Stage 2. Other products such as EMET only include stage 1 protection so if that is bypassed you're out of luck. Having MBAE provides more comprehensive protection.
In terms of your suggestions:
Hope I clarified your doubts and again sorry for the late reply.
Posted September 15, 2013
This is known issue #7:
Will be fixed when 8.1 becomes final. Right now it is still beta.
We have replicated the problem with HMP.Alert and will be fixing it in one of the next beta versions.
I would try to reproduce that issue, but now there is another one - I have installed Windows 8.1 Pro x64 RTM and MBAE doesn't start at all, there is an issue with driver loading, but I have already started new topic, in order not to litter that one.
Will be fixed when 8.1 becomes final. Right now it's still beta.
Yes, this is known issue #4:
It seems Sandboxie is blocking MBAE's injection to the browser.
Posted September 13, 2013
Cool, glad I could help!
So if I purposefully lowered my security settings (which I wouldn't do), and a website did drop and run something without my interaction without using an exploit, MBAE would not stop that one because that wasn't exploit-driven?
But if I kept my browser security settings as they are, and accidentally went to a website that attempted a "drop and run" without my interaction or without knowingly lowering my browser settings, MBAE would stop that? That's a lot of new information; I always thought drop and run attacks were called "drive-by" downloads and that they all used an exploit of some sort. My brain is trying to understand all the information you're giving, so I hope I'm understanding you correctly and I hope I'm not just asking the same thing over and over.
Correct, MBAE would stop that if the drive-by was performed using an exploit. In reality most drive-by downloads use exploits as the default config of browsers prevents an accidental drive-by without user interaction and without exploit.
WOW, that's a lot of security apps!
Very soon we will release a small tool that simulates an exploit and will allow you to check that MBAE is working correctly. Please keep an eye on this sub-forum announcements.
So, MBAE would not stop those types of downloads since they do not use exploits to drop and run the payload silently, correct?
But it would protect against the websites that do attempt to drop and run it silently without user interaction? So, say I or another user visits a website that either is compromised unbeknownst to the website owner, or a website that is dedicated to hosting malware and is known by the owner, and this site attempts to drop and run a payload without interaction; this is what you would consider a drive-by and MBAE would stop the payload from hitting the computer?
Yes, although there's a slight difference between "drop and run a payload without user interaction" and "drop and run a payload using an exploit". MBAE is focused on blocking exploits, regardless of whether they are utilized in drive-by downloads, targeted attacks, financial attacks, cyber-espionage or advanced persistent threats. There are certain very unlikely situations where you can manually lower the security settings of your browser and a website could then "drop and run a payload without user interaction" without requiring exploits. But this is extremely rare as you would have to purposely and knowingly tweak a bunch of browser settings to allow it to happen.
Posted September 12, 2013
It works for me though (even with restart). I'm using Windows 7 SP1 32-Bit (don't ask why I am using 32-Bit).
What do you mean by "it works for me"? You mean the exclusions work and they are persistent after a reboot?
Some people may refer to drive-by downloads as something completely different. From my perspective a drive-by download makes use of an exploit in order to silently drop and run the malware, i.e. it is not dependent upon user interaction like prompting to run a file. If there is a prompt asking you whether you want to save or run the file, in my opinion it is not a drive-by download but rather a social engineering attack.
Some people in the antivirus industry might even call a straight download of an EXE/COM a "drive-by download", which in my opinion it is not:
--> "2. Test if my protection against a drive-by download (EICAR.COM) is enabled"
It might be possible in such cases that they would want you to believe you are protected against "drive-by downloads" when in reality you are not.
No need to apologize for asking questions. Other young and not-so-young users will surely benefit from your questions.
MBAE will protect against drive-by downloads which use application vulnerabilities to exploit a hole in the system and remotely execute code in your machine without requiring any intervention on your part. Basically in these scenarios you get infected simply by visiting a page. A real example of this was a few months ago when the NBC website was compromised for a few hours and any visitors to their website were exposed to the exploit or drive-by download.
In addition to exploit driven drive-by downloads MBAE also protects against other types of vulnerability exploits, such as malicious PDF, DOC, XLS, PPT and other types of maliciously rigged files which exploit vulnerabilities in their corresponding program (Acrobat Reader, MS Word, Excel, etc.). Hackers normally use these tactics and spam out these types of files attached to emails. The moment you open the rigged PDF file with Acrobat Reader it also silently runs some type of malware in your machine.
I hope this clarifies a bit how MBAE protects against exploits.