pbust

Staff
  • Posts

    3,369
Posts posted by pbust

  1. So if I purposefully lowered my security settings (which I wouldn't do), and a website did drop and run something without my interaction without using an exploit, MBAE would not stop that one because that wasn't exploit-driven?

    Correct

     

    But if I kept my browser security settings as they are, and accidentally went to a website that attempted a "drop and run" without my interaction or without knowingly lowering my browser settings, MBAE would stop that? A lot of new information; I always thought drop and run were called "drive-by" downloads and that they all used an exploit of some sort. My brain is trying to understand all the information you're giving, so I hope I'm understanding you correctly and I hope I'm not just asking the same thing over and over.

     

    Correct, MBAE would stop that if the drive-by was performed using an exploit. In reality most drive-by downloads use exploits, as the default config of browsers prevents an accidental drive-by without user interaction and without an exploit.

  2. So, MBAE would not stop those types of downloads since they do not use exploits to drop and run the payload silently, correct?

    Correct.

     

    But it would protect against the websites that do attempt to drop and run it silently without user interaction? So, say I or another user visits a website that either is compromised unbeknownst to the website owner, or a website that is dedicated to hosting malware and is known by the owner, and this site attempts to drop and run a payload without interaction: this is what you would consider a drive-by, and MBAE would stop the payload from hitting the computer?

    Yes, although there's a slight difference between "drop and run a payload without user interaction" and "drop and run a payload using an exploit". MBAE is focused on blocking exploits, regardless of whether they are utilized in drive-by downloads, targeted attacks, financial attacks, cyber-espionage or advanced persistent threats. There are certain very unlikely situations where you can manually lower the security settings of your browser and a website could then "drop and run a payload without user interaction" without requiring exploits. But this is extremely rare as you would have to purposely and knowingly tweak a bunch of browser settings to allow it to happen.

  3. Some people may refer to drive-by downloads as something completely different. From my perspective a drive-by download makes use of an exploit in order to silently drop and run the malware, i.e. it is not dependent upon user interaction like prompting to run a file. If there is a prompt asking you whether you want to save or run the file, in my opinion it is not a drive-by download but rather a social engineering attack.

     

    Some people in the antivirus industry might even call a straight download of an EXE/COM a "drive-by download", which in my opinion it is not:

    http://www.amtso.org/feature-settings-check.html

      --> "2. Test if my protection against a drive-by download (EICAR.COM) is enabled"

    It might be possible in such cases that they would want you to believe you are protected against "drive-by downloads" when in reality you are not.

  4. No need to apologize for asking questions. Other young and not-so-young users will surely benefit from your questions.

     

    MBAE will protect against drive-by downloads which use application vulnerabilities to exploit a hole in the system and remotely execute code on your machine without requiring any intervention on your part. Basically in these scenarios you get infected simply by visiting a page. A real example of this was a few months ago when the NBC website was compromised for a few hours and any visitors to their website were exposed to the exploit or drive-by download.

     

    In addition to exploit-driven drive-by downloads, MBAE also protects against other types of vulnerability exploits, such as malicious PDF, DOC, XLS, PPT and other types of maliciously rigged files which exploit vulnerabilities in their corresponding program (Acrobat Reader, MS Word, Excel, etc.). Hackers normally use these tactics and spam out these types of files attached to emails. The moment you open the rigged PDF file with Acrobat Reader, it also silently runs some type of malware on your machine.

     

    I hope this clarifies a bit how MBAE protects against exploits.

  5. Thanks for posting Wojtek. This is a known issue. Basically the tray bar icon fails to load correctly even though the process mbae.exe and the protection are still running. As a workaround until we fix this, try killing mbae.exe from Task Manager (you will have to run Task Manager as admin) and then running MBAE again from the Start menu.

  6. There are certain OS components that we do shield, as is the case with Windows Scripting Host and Windows Help, as those may be used or have been used in the past by exploits in the wild. But we do not shield the entire system (i.e. all running processes), as that could cause system instability. Our technology shields applications, and while it is generic/proactive in nature, it is applied on a per-application basis.
