Posts posted by pbust
-
-
So if I purposefully lowered my security settings (which I wouldn't do), and a website did drop and run something without my interaction without using an exploit, MBAE would not stop that one because that wasn't exploit-driven?
Correct
But if I kept my browser security settings as they are, and accidentally went to a website that attempted a "drop and run" without my interaction or without knowingly lowering my browser settings, MBAE would stop that? A lot of new information; I always thought drop and run were called "drive-by" downloads and that they all used an exploit of some sort. My brain is trying to understand all the information you're giving, so I hope I'm understanding you correctly and I hope I'm not just asking the same thing over and over.
Correct, MBAE would stop that if the drive-by was performed using an exploit. In reality most drive-by downloads use exploits as the default config of browsers prevents an accidental drive-by without user interaction and without exploit.
-
WOW, that's a lot of security apps!
Very soon we will release a small tool that simulates an exploit and will allow you to check that MBAE is working correctly. Please keep an eye on this sub-forum announcements.
-
So, MBAE would not stop those types of downloads since they do not use exploits to drop and run the payload silently, correct?
Correct.
But it would protect against the websites that do attempt to drop and run it silently without user interaction? So, say I or another user visits a website that either is compromised unbeknownst to the website owner, or a website that is dedicated to hosting malware and is known by the owner, and this site attempts to drop and run a payload without interaction, this is what you would consider a drive-by and MBAE would stop the payload from hitting the computer?
Yes, although there's a slight difference between "drop and run a payload without user interaction" and "drop and run a payload using an exploit". MBAE is focused on blocking exploits, regardless of whether they are utilized in drive-by downloads, targeted attacks, financial attacks, cyber-espionage or advanced persistent threats. There are certain very unlikely situations where you can manually lower the security settings of your browser and a website could then "drop and run a payload without user interaction" without requiring exploits. But this is extremely rare as you would have to purposely and knowingly tweak a bunch of browser settings to allow it to happen.
-
It works for me though (even with restart), I'm using Windows 7 SP1 32-Bit (don't ask why I am using 32-Bit)
What do you mean by "it works for me"? You mean the exclusions work and they are persistent after a reboot?
-
Some people may refer to drive-by downloads as something completely different. From my perspective a drive-by download makes use of an exploit in order to silently drop and run the malware, i.e. it is not dependent upon user interaction like prompting to run a file. If there is a prompt asking you whether you want to save or run the file, in my opinion it is not a drive-by download but rather a social engineering attack.
Some people in the antivirus industry might even call a straight download of an EXE/COM a "drive-by download", which in my opinion it is not:
http://www.amtso.org/feature-settings-check.html
--> "2. Test if my protection against a drive-by download (EICAR.COM) is enabled"
It might be possible in such cases that they would want you to believe you are protected against "drive-by downloads" when in reality you are not.
-
No need to apologize for asking questions. Other young and not-so-young users will surely benefit from your questions.
MBAE will protect against drive-by downloads which use application vulnerabilities to exploit a hole in the system and remotely execute code in your machine without requiring any intervention on your part. Basically in these scenarios you get infected simply by visiting a page. A real example of this was a few months ago when the NBC website was compromised for a few hours and any visitors to their website were exposed to the exploit or drive-by download.
In addition to exploit driven drive-by downloads MBAE also protects against other types of vulnerability exploits, such as malicious PDF, DOC, XLS, PPT and other types of maliciously rigged files which exploit vulnerabilities in their corresponding program (Acrobat Reader, MS Word, Excel, etc.). Hackers normally use these tactics and spam out these types of files attached to emails. The moment you open the rigged PDF file with Acrobat Reader it also silently runs some type of malware in your machine.
I hope this clarifies a bit how MBAE protects against exploits.
-
Can some of you with HMP.Alert try to replicate the issue of the "disappearing exclusion" but this time instead of a reboot, simply exit MBAE and run it again. Is the exclusion also gone when you do this?
-
Thanks for posting Wojtek. This is a known issue. Basically the traybar icon fails to load correctly even though the process mbae.exe and the protection are still running. As a workaround until we fix this, try killing mbae.exe from the Task Manager (you will have to run Task Manager as admin) and then running MBAE again from the Start menu.
-
Interesting, thanks for reporting. What version are you using to compile? Also, can you provide a sample code that when compiled will replicate the problem?
-
There are certain OS components that we do shield, as is the case of Windows Scripting Host and Windows Help, as those may be used or have been used in the past by exploits in-the-wild. But we do not shield the entire system (i.e. all running processes) as that could cause system instability. Our technology shields applications and while it is generic/proactive in nature, it is applied on a per application basis.
-
MBAE should not interfere with any add-ons for any browsers. But since we are in beta, if you do think there is any interference or incompatibility please do post it here so that we may fix it.
-
Yes, Malwarebytes Anti-Exploit will continue providing and supporting anti-exploit protection for Windows XP even after Microsoft drops support for this platform.
-
It does start automatically every time you boot the computer.
-
BD W8 Security also blocks the VLC program's update feature.
You mean BitDefender??
-
Thanks for reporting. What other AV or security products do you have installed on that same machine?
-
You can watch it in action against many different types of exploits at the following channel:
www.youtube.com/user/zerovulnlabs
-
Thanks for reporting Reacto! We will try to replicate this internally.
-
Thanks shaggy! Please post details internally on how to replicate so that we can fix it.
-
Great, thanks for posting confirmation Stevie!!
-
Please download and install the latest version to see if you still receive the same alert:
-
It worked for me without showing an exploit attempt under Win8 x64 with the latest Firefox.
What OS, architecture, browser and MBAE version are you using?
-
Thanks for reporting Firefox! I don't see an alert event in the logs. We'll have to try to replicate this. Are the specs in your sig the ones from the system where this happened?
-
Yes, that will work as well. Thanks Firefox!
-
Yes, this is expected behavior under VLC Player for now. As a workaround, open MBAE and navigate to the LOG tab. Then highlight the VLC block event and click the "Exclude" button. Then try upgrading VLC again and it should upgrade correctly.
[SOLVED] A bit of a noob question (in Anti-Exploit Beta)
Cool, glad I could help!