pbust

Staff
  • Posts

    3,369
Posts posted by pbust

  1. Did you have a previous install of MBAE or ExploitShield on the same computer? It might be a leftover, as that counter is read from the registry. Please post the full log mbae-default.log so we can see what is going on with those exploit attempts.

    In regards to Pale Moon, a little while ago I posted some instructions on how to do that with Pale Moon Portable. I'm sure the regular install would be a similar fix:

    http://www.wilderssecurity.com/showpost.php?p=2249912&postcount=194

  2. It's due to how some programs (i.e., Chrome, Acrobat, etc.) open and close some sub-processes with the same name, which also get hooked. For the new GUI we'll do something different. Suggestions are welcome. IIRC one user suggested some time ago to somehow highlight the protected app, similar to what Sandboxie does. Any other ideas?

  3. OK, please try the following now:

    1- Close the mbae.exe process if it's running

    2- Open an elevated CMD prompt (run as admin)

    3- Change directory to %ProgramFiles%\Malwarebytes Anti-Exploit

    4- Run mbae-uninstaller.exe

    5- Try installing the latest 1400 build again.

    The Desktop shortcut icon is a known issue. We've already fixed it and the fix will be released in the next build.

  4. Looking into this.

    Can you please try the following:

    1- Post or PM me the contents of mbae-default.log

    2- Close all shielded apps.

    3- Close the process mbae.exe if present. If you can't close it, post the error message.

    4- Uninstall from Control Panel.

    5- Delete %ProgramFiles%\Malwarebytes Anti-Exploit

    6- Reboot

    7- Install the 1400 build.

  5. Thanks for reporting!

    The mbae-uninstaller.exe is supposed to behave that way, as it is a DOS program which runs and exits very quickly.

    In regards to the shortcut icon, this is a problem. We've already fixed it and it will be released in the next build.

  6. One of the reasons for joining with Malwarebytes was to use their awesome R&D to improve the old ExploitShield. One area of improvement is the hooking framework, which is currently still from a third party and which suffers from many shortcomings, such as some of the ones you mention. Over time we will make this a great product thanks to Malwarebytes. But please be patient; it's only been a week and a half since we joined forces.

  7. Application shields are hard-coded into MBAE. For now there's no option to add new application shields. We are adding them based on the prevalence of the application and whether it is attacked in the wild.

    Once MBAE blocks an exploit payload, it will show up in the LOG tab of the GUI. From there you can select it and choose "Exclude" so it won't be blocked anymore.

    Yes, MBAE would protect these apps even if they are installed on a different partition or in a different %ProgramFiles% folder.

    No, we don't shield Silverlight just yet. See above for the criteria for adding new shields.

    We don't have a help or CHM file yet. We are building a new GUI for Malwarebytes Anti-Exploit and it should be included there once it is released.

  8. There are many layers involved in such an attack. An AV/AM might block the visit to an exploit site by URL/IP filtering blacklists (signatures). However, blacklists cannot protect 100% of the time, so sometimes the URL/IP filter might not detect a new or fresh exploit site. Once you hit the exploit site, some AV/AM have detection for the malicious JavaScript or Java component of the exploit. But again this relies on blacklisting, and the bad guys are changing encoding and evasion every day to bypass these signatures. Once the above fails, that's when MBAE will block an exploit from successfully running a payload on the machine. Looking at it from the perspective of the exploit, MBAE would block the payload (EXE) before it gets to the AV/AM, but after the AV/AM URL/IP filter and JavaScript sigs.

    So in conclusion, sometimes MBAE will block before and sometimes after, depending on whether the AV/AM used sigs to block access to the site in the first place.

    I hope this helps in clarifying and not making things more complicated.
