Posts posted by pbust
-
-
Did you have a previous install of MBAE or ExploitShield in the same computer? It might be a leftover as that counter is read from the registry. Please post the full log mbae-default.log to see what is going on with those exploit attempts.
In regards to Pale Moon, a little while ago I posted some instructions on how to do that with Pale Moon portable. I'm sure the regular install would be a similar fix:
http://www.wilderssecurity.com/showpost.php?p=2249912&postcount=194
-
Yes, definitely an FP from Panda. Will contact them to get this fixed.
-
It's due to how some programs (i.e., chrome, acrobat, etc.) open and close some sub-processes with the same name and which also get hooked. For the new GUI we'll do something different. Suggestions are welcomed. IIRC one user suggested some time ago to somehow highlight the protected app similar to what Sandboxie does. Any other ideas?
-
Ok please try the following now:
1- Close the mbae.exe process if it's running
2- Open an elevated CMD prompt (run as admin)
3- Change directory to %ProgramFiles%\Malwarebytes Anti-Exploit
4- Run mbae-uninstaller.exe
5- Try installing the latest 1400 build again.
The Desktop shortcut icon is a known issue. We fixed it already and the fix will be released in the next build.
-
I've updated the upgrade instructions in the release notes to try to avoid this problem in the future. We are looking into fixing this asap.
-
Looking into this.
Can you please try the following:
1- Post or PM me the contents of mbae-default.log
2- Close all shielded apps.
3- Close if present the process mbae.exe. If you can't close post the error msg.
4- Uninstall from control panel.
5- Delete %ProgramFiles%\Malwarebytes Anti-Exploit
6- Reboot
7- Install the 1400 build.
-
Thanks for reporting!
The mbae-uninstaller.exe is supposed to behave that way as it is a DOS program which runs and exits very quickly.
In regards to the shortcut icon this is a problem. We've already fixed it and it will be released in the next build.
-
Some of the known issues have been fixed. Some other known issues, specifically the ones related to the GUI/traybar will be solved in future releases when we integrate the engine into a completely new Malwarebytes GUI.
-
Hey zootman, the latest build 1400 should fix this. Please download and try to replicate the problem to make sure it is fixed:
http://forums.malwarebytes.org/index.php?showtopic=129243
Thx!
-
This should be fixed now in the new 1400 build. Please download and re-test:
-
We just released build 1400 which fixed this problem. Can you please download and install and try to replicate to verify that everything is working normally?
-
Can you please try again with the 1400 build to see if the install/uninstall problem is fixed?:
-
Thanks for reporting this Georgi. We're QA'ing the next build which will be released asap. If you could check this error with the new version as soon as it is released it would be very helpful. Thanks again!
-
We believe we have fixed this. The fix will be released with the next build which is currently in QA. Thanks for reporting!
-
Thanks for reporting this. We believe we've fixed this in the next build which should be released in the next few days or weeks. Please stay tuned for announcements regarding new builds.
-
Thanks for reporting. Can you please post your PC config (OS, architecture, other security software, etc.) as well as how to reproduce the error?
-
We only inject if the process is named iexplore.exe (for Internet Explorer) so unless palemoon.exe calls iexplore.exe for whatever reason, what you are seeing in the log is probably from a previous IE session.
-
What is the process name for Pale Moon?
-
One of the reasons for joining with Malwarebytes was to use their awesome R&D to improve the old ExploitShield. One area of improvement is the hooking framework which is currently still from a third party and which suffers from many shortcomings such as some of the ones you mention. Over time we will make this a great product thanks to Malwarebytes. But please be patient, it's only been a week and a half since we joined forces.
-
Muchas gracias zootman, I was able to replicate it. We will get this fixed asap.
-
Thank you pbust, that is what I needed to know. I may have uninstalled MBAE on my Vista, but still have it on Win 7 32 bit and XP Home Media Edition in a VB. Any issues, I'll report them to you.
Thanks, much appreciated !!
-
Yes that is obviously a bug. We are trying to get this fixed ASAP. Thanks for reporting.
Please do post your system specs:
OS:
Architecture:
Service Pack:
Other security software:
-
Application shields are hard-coded into MBAE. For now there's no option to add new application shields. We are adding them based on prevalence of the application and whether it is attacked in the wild.
Once MBAE blocks an exploit payload, it will show up in the LOG tab of the GUI. From there you can select it and choose "Exclude" so it won't be blocked anymore.
Yes, MBAE would protect these apps even if they are installed in a different partition or %ProgramFiles% folder.
No, we don't shield Silverlight just yet. See above for criteria for adding new shields.
Don't have a help or chm file yet. We are building a new GUI for Malwarebytes Anti-Exploit and it should be included there once it is released.
-
There are many layers involved in such an attack. An AV/AM might block the visit to an exploit site by URL/IP filtering blacklists (signatures). However, blacklists cannot protect 100% of the time, so sometimes the URL/IP filter might not detect a new or fresh exploit site. Once you hit the exploit site, some AV/AM have detection for the malicious javascript or java component of the exploit. But again this relies on blacklisting and the bad guys are changing encoding and evasion every day to bypass these signatures. Once the above fails, that's when MBAE will block an exploit from successfully running a payload on the machine. Looking at it from the perspective of the exploit, MBAE would block the payload (EXE) before it gets to the AV/AM, but after the AV/AM URL/IP filter and javascript sigs.
So in conclusion sometimes MBAE will block before and sometimes after, depending on whether the AV/AM used sigs to block access to the site in the first place.
I hope this helps in clarifying and not making things more complicated.
[SOLVED] Shielded Apps and Blocked exploit attempts
in Anti-Exploit Beta
Check the file at %ProgramFiles%\Malwarebytes Anti-Exploit\mbae-default.log and post it here or PM it to me.
The counter for the blocked attempts is stored in HKLM/SOFTWARE/Malwarebytes Anti-Exploit.
In regards to Pale Moon, it is not officially supported yet. Only the browsers that show up in the SHIELDS tab are officially supported.