pbust

Staff
Posts posted by pbust

  1. Our engine format and configuration in VirusTotal is different than our consumer and corporate products’ default configuration. In VirusTotal we use a command-line engine with different configuration and detection techniques/heuristics which might detect more than the commercial product. There are also false-positive suppression mechanisms in the commercial product which are not present in the command-line engine in VirusTotal.

    This file has been whitelisted for our commercial products and it is not detected anymore.

  2. Really sorry for the late reply here. I was just made aware of this post.

    For transparency, the aggressive gTLD blocking was introduced when our browser extension was in prototype mode and as a way to test a bunch of really aggressive approaches and heuristics in order to come up with a good balanced blacklist-plus-whitelisting approach. Those gTLDs were selected due to the high ratio of malicious to legitimate websites found in those gTLDs. Many of those aggressive detection approaches are still in the browser extension but some of the whitelisting approaches never solidified as originally intended. The result is an unbalanced aggressive blocking as you're correctly pointing out.

    Having said that, now that the extension is not prototype/beta anymore and it is being pushed by the Premium product, we should revisit and fine-tune a lot of those aggressive detection blocks and heuristics to strike the right balance.

    Thanks for raising this topic. We are investigating fine-tunings based on your feedback.

  3. Unfortunately this is a hard block for the time being. The anti-exploit component prevents any automated execution of scripting apps from Internet-facing applications. If you save the script to disk and execute it from a command line with a non-browser and non-mailclient parent process, it will be allowed to execute.

    We are evaluating some future enhancements to the anti-exploit component to allow more granularity around allowed/blocked dangerous actions.

     

     

  4. 12 hours ago, hake said:

    I regret to say that I am unable to use MBAE 1.13.1.186 or 164 because of the inability of those versions to start reliably with XP.

    It is actually XP that starts unreliably and sometimes it takes longer than others, triggering the MBAE service timeout.

    If you really want to run the latest, try switching the MBAE service to Manual, and then creating a batch script that runs at boot, sleeps for a few minutes, then starts the MBAE service and then runs the mbae UI executable.

  5. Hey hake, long time no talk. Hope you're doing ok.

    Pen-testing is a legitimate activity when done correctly. Some pen-testing tactics mimic malware activity and some don't. We've basically created this option for people who want to detect pen-testing activity even if it is not found in-the-wild in malware attacks.

     

  6. Hi hake, long time no speak. Glad to see you're still around keeping an eye on MBAE! :)

     

    Yes, the team is still very active and introducing lots of improvements into MBAE on a regular basis. Thanks to you and all other testers for helping us keep MBAE effective and evolving over time!

  7. 8 hours ago, lock said:

    I downloaded hmpalert-test.exe from Sophos to test antiexploit capabilities of MBAM and I did not get any reaction.

    http://dl.surfright.nl/hmpalert64-test.exe

    Do you care to explain why?

    Because by default MBAE shields certain popular apps (browsers, office, java, pdfreaders, etc.). You need to add hmpalert64-test.exe as a custom shield so it gets protected by MBAE before running the test.

     

  8. MBAE-TEST.EXE simulates exploit behavior like executing from the Heap, ROP gadgets, etc., but it is not weaponized and instead simply pops open the Windows Calculator. But it does trigger exploit behavior to see if the installed protection has real exploit mitigations in place or not.

    The reason that most AVs don't detect MBAE-TEST.EXE is because either (a) they don't want to detect it with signatures as it would make it obvious that they don't have any modern exploit mitigation technology in their product, or (b) they don't have any modern exploit mitigation technology in their products. So yeah, you guessed it, the reality is that most AVs don't have effective and signature-less exploit protection. Sophos' detection is based on their acquisition of SurfRight's HitmanPro.Alert technology, which is similar to Malwarebytes Anti-Exploit technology which does not rely on any signatures.

    Re: the AMTSO PUP crapware, we'll add detection for it to avoid other users questioning whether we have PUP protection in our products or not. But given the irrelevance of AMTSO as an organization, and the fact that their President is the owner of AppEsteem, a certification body whose business model is to certify PUPs in exchange for money, I wouldn't pay much attention to it.

     

  9. Thanks for bringing this to our attention!

    While we hate driver/registry optimizers and crapware bundlers just as much as anybody else, and are glad that Microsoft finally caught up to our aggressive stance against them, one important distinction is that in this case Avast Free is not preventing you from updating drivers without paying, and it is not using outdated drivers as scare tactics to dupe users into purchasing. Also, the bundled software is Google Toolbar and not some other scammy toolbar (although many people would argue that ALL toolbars are crapware).

    We have not shied away from detecting competitors who crossed the line in the past in terms of scare tactics (e.g. PC Pitstop PCMatic), and we will keep an eye on the tactics of this and other optimizers to see if they cross the line in the future.

     
