ardaulairesh

  1. Under the active development and great customer support offered by Pedro and Malwarebytes, MBAE is going to be the number one Anti-Exploit application available in the very near future. Therefore, it itself is going to be the target of attacks, such as modification/elimination of MBAE files (including the program files and log files directories), tampering with its registry keys and termination of MBAE processes. Are there any self-defense mechanisms already implemented to protect MBAE, such as Malwarebytes Chameleon, which is implemented as a self-protection module in MBAM 2 Beta? Are there any (further) plans for future self-protection techniques? I can see that with alpha version 0.10.0.0200, you introduced a new architecture which runs MBAE as a Windows Service. This made the "mbae.exe" process run with limited rights and therefore less exposure. The situation was different during the whole beta phase, in which the mbae.exe process was fully elevated. I was playing with the MBAE service "MbaeSvc", which is running under the LocalSystem account, and tried to change its account type and run it under the LocalService account, which has a lower level of privileges than the previous one, consequently reducing the attack surface of Malwarebytes Anti-Exploit! Naively "MbaeSvc" failed to launch! Also, with this new architecture non-admin users cannot stop the protection of MBAE, nor can they manage the exclusions in MBAE's excluded list, which are in my opinion very good additions. Currently, I am protecting both the "mbae-svc.exe" and "mbae.exe" processes with EMET 4.1! They are configured with ALL EMET mitigations enabled.
  2. For me, this new alpha build 0.10.0.0300 is not conflicting anymore with EMET's SimExecFlow mitigation! Chrome, Word, Excel, PowerPoint, Windows Media Player and Adobe Reader all (except Google Chrome) are added to EMET's protection list with ALL mitigations enabled and at the same time all are properly shielded by MBAE. Anybody out there experiencing this?
  3. Installed Trusteer Rapport (Version: Emerald Build 1304.13) alongside MBAE 0.09.4.2000. There are no conflicts or compatibility issues between MBAE & Trusteer. Google Chrome opens normally. I can verify that Chrome is properly shielded by MBAE by viewing mbae.dll injected into the browser process spaces, and at the same time I can see Chrome is properly manipulated by Trusteer through injecting its module "rooksbas.dll". However, as a side note for those using EMET, MBAE, Trusteer Rapport and Chrome, it seems that there is a compatibility issue between EMET & Trusteer while trying to open Chrome. Chrome shuts down instantly when it is protected by EMET and at the same time is manipulated by Trusteer. I removed Chrome from the list of applications protected by EMET and the problem was gone. Now, Chrome opens normally and is protected by both MBAE & Trusteer.
  4. Are there still any conflicts or compatibility issues between MBAE and Rapport Trusteer? I am asking because in the past (MBAE 0.9.2.1200) I had problems opening Google Chrome due to incompatibility with Rapport Trusteer, so I dubbed Trusteer in favor of MBAE.
  5. I did what you said and I am waiting for the problem to happen (hopefully!) so I can send you the dump file. Just to make sure, is "complete memory dumps" the same as "Kernel memory dump"? That is because in the "write debugging information" drop-down there are two options for me, "small memory dump (256 KB)" & "Kernel memory dump", and there are no such options as automatic and complete memory dumps. Regarding WSA, you are welcome.
  6. I tried a lot in different ways but did not succeed in replicating it even once. I will let you know if this happens again or if I am able to replicate it. Just to let you know, I was able to configure WSA to allow MBAE injections and now they both work like a charm together. Settings of "Identity Protection" of WSA >>> "Application Protection" tab >>>> "Add Application" button >>>> added both "mbae.exe" & "mbae-loader.exe" in MBAE's program files folder and SELECTED "Allow" for both of them.
  7. I deactivated WSA 2014 only and NOT Comodo Firewall. Bingo, MBAE is now working as it is supposed to! So, in brief, the problem was due to WSA in my case. I hope there will be a solution to this conflict in the near future. Just to let you know, here are some observations of mine:
     1) Google Chrome and MBAE are protected by EMET 4. When both MBAE & EMET are running, I fire up Google Chrome and it is protected and shielded properly by both EMET & MBAE. So, there are no conflicts (on my side) between EMET 4 & MBAE 0.09.4.1000.
     2) I have 25 chrome.exe processes (with extensions), but MBAE just shows "Shielded Applications 6" in the General tab. However, through Process Hacker I can verify that all 25 chrome.exe processes are injected by mbae.dll.
     3) All Microsoft products (Word, Excel, and PowerPoint) are injected properly, but the "Shielded Applications" counter in the General tab shows zero, and the "Logs" tab does not show anything and is empty. However, through Process Hacker I can verify that all three applications are injected by mbae.dll.
     4) Adobe Reader & Windows Media Player are properly shielded and correctly shown in the "Shielded Applications" and "Logs" tabs.
     5) For me the second known issue in the "Known Issues & Conflicts" is not present. That is, the Shielded apps counter does decrease when closing shielded applications. However, the "Date" column in the "Logs" tab does not update when reopening a shielded application. The date indicates the first time this application was opened.
     6) As is obvious from the image, the mbae.exe process is elevated. Would it be possible to run it with limited rights, as it is dangerous in case of a vulnerability in MBAE that could be exploited under the full rights of MBAE?
     7) I can see that the HitmanPro Alert bug still exists.
     8) mbae-test is protected by MBAE when pressing the Normal button and blocked by MBAE when pressing the Exploit button. However, when mbae-test.exe is added to EMET and the Exploit button is pressed, EMET detects it and blocks it through the EAF mitigation.
     9) Sometimes when trying to exit MBAE the second message below appears. After pressing the Retry button several times, MBAE exits.
  8. The previous version of MBAE was working properly with WSA 2014, Comodo Firewall 6.3.294583.2937, and EMET 4 installed. All the shielded applications (Google Chrome, Adobe Reader, Windows Media Player, ... etc.) were working properly. But with this new version of MBAE no application is shielded whatsoever. I installed MBAE 0.09.4.1000 as instructed by pbust on this website. It did install with no problems, but no application is shielded by this new version. Through Process Hacker, no "mbae.dll" or "mbae64.dll" is found to be injected into any processes. mbae-default.log
  9. When trying to open Google Chrome (while MBAE is running, of course) it crashes instantly. No browser window opens at all, but through Process Hacker it's possible to see that a chrome.exe process starts and terminates within a second. This happens also with all Chrome extensions disabled. I also tried running GC with administrative privileges but still got the same result. All this happens without any notifications from MBAE, either in its Logs tab or the General tab. In contrast, while MBAE is running, Microsoft Internet Explorer 9 (both the 32-bit & 64-bit versions) runs normally and is shielded by MBAE. Due to the known bug of "Shielded applications counter in GENERAL tab sometimes does not show correct count", it's possible to use Process Hacker to see if IE 9 is really shielded or not. This can be investigated through the fact that mbae.dll should be loaded with the iexplore.exe process (and mbae64.dll should be loaded with the 64-bit version of IE), and yes, this was the situation: both IE versions were really shielded by MBAE. The only way to run GC was either to exit MBAE or stop the protection of MBAE. An interesting point was that after running GC I started the protection of MBAE again, then I opened a new browser window (not a new tab). Guess what happened: the Shielded applications counter in the GENERAL tab showed a shielded application and in the LOGS tab there was a "Google Chrome is now protected" message. Again through Process Hacker I investigated whether this message was true or not. Unfortunately GC was not protected, as the module mbae.dll was not loaded (so the above message was due to the mentioned bug). I tried to manually inject mbae.dll into the chrome.exe process but it did not work. Any idea about this problem? Any help is appreciated.
  10. The new feature of Exclusions in MBAE is not working and it's not active at all. It seems like a bug. Any idea about that?
  11. I have a similar problem. In my case, when trying to open Google Chrome it crashes instantly, but there are no problems opening Internet Explorer and it runs normally. When MBAE is exited or its protection stopped, Google Chrome opens normally.
  12. Did what you asked for, but still the same results are happening.
  13. It is set to safe mode. By the way, I have no problems running Internet Explorer while running MBAE.
  14. Hello ROCKNROLLKID, When Google Chrome is started it instantly crashes due to MBAE running. When I either stop MBAE through the stop protection button or exit it, the mentioned browser opens normally. I have Comodo Firewall, Webroot SecureAnywhere and Rapport Trusteer. Any help is highly appreciated.