
How does it work, so to speak?


Wide_Glide


  • Staff

Basically MBAE looks at the behavior of applications such as browsers, PDF readers, MS Office, media players and others and blocks behaviors which are exploit-like. As such it is a generic approach which does not rely on signatures nor updates. The product itself is very lightweight (about 3MB installed) and designed in an install-and-forget approach.

 

Hope this helps!

Link to post

Thanks, but not the information I was needing. With the security software I posted above, would Mbae throw a Block FIRST? After Avast or Mbam?

Without Mbae, Avast covers about 90% of threats detected, Mbam covers what Avast misses (just as it's designed to do, ;) ).

IF Mbae should throw a Block first (with a Known Threat), I need to report a MISS on Reveton Ransomware.

Link to post

Thanks, but not the information I was needing. With the security software I posted above, would Mbae throw a Block FIRST? After Avast or Mbam?

Without Mbae, Avast covers about 90% of threats detected, Mbam covers what Avast misses (just as it's designed to do, ;) ).

IF Mbae should throw a Block first (with a Known Threat), I need to report a MISS on Reveton Ransomware.

Does Avast! detect actual exploits, or just the droppers/infectors the exploits try to install? Also, if Avast! does detect exploits, does it do so via a browser plugin or by some other means?
Link to post

  • Staff

There are many layers involved in such an attack. An AV/AM might block the visit to an exploit site by URL/IP filtering blacklists (signatures). However, blacklists cannot protect 100% of the time, so sometimes the URL/IP filter might not detect a new or fresh exploit site. Once you hit the exploit site, some AV/AM have detection for the malicious JavaScript or Java component of the exploit. But again, this relies on blacklisting, and the bad guys are changing encoding and evasion every day to bypass these signatures. Once the above fails, that's when MBAE will block an exploit from successfully running a payload on the machine. Looking at it from the perspective of the exploit, MBAE would block the payload (EXE) before it gets to the AV/AM, but after the AV/AM URL/IP filter and JavaScript sigs.

So in conclusion, sometimes MBAE will block before and sometimes after, depending on whether the AV/AM used sigs to block access to the site in the first place.

I hope this helps in clarifying and not making things more complicated.

Link to post

Does Avast! detect actual exploits, or just the droppers/infectors the exploits try to install? Also, if Avast! does detect exploits, does it do so via a browser plugin or by some other means?

All I can tell you is that the threats were detected through Avast's Web and Network Shields.

The above test I did was on Reveton's Primary server (HOME BASE).

Primary server hit first and then 3 to 5 secs later the backup hit. Avast blocked both.

I hope this helps in clarifying and not making things more complicated.

Thank you pbust, that is what I needed to know. I may have uninstalled Mbae on my Vista, but still have it on Win 7 32 bit and XP Home Media Edition in a VB. Any issues, I'll report them to you.
