Jump to content

How does it work, so to speak ?


Wide_Glide
 Share

Recommended Posts

  • Staff

Basically MBAE looks at the behavior of applications such as browsers, PDF readers, MS Office, media players and others and blocks behaviors which are exploit-like. As such it is a generic approach which does not rely on signatures nor updates. The product itself is very lightweight (about 3MB installed) and designed in an install-and-forget approach.

 

Hope this helps!

Link to post
Share on other sites

Thanks, but not the information I was needing.   With the security software I posted above, would Mbae throw a Block FIRST?    After Avast or Mbam?

Without Mbae, Avast covers about 90% of threats detected, Mbam covers what Avast misses(Just as it's designed to do, ;) ).

IF Mbae should throw a Block first(With a Known Threat), I need to report a MISS on Reveton Ransomware

Link to post
Share on other sites

  • Staff

Thanks, but not the information I was needing.   With the security software I posted above, would Mbae throw a Block FIRST?    After Avast or Mbam?

Without Mbae, Avast covers about 90% of threats detected, Mbam covers what Avast misses(Just as it's designed to do, ;) ).

IF Mbae should throw a Block first(With a Known Threat), I need to report a MISS on Reveton Ransomware

Does Avast! detect actual exploits, or just the dropers/infectors the exploits try to install? Also, if Avast! does detect exploits, does it do so via a browser plugin or by some other means?
Link to post
Share on other sites

  • Staff

There are many layers involved in such an attack. An AV/AM might block the visit to an exploit site by URL/IP filtering blacklists (signatures). However blacklists cannot protect 100% of the times so sometimes the URL/IP filter might not detect a new or fresh exploit site. Once you hit the exploit site, some AV/AM have detection for the malicious javascript or java component of the exploit. But again this relies on blacklisting and the bad guys are changing encoding and evasion every day to bypass these signatures. Once the above fails, that's when MBAE will block an exploit from successfully running a payload on the machine. Looking at it from the perspective of the exploit, MBAE would block the payload (EXE) before it gets to the AV/AM, but after the AV/AM URL/IP filter and javascript sigs.

 

So in conclusion sometimes MBAE will block before and sometimes after, depending on whether the AV/AM used sigs to block access to the site in the first place.

 

I hope this helps in clarifying and not making things more complicated.

Link to post
Share on other sites

Does Avast! detect actual exploits, or just the dropers/infectors the exploits try to install? Also, if Avast! does detect exploits, does it do so via a browser plugin or by some other means?

 

 

All I can tell you is that the threats were detected through Avast's Web and Network Shields.

The above test I did was on Reveton's Primary server(HOME BASE)

Primary server hit first and then 3 to 5 sec's later the backup Hit.  Avast blocked both

 

 

I hope this helps in clarifying and not making things more complicated.

 

Thank you pbust, that is what I needed to know.   I may have uninstalled Mbae on my Vista, But still have it on Win 7 32 bit n XP Home Media Edition in a VB.  Any issues, I'll report them to you

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.