Jump to content

Recommended Posts

I have just tried Ant-exploit, mindful of it being in beta.  I run MS EMET 4.1 (on WEindows XP SP3) which I think might be causing conflicts.  I would like to be able to disable apps from the protection of anti-exploit and to add ones not on the list.  Also it is not presently possible to identify the treename of application executables.

 

I like the idea and hope that it makes it to production release.  At the moment it has some way to go.  It can lock up a system and so I decided to uninstall and wait for a later release before trying again.

Link to post
Share on other sites

I have tried Anti-Exploit.  Deep hooks seems not to be a probable cause of difficulties on my Windows XP system.  I have noted a a couple of points and don't forget that EMET 4.1 is running: -

 

First, Adobe Reader 11.0.5 wouldn't run at first while Protected Mode was enabled.  Once I done this, I found that Acrobat Professional 6 then worked (it initially froze) and I was able to re-enable Adobe Reader 11.0.5 Protected Mode so that works also.

 

Second, EMET 4.1 GUI now throws an unhandled exception, behaviour which remains after uninstalling Anti-Exploit.

 

I have a URL, the content of the web age it points to you guys might care to rebutt : -

http://blog.trailofbits.com/2012/10/29/ending-the-love-affair-with-exploitshield/

Admittedly it is written about ExploitShield.

 

It appears that Anti-Exploit uses a driver and mbae.exe is for the GUI.

 

ExploitShield apparently also existed as a cut down browser only version.  This is where the home user really wants protection.  Two browsers that are not on the list are Comodo Dragon (I prefer this to Google Chrome as it has a nice easy to use feature to force https on) and Safari.

Link to post
Share on other sites

  • Staff

Yes we have conflicting reports about EMET 4.1 Deep Hooks and MBAE. We have to take a closer look at this as it may behave differently in different OS, architectures and third-party security software.

 

As of the issues with Adobe Reader and Pro, is you can isolate these (without EMET or other stuff installed) and replicate them consistently that would be very helpful. If you manage to do this please post a step-by-step for repro purposes.

 

The blog post about ExploitShield was about version 0.7, the very first beta of ExploitShield over a year ago. MBAE has grown a lot since then and most if not all of the gripes mentioned in that URL no longer hold valid.

 

As for support for other browsers, please post your feedback here:

https://forums.malwarebytes.org/index.php?showtopic=137726

Link to post
Share on other sites

Just to add some alternate information.

I run both emet4.1 and AE on both W8.1 and xpSP3 with no conflicts. I

Keep in mind emet was installed with default/Recommended and Popular software, Cert Trust etc. setting. :)

Link to post
Share on other sites

Just to add some additional alternate information. :)

 

I run windows 7, with sandboxie 4.06, MBAE 0.09.4.2000 and EMET 4.0. EMET is set to (almost) full paranoia-mode (See attachment) and/so the deephooks are set.

So far EMET and MBAE have not clashed/conflicted. But I must admit that most applications that MBAE protects run almost all the time inside a sandbox, outside the reach of MBAE. Only Microsof Office programs run regularly outside the sandbox. Firefox is occasionally run outside the sandbox (for updating) and I recently ran adobe reader outside the sandbox.

 

If you'd like some more info about the configuration of my system or would like me to try something, please ask.

 

 

 

 

P.S. For those who dared to read the emet_config.xml: I actively tried to crash the system using EMET settings (without directly editing the registry), so far I did not "succeed". I should note that EMET fails to protect certain processes.

 

 

 

 

emet_config.xml

Link to post
Share on other sites

Hi Pedro.

I have not added any additional configuration settings??

Simply installed on both OS's, imported the 'Recommended, Popular software and CertTrust and walked away.

No added user input. :)

Link to post
Share on other sites

@pbust:

That EMET and MBAE don't get much chance to conflict is true. That's why I figured I should mention it. I don't know how 'reliable' the clashes are, but if you find one I could try running the program that causes it on my system outside the sandbox to see if I run into the same problem. (If that would help you any further.)

And it would seems that Microsoft Word does not cause EMET's deep hooks en MBAE to clash.

 

EMET indicates which processes it protects in it's main windows. Some processes that are configured to be protected by EMET but start before EMET starts, so EMET can't inject it's dll into the process. (That's what I remember reading about it.) Thus leaving the process unprotected. I found the following examples of processes that EMET fails to protect, there may be more:

Winlogon.exe

Wininit.exe
csrss.exe

smss.exe

 

As soon as the image of my C-drive is done I can try to find some more.

 

 

@Wilpower:

You can find whether you have deep-hooks enabled by opening the main EMET window (double click on the EMET icon in the tray), than click on 'apps', a window opens and there you can find whether deep hooks are enabled. (See below, here the deep hooks are enabled)

 

 

post-146800-0-11614300-1386413584_thumb.

 

Link to post
Share on other sites

  • Staff
I don't know how 'reliable' the clashes are, but if you find one I could try running the program that causes it on my system outside the sandbox to see if I run into the same problem. (If that would help you any further.)

 

Try running the browsers normally (outside Sandboxie) to see if EMET's DeepHooks conflict with MBAE.

Link to post
Share on other sites

I've done some browsing around with firefox and a little with Internet Explorer. (I don't have Chrome on my system.) To see if any dll's where injected by MBAE I used Process Explorer. (using: find "mbae.dll') So far I doubt I found anything but there are two candidates.

The first: When watching video's on youtube (in firefox), MBAE only injects it's dll into "plugin_container.exe" and not into "flashPlayerPlugin_11_9_900_152.exe". I don't know if it was supposed to, but killing the flashplayer proces does stop the video from playing any further, so I assumed that MBAE might have tried to inject an DLL into the flashplayer process (and failed).

Before I killed the flashplayer-process there where no issues in playing the video. If I didn't use Process Explorer I wouldn't have known.

The second:

When sing internet explorer (outside the sandbox) I was opening a page with only Silverlight content, the window remains white. (I was trying to run the Wizards of the Coast Characterbuilder.)

Within the sandbox (outside MBAE reach) the plugin works fine.

I should note that firefox has no such problems.

I've tried loading the site http://www.zbuggie.com/Default.aspx (as it uses silverlight) but this one works fine (even in an unsandboxed instance of IE)

Turning off MBAE and restarting IE outside the sandbox (no MBEA.dll injected) did not solve this problem. This leads me to suspect that MBAE and EMET are not the culprits behind it. I'll leave it to you to craw you own conclusion. (I'm not the expert after all.)

That's all I've got so far. If I find anything else, I'll post it. Is there anything I should specificly be looking for or just crashes/bugs that don't occur when MBAE.dll is not injected in the relevant process. (Due to either sandboxie or MBAE being turned off.)

Link to post
Share on other sites

  • Staff

If you would have experienced the conflict between DeepHooks and MBAE it would have prevented the browser from opening, at least that's what seems to happen in the reports I've received. It is still unclear what the true root of the conflict is. It might not be EMET itself with some combination of third-party security software + EMET + MBAE.

 

As for Sivlerlight, if you still get the white screen even with MBAE turned off then it's probably not due to MBAE.

Link to post
Share on other sites

  • 1 month later...

The traybar icon should be able to indicate if Anti-Exploit is protecting or not.  Perhaps the inverted V could be green for 'on' and red for 'off'.  Thus, at a glance, the user could have visual confirmation of the status of Anti-Exploit.

Link to post
Share on other sites

The traybar icon should be able to indicate if Anti-Exploit is protecting or not.  Perhaps the inverted V could be green for 'on' and red for 'off'.  Thus, at a glance, the user could have visual confirmation of the status of Anti-Exploit.

 

Strongly agree with this suggestion. Perhaps the whole icon itself could either turn red or grey like the MBAM icon does when some or all of the protection is disabled. Also, to add to the suggestion, maybe when you hover the mouse over the tray icon, it can say "protection enabled" or "protection disabled" in addition to the icon going red or gray.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.