Jump to content

Compatible with whitelisting software?


Weyoun
 Share

Recommended Posts

Hi all,

 

I was wondering, is MBAE compatible with whitelisting software? I use whitelisting software and on my secondard hard drive (that I use for betas) I use MBAE. I haven't seen any conflicts so far, but I wanted to ask to make sure.

 

Thanks,

 

Weyoun :)

Link to post
Share on other sites

Okay Pedro, will do. If MBAE stopped the download from occuring, then I imagine no conflict would result, but if MBAE blocked the file from executing, this is what may present the problem for the whitelist software is where I was wondering. I can test this with the MBAE test file and set my whitelist software to block the calculator and let you know if anything happens.

 

Shran

Link to post
Share on other sites

From the start of my trialling of MBAE, I have assumed that MBAE doesn't block downloads but instead reacts to unwanted/malicious behaviour when a download attempts to become active.  Is this assumption correct?

Link to post
Share on other sites

From what I understand here, MBAE will block the download if it was initiated by an exploit, i.e. without the user clicking "save" or "run", in it's stage 1 layer. In it's stage 2 layer if the exploit was successful and got past stage 1, then stage 2 would block it (the downloaded malware) from executing. But we'll have to wait for Pedro to confirm this for us :) .

Link to post
Share on other sites

  • Staff

It's close enough but not quite correct. The FAQs describe the protections in terms of stages of an exploit attack (stage1 and stage2).

 

From an internal perspective MBAE has 3 layers of protections and each layer includes multiple techniques:

- Layer1: Advanced memory protections that prevent exploit shellcode from ever running. Detects exploits sometimes before the OS DEP protection.

- Layer2: Malicious memory calls blocker.

- Layer3: Exploit behavior blocker. Prevents exploits from executing their malicious payloads.

 

In the case of the MBAE-TEST utility, it is blocked by one of the memory protection techniques, so there is no "download and run" attempt. The behavior you both are referring to is the one from layer3 which blocks applications from downloading and/or running code in an exploit-like manner. But in most of the cases MBAE will protect with its layer1 or layer2 protections. Layer3 protection, aka anti-payload, is a backup protection in case an exploit is able to bypass all of the OS protections as well as MBAE's memory protections.

 

I hope this makes it clearer. I might update the FAQ to reflect this information.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.