pbust

MBAE 1.08 Beta Preview


The following is a beta preview of the upcoming MBAE 1.08.


It introduces some new detection mitigations of advanced exploit techniques. They are all enabled by default. It also includes quite a few bug fixes identified in version 1.07.


Simply download and install on top of your existing MBAE version.

https://malwarebytes.box.com/s/6n9ac5s8kk6a39awkogaxiaun120ohv3


We are very much interested in any feedback you might have. Please create new threads for new topics in this "Experimental MBAE Builds" sub-forum.


Thanks!!


So far so good.


Optional Info

  • I installed the new beta version (it now shows 1.08.1.1016)
  • Re-activated default settings (i.e., Anti-HeapSpray ON for browsers)
  • Rebooted
  • Opened Firefox -- successful and not blocked by MBAE.

Thanks for making the update and putting out the notification :)


Hi Pedro,


Could you describe the changes that certain new anti-ROP mitigations have brought?

I am especially interested in seeing what type of attacks should be covered by the new "Layer0 Dynamic Anti-HeapSpraying" and "Layer1 ROP-RET gadget detection" mitigations.


Cheers,

regenpijp


Hi Pedro,


Could you describe the changes that certain new anti-ROP mitigations have brought?

I am especially interested in seeing what type of attacks should be covered by the new "Layer0 Dynamic Anti-HeapSpraying" and "Layer1 ROP-RET gadget detection" mitigations.


Cheers,

regenpijp


+ 1

TH


WOW

The new features allow you to pass the following HPA3 tests:


ROP CALL preceded VirtualProtect()

Heap Spray 1

Anti VM VMware

Anti VM Virtual Pc

Lockdown 1

Lockdown 2


Tested on Windows XP SP3, 32-bit.


WOW

The new features allow you to pass the following HPA3 tests:


ROP CALL preceded VirtualProtect()

Heap Spray 1

Anti VM VMware

Anti VM Virtual Pc

Lockdown 1

Lockdown 2


Tested on Windows XP SP3, 32-bit.

I would say, perform a test on Windows 8.1 and inject the tests into IE11 and you'll see different results ;)


Preliminary observations:


1) Just to let everyone know (since I'm sure Pedro is already aware of this) that the 1.08 installer now checks for the presence of EMET, and warns/advises the user to uninstall EMET before continuing MBAE's installation.

Since I'm trying this beta version intentionally as a test, I disregarded the warning, and allowed MBAE to install alongside EMET. On this particular machine, it's the much-older EMET 3, where there are significantly fewer mitigations protected, meaning there's a reduced chance of conflict. I'll certainly report back as I learn/experience any issues.


2) Also to let everyone (including Pedro) know, Avast's DeepScreen intercepted mbae64.exe during installation, to analyze it, and fortunately decided to allow it. This had not happened with previous versions.


Thanks for the report ky331.


Yes, we now check for EMET and give a small warning/notice. However, users can ignore the warning and "continue" with the installation. We've done this as some users were not even aware they had EMET installed when they installed MBAE, and this caused some conflicts.


As for Avast, this is probably due to the fact that 1.08 is a new binary and is not very prevalent yet.


A "quick test"... just to make sure programs successfully open and can load documents... showed no problems/conflicts so far. The test included standard programs: Firefox, Adobe Reader, Word, and Windows Media Player;

as well as user-added shields for: Live Mail, Open Office, PowerPoint Viewer, Trillian, WordPad, and Works Spreadsheet.


I have NOT tested IE yet... plan to get around to that later today and/or tomorrow.


I just installed this new beta a short time ago... It immediately caused my Opera browser to shut down...



Yes, typically we ask for a ZIP of the entire directory as different files contain different info such as version, alert details, internal engine calls, exclusions, configurations, etc.


You can just attach it in a PM.


Thanks for the logs Tarnak. It seems like an FP with the new RET-ROP mitigation under XP and Opera.


Try the following:


MBAE UI -> Settings -> Advanced settings -> OS Bypass Protection -> RET ROP (32 & 64) -> Uncheck for Browsers -> Apply


Close and re-open Opera and let me know if the problem is resolved.


Hi Pedro,


Could you describe the changes that certain new anti-ROP mitigations have brought?

I am especially interested in seeing what type of attacks should be covered by the new "Layer0 Dynamic Anti-HeapSpraying" and "Layer1 ROP-RET gadget detection" mitigations.


Cheers,

regenpijp

Sorry, not ignoring you, just busy with other stuff. Will try to post some insight into it this week.


On my 32-bit XP SP3 system, I had to make the following adjustments for MBAE 1.08:


To get Word (2000) to open, I had to uncheck RET ROP Gadget Detection (32-bit) for the MS Office profile [under OS Bypass Protection].


In IE8, the VB Scripting engine is blocked from loading on the Adobe Flash test/version site

https://www.adobe.com/software/flash/about/

It can be run by unchecking the Internet Explorer VB Scripting box [under Application Hardening]. (I haven't tested much else... if that's the only page offering VB Script resistance/conflict, I can certainly live with it.)


Hi ky331,

Did you get an alert opening Word, or would it simply not open?

Can you please post or PM me your MBAE logs to find the problem?

Thanks!


With the release of MBAE 1.08 (beta), I tried to cover my online trading software, Dietodin.exe (which I have been using for years without any problem), under the 'other' profile, but immediately on trying to run the trading program, MBAE popped an exploit alert, which is a false one.


For your study, the links to the MBAE logs and the alert are:


https://www.dropbox.com/s/jwrlaazt8hlv3m9/Malwarebytes%20Anti-Exploit.7z?dl=0


https://www.dropbox.com/s/9gsrkyc9ltzzyq0/Untitled1.png?dl=0


Thanks for the logs Tarnak. It seems like an FP with the new RET-ROP mitigation under XP and Opera.


Try the following:


MBAE UI -> Settings -> Advanced settings -> OS Bypass Protection -> RET ROP (32 & 64) -> Uncheck for Browsers -> Apply


Close and re-open Opera and let me know if the problem is resolved.


I didn't have to do anything. After a reboot a short time ago, the tray icon for MBAE was back, and the Opera browser is OK. Apparently, it just needed a reboot to set things right, after the [over the top] install of the beta earlier this morning [local time].


