pbust #1 Posted September 5, 2015
The following is a beta preview of the upcoming MBAE 1.08. It introduces some new detection mitigations of advanced exploit techniques. They are all enabled by default. It also includes quite a few bug fixes identified in version 1.07. Simply download and install on top of your existing MBAE version.
https://malwarebytes.box.com/s/6n9ac5s8kk6a39awkogaxiaun120ohv3
We are very much interested in any feedback you might have. Please create new threads for new topics in this "Experimental MBAE Builds" sub-forum. Thanks!!
SoCalSienna #2 Posted September 5, 2015
So far so good.
Optional info:
- I installed the new beta version (it now shows 1.08.1.1016)
- Re-activated default settings (i.e., Anti-Heapspray ON for browsers)
- Rebooted
- Opened Firefox: successful and not blocked by MBAE.
Thanks for making the update and putting out the notification.
regenpijp #3 Posted September 5, 2015
Hi Pedro, could you describe the changes that certain new anti-ROP mitigations have brought? I am especially interested in seeing what type of attacks should be covered by the new "Layer0 Dynamic Anti-HeapSpraying" and "Layer1 ROP-RET gadget detection" mitigations.
Cheers,
regenpijp
Sampei_Nihira #4 Posted September 5, 2015
> Hi Pedro, could you describe the changes that certain new anti-ROP mitigations have brought? I am especially interested in seeing what type of attacks should be covered by the new "Layer0 Dynamic Anti-HeapSpraying" and "Layer1 ROP-RET gadget detection" mitigations.
> Cheers,
> regenpijp
+1 TH
Sampei_Nihira #5 Posted September 5, 2015
WOW! New features allow you to pass the tests:
HPA3: ROP CALL preceded VirtualProtect()
Heap Spray 1
Anti VM VMware
Anti VM Virtual Pc
Lockdown 1
Lockdown 2
Tested on W.XP SP3 32-bit.
digmorcrusher #6 Posted September 5, 2015
No issues so far.
regenpijp #7 Posted September 5, 2015
> WOW! New features allow you to pass the tests:
> HPA3: ROP CALL preceded VirtualProtect()
> Heap Spray 1
> Anti VM VMware
> Anti VM Virtual Pc
> Lockdown 1
> Lockdown 2
> Tested on W.XP SP3 32-bit.
I would say, perform a test on Windows 8.1 and inject the tests into IE11 and you'll see different results.
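For readers wondering what the "ROP CALL preceded VirtualProtect()" test above actually exercises, here is a minimal "caller check" of the kind anti-exploit layers apply when a critical API such as VirtualProtect() is entered: read the return address off the stack and verify that the bytes immediately before it decode as an x86 CALL, so the API was reached by a call rather than by a RET into a ROP chain. This is an added illustration written for this thread, not MBAE's (or the test tool's) code; the "process memory" is a constructed byte array, the "return address" is an offset into it, and only the common 32-bit CALL encodings are decoded.

```c
/* Added example (not MBAE's or any test tool's code): a minimal x86 caller
 * check. Given a "return address" (offset into a constructed code buffer),
 * decide whether the instruction ending there is a CALL. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* True if p[0..n) is exactly one 32-bit CALL of the FF /2 family:
 * call reg, call [reg], call [reg+disp8], call [reg+disp32], call [disp32],
 * with or without a SIB byte. */
static bool is_call_ff(const uint8_t *p, size_t n)
{
    if (n < 2 || p[0] != 0xFF) return false;
    uint8_t modrm = p[1];
    if (((modrm >> 3) & 7) != 2) return false;      /* reg field 2 = CALL */
    uint8_t mod = modrm >> 6, rm = modrm & 7;
    if (mod == 3) return n == 2;                     /* call reg */
    size_t len = 2;
    if (rm == 4) {                                   /* SIB byte follows */
        if (n < 3) return false;
        len += 1;
        if (mod == 0 && (p[2] & 7) == 5) len += 4;   /* SIB with no base: disp32 */
    } else if (mod == 0 && rm == 5) {
        len += 4;                                    /* call [disp32] */
    }
    if (mod == 1) len += 1;                          /* disp8 */
    if (mod == 2) len += 4;                          /* disp32 */
    return n == len;
}

/* Caller check: does a CALL instruction end exactly at code[ret_off]?
 * Trying every plausible CALL length is what a backwards disassembly at
 * the return address amounts to. Returns true = looks like a real caller,
 * false = suspicious (e.g. a RET landed here). */
bool call_preceded(const uint8_t *code, size_t code_len, size_t ret_off)
{
    if (ret_off > code_len) return false;
    for (size_t n = 2; n <= 7 && n <= ret_off; n++) {
        const uint8_t *p = code + ret_off - n;
        if (n == 5 && p[0] == 0xE8) return true;     /* call rel32 */
        if (n == 7 && p[0] == 0x9A) return true;     /* far call ptr16:32 */
        if (is_call_ff(p, n)) return true;
    }
    return false;
}

/* Constructed samples (not captured from any real process). */
/* Legitimate caller: "call rel32 ; ret". Return address = offset 5. */
static const uint8_t sample_legit[] = { 0xE8, 0x00, 0x00, 0x00, 0x00, 0xC3 };
/* ROP chain: the stack slot points at a "pop eax ; ret" gadget at offset 1,
 * which is preceded by a NOP, not a CALL. */
static const uint8_t sample_rop[] = { 0x90, 0x58, 0xC3 };
/* Evasion: the same gadget placed right after bytes that happen to decode
 * as "call rel32", so a naive caller check is satisfied. */
static const uint8_t sample_evasion[] = { 0xE8, 0x11, 0x22, 0x33, 0x44, 0x58, 0xC3 };

int main(void)
{
    printf("legit   : %s\n", call_preceded(sample_legit, sizeof sample_legit, 5) ? "call-preceded" : "SUSPICIOUS");
    printf("rop     : %s\n", call_preceded(sample_rop, sizeof sample_rop, 1) ? "call-preceded" : "SUSPICIOUS");
    printf("evasion : %s\n", call_preceded(sample_evasion, sizeof sample_evasion, 5) ? "call-preceded" : "SUSPICIOUS");
    return 0;
}
```

The third sample is the caveat a practitioner should keep in mind: a chain whose gadget is deliberately chosen so that the bytes before it form a CALL passes this check, which is presumably what the "CALL preceded" variant of the test is built around, so a caller check is only one layer and has to be combined with other checks (stack-pointer sanity, inspection of what the "call" would actually have called, gadget-shape detection such as the RET gadget mitigation named in this thread). 64-bit encodings (REX prefixes) are not handled here.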
Sampei_Nihira #8 Posted September 6, 2015
The Heap Spray tests (64-bit) have failed.
ky331 #9 Posted September 6, 2015
Preliminary observations:
1) Just to let everyone know (since I'm sure Pedro is already aware of this) that the 1.08 installer now checks for the presence of EMET, and warns/advises the user to uninstall EMET before continuing MBAE's installation. Since I'm trying this beta version intentionally as a test, I disregarded the warning, and allowed MBAE to install alongside EMET. On this particular machine, it's the much-older EMET 3, where there are significantly fewer mitigations protected, meaning there's a reduced chance of conflict. I'll certainly report back as I learn/experience any issues.
2) Also to let everyone (including Pedro) know, Avast's DeepScreen intercepted mbae64.exe during installation, to analyze it, and fortunately decided to allow it. This had not happened with previous versions.
pbust #10 Posted September 6, 2015
Thanks for the report ky331. Yes, we now check for EMET and give a small warning/notice. However, users can ignore the warning and "continue" with the installation. We've done this as some users were not even aware they had EMET installed when they installed MBAE, and this caused some conflicts.
As for Avast, this might probably be due to the fact that 1.08 is a new binary and is not very prevalent yet.
ky331 #11 Posted September 6, 2015
A "quick test"... just to make sure programs successfully open and can load documents... showed no problems/conflicts so far.
Test included standard programs: Firefox, Adobe Reader, Word, and Windows Media Player; as well as user-added shields for: Live Mail, Open Office, PowerPoint Viewer, Trillian, WordPad, and Works Spreadsheet.
I have NOT tested IE yet... plan to get around to that later today and/or tomorrow.
Tarnak #12 Posted September 6, 2015
I just installed this new beta a short time ago... It immediately caused my Opera browser to shut down...
pbust #13 Posted September 6, 2015
Hi Tarnak, can you please PM me your MBAE logs? Thanks!
Tarnak #14 Posted September 6, 2015
Which ones? Surely, not all.
P.S. I think it best to e-mail.
pbust #15 Posted September 6, 2015
Yes, typically we ask for a ZIP of the entire directory as different files contain different info such as version, alert details, internal engine calls, exclusions, configurations, etc. You can just attach it in a PM.
Tarnak #16 Posted September 6, 2015
Ok... I can attach, but is it private? My personal details may show?
pbust #17 Posted September 6, 2015
No, we don't record any personal details in our log files.
Tarnak #18 Posted September 6, 2015
Just sent by PM...
pbust #19 Posted September 6, 2015
Thanks for the logs Tarnak. It seems like an FP with the new RET-ROP mitigation under XP and Opera. Try the following:
MBAE UI -> Settings -> Advanced settings -> OS Bypass Protection -> RET ROP (32 & 64) -> Uncheck for Browsers -> Apply
Close and re-open Opera and let me know if the problem is resolved.
pbust #20 Posted September 6, 2015
> Hi Pedro, could you describe the changes that certain new anti-ROP mitigations have brought? I am especially interested in seeing what type of attacks should be covered by the new "Layer0 Dynamic Anti-HeapSpraying" and "Layer1 ROP-RET gadget detection" mitigations.
> Cheers,
> regenpijp
Sorry, not ignoring you, just busy with other stuff. Will try to post some insight into it this week.
ky331 #21 Posted September 6, 2015
On my 32-bit XP SP3 system, I had to make the following adjustments for MBAE 1.08:
To get Word (2000) to open, I had to UNcheck RET ROP Gadget Detection (32-bit) for the MS Office profile [under OS Bypass Protection].
In IE8, the VB Scripting engine is blocked from loading on the Adobe Flash test/version site https://www.adobe.com/software/flash/about/ ; it can be run by UNchecking the Internet Explorer VB Scripting box [under Application Hardening]. (I haven't tested much else... if that's the only page offering VB Script resistance/conflict, I can certainly live with it.)
pbust #22 Posted September 6, 2015
Hi ky331,
Did you get an alert opening Word or would it simply not open?
Can you please post or PM me your MBAE logs to find the problem?
Thanks!
ky331 #23 Posted September 6, 2015
Got a popup alert from MBAE, and Word would not open afterwards.
sman #24 Posted September 6, 2015
With the release of MBAE 1.08 (beta), I tried to cover my online trading software, Dietodin.exe (which I have been using for years w/o any problem), under the 'other' profile, but immediately on trying to run the trading program, MBAE popped an exploit alert, which is a false one. For your study, the links to the MBAE logs and alert are:
https://www.dropbox.com/s/jwrlaazt8hlv3m9/Malwarebytes%20Anti-Exploit.7z?dl=0
https://www.dropbox.com/s/9gsrkyc9ltzzyq0/Untitled1.png?dl=0
Tarnak #25 Posted September 6, 2015
> Thanks for the logs Tarnak. It seems like an FP with the new RET-ROP mitigation under XP and Opera. Try the following:
> MBAE UI -> Settings -> Advanced settings -> OS Bypass Protection -> RET ROP (32 & 64) -> Uncheck for Browsers -> Apply
> Close and re-open Opera and let me know if the problem is resolved.
I didn't have to do anything. After a reboot a short time ago, the tray icon for MBAE was back, and the Opera browser is OK. Apparently, it just needed a reboot to set things right, after the [over the top] install of the beta earlier this morning [local time].