MBAE 1.08 Beta Preview

[pbust]

The following is a beta preview of the upcoming MBAE 1.08.

 

It introduces some new detection mitigations of advanced exploit techniques. They are all enabled by default. It also includes quite a few bug fixes identified in version 1.07.

 

Simply download and install on top of your existing MBAE version.

https://malwarebytes.box.com/s/6n9ac5s8kk6a39awkogaxiaun120ohv3

 

We are very much interested in any feedback you might have. Please create new threads for new topics in this "Experimental MBAE Builds" sub-forum.

 

Thanks!!

[SoCalSienna]

So far so good.

 

Optional Info

• I installed new beta version (it now shows 1.08.1.1016)
• Re-activated default settings (ie, Anti-Heapspray ON for browsers)
• Rebooted
• Opened Firefox -- successful and not blocked by MBAE.

Thanks for making the update and putting out the notification 

[regenpijp]

Hi Pedro,

 

could you describe the changes that certain new anti-ROP mitigations have brought?

I am especially interested in seeing what type of attacks should be covered by the new: "Layer0 Dynamic Anti-HeapSpraying" and "Layer1 ROP-RET gadget detection" mitigations.

 

Cheers,

regenpijp

[Sampei_Nihira]

Hi Pedro,

 

could you describe the changes that certain new anti-ROP mitigations have brought?

I am especially interested in seeing what type of attacks should be covered by the new: "Layer0 Dynamic Anti-HeapSpraying" and "Layer1 ROP-RET gadget detection" mitigations.

 

Cheers,

regenpijp

 

+ 1

TH

[Sampei_Nihira]

WOW

New features allow you to pass the tests HPA3:

 

ROP CALL preceded VirtualProtect()

Heap Spray 1

Anti VM VMware

Anti VM Virtual Pc

Lockdown 1

Lockdown 2

 

 

 

Tested on W.XP sp 3 32 bit

[digmorcrusher]

No issues so far.

[regenpijp]

WOW

New features allow you to pass the tests HPA3:

 

ROP CALL preceded VirtualProtect()

Heap Spray 1

Anti VM VMware

Anti VM Virtual Pc

Lockdown 1

Lockdown 2

 

 

 

Tested on W.XP sp 3 32 bit

I would say, perform a test on Windows 8.1 and inject the tests into IE11 and you'll see different results

[Sampei_Nihira]

The Heap Spray tests (64 bit) have failed.

[ky331]

Preliminary observations:

 

1) Just to let everyone know (since I'm sure Pedro is already aware of this) that the 1.08 installer now checks for the presence of EMET, and warns/advises the user to uninstall EMET before continuing MBAE's installation. 

Since I'm trying this beta version intentionally as a test, I disregarded the warning, and allowed MBAE to install alongside EMET.   On this particular machine, it's the much-older EMET 3, where there are significantly fewer mitigations protected, meaning there's a reduced chance of conflict.   I'll certainly report back as I learn/experience any issues.

 

2) Also to let everyone (including Pedro) know, Avast's DeepScreen intercepted mbae64.exe during installation, to analyze it, and fortunately decided to allow it.   This had not happened with previous versions.

[pbust]

Thanks for the report ky331.

 

Yes we now check for EMET and give a small warning/notice. However users can ignore the warning and "continue" with the installation. We've done this as some users were not even aware they had EMET installed when they installed MBAE, and this caused some conflicts.

 

As for Avast, this might probably be due to the fact that 1.08 is a new binary and is not very prevalent yet.

[ky331]

A "quick test"... just to make sure programs successfully open and can load documents... showed no problems/conflicts so far.   Test included standard programs:   Firefox, Adobe Reader, Word, and Windows Media Player;

as well as user-added shields for:  Live Mail, Open Office, PowerPoint Viewer, Trillian, WordPad, and Works Spreadsheet.

 

I have NOT tested IE yet... plan to get around to that later today and/or tomorrow.

[Tarnak]

 I just installed  this new beta short time ago...It immediately caused my Opera browser to shut down...

 

[pbust]

Hi Tarnak,

 

can you please PM me your MBAE logs?

 

Thanks!

[Tarnak]

Which ones?  Surely, not all.

 

 

P.S. I think it best to e-mail.

 

 

 

 

[pbust]

Yes, typically we ask for a ZIP of the entire directory as different files contain different info such as version, alert details, internal engine calls, exclusions, configurations, etc.

 

You can just attach it in a PM.

[Tarnak]

Ok ...I can attach, but is it private?...My personal details may show?

[pbust]

No, we don't record any personal details in our log files.

[Tarnak]

Just sent by PM...

[pbust]

Thanks for the logs Tarnak. It seems like an FP with the new RET-ROP mitigation under XP and Opera.

 

Try the following:

 

MBAE UI -> Settings -> Advanced settings -> OS Bypass Protection -> RET ROP (32 & 64) -> Uncheck for Browsers -> Apply

 

Close and re-open Opera and let me know if the problem is resolved.

[pbust]

Hi Pedro,

 

could you describe the changes that certain new anti-ROP mitigations have brought?

I am especially interested in seeing what type of attacks should be covered by the new: "Layer0 Dynamic Anti-HeapSpraying" and "Layer1 ROP-RET gadget detection" mitigations.

 

Cheers,

regenpijp

Sorry not ignoring you, just busy with other stuff. Will try to post some insight into it this week.

[ky331]

On my 32-bit XP SP3 system, I had to make the following adjustments for MBAE 1.08:

 

To get Word (2000) to open, I had to UNcheck RET ROP Gadget Detection (32-bit) for the MS Office profile [under OS Bypass Protection].

 

In IE8, the VB Scripting engine is blocked from loading on the Adobe Flash test/version site

https://www.adobe.com/software/flash/about/

it can be run by UNchecking the Internet Explorer VB Scripting box [under Application Hardening].   (I haven't tested much else... if that's the only page offering VB Script resistance/conflict, I can certainly live with it.)

[pbust]

Hi ky331,

Did you get an alert opening Word or would it t simply not open?

Can you please post or PM me your MBAE logs to find the problem?

Thanks!

[ky331]

Got a popup alert from MBAE, and Word would not open afterwards.

 

 

[sman]

With release of MBAE 1.08 (beta), I tried to cover my online trading software, Dietodin.exe, (which I have been using for years w/o any problem) under 'other' profile, but immediately on trying to run the Trading program, MBAE popped an exploit alert, which is a fasle one.

 

For your study, the links to the MBAE logs and alert is,

 

https://www.dropbox.com/s/jwrlaazt8hlv3m9/Malwarebytes%20Anti-Exploit.7z?dl=0

 

https://www.dropbox.com/s/9gsrkyc9ltzzyq0/Untitled1.png?dl=0

[Tarnak]

Thanks for the logs Tarnak. It seems like an FP with the new RET-ROP mitigation under XP and Opera.

 

Try the following:

 

MBAE UI -> Settings -> Advanced settings -> OS Bypass Protection -> RET ROP (32 & 64) -> Uncheck for Browsers -> Apply

 

Close and re-open Opera and let me know if the problem is resolved.

 

 

I didn't have to do anything. After a reboot a short time ago, the trayicon for MBAE was back, and Opera browser is OK. Apparently, it just needed a reboot to set things right, after the [over the top] install of the beta earlier this morning.[local time].