Jump to content

MBAE 1.08 Beta Preview

pbust

By pbust
in Anti-Exploit Beta

 Share

Recommended Posts

  • Staff
pbust

pbust

Posted
  • Staff
Posted

The following is a beta preview of the upcoming MBAE 1.08.

 

It introduces some new detection mitigations of advanced exploit techniques. They are all enabled by default. It also includes quite a few bug fixes identified in version 1.07.

 

Simply download and install on top of your existing MBAE version.

https://malwarebytes.box.com/s/6n9ac5s8kk6a39awkogaxiaun120ohv3

 

We are very much interested in any feedback you might have. Please create new threads for new topics in this "Experimental MBAE Builds" sub-forum.

 

Thanks!!

Link to post
Share on other sites
  • Replies 386
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Posted Images

ky331

ky331

Posted
Posted

Preliminary observations:

 

1) Just to let everyone know (since I'm sure Pedro is already aware of this) that the 1.08 installer now checks for the presence of EMET, and warns/advises the user to uninstall EMET before continuing MBAE's installation. 

Since I'm trying this beta version intentionally as a test, I disregarded the warning, and allowed MBAE to install alongside EMET.   On this particular machine, it's the much-older EMET 3, where there are significantly fewer mitigations protected, meaning there's a reduced chance of conflict.   I'll certainly report back as I learn/experience any issues.

 

2) Also to let everyone (including Pedro) know, Avast's DeepScreen intercepted mbae64.exe during installation, to analyze it, and fortunately decided to allow it.   This had not happened with previous versions.

Link to post
Share on other sites
  • Staff
pbust

pbust

Posted
  • Author
  • Staff
Posted

Thanks for the report ky331.

 

Yes we now check for EMET and give a small warning/notice. However users can ignore the warning and "continue" with the installation. We've done this as some users were not even aware they had EMET installed when they installed MBAE, and this caused some conflicts.

 

As for Avast, this might probably be due to the fact that 1.08 is a new binary and is not very prevalent yet.

Link to post
Share on other sites
ky331

ky331

Posted
Posted

A "quick test"... just to make sure programs successfully open and can load documents... showed no problems/conflicts so far.   Test included standard programs:   Firefox, Adobe Reader, Word, and Windows Media Player;

as well as user-added shields for:  Live Mail, Open Office, PowerPoint Viewer, Trillian, WordPad, and Works Spreadsheet.

 

I have NOT tested IE yet... plan to get around to that later today and/or tomorrow.

Link to post
Share on other sites
  • Staff
pbust

pbust

Posted
  • Author
  • Staff
Posted

Thanks for the logs Tarnak. It seems like an FP with the new RET-ROP mitigation under XP and Opera.

 

Try the following:

 

MBAE UI -> Settings -> Advanced settings -> OS Bypass Protection -> RET ROP (32 & 64) -> Uncheck for Browsers -> Apply

 

Close and re-open Opera and let me know if the problem is resolved.

Link to post
Share on other sites
  • Staff
pbust

pbust

Posted
  • Author
  • Staff
Posted

Hi Pedro,

 

could you describe the changes that certain new anti-ROP mitigations have brought?

I am especially interested in seeing what type of attacks should be covered by the new: "Layer0 Dynamic Anti-HeapSpraying" and "Layer1 ROP-RET gadget detection" mitigations.

 

Cheers,

regenpijp

Sorry not ignoring you, just busy with other stuff. Will try to post some insight into it this week.

Link to post
Share on other sites
ky331

ky331

Posted
Posted

On my 32-bit XP SP3 system, I had to make the following adjustments for MBAE 1.08:

 

To get Word (2000) to open, I had to UNcheck RET ROP Gadget Detection (32-bit) for the MS Office profile [under OS Bypass Protection].

 

In IE8, the VB Scripting engine is blocked from loading on the Adobe Flash test/version site

https://www.adobe.com/software/flash/about/

it can be run by UNchecking the Internet Explorer VB Scripting box [under Application Hardening].   (I haven't tested much else... if that's the only page offering VB Script resistance/conflict, I can certainly live with it.)

Link to post
Share on other sites
sman

sman

Posted
Posted

With release of MBAE 1.08 (beta), I tried to cover my online trading software, Dietodin.exe, (which I have been using for years w/o any problem) under 'other' profile, but immediately on trying to run the Trading program, MBAE popped an exploit alert, which is a fasle one.

 

For your study, the links to the MBAE logs and alert is,

 

https://www.dropbox.com/s/jwrlaazt8hlv3m9/Malwarebytes%20Anti-Exploit.7z?dl=0

 

https://www.dropbox.com/s/9gsrkyc9ltzzyq0/Untitled1.png?dl=0

Link to post
Share on other sites
Tarnak

Tarnak

Posted
Posted

Thanks for the logs Tarnak. It seems like an FP with the new RET-ROP mitigation under XP and Opera.

 

Try the following:

 

MBAE UI -> Settings -> Advanced settings -> OS Bypass Protection -> RET ROP (32 & 64) -> Uncheck for Browsers -> Apply

 

Close and re-open Opera and let me know if the problem is resolved.

 

 

I didn't have to do anything. After a reboot a short time ago, the trayicon for MBAE was back, and Opera browser is OK. Apparently, it just needed a reboot to set things right, after the [over the top] install of the beta earlier this morning.[local time].

 

post-2134-0-90042700-1441578676_thumb.gi

 

post-2134-0-68212500-1441578731_thumb.gi

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.