MBAE 1.08 Beta Preview


pbust

It seems the Kaspersky update re-introduced the problem.

We're currently investigating. In the meantime please deactivate the shield for the browsers or switch AV. We'll post back here asap.

Norton updated yesterday as well. I wonder if it messed with the stuff on my end.


I encountered the first real problem today. I wanted to try out Trusteer Rapport and the installation went off well, but when I opened IE11, MBAE immediately alerted about 'OS Bypass - ROP gadget detection blocking'. The homepage loaded and IE11 was still working, and the MBAE services and UI were in place. But there were no browser protection pop-ups further on in the session, whether with Chrome/FF/Edge etc. Also, the Trusteer console did not open up.

On reboot, MBAE browser protection alerts were back, but the moment I tried IE11 the problem returned. I then had no other option but to uninstall Trusteer, but as its native uninstall tool was of no help, I used a 3rd party tool and had it uninstalled. Immediately after its uninstall, MBAE browser alerts were back (without need for a reboot).

Clearly, there is some conflict between Trusteer and MBAE. I do want to try out Trusteer, but how to go about it? @pbust, can you offer any help?


Hi @pbust,

While uninstalling Trusteer, I ignored its request to seek its online support. Now, to reinstall, it requires me to contact support. So I will be able to confirm MBAE & Trusteer working together only after I get Trusteer running again.

The real problem is Trusteer's add-on to IE11, which it tries to add whenever IE is started up, and which is invariably flagged/blocked by MBAE; this is not a problem with Chrome/FF. It is also the reason why IE still works fine even after the MBAE alert/block.

Once I get Trusteer running, I will also check what the effect is if I re-enable the RET ROP protection after adding the add-on in IE.

But of all the things, I'm not clear as to how Trusteer works (it is said that there is no DNS resolve, and it authenticates the website after getting the IP and the website signature against its database). When there is no DNS resolve involved, how effective can it be, how can it prevent man-in-the-middle and browser-in-the-middle attacks, and will my AV's 'Secure DNS' take care of the website authentication and traffic protection?

Meanwhile, I look forward to your views. Thanks.


Phew, it was quite an effort. Whatever I did to install Trusteer back ended up with that nagging error, and Trusteer support was of no help (I did 3 chats without any way out). Every installation attempt needed going through a download of about 45 MB of Trusteer installer; you can very well imagine how testing it was.

It then struck me as to whether MBAE could be the culprit, and I started with stopping protection and attempting the install. Then, stopping/killing MBAE services in toto, but still no success. Finally, I uninstalled MBAE and tried the install; voila, success at last.

MBAE was installed back. Now the question was which ROP protection to disable (as there were CALL & RET for 32-bit & 64-bit). I then decided to disable both CALL & RET protection for 64-bit, and yes, this worked.

No exploit block by MBAE any more. At this point I was surprised to note that IE was present in both Program Files and also in Program Files (x86), and a check in Process Explorer showed DLL injections for both the 32- & 64-bit processes of IE, whether IE was run from Program Files or from Program Files (x86). Since I turned off only the 64-bit protection, I checked IE from both folders, and no problem whatsoever.

The interesting thing was, no add-on of Trusteer got added to IE except for an icon in one corner of the address bar.

Then, the final step: I restored the ROP 64-bit protection in MBAE and ran the check with IE. It held, as I hoped.

Now, no issues whatsoever, and MBAE too is back to its default settings. Hope this helps. Thanks.


1039 does not fix the fingerprint issue with attachments in IE11 with Gmail etc., as reported previously.

Only a problem on one computer, although the others also have Windows 7 64-bit SP1 and IE 11.

Blocking occurs with IE11 the moment the attach button is clicked.

I agree. It does not fix the IE 11 fingerprint issue on Windows 10 x64 Professional when attempting to download a program and selecting "Save As" to store the downloaded program to a different location instead of the default C:\Users\UserName\Download folder. :(


MBAE 1.08.1.1039 works without any issues for me.

Regarding Trusteer Rapport, I have tried on many occasions in the past five years to use it and am constantly frustrated. Trusteer are unable to reliably keep up with Google Chrome versions, so you never know if the green address bar thingy will be absent when a new version of Google Chrome is installed. The slowdowns that Rapport inflicts on older PCs suggest that the low-level/driver-level Rapport software could be better implemented.

So paranoid am I about my online banking, especially with the advent of Dridex, that I use an older PC which is used solely for online banking. Naturally it is protected by MBAE, along with Agnitum Outpost Firewall Pro (LAN TCP/IP disabled to keep out worms). I use Firefox ESR with heavy NoScript-imposed restrictions. I also use dns-crypt using the port 443 over TCP option. No email client is installed.


Download link updated to build 1039.

This solves the Kaspersky and Comodo conflicts.

Please download and install over the top of the existing installation and report back any issues.

Thanks!

 

Thank you

So far:

1) This still does not solve this IE issue: https://forums.malwarebytes.org/index.php?/topic/173445-dynamic-anti-heapspraying-fp-under-win7-ie11/

2) It did not remember the shields that I added myself -- had to re-add them, but it's not a big deal, takes only a minute


Trusteer Rapport endpoint protection

Following some recent comments I made in this section of the forum about Trusteer Rapport, I installed Trusteer Rapport endpoint protection (3.5.1507.77, the latest version) on a Windows 7 Ultimate 64-bit system. I was pleasantly surprised with its behaviour, the previously reported sluggish performance seemingly much improved. I accessed my online banking facility using IE11, Google Chrome and Firefox ESR (all are the latest versions) without any problems whatsoever. MBAE beta 1.08.1.1039 is installed with all advanced settings boxes ticked. I am also running AVG Free 2015, Agnitum Outpost Firewall Pro 9.1, and EMET 5.2 (EAF and ROP mitigations disabled for all MBAE protected applications).

Rapport installed smoothly. I have enabled all of its options in Security Policy (i.e. to include my own choices of protected sites). After a little hesitance by the system on initial install, I restarted the system and it ran well thereafter. At no time did MBAE beta 1.08.1.1039 take exception to anything.

As a consequence, I am resuming regular use of Rapport endpoint protection. It even worked well in Firefox ESR, on which an extremely restrictive setup of NoScript is installed, i.e. nothing but secure web pages from my bank's website are allowed any functionality. Rapport works quite happily with this, and dns-crypt also works well.


Thank you sman. That is very interesting. Phew! It's the Q2 report, BTW.

Since Rapport is not regarded by me as anti-malware, firewall or HIPS, I am going to continue to use it. AVG is good, Outpost detects keyboard and screen copying (among many things) and EMET/MBAE detect exploits, which are the vehicles for importing the malware. I'm not complacent and, being a distrustful cynic, am fairly resistant to social engineering.

This information you have furnished me with is my bonus for trying Rapport out as a challenge to MBAE beta. I have satisfied myself that Rapport and MBAE can work together.

I guess that the combination of MBAE, EMET, Rapport, AVG and Outpost comprises a decent layered defense.


Outpost Firewall and Outpost Security Suite each guard internet settings (including DNS) among many other registry settings. A prompt is issued if attempts are made to alter those settings. I have used Outpost since version 1.

My preferred way of avoiding MiTM/MiTB is to use a dedicated PC and encrypted (Open)DNS via remote TCP port 443. The PC is 16 years old, running Windows XP Pro SP3 (with access to POSReady security updates), MBAE, BufferShield (a PaX type tool originally developed for Linux - the old hardware lacks DEP), Outpost, AVG 2015 and Firefox ESR with NoScript. No unnecessary software is installed. Firefox is right up at the latest and best standards of SSL/TLS capabilities. Unless HSBC's web site is infected, I consider it unlikely that my transactions with the bank will be compromised. Local network traffic is via Novell IPX only on that PC. There must be an Achilles heel somewhere, but my less than expert knowledge has not yet revealed it.
