
MBAE and Quarri


sman

Further on MyPOQ: once logged into the Quarri site (from any browser other than IE), it launches the Quarri Install Agent Helper, which starts IE in a protected/secure environment (much like Trusteer securing the browser), but IE is not covered by MBAE (no instance in Process Explorer or UI alert). It is not a remote Browser in the Box, but a local browser run w/o any plugins/add-ons.

 

So, how can IE be secured under this run? Tks..


Thanks @pbust for the reply. One correction: one Quarri Agent add-on is running in IE and setting up the protected/secure environment. Yes, the IE process run is shown by Process Explorer (but no MBAE DLL injection). I tried to add a shield for Enforcerx64.exe (Quarri process), but though there was a UI alert, no DLL injection was found in Process Explorer. I then tried to add a shield for "Quarri Launch Helper.exe", which is covered by MBAE, and found mbae64.dll in Process Explorer.

 

The bottom line is, IE is not covered by MBAE.. Hope this helps..


Yes, once the protected browser session is closed and you launch IE normally, it is protected by MBAE (with both mbae.dll & mbae64.dll injections).

 

This Quarri MyPOQ is a free service and just needs a registration and then subsequently login for launching it for running the protected browser session, launching the local IE browser with Quarri Agent add-on..

 

Even the session run is limited (say a 5-10 min session only, since login is with the Quarri site server) but it can be run any number of times (only the session time is limited).

 

I think you will get a better idea with an actual session run, registering with Quarri.com. MRG Effitas has given a good report of Quarri for online banking security usage.

 

Hope this helps..

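The Process Explorer check described in the posts above (is mbae.dll or mbae64.dll loaded in IE and in the Quarri processes?) can be scripted. This PowerShell sketch is an added example, not code from any poster, Malwarebytes or Quarri; the function name `Get-MbaeCoverage` is hypothetical, `iexplore` is assumed to be the IE process name, and the other process and DLL names are taken from the posts. It needs PowerShell 3.0 or later.

```powershell
# Added example: report whether the MBAE DLLs named in this thread are loaded
# in the processes the posters inspected manually with Process Explorer.
# Assumption: run elevated. Windows PowerShell may only list modules that match
# the shell's own bitness, so run it from both the 32-bit and 64-bit console
# to see mbae.dll (32-bit) as well as mbae64.dll (64-bit).

$MbaeDlls  = 'mbae.dll', 'mbae64.dll'                            # from the thread
$ProcNames = 'iexplore', 'Enforcerx64', 'Quarri Launch Helper'   # names without .exe

function Get-MbaeCoverage {
    param(
        [string[]]$Name = $ProcNames,
        [string[]]$Dll  = $MbaeDlls
    )
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $status = 'not loaded'
        $found  = @()
        try {
            # -ErrorAction Stop turns "cannot enumerate modules" into a
            # catchable error instead of a silently empty list.
            $mods  = Get-Process -Id $p.Id -Module -ErrorAction Stop
            $found = @($mods |
                       Where-Object { $Dll -contains $_.ModuleName } |
                       Select-Object -ExpandProperty ModuleName)
            if ($found.Count -gt 0) { $status = 'loaded' }
        }
        catch {
            # A process that blocks inspection, or one that has already
            # exited, is reported as unreadable rather than "not loaded".
            $status = 'unreadable'
        }
        [pscustomobject]@{
            Process = $p.ProcessName
            Id      = $p.Id
            Mbae    = $status
            Modules = $found -join ', '
        }
    }
}

Get-MbaeCoverage | Sort-Object Process, Id | Format-Table -AutoSize
```

A row marked `unreadable` means the module list could not be read at all, which is a different result from a readable list that contains no MBAE DLL.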

Yes. I fully agree with you on the unique exclusive functioning of Quarri Agent, not allowing MBAE to cover IE. Normally when MBAE sees any apps to be covered by it running, on launch it immediately starts covering/protecting those apps.. Here, even though IE is running, it is unable to cover it, because of Quarri..

 

Thanks pbust, I will try to check with Quarri, if there is any way out..


I have written to Quarri for white listing and allowing of MBAE protection and waiting for the reply..

Meanwhile, I checked what happens if IE is already running and Quarri Agent is started. It is found that the Quarri Agent immediately senses the MBAE injection and pops a warning about the presence of MBAE injection and terminates.

It seems it is the Enforcerx64.exe injection into IE by Quarri, which works similar to MBAE and protects the processes from any malicious code injection. It should also be noted that a Quarri agent add-on is also in place in IE during the Quarri run.

But whether the combo of Enforcerx64.exe and the Quarri browser add-on will protect the browser from all exploit threats like MBAE is not known.

On this, there is a PDF article at https://www.quarri.com/files/partners/Quarri_POQ_Technical_WP.pdf where on Page 10, under Browser Process Integrity, it mentions code injection into the browser process and states this as a malware attack vector and the need for preventing any code injection.

Now, Quarri's reply can only shed further light on its working/protection, and I am looking forward to their response.

For your views, please.. Tks..


This is the reply from Quarri..

 

- Quote

 

Let me answer your questions below:

Q: My problem is when IE11 launches as Protected session with Quarri Agent, MBAE is prevented from protecting the IE11 Browser against exploit threats, (which it does in normal IE11 run)..
A: Quarri actively sandboxes an encrypted IE11 session and protects that session from anything attempting to inject into our process space, or even debugging it. If anything were to enter our process space, the protected browser would be forced to terminate and restart the session to a new clean session.

Q: Now, is it possible to include some white list for MBAE protection cover also in Quarri Protected browser session?
A: Yes, if you purchase our product you obtain the ability to define "policies" for running Quarri that allow you to whitelist software, and includes many other security controls/options.

Hopefully this answers your questions. Let me know if you need any further assistance.

Regards,

Eric Wells
Quarri Technologies
Senior Client Services Engineer

 

- Unquote

 

Any views, please..


It seems to me that the two security solutions - Quarri and MBAE - are just not compatible with each other (at least the free version of Quarri). Just try to whitelist MBAE in Quarri as suggested by their support team and see what happens. If this doesn't work either, you will have to uninstall one of these security solutions because of this software incompatibility.


Quarri has replied to my further queries,

 

- Quote

 

To answer your follow up questions:
1. Yes, Quarri prevents from ANY attempt to inject into our space, regardless of whether it's from a legitimate source or not. We can allow processes into our sandbox via a "whitelisting" method built into the management of the program as well. This can be accomplished via several different methods.

2. We don't protect system software outside the sandboxed session. However, our keylogger defense does extend out of our protected session. We do have exploit mitigation within our protected space, but how it compares to EMET I am unsure of. However, we do a very good job at blocking 0days.

3. The only software that we actually protect are Microsoft Office products and Adobe Reader.

Regards,

Eric Wells
Quarri Technologies
Senior Client Services Engineer

 

- Unquote

 

On this, my questions to Quarri were,

 

- Quote

 

1. Now, "Protect any attempt to inject into process space", does this mean that IE will be protected from all forms of exploit attempts, not only the running process but also from any change to its executable associated files in storage?

2. Does Quarri have in-built EMET or other exploit mitigation functionality to protect process (software) against vulnerabilities?

3. What happens if other apps/programs are called during the session (say opening some mail attachment, say Word/Excel doc, PDF, media files etc.). Are these processes also protected?

 

- Unquote

 

So, with Quarri also having exploit mitigation functionality, it would be conflicting with MBAE working. So, probably, for online banking and related activity Quarri may be suited with its protection features.

 

Tks..


Concluding messages with Quarri:

 

- Quote

 

It's not necessarily that they can't co-exist on the same system. It's just that MBAE is protecting the entire system, while Quarri will cut out its own space on the system and protect only that space and what's done inside it. No other processes are allowed inside, including MBAE, unless allowed in the Quarri policy that can be tuned within the Quarri Management console. Tuning the policy, however, is not a feature offered to MyPOQ users.

As far as what security product to use (for something like your online banking session), I would highly recommend Quarri as we provide a vast number of protections from data leakage.

Regards,

Eric Wells
Quarri Technologies

-----
Hello Eric Wells,

As any user, I only understand that it is the question of whether IE requires Quarri & MBAE for exploit protection (prior to release of patches against vulnerabilities). The question of conflicts in functionality may also warrant turning off the functionality that conflicts (probably by Quarri) if they are to work alongside. MBAE will anyhow be protecting/shielding other apps in its cover against exploits and is only prevented from covering IE by Quarri.

So, it may go beyond white listing and if the IE session is under robust protection with Quarri in action, MBAE's protection may not be required.

Pl. correct me if I'm wrong.

Thanks..
--------------
That sounds correct. Is there anything else I can help you with? Would you like to be put in touch with a sales rep? Please let me know if this is resolved and we can close this support ticket.

Regards,

Eric Wells
Quarri Technologies
----------

Thank you Eric Wells..

I think we have come to conclusions on the aspects of interest and this may well be treated as final & closed.

Thanks once again.
--------------
 

- Unquote
