Anti-Exploit ?

Malwarebytes' Anti-Malware (MBAM) - Works at the file and Internet address levels. It detects malicious files and blocks or removes them, as well as blocking access to Internet addresses and/or sites listed in its database. MBAM will also correct/fix modifications that malware may make to the Operating System.
Malwarebytes' Anti-Exploit (MBAE) - Is an action-level application. It blocks the malicious action of exploiting software vulnerabilities, or blocks exploits of software performed in an unusual or unintended fashion.
Heuristic detection - If it walks like a duck and squawks like a duck, then it must be a duck. This is a characteristic-based detection instead of a signature-based detection. Because heuristics make an assumption, they can have a higher False Positive rate. At the same time, they can catch malware based on a characteristic even though there is no signature for it and it hasn't been seen before.

When one talks about an "exploit", there are two basic kinds:
* Exploiting a software vulnerability to gain elevated privileges to effect a compromise.
* Taking advantage of a capability, using it to one's benefit in an unexpected or unanticipated way.

As an example of the first case I'll use the Lovsan/Blaster worm. It exploited a software vulnerability in the Operating System's RPCSS/DCOM, which uses TCP port 135. The Lovsan/Blaster worm would send a specific set or string of characters to TCP port 135 to create a "buffer overflow with an elevation of privileges" condition where, if successful, the worm would create a BLASTER.EXE on the target system and then execute it. Once the PC was infected it would seek new hosts, and the Lovsan/Blaster worm would spread exponentially.
As an example of the second case I'll use the Wimad trojan. The Wimad trojan takes advantage of the Digital Rights Management (DRM) incorporated in media files such as MP3, WMV and other music and video files. By taking advantage of the DRM, it would be used in combination with Social Engineering and one's desire for "free music" or a "free movie" to cause the person to download and run some malicious program.
Therefore you use an anti-exploitation application to thwart the malicious activity of deliberately exploiting a vulnerability to effect a system compromise.
One may use a specially crafted...

  • PDF file to exploit a vulnerability in a PDF viewer like Adobe Reader or FoxIt.
  • MOV file to exploit a vulnerability in Apple's QuickTime renderer.
  • GIF file to exploit a vulnerability in Microsoft's Graphics Device Interface (GDI).
  • DOC, XLS or other MS Office document file to exploit a vulnerability in Microsoft Office, or to use a macro to download and execute a file, or to extract an embedded file and execute it.
  • RMP file to exploit a vulnerability in RealPlayer.

It is for situations as enumerated above that an anti-exploit application is used: to monitor and shield a given application, which exhibits vulnerabilities, from attempts using the vulnerability/exploitation attack vector. It is not for untrusted applications.
The intention is to monitor and shield a given application which has a propensity for being exploited.

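The post above contrasts signature-based and heuristic detection and lists crafted PDF and Office documents as typical exploit carriers. The following script is an added illustration, not code from the original post or from Malwarebytes: it scans constructed sample "files" (hypothetical byte strings, not real malware) with both approaches, so the reader can see why a hash signature misses a trivially modified variant while a characteristic check catches it, and why the same characteristic check can flag a benign macro-enabled document (the higher False Positive rate the post mentions). The traits checked (a PDF carrying JavaScript or an auto-run action, an Office container carrying a VBA project) are the kind of defender-side heuristics a scanner might use; the sample contents and the hash database are assumptions made for the demonstration.

```python
"""Signature vs. heuristic detection over constructed sample files.

A signature matches one known-bad file exactly (few false positives, but
no coverage of unseen variants). A heuristic flags a characteristic that
document exploits commonly rely on (catches unseen samples, but can also
flag legitimate files that share the trait).
All sample "files" here are constructed byte strings, not real malware.
"""
import hashlib
from dataclasses import dataclass

# Constructed samples (hypothetical content, shortened to the parts that matter).
_BAD_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog "
            b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n")
SAMPLES = {
    "invoice.pdf": _BAD_PDF,                          # the "known bad" sample
    "invoice_v2.pdf": _BAD_PDF.replace(b"1.4", b"1.5"),  # trivially modified variant
    "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
    "budget.docm": b"PK\x03\x04 [Content_Types].xml word/vbaProject.bin word/document.xml",
    "notes.docx": b"PK\x03\x04 [Content_Types].xml word/document.xml",
}

# Signature database: SHA-256 of the one known-bad sample. Built from the
# sample itself here; in practice this is the vendor's signature feed.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLES["invoice.pdf"]).hexdigest()}


@dataclass
class Verdict:
    name: str
    signature_hit: bool
    heuristic_reasons: list


def signature_scan(data: bytes) -> bool:
    """Exact-match detection: only files already in the database are caught."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


def heuristic_scan(data: bytes) -> list:
    """Characteristic-based detection. Every reason returned is a possible
    false positive on a legitimate file (e.g. a real macro-enabled workbook)."""
    reasons = []
    if data.startswith(b"%PDF"):
        if b"/JavaScript" in data or b"/JS" in data:
            reasons.append("pdf: embedded JavaScript")
        if b"/OpenAction" in data or b"/AA" in data:
            reasons.append("pdf: auto-run action on open")
        if b"/Launch" in data:
            reasons.append("pdf: launch action")
    elif data.startswith(b"PK\x03\x04"):  # OOXML container (docx/xlsx/docm)
        if b"vbaProject.bin" in data:
            reasons.append("office: VBA macro project present")
    return reasons


def scan_all(samples=SAMPLES) -> list:
    """Run both detectors over every sample and return one Verdict per file."""
    return [Verdict(n, signature_scan(d), heuristic_scan(d)) for n, d in samples.items()]


if __name__ == "__main__":
    for v in scan_all():
        print(f"{v.name:15} signature={str(v.signature_hit):5} heuristic={v.heuristic_reasons}")
```

Running it shows invoice.pdf caught by both methods, invoice_v2.pdf caught only by the heuristic (one byte changed defeats the hash), report.pdf and notes.docx clean under both, and budget.docm flagged by the heuristic purely because it contains a macro project. That last verdict is the trade-off the post describes: the same rule that catches a never-seen malicious document also needs a way (allow-listing, reputation, sandboxing) to handle legitimate files with the same trait.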


Thanks for the explanation. It makes sense, and the thinking pattern behind the product is easy to follow. I teach Security to Seniors, and I can use your explanation for the inevitable question of "Why do I need that too?".
