Is MBAE doing anything? Prove it.


RedDoofus

Hi All,

 

New to this forum. Question about MBAE. I've seen it and tried it out myself and its claims seem great and so it appears from its settings. But, is there any way to see or prove its activity? What I mean to ask is: is there any way for me to prove to myself that it is actually providing protection? Is there any way I can intentionally invoke its functions? Anything that should happen without it, but won't happen because of it. Possibly a log file where I can see that it blocked this and that or something like that. Maybe a site I can visit, or a download I can try. In short: show that it's doing something, actively or passively.

Any ideas?

Link to post

4 hours ago, daledoc1 said:

Hello and welcome, @RedDoofus:

Have a look here: How to verify that MBAE is working correctly

Cheers,

Ok. Checked that out. Well, it's 70% of what I was looking for. When running the exploit mode, I get a notification from MBAE that it blocked the action. But I've never seen such a notification before. I asked a friend, who's been running MBAE for two years, and he's never seen such a notification either. I won't go as far as to say that the notification is a show, but I'm trying to get a real-world indication that MBAE is providing additional protection. A malicious website or malicious download would probably be the best candidates, but doesn't have to be. Let me put it this way: I want to go out in the big world, find me a big angry thug, get on his bad side, and see MBAE protecting me. A scenario which I would then compare to no MBAE. Obviously, I'd try such tests in isolated VMs.

Link to post

I also checked that MBAE's DLLs were being injected into processes, as the post there describes. But for me, that doesn't add anything. I know MBAE is running properly. I see its process and service running, icon in the taskbar, it also says that its protection is running. I want to test it. Every other AV, firewall breaks something. That is the simplest proof that it's doing something. That's what I want to see here.

Link to post

4 hours ago, olduser said:

Agree with you!

See:

 

Looks like we ran into the same wall. Even the explanation of the VB topic (on your thread), is missing the point. He explains one thing, but the logs are still useless. Even that one explanation is too general and still doesn't give satisfactory protection data, even on the VB topic.

Malwarebytes, pleeeeezzzz address this issue

Link to post

You would have to find a site that has something that the program blocks. I'm sure as hell not going to try that kind of test.

You do it and the other guy that posts junk.

Edited by KenW
Link to post

  • Root Admin

I'm sorry @RedDoofus but for obvious reasons we do not have or provide such a test for users. If you're unable to test on your own to your satisfaction then you can submit for a refund. Someone that has driven a car for 40 years and has never had an accident, does not mean they don't need insurance. The very next day they could be in a major accident that totals the car. I've been using computers now for over 20 years and have never been infected by accident. Often where you go, what you do with your computer can determine if you ever do run into attacks.

MBAE Exploits How they work

Malwarebytes Anti-Exploit in action

Product information for Malwarebytes Anti-Exploit

 

As this topic is treading on abusive comments it will soon be closed if it continues in that direction.

Thank you

 

Link to post

  • Root Admin

I hope you realize @olduser that any company that provides access to dangerous software to "prove" their software works would soon be out of business. No software company is going to provide users with that. That would be unprofessional, dangerous, and open them up for a lawsuit.

There are sites out there that do test our program but that is on them and they should be trained. Home users are not trained. We do not provide any such testing for home users.

 

Link to post

@AdvancedSetup no no no. Let me explain and put things into perspective. I'm not asking Malwarebytes to provide malicious code to test MBAE. I DO believe Malwarebytes that MBAE does provide additional protection, by blocking certain potential exploits. That's not what I'm questioning here. It's one thing, from two angles.

 

1) MBAE, like EVERY other security software, should log its activity and detections, and people should be able to see it, somehow. It doesn't need to be a terrifying blow-up window. It can be an ugly log file as well. This is what I was initially looking for, and I believe that this is what @olduser also wants too.

 

2) Now, it is perfectly possible that I've simply never encountered code that MBAE stops, so obviously there's nothing to see. And as you said, that doesn't negate the need for protection, like car insurance. But as things seem to me now, this protection is simply not necessary for me. I'm apparently not around the relevant threats. I assume that you don't walk around always with a bullet proof helmet and vest, kneepads, elbowpads and such gear, even though there's no arguing that all those protect their wearers. Without this gear you are certainly vulnerable to harm, possibly even death. That friend I mentioned, who's been running MBAE for over two years, he's not as knowledgeable about security and like most people, is not careful with what he visits and what he runs. I always see traces of malicious activity on his computer. Viruses, trojans etc. So, apparently, he's also never run into the relative threats. It seems to me, very simply, that the protection that MBAE provides is not relevant to standard users.

 

A log, like every proper software does, would answer all questions. A proper log is also an expected thing. That would've prevented this whole discussion.

Link to post

2 hours ago, RedDoofus said:

1) MBAE, like EVERY other security software, should log its activity and detections, and people should be able to see it, somehow. It doesn't need to be a terrifying blow-up window. It can be an ugly log file as well. This is what I was initially looking for, and I believe that this is what @olduser also wants too.

MBAE has a log function. It is not on by default. Under the settings tab place a check by log protection events.

Link to post

@Porthos yes, I know that, and am referring to that too. I see that it logs that processes are protected. Firefox is protected and so on. I also see there the blockings of the test.exe, when running the exploit mode. And that's my problem. If those are its only activities, and it hasn't blocked anything else, then its protection is apparently not relevant to me, as I explained above.

Link to post

I should add that I do not run any anti virus or any other security software. Just the OS and its built-in firewall. Windows defender is also disabled. Completely disabled (not revealing how I did that). So there isn't anything else that may have intercepted the malicious actions before MBAE.

 

This topic can be summarized into short words: Is MBAE doing anything for me? Do I need it? If yes, then I want to see it. If not (which it seems so to me), well, good to know.

Link to post

12 minutes ago, RedDoofus said:

if those are its only activities, and it hasn't blocked anything else, then its protection is apparently not relevant to me, as I explained above

I understand your stance. I have had it block only once myself but it is there and not causing any problems so it stays. I believe it is your choice and if you don't see a purpose for it then by all means take them up on the refund offer.

Link to post

3 minutes ago, Porthos said:

I understand your stance. I have had it block only once myself but it is there and not causing any problems so it stays. I believe it is your choice and if you don't see a purpose for it then by all means take them up on the refund offer.

Finally someone understood the topic :)

I'm not at this for a refund. I'm running a trial version. This is not my first trial. I tried this out many times over the last 2 years, on different OSs, always with the same observations. I needed to work this out, just to know. IT pros are curious people :)

 

Thanks,

Link to post

3 minutes ago, RedDoofus said:

I should add that I do not run any anti virus or any other security software. Just the OS and its built-in firewall. Windows defender is also disabled. Completely disabled (not revealing how I did that). So there isn't anything else that may have intercepted the malicious actions before MBAE.

 

You are NOT an average computer user. You know how and what to avoid and how to mitigate any issues you may encounter.

Like you I know everything I do with my computer. I also do not have any detections from my security except an occasional block from the web protection of MBAM.

Link to post

  • Root Admin

MBAE is much like the Enhanced Mitigation Experience Toolkit from Microsoft, but we believe a much better exploit protection.

What is the Enhanced Mitigation Experience Toolkit?
The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this goal by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.

 

Link to post

In earlier versions the log actually had a lot more helpful info and I for one was sad when it was removed. I liked being able to see the protection types being applied, e.g. (Bottom up ASLR). While I'm not sure this is actually what you are after I think it might have helped by being able to read a log where such things were recorded. These days, for a user, it's very much a leap of faith that it's actually doing what you have it set up to do [think potential bugs or conflicts with other security programs] especially if you aren't visiting random sites or getting fed bad ads. Never hearing a peep out of MBAE could certainly lead one to wonder. I expect the logs in the ProgramData folder still hold such information but it's not something a user can just open up and read... :-/

Link to post

  • Staff

In our blog you can see plenty of examples of MBAE providing protection against sites which have been caught/known to be distributing malware through exploit kits. There's a lot of good reading there.

https://blog.malwarebytes.com/category/threat-analysis/exploits-threat-analysis/

In addition recently we started this page to show MBAE in action against interesting exploits:

https://blog.malwarebytes.com/malwarebytes-anti-exploit-itw/

Finally, the Webinar and YouTube videos and channel referenced by Ron are also a good resource.

 

Link to post

  • 4 months later...

I finally found something that proved MBAE real-time. HitmanPro has a tool that can simulate many exploits. Well, it doesn't simulate, it actually carries out a list of exploit vectors. It doesn't do anything harmful, but the vector is what matters and should be intercepted. That tool actually gave me what I was looking for. It proved MBAE, and MBAE did very well. Alas, this issue is resolved and answered (in my view).

Link to post