
The anti-exploit module - How does it actually work?


Hi! This is not a question to criticize or to report any problems with the Malwarebytes 3 Anti-Exploit module... but in the documentation provided with Malwarebytes 3 there is nothing that details how the Anti-Exploit really works, what each of these exploit methods it protects against is, and how or what the AE does for each of these methods.

I trust that the Anti-Exploit works, but I am an IT student and even though it may be a bit of 'overkill' for me to be trying to know how it works while I'm only a mere graduate student, I still want to learn more about it, I'm very curious. I wonder if there is any document detailing these anti-exploit methods and how the software handles them?

Thanks!

Edited by axkazex93

Hi axkazex93,

The principle behind a lot of exploit mechanisms can be found in the user manual of EMET.
You can download it from

https://www.microsoft.com/en-us/download/details.aspx?id=50802

I hope this will help, if you have any questions, feel free to ask. I can't promise I can answer them though.

Regards,
Durew (not an IT student nor an IT professional)


Hello @axkazex93 and :welcome:

In a very simplistic explanation, the original Malwarebytes Anti-Exploit (MBAE) product has been modularized and married to MB3 as its AE Module. Many of the questions/answers within the original MBAE FAQ may provide some enlightenment. Please remember that MB3 and MBAE are proprietary products of the Malwarebytes Corporation and revealing trade secrets and code is never possible.

HTH


23 minutes ago, Aura said:

In addition to what was said above, you could always Google each protection mechanism offered by Anti-Exploit, and get a brief explanation of how it works. Though like 1PW stated, the "special recipe" belongs to Malwarebytes Corporation and won't be revealed publicly.

I don't believe that anyone has asked for a special recipe and yes, 1PW's reference to the FAQ actually explains how the protection works without disclosing trade secrets or code.

This link from the FAQ actually shows and explains the components of MBAE:

<TL;DR> (A picture of "Anti-Exploit Settings" is worth...)


In a nutshell, MBAE utilizes various memory protection schemes, some behavior protection and yes, by disabling certain program functions that are mainly utilized by malware.

</TL;DR>

While MS EMET does a pretty good job for application hardening and memory protection, it falls short in other areas that MBAE provides. Not to mention that updates for MBAE are much more frequent than for EMET. And yes, memory exploit schemes do change, maybe not as frequently as viruses/malware in general, but they do...

Edited by dont_touch_my_buffer
Spelling, that I could recognize...

Quote

I don't believe that anyone has asked for a special recipe and yes, 1PW's reference to the FAQ actually explains how the protection works without disclosing trade secrets or code.

I know, though I'm just mentioning it.

Also, the FAQ doesn't go in-depth, it just gives an overview. I would rather Google "DEP Enforcement" to have an overview of how that works rather than rely on the brief explanation given in the FAQ. The OP states that he would like the details of how Anti-Exploit works, hence why I suggested he Google the protection mechanism name and read more about it.


9 minutes ago, Aura said:

Also, the FAQ doesn't go in-depth, it just gives an overview. I would rather Google "DEP Enforcement" to have an overview of how that works rather than rely on the brief explanation given in the FAQ.

That's a double-edged sword...

People who didn't know how MBAE works asked the question and wanted a simple explanation. The FAQ is great for that. People who did know already used DDG to learn more about the actual stack/buffer overflow techniques... ;):D


Quote

but I am an IT student and even though it may be a bit of 'overkill' for me to be trying to know how it works while I'm only a mere graduate student, I still want to learn more about it, I'm very curious. I wonder if there is any document detailing these anti-exploit methods and how the software handles them?

But this is exactly what the OP is asking in this case here so ;)


Thanks everyone for the answers!
Yeah, I wasn't looking for any 'special recipe', just an overview of what these methods are, to understand a little bit of how all of this works, just the explanation, not the 'secret mechanisms' the anti-exploit uses to remediate them. I'm sorry if the post sounded like I was looking for something "shady".


I looked up each exploit method that MBAE protects against so that I could ask intelligent questions before writing the guide on it. Burying readers with information that is highly technical alienates more people than it aids. Google and Wikipedia are great resources for information. Sometimes they cover it completely, and sometimes they open the research door more. Either way, that's a good thing.
