mbae-test tool


lock


1 hour ago, exile360 said:

I honestly don't know how the Malwarebytes exploit test works, but it is my understanding that it does actually replicate exploit behavior to test exploit detection

With all due respect, if you do not know how the Malwarebytes exploit test works, based on what do you assume that it actually replicates exploit behavior?

As I said (and inquired several times on this forum), mbae-test.exe is not detected by anybody else as an exploit (I tested with at least 5 security solutions), so clearly it is just an innocent file with the signature added to mimic detection.

Edited by lock

As I said, I don't know the specifics as it was outside my purview when I was employed by Malwarebytes, but if you don't trust the test then you can test using the HitmanPro.Alert test tool.  It contains several tests that do replicate exploit behavior so you can see for yourself how the Exploit Protection in Malwarebytes deals with it.


@lock curious, what security vendors did you test? I just tested with Sophos and triggered a block instantly.

I don't have the technical expertise to speak to the intricacies of how our Exploit Protection module works, but I do know that it is not signature based, and so your claim that we have simply added our test tool's signature to our protection database is just not true. (Attached screenshot: Screen Shot 2018-08-21 at 9.46.51 AM.png)

Edited by dcollins

Sophos Home detected the exploit as "Malwarebytes Anti-Exploit - Exploit test"; that means the test is not detected as a generic exploit but rather based on a specific signature added by Sophos.

 

Just tested with Vipre and ZERO reaction!

Edited by lock

1 hour ago, lock said:

Tested also on ESET and ZERO reaction again.

Yeah, I used to use ESET. They claim to have exploit protection in their product, but I've honestly never seen it detect one. In fact, most vendors still appear to rely primarily on signatures, though most have at least migrated to a more heuristics/pattern-based approach (something Malwarebytes was into from the very beginning; in fact it is why it was created, due to polymorphic rogues and Trojans that couldn't be nailed down using the traditional hashing-based methods still commonly in use across the AV industry at the time).

If you look at the modules that have been added to Malwarebytes over the years, you'll likely notice a pattern: they've been getting further and further away from traditional signature detection methods and rely more and more on behavior-based and signature-less approaches to threat and breach detection, to stop malware earlier in the attack chain. That is invaluable these days, since most threats are polymorphic and many don't even use files/binaries any more, so traditional detection methods are useless against them. Even PUPs are often employing rootkits these days, as well as polymorphism, to try to escape detection.


1 hour ago, lock said:

Tested also on ESET and ZERO reaction again.

Your original argument is listed below:

Quote

mbae-test.exe  is not detected by anybody else as an exploit

We have proven that to be false by showing at least one competitor who does in fact detect the exploit. It's hard for us to say why other companies don't detect it since we don't have access to their code. You could go ask their developers though.

Edited by dcollins

19 minutes ago, dcollins said:

We have proven that to be false by showing at least one competitor who does in fact detect the exploit

When on VirusTotal "one competitor" detects something and the other 75 do NOT, we do not assume that the "one competitor" is right and the rest of them wrong. We simply classify the item as an FP and do not go and ask the other 75 why they did not detect it.

21 minutes ago, dcollins said:

You could go ask their developers though

In fact I did ask ESET some time ago, and the answer was: mbae-test.exe is not an exploit and doesn't behave like an exploit; that's why it is not detected.


  • Staff

MBAE-TEST.EXE simulates exploit behavior like executing from the Heap, ROP gadgets, etc., but it is not weaponized and instead simply pops open the Windows Calculator. But it does trigger exploit behavior to see if the installed protection has real exploit mitigations in place or not.

The reason that most AVs don't detect MBAE-TEST.EXE is because either (a) they don't want to detect it with signatures as it would make it obvious that they don't have any modern exploit mitigation technology in their product, or (b) they don't have any modern exploit mitigation technology in their products. So yeah, you guessed it, the reality is that most AVs don't have effective and signature-less exploit protection. Sophos' detection is based on their acquisition of SurfRight's HitmanPro.Alert technology, which is similar to Malwarebytes Anti-Exploit technology which does not rely on any signatures.

Re: the AMTSO PUP crapware, we'll add detection for it to avoid other users questioning whether we have PUP protection in our products or not. But given the irrelevance of AMTSO as an organization, and the fact that their President is the owner of AppEsteem, a certification body whose business model is to certify PUPs in exchange for money, I wouldn't pay much attention to it.

 


Did you configure it to execute the exploit through a protected process such as the option it has to use Internet Explorer instead of Calculator?  If not, then that would be why since the Exploit Protection in Malwarebytes primarily shields web facing applications like browsers and commonly exploited processes like media players and office software (though there are some exceptions such as some of the kernel shielding components and generic process/system hardening components).

When I ran the test I got detections for all but a few of the tests in the HitmanPro.Alert tool with Malwarebytes (I even reported my findings to Pedro as I thought he might find it useful).

I'll perform the test again later on today after I've finished with my work and will report my findings here.


  • Staff
8 hours ago, lock said:

I downloaded hmpalert-test.exe  from Sophos to test antiexploit capabilities of MBAM and I did not get any reaction. 

http://dl.surfright.nl/hmpalert64-test.exe

Do you care to explain why?

Because by default MBAE shields certain popular apps (browsers, office, java, pdfreaders, etc.). You need to add hmpalert64-test.exe as a custom shield so it gets protected by MBAE before running the test.

 


4 hours ago, pbust said:

You need to add hmpalert64-test.exe as a custom shield so it gets protected by MBAE before running the test.

Yes, but I  added iexplorer.exe in hmpalert64-test.exe and I got only 1 alert from all the tests, with IE open.

