Posted: Sun Oct 11, 2015 7:05 pm
Resident Geekazoid Administrator
I just installed this as an extra security layer to try out. There are free and paid versions. Especially if you still have JAVA installed you may want to take a look.
https://www.malwarebytes.org/antiexploit/

Free version covers:
1) Shields browsers and browser add-ons
(including Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera and others).

2) Shields Java.

Paid version adds:
1) Shields PDF readers
(including Adobe Reader, Adobe Acrobat, Foxit Reader).

2) Shields media players
(including Microsoft Windows Media Player, VideoLAN VLC Player, QuickTime Player, Winamp Player)

3) Ability to add/manage custom shields.

They DO offer links on the above page for tests and results. It seems to have topped the 'reverse' list put out by PC Security Labs and they offer what looks to be an 'in house' test with an independent resource doing the testing.

I have zero idea at this point as to how it actually works but suspect that it sets up isolated Sandboxie-type situations or, at least, uses something similar.

_________________
Free sites from jaylach.com
I NEVER forget... I just remember late.

Posted: Sun Oct 11, 2015 9:10 pm
welcoming committee
Hi Jay

No sandboxing at all. I don't use MBAE, but another product HitmanPro Alert, which I personally feel is better.

In terms of exploits

It has the following mitigations

Code Mitigations
1. Control-flow integrity: stops ROP attacks
2. IAT filtering, which prevents abuse of the import address table

and 5 others

Also Memory Mitigations

Enforce DEP
Mandatory ASLR
Null Page, which stops exploits that jump via page 0
and others.

Other protections include Process Protection, which prevents process hollowing (this is where the process is modified as it runs).

It also has some other neat types of protections. It protects a lot of processes by injecting a DLL into them, and learning what DLLs should be there, so if something is added it detects it.

Also protects against the crypto exploits effectively.

I've tested as many of these as I've been able to figure out how to test, and they are effective.

Anyway you are probably totally confused now.


Posted: Mon Oct 12, 2015 7:40 pm
Resident Geekazoid Administrator
I don't know about confused... ;)

I DO know that it is hard to really give an opinion about something like this as I have had zero exploitation attempts show in the log as of yet. Does this mean that Malwarebytes Anti-Exploit (MBAE from now on) is doing nothing? I doubt it. Since I practice pretty safe hex I figure it more likely that I just have not hit a nasty site. I DID run the supplied MBAE test code and it was detected by MBAE while not by MSE. According to reports I've seen, this test is also not seen by Norton, McAfee, Avast, etc. Does this mean that it is doing its job? Can't honestly say as I'm sure that the test code is designed to be detected.

PC Magazine gives a good review... sigh used to love that site but now you have to wade through ads.

I have seen where there were issues with Win 8.1 especially when also running MBAM Pro but these seem to be when MBAE was in beta.

While it is reported to work well with most AV software there are reported issues involved with Kaspersky AV.

There was an issue with Win 8.1 Update 1(???) and the ability to open IE11 and Office but this was back in April, 2014 and apparently has been fixed. I have not yet installed on 8.1 so cannot say anything for fact. I intend to install on both 8.1 and 10 within the next few days.

Task Manager shows it only using a touch over 4K of memory and effectively 0% of processor usage.

Posted: Tue Oct 13, 2015 10:26 am
welcoming committee
Hi Jay

Let me see if I can explain some more. I will use HMPA as my guide, as I originally compared both MBAE paid with HMPA, and HMPA is a much fuller featured piece of software.

That none of the AVs detected the test stuff from MBAE is no surprise. They aren't designed to do that. And it's especially not surprising with MSE. When I tested it against 5 pieces of malware it flunked all of them.

Anyway back to exploits. Let me give you the best analogy I've seen.

Country A wants to attack country B, so it sets up a missile launch site, brings in fuel, the missile, a warhead, assembles it all, and launches. Country B then attempts to intercept and stop the warhead. The warhead is the payload that Country B is attempting to stop. This is comparable to what AVs, sandboxes, anti-executable and similar software do. They are blocking the payload. But consider this. Before the missile is launched you have to assemble the launcher, bring in the rocket, mount the warhead and fuel the rocket. All this correlates to the exploit. So anti-exploit software is equivalent to destroying all that stuff before the rocket can get launched.

Jay, I can't say I've encountered an exploit either, but I have seen HMPA effectiveness against some of its other protections, and it stops stuff no AV can stop. I consider it well worth the price.

Pete

PS if you are interested in trying a full version of HMPA, I can probably get you a test license.


Posted: Tue Oct 13, 2015 11:46 am
Resident Geekazoid Administrator
Thanks for the license offer but not at this time. Mayhaps after I'm done playing with MBAE. Well I guess that you could send but I won't get to it right away. Actually what do you mean by 'test license'? Would I become a tester or do you mean a trial license?

It is definite that HMPA offers a wider range of protection as MBAE is designed strictly for exploits (zero day attacks).

Posted: Tue Oct 13, 2015 12:05 pm
welcoming committee
Basically just a license you don't have to buy. They would do it just for the exposure here. Let me know.

