pbust

Frequently Asked Questions

27 posts in this topic

ID: 1   Posted (edited)

1- What does Malwarebytes Anti-Exploit (MBAE) do exactly?

2- What is an exploit?

3- What is an Advanced Persistent Threat (APT)?

4- What are drive-by download attacks and targeted attacks?

5- Why are traditional security solutions not effective against exploit attacks?

6- Which vulnerability exploits does MBAE protect against?

7- Which applications are shielded by MBAE?

8- Can I also shield other types of browsers, PDF readers, email readers, and other programs?

9- What happens when MBAE detects an exploit attempt?

10- How do I know if MBAE is working correctly?

11- Are there any independent tests that show that MBAE works against real exploits?

12- Will MBAE upgrade itself automatically to newer versions?

13- How do I turn off auto-renewal after purchasing Malwarebytes Anti-Exploit Premium?

14- Does MBAE disinfect?

15- Will MBAE stop rogue antiviruses and ransomware?

16- Do you implement exploit attack signatures, run applications in a sandbox, or use application white-lists?

17- Do I have to train MBAE on normal application usage?

18- Why is MBAE not integrated into Malwarebytes Anti-Malware?

19- What techniques does MBAE use to detect and block exploits?

20- How is MBAE different from Enhanced Mitigation Experience Toolkit (EMET)?

21- What kind of information is sent to your servers?

22- Does MBAE protect Flash, Silverlight, Shockwave and other browser plugins? I don't see Shields for those in the MBAE interface.

23- When adding a custom shield for my email client, which profile should I use?

24- How do I protect programs running within Sandboxie?

25- How do I protect Metro apps under Windows 8/8.1?

26- The tests from wicar.org are not triggering

Edited by celee
fixed the broken links


What does Malwarebytes Anti-Exploit (MBAE) do exactly?
MBAE provides advanced security that combats the problem of exploit attacks against software vulnerabilities by effectively "shielding" popular applications and browsers. Why is this important? Mainly because organized cyber criminals have moved from simple infection techniques used by old viruses and worms to using sophisticated vulnerability exploit attacks to compromise victims without requiring any user interaction (i.e., users get infected by simply visiting a webpage or opening a PDF file).


What is an exploit?

From Wikipedia: “An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch, or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized).”

 

There are typically three stages involved in a typical vulnerability exploit attack:

  1. The exploit triggers a vulnerability through which the attacker is able to run shellcode to bypass the Operating System built-in protections such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
  2. The exploit shellcode then runs some special instructions called payload.
  3. The payload in turn executes a malicious action. Examples of malicious actions can be "download this EXE from the Internet and execute it" or other more advanced types of actions such as opening a reverse shell to the attacker without any EXE files involved. There have been some very stealthy malicious actions in the past, such as the FBI exploit of the Tor Browser Bundle in 2013, where the payload simply sent a call-back packet to the FBI's servers which included the exploited PC's MAC address, the Windows hostname and some other basic personally identifiable information.

Traditional antivirus and endpoint security solutions deal mostly with the payload's malicious action when there is an EXE involved. But the protection from exploits offered by traditional solutions starts taking a dive when the payload is something more advanced and/or in earlier stages of the exploit attack.


What is an Advanced Persistent Threat (APT)?

Advanced Persistent Threat (APT) refers to attacks perpetrated by organized groups such as nation states or corporate espionage initiatives which use sophisticated intrusion techniques. Such attacks normally rely on exploitation of known or unknown (i.e., new) zero-day vulnerabilities after luring targets to a drive-by download website or to open a maliciously crafted email attachment. Some examples of APTs are industrial & corporate cyber espionage, state-sponsored attacks which target government classified and private information, and organized cyber-crime which infects users with financial malware that siphons money from banks by making illegal transactions.


What are drive-by download attacks and targeted attacks?

Cyber criminals employ "exploit kits" to infect victims. These are specially configured servers whose only purpose is to infect victims using drive-by download attacks. The victim is lured into visiting a webpage (normally by sending spam or by injecting iframes into legitimate websites). Once the webpage loads it queries the browser and helper applications (Java, Flash, etc.) and automatically sends the victim the most appropriate exploit which executes malicious code (malware) on the victim's computer transparently and without requiring any user interaction. These attacks are mostly used to infect users with banking and identity theft trojans, rogue antivirus, and botnet malware. These types of infection vectors often use server-side polymorphism (the ability to change its "appearance" to escape detection), which makes the malware mostly undetectable by traditional antivirus signatures.

 

Targeted attacks consist typically of specially crafted malicious documents (PDF, DOC, XLS, PPT, AVI, WMV, etc.) which, when opened with the vulnerable host application (Acrobat Reader, Microsoft Office, Windows Media Player, etc.), are able to automatically and transparently execute malicious code. These attacks are used mostly to infect companies and governments but are also used frequently to infect home users with financially-driven malware that steals money from people's bank accounts.


Why are traditional security solutions not effective against exploit attacks?

Because of the complexity and polymorphism of these attacks there are very few solutions available in the market to tackle these types of problems. Most existing solutions fall short because they were either designed to be reactive, rely on advance knowledge of the behavior, or are simply too complex for end users to use:

  • Blacklisting security applications such as antivirus signatures, web filtering, intrusion detection, and other such technologies require previous knowledge of the malicious code or attack and are not effective enough to protect against newer attacks launched by cyber criminals.
  • Generic techniques like static emulation heuristics and run-time behavioral analysis are built upon previous knowledge of malware family traits or features which cyber criminals have become experts in evading.
  • Newer techniques on the market such as advanced HIPS, white-listing or anti-exe and sandboxing, while more effective, are complex to set up by non-technical users, require a very high degree of maintenance or rely too much on the end user to make the correct decision when presented with detection options. In short, they are not install-and-forget.


Which vulnerability exploits does MBAE protect against?

There are many different types of vulnerabilities which can be exploited in different ways, from local to remote, from simple information disclosure through directory traversals, privilege escalation, cross-site scripting to complete system compromise via arbitrary code execution. MBAE protects against the most dangerous types of exploits, the ones that result in complete system compromise by running arbitrary malicious code and which are normally used by cyber criminals to infect users with financial-driven malware, botnet infections, or corporate espionage malware. MBAE focuses on protecting popular applications against attacks which result in system compromise by executing malicious code. MBAE will not protect against exploits which take advantage of insufficient or incorrect configuration or information disclosures, XSS, SQL injection, etc.


Which applications are shielded by MBAE?

The following list shows the current applications being shielded by MBAE by default. This list can change over time as we develop, test, and implement new shields.

 

MBAE Free, Premium and For Business:

  • Internet Explorer (and add-ons)
  • Google Chrome (and add-ons)
  • Mozilla Firefox (and add-ons)
  • Opera (and add-ons)
  • Java

MBAE Premium and For Business:

  • Microsoft Word
  • Microsoft Excel
  • Microsoft PowerPoint
  • Adobe Reader
  • Adobe Acrobat
  • Foxit Reader
  • Foxit Phantom
  • Windows Media Player
  • VideoLAN VLC Player
  • QuickTime Player
  • Winamp Player

 

Custom shields can be created in MBAE Premium and For Business for any number of third-party or legacy applications. It is suggested to do so for Internet-facing applications and not for Operating System components.


Can I also shield other types of browsers, PDF readers, email readers, and other programs?

Yes, users of the Premium and For Business versions of Malwarebytes Anti-Exploit can add custom shields. Typically custom shields should be added for Internet-facing applications. When adding custom shields the application to be protected needs to be classified under a "profile". The profile tells Malwarebytes Anti-Exploit how to adapt its exploit mitigation techniques to the newly protected application. It is important that the correct profile is applied. Current profiles are "browser", "pdfreader", "office" and "mediaplayer". If the application to be shielded does not belong to any of these profiles it should be created using the "other" profile.


What happens when MBAE detects an exploit attempt?

When MBAE detects a shielded application being exploited it automatically stops the malicious code from executing. Once the malicious code is stopped, it will close the attacked application. We do this for stability as an attacked application might not function properly after experiencing a vulnerability exploit attempt.

 

There are no special actions required by the user upon an exploit attempt blocked by MBAE. When MBAE detects an exploit attempt and kills the attacked application, it has prevented the infection and there are no additional steps required by the user.

 

If you would like additional information about the attack please post your MBAE logs in this forum and a moderator will be able to assist you in getting details about the attack.


How do I know if MBAE is working correctly?

There is a test application (Exploit-Test) that is available to verify that an installation of MBAE is working correctly. The test application simulates two methods of running the Windows calculator: a non-exploit and an exploit-like method. The following post also includes guidance on how to manually verify that MBAE is protecting individual applications. The mbae-test.exe utility and instructions are available for download from here.


Are there any independent tests that show that MBAE works against real exploits?

Malwarebytes contracted the help of Kafeine, a world-renowned Exploit Kit researcher, to pit MBAE against all the Exploit Kits he could find in the wild. The instructions were simple: with only MBAE as protection, visit as many Exploit Kits as you can and try to get infected. Kafeine tested MBAE Free for about 2 months and was not able to infect any of his machines during the test. The details of the test results can be found at http://malware.dontn...14/06/mbae.html.


Will MBAE upgrade itself automatically to newer versions?

Yes, Malwarebytes Anti-Exploit Free and Premium will automatically upgrade to newer versions as they are released.

 

Malwarebytes Anti-Exploit for Business also includes auto-upgrades, although they are not enabled by default. There are multiple ways to upgrade the Anti-Exploit for Business client on the endpoints:

 

1- Enabling auto-upgrades from the Management Console Policy configuration.

2- By upgrading the Management Server and re-deploying (instructions here)

3- Individually by running the updated installer manually over the top of the existing endpoint client.

4- Across the network like (3) but by using a third-party endpoint management platform (SCCM, Tanium, etc.) to execute the updated installer over the top (can be done with silent switches).


How do I turn off auto-renewal after purchasing Malwarebytes Anti-Exploit Premium?

Upon purchase of MBAE Premium you will receive a confirmation email with your download link, the ID and KEY that need to be entered into MBAE to unlock Premium, and some additional information. In the confirmation email there is a link in an orange box labeled "Cancel your subscription to Malwarebytes Anti-Exploit Premium". Clicking that link will take you to a page where you need to confirm your wish to cancel the subscription. Once you confirm, your subscription will be cancelled. For additional protection consider using PayPal to purchase goods and services over the Internet.


Does MBAE disinfect?

Unlike traditional antivirus and security products, MBAE does not need to disinfect as it prevents vulnerability-driven infections in the first place. When MBAE blocks a vulnerability exploit attack, the exploit is stopped in its tracks and the malware is prevented from running and infecting the machine. MBAE does not need to scan your hard drive in search of malware. MBAE is a real-time only permanent protection against vulnerability exploits and malware execution. For disinfecting malware from a machine we recommend running Malwarebytes Anti-Malware Free.


Will MBAE stop rogue antiviruses and ransomware?

There are two types of attacks when it comes to rogue antivirus and ransomware campaigns. In the first type of attack, using social engineering to fool users, a webpage simulating an antivirus scan is shown and the user is prompted to download and install the solution to the problem (which is the malicious or rogue antivirus). In the second, more advanced and dangerous type of attack, the user is lured into visiting a malicious webpage which exploits one or multiple vulnerabilities to automatically and transparently run the rogue antivirus or ransomware on the target system without any user interaction. In the first type of attack we recommend running Malwarebytes Anti-Malware Premium as it provides the best and most timely protection against ransomware. The second type of attack will be blocked by MBAE as it does rely on exploiting software vulnerabilities to run automatically and transparently without user interaction.


Do you implement exploit attack signatures, run applications in a sandbox, or use application white-lists?

No, no and no. Our protection approach is completely proactive and does not rely on attack signatures or network intrusion detection signatures (i.e. blacklists). Applications run as they normally would without any impediment, such as those posed by sandboxing (a technique used by anti-virus software to test suspected malicious code) or other similar approaches. The protection offered by MBAE is completely install-and-forget, does not interfere with the user, and does not require maintenance of any white-lists.


Do I have to train MBAE on normal application usage?

No, MBAE is not a Host Intrusion Prevention System (HIPS), a behavioral analysis or white-listing solution. It does not require users to configure any settings, train applications on normal usage, or determine sandbox directories or file recovery options. It is truly a completely transparent install-and-forget anti-exploit solution.


Why is MBAE not integrated into MBAM?

Malwarebytes has always taken the approach of providing complementary products to existing solutions, especially for features that are typically lacking in traditional antivirus and security solutions. In the case of MBAM it is detection and disinfection of zero-day malware. In the case of MBAE it is detection and blocking of zero-day exploits. Both these areas are notably lacking in the typical Symantec/McAfee/TrendMicro/etc. offerings and this is why Malwarebytes is so awesome. But at the same time the Malwarebytes approach is a layered approach, i.e. if you want to increase protection against zero-day malware, install MBAM. If you want to increase protection against zero-day exploits, install MBAE. Some people (especially in corporate environments) might prefer (or are required) to keep their McAfee and just need/want MBAE and not MBAM. In addition MBAM just had a major program update and MBAE was just introduced. Both are the result of very long development and beta processes. Trying to mold them together quickly into a single piece would have resulted in a mess, given the amount of time involved and the complexity. Maybe one day they'll be one, but not now.


What techniques does MBAE use to detect and block exploits?

MBAE incorporates multiple exploit detection and blocking techniques at different stages of the typical exploit attack to provide a truly complete solution against all types of current and future exploits.

  • Layer 0: Application Hardening
    Collection of techniques to make applications more resilient against vulnerability exploits, even if those applications are not up-to-date with the latest patches.
  • Layer 1: Protection Against Operating System Security Bypasses
    This is the first and foremost protection against exploits. It consists of multiple advanced memory protection techniques to detect exploit attempts which try to bypass the built-in Operating System protections such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
  • Layer 2: Memory Caller Protection
    This protection layer incorporates multiple memory techniques to prevent exploit code from executing from memory.
  • Layer 3: Application Behavior Protection
    This protection layer is the last defense against exploit attempts. In case an exploit is able to bypass all memory protections and/or uses sandbox escape techniques such as those typically used in Acrobat Reader and Java exploits, this layer prevents the exploit payload from executing its malicious actions on the protected system.


How is MBAE different from Enhanced Mitigation Experience Toolkit (EMET)?

EMET is a great tool for enforcing operating system protections. These protections are applied to third-party applications and also incorporate some additional protection techniques. However, there are a few areas where MBAE improves on the protection offered by EMET:

  • Some exploit mitigation techniques are similar to EMET, some are different and some are unique to MBAE.
  • If an exploit manages to bypass EMET's memory protections, the computer will be compromised. MBAE incorporates a Layer 3 Application Behavior protection which prevents compromise even in the case where memory protections have been bypassed.
  • Due to the above, MBAE protects against Java exploits whereas EMET does not. Although EMET has Attack Surface Reduction (ASR), this is basically disabling Java, not actually blocking Java exploits. Also ASR applies only to Microsoft products, so Firefox, Chrome, etc. would not be protected by EMET, but they are with MBAE. Customers that need or rely on Java are not protected by EMET.
  • The exploit mitigation techniques of MBAE are fine-tuned to the application profile in order to improve compatibility with third-party applications and to reduce conflicts and false positives.
  • MBAE provides much more detailed information about exploit attacks, such as the malicious process that the exploit was trying to execute, the URL where the payload malicious file is coming from, etc.
  • MBAE comes pre-configured to protect popular applications such as Firefox, Chrome, etc. whereas EMET needs to be configured manually to protect some popular non-Microsoft applications.
  • Adding protection to a new application is extremely easy in MBAE whereas it is extremely difficult in EMET. Users have to have some advanced knowledge of vulnerabilities and exploits in order to configure EMET to protect new applications.
  • MBAE is extremely easy to use. It is truly install-and-forget.


What kind of information is sent to your servers?

We do not send any private information to our servers from the MBAE client, only some basic system information such as, for example, installations, operating system (OS) version, and language. As of version 1.04 we also send some telemetry on blocked exploit attacks.


Does MBAE protect Flash, Silverlight, Shockwave and other browser plugins? I don't see Shields for those in the MBAE interface

Yes, MBAE automatically protects all browser plugins without requiring any additional configuration by the user. The plugins don't show up in the MBAE interface because they run within the process space of the browser. But they are all automatically protected by MBAE.

 

The only exception is FlashPlayer which runs as its own process under Firefox (firefox.exe -> plugin-container.exe -> FlashPlayer*.exe). In this case MBAE automatically protects both plugin-container.exe as well as any FlashPlayer*.exe sub-process of Firefox even if it only shows "Firefox is now protected" in the MBAE interface. To verify this, technically inclined users can use the DLL injection verification method.

 

In short, all browser plugins are automatically protected by MBAE and there are no additional tasks necessary by the user to configure MBAE.


When adding a custom shield for my email client, which profile should I use?

There are many different email clients and each behaves differently. The recommendation is to first start using the "browser" profile. If this profile exhibits any symptoms of problems or conflicts with your email client, then delete the custom shield and re-create it using the "other" profile.


ID: 25   Posted (edited)

How do I protect programs running within Sandboxie?

According to reports from multiple users, Sandboxie can be configured to allow MBAE to protect applications running within Sandboxie.

 

Under 32bit Operating Systems -> Use Sandboxie 3.76

Under 64bit Operating Systems -> Use Sandboxie 4.x

 

In order to enable this workaround users must manually edit the C:\Windows\Sandboxie.ini file with the following entries and reload the configuration.
Once the Sandboxie.ini is open (notepad works fine for this) add "Template=MBAE" to the Global Settings found at the top.

 

Example

[GlobalSettings]
Template=MBAE

Then scroll down to the bottom of the Sandboxie.ini and append this template.

[Template_MBAE]
Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
OpenIpcPath=$:mbae-svc.exe
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll

Once the changes have been added, save the file and open Sandboxie Control. Select the menu option 'Configure' then 'Reload Configuration'.

MBAE should now be able to protect applications contained within Sandboxie.
 

Hat-tip to btmp aka syrinx for his great work and thorough tests to come up with this excellent guidance for running MBAE alongside Sandboxie.

Edited by pbust
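As an added example (not code from the post, from Malwarebytes or from Sandboxie), the script below applies the two manual edits above to a Sandboxie.ini without duplicating them on a second run: it puts Template=MBAE under [GlobalSettings] and appends the [Template_MBAE] block from the post only when they are missing. It assumes the file is UTF-16 text and takes the path as an argument.

```python
"""Merge the MBAE template into Sandboxie.ini (added example, not official code)."""
import sys
from pathlib import Path

GLOBAL_HEADER = "[GlobalSettings]"
TEMPLATE_REF = "Template=MBAE"
TEMPLATE_HEADER = "[Template_MBAE]"

# The template block copied from the forum post above; paths are as printed there.
TEMPLATE_BLOCK = r"""[Template_MBAE]
Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
OpenIpcPath=$:mbae-svc.exe
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
"""


def _is_section(line: str, header: str) -> bool:
    """Section headers in Sandboxie.ini are case-insensitive."""
    return line.strip().lower() == header.lower()


def merge_mbae_template(ini_text: str) -> str:
    """Return ini_text with both MBAE edits applied, each only if absent.

    Sandboxie.ini repeats keys (several OpenIpcPath= lines), so configparser
    would lose data; the file is processed line by line and every existing
    line is preserved verbatim.
    """
    lines = ini_text.splitlines()
    has_global = any(_is_section(l, GLOBAL_HEADER) for l in lines)
    has_template = any(_is_section(l, TEMPLATE_HEADER) for l in lines)

    # Pass 1: is Template=MBAE already inside [GlobalSettings]?
    ref_present, section = False, None
    for line in lines:
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s.lower()
        elif section == GLOBAL_HEADER.lower() and s.lower() == TEMPLATE_REF.lower():
            ref_present = True

    # Pass 2: rebuild, inserting the reference directly under the header.
    out = []
    if not has_global:
        out += [GLOBAL_HEADER, TEMPLATE_REF, ""]
        ref_present = True
    for line in lines:
        out.append(line)
        if not ref_present and _is_section(line, GLOBAL_HEADER):
            out.append(TEMPLATE_REF)
            ref_present = True
    if not has_template:
        if out and out[-1].strip():
            out.append("")          # blank line before the appended section
        out.extend(TEMPLATE_BLOCK.splitlines())
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    path = Path(sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\Sandboxie.ini")
    # Assumption: Sandboxie.ini is UTF-16 text; keep whatever encoding is on disk.
    path.with_suffix(".ini.bak").write_bytes(path.read_bytes())   # backup first
    path.write_text(merge_mbae_template(path.read_text(encoding="utf-16")),
                    encoding="utf-16")
    print(f"updated {path}; reload the configuration from Sandboxie Control")
```

After running it, use Configure > Reload Configuration in Sandboxie Control as the post describes.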
