# New Malwarebytes Anti-Exploit



## TheMailMan78 (Jun 24, 2014)

Still trying to figure out what exactly it does other than stop zero-day Java drive-bys. MSE or any free-to-download antivirus should have an .exe blocker that does the same thing. Malwarebytes seems to be becoming a tad bit redundant with "Install an antivirus, then install Malwarebytes, and then install this New Malwarebytes Anti-Exploit!" Really? I'm all about safe browsing habits and security, but this new program seems to be digging a hole in the ground just because it's got a shovel. Not because I need a hole.


Meh. What do you guys think?

https://www.malwarebytes.org/antiexploit/


----------



## Nordic (Jun 24, 2014)

I didn't read too much, but it sounds like it is probably a sandbox program.

I like malwarebytes but the paid version is pointless. It has no need to run automatically.


----------



## puma99dk| (Jun 24, 2014)

Another Malwarebytes product I will probably use in the near future at work ^^


----------



## Kursah (Jun 24, 2014)

I think it might be handy for larger sites, depending on the implementation but it should come with the Malwarebytes Premium instead of a different product imho. There's still a few hundred of the lifetime licenses to MBAM: https://www.malwarebytes.org/eureka/

I like some of the extra features, but they're not necessary to reap the benefits of Malwarebytes. Free is plenty good. This could be useful. I'd like to test it on a site with 20-100 workstations and see how it responds...those are the kinds of places where this could be useful imho... but if it's a resource hog, then pass. Our monitoring agent runs scans from Malwarebytes on all monitored workstations as it stands. This product will come under heavy fire if it slows the browsing experience down and lets things get by. It'll be annoying if it adds a toolbar or too many popups. It should have a server-side host that the client reports to...and maybe it does. I didn't read too far into it. For home use, the free version is probably plenty for many.

I may try it just so I can form an educated and experienced opinion about it at least...I'm curious to see how it does.


----------



## Mindweaver (Jun 24, 2014)

I've used it and it's not that bad, but it's not that great either. The whole update system is bad. If they update it then your internet browser won't work until you uninstall it. I've not used it in a few months and they may have resolved it...


----------



## 95Viper (Jun 24, 2014)

This looks to be the next direction... stopping drive-bys, exploits, etc.

You can gather a little more info here --> Introducing Malwarebytes Anti-Exploit

As you will notice, Malwarebytes has a version for home users and business.

Microsoft has the (basically) same for free... EMET (Enhanced Mitigation Experience Toolkit) and it is driven toward enterprise; however, home users can get benefit from it if they want.
Right now the EMET is at version 4.1 or you can try the tech preview of version 5.
And, there are pdf files on the use and setup of EMET.


Be aware that this type of software may break some installed software.


----------



## Steevo (Jun 24, 2014)

I believe that was the job of Avast and its sandbox mode, but it had a failure recently under testing and even with a password protection some malware was able to damage it and reboot a PC causing damage. Security is OS/400 or being unplugged from the internet with no external drives or inputs other than keyboard and mouse.


----------



## TheMailMan78 (Jun 25, 2014)

Well, I gave it a try and it seems to slow down my ability to load sites at their normal rate. A lil too much real-time scanning I guess. However, it is lightweight and easy to use. Just don't know how effective it is and not sure it's even worth the slowdown, so I uninstalled it. They should just add it to the normal Malwarebytes as an option IMO.



95Viper said:


> This looks to be the next direction... stopping drive-bys, exploits, etc.
> You can gather a little more info here --> Introducing Malwarebytes Anti-Exploit
> As you will notice Malwarebytes' has a version for home users and business.
> Microsoft has the (basically) same for free... EMET (Enhanced Mitigation Experience Toolkit) and it is driven toward enterprise; however, home users can get benefit from it if they want.
> ...




Might break installed software? Can you elaborate? I almost installed EMET a month ago but didn't see a need.


----------



## 95Viper (Jun 25, 2014)

TheMailMan78 said:


> Might break installed software? Can you elaborate? I almost installed EMET a month ago but didn't see a need.




Quote from MS site "The Enhanced Mitigation Experience Toolkit":



> *Are there restrictions as to the software that EMET can protect?*
> EMET can work together with any software, regardless of when it was written or by whom it was written. This includes software that is developed by Microsoft and software that is developed by other vendors. However, you should be aware that some software may not be compatible with EMET. For more information about compatibility, see the "Are there any risks in using EMET?" section.
> 
> *Are there any risks in using EMET?*
> The security mitigation technologies that EMET uses have an application-compatibility risk. Some applications rely on exactly the behavior that the mitigations block. It is important to thoroughly test EMET on all target computers by using test scenarios before you deploy EMET in a production environment. If you encounter a problem that affects a specific mitigation, you can individually enable and disable that specific mitigation. For more information, refer to the EMET user's guide.



Edit: If you download the EMET Guide pdf file it explains some of the caveats in sections 5.1 and 5.2.
Download --> EMET 4.0 User's Guide - Download Center - Microsoft



And, MBAE has it own growing pains, see here --> Known Issues & Conflicts


----------



## pbust (Jun 29, 2014)

Hi I'm pbust from Malwarebytes, in charge of the MBAE development team. Found this thread by searching around for references to MBAE. I wanted to jump in and clarify a few misconceptions and misinterpretations of what MBAE does and how it works.

First off for more info I really recommend reading the MBAE FAQs which can give a very good insight into the technology and product.

As for some of the comments:



TheMailMan78 said:


> Still trying to figure out what exactly it does other than stop zero-day Java drive-bys. MSE or any free-to-download antivirus should have an .exe blocker that does the same thing. Malwarebytes seems to be becoming a tad bit redundant with "Install an antivirus, then install Malwarebytes, and then install this New Malwarebytes Anti-Exploit!" Really? I'm all about safe browsing habits and security, but this new program seems to be digging a hole in the ground just because it's got a shovel. Not because I need a hole.


In addition to Java zero-days it also blocks browser zero-days, Flash zero-days, Silverlight zero-days, Acrobat Reader zero-days, Word zero-days and basically vulnerability exploits in a large number of other applications. Unlike traditional security solutions like antivirus and anti-malware that look at WHAT is infecting, MBAE looks at HOW it is infecting. This means it is proactive rather than reactive. It specializes in shielding running applications and monitoring their behavior (via API monitoring and application behavior) to determine if a shielded application (browser, pdf reader, office app, media player, etc.) is being attacked by a vulnerability exploit. Exploits are the most dangerous type of infection vectors nowadays as they do not require any user interaction like social engineering type of infection vectors. By simply visiting a site, even a very popular non-malicious site, one can be exposed to an exploit via an iframe redirector, a malicious flash advertisement or other means. Measures such as NoScript are not always a viable solution as sometimes the exploits are hosted in the same compromised website we are visiting.




james888 said:


> I didn't read too much, but it sounds like it is probably a sandbox program. I like malwarebytes but the paid version is pointless. It has no need to run automatically.


It is not a sandbox, it is not whitelisting and it is not blacklisting. It is basically behavior analysis of the shielded applications. More information here, here and here.




Kursah said:


> I think it might be handy for larger sites, depending on the implementation but it should come with the Malwarebytes Premium instead of a different product imho. There's still a few hundred of the lifetime licenses to MBAM: https://www.malwarebytes.org/eureka/


Please read this.




Kursah said:


> I like some of the extra features, but they're not necessary to reap the benefits of Malwarebytes. Free is plenty good. This could be useful. I'd like to test it on a site with 20-100 workstations and see how it responds...those are the kinds of places where this could be useful imho... but if it's a resource hog, then pass. Our monitoring agent runs scans from Malwarebytes on all monitored workstations as it stands. This product will come under heavy fire if it slows the browsing experience down and lets things get by. It'll be annoying if it adds a toolbar or too many popups. It should have a server-side host that the client reports to...and maybe it does. I didn't read too far into it. For home use, the free version is probably plenty for many.


It is not a resource hog at all. It takes less than 3MB in memory and since it does not use signature databases, only API and behavior monitoring, it is extremely light. Of course no toolbars are included with the installer. This is Malwarebytes after all, we hate toolbars and we love disinfecting them! As for the server-side, Malwarebytes Anti-Exploit for Business does come with a centralized management server that manages both Malwarebytes Anti-Malware (MBAM) and Malwarebytes Anti-Exploit (MBAE) under the same console.




Kursah said:


> I may try it just so I can form an educated and experienced opinion about it at least...I'm curious to see how it does.


We commissioned a test from renowned independent exploit researcher @Kafeine to verify that MBAE (Free version, mind you!) protects against all exploit kits in circulation in the wild. His test results can be seen at http://malware.dontneedcoffee.com/2014/06/mbae.html.




Mindweaver said:


> I've used it and it's not that bad, but it's not that great either. The whole update system is bad. If they update it then your internet browser won't work until you uninstall it. I've not used it in a few months and they may have resolved it...


I'm not sure what you mean by update... you mean install or install of a new version on top of a previous version? Since MBAE hooks into the application's process space (we inject mbae.dll/mbae64.dll into target processes) the injection/uninjection might cause a couple of seconds of the browser becoming unresponsive. But this is only in the case of initial installation. After that I guarantee that you won't ever feel it. It was designed to be install-and-forget.



95Viper said:


> Microsoft has the (basically) same for free... EMET (Enhanced Mitigation Experience Toolkit)


You can read about the differences between MBAE and EMET here.




TheMailMan78 said:


> Well, I gave it a try and it seems to slow down my ability to load sites at their normal rate. A lil too much real-time scanning I guess. However, it is lightweight and easy to use. Just don't know how effective it is and not sure it's even worth the slowdown, so I uninstalled it. They should just add it to the normal Malwarebytes as an option IMO.


Even though MBAE Free provides real-time protection for browsers, addons and Java, impact on system, browser load time and browsing time is very very negligible. If you find otherwise please do let me know as I'm here to help in case you run into any problems.
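A quick way for an administrator to confirm the injection pbust describes, written here as an added example rather than code from Malwarebytes: list which running processes currently have the MBAE shield DLL loaded. The DLL names mbae.dll and mbae64.dll are taken from the post above; the set of process names to inspect is an assumption and should be adjusted to the applications you actually shield.

```powershell
# Added example, not Malwarebytes' code. Reports whether the MBAE shield DLL
# (mbae.dll / mbae64.dll, names from pbust's post) is loaded into the listed processes.
function Get-MbaeShieldStatus {
    param(
        # Assumed candidate process names; adjust for your environment.
        [string[]]$ProcessNames = @('iexplore', 'firefox', 'chrome', 'java', 'javaw', 'AcroRd32', 'winword')
    )
    $shieldDlls = @('mbae.dll', 'mbae64.dll')

    foreach ($p in Get-Process | Where-Object { $ProcessNames -contains $_.ProcessName }) {
        try {
            # .Modules throws when the process cannot be opened (other user, higher
            # integrity level, or a 32/64-bit mismatch with this PowerShell host).
            $loaded = @($p.Modules | Where-Object { $shieldDlls -contains $_.ModuleName.ToLower() })
            [pscustomobject]@{
                Process  = $p.ProcessName
                PID      = $p.Id
                Shielded = ($loaded.Count -gt 0)
                Dll      = ($loaded | ForEach-Object { $_.FileName }) -join ';'
            }
        } catch {
            [pscustomobject]@{
                Process  = $p.ProcessName
                PID      = $p.Id
                Shielded = 'unknown'
                Dll      = "access denied: $($_.Exception.Message)"
            }
        }
    }
}

Get-MbaeShieldStatus | Format-Table -AutoSize
```

Run it from an elevated prompt matching the bitness of the browser you are checking; a "Shielded = False" row for a browser that MBAE claims to protect is the thing worth following up with the vendor's Known Issues list.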


----------



## 95Viper (Jun 29, 2014)

pbust said:


> You can read about the differences between MBAE and EMET here.



Thank you for the link and the read.



95Viper said:


> Microsoft has the (basically) same for free...



I knew of the differences; and, that is why I added the above word "(basically)" in a previous post.

Just a little FYI, in case you have not heard and wish to update your F.A.Q.... Version 5.X of EMET will have the ability to block Java exploits.
It does use multi-layer protection.
It will have a new GUI and be a lot easier to use.


You can read up on it here --> Announcing EMET 5.0 Technical Preview

And, here--> Windows EMET Tool Guards Against Java Exploits

Both products have something to offer and I just presented some info to the OP... it is their decision to use it or not.
As you will see going forth... both MBAE, EMET, (and, maybe others) will have competing products that go through growing pains and changes to attract an audience.
Some may even include Anti-Exploit capabilities in their Security Bundles.

Also, welcome to TPU.


----------



## techfreak (Jun 29, 2014)

I am not a fan of Malwarebytes myself; it does not really get rid of all your malware and can sometimes slow your computer up more than it did before you installed it.


----------



## Solaris17 (Jun 29, 2014)

A legitimate manufacturer response? well color me surprised.


----------



## RealNeil (Jun 29, 2014)

It's good that they care to reply at all. I use the free versions of Malwarebytes software already and Webroot Secure Anywhere for AV solution.


----------



## pbust (Jun 30, 2014)

Solaris17 said:


> A legitimate manufacturer response? well color me surprised.


Some of us dinosaurs still exist


----------



## pbust (Jun 30, 2014)

@TheMailMan78, responding to your PM here as the forum software will not allow me to respond via PM for some reason.

-----------
Thanks for the welcome and for your honest feedback.

The three criteria we used while designing Malwarebytes Anti-Exploit (MBAE) are that (1) it has pretty much no performance impact, (2) it is install and forget and (3) it provides enough protection for free.

Were you running the latest version 1.03.1.1220 when these slowdowns happened? We did have a few cases of conflicts with IE11 in one of the earlier betas, but that was fixed.

Also make sure you are not running any of the potential software that conflicts with MBAE. There is a post labeled "Known Issues & Conflicts" in our forum. There are not many but if you have one of them this could be the cause of the slowdown.
----------



95Viper said:


> Just a little FYI, in case you have not heard and wish to update your F.A.Q.... Version 5.X of EMET will have the ability to block Java exploits.


Thanks for the welcome also 
Please don't misinterpret my response to this. I am a great fan of EMET and applaud Microsoft for developing it. But it does not protect against Java exploits, it merely disables the Java plugin in the browser. This is OK if you don't need Java, in fact if you don't need it you should uninstall it altogether, but the fact is that many users still need it (online banking, games, etc.) and even more companies also rely on Java for their business applications.


----------



## RealNeil (Jun 30, 2014)

I saw a sale on Newegg earlier and bought my second Lifetime copy of MBAM for just $19.99. Good deal.
Got a few more to go, but this is one of the free versions that is worth paying for.


----------



## Mindweaver (Jun 30, 2014)

pbust said:


> I'm not sure what you mean by update... you mean install or install of a new version on top of a previous version? Since MBAE hooks into the application's process space (we inject mbae.dll/mbae64.dll into target processes) the injection/uninjection might cause a couple of seconds of the browser becoming unresponsive. But this is only in the case of initial installation. After that I guarantee that you won't ever feel it. It was designed to be install-and-forget.



Yea, whenever a new version was released, if I tried to open my browser it would tell me that Anti-Exploit needed to be updated before the browser loaded, with no simple solution to update it like a redirect to the site to update. I would have to uninstall it, then open my browser and navigate to the download page, but I was an early adopter and this issue has probably been resolved. This was the only thing I didn't like about it, but the software itself was fine. I've just been waiting for it to mature enough before I jumped back in.


----------



## pbust (Jun 30, 2014)

Ahh ok I know what you mean now. Those were the beta versions which included an expiration date to force users to upgrade to the latest beta versions.

We are since out of beta and MBAE doesn't do that anymore. Now both Free and Premium upgrade automatically and transparently to the latest version.


----------



## GLD (Jun 30, 2014)

pbust

Always nice to see a tech rep take the time to come on TPU in response to their wares. I am a fan of your work and have bought 4 copies of Malwarebytes. It works great for us. Thanks for the good work.


----------



## rtwjunkie (Jun 30, 2014)

@pbust, I just wanted to give a big thanks to you for appearing here to explain the use of this new product! I've always been a fan of MBAM (it's caught a few things), and tried MBAR for a while too. I love it when reps get involved in forums!


----------



## Ahhzz (Jun 30, 2014)

Always glad to see a tech rep involved in our forums. As an IT consultant, MBAM is one of the top three pieces of software we recommend for our clients. Not too sure about the new MABE, will have to see it in action. Also, one of the prime selling points for our clients has been the lifetime license for MBAM, so I'm not overly pleased with the new pricing model. Time will tell, I suppose, if it's worth it. Thanks for popping in, hoping to see you around a good bit.


----------



## pbust (Jul 1, 2014)

As for seeing it in action, there's a few things you can do:

1- Independent test of MBAE Free against Exploit Kits -> http://malware.dontneedcoffee.com/2014/06/mbae.html
2- Using our own Exploit-Tester -> https://forums.malwarebytes.org/ind...how-to-verify-that-mbae-is-working-correctly/
3- Recent video against RIG Exploit Kit dropping crypto ransomware -> 
4- Install Metasploit to test MBAE against many different exploits -> http://www.rapid7.com/products/metasploit/download.jsp


----------



## Arjai (Jul 1, 2014)

Thanks @pbust !!

I just downloaded MBAE, and have been a MBAM fan for years!! I still also use Glary, another great product. Both free!!!

Thanks a bunch for explaining MBAE from the inside. 

I for one truly appreciate you posting in our forum!!


----------



## Jetster (Jul 1, 2014)

One of the smartest things you can do is not use your Admin account to surf the web. Just use a limited user account and scripts won't exploit your admin privilege to install stuff.


----------



## fullinfusion (Jul 1, 2014)

Subbed


----------



## pbust (Jul 1, 2014)

Agreed @Jetster that using a Limited User Account (LUA) should be the first step in secure computing. But it is only a step, not a complete solution. With exploits the actual shellcode and payload still executes within your browser, and a LUA will only prompt for certain types of payload malicious actions, such as downloading and executing an EXE. Even then the bad guys know this and have some tricks like for example trying to launch the EXE 30 times until the user gets tired and clicks "Yes" on the UAC prompt. Most soccer-mom users won't last more than 2 or 3 UAC prompts before they click Yes. Also LUAs won't stop some memory-only or file-less exploit payloads which execute in memory or are able to open a reverse backdoor shell to the attacker.


----------

