Author Topic: Can ExploitShield browser version be used next to avast resident av?  (Read 66269 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #120 on: June 20, 2013, 01:56:18 PM »
Hi craigb,

Yes, that is also what I assume, that they wanted a wide-scale beta test and then incorporate it in their MBAM Pro flagship.
Well as long as it is available I use it. The crashes of the very early days have now subsided, so it is getting more and more stable...
This was what was quarantined through my earlier beta version:

awt.dll_20130314-150605.zvl & awt.dll_20130314-150842.zvl & swt-win32-3740.dll_20130129-173409.zvl.

swt-win32-3740.dll_20130129-173409.zvl could not be a threat, but the action might be based on unexpected activity or was user-generated activity...
for awt.dll see: http://www.processlibrary.com/directory/files/awt/80697/ (it was a Java-initiated process that was stopped in its tracks)

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #121 on: June 20, 2013, 02:15:00 PM »
We'll just have to wait and see/hope ;)

Thanks for replying Polonus :)

Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7170
  • When you think you know, Think Again
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #122 on: June 20, 2013, 08:48:47 PM »
I've been using/testing the 'corporate edition' (this edition has many more shielded programs, not just the browser).
I'm not sure how this edition figures into the Malwarebytes Anti-Exploit development. I have made inquiries, no response as yet. :)

Edit: My answer.

Quote
Re: Malwarebytes Acquires ZeroVulnerabilityLabs
Postby ROCKNROLLKID » Thu Jun 20, 2013 12:01 pm
Currently, there is only one edition and it has all the same features of free and corporate combined. Sorry I missed that part. Once stable versions are released, it will be like MBAM pro and have different editions to it.
« Last Edit: June 20, 2013, 10:06:21 PM by schmidthouse »

Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7170
  • When you think you know, Think Again
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #124 on: June 20, 2013, 09:51:26 PM »
Hi folks,
 
It seems it is no FUD and snake oil, as it has now been acquired and incorporated by MBAM.
The new beta can be downloaded here: http://downloads.malwarebytes.org/file/mbae_beta

polonus

Well, I've liked 'Z' right from the beginning, and it did its job! 8)
After using this little program for many, many months it's good to see its capability confirmed. ;D ;D ;D

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #125 on: June 20, 2013, 11:19:56 PM »
Yes, schmidthouse, we are users of the first hour (after you came introducing it here).

Analysis Report for mbae.exe: http://anubis.iseclab.org/?action=result&task_id=1e7f68e540ccf0fb4c1a666eac9683ed4&format=html
and for mbaeLoader32.exe: http://anubis.iseclab.org/?action=result&task_id=1bf8cf4c133eea864e546a2e436f5bf86&format=html
Analysis Report for mbae.dll: http://anubis.iseclab.org/?action=result&task_id=11e7403b4a6c46644998e1b86169933d6&format=html

Some characteristics found in the last mentioned analysis -
Program Output: Renaming input file to .\d1.tmp.dll (see further down; attack code also found from Aimbot hack)
found dll entry point at 0x1000eaa0 (single entry point is the main() function)
Dll is not a BHO
Invoking regsvr32
calling DllMain
This is clever, and we need to evaluate it using http://www.nirsoft.net/utils/dll_export_viewer.html
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ItemData 0x5eab304f957a49896a006c1c31154015 is shared with something like Buster Sandbox Analyzer code...
Processes Created: Executable Command Line C:\WINDOWS\system32\regsvr32.exe regsvr32.exe /c /s, also found in bot code (AIMBOT)
Control Communication Control Code 0x00090028 as used in the NtTrace API is provided by ntdll.dll, and not very well documented (clever choice)
camouflage code, attack code found from Aimbot hack: Command Line: ...regsvr32.exe /c /s .\d1.tmp.dll

polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #126 on: June 22, 2013, 01:12:25 AM »
What is also remarkable about the loader is the Windows SEH exception: Exception 0xc0000135 at 0x7c96478e is an unknown target exception (also an anti-analysis measure against Anubis analysis, for example). Execution is suspended because the executable is somewhere else... it requires the execution of code outside the normal flow of control.
Software-enforced DEP does not protect against execution of code in data pages, but instead counters SEH overwrite, another type of attack. This contrasts structured exception handling with standard C++ exception handling and comes in from the game developer experience that the developers of Exploit Shield possess from their background; all sorts of protection and tricks from the game developer arena were brought into this protection tool. MBAM base must be glad they have acquired that expertise now as well... this is alpha-grade code..
Quote
SEH is fast, but SEH depends on (a new small) API functions and specialized code. Deallocation code (including its logic) has to be written once per instance. SEH must remain tied to structured programming (that is why the name). SEH is not portable across platforms. Another minus from a security point of view is that SEH uses only an unsigned int value; its value might conflict with exceptions defined by other code.

(above evaluation quotes on SEH were taken from info provided and posted by "null-pointer" via gamedev.net)....

A further read on another implementation, libseh, to be found here: http://www.programmingunlimited.net/siteexec/content.cgi?page=libseh (link article author = Tom Bramer)

polonus
« Last Edit: June 22, 2013, 01:51:40 AM by polonus »
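The two posts above (Reply #125 with the Anubis report fragments, Reply #126 with the loader's SEH exception) hand a reader three raw observations: a regsvr32 /c /s invocation on a renamed .tmp.dll, a hash rule written under the Safer\CodeIdentifiers policy key, and an exception code 0xc0000135. The script below is an added example, not part of the thread and not Anubis or Malwarebytes code, that turns such report lines into triage findings: it flags silent or relative-path regsvr32 loads, names the SAFER security level of the hash rule (the 0 subkey is the Disallowed level), and decodes the NTSTATUS exception code by severity bits and a small table of well-known values, under which 0xC0000135 is STATUS_DLL_NOT_FOUND, a load failure rather than a fault in running code. The "Processes Created:", "Registry Values Set:" and "Exception ... at ..." line formats, the sample report and all function names are constructed for this example; the registry path, GUID and hash value are copied from the report lines quoted in the thread.

```python
"""Triage sandbox-report lines of the kind quoted in the thread (added example)."""
import re
from pathlib import PureWindowsPath

# Constructed sample report: line formats modelled loosely on the Anubis
# fragments in the thread, values copied from them plus two benign decoys.
SAMPLE_REPORT = """\
Processes Created: Executable Command Line C:\\WINDOWS\\system32\\regsvr32.exe regsvr32.exe /c /s .\\d1.tmp.dll
Processes Created: Executable Command Line C:\\WINDOWS\\system32\\notepad.exe notepad.exe readme.txt
Registry Values Set: HKLM\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0\\Hashes\\{349d35ab-37b5-462f-9b89-edd5fbde1328} ItemData 0x5eab304f957a49896a006c1c31154015
Exception 0xc0000135 at 0x7c96478e
Exception 0xc0000005 at 0x00401000
"""

PROC_RE = re.compile(r"^Processes Created: Executable Command Line (?P<exe>\S+) (?P<cmd>.+)$")
EXC_RE = re.compile(r"^Exception (?P<code>0x[0-9a-fA-F]{8}) at (?P<addr>0x[0-9a-fA-F]+)$")
SAFER_RE = re.compile(r"Safer\\CodeIdentifiers\\(?P<level>[0-9a-fA-F]+)\\Hashes\\(?P<guid>\{[^}]+\})", re.IGNORECASE)

# Well-known NTSTATUS values (Windows ntstatus.h); extend as needed.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0x80000003: "STATUS_BREAKPOINT",
}
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}
# Software Restriction Policies security levels, keyed by the CodeIdentifiers subkey.
SAFER_LEVELS = {0x0: "Disallowed", 0x1000: "Untrusted", 0x10000: "Constrained",
                0x20000: "Normal User", 0x40000: "Unrestricted"}


def decode_ntstatus(code: int) -> dict:
    """Split an NTSTATUS into severity (bits 31-30), customer flag (bit 29) and a name.
    The customer bit is how non-Microsoft code avoids the value clashes the quoted
    gamedev text complains about."""
    return {
        "code": f"0x{code:08X}",
        "severity": SEVERITY[(code >> 30) & 0x3],
        "customer": bool(code & (1 << 29)),
        "name": NTSTATUS_NAMES.get(code, "UNKNOWN"),
    }


def check_regsvr32(exe: str, cmd: str):
    """Return the reasons a regsvr32 command line looks unusual ([] if none),
    or None when the executable is not regsvr32 at all."""
    if PureWindowsPath(exe).name.lower() != "regsvr32.exe":
        return None
    tokens = cmd.split()
    reasons = []
    if any(t.lower() == "/s" for t in tokens):
        reasons.append("silent registration (/s)")
    for tok in tokens:
        if not tok.lower().endswith(".dll"):
            continue
        module = PureWindowsPath(tok)
        if not module.is_absolute():
            reasons.append(f"relative module path: {tok}")
        if ".tmp" in module.name.lower():
            reasons.append(f"temporary-looking module name: {module.name}")
    return reasons


def triage(report: str) -> list:
    """Walk the report line by line and collect findings in report order."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        if m := PROC_RE.match(line):
            reasons = check_regsvr32(m["exe"], m["cmd"])
            if reasons:
                findings.append({"kind": "regsvr32", "line": line, "detail": {"reasons": reasons}})
        elif m := SAFER_RE.search(line):
            level = int(m["level"], 16)
            findings.append({"kind": "safer_hash_rule", "line": line,
                             "detail": {"guid": m["guid"],
                                        "level": SAFER_LEVELS.get(level, f"0x{level:X}")}})
        elif m := EXC_RE.match(line):
            findings.append({"kind": "exception", "line": line,
                             "detail": decode_ntstatus(int(m["code"], 16))})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding["kind"], finding["detail"])
```

Run it on a saved report (`triage(open("report.txt").read())`) and read the findings as prompts for manual review, not verdicts: a regsvr32 /s load of a relative .tmp.dll is exactly what the loader in the thread does by design, so the script only makes the behaviour visible and puts a name on the exception code.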

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #127 on: October 08, 2013, 01:22:44 PM »
The beta testing phase for Malwarebytes Anti-Exploit goes on, and I see that there are still bugs appearing. Here a belated notification: Windows FW caused MBAE.exe to be closed and a new session had to be started manually. Read all of the EventViewer report and analysis here: http://forums.malwarebytes.org/index.php?showtopic=134558 (reported there by "analyzer") -> had to update to version 0.09.3.1000 available here:
http://downloads.malwarebytes.org/file/mbae_beta checked via -> VT results
https://www.virustotal.com/en/url/8e6bb5032768e0bc23e1e643990956b33b9d6f0b7cc36af1d9a7b49e15195d56/analysis/1381231450/

polonus
« Last Edit: October 08, 2013, 01:28:45 PM by polonus »