Malwarebytes Anti-Exploit

Jeff T

Malwarebytes has got a thing called Anti-Exploit. What does it do and should
I buy it?
 
Paul

Jeff said:
Malwarebytes has got a thing called Anti-Exploit. What does it do and should
I buy it?

There is a free version.

The vendor website has a poor explanation of what it does.

Bleepingcomputer offers these tidbits.

http://www.bleepingcomputer.com/download/malwarebytes-anti-exploit/

"Blocks unknown and common exploit kits, including
Blackhole, Sakura, Phoenix, and Incognito

Doesn’t use a signature database—no need for constant updating
"

Sakura apparently attempts a Javascript-in-PDF attack or an attack
on libTIFF if not patched. Windows has had a couple of image decoder
attacks around for a while. You could patch out the image ones by
using Windows Update. The Javascript one is similarly easy to
deal with. The two steps I use for that are to change all Acrobat
settings to "Save As", no opening of PDFs from within a browser.
And secondly, going into Acrobat Reader preferences and disabling
Javascript via the tick box. That should really be the shipping
default for Acrobat Reader; it shouldn't have been turned on in
the first place.

Some of the others have Wikipedia articles.

http://en.wikipedia.org/wiki/Blackhole_exploit_kit

"A potential victim loads a compromised web page or
opens a malicious link in a spammed email.

The compromised web page or malicious link in the spammed
email sends the user to a Blackhole exploit kit server's landing page.

This landing page contains obfuscated JavaScript that
determines what is on the victim's computers and loads
all exploits to which this computer is vulnerable and
sometimes a Java applet tag that loads a Java Trojan horse.

If there is an exploit that is usable, the exploit loads
and executes a payload on the victim's computer and informs
the Blackhole exploit kit server which exploit was used to load the payload."

A combination of NoScript and uninstalling Java would deal with some
aspects of that. Of course, legit pages won't load properly
if you stop their Javascript, so this solution is not without
side effects.

So I would say "it's doing something". The comments about
the initial beta release of the software weren't very good,
but I'm sure it's better by now.

If you're the kind of person who wildly clicks on everything
while surfing the web, then I guess this is the software for
you. It doesn't cover a lot of things, but then again,
it isn't an AV and doesn't conflict with them. If an exploit
does get through, the next step is downloading malware, and then
it's up to the heuristic detection of your AV as to whether
a further infection occurs. Heuristic, because my assumption
is that an exploit kit connecting to a live web site also gets
"fresh-daily" malware for downloading, not stale stuff from
two years ago that can be detected by signature.

Paul
 
VanguardLH

Paul said:
There is a free version. The vendor website has a poor explanation of
what it does.

http://www.bleepingcomputer.com/download/malwarebytes-anti-exploit/

"Blocks unknown and common exploit kits, including
Blackhole, Sakura, Phoenix, and Incognito

Doesn’t use a signature database—no need for constant updating"

I'm not sure why they bother in the payware version of MalwareBytes's
Anti-Exploit with the following (unless they're covering really old
versions of software that had different defaults):

- PDF shield.
Configure your PDF viewer to: (1) Disable Javascript - rarely needed so
enable when it is needed which is mostly just for company and gov't docs
and mostly to validate input data type into a field, or configure to
prompt on Javascripting to let you know and choose to opt-out or opt-in;
(2) Allow only .pdf attachments to a PDF, or prompt if any other type of
attachment (yes, PDFs can have buried attachments, even .exe's); and (3)
Disable the "launch" feature of PDFs (yes, you can attach a file to a
.pdf and have it launched when opening that PDF and have an external
filetype handler load or open it).

- MS Office shields
Doesn't this just block or prompt when a doc has a macro in it? If so,
how long has it been since the MS Office components defaulted to
"Disable all macros with notification"? You get prompted a macro has
been disabled with the choice to enable it.

- Shields media players
Doesn't say how. You need more software rather than go into the
program's options to disable scripting? or configure other security or
privacy settings already present in those programs?

When it comes to Microsoft's EMET (Enhanced Mitigation Experience
Toolkit) versus MalwareBytes Anti-Exploit, EMET is better but targets
sysadmins whereas MBAR is easier (no config) and targets end users (the
types that are uneducated and prefer to stay that way). At Pwn2Own
2014, all major browsers were hacked but no hacker won the $150,000
grand prize for IE 11 + EMET. Some of EMET's features are not available
under Windows XP but then MBAR couldn't support them there, either.

MalwareBytes Anti-Rootkit is still in beta status despite having a
payware (premium) version. I can't tell from the freeware product's
description if it is an on-access (real-time) scanner (with the option
of a manually initiated scan) or just an on-demand scanner (you have to
run it). Users have noted that not all its drivers get loaded so they
have to reboot to fix that before they can use it to initiate a manual
scan of their host. Read its forum to get a handle on the problems with
the beta product.
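Both Paul's and VanguardLH's posts above come down to the same three PDF features: embedded Javascript, file attachments, and launch actions. As an added example (not code from the thread or from Malwarebytes), this is a small pre-open check that flags those features in a PDF's raw bytes, including names hidden behind the `#xx` hex escapes the PDF format allows; the sample document and the block/prompt/allow policy are constructed for illustration.

```python
import re

# PDF name tokens behind the three features discussed in the thread
# (script, attachments, launch) plus the auto-run hooks that trigger them.
RISKY_NAMES = {
    b"/JavaScript": "javascript",
    b"/JS": "javascript",
    b"/Launch": "launch",
    b"/EmbeddedFile": "attachment",
    b"/OpenAction": "open_action",   # runs an action when the file is opened
    b"/AA": "additional_action",     # runs an action on page/field events
}

def _normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes so /J#53 is seen as /JS and not missed."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Count risky name tokens; a name ends at whitespace or a delimiter,
    so /JS must not match inside a longer name such as /JSX."""
    data = _normalize_names(data)
    hits = {}
    for token, label in RISKY_NAMES.items():
        n = len(re.findall(re.escape(token) + rb"(?![A-Za-z0-9_])", data))
        if n:
            hits[label] = hits.get(label, 0) + n
    return hits

def verdict(hits: dict) -> str:
    """Constructed policy: launch actions, or script plus an attachment,
    are blocked outright; any other risky feature prompts the user."""
    if "launch" in hits or ("javascript" in hits and "attachment" in hits):
        return "block"
    return "prompt" if hits else "allow"

# Constructed minimal PDF: an OpenAction that launches a file, plus a
# Javascript action whose /JS key is hex-escaped as /J#53.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /Launch /F (attached.exe) >> endobj\n"
    b"5 0 obj << /S /JavaScript /J#53 (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF), verdict(scan_pdf(SAMPLE_PDF)))
```

Real-world PDFs can also compress these dictionaries inside object streams, so a byte scan like this is a first filter, not a substitute for the viewer settings described above.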