Malwarebytes Anti-Exploit BETA protects you from zero-day exploits targeting browser and application vulnerabilities. Its proprietary technology protects you in that critical period between the release of a new exploit and its security patch. And, unlike antivirus products, Malwarebytes Anti-Exploit BETA proactively prevents the exploit from installing its payload. Before it can do damage.

Features
Shields software vulnerabilities
•Lightweight
•Runs silently in the background
•Install and forget—no management necessary
•Compatibility with anti-malware and antivirus products
•No signature database—no need for daily updates
Browser protection
•Internet Explorer
•Mozilla Firefox
•Google Chrome
•Opera
•Java, Flash, Shockwave, Acrobat, and any other browser plugin
Application protection
•Microsoft Word
•Microsoft Excel
•Microsoft PowerPoint
•Adobe Acrobat Reader
•Adobe Acrobat PRO
•Foxit Reader
Operating Systems:
Windows 8.1® (32-bit, 64-bit)
Windows 8® (32-bit, 64-bit)
Windows 7® (32-bit, 64-bit)
Windows Vista® (32-bit, 64-bit)
Windows XP® (32-bit, 64-bit)
Windows 2008® (32-bit, 64-bit)
Windows 2003® (32-bit, 64-bit)
Official Website
DOWNLOAD
Frequently Asked Questions:
1- What does Malwarebytes Anti-Exploit (MBAE) do exactly?
MBAE provides advanced security that combats the problem of exploit attacks against software vulnerabilities by effectively "shielding" popular applications and browsers. Why is this important? Mainly because organized cyber criminals have moved from simple infection techniques used by old viruses and worms to using sophisticated vulnerability exploit attacks to compromise victims without requiring any user interaction (i.e., users get infected by simply visiting a webpage or opening a PDF file).
2- What is an exploit?
From Wikipedia: “An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch, or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized).”
3- What is an Advanced Persistent Threat (APT)?
Advanced Persistent Threat (APT) refers to attacks perpetrated by organized groups such as nation states or corporate espionage initiatives which use sophisticated intrusion techniques. Such attacks normally rely on exploitation of known or unknown (i.e., new) zero-day vulnerabilities after luring targets to a drive-by download website or to open a maliciously crafted email attachment. Some examples of APTs are industrial & corporate cyber espionage, state-sponsored attacks which target government classified and private information, and organized cyber-crime which infects users with financial malware that siphons money from banks by making illegal transactions.
4- What are drive-by download attacks and targeted attacks?
Cyber criminals employ “exploit kits” to infect victims. These are specially configured servers whose only purpose is to infect victims using drive-by download attacks. The victim is lured into visiting a webpage (normally by sending spam or by injecting iframes into legitimate websites). Once the webpage loads it queries the browser and helper applications (Java, Flash, etc.) and automatically sends the victim the most appropriate exploit which executes malicious code (malware) on the victim's computer transparently and without requiring any user interaction. These attacks are mostly used to infect users with banking and identity theft trojans, rogue antivirus, and botnet malware. These types of infection vectors often use server-side polymorphism (the ability to change its “appearance” to escape detection), which makes the malware mostly undetectable by traditional antivirus signatures.
Targeted attacks consist typically of specially crafted malicious documents (PDF, DOC, XLS, PPT, AVI, WMV, etc.) which, when opened with the vulnerable host application (Acrobat Reader, Microsoft Office, Windows Media Player, etc.), are able to automatically and transparently execute malicious code. These attacks are used mostly to infect companies and governments but are also used frequently to infect home users with financially-driven malware that steals money from people’s bank accounts.
5- Are traditional security solutions not effective against exploit attacks?
Because of the complexity and polymorphism of these attacks there are very few solutions available in the market to tackle these types of problems. Most existing solutions fall short because they were either designed to be reactive, rely on advance knowledge of the behavior, or are simply too complex for end users to use:
•Blacklisting security applications such as antivirus signatures, web filtering, intrusion detection, and other such technologies require previous knowledge of the malicious code or attack and are not effective enough to protect against newer attacks launched by cyber criminals.
•Generic techniques like static emulation heuristics and run-time behavioral analysis are built upon previous knowledge of malware family traits or features which cyber criminals have become experts in evading.
•Newer techniques on the market such as advanced HIPS, white-listing or anti-exe and sandboxing, while more effective, are complex to set up by non-technical users, require a very high degree of maintenance or rely too much on the end user to make the correct decision when presented with detection options. In short, they are not install-and-forget.
6- Which vulnerability exploits does MBAE protect against?
There are many different types of vulnerabilities which can be exploited in different ways, from local to remote, from simple information disclosure through directory traversals, privilege escalation, cross-site scripting to complete system compromise via arbitrary code execution. MBAE protects against the most dangerous types of exploits, the ones that result in complete system compromise by running arbitrary malicious code and which are normally used by cyber criminals to infect users with financially-driven malware, botnet infections, or corporate espionage malware. MBAE focuses on protecting popular applications against attacks which result in system compromise by executing malicious code. MBAE will not protect against exploits which take advantage of insufficient or incorrect configuration or information disclosures, XSS, etc.
7- Which applications are shielded by MBAE?
The following list shows the current applications being shielded by MBAE by default. This list can change over time as we develop, test, and implement new shields.
•Internet Explorer
•Google Chrome
•Mozilla Firefox
•Opera
•Microsoft Word
•Microsoft Excel
•Microsoft PowerPoint
•Adobe Reader
•Adobe Acrobat Pro
•Foxit Reader
•Windows Media Player
•VideoLAN VLC Player
•QuickTime Player
•Winamp Player
•Oracle Java
It is important to note that the MBAE technology can be applied to any number of applications to protect them from vulnerability exploits which result in arbitrary code execution. If your company uses a legacy application or you think a popular application should also be shielded, please contact us.
8- Why aren’t you shielding other types of browsers, email readers, and other programs?
During the beta development phase we are focused on finishing the exploit detection engine while at the same time providing effective protection against exploits in the wild (exploits found circulating on the web). The list of applications we currently protect is based on a thorough study of the current state of affairs of exploits in the wild. If we see other applications subject to and/or being attacked in the wild we will add them to MBAE. However, we are not yet adding new applications which are not attacked in the wild; it takes time to add new applications to MBAE, and we are currently focused on completing MBAE 1.0.
9- What happens when MBAE detects an exploit attempt?
When MBAE detects a shielded application being exploited it automatically stops the malicious code from executing. Once the malicious code is stopped, it will automatically close the attacked application. We do this for stability as an attacked application might not function properly after experiencing a vulnerability exploit attempt.
10- How do I know if MBAE is working correctly?
There is a test application (Exploit-Test) included in the installation of Malwarebytes Anti-Exploit. By running this application, users can verify that their installation of MBAE is working correctly. During installation the application is copied to C:\Program Files\Malwarebytes Anti-Exploit\mbae-test.exe. UPDATE: as of version 0.09.5 the mbae-test.exe utility is available for download from here.
11- Will MBAE upgrade itself automatically to newer versions?
At least during the beta development phase MBAE does not upgrade itself automatically. Users need to download and install the new version. Prior to installing the new version, it is advised to exit the old MBAE by right-clicking on the tray bar icon and choosing “Exit” as well as closing all shielded applications.
12- Will MBAE be free once it comes out of beta?
Even though plans are not finalized, the most likely scenario is that MBAE will become commercial software. However, there will be some type of free version of the product with limited features.
13- Does MBAE disinfect?
Unlike traditional antivirus and security products, MBAE does not need to disinfect as it prevents vulnerability-driven infections in the first place. When MBAE blocks a vulnerability exploit attack, the exploit is stopped in its tracks and the malware is prevented from running and infecting the machine. MBAE does not need to scan your hard-drive in search of malware. MBAE is a real-time only permanent protection against vulnerability exploits and malware execution.
14- Will MBAE stop rogue antiviruses and ransomware?
There are two types of attacks when it comes to rogue antivirus and ransomware campaigns. In the first type of attack, using social engineering to fool users, a webpage simulating an antivirus scan is shown and the user is prompted to download and install the solution to the problem (which is the malicious or rogue antivirus). In the second, more advanced and dangerous type of attack, the user is lured into visiting a malicious webpage which exploits one or multiple vulnerabilities to automatically and transparently run the rogue antivirus or ransomware on the target system without any user interaction. In the first type of attack it is the responsibility of the antivirus to detect malicious executables, since MBAE is designed to prevent applications from being exploited automatically, when there is no user intervention involved. MBAE is not a white-listing or anti-exe solution which requires maintenance and user-based input. The second type of attack will be blocked by MBAE as it does rely on exploiting software vulnerabilities to run automatically and transparently without user interaction.
15- Do you implement exploit attack signatures, run applications in a sandbox, or use application white-lists?
No, no and no. Our protection approach is completely proactive and does not rely on attack signatures or network intrusion detection signatures. Applications run as they normally would without any impediment, such as those posed by sandboxing (a technique used by anti-virus software to test suspected malicious code) or other similar approaches. The protection offered by MBAE is completely install-and-forget, does not interfere with the user, and does not require maintenance of any white-lists.
16- Do I have to train MBAE on normal application usage?
No, MBAE is not a Host Intrusion Prevention System (HIPS), a behavioral analysis or white-listing solution. It does not require users to configure any settings, train applications on normal usage, or determine sandbox directories or file recovery options. It is truly a completely transparent install-and-forget anti-exploit solution.
17- What techniques does MBAE use to detect and block exploits?
MBAE incorporates multiple exploit detection and blocking techniques at different stages of the typical exploit attack to provide a truly complete solution against all types of current and future exploits.
•Stage 1 Layer: This layer of MBAE incorporates multiple techniques to detect and block exploits during stage 1 of the exploit attack, before the shellcode is allowed to run. In some cases, MBAE detects and prevents exploits before the operating system's Data Execution Prevention (DEP) protection.
•Stage 2 Layer: This layer of MBAE incorporates multiple memory protection and payload execution techniques which prevent exploits from executing their stage 2 payload, thereby protecting the computer even if operating system protections and stage 1 protection techniques have been bypassed.
18- How is MBAE different from Enhanced Mitigation Experience Toolkit (EMET)?
EMET is a great tool for enforcing operating system protections. These protections are applied to third-party applications and also incorporate some additional protection techniques. However, there are two main areas where MBAE improves on the protection offered by EMET:
•As EMET enforces OS protections, older OS versions such as Windows XP do not benefit from some of the protections offered by EMET in newer operating systems such as Windows 8.
•As EMET incorporates only Stage 1 protections, if an exploit manages to bypass EMET's protections, the computer will be compromised. There are already a few documented cases of this. With MBAE, there's the Stage 2 Layer of protections, which prevents compromise even in the case where Stage 1 protections have been bypassed.
It is important to note that MBAE is compatible with EMET and both of them can be run alongside each other.
19- What kind of information is sent to your servers?
We send absolutely no private or exploit detection information to our servers from the MBAE client, except some basic system information such as installations, operating system (OS) version, and language.
Official forum
This post has been edited by Angel of Deth: Jan 6 2014, 03:58 AM
Jan 5 2014, 06:27 PM, updated 12y ago