Malwarebytes Anti-Exploit update improves exploit protection

Martin Brinkmann
Oct 16, 2013
Antivirus, Security

Malwarebytes recently released the first public beta of Anti-Exploit, an exploit mitigation tool for Windows that works very similarly to Microsoft's Enhanced Mitigation Experience Toolkit (EMET).

The program steps in when an exploit has already bypassed a system's first and second lines of defense. Instead of being allowed to run on the system, the exploit is blocked by the anti-exploit software.

This is of course only true if the anti-exploit program supports blocking that particular exploitation technique.

Malwarebytes Anti-Exploit runs silently in the background for the most part. It does not offer as many configuration options as EMET, but it is still a solid choice for this kind of protection, especially since it can run alongside EMET on the same system.


Today's update of Malwarebytes Anti-Exploit brings the version of the application to 0.09.4.1000. It is still an early version and still listed as beta. What's interesting about this new version is that it includes several new features that users will find useful.

If you are already running an earlier version of the software, do the following before you run the new version's installer:

  1. Close the running Anti-Exploit version by right-clicking its system tray icon and selecting Exit.
  2. Close all programs that are protected by it, including web browsers, Microsoft Office applications and any other shielded programs running on the system.

You can then install the new version which will get installed over the old one.

As far as new features are concerned, there are three that are noteworthy.

  1. Malwarebytes' Anti-Exploit previously contained what the company calls "stage 2 anti-exploit techniques". The new version introduces "stage 1 anti-exploit techniques", which can detect and block exploits at an earlier stage of execution.
  2. The memory protection techniques have been improved in regards to stability, performance and compatibility with shielded applications.
  3. The new program version ships with a test program that you find in the program folder. Execute mbae-test.exe to verify that the program is running and working properly.

You can also use the test program to check your system's security setup: it shows whether your regular antivirus software and other programs catch those exploits, or let them slip past their defenses. Just close Anti-Exploit before launching the test program to see how those other programs fare.

Additional information about the changes is listed in the official changelog, which you can access here.

Verdict

The improvements that Malwarebytes has added to the latest version of Anti-Exploit improve the program significantly. It is still a beta version, and should not be run on productive environments because of this. While it is very likely that you won't notice any misbehavior if you do, it may be better to wait for the final release of the application instead.


Comments

  1. David Chapman said on April 22, 2014 at 8:54 pm
    Reply

    I use Revo Uninstaller Pro to ensure I get rid of any left-over garbage from unwanted/no-longer-required software. It includes a scan feature that detects and lists any remaining registry entries and also any left-over files and/or folders, which it gives you the option to delete as you wish. I find it works extremely well and recommend it to anyone who’s serious about clean uninstalls. Hope this info helps somewhat. Cheers…

  2. Mike Corbeil said on December 31, 2013 at 4:46 am
    Reply

    Somewhat hilarious MAE installation problem:

    Let me first say that this isn’t a rant or complaint against you, Mark. MAE evidently works fine for you and just doesn’t for me. This comment is only about my experience and any mockery, if there is any, definitely isn’t aimed at you.

    I just installed MAE while Firefox was open and MAE’s installation produced a pop-up saying the following after the installation ran its course:

    “The beta testing period has finished and Malwarebytes Anti-Exploit is not protecting you anymore.
    Please contact us to obtain a newer version”

    I just downloaded it yesterday!

    MAE was installed, so I opened the interface using the icon in the system tray. The General tab says that the number of shielded applications is -1. How they derive less than 0 is ?, but it’s protecting nothing, so this matches the prompt or pop-up mentioned just above.

    That’s a lousy way for an app. to work. If there’s an update or upgrade, then the user should be informed of this while [also] being provided with a link for the website or its page for MAE, but MAE doesn’t provide a link.

    Comically, number of shielded apps is -1 and Start Protection button is disabled, but Stop Protection button is enabled. Clicking on Stop … causes Start … to become enabled and the Stop one to become disabled, but two things that don’t change are the -1 and the enabled Close button.

    MAE un-installation problem:

    I just downloaded MAE again from Malwarebytes.org, but before running this installer, I uninstalled the dysfunctional installation from yesterday’s download. At the end of the un-install a pop-up says the following:

    “Malwarebytes Anti-Exploit uninstall complete.
    Some elements could not be removed. These can be removed manually.”

    That’s a joke for software development. The uninstall clearly isn’t complete, since some elements remain installed or changes, like to Windows registry, f.e., remain. And there’s no indication of what elements remain.

    Next step:

    Before bothering with trying to find the remaining elements in order to remove them manually, I downloaded MAE again a few minutes ago and then installed this. VirusTotal detects the same, unchanged version, 0.09.4.2000, which was downloaded yesterday.

    I went back to your article about MAE, this page, here, to check if you said anything about needing to close any particular applications before installing MAE. And I also checked at the MAE download page, where a very short list of protected apps is provided. I don’t use by far most of the specified apps, but do use Firefox. So I closed Firefox, as well as closing WinPatrol, System Explorer, Secunia PSI and Malware Defender, just in case these might be recognized by MAE while simply not being mentioned in the list of protected apps shown in the MAE download page.

    Then I reinstalled MAE using the new download. The same problem happens again, except that instead of getting the popup at the end of installation, it appears when MAE is being run or started, thereafter.

    This truly is an entry-level programmer piece of work, like from someone with experience, but very little of it; for creating software, aka programming, that is.

    This wasn’t beta. It at best is alpha. If the thing is going to install and refuse to provide any protection whatsoever, then it should uninstall itself automatically while informing the person trying to do the installation to get the update or upgrade and then try again.

    The MAE prompt popped up again after I downloaded the Web installer for Microsoft .Net Framework 4.0 in order to be able to install EMET, as well as downloading “Malicious Software Removal Tool (KB890830)”, and then trying to upload these to Virustotal.com. It’s actually with the Removal Tool upload attempt that the MAE popup occurred, not having popped up when I uploaded, first, .Net Framework 4.0 installer. The Removal Tool download is too large to be able to upload it to VT using the small app. that VT provides so that users can do uploads using the right-click context menu in a file/folder manager.

    MAE is not protecting anything, it says, but it clearly isn’t minding its own business, silently, either. If it’s not protecting anything, then it’s worthless and should be silent.

    I rebooted Windows before doing the uploads to VT, using the Web interface to be able to upload the Removal Tool; in case you’re wondering if I did a reboot, or not.

    So, MAE is going to now be uninstalled and left forgotten until there’s a mature version available. There’s no point in having a security app. installed when all it’ll tell you is that it’s providing you with no protection.

    Someone might think that the absence of protection is due to not having any apps supported by MAE installed, but I have IE and there is some MS Office stuff. I don’t have MS Office, but there’re some Office-related things from Windows Update. I don’t know if that stuff might be necessary for LibreOffice, so I leave the stuff installed.

    Anyway, I’ll now uninstall MAE and will install .Net Framework 4.0, after which EMET will be installed.

  3. Mike Corbeil said on December 29, 2013 at 7:44 am
    Reply

    When you say at the end, “It is still a beta version, and should not be run on productive environments because of this”, do you mean production environments, aka workplaces, or any Windows system that’s productively used by a user? By the latter, I mean any person who simply makes a lot of use of their system.

    I’m very productive with my Windows XP system, but it’s entirely for personal and private use, and I don’t make use of very many applications. It’s mostly using Web browsers (Firefox and Opera), email app. (Thunderbird), two multimedia players (PotPlayer and VLC), PDF reader, LibreOffice (mainly for Writer), Avira Antivir Free, Malwarebytes Anti-malware (free version and therefore only on demand), Malware Defender, WinPatrol, Secunia PSI, and occasionally some other apps.

    Comparisons:

    I’ve now read your two articles for EMET and Malwarebytes Anti-Exploit (MAE), but I’ve been using Avira Antivir Free and WinPatrol for many years, and began using Malware Defender around two years ago in real-time mode. I also just downloaded Avira Free Antivirus 14.0.2.286, which I guess is Avira Free Antivirus 2014, tonight for installation as soon as I close Firefox and it seems that this newer version of Avira Free AV includes Web browsing protection, based on the user guide for which there’s a download link next to or beneath the link for downloading the free AV.

    Even without the Avira update, I’m developing a “feeling” that I wouldn’t really benefit from EMET or MAE when using Malware Defender real-time. And if we consider MD running real-time while Antivir and WinPatrol are also running real-time, then the “feeling” only becomes stronger.

    With MD, I have all 4 protection guards or shields running real-time: file, registry, network (not that I really need it, but it doesn’t affect system performance), and application.

    Do you think or know that EMET and/or MAE would be really beneficial with this setup I already have?

    Extra FYI:

    I primarily use Firefox and have NoScript and RequestPolicy add-ons, as well as AdBlock Plus. Opera is used only occasionally for testing. It’s to see what happens with a Web page when something that should be working in a Web page doesn’t work in Firefox.

    I don’t have security add-ons for Thunderbird, but I also don’t open attachments without truly knowing what they are and who the sender is. If I recognize a sender but have no idea what the attachment is about, then I’ll contact the person to inquire as to the purpose of the attachment. If all seems okay with that file, then it’ll be saved to a folder where I’ll select the file and run Avira Antivir and free Malwarebytes Anti-malware, plus upload to VirusTotal. That’ll be done before opening the saved attachment file, especially if it’s an executable. If it isn’t executable, then it may still be uploaded to Virustotal, otherwise I’ll only use the locally installed Avira Antivir and Malwarebytes Anti-malware.

    Also, I spot spam and other email to be flagged as JUNK in Thunderbird usually without needing to open the email. When selecting an email, Thunderbird displays the sender at the bottom of the TB window frame, the status area, I guess it might be called. Based on the sender, I can delete most of these emails without opening them only to find that they’re junk, sometimes also potentially malicious, such as with phishing crap. I have 3 email accounts and they’re all accessed using TB. Only Yahoo allows junk and worse, apparently without limitation, too. Gmail and my ISP account email addresses operate “clean as a whistle” (a clean one).

    If I’m not sure if an email is junk, then I can open it, but if there’s an attachment, then the email will be immediately junked if I don’t know the sender. There’s no “toying around” with the attachment; no risk taken with it. If there’s no attachment, then I just quickly check what the email is about. So far, these seem to be mostly phishing expeditions and it’d take an awfully novice user to respond to the email with the information requested.

    I was getting an email earlier this year from a sender using the Hotmail email address of a woman who owns the house where I used to room and it was garbage email, so I contacted her by telephone to inquire what this was about. She said that she knew nothing about this, so I had her go to her PC to check her sent email in order to verify if she had any that were sent to my address. This was in case someone else might be using her PC, someone wanting to pester me with nonsense email. She found nothing, so I had her run her AV and contact Microsoft, which a little Web searching indicated owns Hotmail. And I also contacted Microsoft.

    The problem didn’t occur again.

    If there had been an attachment, then I would’ve done the same thing, possibly a little more emphatically, albeit I was quite emphatic about it anyway.

    So, given the way my system is run and my very careful Web browsing habits, I wonder if EMET and/or MAE would really be beneficial. With Malware Defender, I already have plenty of prompts to respond to when installing software, and domains to temporarily or permanently permit with NoScript and RequestPolicy in Firefox.

    1. Martin Brinkmann said on December 29, 2013 at 10:14 am
      Reply

      Since both programs, I’m talking about EMET and MAE, are not using a lot of RAM, I would highly suggest that any Windows user adds at least one of them to his setup.

      About the beta: I mean in business / Enterprise environments. Running beta software is usually less of an issue on home PCs, regardless of how they are used. I have been running both EMET and MAE for a long time and never experienced any issues.

      1. Mike Corbeil said on December 31, 2013 at 12:47 am
        Reply

        Thanks. I downloaded them both, yesterday, and will install them. Regarding the beta, I was sure you had to be meaning business production environments but wanted to make sure. As productive as some people are with their home PCs, I’ve never read or heard of the home environment being referred to as a production environment. But, it could happen.

  4. Roman Shaman said on October 17, 2013 at 12:36 pm
    Reply

    Installed new beta over old, and having both (mbae64, v0.09.3.1000 and mbae, v0.09.4.1000) running now?

    1. Martin Brinkmann said on October 17, 2013 at 1:29 pm
      Reply

      That should not have happened, Roman. Can you check in the system tray if you have two entries for the program as well? Did you close the old version before you installed the new one?

      1. Roman Shaman said on October 19, 2013 at 3:17 pm
        Reply

        The easy fix was to fully uninstall the old version first, instead of simply closing it. Well, at least in my case. Running Windows 7 x64 Pro.
        Best regards.

      2. Anonymous said on October 18, 2013 at 11:57 pm
        Reply

        Martin, my answer to both questions is yes. Blue and orange icons in system tray, mbae64.exe and mbae.exe in Task Manager, respectively.

      3. Martin Brinkmann said on October 18, 2013 at 11:59 pm
        Reply

        That sounds almost as if the first version installed as a 32-bit version, and the second as the 64-bit version of the application.

  5. tinwheeler said on October 16, 2013 at 7:27 pm
    Reply

    Martin, a heads up if anyone gets a window error saying the mbae driver cannot be opened. Completely uninstall MBAE. In the registry delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ESProtectionDriver, reboot and reinstall MBAE and it should work.

    1. Martin Brinkmann said on October 16, 2013 at 7:29 pm
      Reply

      Thanks. I did not experience any issues, but good to know for those who do.
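The two troubleshooting reports in the comments above (a 32-bit and a 64-bit instance running side by side after an in-place upgrade, and a leftover ESProtectionDriver service entry that prevents the driver from being opened until it is removed) both come down to state that Windows exposes directly. The PowerShell script below is an added example, not part of the article or of Malwarebytes' own tooling: it checks whether mbae.exe and mbae64.exe are running at the same time, reports whether the driver service key still points at a driver file on disk, and removes the key only for an orphaned entry (key present, file gone, driver not running), only when -Remove is given, and only through ShouldProcess so that -WhatIf previews the change. The process names and the registry path come from the comments; the ImagePath normalisation and the orphan criterion are assumptions.

```powershell
# Added example (not from the ghacks article or from Malwarebytes): post-upgrade
# sanity check for Malwarebytes Anti-Exploit beta installs. Process names
# (mbae, mbae64) and the service key path come from the article's comments;
# the ImagePath handling and the "orphaned entry" rule are assumptions.
# Run from an elevated prompt. Nothing is deleted unless -Remove is supplied,
# and -WhatIf shows what would be removed without doing it.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ESProtectionDriver'

# 1. Duplicate instances: a 32-bit mbae.exe and a 64-bit mbae64.exe running
#    together is the symptom reported after installing over an old version.
$instances = @(Get-Process -Name 'mbae', 'mbae64' -ErrorAction SilentlyContinue)
if ($instances.Count -gt 1) {
    Write-Warning "Multiple Anti-Exploit processes running: $($instances.Name -join ', ')"
    $instances | Select-Object Name, Id, Path | Format-Table -AutoSize
} elseif ($instances.Count -eq 1) {
    Write-Output "One Anti-Exploit instance running: $($instances[0].Name) (PID $($instances[0].Id))"
} else {
    Write-Output 'No Anti-Exploit process is running.'
}

# 2. Driver service entry: does the key exist, and does its ImagePath still
#    point at a driver file on disk? A key without a file is a leftover.
if (Test-Path -Path $serviceKey) {
    $imagePath = (Get-ItemProperty -Path $serviceKey).ImagePath
    # Kernel driver ImagePath values are often written as \SystemRoot\..., \??\C:\...
    # or relative to the Windows directory (assumption about common forms).
    $resolved = $imagePath -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
    if ($resolved -and -not [System.IO.Path]::IsPathRooted($resolved)) {
        $resolved = Join-Path -Path $env:SystemRoot -ChildPath $resolved
    }
    $driverPresent = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
    Write-Output "Driver service key exists. ImagePath: $imagePath"
    Write-Output "Driver file present on disk: $driverPresent"

    # Kernel drivers are not returned by Get-Service; Win32_SystemDriver reports them.
    $driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='ESProtectionDriver'" -ErrorAction SilentlyContinue
    $driverState = if ($driver) { $driver.State } else { 'not loaded' }
    Write-Output "Driver state: $driverState"

    if ($Remove) {
        if (-not $driverPresent -and $driverState -ne 'Running') {
            if ($PSCmdlet.ShouldProcess($serviceKey, 'Remove orphaned driver service key')) {
                Remove-Item -Path $serviceKey -Recurse -Force
                Write-Output 'Orphaned driver service key removed. Reboot before reinstalling Anti-Exploit.'
            }
        } else {
            Write-Warning 'Key left in place: driver file still present or driver running. Uninstall Anti-Exploit first.'
        }
    }
} else {
    Write-Output 'No ESProtectionDriver service key found.'
}
```

Save the script as, for example, Check-MBAE.ps1 and run it plainly first; only add -Remove -WhatIf, then -Remove, once the report shows the key is orphaned and the uninstaller has already run, which matches the order of steps tinwheeler describes.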
