
MBAE and EMET



#1 philfil

Posted 09 December 2015 - 09:24 AM

The free version of Malwarebytes Anti-Exploit (MBAE) protects a range of browsers together with Java. However, it doesn't protect other applications such as Adobe Reader or an email client such as Thunderbird. These, and other applications, could be protected by use of Microsoft EMET (Enhanced Mitigation Experience Toolkit). If both MBAE and EMET were to be used to protect the same application, such as Firefox, then there could be some conflict which might not be apparent but which could reduce the effectiveness of either MBAE or EMET or both. However, if EMET was restricted to applications which are not protected by MBAE then one would expect the risk of such conflicts to be less. The question is, is this a reasonable approach?

 

One could use EMET by itself to protect every application but it isn't the most user-friendly tool. MBAE, however, is easy to install and trouble free so there is a case for taking advantage of that. Does anyone know of any problems which could arise if MBAE and EMET were used together but on different applications on a computer running Windows 7?


Edited by philfil, 09 December 2015 - 09:29 AM.




#2 quietman7
    Bleepin' Janitor

Posted 09 December 2015 - 12:18 PM

Some anti-virus and anti-malware programs include built-in exploit protection. For example, Emsisoft Anti-Malware uses advanced behavior blocking analysis which is extremely difficult to penetrate...it continually monitors the behavior of all active programs looking for any anomalies that may be indicative of malicious activity and raises an alert as soon as something suspicious occurs. Emsisoft also has the ability to detect unknown zero-day attacks without signatures. ESET Antivirus and Smart Security uses Exploit Blocker which is designed to fortify applications that are often exploited, such as web browsers, PDF readers, email clients or MS Office components.
 

Some security researchers have advised not to use multiple anti-exploit applications because using more than one of them at the same time can hamper the effectiveness of Return-oriented programming (ROP) and other exploit checks. This in turn can result in the system becoming even more vulnerable than if only one anti-exploit application is running.

ROP is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as non-executable memory and code signing. Address Space Layout Randomization (ASLR) is a computer security technique involved in protection from buffer overflow attacks. These security technologies are intended to mitigate (reduce) the effectiveness of exploit attempts. Many advanced exploits rely on ROP and ASLR as attack vectors used to defeat security defenses and execute malicious code on the system. For example, they can be used to bypass DEP (data execution prevention) which is used to stop buffer overflows and memory corruption exploits. Tools with ROP and ASLR protection such as Microsoft's Enhanced Mitigation Experience Toolkit (EMET) use technology that checks each critical function call to determine if it's legitimate (if those features are enabled).



However, EMET Security Technology is not impenetrable...

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 philfil
Topic Starter

Posted 09 December 2015 - 12:39 PM

Thank you for your comments.

 

"Some security researchers have advised not to use multiple anti-exploit applications because using more than one of them at the same time can hamper the effectiveness of Return-oriented programming (ROP)"

 

That is the sort of thing which concerns me about using more than one anti-exploit program. However, I am unsure about how it applies to tools such as MBAE and EMET which can be aimed at specific and different applications. A related question is what does EMET do if it is not configured to protect any application? Is there some kind of residual anti-exploit behaviour operating in the background?

 

I have read a number of things on the internet about running MBAE and EMET together but they all seem to relate to the more complicated scenario in which both programs are used to protect the same application (usually a browser).

 

Thanks for the comments about Exploit Blocker. I will read up on that. One solution rather than two would be better.



#4 1PW

Posted 09 December 2015 - 01:19 PM

Some may find the following interesting: How is MBAE different from Enhanced Mitigation Experience Toolkit (EMET)?

HTH


Edited by 1PW, 09 December 2015 - 01:19 PM.

All viruses are malware but not all malware are viruses and if the malware doesn't self replicate it just isn't a virus.


#5 quietman7
    Bleepin' Janitor

Posted 09 December 2015 - 04:13 PM

If it helps any, I use MBAE with the following....I also use Emsisoft Anti-Malware (EAM) and ESET NOD32 Antivirus. While there is no need for using both EAM and ESET, I installed each a long time ago for testing purposes and when I did not notice any performance degradation, I continued to use them together.

#6 philfil
Topic Starter

Posted 09 December 2015 - 04:50 PM

If it helps any, I use MBAE with the following....

 

I have used MBAE for some time. It behaves very well. All you have to do is install it and forget it. In contrast, EMET can be very disruptive. What surprises me is that MBAE can do what it claims to do with so little impact on other applications.

 

To 1PW; thank you for the link. Its final statement reflects my own experience, "MBAE is extremely easy to use. It is truly install-and-forget."

 

The only way I have found of handling EMET is to configure one application at a time, make a note of everything done, and then wait to find out what problems emerge.



#7 quietman7
    Bleepin' Janitor

Posted 09 December 2015 - 05:08 PM

Everything I use is essentially install-and-forget...unless you get an alert.

#8 Umbra
    Authorized Emsisoft Rep

Posted 12 December 2015 - 12:09 AM

MBAE free + EMET = recommended

MBAE premium + EMET = not recommended



Emsisoft Community Manager


#9 philfil
Topic Starter

Posted 12 December 2015 - 04:26 AM

MBAE free + EMET = recommended

 

That's the way I am going at the moment, but with EMET configured so that it only protects applications which are not protected by MBAE.

 

Despite its awkwardness, EMET has some appealing features such as the ability to enable Data Execution Prevention (DEP) across the system. This is a security feature that is built into Windows 7 and it can be fully enabled within Windows. However, many users won't know that it is there and by default, it isn't fully enabled. EMET allows easy control of such features as DEP and Structured Exception Handling Overwrite Protection (SEHOP) which are not fully enabled by default.
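The system-wide DEP and SEHOP settings mentioned here, together with the NX_COMPAT and DYNAMIC_BASE link flags that decide whether DEP and ASLR (discussed in quietman7's post above) actually apply to a given program, can be audited from PowerShell. This is an added example, not code from the thread, from Microsoft or from Malwarebytes; the process names in `$apps` are assumed and should be replaced with whatever is installed.

```powershell
# Added example, not from the thread: read-only audit of the Windows 7
# mitigations discussed above. Run in an elevated PowerShell 2.0+ session.

# 1. System-wide DEP policy. Win32_OperatingSystem exposes the boot-time
#    "nx" value; Windows 7 client defaults to OptIn.
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$os = Get-WmiObject -Class Win32_OperatingSystem
$depPolicy = [int]$os.DataExecutionPrevention_SupportPolicy
Write-Host ("System DEP policy : {0}" -f $depNames[$depPolicy])

# 2. System-wide SEHOP. DisableExceptionChainValidation = 0 means enabled;
#    an absent value means the OS default (off on Windows 7 client editions).
$kernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$sehop = (Get-ItemProperty -Path $kernelKey -ErrorAction SilentlyContinue).DisableExceptionChainValidation
if ($sehop -eq $null) { $sehopState = 'not set (OS default)' }
elseif ($sehop -eq 0)  { $sehopState = 'enabled' }
else                   { $sehopState = 'disabled' }
Write-Host ("System SEHOP      : {0}" -f $sehopState)

# 3. Per-executable link flags. DllCharacteristics sits at offset 70 of the
#    optional header in both PE32 and PE32+ images. Under the OptIn policy a
#    program without NX_COMPAT runs with DEP off, and one without DYNAMIC_BASE
#    is not randomised by ASLR, unless a tool such as EMET forces it.
function Get-PeMitigationFlags([string]$Path) {
    $b  = [System.IO.File]::ReadAllBytes($Path)
    $pe = [BitConverter]::ToInt32($b, 0x3C)                   # e_lfanew
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) {   # "PE\0\0"
        throw "Not a PE image: $Path"
    }
    $dllChars = [BitConverter]::ToUInt16($b, $pe + 24 + 70)
    New-Object PSObject -Property @{
        File        = $Path
        NxCompat    = (($dllChars -band 0x0100) -ne 0)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        DynamicBase = (($dllChars -band 0x0040) -ne 0)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    }
}

# Assumed application list; replace with the programs you actually run.
$apps = 'firefox', 'thunderbird', 'AcroRd32'
foreach ($name in $apps) {
    $proc = Get-Process -Name $name -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($proc -eq $null -or -not $proc.Path) { Write-Host ("{0,-12}: not running" -f $name); continue }
    $f = Get-PeMitigationFlags $proc.Path
    Write-Host ("{0,-12}: NX_COMPAT={1} DYNAMIC_BASE={2}  {3}" -f $name, $f.NxCompat, $f.DynamicBase, $f.File)
}
```

A program reported without NX_COMPAT under an OptIn DEP policy is exactly the case where a per-application EMET rule (or a system-wide OptOut policy) is what actually turns DEP on for it.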



#10 quietman7
    Bleepin' Janitor

Posted 12 December 2015 - 07:34 AM

EMET Resources



#11 1PW

Posted 12 December 2015 - 03:25 PM

Hello philfil:
 
If you have not already done so, please be familiar with the last bullet point:
 
https://forums.malwarebytes.org/index.php?/topic/135127-known-issues-conflicts/#entry743823

Thank you.



#12 philfil
Topic Starter

Posted 12 December 2015 - 06:58 PM

Hi 1PW,

 

Actually, I have gone the whole way and installed all protections in EMET and uninstalled MBAE Free (perhaps temporarily). For a while I had both on together and protecting the same browsers - surprisingly, there didn't appear to be any problem. Everything worked as expected. However, that isn't the same as saying that both were working as they should. I tested MBAE with the test tool which Malwarebytes provides and MBAE passed even with EMET looking over its shoulder. But I am still uneasy about that kind of arrangement so I decided to try EMET on its own. Microsoft don't make a test tool for EMET but there is an exploit test tool for HitmanPro.Alert (hmpalert-test.exe), which can be used for applications other than HitmanPro, and EMET passed all tests (about 20 of them) provided by that. So far, EMET on its own seems to be doing its job and I haven't had any crashes. Fingers crossed!


Edited by philfil, 12 December 2015 - 07:03 PM.


#13 quietman7
    Bleepin' Janitor

Posted 12 December 2015 - 07:40 PM

For those interested.

HitmanPro.Alert Exploit Test Tool Manual

#14 philfil
Topic Starter

Posted 13 December 2015 - 04:05 AM

Thanks quietman. I have found those tools useful and others might do also. Unlike the Malwarebytes tool, which is a single test with no target application specified, they can be used to test for a variety of exploits and they can target particular applications such as Firefox or Chrome. It should be noted that the 64-bit version is intended to test 64-bit applications such as the 64-bit version of Internet Explorer. Testing Firefox (32-bit) on a 64-bit machine requires the 32-bit version of hmpalert.



#15 quietman7
    Bleepin' Janitor

Posted 13 December 2015 - 04:38 AM

You're welcome.

