Anti Exploit Battle

bitbizket

Level 3
Depends on my security setup, I use both separately.
HMPA has more features, doubling as a virus scanner, but given the complexity of other security programs nowadays they may conflict.
While MBAE is pure AE, its simpler approach makes it easy to set up; I believe PBust had that in mind.
 

chrcoluk

Level 1
MBAE free does protect Firefox forks such as Pale Moon and Cyberfox; however, plugin-container.exe is not in the free version, which seems an oversight.

Also some options for Chrome are disabled by default. I think this is due to advice from Chrome developers, who state those protections are not needed on their browser.
 

frogboy

In memoriam 1961-2018
MBAE free does protect Firefox forks such as Pale Moon and Cyberfox; however, plugin-container.exe is not in the free version, which seems an oversight.

Also some options for Chrome are disabled by default. I think this is due to advice from Chrome developers, who state those protections are not needed on their browser.
It works fine here using Cyberfox. ;)
 

Azure

Level 26
Verified
Content Creator
MBAE free does protect Firefox forks such as Pale Moon and Cyberfox; however, plugin-container.exe is not in the free version, which seems an oversight.

Also some options for Chrome are disabled by default. I think this is due to advice from Chrome developers, who state those protections are not needed on their browser.
plugin-container.exe is already protected:
Is Firefox Plugin Container process protected by MBAE Free ? - News, Questions and Comments - Malwarebytes Forum

MBAE has a different category for "normal" browsers and "Chrome-like (Chromium)" browsers. And yeah, some mitigations are not only disabled by default but also greyed out (most likely to prevent the user from enabling them).

Interestingly, I don't think HitmanPro.Alert separates browsers and Chrome browsers, so they all have the same mitigations. Never had any problem with Chrome.
 

chrcoluk

Level 1
I just tried an old test on HitmanPro.Alert and wow, it failed.

I used the old sys-manage buffershield test tool, which tests launching a process to bypass DEP.

The test runs successfully on my rig, which has HitmanPro.Alert installed.

To successfully mitigate that test the following works.

Set DEP to always on in Windows, which prevents executables disabling NX via the compatibility layer.
Enable DEP for the process in EMET, which blocks the behaviour; of course this requires specific blacklisting to be effective.

I cannot blacklist the app in HitmanPro.Alert; it seems more limited than EMET in that functionality.
 

chrcoluk

Level 1
It works fine here using Cyberfox. ;)
Check the preconfigured shields, you will notice plugin-container.exe is not in the list. I have also run tests on plugin-container in the past and they were not blocked by MBAE free, only blocked by EMET after I added the exe to EMET's list. I hope the same isn't the case with HitmanPro.Alert, which I have not tested yet on plugin-container (this is important as E10 Firefox spawns browsing processes with that exe). Mitigation limitations are not inherited by child processes of a different name; this is a massive oversight of these security vendors if that's what they are assuming.

My above test already proves that, as the buffershield test spawns an overflow process which is not mitigated (the buffershield exe is added to HMPA but not the overflow exe).
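
The two points raised in chrcoluk's posts above (the system-wide DEP policy, and child processes with a different image name not inheriting per-application shields) can be checked on a live system. The script below is an added example, not code from the thread or from any of the vendors discussed; it assumes the built-in `Get-ProcessMitigation` cmdlet (Windows 10 1709 or later, which postdates EMET), and the parent image name `firefox.exe` is a placeholder.

```powershell
# Added example (not from the thread). Needs Windows 10 1709 or later; run elevated.
param([string]$ParentName = 'firefox.exe')   # assumption: image name of the parent to audit

# System-wide DEP policy; "AlwaysOn" is the setting recommended in the post.
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$os = Get-CimInstance Win32_OperatingSystem
Write-Host "System DEP policy: $($policyNames[[int]$os.DataExecutionPrevention_SupportPolicy])"

# Snapshot of all processes, then a breadth-first walk from every matching parent.
$all   = @(Get-CimInstance Win32_Process)
$seen  = New-Object 'System.Collections.Generic.HashSet[uint32]'
$queue = New-Object System.Collections.Queue
foreach ($root in @($all | Where-Object { $_.Name -eq $ParentName })) {
    $queue.Enqueue($root)
}

while ($queue.Count -gt 0) {
    $p = $queue.Dequeue()
    if (-not $seen.Add($p.ProcessId)) { continue }   # already reported

    # Queue the children. The creation-date check skips unrelated processes
    # whose recorded parent PID was reused after the real parent exited.
    foreach ($c in $all) {
        if ($c.ParentProcessId -eq $p.ProcessId -and $c.CreationDate -ge $p.CreationDate) {
            $queue.Enqueue($c)
        }
    }

    # Effective mitigation state of the running process (not the registry policy).
    $m = Get-ProcessMitigation -Id $p.ProcessId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name      = $p.Name
        Id        = $p.ProcessId
        ParentId  = $p.ParentProcessId
        DEP       = if ($m) { $m.Dep.Enable } else { 'unreadable' }
    }
}
```

A child whose image name differs from the parent and whose DEP column is not `ON` is the case described in the post. 64-bit processes always run with DEP, so the gap only shows up for 32-bit images.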
 
Last edited:

frogboy

In memoriam 1961-2018
Check the preconfigured shields, you will notice plugin-container.exe is not in the list. I have also run tests in the past and they were not blocked by MAE, only blocked by EMET after I added the exe to EMET's list. I hope the same isn't the case with HitmanPro.Alert, which I have not tested yet. Mitigation limitations are not inherited by child processes of a different name; this is a massive oversight of these security vendors if that's what they are assuming.
See here. Malwarebytes Anti-Exploit Added Support for Cyberfox - 8pecxstudios Support Forums
 
Top