Anti Exploit Battle: Malwarebytes Anti-Exploit vs HitmanPro.Alert

bitbizket

Level 3
Jul 26, 2011
250
Depends on my security setup; I use both separately.
HMPA has more features, doubling as a virus scanner, but given the complexity of other security programs nowadays they may conflict.
While MBAE is pure AE, its simpler approach makes it easy to set up; I believe PBust had that in mind.
 

chrcoluk

Level 1
Verified
Aug 6, 2015
23
MBAE free does protect Firefox forks such as Pale Moon and Cyberfox; however, plugin-container.exe is not in the free version, which seems an oversight.

Also, some options for Chrome are disabled by default. I think this is due to advice from Chrome developers, who state those protections are not needed on their browser.
 

frogboy

In memoriam 1961-2018
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
chrcoluk said:
> MBAE free does protect Firefox forks such as Pale Moon and Cyberfox; however, plugin-container.exe is not in the free version, which seems an oversight.
>
> Also, some options for Chrome are disabled by default. I think this is due to advice from Chrome developers, who state those protections are not needed on their browser.

It works fine here using Cyberfox. ;)
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
chrcoluk said:
> MBAE free does protect Firefox forks such as Pale Moon and Cyberfox; however, plugin-container.exe is not in the free version, which seems an oversight.
>
> Also, some options for Chrome are disabled by default. I think this is due to advice from Chrome developers, who state those protections are not needed on their browser.

plugin-container.exe is already protected
Is Firefox Plugin Container process protected by MBAE Free ? - News, Questions and Comments - Malwarebytes Forum

MBAE has a different category for "normal" browsers and "Chrome-like (Chromium)" browsers. And yeah, some mitigations are not only disabled by default but also greyed out (most likely to prevent the user from enabling them).

Interestingly I don't think HitmanPro.Alert separates browsers and chrome-browsers, so they all have the same mitigations. Never had any problem with Chrome.
 

chrcoluk

Level 1
Verified
Aug 6, 2015
23
I just tried an old test on HitmanPro.Alert and wow, it failed.

I used the old sys-manage buffershield test tool, which tests launching a process to bypass DEP.

The test runs successfully on my rig, which has HitmanPro.Alert installed.

To successfully mitigate that test, the following works.

Set DEP to always on in Windows, which prevents executables disabling NX via the compatibility layer.
Enable DEP for the process in EMET, which blocks the behaviour; of course this requires specific blacklisting to be effective.

I cannot blacklist the app in HitmanPro.Alert; it seems more limited than EMET in that functionality.
 

chrcoluk

Level 1
Verified
Aug 6, 2015
23
frogboy said:
> It works fine here using Cyberfox. ;)

Check the preconfigured shields; you will notice plugin-container.exe is not in the list. I have also run tests on plugin-container in the past and they were not blocked by MBAE free, only blocked by EMET after I added the exe to EMET's list. I hope the same isn't the case with HitmanPro.Alert, which I have not tested yet on plugin-container (this is important as E10 Firefox spawns browsing processes with that exe). Mitigation limitations are not inherited by child processes of a different name; this is a massive oversight of these security vendors if that's what they are assuming.

My above test already proves that, as the buffershield test spawns an overflow process which is not mitigated (the buffershield exe is added to HMPA but not the overflow exe).
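
The gap described in the post above (a shield keyed on one executable name does not follow a child process with a different name) can be audited from a process listing. This is an added example, not part of the original post or of any vendor's tooling; it assumes shields are matched per image name as the post describes, and the snapshot, the shield list and the names testtool.exe and spawned-child.exe are constructed placeholders.

```python
from collections import defaultdict

# Constructed process snapshot: (pid, parent_pid, image_name).
SNAPSHOT = [
    (0, 0, "System Idle Process"),    # lists itself as its own parent
    (100, 4, "explorer.exe"),         # parent not in snapshot -> treated as a root
    (200, 100, "firefox.exe"),
    (210, 200, "plugin-container.exe"),
    (220, 200, "firefox.exe"),
    (300, 100, "testtool.exe"),       # placeholder: the shielded test launcher
    (310, 300, "spawned-child.exe"),  # placeholder: the process it spawns
    (320, 310, "cmd.exe"),
]
# Constructed shield list: image names the anti-exploit tool is configured for.
SHIELDED = {"firefox.exe", "testtool.exe"}


def unshielded_descendants(snapshot, shielded):
    """Return (pid, ancestry) for each process below a shielded process
    whose own image name is not on the shield list."""
    shielded = {name.lower() for name in shielded}
    names = {pid: name for pid, _, name in snapshot}
    children = defaultdict(list)
    roots = []
    for pid, ppid, _ in snapshot:
        if ppid == pid or ppid not in names:
            roots.append(pid)          # self-parented or orphaned entry
        else:
            children[ppid].append(pid)

    findings = []

    def walk(pid, chain, under_shield):
        chain = chain + [names[pid]]
        covered = names[pid].lower() in shielded
        if under_shield and not covered:
            findings.append((pid, " -> ".join(chain)))
        for child in sorted(children[pid]):
            walk(child, chain, under_shield or covered)

    for root in sorted(roots):
        walk(root, [], False)
    return findings


if __name__ == "__main__":
    for pid, chain in unshielded_descendants(SNAPSHOT, SHIELDED):
        print(f"pid {pid}: {chain}")
```

Each reported name is a candidate for its own entry in the tool's application list, which is the fix the post applied in EMET.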
 

frogboy

In memoriam 1961-2018
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
chrcoluk said:
> Check the preconfigured shields; you will notice plugin-container.exe is not in the list. I have also run tests in the past and they were not blocked by MBAE, only blocked by EMET after I added the exe to EMET's list. I hope the same isn't the case with HitmanPro.Alert, which I have not tested yet. Mitigation limitations are not inherited by child processes of a different name; this is a massive oversight of these security vendors if that's what they are assuming.

See here. Malwarebytes Anti-Exploit Added Support for Cyberfox - 8pecxstudios Support Forums
 
