Should I in this case use an anti-exploit program instead of anti-exe?

CoherentCrayon

Level 4
Thread author
Verified
Jun 23, 2017
183
Hi!

Currently I have VoodooShield installed and mainly use it to prevent web exploits when visiting websites (prevent exe-payload). But as I mainly use VoodooShield for this (I see no other specific use for it), would I get the same level of protection with an anti-exploit software (Malwarebytes Anti-Exploit BETA)? I don't know how well Norton prevents exploits.

What can you recommend, do I need an anti-exploit software and in that case what? Is MBAE BETA stable enough? And should I keep VoodooShield as I don't really see what to use it for other than exploit protection?
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,823
If you keep Windows and all your software updated I see very little reason to use an anti-exploit. Even if some exploit kit manages to slither its way onto your system and finds something exploitable (unlikely if you keep everything updated), VS will block whatever payload is dropped.

Saying that, if you're adamant about using an anti-exploit, HMPA or EMET is the way to go. MBAE beta only protects a limited set of applications making it ultimately less useful than EMET. I'm not aware if you're able to purchase a premium version of MBAE beta or not; if so then MBAE Premium would replace EMET as my suggestion but HMPA still reigns supreme.
 

BoraMurdar

Community Manager
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
There is a hard misconception of exploit in general. Anti-exe cannot stop (patch) the exploit itself, it can only stop an unpermitted executable from running where an attacker used an exploit and took advantage of the vulnerability. There are a number of methods where malicious actions won't need an executable to run in order to compromise the system.
So use anti-exe for stopping unallowed exes and use some anti-exploit if you are concerned that your system will be exploited, which is highly unlikely.
Update your Windows and don't worry.
 

l0rdraiden

Level 3
Verified
Jul 28, 2017
108
> If you keep Windows and all your software updated I see very little reason to use an anti-exploit. Even if some exploit kit manages to slither its way onto your system and finds something exploitable (unlikely if you keep everything updated), VS will block whatever payload is dropped.
>
> Saying that, if you're adamant about using an anti-exploit, HMPA or EMET is the way to go. MBAE beta only protects a limited set of applications making it ultimately less useful than EMET. I'm not aware if you're able to purchase a premium version of MBAE beta or not; if so then MBAE Premium would replace EMET as my suggestion but HMPA still reigns supreme.

You are assuming that the patching happens before the exploit is discovered/used, and usually it is the other way around.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,036
> He could use both if he likes the combo. :) Then he has VS and if he makes a bad choice by allowing or he ever does fall into the hands of a file-less exploit attack then maybe HMP.A will kick in hopefully and block the payload.

You mean MBAE cannot protect against file-less exploits?
 

Deleted member 178

> Hi!
>
> Currently I have VoodooShield installed and mainly use it to prevent web exploits when visiting websites (prevent exe-payload). But as I mainly use VoodooShield for this (I see no other specific use for it), would I get the same level of protection with an anti-exploit software (Malwarebytes Anti-Exploit BETA)? I don't know how well Norton prevents exploits.

Against exploits, an anti-exploit is necessary, not an anti-exe.
Don't be confused by "anti-exploit" and "exploit prevention", those are different.

> What can you recommend, do I need an anti-exploit software and in that case what? Is MBAE BETA stable enough? And should I keep VoodooShield as I don't really see what to use it for other than exploit protection?

Yes. VS isn't an anti-exploit, it can only block an exploit launched from an exe (like all deny-default apps), or an exe launched by the exploit (in this case it is already too late). Nothing more.
It can't stop the exploit code itself, just its dropper if the dropper is an exe; big difference.

> There is a hard misconception of exploit in general. Anti-exe cannot stop (patch) the exploit itself, it can only stop an unpermitted executable from running where an attacker used an exploit and took advantage of the vulnerability. There are a number of methods where malicious actions won't need an executable to run in order to compromise the system.
> So use anti-exe for stopping unallowed exes and use some anti-exploit if you are concerned that your system will be exploited, which is highly unlikely.
> Update your Windows and don't worry.

+1, I can't say it better.

> If you ask me I would say use HMPA as a full-fledged anti-exploit and keep VS as an anti-exe
> If you do NOT use HMPA then use the combo of anti-exploit in MBAE + VS besides using VS as an anti-exe

+1
 

l0rdraiden

Level 3
Verified
Jul 28, 2017
108
> Not always. Sometimes old exploits are abused to target individuals using outdated software, and someone could discover a vulnerability but it could be found by the vendor within the time it takes the attacker to make use of that vulnerability as an advantage. :)
>
> He could use both if he likes the combo. :) Then he has VS and if he makes a bad choice by allowing or he ever does fall into the hands of a file-less exploit attack then maybe HMP.A will kick in hopefully and block the payload.

I know, that is what I said; therefore anti-exploit products are important and having the software updated is not enough.
 

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
759
If it's just about worrying about exploits when visiting websites maybe "Sandboxie" could give you the same peace of mind. Create a browsing sandbox and restrict it to just let a browser run in it and only give the browser internet access and use "drop rights". It doesn't help when you recover and are click-happy about strange exe's or so unsandboxed.
Or maybe try Shadow Defender. If in shadowed mode and you don't trust the website you visited just reboot and all changes that were made are gone. For the differences in a nutshell better ask a native speaker here :D
Either way always update Windows and your software.
 

CoherentCrayon

Level 4
Thread author
Verified
Jun 23, 2017
183
> If you keep Windows and all your software updated I see very little reason to use an anti-exploit. Even if some exploit kit manages to slither its way onto your system and finds something exploitable (unlikely if you keep everything updated), VS will block whatever payload is dropped.
>
> Saying that, if you're adamant about using an anti-exploit, HMPA or EMET is the way to go. MBAE beta only protects a limited set of applications making it ultimately less useful than EMET. I'm not aware if you're able to purchase a premium version of MBAE beta or not; if so then MBAE Premium would replace EMET as my suggestion but HMPA still reigns supreme.

Actually MBAE is now integrated in Malwarebytes 3, but the beta version is still available as standalone. The (free) beta version contains all premium shields according to their forum. HMPA is too expensive for me, as I already have a paid-for AV installed.

/steel9

> There is a hard misconception of exploit in general. Anti-exe cannot stop (patch) the exploit itself, it can only stop an unpermitted executable from running where an attacker used an exploit and took advantage of the vulnerability. There are a number of methods where malicious actions won't need an executable to run in order to compromise the system.
> So use anti-exe for stopping unallowed exes and use some anti-exploit if you are concerned that your system will be exploited, which is highly unlikely.
> Update your Windows and don't worry.

Yep, that's why I said I use VoodooShield to prevent the exe-payload from possible exploits. But if I use an anti-exploit, there should be no exe-payload that could be dropped (from an exploit) right?

/steel9
 

BoraMurdar

Community Manager
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
> Yep, that's why I said I use VoodooShield to prevent the exe-payload from possible exploits. But if I use an anti-exploit, there should be no exe-payload that could be dropped (from an exploit) right?

Theoretically yes, but you can never know what's coming. If you are too concerned about it, it's always better to use a layered protection.
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,823
> You are assuming that the patching happens before the exploit is discovered/used, and usually it is the other way around.

Far more vulnerabilities are found and patched than actively exploited. The majority of exploits are levied against outdated software because a proportion of the population don't keep their software promptly updated.
The security industry screaming about a few zero-day exploits targeting Flash every year is negligible.

> Actually MBAE is now integrated in Malwarebytes 3, but the beta version is still available as standalone. The (free) beta version contains all premium shields according to their forum. HMPA is too expensive for me, as I already have a paid-for AV installed.

Are you able to add your own applications to MBAE beta?

> That's right, but it also blocks a lot of non-malware stuff, and it also blocks installs/updates if you don't disable it.

The solution is to set it to training mode before installing something yourself.
 

CoherentCrayon

Level 4
Thread author
Verified
Jun 23, 2017
183
> Far more vulnerabilities are found and patched than actively exploited. The majority of exploits are levied against outdated software because a proportion of the population don't keep their software promptly updated.
> The security industry screaming about a few zero-day exploits targeting Flash every year is negligible.
>
> Are you able to add your own applications to MBAE beta? If so that's a pretty sweet deal.
>
> The solution is to set it to training mode before installing something yourself.

Yes, you can add custom shields to MBAE (add whichever program you want to it), and then you select an anti-exploit profile to use for that program.

Yes, when installing something manually it's not a problem to set VoodooShield to training mode/OFF, but the problem occurs when your applications auto-update and VoodooShield blocks regsvr32 for example. Otherwise it's a really good product.

/steel9
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,823
> Yes, you can add custom shields to MBAE (add whichever program you want to it), and then you select an anti-exploit profile to use for that program.

That's a pretty sweet deal.

> your applications auto-update and VoodooShield blocks regsvr32 for example.

Ah. I update all my applications manually which is why I never experienced this.
 

l0rdraiden

Level 3
Verified
Jul 28, 2017
108
> Far more vulnerabilities are found and patched than actively exploited. The majority of exploits are levied against outdated software because a proportion of the population don't keep their software promptly updated.
> The security industry screaming about a few zero-day exploits targeting Flash every year is negligible.

Obviously, not all the patches fix stuff that can be exploited.
The thing is you only know about vulnerabilities when they are patched maybe after years of being exploited, as we could see with all the NSA malware, and probably the same thing is happening now.
You are assuming that the patching happens right after the exploit is introduced but most of the time exploits are alive for years, having your software patched doesn't mean anything.
An obsolete Chrome with MBAE would be more secure than an updated Chrome alone.
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,823
> Obviously, not all the patches fix stuff that can be exploited.
> The thing is you only know about vulnerabilities when they are patched maybe after years of being exploited, as we could see with all the NSA malware, and probably the same thing is happening now.
> You are assuming that the patching happens right after the exploit is introduced but most of the time exploits are alive for years, having your software patched doesn't mean anything.
> An obsolete Chrome with MBAE would be more secure than an updated Chrome alone.

That argument is based upon the presumption that the anti-exploit will prevent the exploit.

> as we could see with all the NSA malware

Anti-exploit programs couldn't defend against EternalBlue because it was a network based attack outside their scope.
 

l0rdraiden

Level 3
Verified
Jul 28, 2017
108
> So basically you are saying that we should all leave our software to be outdated and just simply rely on an Anti-Exploit if keeping software updated 'doesn't mean anything'?
>
> I beg to differ that it would be more secure to have an updated Chrome with MBAE than with an obsolete chrome, so any recent security patches are applied which lowers the attack targets which said AE may not necessarily cover.
>
> Anti-Exploit software doesn't have a scope of everything. It has areas it can monitor within its scope to help protect us but it isn't guaranteed to always kick in.

No, I didn't say that; read it again.
And then think how exploits are discovered... usually when they have already been exploited for days, weeks, or years and an analyst discovers it, so updated software won't protect you.
I have never said that you shouldn't update, just that it is not enough.
 