Status
Not open for further replies.

shmu26

Level 85
Verified
Trusted
Content Creator
> Would you recommend running Malwarebytes Anti-Exploit with VoodooShield? If Malwarebytes can't prevent an attack, it moves to VoodooShield and is user-dependent by then?
>
> On topic: Just use products which have regular updates and avoid products that are outdated and vulnerable because of slow patching.
Well, let's put the AV out of the equation for the moment. :) I don't see any reason not to run MB anti-exploit with voodoo, if you think that MBAE will help you. Personally, I think its power is limited, and it may not be worth the troubles it causes. I think that voodoo has you pretty well covered, even without MBAE. Just my personal opinion. If I was looking for a little extra protection, and I didn't want to use a sandboxing or isolation solution, then I would run OSArmor at max settings, rather than MBAE.

If you want a strong anti-exploit, it is called HitmanPro.Alert. It does a lot more than MBAE.
 

Moonhorse

Level 28
Verified
Content Creator
> Well, let's put the AV out of the equation for the moment. :) I don't see any reason not to run MB anti-exploit with voodoo, if you think that MBAE will help you. Personally, I think its power is limited, and it may not be worth the troubles it causes. I think that voodoo has you pretty well covered, even without MBAE. Just my personal opinion. If I was looking for a little extra protection, and I didn't want to use a sandboxing or isolation solution, then I would run OSArmor at max settings, rather than MBAE.
>
> If you want a strong anti-exploit, it is called HitmanPro.Alert. It does a lot more than MBAE.
Sorry, I forgot to mention I have:
- Kaspersky Free
- VoodooShield
- SysHardener

I don't really like using sandboxing tools, and I've just heard it's either OSArmor or SysHardener.
MBAE was taking around 10 MB of RAM and I don't think it will conflict, so maybe it's worth keeping as an extra layer of security.
 

shmu26

Level 85
Verified
Trusted
Content Creator
> Sorry, I forgot to mention I have:
> - Kaspersky Free
> - VoodooShield
> - SysHardener
>
> I don't really like using sandboxing tools, and I've just heard it's either OSArmor or SysHardener.
> MBAE was taking around 10 MB of RAM and I don't think it will conflict, so maybe it's worth keeping as an extra layer of security.
RAM is usually not a problem, I don't worry about it unless there is a real RAM-hog on board. I don't know what Kaspersky Free does. Better to ask someone familiar with that product, I think @Evjl's Rain probably knows it.
 

Moonhorse

Level 28
Verified
Content Creator
> RAM is usually not a problem, I don't worry about it unless there is a real RAM-hog on board. I don't know what Kaspersky Free does. Better to ask someone familiar with that product, I think @Evjl's Rain probably knows it.
KFA 2019 improved a lot; I have to read for myself what it actually contains nowadays. Thanks for the post, and maybe I'll wait for more opinions.
 

Evjl's Rain

Level 45
Verified
Trusted
Content Creator
Malware Hunter
> RAM is usually not a problem, I don't worry about it unless there is a real RAM-hog on board. I don't know what Kaspersky Free does. Better to ask someone familiar with that product, I think @Evjl's Rain probably knows it.
Kaspersky Free HAS exploit protection (Network Attack Blocker). It successfully prevented NotPetya infection before it touched the computer.
ESET also did well.
ETERNALBLUE vs Internet Security Suites and nextgen protections - MRG Effitas

Other well-known dedicated anti-exploits such as Malwarebytes and HitmanPro.Alert failed to block the exploit. HMPA released build 601 to patch it.
MBAE by design can never ever block these kinds of exploit, confirmed by the developers.
Does Malwarebytes Premium detect Wannacry?

There is no best anti-exploit.
Something must be lacking. However, I believe post-exploit protection should do the job better than exploit mitigation (HMPA).
VoodooShield, AppGuard, Comodo Firewall, NVT ERP can do that.
OSArmor is also good but it can only shield exploitation from specific applications. Questionable.
 

shmu26

Level 85
Verified
Trusted
Content Creator
> OSArmor is also good but it can only shield exploitation from specific applications. Questionable.
OSArmor at max settings blocks so many abusable processes, I don't know what is left for malware to use. With the exception of rundll32. There are rules blocking certain actions of rundll32, but it is not monitored as closely as with other anti-exe apps such as NVT ERP.
 

lowdetection

Level 7
Verified
I agree with Umbra's choice;

also, they offer a nice kit for testing it, with a manual included: https://dl.surfright.nl/Exploit Test Tool Manual.pdf

Being realistic, I think also knowing all the chrome://flags and how the browser works could help in setting up a safer environment. It needs a bit of time and patience to read; here there are some members that explained how to tweak the chrome://flags.

:)
 

shmu26

Level 85
Verified
Trusted
Content Creator
> OSArmor at max settings blocks so many abusable processes, I don't know what is left for malware to use. With the exception of rundll32. There are rules blocking certain actions of rundll32, but it is not monitored as closely as with other anti-exe apps such as NVT ERP.
Forgot to mention: I made for myself a custom block rule in OSA for rundll32, and I made the necessary exceptions of course, so as far as I can see, OSA is a very fine and customizable post-exploit tool. You can also make it into an anti-exe, if you add a few more custom block rules.
 

shmu26

Level 85
Verified
Trusted
Content Creator
Yeah, the "Department of Chromeland Security" is doing a good job. Better to spend our time worrying about exploits on MS Office and Adobe products. That's where the action is.
Basically, if you use these or other vulnerable products, you can take one of two approaches: disable as much of Windows as you can (I would call that the @Lockdown approach), or sandbox/isolate as much as you can. Or do both, if you are uber-paranoid.
 
Right now, I'm using Malwarebytes Anti-Exploit. This helps me protect my computer against all known and unknown vulnerability exploits and it works well in Internet Explorer, Firefox, Chrome, and Opera browsers. Also, it is compatible with most common anti-malware and antivirus products. So, try using this one.
 

lowdetection

Level 7
Verified
$1, someone with enough skill to write a payload and a specific module for Arduino; result: pwned.

Instead, using HitmanPro.Alert with BadUSB enabled will avoid this:

or this


Furthermore, there was an old comparison graphic showing how Malwarebytes Anti-Exploit covered only some aspects; not sure if nowadays it is different, as no one wanted to get into competitions :D

But for the final user making a choice, it should be important to know... No?
 

SearchLight

Level 9
Verified
Based on all the advice here, I installed OSA out of the box, set and forget, running with ESET IS.

What are the Max settings?


Could I just set them and forget it, or would OSA become more talkative, and would I need to have a good understanding of my running processes in Windows 10?
 

shmu26

Level 85
Verified
Trusted
Content Creator
> Based on all the advice here, I installed OSA out of the box, set and forget, running with ESET IS.
>
> What are the Max settings?
>
> Could I just set them and forget it, or would OSA become more talkative, and would I need to have a good understanding of my running processes in Windows 10?
Max settings means going to the advanced tab and ticking everything or almost everything.
You will likely get a few prompts, but it's pretty easy to make the needed exceptions for your regular, installed programs: just catch the prompt while it is showing, and it will make an exclude rule for you with minimum effort on your part. If you miss the prompt, and you have to make the exclude rule on your own, it is more work. Sometimes, if there is a recurring command line with a random string of characters, you will need to replace that string of characters with *.

At max settings, you will probably need to temporarily disable OSA when installing or uninstalling software.
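As an added illustration of the exclude-rule workflow described in this post and in the earlier one about a custom rundll32 block rule with exceptions, here is a small Python model of wildcard block and exclude rules over process command lines. It is not OSArmor's code, and the rule format, rule names and sample command lines are all constructed for the example; the one real mechanism it shows is replacing the recurring random token in a command line with *.

```python
"""Wildcard block/exclude rules for process command lines.

Constructed illustration for the OSArmor discussion; not OSArmor's code.
The rule format is hypothetical: a rule is a glob pattern matched against the
whole normalised command line, where '*' matches any run of characters.
"""
import os
import re
from fnmatch import fnmatchcase


def normalise(cmdline):
    """Lower-case and collapse whitespace so rules match case-insensitively."""
    return re.sub(r"\s+", " ", cmdline.strip()).lower()


def suggest_exclude_rule(observed):
    """Derive an exclude pattern from several observed launches of the same
    legitimate command line: tokens that vary between launches (a session id,
    a random file name) are replaced with '*', keeping any common prefix and
    suffix of the varying token."""
    split = [normalise(c).split(" ") for c in observed]
    if len({len(tokens) for tokens in split}) != 1:
        raise ValueError("command lines differ in structure; write the rule by hand")
    out = []
    for column in zip(*split):
        if len(set(column)) == 1:
            out.append(column[0])
            continue
        prefix = os.path.commonprefix(list(column))
        suffix = os.path.commonprefix([t[::-1] for t in column])[::-1]
        # never let prefix and suffix overlap on the shortest token
        room = min(len(t) for t in column) - len(prefix)
        suffix = suffix[-room:] if room > 0 else ""
        out.append(prefix + "*" + suffix)
    return " ".join(out)


# Constructed sample: two launches of a legitimate scheduled task whose only
# variable part is a random session id (hypothetical program and path).
OBSERVED_GOOD = [
    r'C:\Windows\System32\rundll32.exe "C:\Program Files\Example\helper.dll",RunTask /session:a1b2c3d4',
    r'C:\Windows\System32\rundll32.exe "C:\Program Files\Example\helper.dll",RunTask /session:9f8e7d6c',
]

# Hypothetical rule sets: block rules name what to stop, exclude rules carve
# out known-good command lines and take precedence over block rules.
BLOCK_RULES = {
    "block-rundll32": r"*\rundll32.exe*",
}
EXCLUDE_RULES = {
    "allow-example-helper-task": suggest_exclude_rule(OBSERVED_GOOD),
}


def decide(cmdline):
    """Return (verdict, rule) for a process launch: exclusions win, then block
    rules; otherwise the launch is simply not covered by the policy."""
    line = normalise(cmdline)
    for name, pattern in EXCLUDE_RULES.items():
        if fnmatchcase(line, normalise(pattern)):
            return "allow", "exclude:" + name
    for name, pattern in BLOCK_RULES.items():
        if fnmatchcase(line, normalise(pattern)):
            return "block", "block:" + name
    return "allow", None


if __name__ == "__main__":
    print("exclude rule:", EXCLUDE_RULES["allow-example-helper-task"])
    for cmd in (
        r'C:\Windows\System32\rundll32.exe "C:\Program Files\Example\helper.dll",RunTask /session:00ff11ee',
        r'C:\Windows\System32\rundll32.exe C:\Users\Public\Downloads\setup.dll,Init',
        r'C:\Windows\System32\notepad.exe C:\Users\me\notes.txt',
    ):
        print(decide(cmd), "<-", cmd)
```

The derived exclude rule keeps the fixed path and DLL entry point and turns only the session id into `/session:*`, so a third launch with a new id is allowed while any other rundll32 command line still hits the block rule; if the observed launches differ in token count the helper refuses to guess and the rule has to be written by hand, which is the "more work" case described above.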
 

SearchLight

Level 9
Verified
> Max settings means going to the advanced tab and ticking everything or almost everything.
> You will likely get a few prompts, but it's pretty easy to make the needed exceptions for your regular, installed programs: just catch the prompt while it is showing, and it will make an exclude rule for you with minimum effort on your part. If you miss the prompt, and you have to make the exclude rule on your own, it is more work. Sometimes, if there is a recurring command line with a random string of characters, you will need to replace that string of characters with *.
>
> At max settings, you will probably need to temporarily disable OSA when installing or uninstalling software.
What settings are at Max for you?

All? If not, what did you leave unchecked?
 

shmu26

Level 85
Verified
Trusted
Content Creator
> What settings are at Max for you?
>
> All? If not, what did you leave unchecked?
I don't actually have OSA installed right now on my main computer, but when I do, I just go and put a check in every possible box, and it works fine for me. If a certain rule is giving you grief, and you can't make exceptions for it, just leave it unchecked.
I also made some custom block rules to tweak it even further, but that is another story...
 

SearchLight

Level 9
Verified
Just out of curiosity, is anyone using anything else similar to or other than OSA to supplement their AV?

If so, what is it, and how did it have to be configured, or is it just set and forget? Thanks.
 

shmu26

Level 85
Verified
Trusted
Content Creator
> Just out of curiosity, is anyone using anything else similar to or other than OSA to supplement their AV?
>
> If so, what is it, and how did it have to be configured, or is it just set and forget? Thanks.
I am using Software Restriction Policy, configured by Andy Ful's Hard_Configurator.
It takes a bit of skill to understand what it does, and set it up right, but it packs a very big punch, for zero money and no impact on system performance. Malware is not going to get past it.
 