novice 20 Posted July 12, 2015 Posted July 12, 2015 Hi, Under HIPS I selected "Enable exploit blocker" and I downloaded from MBAE a test utility mbae-test.exe which would simulate a behavior typical to an exploit. Here is the explanation: "The attached mbae-test.exe utility was developed by Malwarebytes to simulate an exploit behavior in order to verify that MBAE is installed and working correctly. The utility only has two buttons labeled Normal and Exploit. The Normal button will open the Windows Calculator (calc.exe) using normal system calls which are typically used when users are trying to open the Calculator. The Exploit button will attempt to open the Windows Calculator using system calls which are typically used by exploits to launch their payloads (i.e. malware). Keep in mind that mbae-test.exe is NOT malicious. Even if you don't have MBAE install and click the "Exploit" button, the only thing that will happen is that the Windows Calculator will open. However if you have MBAE installed and running correctly, you will see an alert popup window from MBAE." hxxps://forums.malwarebytes.org/index.php?/topic/139368-how-to-verify-that-mbae-is-working-correctly/ I did not get any reaction from Nod32. Any idea?
FleischmannTV 9 Posted July 13, 2015 Posted July 13, 2015 (edited) The tool from Malwarebytes doesn't exploit vulnerable applications which ESET's exploit blocker is watching. Hence there are no alerts. I suggest you try the Exploit Test Tool from Surfright. This tool allows you to choose the application which is exploited. From there you can select your browser or pdf reader. Then you should get alerts from ESET. hxxp://www.surfright.nl/en/downloads/ Edited July 13, 2015 by FleischmannTV
itman 1,802 Posted July 13, 2015 Posted July 13, 2015 (edited) The tool from Malwarebytes doesn't exploit vulnerable applications which ESET's exploit blocker is watching. Hence there are no alerts. I suggest you try the Exploit Test Tool from Surfright. This tool allows you to choose the application which is exploited. From there you can select your browser or pdf reader. Then you should get alerts from ESET. hxxp://www.surfright.nl/en/downloads/ My experience with the this test tool is as follows. First and most important, only do browser tests with the Surfright test tool. Eset's exploit protection only works for apps that are being monitored by protocol filtering. Eset will not block tests from the test tool itself. Both ekrn.exe and egui.exe must be excluded from Eset's protocol filtering. That done, Eset will block the test exploit payload i.e. calc.exe from executing. You will receive no alert or log entry from Eset. Additionally, the shell of the browser being tested will still be running after Eset has blocked the test exploit payload and delivery process i.e. the exploit test tool. There will be multiples of these browser shells if you do all the tests in one session. You will have to manually terminate those processes using Task Manager or Process Explorer/Hacker. Note the above behavior is running the x64 version of the test tool on a x64 WIN 7 OS. When I did 32 bit browser testing, I believe the 32 bit test tool actually allowed IE 10 x86 to open and close. All calc.exe test exploit payloads were blocked however. Edited July 13, 2015 by itman
novice 20 Posted July 14, 2015 Author Posted July 14, 2015 Hi itman, Thank you for your answer! I have to be honest, I did not understand a lot from what were you saying.... In simple words, ESET's exploit blocker is protecting against what??? and is better or worse than MBAE? Thanks!
itman 1,802 Posted July 14, 2015 Posted July 14, 2015 (edited) Hi itman, Thank you for your answer! I have to be honest, I did not understand a lot from what were you saying.... In simple words, ESET's exploit blocker is protecting against what??? and is better or worse than MBAE? Thanks! I will try to simplify as much as possible. On a recent NSS Labs test that was done ad hoc i.e. Eset did not sponsor or pay for the test, Eset's exploit protection against 32 bit exploits running on 32 bit WIN 7 was for all practical purposes 100%. You can read the details here: https://www.nsslabs.com/reports/consumer-endpoint-protection-test-report-eset-smart-security-exploits On another recent exploit test done by Malware Research Group against 32 and 64 bit exploits running on 64 bit WIN 7, Eset scored 80%. In comparison to other vendors tested, Eset ranked slightly below the middle. This test however was sponsored and paid for by Surfright for the purpose of specifically testing their HitmanPro Alert product. You can read details here: https://www.mrg-effitas.com/wp-content/uploads/2015/04/MRG_Effitas_Real_world_exploit_prevention_test.pdf Bottom line - I don't fully trust Eset's exploit blocker on a 64 bit OS running 64 bit software. Note that 64 bit exploits are rare but are increasing in frequency. Presently I personally am supplementing Eset with MBAE free since I run 64 bit WIN 7 and 64 bit IE10. Edited July 14, 2015 by itman
Recommended Posts