A Symantec VP recently proclaimed that antivirus is dead. Many would disagree, but it's true that a traditional antivirus utility can't protect against zero-day exploits that attack vulnerabilities in the operating system and applications. That's where Malwarebytes Anti-Exploit Premium ($24.95) comes in. It's specifically designed to detect and repulse exploit attacks, and it has no need for prior knowledge of the exploit in question.

Because there's no signature database, the product is quite small, just 3MB. There's also no need for regular updates. A free edition, called Malwarebytes Anti-Exploit Free, injects its protective DLL into popular browsers (Chrome, Firefox, Internet Explorer, and Opera) and Java. The Premium edition, reviewed here, extends this protection to Microsoft Office applications and to popular PDF readers and media players. With the Premium edition, you can add custom shields for other programs, too.
How It Works
According to the documentation, Malwarebytes Anti-Exploit Premium "wraps protected applications in three defensive layers." The first layer of this patent-pending protection system watches for attempts to bypass OS security features, including Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). Layer two keeps an eye on memory, in particular for any attempt to execute exploit code from memory. The third layer blocks attacks on the protected application itself, including "sandbox escapes and memory mitigation bypasses."
This all sounds good. It would be pretty tough for any attacker to exploit a vulnerable program without hitting one of these tripwires. The only problem is, it's awfully hard to see this protection in action.
Tough to Test
Most antivirus, suite, and firewall products that include exploit protection handle it much the way they do antivirus scanning. For each known exploit, they generate a behavioral signature that can detect the exploit at the network level. When I tested Norton AntiVirus (2014) using exploits created by the CORE Impact penetration tool, it blocked every single one and reported the precise CVE (Common Vulnerabilities and Exposures) number for many of them.
McAfee AntiVirus Plus 2014 caught about 30 percent of the attacks but only identified a handful by CVE name. Trend Micro Titanium Antivirus+ 2014 caught a bit over half, identifying most as "dangerous pages."
The thing is, most of those exploits probably couldn't have done any damage even if not blocked by Norton. Typically an exploit works against a very specific version of a particular program, relying on widespread distribution to ensure it hits enough vulnerable systems. I like the fact that Norton lets me know some site attempted an exploit; I won't go there again! But most of the time the detected exploit couldn't have actually done any damage.
Malwarebytes' protection gets injected into each protected application. Unless an actual exploit attack targets the precise version of that application, it does nothing at all. A testing tool supplied by the company verified that the software works, and an analysis tool I used showed that the Malwarebytes DLL had been injected into all the protected processes. But where's my hands-on verification that it will block a real-world exploit?
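The injection check described above, as an added PowerShell example that is not part of the review or of Malwarebytes' own tooling: it lists the browsers the Free edition shields and reports whether a given protection DLL is mapped into each running instance. The DLL file name is a placeholder, since the review does not give it.

```powershell
# Added example, not from the review or from Malwarebytes.
# Reports whether a protection DLL is loaded in each protected browser process.
# $ProtectDll is a placeholder; substitute the real DLL file name.
function Test-ProtectionDllLoaded {
    param(
        [string]   $ProtectDll = 'PLACEHOLDER-anti-exploit.dll',
        [string[]] $Apps       = @('chrome', 'firefox', 'iexplore', 'opera')
    )

    foreach ($app in $Apps) {
        $procs = Get-Process -Name $app -ErrorAction SilentlyContinue
        if (-not $procs) {
            [pscustomobject]@{ App = $app; ProcessId = $null; Loaded = 'not running' }
            continue
        }
        foreach ($p in $procs) {
            try {
                # .Modules enumerates every DLL mapped into the process. Reading it
                # may require elevation, and a 32-bit shell cannot inspect 64-bit processes.
                $hit   = $p.Modules | Where-Object { $_.ModuleName -ieq $ProtectDll }
                $state = if ($hit) { 'yes' } else { 'NO' }
            } catch {
                $state = "unknown ($($_.Exception.Message))"
            }
            [pscustomobject]@{ App = $app; ProcessId = $p.Id; Loaded = $state }
        }
    }
}

# Run from an elevated 64-bit PowerShell so every browser process can be inspected.
Test-ProtectionDllLoaded | Format-Table -AutoSize
```

Any protected browser that shows "NO" is running without the shield, which is the case the reviewer's analysis tool was used to rule out.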
Commissioned Test
Because it's so hard to test this product, Malwarebytes engaged the services of a security blogger known only as Kafeine. Kafeine attacked a test system using 11 widespread exploit kits: Angler EK, Fiesta, FlashPack, Gondad, GrandSoft, HiMan EK, Infinity, Magnitude, Nuclear Pack, Styx, and Sweet Orange. In each case, he tried several variations on the basic attack.
While this test did reveal one bug in the product, once that bug was fixed it made a clean sweep. In every case it detected and prevented the exploit attack. You can view the full report on Kafeine's blog, Malware don't need Coffee.