Zero-day attacks are a nightmare for businesses that use Windows because, by definition, there is no patch to prevent them, and traditional anti-virus programs may not have signatures to identify them. Some anti-virus companies have used approaches based on heuristics — identifying virus-like behaviour — to block them, but Malwarebytes Anti-Exploit takes a different approach: it shields selected applications from attack.
"We're not looking at how but at what," said Pedro Bustamante, Malwarebytes' director of special projects, in a telephone interview. "We're looking at the attack behaviour rather than the malware behaviour."
Exploit attack behaviour includes things like redirects and attempts to corrupt memory and download executable code. All this happens before the virus is even downloaded. It precedes any analysis of malware behaviour, which is the basis of heuristic defences.
The result is a very lightweight (3MB) background protection program that runs alongside traditional anti-virus software. It's very low-maintenance because it doesn't use or need any virus signature updates. You just install it and then forget about it.
The free version of Malwarebytes Anti-Exploit (MBAE) protects the leading Windows browsers and Java, and stops them from executing exploit code. The premium version adds protection for the core Microsoft Office applications (Word, Excel and PowerPoint) and other popular targets. These include Adobe Acrobat and Reader, VLC Player, and Apple's QuickTime Player.
The Premium version costs $24.95 per year. The business version uses a management console and centralized reporting, with a reduced price for 25-49 seats. Deals can be negotiated for 50+ seats.
Bustamante co-founded Zero Vulnerability Labs and launched the first version of the program as ExploitShield about two years ago. Malwarebytes bought the company, and the MBAE version has spent the past year in beta test. "Since then, we've advanced it a lot," he says.
Malwarebytes hired Kafeine, a "world-renowned threat researcher", to test its product against the 11 most commonly used exploit kits (EKs) and the 14 most common exploits. It passed all the tests. On his blog, Kafeine concluded: "Malwarebytes Anti-Exploit is working as expected against all widely used exploit kits. It works on Java exploits where EMET wouldn't. This product sounds like a good additional layer against unpatched ('0day') exploits as well, even if I have some doubts on its ability to stop kernel-level exploits." (EMET is the Enhanced Mitigation Experience Toolkit, Microsoft's attempt at blocking exploits, which is in technical preview at the moment.)
Kafeine also posted two videos. The first shows a virtual PC falling to the recent CryptoWall virus, dropped by the Rig EK during a visit to a soccer kit website. The second video (below) shows the free version of MBAE being installed and blocking the exploit.
Marcin Kleczynski, Malwarebytes' CEO, said in a statement: "With the advanced threat landscape becoming increasingly exploit-led, this new proactive technology puts people and companies back on solid ground. This is especially important for those still running Windows XP."
I've been running MBAE on my main Windows 7 PC and have not been able to detect any adverse effects, so I'm planning to install the free version on all our Windows machines. It hasn't blocked any exploits so far, but if it had saved me from having CryptoWall encrypt my PC then I'd be duly grateful. And I reckon there's a better chance of me avoiding the next unknown exploit by running MBAE than by not running it.