Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    OK.
    Thanks for trying.
     
  2. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
Using this template, the mbae popup window shows "cmd is now protected", not "Firefox" as with the old template o_O

    Windows7 64bit
    Mbae 1.06.1.1019
    Sbie 4.17.2 (64bit)
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,793
    Location:
    .
syrinx already pinpointed that. We are awaiting feedback from ZeroVulnLabs on this matter.
     
  4. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
Sorry, missed that. I will use the older template until this is sorted out.
     
  5. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Can you please send me your MBAE logs and a procmon capture?
     
  6. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    @ZeroVulnLabs I believe you must change 1018 to 1019 in your sig! :)
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    So has anyone been able to make MBAE work with SBIE on Win 8 64 bit? I'm not in the mood to experiment at the moment.
     
  8. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Done, thanks for the reminder :)
     
  9. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I believe that according to Mr X the new template is working on Win 8 x64 for him (if my memory isn't failing, which it prolly is, fact check time?). That said, the new template does seem to create a few new issues (notifications such as cmd and / or protecting other apps not in the mbae list but protected by sbie) which means you may not want to try it until we can sort them out if you don't want to experiment.

    Kinda a huge step forward, small step back situation.

    If you happen to feel the urge to test though please let us know what you find, more input equals better chances of figuring this stuff out!
     
    Last edited: Apr 25, 2015
  10. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    I believe I have found an incompatibility between MBAE and the current Zemana Antimalware Beta (not the classic Zemana Antilogger). MBAE cannot start its protection and shuts down if I don't uninstall ZAM. Notice that ZAM always starts with Windows even if you check the setting to not start with Windows! Instead, it starts and then quits, but there seems to be always one ZAM process running anyway.

    I'm not sure which one triggered the incompatibility because ZAM updated yesterday and MBAE auto updated this morning, I think. I downloaded and installed 1.06.1.1019 after having this issue but nothing changed until I uninstalled ZAM.

    I'm on XP 32 SP3, see my signature for the rest of my software.
     
  11. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Thanks vojta, we'll try to replicate internally.
     
  12. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Hi pbust, I just had a question about Pale Moon and MBAE that I've not seen anyone else address yet.

From looking in the Pale Moon forums, it appears the author has compiled Pale Moon with SAFESEH and DYNAMICBASE enabled, and for that reason the author recommends against using EMET (at least for SEHOP and ASLR).

    Given that information, would there be any likely conflict that could result in stability issues in Pale Moon with the way MBAE works? Many thanks.
     
  13. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
I will see what happens; you only need to add the MBAE template, right? It would be cool if it worked, because I'm having trouble with HMPA: it makes SBIE malfunction on my system.
     
  15. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
We haven't heard of any conflicts between Pale Moon and MBAE yet, at least not as far as I can remember. But recommending against some types of exploit mitigation nowadays is a little risky.
     
  16. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
Hi vojta, our QA was not able to replicate this under the same conditions you mentioned. Can you replicate it on another machine and/or provide more details for replication?
     
  17. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    me too o_O
     
  18. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
The culprit is Webroot 8.0.8.77 beta; when I uninstall it, MBAE and ZAM coexist pacifically. I'll take this issue to the Webroot beta forum after checking a couple more things.
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Last edited: Apr 27, 2015
  20. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes I heard about these before with the Webroot beta. Please do let them know in their forum so they are aware of it. Thanks!
     
  21. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
Yes, adding the newer template should allow the DLL to inject (forces it, actually) into (all) programs run inside Sandboxie on any system (except XP atm, which I suspect may be related to another oddity I noticed here), but it does create a few extra notifications, such as "mbae is now protecting cmd" and (generic?) guarding of any app run inside Sandboxie. Thanks to pbust's initial check into this matter, I'm a bit more comfortable suggesting that it should be used despite the generic guarding. If you do notice any new issues though, please speak up.

    As of today this is the latest template.
    Code:
    [Template_MBAE]
    
    Tmpl.Title=Malwarebytes Anti-Exploit
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
    OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
    OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
    OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
    OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
    OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
    OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
    OpenIpcPath=$:mbae-svc.exe
    InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
    InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
    InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
    
     
    Last edited: Apr 27, 2015
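The Sandboxie template in the post above is a plain key=value section in which several keys repeat (nine OpenIpcPath= lines, two InjectDll= lines). As an added example that is not from the forum post, from Sandboxie or from Malwarebytes, here is a small Python parser that reads such a section while preserving repeated keys, summarises what the template opens up for a sandboxed program (IPC object patterns it may open, DLLs injected into it, registry keys scanned to detect the product), and reports which pattern would admit a given IPC object name. The template text is the one posted; the function names, the fnmatch-based wildcard matching and the probe object names are this example's own assumptions, and Sandboxie's real matcher may differ in edge cases.

```python
"""Parse a Sandboxie [Template_*] section and summarise what it grants.

Added example (not from the forum post, Sandboxie or Malwarebytes).
The template text is the one posted in the thread; everything else here
is this example's own code and naming.
"""
from collections import defaultdict
import fnmatch

# The [Template_MBAE] section exactly as posted in the thread.
TEMPLATE_MBAE = r"""
[Template_MBAE]

Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
OpenIpcPath=$:mbae-svc.exe
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
"""


def parse_sandboxie_sections(text):
    """Return {section: {key: [value, ...]}}, keeping repeated keys in order.

    Sandboxie.ini repeats keys (several OpenIpcPath= lines per section), which
    configparser refuses in strict mode and collapses otherwise, so the
    section is parsed by hand. Lines starting with ';' are treated as comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = defaultdict(list)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a key=value section: {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()].append(value.strip())
    return {name: dict(keys) for name, keys in sections.items()}


def summarise_template(section):
    """Collect the settings that widen the sandbox boundary for a template."""
    return {
        "title": section.get("Tmpl.Title", [""])[0],
        # registry keys Sandboxie scans to decide whether the product is installed
        "scan_keys": section.get("Tmpl.ScanKey", []),
        # IPC object name patterns a sandboxed program is allowed to open
        "ipc_paths": section.get("OpenIpcPath", []),
        # DLLs loaded into every sandboxed program (32-bit and 64-bit lists)
        "inject_dlls": section.get("InjectDll", []) + section.get("InjectDll64", []),
    }


def matching_ipc_patterns(patterns, object_name):
    """Return the OpenIpcPath patterns that admit object_name.

    Assumption: a case-insensitive glob in which '*' matches any run of
    characters, which is how the template's own patterns read.
    """
    name = object_name.lower()
    return [p for p in patterns if fnmatch.fnmatchcase(name, p.lower())]


if __name__ == "__main__":
    section = parse_sandboxie_sections(TEMPLATE_MBAE)["Template_MBAE"]
    summary = summarise_template(section)
    print(f"{summary['title']}: {len(summary['ipc_paths'])} IPC patterns, "
          f"{len(summary['inject_dlls'])} injected DLLs")
    for dll in summary["inject_dlls"]:
        print("  inject:", dll)
    # Constructed object name, in the form a process would see it.
    probe = r"\Sessions\1\BaseNamedObjects\MBAE_IPC_PROTECTION_1234"
    print("patterns admitting", probe, "->",
          matching_ipc_patterns(summary["ipc_paths"], probe))
```

Run it as a script to print the summary; the useful part when reviewing a template someone posts is the list of OpenIpcPath patterns, since each one is a hole punched in the sandbox's IPC isolation, and a pattern made mostly of wildcards admits far more than the product's own objects.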
  22. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
I use MBAE and Pale Moon. Previously I was stuck with the x86 version, but since the new template I've been using 25.3.1 x64 (portable + sandboxed) with no issues. (I even ticked on ALL the protections in Advanced Settings.)

    Windows 7 x64 here
     
    Last edited: Apr 27, 2015
  23. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
Sorry if you took it wrong, I was commiserating with Rasheed187. HMPA appears to be a great app, and some folks are doing very well with it. Short version is I installed public build .181 on 12 Apr (same date as my above post) with the comment "installed ok, but not really tested it yet"... Unfortunately, the next day I had a BSOD, and that's very rare on my XP, so I uninstalled .181 and the XP just purrs :) I've been too jammed with other projects to untangle the BSOD specifics. I doubt posting that I had a BSOD in the HMPA thread would have been helpful to me or to you. I like HMP, I've been a paid user for a year or 2 or three... and wish you success with HMPA. I'm sure I'll try it again.
     
  24. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
I wish there were a button in Advanced settings to enable all protections.
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,793
    Location:
    .
    Thanks a lot! I see you added the line in red color. What does it do?
     