Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    815
    Location:
    A Non-Sh*thole State
    That makes TWO of us!!!! :)
     
  2. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Confused! Are Malwarebytes A-E and Sandboxie now compatible or would I have to do what Rasheed187 describes in post #2056? Thank you!
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
  4. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    No problem. Yes, I think it would be, as @ZeroVulnLabs hasn't commented on this matter yet.
     
  6. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Thank you again! I can see M A-E in my future PC life.
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Very welcome! :)
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes it's compatible, I didn't notice any problems with the MBAE Free and Sandboxie combo.
     
  9. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I rethought my approach about adding Sandboxie's processes, especially the subprocesses (i.e. DCOM, RPC) to MBAE protection by allowing custom shields to do so. Considering a large part of what I use Sandboxie for I consider it purpose defeating to allow things to breach its defenses like that. Isolation is a big part of my strategy. And intentionally breaching it, let alone depending on it to keep what's in it from getting out is a big flaw in my eyes.

    Whether or not you want to make shields for sbiesvc or sbiectrl is another thing (I don't do that either now, actually). But I don't recommend making shields for its subprocesses. I guess you could say it depends on how much you trust the app in question... in this case Malwarebytes, with giving it a carte blanche to your sandbox. And I do trust the company, but not sure I trust anything to that degree. Not to mention if there's a vulnerability to it that trust is rendered moot.

    So I've removed those SBIE shields.

    I did add a shield for Pidgin Messenger.
     
  10. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Oh and btw... I'd like to be able to make custom settings for each individual app instead of having to choose just 1, one size fits all template. Because I'm not sure any one of my apps, ideally, abide by just one set of rules. I thought that "custom" would allow me to do this, but I was mistaken.

    This would be HUGE and make the product so versatile.
     
  11. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    Can't argue with you there...much...I haven't run into that specific situation yet but I see where you're going with it and I agree. At the same time, adding such a choice by default would make it much more like EMET and almost as complicated. As MBAE is such a great 'no-user-input' required app for the most part this would make it much more complex if it was added for general choices. Simply being able to create our own profiles and choosing the protections for said profile would solve this issue as it would be entirely optional and user dependent and nothing that the average user needs ever mess with.

    As for the SBIE exes, I've actually added them to the list of protected apps since the last time I commented on it and have yet to encounter any issues or false positives. So once again, no harm adding them if you don't experience new issues.
     
    Last edited: May 22, 2015
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    bellgamin :thumb:
     
  13. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Maybe nothing is noticeably wrong, but I just don't like the idea of allowing things into Sandboxie considering one of its main scopes to me is its isolation.

    As for making MBAE more customizable... I don't find EMET that complicating, and like how granular it is. I don't think adding that level of granularity would make it like EMET. It still uses different methods and is much more user friendly.

    I'd also like a true manual updating option. Simply unticking the box to auto update then waiting around for a prompt for it to connect out (assuming you even have an outbound FW to get those prompts) isn't the same thing. And people that don't have one (outbound FW) would be oblivious when it happens. And I don't like the idea of things doing stuff behind my back.

    Add manual updating and create more granular rule setting for each app and this thing is perfect.
     
  14. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @pbust - thanks for soon-coming version to make logging optional. I much prefer the log VS the pop-up.

    By the way - as of now, MB-antiexploit makes a sound whenever it initiates protection of an app. I hope the sound will continue after I disable the visual pop-up. Will it?
     
  15. haakon

    haakon Guest

    I'm thinking it's Windows that's making the sound. Open the Sound control panel, under the sounds tab, find System Notification and set its Sounds: to (None) or a sound that's more pleasing to you. Does that do it?
     
  16. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    630
    Location:
    Terre Haute, IN
    Windows XP, SP3, 32bit

    I have not had any success with Malwarebytes Anti-Exploit running on my system. After installation and reboot there is no icon in the system tray or any indication the program is running. I do receive a message that MBAE is not running and will be terminated. I have made copies of the logs and sent them to Malwarebytes and was told they looked okay. I thought I might try one last time and install the program in safe mode if in fact that can be done. Any recommendations or suggestions would be appreciated and as always I would thank you in advance.

    John
     
  17. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,935
    Location:
    North of the 38th parallel.
    Hello jpcummins:

    Even if you already had started a topic, seen the entire process to completion and have been given the "all clear" termination posting, I believe you should revisit and copy/paste both of the latest/requested Farbar diagnostic logs in Malware Removal Help.

    The topic's title could be something like MBAE installs but fails to run.

    After that, let's see where you stand and if needed start a new topic in Anti-Exploit Product Support with the requested MBAE logs.

    MBAE 1.06.1.1019 will definitely work with XPx86SP3.

    Thank you for hanging in there... :)
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    John, please try a fresh re-install to see if it fixes the issue. This could be due to an incomplete/corrupt auto-upgrade.

    1- Close all apps
    2- Uninstall MBAE from Control Panel
    3- Delete "C:\Documents and Settings\All Users\Application Data\Malwarebytes Anti-Exploit"
    4- Download the latest MBAE version from http://downloads.malwarebytes.org/file/mbae and install

    Does this solve the issue?
     
  19. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,881
    John, it's a service. You will, if MBAE service is stopped, have to start the service to get MBAE to run. You can easily do that if you have ProcessHacker2 installed. Click the services tab, scroll down to MBAE and if stopped, click start. This should lead the program to run and the icon should then appear in the system tray. If the icon hasn't appeared in the system tray once you start the service, click the program icon in your Programs folder and then you should see the MBAE icon appear in the system tray.
     
  20. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    630
    Location:
    Terre Haute, IN
    I will be trying again to install the program in a day or so. I have tried the 4 steps you recommended in the past and had no success, but I manually closed all apps; this next time I will close all apps using the program CloseAll_2.0. Hopefully next time it will work.
     
  21. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    630
    Location:
    Terre Haute, IN
    I don't have ProcessHacker2 installed but I seem to remember looking at the services in TaskManager and I believe it looked as if everything was started but I can't say for sure. And, I don't ever remember seeing an MBAE icon anywhere. Regardless I will in the next day or so again try and install the program. Hopefully next time it will work.
     
  22. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    630
    Location:
    Terre Haute, IN
    ZeroVulnLabs,

    This morning I followed the 4 steps you recommended and it did not solve my issue. When I click on the MBAE icon I receive the following "Malwarebytes Anti-Exploit Protection not started. The Anti-Exploit process will be terminated".

    NormanF,

    I cannot find any Malwarebytes Anti-Exploit Service. I have looked in Administrative Services and no reference to MBAE. I did download ProcessHacker2, and the Malwarebytes services listed are 1) Mbamchameleon, 2) MBAMProtection, 3) MBAMScheduler, 4) MBAMService, and 5) MBAMSwissArmy. Any suggestions?
     
  23. haakon

    haakon Guest

    In Process Hacker under the Services tab, look for ESProtectionDriver.

    It should be Status Running, Start Type System Start.

    (Sidebar: this is listed in Windows Device Manager under Hidden Non-Plug and Play Drivers as "Malwarebytes Anti-Exploit" and is mbae.sys for XP.)

    MBAE's uninstaller isn't all that efficient and even the likes of Revo don't whack it and its traces in the Registry.

    You could try another MBAE uninstall, reboot, and then see if ESProtectionDriver is still there, delete it with PH, reboot and then re-install MBAE.

    Disclaimer: one uses Process Hacker at one's own risk.

    Good luck.
     
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    It is possible you are in the middle of an incomplete or corrupt MBAE upgrade. Try rebooting and repeating the fresh re-install, making sure after the reboot that there is no C:\Program Files\Malwarebytes Anti-Exploit or MBAE user data directory ("C:\Documents and Settings\All Users\Application Data\Malwarebytes Anti-Exploit").
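
The leftover checks described in the two posts above (haakon's ESProtectionDriver check and the two directories ZeroVulnLabs names), as an added example that is not part of the original thread or Malwarebytes' own tooling. The paths and the service name are taken from the posts; the script layout, variable names and messages are assumptions, and `sc` is the standard Windows service control command.

```bat
@echo off
rem Added example: run after uninstalling MBAE and rebooting, before re-installing.
rem Reports anything from the previous install that is still present.
setlocal
set "LEFT=0"
rem Paths as quoted in the thread (Windows XP layout).
set "PROG=C:\Program Files\Malwarebytes Anti-Exploit"
set "DATA=C:\Documents and Settings\All Users\Application Data\Malwarebytes Anti-Exploit"

for %%D in ("%PROG%" "%DATA%") do (
  if exist "%%~D\" (
    echo LEFTOVER directory: %%~D
    set "LEFT=1"
  ) else (
    echo clean: %%~D
  )
)

rem The driver is registered as a service named ESProtectionDriver per the thread.
rem sc query returns a non-zero errorlevel when no such service entry exists.
sc query ESProtectionDriver >nul 2>&1
if errorlevel 1 (
  echo clean: no ESProtectionDriver service entry
) else (
  echo LEFTOVER service entry: ESProtectionDriver
  rem Show state and start type; a working install shows RUNNING and SYSTEM_START.
  sc query ESProtectionDriver | find "STATE"
  sc qc ESProtectionDriver | find "START_TYPE"
  set "LEFT=1"
)

if "%LEFT%"=="1" echo Leftovers found: remove them and reboot before re-installing.
if "%LEFT%"=="0" echo No leftovers found: safe to run the installer.
exit /b %LEFT%
```

Run on a working install instead, the same two `sc` lines confirm the state haakon describes: Status Running, Start Type System Start.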
     
  25. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    630
    Location:
    Terre Haute, IN
    I appreciate very much the suggestions and recommendations regarding my inability to install Malwarebytes Anti-Exploit. I have tried all of them to no avail and I will not be making any further attempts to install MBAE. Perhaps on another system. Thanks!
     