Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Yes as I did.
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Wow, thanks! That is a most generous offer!
     
  3. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Anyone else still getting this, while running Firefox sandboxed (Sandboxie) and under MBAE protection?

    (screenshot attached: MBAESDBXIE.png)

    I added the latest MBAE template to "Templates.ini" = Found in C:\Program Files\Sandboxie

    and

    "Sandboxie.ini" = Found in C:\Windows

    Any other way to get it to say "Mozilla Firefox" is protected, rather than cmd is protected?

    or is this a case of "For the time being...It is what it is"?
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,818
    Location:
    .
    LOL, the latter it is... Hopefully this gets fixed one day; for the time being it is working fine.
     
  5. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    https://forums.malwarebytes.org/ind...bie-x4-and-mbae-compatible/page-2#entry958379
     
  6. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Well, at least MBAE is protecting Firefox.

    Thanks for the reply, I appreciate it.
     
  7. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
  8. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    1- The counter on the General tab says how many *running* applications are shielded. So if you only have Word open, then the counter would show 1. This is a separate view from the Shields view, where you can see the total shields, add new shields, activate/deactivate shields, etc.
    2- Java is not always shielded; it depends on its risk level. For example, if you have a Desktop application that simply uses Java to launch, this is considered safe and MBAE allows this to happen without applying extra mitigations.
    3- What profile did you use to shield Access? When adding a shield, the shields get reloaded and this is probably why you got the message from SSM re: IPC.

    Yes correct. You can safely install on top and you won't lose your license.
     
  9. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    @ZeroVulnLabs,
    Points 1 and 2 - understood. Your description for 2 is great. Brilliant process.
    Point 3 - Access was under MSOffice profile, I double checked.
    Several things are working so strangely, that I think I must have mucked something up. For example, when I wanted to run Opera, Access ran instead. Later on it worked.
    I decided to remove Outlook from the shields. IPC reported mbae was fiddling with Opera, and two instances of Opera appeared in PE. I was not running Opera. I was able to remove Access with nothing odd happening, other than mbae no longer issues the popup when I start Opera.
    This is too weird for comfort. I will uninstall and start over clean. Haven't yet decided whether to go back to 1.0.6, which I used for a day, or try this beta again.

    I assume the licence will work regardless which version I put in at this point.
     
  10. onigen

    onigen Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    29
    Latest Beta installs / works fine over last version :thumb:
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    It's best NOT to make SSM block anything related to MBAE, because it might start to malfunction. MBAE is working on a quite "low level" so it's likely it needs to perform things related to interprocess communication.
     
  12. @act8192, Rasheed is right, you just blinded one of MBAE's sensors
     
  13. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    @Rasheed and Kees,
    You are obviously correct. And most likely this is how I messed it all up till it started doing ridiculous things such as running Access when I wanted to run Outlook.

    But why on earth, would MBAE be modifying Outlook's memory when Outlook wasn't running, and it happened when I was adding Access to the shields o_Oo_O

    Anyway, I uninstalled, put in v1.0.6, not the 1.0.7 beta, and am allowing everything it wants to do.
    So far so good. Will retry beta because I want to see the logs when I convince myself that no issues with 1.0.6 in my hands.
     
  14. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    @act8192 can you PM me the SSM log please?
     
  15. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Yes, but tomorrow.
    1. Can't do attachments in PM, so I'll have to upload to box.
    2. I'll have to square SSM's unix dates with my timing, a PITA, to be able to tell you a few signposts.
    3. Since I'm the guilty party here, those details are important especially since I reverted to 1.0.6.
     
  16. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    It looks to me that in v1.06 I have no problems. I added Outlook and Access and not a strange peep out of SSM.
    Perhaps the odd alerts were due to 1.07. I don't know.
    @ZeroVulnLabs, See PM for SSM logs link.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    It can also be a bug in SSM. With some other HIPS (Neoava Guard) I also sometimes got weird alerts, it's almost like they can't always identify the right process, or it might be a "delayed" alert. But you should normally tick all boxes in SSM to make MBAE fully trusted.
     
  18. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Hi guys, I'm brand new to this program. Are the default settings fine or do I need to tweak things? I am running Sandboxie, EXE Radar & Driver Radar along with VoodooShield; are there any conflicts or settings I need to adjust?
     
  19. haakon

    haakon Guest

    @overkill
    There's hardly anything to tweak if you're running Free as it only shields browsers and Java. Your worst tweaking could merely crash your browser and then just un-tweak.

    I'm running Premium and I've built 19 custom shields. All my advanced settings are maxed out (every box checked). No problems after several weeks of use.

    I dumped Java years ago, so nothing tweaked there; I just unchecked 'em all because that makes sense. But three of four are checked by default, so again, hardly anything to tweak.
     
  20. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    I'm running MBAE Free and never ever install Java, so I'm good to go I suppose?
     
  21. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    I have an issue: when I run my browsers outside of Sbie, MBAE gives me the tray alert that I'm protected, but not when in Sbie o_O

    Here's my sbie ini

    [GlobalSettings]

    Template=MBAE
    Template=NVT_ERP
    Template=7zipShellEx
    Template=OfficeLicensing

    [DefaultBox]

    ConfigLevel=7
    AutoRecover=y
    Template=WindowsFontCache
    Template=BlockPorts
    Template=LingerPrograms
    Template=Chrome_Phishing_DirectAccess
    Template=Firefox_Phishing_DirectAccess
    Template=AutoRecoverIgnore
    RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
    RecoverFolder=%Personal%
    RecoverFolder=%Favorites%
    RecoverFolder=%Desktop%
    BorderColor=#00FFFF,ttl
    Enabled=y

    [UserSettings_111E0283]

    SbieCtrl_UserName=family
    SbieCtrl_NextUpdateCheck=1435430675
    SbieCtrl_UpdateCheckNotify=n
    SbieCtrl_ShowWelcome=n
    SbieCtrl_HideWindowNotify=n
    SbieCtrl_WindowCoords=181,267,893,511
    SbieCtrl_ActiveView=40021
    SbieCtrl_EnableLogonStart=y
    SbieCtrl_EnableAutoStart=y
    SbieCtrl_AddDesktopIcon=y
    SbieCtrl_AddQuickLaunchIcon=y
    SbieCtrl_AddContextMenu=y
    SbieCtrl_AddSendToMenu=y
    SbieCtrl_AutoApplySettings=n
    SbieCtrl_SettingChangeNotify=n
    BoxDisplayOrder=Chrome,IE,FirefoxPortable,TiaxatiPortable,MiponyPortable,DefaultBox
    SbieCtrl_BoxExpandedView=DefaultBox,FirefoxPortable,MiponyPortable,TiaxatiPortable
    SbieCtrl_TerminateWarn=n

    [Template_MBAE]

    Tmpl.Title=Malwarebytes Anti-Exploit
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
    OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
    OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
    OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
    OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
    OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
    OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
    InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll

    [Template_NVT_ERP]

    Tmpl.Title=No Virus Thanks Exe Radar Pro
    Tmpl.Class=Security
    Tmpl.Scan=s
    OpenPipePath=*\mailslot\NVTInj\*

    [Chrome]

    Enabled=y
    ConfigLevel=7
    AutoRecover=y
    Template=Chrome_Force
    Template=Chrome_Bookmarks_DirectAccess
    Template=WindowsFontCache
    Template=BlockPorts
    Template=LingerPrograms
    Template=Chrome_Phishing_DirectAccess
    Template=Firefox_Phishing_DirectAccess
    Template=AutoRecoverIgnore
    RecoverFolder=D:
    RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
    RecoverFolder=%Personal%
    RecoverFolder=%Favorites%
    RecoverFolder=%Desktop%
    BorderColor=#00FFFF,ttl
    NotifyInternetAccessDenied=y
    ProcessGroup=<StartRunAccess>,chrome.exe,cmd.exe,EGMonitor.exe
    ProcessGroup=<InternetAccess>,chrome.exe
    ClosedFilePath=!<InternetAccess>,InternetAccessDevices
    NotifyStartRunAccessDenied=y
    DropAdminRights=y
    ForceProcess=eagleget.exe
    AutoDelete=y
    NeverDelete=n
    ClosedIpcPath=!<StartRunAccess>,*

    [IE]

    Enabled=y
    ConfigLevel=7
    AutoRecover=y
    Template=IExplore_Favorites_RecoverFolder
    Template=IExplore_Favorites_DirectAccess
    Template=IExplore_Force
    Template=WindowsFontCache
    Template=BlockPorts
    Template=LingerPrograms
    Template=Chrome_Phishing_DirectAccess
    Template=Firefox_Phishing_DirectAccess
    Template=AutoRecoverIgnore
    RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
    RecoverFolder=%Personal%
    RecoverFolder=%Desktop%
    BorderColor=#00FFFF,ttl
    AutoDelete=y
    NeverDelete=n
    ForceProcess=eagleget.exe
    NotifyInternetAccessDenied=y
    ProcessGroup=<InternetAccess>,iexplore.exe,dllhost.exe
    ProcessGroup=<StartRunAccess>,iexplore.exe,dllhost.exe
    NotifyStartRunAccessDenied=y
    DropAdminRights=y
    ClosedIpcPath=!<StartRunAccess>,*
    ClosedFilePath=!<InternetAccess>,InternetAccessDevices

    [FirefoxPortable]

    Enabled=y
    ConfigLevel=7
    AutoRecover=y
    Template=WindowsFontCache
    Template=BlockPorts
    Template=LingerPrograms
    Template=Chrome_Phishing_DirectAccess
    Template=Firefox_Phishing_DirectAccess
    Template=AutoRecoverIgnore
    RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
    RecoverFolder=%Personal%
    RecoverFolder=%Favorites%
    RecoverFolder=%Desktop%
    BorderColor=#00FFFF,ttl

    [MiponyPortable]

    Enabled=y
    ConfigLevel=7
    AutoRecover=y
    Template=WindowsFontCache
    Template=BlockPorts
    Template=LingerPrograms
    Template=Chrome_Phishing_DirectAccess
    Template=Firefox_Phishing_DirectAccess
    Template=AutoRecoverIgnore
    RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
    RecoverFolder=%Personal%
    RecoverFolder=%Favorites%
    RecoverFolder=%Desktop%
    BorderColor=#00FFFF,ttl

    [TiaxatiPortable]

    Enabled=y
    ConfigLevel=7
    AutoRecover=y
    Template=WindowsFontCache
    Template=BlockPorts
    Template=LingerPrograms
    Template=Chrome_Phishing_DirectAccess
    Template=Firefox_Phishing_DirectAccess
    Template=AutoRecoverIgnore
    RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
    RecoverFolder=%Personal%
    RecoverFolder=%Favorites%
    RecoverFolder=%Desktop%
    BorderColor=#00FFFF,ttl
     
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,818
    Location:
    .
    You modified the original template @Overkill, maybe you missed or deleted some lines you shouldn't.
     
  24. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    I was following the post in that thread from btm and removed the lines for x64 OSs, which I don't have, and the one for XP, which I don't use. Evidently that messes things up, so I put back the original template that you gave me, which seems to be working...

    When I start IE MBAE says i'm protected and when I start Chrome it says cmd is protected, is this normal or should it say chrome is protected?
     

    Last edited: Jun 26, 2015
  25. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    It's ok if it says cmd. It's a side effect of the forced injection within Sandboxie. It has no negative effect on the protection offered by MBAE.
     