Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Running 1.05.3.1012 beta. No problems thus far. Installed over existing beta.
     
  2. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,009
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Thanks, updating.
     
  4. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    +1
     
  5. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    I am almost ready to purchase this amazing software.
    Main reason for not would be:

    "I tried to create a shield for palemoon 64 bit while it was running in sandboxie and continued to use it. To my surprise it was shielded by MBAE. After I closed palemoon and reopened, MBAE was not shielding it. Continued this experiment with cyberfox with same result. MBAE shields 64 bit browser only if the shield is created while the browser is already running inside SBIE..... But as of now it will not shield once you close the browser and reopen."
    When this is fixed Hell yes I will buy!

    How does this interact with AppGuard?
    Thanks!

    After this, maybe not: For Illinois, Ohio and California state residents, applicable sales tax will be applied.
     
    Last edited: Nov 22, 2014
  6. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    429
    Location:
    Australia
    How do you manually upgrade to 1.05.3.1012?

    fenadur
     
  7. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,009
  8. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    You don't have to re-create the shield every time you want your 64bit process protected by both MBAE and Sandboxie. You can also simply stop MBAE protection or deactivate the shield, then start the browser within Sandboxie and then start MBAE protection or activate the shield. This will have the same effect of MBAE protecting the Palemoon64 browser while within Sandboxie.

    As a temporary workaround you could create a batch script that stops MBAE service, launches Palemoon64 within Sandboxie and starts the MBAE service. Then simply double-click on the batch script to launch your MBAE/Sandboxie-protected Palemoon64.
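
    A PowerShell version of the stop-service / launch-sandboxed / start-service workaround described above, added here as an example; it is not a script from this thread or from Malwarebytes. It assumes the MBAE service can be located by a display name containing "Anti-Exploit" (the thread never names the service), that Sandboxie's Start.exe accepts /box:<name> followed by the program path, and that the two paths in the parameters are placeholders for your own install.

```powershell
# Launch a 64-bit browser inside Sandboxie while the MBAE service is stopped,
# then restart the service so MBAE attaches to the already-running sandboxed
# process (the workaround ZeroVulnLabs describes above).
# Assumptions, not from the thread: service located by display name; paths below
# are placeholders for your own install.
#Requires -RunAsAdministrator

param(
    [string]$BrowserPath    = 'C:\Program Files\Pale Moon\palemoon.exe',   # placeholder
    [string]$SandboxieStart = 'C:\Program Files\Sandboxie\Start.exe',      # placeholder
    [string]$BoxName        = 'DefaultBox'
)

# Find the MBAE service by display name instead of hard-coding a service name
# that this thread does not state. Fails loudly if it is not installed.
function Get-MbaeService {
    $svc = Get-Service |
        Where-Object { $_.DisplayName -like '*Anti-Exploit*' } |
        Select-Object -First 1
    if (-not $svc) { throw 'Malwarebytes Anti-Exploit service not found' }
    return $svc
}

$svc = Get-MbaeService
try {
    # While the service is stopped, nothing on the machine is protected by MBAE,
    # so keep this window as short as possible.
    Stop-Service -Name $svc.Name -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))

    # Start.exe /box:<name> "<program>" runs the program inside that sandbox.
    Start-Process -FilePath $SandboxieStart -ArgumentList "/box:$BoxName", "`"$BrowserPath`""

    # Give the browser a moment to initialise before protection is re-enabled.
    Start-Sleep -Seconds 5
}
finally {
    # Always bring protection back, even if the launch above failed.
    Start-Service -Name $svc.Name
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}
```

    Save it as a .ps1 and run it from an elevated prompt (or via a shortcut with -ExecutionPolicy Bypass -File). The try/finally is the important part: if Start.exe is missing or the path is wrong, the service is still restarted rather than left stopped.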
     
  9. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Is this strictly for 64bit processes? What about Firefox 32bit running in SBIE?
     
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Only for 64bit processes. For 32bit processes if you apply the Sandboxie template for MBAE it should work automatically.
     
  11. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Where do I find the Sandboxie "template?"
     
  12. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    There's a few posted a few pages up in this thread.
     
  13. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Is this it? If so, what do you do with it - where do you put it?


    [Template_Malwarebytes Anti-Exploit]

    Tmpl.Title=Malwarebytes Anti-Exploit
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*mAH*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*mix*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION_*
    OpenIpcPath=*\BaseNamedObjects*\Mutex*mAH*Process*API*
    OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION_*
    OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
    OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
    OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
    OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
     
  14. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Just purchased, and how do I make PaleMoon 64bit run with SBIE?
    I added to global settings? Not working.

    [GlobalSettings]

    Template=a2AntiMalware
    Template=BookmarkBuddy
    Template=InternetDownloadManager
    ActivationPrompt=y
    TemplateReject=LogitechSetPoint
    TemplateReject=WindowsRasMan
    TemplateReject=OfficeLicensing

    [Template_Malwarebytes Anti-Exploit]

    Tmpl.Title=Malwarebytes Anti-Exploit
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*mAH*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*mix*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION_*
    OpenIpcPath=*\BaseNamedObjects*\Mutex*mAH*Process*API*
    OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION_*
    OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
    OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
    OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
    OpenIpcPath=*\BaseNamedObjects*\mchLLEW*


    PLEASE HELP!
    Thank you.
     
  15. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    It doesn't need to be 'IN' the global settings area, just in C:\Windows\SANDBOXIE.ini; the [] brackets are used to define new areas in the ini, and you certainly don't want it pasted anywhere between anything in the global settings area of the ini. Any section after any other is fine. It can be appended at the end if you want, though I generally do it directly after the [GlobalSettings] ends.

    mine looks something like this for instance:
    Code:
    [GlobalSettings]
    
    Template=KCSDK_ZA
    Template=NOD32
    Template=MBAE
    Template=LingerPrograms
    Template=AutoRecoverIgnore
    NotifyStartRunAccessDenied=y
    
    [Template_MBAE]
    
    Tmpl.Title=Malwarebytes Anti-Exploit
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION_*
    OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
    OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION_*
    OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
    OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
    OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
    OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
    
    [Template_KCSDK_ZA]
    
    Tmpl.Title=KeyCryptSDK (Zemana AntiLogger)
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\KeyCryptSDK
    OpenWinClass=TKeyCryptIPCServerClass
    
    [DefaultBox]
    

    As noted above even with the latest 1.05.3.1012, x64 processes are not being properly injected and only by using a workaround will they be usable with mbae and sandboxie 4. 32 bit processes are working perfectly in my tests and being injected properly. The template below will allow communication "once" the mbae dll has been injected. (Still iffy for x64 atm!) I also use palemoon, previously 64 but have switched over to the 32 bit version so I can use both sandboxie 4.x and mbae without effort.

    This is the one that should be used for now as it also includes an extra scan for x64 systems.
    After the template has been added you may need to go into the sandboxie control panel then click on the configure menu, software compatibility, then make sure the "Malwarebytes Anti-Exploit" is listed and checked with the +. Once the template is added it will allow communication with MBAE assuming the dll has actually been injected.
    Code:
    [Template_MBAE]
    
    Tmpl.Title=Malwarebytes Anti-Exploit
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION_*
    OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
    OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION_*
    OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
    OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
    OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
    OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
    
    I see from your snippet of the ini that the template was added (missing one line for x64 scan) but not active. Adding the following line to your template should allow the scan to find it on x64 systems.

    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit

    Alternatively you could manually add a different line with the other templates to activate it with the title you have given your template (these particular template title lines are in the global settings). Notice how mine was labeled [Template_MBAE] and yours was [Template_Malwarebytes Anti-Exploit]. The title you give it is up to you, but to add yours as it was pasted would be:

    Template=Malwarebytes Anti-Exploit

    So your global settings would start off looking something like this:

    Code:
    [GlobalSettings]
    
    Template=a2AntiMalware
    Template=BookmarkBuddy
    Template=InternetDownloadManager
    Template=Malwarebytes Anti-Exploit
    
    I haven't tested spaces in the [template names] though, not sure if they work as the ones I've seen don't use spaces... may want to change it to MalwarebytesAntiExploit at the very least if it still doesn't activate properly using the spaced name.
     
    Last edited: Nov 22, 2014
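
An added checker (my own PowerShell, not Sandboxie's and not from this thread) for the two mistakes syrinx points out: a [Template_X] section that no Template=X line in [GlobalSettings] activates, and a template that scans only HKLM\SOFTWARE on a 64-bit system where the product's key also lives under Wow6432Node. It also flags template names containing spaces, which syrinx notes are untested. The parser handles only the flat key=value layout shown in this thread, and a Template= name with no section in this file is left alone, on the assumption that it is one of Sandboxie's built-in templates defined elsewhere.

```powershell
# Sanity-check a SANDBOXIE.ini for the template mistakes discussed above.
# Parser and checks are my own (added example), limited to the key=value
# layout seen in this thread.
function Test-SandboxieIni {
    param(
        [string[]]$Lines,
        [bool]$Is64Bit = [Environment]::Is64BitOperatingSystem
    )

    # Section name -> list of Key/Value pairs, in file order.
    $sections = [ordered]@{}
    $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if (-not $sections.Contains($current)) { $sections[$current] = @() }
            continue
        }
        if ($null -ne $current -and $line -match '^([^=]+)=(.*)$') {
            $sections[$current] += [pscustomobject]@{
                Key   = $Matches[1].Trim()
                Value = $Matches[2].Trim()
            }
        }
    }

    $findings = @()
    $global = if ($sections.Contains('GlobalSettings')) { $sections['GlobalSettings'] } else { @() }
    # Names activated by Template= lines; names with no section here are assumed built-in.
    $referenced = $global | Where-Object Key -eq 'Template' | ForEach-Object Value
    # Names defined in this file: strip the 9-character 'Template_' prefix.
    $defined = $sections.Keys | Where-Object { $_ -like 'Template_*' } | ForEach-Object { $_.Substring(9) }

    foreach ($name in $defined) {
        if ($referenced -notcontains $name) {
            $findings += "[Template_$name] is defined but never activated by a Template=$name line in [GlobalSettings]"
        }
        if ($name -match '\s') {
            $findings += "[Template_$name] contains spaces; untested, consider a name without them"
        }
        $scanKeys = $sections["Template_$name"] | Where-Object Key -eq 'Tmpl.ScanKey' | ForEach-Object Value
        $has32 = $scanKeys | Where-Object { $_ -like '*\Wow6432Node\*' }
        $has64 = $scanKeys | Where-Object { $_ -notlike '*\Wow6432Node\*' }
        if ($Is64Bit -and $has64 -and -not $has32) {
            $findings += "[Template_$name] scans HKLM\SOFTWARE but not Wow6432Node; on x64 the scan may not find a 32-bit product"
        }
    }
    return $findings
}

# Constructed sample mirroring Circuit's snippet: section present, never
# activated, spaces in the name, and no Wow6432Node scan key.
$sample = @'
[GlobalSettings]
Template=a2AntiMalware
TemplateReject=LogitechSetPoint

[Template_Malwarebytes Anti-Exploit]
Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION_*
'@ -split "`r?`n"

Test-SandboxieIni -Lines $sample -Is64Bit $true
# Live file: Test-SandboxieIni -Lines (Get-Content C:\Windows\SANDBOXIE.ini)
```

Against the constructed sample it reports all three problems; against a live file, an empty result means the template is wired up the way syrinx describes, after which the Software Compatibility dialog should still be checked to confirm the entry is listed and ticked.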
  16. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    I thought v1.05 was working pretty well for me on my old Win XP SP3 machine. However, after using it a little longer, I found that it was really slowing things down -- a lot -- probably the memory component. I only have 2GB of RAM.

    Went back to 1.04 and things seem pretty much back to normal.
     
    Last edited: Nov 22, 2014
  17. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Is there a setting somewhere to prevent MBAE from starting with Windows?
     
  18. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,009
    RAM usage is minimal.
    MBAE: 0.6MB & MBAE service: 1.6MB, total: 2.2MB only.

    MBAE v1.05 & Windows Pro 8.1U2, 32-bit.
     
  19. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    That's probably not it then. I didn't bother to actually check anything -- I was just guessing. Not sure what it could be, but my overall performance seems to drop off quite significantly with 1.05.
     
  20. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Which version of 1.05 were you running? We had some aggressive logging turned on in two of the Experimental builds but that's been fixed in the latest build 1012.
     
  21. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Thanks syrinx, it's working now.
    Changed to 32bit PaleMoon since it is easier to deal with.
    Has anyone made a batch file as mentioned by ZeroVulnLabs in post #1233?
    It seems like they are working on a solution for the 64bit browser. That will be nice.
     
  22. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Actually, it was 1012, Pedro. It may be my imagination, but I almost seem to think that 1011 performed better (at least for me).
     
  23. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    There basically aren't any differences between 1011 and 1012 other than turning off lots of logging and a couple of minor bug fixes unrelated to protection or performance. If anything 1012 should be smoother. Sounds like maybe there was some conflict with your 1012 install. Try uninstalling, rebooting and reinstalling to ensure a clean install.
     
  24. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Will definitely give that a try tomorrow.
     
  25. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Forgot to mention... I'm a Premium user. If I uninstall, what about my license?
     