Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    No worries, license is in the registry and will be picked up automatically when you install the regular non-experimental build.
     
  2. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,982
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, we're working on the RC already which should be released next week if nothing major happens. Please stay tuned.
     
  4. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,982
    Thanks for clarifying that. :thumb:
     
  5. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Suggestion:
    Show the number of "shielded applications" in the tray Icon (incorporated in the icon), so you don't have to click the icon to see if it's doing the job. Kind of like DefenseWall.
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Somehow I don't think very many people would actually like that idea. But who knows, maybe as an option. Most people don't need to watch the numbers increasing/decreasing to know that it is working. We need to simply just trust Malwarebytes dev team. :)
     
  7. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    I just added this template to SBIE. However, when I open Firefox under Sandboxie, I'm still not seeing any reference to Firefox listed in the MBAE logs. Have I done something wrong?
     
  8. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
    Add the following in [GlobalSettings] in Sandboxie.ini, then click Reload Configuration in Sandboxie
     
  9. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    I already have Template=MBAE in Sandboxie's [Global Settings], which is the template name. Is this incorrect?

    Do you also have to add Sandboxie itself to the MBAE Shields? If so, what *.exe do you use?
     
    Last edited: Nov 28, 2014
  10. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
    I haven't added any Sandboxie's Process to MBAE Shield.

    Please make the following changes which are highlighted in green. :)

    [Template_MBAE]

    Tmpl.Title=MBAE
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\WoW6432Node\Malwarebytes Anti-Exploit
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*mAH*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*mix*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION_*
    OpenIpcPath=*\BaseNamedObjects*\Mutex*mAH*Process*API*
    OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION_*
    OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
    OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
    OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
    OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
     
    Last edited: Nov 28, 2014
  11. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    You're also missing the Wow6432Node ScanKey entry for 64bit OS.
     
  12. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    I've done all of this now "exactly" as indicated, but I'm still not seeing anything about Firefox showing up in the MBAE log.

    Can someone please help me figure this out.
     
    Last edited: Nov 28, 2014
  13. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    You've probably done this already, add MBAE to "Software Compatibility"?
     
  14. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    The section within the brackets minus "Template_" must match whatever is added (if doing it manually) to the "Template=" section


    [Template_Malwarebytes Anti-Exploit]
    would require
    Template=Malwarebytes Anti-Exploit
    *Note however that I do not recall seeing and have never tested spaces in these areas and they may not work.*

    My original posts used (as well as my actual config)
    [Template_MBAE]
    (Global settings reflected in the sandboxie.ini added manually or after using the software compatibility page in sandboxie)
    Template=MBAE

    This as well as the "Tmpl.Title=" can be changed to whatever you want. The title will be what is displayed on the sandboxie software compatibility window and does not need to be the same as the [template rule name]

    However if added manually the bracketed [Template_] must be the same as the Template= in the global settings for the rule(s) to be used.


    So here is my ruleset that works on 32 bit and 64 bit OS's.

    Code:
    [Template_MBAE]
    
    Tmpl.Title=Malwarebytes Anti-Exploit
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION_*
    OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
    OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION_*
    OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
    OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
    OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
    OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
    
    After being pasted into the sandboxie.ini appropriately.
    It could be enabled manually, or using the Sandboxie software compatibility window.
    Either way would end up placing a rule of "Template=MBAE" among the [GlobalSettings] using the template as it is posted above.
     
  15. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Exactly, what do you do with MBAE in the SBIE Software Compatibility window -- add the exe, add +, add -, blank o_O?
     
  16. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Should (automatically) show or ask if you did the config right, or did not check the box "In the future, don't check software compatibility". Just have to add the "+".
    [+] Malwarebytes Anti-Exploit
     
  17. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    I assume Sandboxie 4.10 is current enough for the template based compatibility with MBAE -- right?
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Last edited: Dec 1, 2014
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Awesome job as always, MBAE dev team. Always lots of great goodies within each changelog. You guys work hard!

    Changelog (1.05.1.1014):
     
  20. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Any significant changes since the last Experimental version? Just curious.
     
  21. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Just a couple of minor bug fixes found during QA on some of the new features.
     
  22. topguynow

    topguynow Registered Member

    Joined:
    Feb 17, 2010
    Posts:
    61
    Is anyone else having trouble with the compatibility between MBAE 1.05.1.1014 and Sandboxie 4.14 32 bit? The MBAE test still fails when run in Sandboxie.
     
  23. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    In my preliminary tests x64 injection still requires the use of a workaround to inject with sandboxie 4.x =(

    Also as of 1.05.1.1014 RELEASE Build I've noted some changes (differences) in the 32/64 dll communications requiring a subtle change with two rules on the template formerly posted.

    Code:
    [Template_MBAE]
    
    Tmpl.Title=Malwarebytes Anti-Exploit
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
    OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
    OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
    OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
    OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
    OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
    OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
    
    Basically the 64 bit dll doesn't use an underscore "_" after "MBAE_IPC_PROTECTION" like the 32 bit dll (anymore). The above changes two lines, removing two underscores, and restores workaround functionality with x64 exe's & sandboxie 4 with the current version.
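
Added example (not part of any post in this thread, and not Sandboxie or MBAE code): a Python check for the two points made in posts 14 and 23, namely that every `Template=` name in `[GlobalSettings]` needs a matching `[Template_<name>]` section, and that the `MBAE_IPC_PROTECTION_*` rule stops matching once the underscore is dropped from the object name. The function names, the sample configuration and the two object names (including the `1234` suffix) are constructed for illustration; treating `*` as the only wildcard and matching case-insensitively are assumptions.

```python
import re

def parse_ini(text):
    """Parse Sandboxie.ini-style text into {section: [(key, value), ...]}.
    Keys such as OpenIpcPath repeat, so configparser is not suitable."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections

def unresolved_templates(sections):
    """Template= names in [GlobalSettings] with no [Template_<name>] section."""
    enabled = [v for k, v in sections.get("GlobalSettings", []) if k == "Template"]
    return [name for name in enabled if "Template_" + name not in sections]

def ipc_open(sections, template, object_name):
    """True if any OpenIpcPath rule of the template matches object_name.
    Assumption: '*' is the only wildcard and matching ignores case."""
    for key, pattern in sections.get("Template_" + template, []):
        if key != "OpenIpcPath":
            continue
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, object_name, re.IGNORECASE | re.DOTALL):
            return True
    return False

# Constructed sample configuration (not a complete Sandboxie.ini).
SAMPLE = r"""
[GlobalSettings]
Template=MBAE
Template=Malwarebytes Anti-Exploit

[Template_MBAE]
Tmpl.Title=Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION_*
"""
# Constructed object names: with and without the underscore after the prefix.
NAME_32 = r"\Sessions\1\BaseNamedObjects\MBAE_IPC_PROTECTION_1234"
NAME_64 = r"\Sessions\1\BaseNamedObjects\MBAE_IPC_PROTECTION1234"

if __name__ == "__main__":
    cfg = parse_ini(SAMPLE)
    print("unresolved:", unresolved_templates(cfg))
    print("32-bit name opened:", ipc_open(cfg, "MBAE", NAME_32))
    print("64-bit name opened:", ipc_open(cfg, "MBAE", NAME_64))
```

Each `OpenIpcPath` rule lets sandboxed programs reach the matching objects outside the sandbox, so the same check is useful for confirming that a widened pattern matches only the names it is meant to.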
     
  24. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    When is the next beta being released? I love that this application is constantly being updated and improved.
     
  25. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Well we just got done releasing 1.05 and are already working on 1.06.
    Give us about a month or a month and a half to release a beta for 1.06.
     