Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    How would I add a shield to my Maxthon browser and Comodo Dragon browser? Would Dragon.exe and Maxthon.exe be good enough?
     
  2. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    Go to the Shield tab and click on "Add Shield".

    Write the name for the application you want to make a shield to.
    On the next line, write that application .exe
    And pick "browser" as the profile.

    This is how I shielded Cyberfox.

    If it works, then when you run that browser a description of "Maxthon or Comodo Dragon is now protected" should be on the logs.
     
  3. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I too would like to hear feedback regarding this. Will it really work, with no ill side effects? Almost sounds too good to be true.
     
  4. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    It did work in my case (if you mean MBAE protecting Sandboxie): just write Start.exe. I will also try out SbieSvc.exe and SbieCtrl.exe to be protected by MBAE one of these days (right now I'm on my work computer, so I can't test whether SbieSvc.exe and SbieCtrl.exe work just fine and are protected by MBAE when you configure them that way).
     
  5. 142395

    142395 Guest

    That (especially protecting SbieSvc, as I think SbieCtrl is just the UI and Start.exe is just a launcher) will protect SBIE from exploits, but it will not prevent the sandboxed program from being exploited.
    But almost no criminals will target SBIE, so it's not necessary.
    Just protecting Firefox or Chrome or any other browser and plugin with MBAE is almost enough.

    It seems only chrome.exe becomes a child process of SBIE on my Win7 x64; IE and Firefox are not children.
    Anyway, let's wait for Pedro's reply.
     
    Last edited by a moderator: Dec 8, 2014
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Last edited: Dec 8, 2014
  7. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    On my computer, MBAE does not show any of the browsers as protected by MBAE. And by the way, what exactly is BottomUp ASLR? This is what I get whenever I start/run Mozilla Firefox unsandboxed, or Internet Explorer unsandboxed, or Google Chrome unsandboxed!?
     
  8. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello CoolWebSearch,

    This is how I understand MBAE to work. If you add a custom shield for a particular process, MBAE will only shield that process that you added...
    Adding "Start.exe" to custom shields will only protect that particular process and does not automatically protect every process that it spawns. You can easily test this by seeing if the "mbae.dll" or "mbae64.dll" is being injected to any of the spawned processes. Say for instance you have "Start.exe" shielded, and launch Firefox in the sandbox. If you check "Start.exe" you should see the injected MBAE dll meaning it is protected, but if you check "firefox.exe" you will not see the injected MBAE dll meaning it is not protected.

    I do not use SBIE but this is how MBAE does its protection by injecting a dll into whatever processes you have added a custom shield for. In short, injected dll means shielded and no injected dll means no protection. This is how I understand MBAE to work, but I may be wrong. I am sure Pedro will add to this to clarify...

    HTH...
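    The check puff-m-d describes (an injected mbae.dll or mbae64.dll means the process is shielded) can be automated. The following PowerShell is an added example written for this page; it is not code from the thread or from Malwarebytes. It assumes the DLL names quoted above, and the function name Get-MbaeShieldedProcess is this example's own.

```powershell
# Added example (not from the thread or Malwarebytes): report which processes
# currently have the MBAE DLL (mbae.dll / mbae64.dll) loaded, i.e. are shielded.
function Get-MbaeShieldedProcess {
    param([string[]]$Name = '*')   # optional process-name filter, e.g. 'firefox','Start'
    $dlls = 'mbae.dll', 'mbae64.dll'
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        # .Modules throws for processes we cannot open (other users, protected
        # processes) and is unreliable across a bitness mismatch: 64-bit PowerShell
        # does not see the 32-bit modules of a WOW64 process. Run the PowerShell
        # whose bitness matches the browser you are checking (SysWOW64 for 32-bit).
        try { $mods = $p.Modules } catch { continue }
        $hit = @($mods | Where-Object { $dlls -contains $_.ModuleName.ToLower() })
        [pscustomobject]@{
            Name     = $p.ProcessName
            PID      = $p.Id
            Shielded = ($hit.Count -gt 0)
            MbaeDll  = if ($hit.Count -gt 0) { $hit[0].FileName } else { $null }
        }
    }
}

# The Sandboxie case from the thread: Start.exe shielded, firefox.exe launched
# inside the box. Expect Start.exe Shielded=True and firefox.exe Shielded=False
# unless the Sandboxie template is applied.
Get-MbaeShieldedProcess -Name 'Start', 'firefox', 'SbieSvc' | Format-Table -AutoSize

# No-script alternative built into Windows: list every process that has the
# module loaded.
#   tasklist /M mbae.dll
#   tasklist /M mbae64.dll
```

    Run it from an elevated prompt if you also want to see service processes such as SbieSvc.exe; for your own browser processes a normal prompt of the matching bitness is enough.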
     
  9. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    You are correct puff-m-d. Not sure what the effect of shielding the Sandboxie processes will be in terms of sandboxed applications, but as you can guess it will not protect them (unless the Sandboxie template is applied) and will only protect Sandboxie itself.
     
  10. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    ZVL, I tried truly everything. I looked at the configuration and tried it all; it just doesn't work. I simply cannot protect sandboxed Mozilla Firefox, sandboxed Internet Explorer, or sandboxed Google Chrome with MBAE. Sandboxie simply does not allow sandboxed web-browser protection with MBAE.
     
  11. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    I've had trouble with this as well. It's my understanding that there may be a problem with the 32bit dll injection (if you're using 32bit as I am). Anyway, not trying to comment on this as an expert -- it's just what I've heard.
     
  12. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Yes, I do use 32-bit Windows XP, and Windows 8.1 is also 32-bit.
     
  13. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Which browser gets more protection from MBAE, a 32-bit or a 64-bit one (Pale Moon)? No SBIE.
    Running 32-bit, in the logs I see PM has been enforced with BottomUp ASLR and Anti-HeapSpraying.
    When running 64-bit PM it just says it is "now protected".

    Also I don't see add-ons protected with PM, unlike Firefox.
     
  14. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Some of the enforcements are only applied for 32-bit, and only if needed. Also, under 32-bit, more modern OSes and some programs might already enforce things like DEP, so in those cases MBAE won't.

    As for Palemoon, it doesn't say add-ons protected because it is a custom shield, but they are protected if they are running inside the browser process space.
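    One way to see for yourself whether a 32-bit process already has DEP enforced (the case in which, per the reply above, MBAE does not need to enforce it) is to ask Windows directly. The block below is an added example, not MBAE's code and not from the thread; it calls the documented kernel32 GetProcessDEPPolicy API, and the function name Get-ProcessDepState is this example's own.

```powershell
# Added example (not from the thread or Malwarebytes): query the DEP state of
# running 32-bit processes through kernel32!GetProcessDEPPolicy.
Add-Type -Namespace Win32 -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

function Get-ProcessDepState {
    param([Parameter(Mandatory = $true)][string]$Name)   # e.g. 'firefox', 'palemoon'
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $flags = [uint32]0
        $permanent = $false
        if ([Win32.Dep]::GetProcessDEPPolicy($p.Handle, [ref]$flags, [ref]$permanent)) {
            [pscustomobject]@{
                Name             = $p.ProcessName
                PID              = $p.Id
                DepEnabled       = (($flags -band 1) -ne 0)   # PROCESS_DEP_ENABLE
                AtlThunkDisabled = (($flags -band 2) -ne 0)   # PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION
                Permanent        = $permanent                 # set by the OS policy or by the program itself
                Error            = $null
            }
        } else {
            # The call fails for 64-bit processes (DEP is always on there) and for
            # processes we lack PROCESS_QUERY_INFORMATION on; report why.
            $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            [pscustomobject]@{
                Name = $p.ProcessName; PID = $p.Id
                DepEnabled = $null; AtlThunkDisabled = $null; Permanent = $null
                Error = (New-Object ComponentModel.Win32Exception($code)).Message
            }
        }
    }
}

# Assumption: run this from a PowerShell of the same bitness as the browser
# (32-bit PowerShell lives under C:\Windows\SysWOW64 on a 64-bit OS).
Get-ProcessDepState -Name 'firefox' | Format-Table -AutoSize
```

    A row with DepEnabled and Permanent both True means the process already runs with non-executable data pages locked in, which is the situation the reply above describes; a 64-bit target simply errors out because the question does not apply there.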
     
  15. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    When you set up a custom shield for Pale Moon, if you type in "Palemoon (add-ons)" as the name, it should show up that way in the log, as it did for me with "Comodo Dragon (plug-ins)".
     
  16. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    After today's Windows update, when I use Netflix MBAE states it has blocked an exploit, and after I close the warning I see that "the Silverlight plug-in has crashed."

    I shielded Silverlight in MBAE because I have been unable to install one of last month's Windows updates that cleared an exploit in Silverlight.

    Has anyone else shielded Silverlight and getting this?

    Using Firefox 33.xxxx
     
  17. Paranoya

    Paranoya Registered Member

    Joined:
    Nov 4, 2013
    Posts:
    59
    Hi,

    I'm using EMET and Sandboxie and decided to also try MBAE. First thing I noticed was that I needed to disable SimExecFlow in EMET for my browsers. I assume this is a known conflict? (haven't seen any note about it though)

    Then I applied the MBAE template in Sandboxie but it didn't work. Having read about the workaround for 64 bit apps with Sandboxie I gave that a try even though I only have a 32 bit system. It worked :)

    I've created a batch file to simplify the process, although slightly customized for my needs. It needs to be started as administrator to stop/start the service. And I've added a pause because Firefox starts very slowly when EAF and EAF+ are enabled in EMET, and it doesn't work without it on my system. Also, when the MBAE service is stopped it closes the MBAE app on the desktop/systray, so it is restarted after the service with a 2-second delay, which I'm not sure is really needed. And because the batch runs as admin I've reduced some permissions when mbae.exe is restarted.

    Is it possible to add some parameter to mbae.exe to show the GUI immediately when it's started?

    Code:
    @echo off
    REM Must run elevated: "sc stop" / "sc start" require administrator rights.
    REM Note that "sc stop" returns as soon as the stop is requested, not when
    REM the service has actually stopped.
    echo Stopping MBAE service
    sc stop MbaeSvc
    
    echo.
    echo Starting SBIE.... PRESS ANY KEY WHEN FF SHOWS
    REM Launch Firefox sandboxed while the MBAE service is down. Firefox is started
    REM via a sandboxed explorer.exe (the Sandboxie 64-bit workaround), and the
    REM pause waits for the slow EAF/EAF+ startup before the service comes back.
    "C:\Program Files\Sandboxie\Start.exe" explorer.exe "C:\Program Files\Mozilla Firefox\firefox.exe"
    pause
    
    echo Starting MBAE service
    sc start MbaeSvc
    
    echo Starting MBAE
    REM Stopping the service also closes the tray app, so relaunch it after a short
    REM delay with a reduced (non-admin) token rather than the elevated one this
    REM batch runs under.
    timeout /t 2
    runas /trustlevel:0x20000 "C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe"
     
  18. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    I'm sorry, it was .NET Framework 3.5 I had to add a shield to, not Silverlight.

    MBAE log is reporting it found an exploit code in FF

    Was using FF 33.xxx--- Upgrading to FF 34 same result.

    Will do clean reinstall.
     
  19. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    I just installed Chrome and got the same problem. There is some issue with today's Silverlight Windows Update or MBAE is throwing off a false positive.
     
  20. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    The Issue appears to be with today's update of Silverlight.

    I Uninstalled Silverlight and reinstalled. Everything is fine. BUT, the fresh reinstall DOES NOT INCLUDE today's Silverlight Update. I did a check for new updates and Windows Update now shows I need to install today's Silverlight Update.

    So it appears I am faced with a decision to not use MBAE or not re-install today's Silverlight Update.
     
  21. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    Oops, just noticed a [SOLVED] MBAE Silverlight thread on their forum from a few weeks ago.

    A newer version of MBAE, a version 1.05.xx, deals with some Silverlight issues

    I'm still using a 1.04.xxxxxx Version -- Didn't know there was a newer version that apparently deals with Silverlight issues.

    But still, the issue only arose after today's Windows Silverlight Update.
     
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    We've been testing this all day. Seems that the Microsoft Silverlight upgrade is causing crashes even without MBAE.
     
  23. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    I have not installed the December updates yet. Which update is for Silverlight.
     
  24. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    You can easily find it. It's just entitled Update for Microsoft Silverlight (KBxxxx) = 11.7MB
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Rule of thumb. Wait a week before installing updates.
     