Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    201
    Location:
    Wigan
    I understand that Sandboxie 3.76 or earlier is necessary to run MBAE in co-operation with Sandboxie. In the Sandboxie folder in Program Files is a file named Templates.ini

    Add the following text to the end of that file : -
    ________________________________________________________________

    Tmpl.Title=MBAE
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION_*
    OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
    OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION_*
    OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
    OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
    OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
    OpenIpcPath=*\BaseNamedObjects*\mchLLEW*

    ________________________________________________________________


    Having done that, start Sandboxie and double click the Sandboxie system tray icon. A window titled 'Sandboxie Control' should pop up. Via the Configure menu, click the 'Software Compatibility' menu item and then enable MBAE in the popup window titled 'Software Compatibility' by doing the following: -
    You should be able to see the entry '[ ] MBAE'. Click between the square brackets and the + character should appear, i.e. [+]. If the + is already displayed then MBAE must already have been enabled but I would not expect to see this.

    That's it, done and dusted.
     
  2. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I believe I had posted these on the sandboxie forum before but as that is now gone I figured I'd do it here as well. This is the last revision I did around two, three years ago? Haven't heard of anything needing updating or others having issues but I no longer use MBAE or SBIE

    Code:
    [Template_XPMBAE]
    
    Tmpl.Title=MBAE (For use on XP with SBIE 3.76 ONLY;template_32MBAE still required)
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ModuleCompatibility
    OpenIpcPath=$:mbae-svc.exe
    
    [Template_32MBAE]
    
    Tmpl.Title=Malwarebytes Anti-Exploit (x86) Vista,7,8,10
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
    InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
    OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
    OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
    OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
    OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
    OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
    OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
    
    [Template_64MBAE]
    
    Tmpl.Title=Malwarebytes Anti-Exploit (x64) Vista,7,8,10
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
    InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
    InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
    OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
    OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
    OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
    OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
    OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
    OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
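
An added example, not part of the thread and not Sandboxie or Malwarebytes code: a small Python audit of template text like the sections posted above. It lists every `OpenIpcPath` and `InjectDll` line, since those are the settings that let sandboxed programs reach objects or load code from outside the sandbox. The sample text is constructed from the post above; the function names and the Program Files check are assumptions of this example.

```python
import re
# Constructed sample: two of the templates from the post above, shortened.
SAMPLE = r"""
[Template_XPMBAE]
OpenIpcPath=$:mbae-svc.exe

[Template_64MBAE]
Tmpl.Title=Malwarebytes Anti-Exploit (x64) Vista,7,8,10
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
"""

def parse_templates(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys (configparser
    would reject or collapse them). Lines before any header go under None."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
        elif "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections

def review(sections):
    """List each setting that reaches outside the sandbox, with a short note."""
    findings = []
    for name, pairs in sections.items():
        for key, value in pairs:
            if key == "OpenIpcPath" and value.startswith("$:"):
                note = "names an unsandboxed process, not an IPC object"
            elif key == "OpenIpcPath":
                fixed = len(value.rsplit("\\", 1)[-1].replace("*", ""))
                note = f"IPC pattern, {fixed} fixed chars in last component"
            elif key.startswith("InjectDll"):
                # Assumption: default ACLs, so only admins can write Program Files.
                ok = value.lower().startswith("c:\\program files")
                note = "DLL under Program Files" if ok else "DLL outside Program Files"
            else:
                continue  # Tmpl.* metadata grants nothing
            findings.append((name, key, value, note))
    return findings

print(*review(parse_templates(SAMPLE)), sep="\n")
```

Patterns with few fixed characters match more object names, so they are the ones to read first when reviewing a template before enabling it.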
    
     
  3. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    237
    Hey @loungehake & @syrinx,

    Thanks for the info on how to get MBAE and Sandboxie working together. I greatly appreciate it!
     
  4. guest

    guest Guest

    Malwarebytes Anti-Exploit Beta 1.13 Build 125 (November 11, 2019)
    https://forums.malwarebytes.com/top...i-exploit-113-build-125-released-nov-11-2019/

    Download: http://downloads.malwarebytes.org/file/mbae
    Protection:
    • Improved protection techniques for browsers and MS Office applications
    • Improved exclusion capabilities
    Usability:
    • Updated shield list to include Chrome and Edge Browsers
    • Improvements to reduce False Positives
    Stability/issues fixed:
    • Bug fixes
    • Fixed false positives with wscript
    • Fixed false positive detections with MS Office applications
    • Improved Logging capabilities
    • Internal Product Improvements
     
  5. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    in my case the program takes too long to boot and I receive a prompt that tells me that, or it doesn't boot
     
  6. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    @lucd

    Your issue isn't the same as I experience, but the fix might be...

    On this latest 1.13.1.125 I was prompted to restart and upon doing so the service could not be found.

    The Services "Path to executable" pointed to mbae-svc.exe in a system temp folder even though it was also in C:\Program Files (x86)\Malwarebytes Anti-Exploit.

    I've run into this here and there over the many years and so randomly so that I keep forgetting the restart prompt is a botched install red flag. An uninstall/reinstall fixes it.

    I use Revo Pro (Free should work OK) and ignore the folders deletion step, especially for the Malwarebytes Anti-Exploit folder in ProgramData where tweaked settings and custom shields, etc. data are stashed.

    There's probably a geeky-er fix but the uninstall/reinstall is over with in about a minute and a half.

    Cheers.
     
    Last edited: Nov 18, 2019
  7. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    @Surt
    Thanks, I'll give it a try. On some PCs antiexploit works, on some others it has the described symptoms. On 1 PC it works rock solid without said issues.
    Install/reinstall seems to work (albeit temporarily), I'll try to keep the program data leftover.

    A separate problem is that it has no interface under normal user account, you need at least administrator. There is an interface after installing it, but you don't get the interface after a reboot (there is a pop up message that informs you of that issued by malwarebytes), and so if the described above issue occurs you don't get to know if it has been loaded, especially without an interface

    I want to keep it since it saved me once against process hollowing technique started by an executable on local drive
     
    Last edited: Nov 19, 2019
  8. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    Yes, it works if you leave programdata intact during uninstall, then install back, thanks.
     
  9. guest

    guest Guest

    Malwarebytes Anti-Exploit Beta 1.13 Build 127 (December 5, 2019)
    https://forums.malwarebytes.com/top...ti-exploit-113-build-127-released-dec-5-2019/

    Download: https://downloads.malwarebytes.org/file/mbae
    Protection:
    • Improved protection techniques for browsers and MS Office applications
    • Improved exclusion capabilities
    Usability:
    • Updated shield list to include Chrome and Edge Browsers
    • Improvements to reduce False Positives
    Stability/issues fixed:
    • Bug fixes
    • Fixed false positives with wscript
    • Fixed false positive detections with MS Office applications
    • Improved Logging capabilities
    • Internal Product Improvements
     
  10. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,006
    Still the new Chromium-based Edge (msedge.exe) and Vivaldi (vivaldi.exe) are not included / shielded.
    I have to add them manually.
     
  11. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    This is indeed really disappointing, I wonder how long it will take for them to add this?
     
  12. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Good grief... manually!!! You must be exhausted. :rolleyes:
     
  13. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    At some point a browser grows popular enough that a company should add it to their database.

    I'm still waiting for CCleaner to add Brave. Privazer already does.
     
  14. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    Seeing as CCleaner tries to sneak Chrome into your computer when you install it, I have my doubts that they will.
     
  15. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @anon -- I was just pulling your leg. You are one of my favorite, most respected posters on these boards. :thumb::thumb::thumb:
     
  16. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,006
    Explanation accepted, post deleted.
     
  17. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    201
    Location:
    Wigan
     
    Last edited: Dec 25, 2019
  18. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    201
    Location:
    Wigan
    Those using MBAE together with Malwarebytes Anti-Ransomware Beta will currently find that newly updated MBARW to build 274 causes the mbae.exe process to be suspended. The MBAE services remain running but MBARW build 274 seems to consider mbae.exe to be ransomware. In the event of MBAE terminating processes I guess that no information on the event will be presented to users. No MBAE icon currently appears in the system tray if MBARW build 274 continues. I have noticed that automatic updates to MBARW seem to have ceased after Malwarebytes became aware of the problem.
     
  19. guest

    guest Guest

    Malwarebytes Anti-Exploit Beta 1.13 Build 146 (February 18, 2020)
    https://forums.malwarebytes.com/top...i-exploit-113-build-146-released-feb-18-2020/

    Download: https://downloads.malwarebytes.org/file/mbae
    Protection:
    • Protection for the new Edge browser and MS ACCESS application
    • Fixed false detection of Grammarly plugin and OfficeConnect plugin during updates
    • Protection against new exploit attack techniques
    Usability:
    • Fixed false detection of Grammarly plugin and OfficeConnect plugin during updates
    Stability/issues fixed:
    • Bug fixes
    • Fixed false positive detections with MS Office applications
    • Improved Logging capabilities
    • Internal Product Improvements
     
  20. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Just got silently updated to v1.13.1.164 a short time ago. :)

     
  21. guest

    guest Guest

    Malwarebytes Anti-Exploit Beta 1.13 Build 164 (April 14, 2020)
    https://forums.malwarebytes.com/top...i-exploit-113-build-164-released-apr-14-2020/

    Download: https://downloads.malwarebytes.org/file/mbae
    Protection:
    • Protection improvements for Chrome and Edge browsers
    • Protection against new exploit attack techniques
    Usability:
    • Fixed false detection of Grammarly plugin during updates
    Stability/issues fixed:
    • Bug fixes
    • Fixed false positive web-based Java detections
    • Fixed false positive detections and crashes with MS Office applications
    • Improved Logging capabilities
    • Internal Product Improvements
     
  22. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Thanks. The only product I use these days from Malwarebytes. :)
     
  23. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
  24. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    I wonder what those new advanced exploits mean, they have been using this taxonomy for 3 patches now.
    So the previous exploits were not advanced?
     
  25. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    60
    I have a paid license for Malwarebytes, but I use only (my choice) MBAE 1.13.1.164 together with HitmanPro.Alert 2.65.77. Does this old version of HMPA still provide some protection? I have asked the guys at the HMPA forum too (I have a paid license for HMPA too), but maybe you have a different take on the issue and some useful feedback. Thanks.
     