Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    That change was mainly for SBIE 3.76 on Windows XP; for some reason it would fail in certain cases if mbae.dll didn't have write access. You should be able to remove that line if you aren't on XP.
    You could also remove the one below it if you're on an x64 system, as it's just a 32-bit path that won't exist: InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,958
    Location:
    Mexico
    Ah ok, fine. Currently working on Win7 and 8.1, both architectures, so I'm good without that line. Thanks a lot.
     
  3. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,971
    Thank you. Here is a short guide for inserting it:
    source: http://forums.sandboxie.com/phpBB3/viewtopic.php?f=5&t=20782

    /me meanwhile forgot that procedure; I write new templates in template.ini and renew them on each install ;)

    Templates are inserted at the end of Sandboxie.ini, so inserting them into the configuration file (opened from "Sandboxie Control") is also possible.
     
  4. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,339
    Location:
    Hawaii
    I am running MB Anti-Exploit 1.06.1.1019 Premium. It no longer logs. Yes, I realize that this lack of information is deemed to be a "feature". But the tooltips do NOT happen. Yes, I clicked the settings to allow tooltips.

    So now I have no idea if a given browser is being protected by MBAE or not. Help please!
     
  5. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    5,875
    Location:
    New York City
    The field "Shielded applications" on the general tab should help.
    If you are running Windows XP, this may help:
    http://www.howtogeek.com/howto/windows/how-to-fix-system-tray-tooltips-not-displaying-in-windows-xp/
     
    Last edited: May 2, 2015
  6. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,339
    Location:
    Hawaii
    Thanks Thankful. The "Shielded Apps" list is not the answer. It merely tells me what SHOULD be protected. It does not tell me what IS being protected.

    Tool tips work for all my other programs. Therefore the glitch is with MBAE ONLY.

    I need a fix for this PLEASE. Are there any alternatives to MBAE which do keep you informed? I prefer to stay with MBAE but I must know for sure if MBAE's protection is actually taking place.

    Why not make logging (or not logging) a user option?
     
  7. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    5,875
    Location:
    New York City
    I am not talking about the application list. On the "General" tab, there is a number after the field "Shielded applications".
     
  8. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,087
    Location:
    North of the 38th parallel.
    1. Please reply with the Windows system edition and architecture.
    2. When updated to MBAE 1.06.1.1019 Premium, was the previous version of MBAE completely uninstalled (and C:\ProgramData\Malwarebytes Anti-Exploit\ deleted) first, or was build 1019 installed over-the-top of the previous version?
    3. What is the DWord value at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip ?
    Thank you. :)
     
    Last edited: May 2, 2015
  9. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,339
    Location:
    Hawaii
    @ Thankful -- I get it. Yep, value = 1 at the moment, for my browser. I added my email client... value now = 2. All is well. Thanks!

    @ 1PW -- Q1 Win Home edition =XP SP3. Architecture= Huh? || Q2 Probably I installed it on top. || Q3 DWord Value =1 at specified registry location

    @ ZeroVulnLabs -- PLEASE make logging (or not logging) a user option.
     
    Last edited: May 3, 2015
  10. testsoso

    testsoso Registered Member

    Joined:
    Feb 10, 2007
    Posts:
    138
    IE 10 crashed after installing both EMET 5.2 and MBAE Free, on Windows 8 Pro 64-bit.
     
  11. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Yes, there's a number there but it would be nice if it would tell you (somewhere) a list of exactly what is being protected. When I fire up Firefox sandboxed 5 of those boxes pop up at light speed, and I can only make out the last one (FF). I know that it is being protected, along with SBIEsvc & SBIEctrl... but no idea what the other 2 are. I'd guess the RPC & DCOM processes as well but it would be nice to know for sure.

    I agree there should be a list that clearly shows what is being protected, and not just a number. And have logging be optional.

    Besides that I'm a very happy (new) user of this product, and am about to go into that in the next post along with how I got it to work great with my setup, as I still see some confusion over what to do.
     
  12. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Known 'issue'.

    Just don't run them at the same time.
     
  13. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    5,875
    Location:
    New York City
    I believe something as critical as what applications are protected should be written to a log file.
     
  14. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,087
    Location:
    North of the 38th parallel.
    Hello bellgamin:

    Please check to see if an XP registry DWORD entry might exist for:
    Code:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
    If that entry does exist, what is its hex DWORD value, please?

    Thank you.
     
  15. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Well I want to congratulate you on a fine product. My original assessment was correct, back when it was still a 1 man team, that it would be the best security app since Sandboxie. And now I have the two working together in perfect harmony after some tinkering yesterday... I had my doubts for a long time that it would be possible, and lost some hope about MBAE... no more.

    I still see confusion over exactly how to get it to protect your browser, namely Firefox under Sandboxie. And that on 64-bit systems and/or versions 4.x of SBIE it's flat out impossible. Not true...

    One point of confusion is that there are 2 templates to mod. When people talk about these tweaks they rarely mention this fact and act as if it all goes in the same place... not the case. The first thing you do is go to: C(or OS partition):\Windows\Sandboxie.ini , open/mod the file using Notepad by adding: Template=MBAE under the [GlobalSettings] entry found at the top of the page. Save the file. Then open Sandboxie Control in your Taskbar, Configure tab, and choose Reload Configuration. Depending on your settings in "Lock Configuration" you may have to remove your password temporarily, until you're done, or even log in as Admin if you're not already to do this.

    Now it's time to edit the other template... the one in Sandboxie's program files folder. For most this will be: C:\Program Files\Sandboxie - and open/mod the Templates.ini file (again with Notepad). Scroll down to the "Security" entries and throw it somewhere in there. For XP users using v3.76 of SBIE use this template here:

    [Template_MBAE]

    Tmpl.Title=Malwarebytes Anti-Exploit
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
    OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
    OpenIpcPath=*\RPC CONTROL*\*MBAE_IPC_PROTECTION*
    OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
    OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
    OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
    OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
    OpenIpcPath=$:mbae-svc.exe
    InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll

    -----------------------------------------------------------------------------------------------------------------

    And there you go. Again, you may not use the C: directory like me so keep that in mind. If using Windows 7 32-bit add this line in as well:

    InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll

    --------------------------------------------------------------------------------------------------------------

    If using a 64-bit version of Windows 7, use a 4.x version of Sandboxie first of all, and add this line as well:

    InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll

    ----------------------------------------------------------------------------------------------------------------------------

    Save this to make your new template. Then once again go into Sandboxie and Reload Configuration like you did before. If you didn't already after modding the first template, you should now see Malwarebytes Anti-Exploit listed under Software Compatibility. Make sure it is checked/+'d/enabled. In MBAE I went ahead and made custom shields then for SbieCtrl, SbieRPC, SbieDCOM, SbieCrypto, SbieBITS, & SbieSvc.

    I then took the measure of disabling both Sandboxie and MBAE, both from the taskbar and in System Services. And then turning them back on. And then rebooting my computer. And voila... working like a charm. Firefox is protected within Sandboxie along with Sandboxie's processes as well.

    Also if you're a D+ user that runs a tight ship (like I do), make sure to put all of SBIE's & FF's rules for Interprocess Memory Access to "Ask", along with any other programs you'll be using MBAE to protect. As mbae-svc.exe will need access to them. Then set it back to block after. Also make sure to keep the Interprocess Memory Access in the "Protection Settings" tab as Inactive, or it'll interfere. And do not create a shield for Sandboxie's "Start" process, or it'll prevent the sandbox from closing/deleting properly, at least to my experience.

    Hopefully this will clarify some things for people using this. With the right tweaks you can indeed get this thing working well with Sandboxie/Firefox, Comodo/D+, and everything else on my setup it seems. I feel this has made an already strong setup even better and I feel really good about where I'm at now.

    Congrats on a great product.
     
  16. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    @luciddream
    I've been using MBAE Premium with Sandboxie/Firefox for a while now. And to the best of my knowledge, it's been working fine. However, I just checked out your template and it looks like I've been using basically the same thing. However, I noticed that my template does not include the last two lines of your template (bolded above). What do these do -- and are they necessary?

    Also, I was wondering why you created the custom shields in MBAE that you mentioned (also bolded above). Are these really necessary?
     
  17. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,960
    I just got the auto update to premium v1.06.1.1019, after booting into my WSA/MBAE snapshot, a short time ago. :)
     
  18. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    The last four lines were recently added for various reasons.

    OpenIpcPath=$:mbae-svc.exe
    [added for SBIE 3.76 and XP in specific scenarios; I have yet to find evidence this is needed anywhere else! Still awaiting pbust's input on the risks with this, I don't like it but it does seem to be needed on XP sometimes! My suggestion is if you aren't on XP, REMOVE this line! I didn't want to publish multiple templates and add to the confusion but I really don't like this line and do NOT use it myself on Win7 x64!]

    InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
    [added to manually inject the dll on x86 systems from XP to 8]

    InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
    [added to manually inject the 32 bit dll on a x64 system when a x86 process is launched in SBIE.]

    InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
    [added to manually inject the 64 bit dll on a x64 system when a x64 process is launched in SBIE.]

    This allows the template to work on just about any system (and w SBIE 4.x; XP users are still stuck with 3.76 atm) without waiting for an updated detection\injection system for MBAE by manually injecting the dll using SBIE itself. A semi-dirty solution that will result in 'cmd is now protected' alerts from MBAE on SBIE apps but now allows it to do its job without manually toggling the protections inside MBAE after the app is launched in SBIE.

    I call it semi-dirty because it does what it's meant to but with a slight side effect. I managed to test this through the use of an older MBAE version that still showed the applied protections in the logs to verify that it worked as intended with guarded apps. It's not ideal and causes some odd 'cmd' notifications for SBIE apps that aren't designated as protected on some (most) systems but in the end it gets the job done and allows the use of both apps. Hopefully we will eventually get a cleaner solution with tweaks to the injection process making the last few lines old news but for now it's the simplest (although by no means elegant) solution for those wanting to use SBIE and MBAE together like I do. I'd like to see that day but at the same time I don't expect MB to spend a ton of resources figuring this issue out and I'd rather have them focused on making the product more secure as exploits evolve daily. I'll admit the injection issue has confused the &#@* outta me. (but then they won't let me debug it without signing legal documents [not that it'd likely help if I did debug it, rather n00b at that] :p so I've done all I can at this point.) Use the template or don't, I've reached the end of my abilities as far as aiding others in using both programs together for now goes.

    FYI: The sbie icons still stink! /glare @Peter2150 /justforfun
     
    Last edited: May 3, 2015
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,958
    Location:
    Mexico
    Like TomAZ I'm still a bit concerned about these shields. Are you sure they are really necessary?
     
  20. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I can't comment on that much, tbh the only one I have guarded is SbieSvc.exe (protected as 'other') as it is launched in each SBIE box app and I felt safer that way (the others should be considered children and guarded anyhow but I haven't verified this~guess I should...) I haven't noticed any ill effects so it certainly shouldn't hurt....

    Initial check w ProcExp shows that SandboxieRpcSs and SandboxieDcomLaunch are protected w mbae64.dll though if this is through the template or a result of being children of sbiesvc remains unclear atm. ( I was checking my browser which uses the x64 dll injection now) off for more tests....

    Well I tested Skype (x86) and the SandboxieCrypto exe was NOT showing an mbae dll in the process. I still don't see why they'd be 'needed' but unless you recognize a side effect I can't argue against such rules.
     
    Last edited: May 3, 2015
  21. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I wish I could answer this, but I literally just started playing around with this thing yesterday. I guess it could be misguided of me to mention it as if I'm recommending it to others while knowing so little. I'm in the process of feeling it out to find the answer to that question... and perhaps others can too now. I agree with the person above (who was instrumental in providing a lot of the info. that helped me out) that it likely can't hurt. But besides SbieSvc (which I can imagine benefits for) might not help either.

    But it's my hope that this gets people brighter than me finding those answers. Or given more time maybe even myself.
     
  22. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Thank you so much... your input has been invaluable.
     
    Last edited: May 3, 2015
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,958
    Location:
    Mexico
  24. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    You're welcome... but I did make a few mistakes. One pretty big one it seems. Apparently the template should go in the same, main Windows folder as the title. No wonder I was confused as to why I'd never heard it mentioned before to have to modify not just one, but two templates. But for some reason when I tried to put it all in there it didn't work for me. It only worked the way I explained in my post. I'll figure out why when I have time. My way it wouldn't be persistent in the event of an update. But then again I'll probably never, ever upgrade from v3.76 as long as I'm on XP anyway so it's pretty much irrelevant for me (but not everyone else obviously).

    And maybe syrinx will point out my other more minor oversights.

    My intentions were good anyway...
     
  25. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    You did a very good job and I appreciate the effort! Only a few minor corrections are needed to avoid further confusion. As he stated it is best to add the template to the sandboxie.ini rather than the template.ini as the sandboxie.ini persists through sandboxie versions whereas the template.ini is overwritten by each SBIE update and would require adding it each time SBIE is updated. Aside from that just a few minor path corrections across windows builds.

    Code:
    
    ----------------------------------------------------------------------------------------------------
    
    And there you go. Again, you may not use the C: directory like me so keep that in mind
    and update paths to reflect the actual install locations. If using Vista to Win 8 32-bit no extra
    lines will need to be included but feel free to remove the "OpenIpcPath=$:mbae-svc.exe"
    line as it (so far) only has been needed on XP. Use a 4.x version of Sandboxie!
    
    ----------------------------------------------------------------------------------------------------
    
    ----------------------------------------------------------------------------------------------------
    
    If using a 64-bit version of Windows Vista up to 8, use a 4.x version of Sandboxie first of all,
    and add these lines as well:
    
    InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
    InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
    
    and feel free to remove the "OpenIpcPath=$:mbae-svc.exe" line as it (so far) has only been
    needed on XP. And feel free to remove the "C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll" line as it only exists on x86 ONLY systems.
    ----------------------------------------------------------------------------------------------------
    
    The template as it exists on the MBAE forum is meant to be one-for-all and it works that way but steps such as this do show the control that could (should?) be used with the current template at the risk of complicating matters even more. Now that I've finally 'agreed' that this current template isn't a bad thing I'll soon make another 'better' guide for it including
    Brummelchen's info which allows us to add the template via the gui which I somehow missed all this time ~ after I double check it myself!
     
    Last edited: May 3, 2015
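The per-platform trimming that syrinx describes in posts 18 and 25 for luciddream's one-for-all template (post 15) is easy to get wrong by hand, since the same four tail lines mean different things on XP, 32-bit and 64-bit Windows. The script below is an added worked example, not code from this thread, from Sandboxie or from Malwarebytes. It parses the template exactly as posted (preserving the repeated OpenIpcPath/InjectDll keys, which configparser would collapse), keeps only the lines that apply to a given build (the `$:mbae-svc.exe` IPC line only on XP, the plain "Program Files" InjectDll only on 32-bit Windows, the "(x86)" InjectDll and InjectDll64 only on 64-bit Windows), warns about InjectDll paths that do not exist on the machine, and splices the result into Sandboxie.ini the way syrinx recommends: `Template=MBAE` under [GlobalSettings] and the section appended at the end, so it survives SBIE updates. The function names, the sample Sandboxie.ini and the MBAE install paths are assumptions taken from the posts; adjust the paths if MBAE is installed elsewhere.

```python
"""Build a per-platform [Template_MBAE] section and splice it into Sandboxie.ini.

Added example for this thread, not Sandboxie's or Malwarebytes' own code.
Platform rules follow syrinx's notes in the thread; paths are the posted ones.
"""
import os
import re
from typing import List, Tuple

Entry = Tuple[str, str]
SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")

# The one-for-all template exactly as posted in the thread (all three InjectDll lines).
ONE_FOR_ALL_TEMPLATE = r"""
[Template_MBAE]
Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC CONTROL*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
OpenIpcPath=$:mbae-svc.exe
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
"""

# Constructed sample of a minimal Sandboxie.ini; not taken from any real system.
SAMPLE_SANDBOXIE_INI = "[GlobalSettings]\nFileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%\n\n[DefaultBox]\nEnabled=y\n"


def parse_ini_sections(text: str) -> List[Tuple[str, List[Entry]]]:
    """Parse INI text into ordered (section_name, [(key, value), ...]) pairs.
    Hand-rolled on purpose: Sandboxie repeats keys (OpenIpcPath=, InjectDll=)
    and configparser would merge or reject those duplicates."""
    sections: List[Tuple[str, List[Entry]]] = []
    name: str = ""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        match = SECTION_RE.match(line)
        if match:
            if name:
                sections.append((name, entries))
            name, entries = match.group("name"), []
            continue
        key, sep, value = line.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed or orphaned line: {raw!r}")
        entries.append((key.strip(), value.strip()))
    if name:
        sections.append((name, entries))
    return sections


def select_for_platform(entries: List[Entry], *, windows_xp: bool, x64: bool) -> List[Entry]:
    """Keep only the template lines that apply to this Windows build (syrinx's rules)."""
    kept: List[Entry] = []
    for key, value in entries:
        lower = value.lower()
        if key == "OpenIpcPath" and lower == "$:mbae-svc.exe":
            if windows_xp:  # only observed to be needed with SBIE 3.76 on XP
                kept.append((key, value))
        elif key == "InjectDll64":
            if x64:  # 64-bit DLL for 64-bit processes launched in the box
                kept.append((key, value))
        elif key == "InjectDll":
            # "Program Files (x86)" exists only on 64-bit Windows; the plain
            # "Program Files" path holds the 32-bit DLL only on 32-bit Windows.
            if ("program files (x86)" in lower) == x64:
                kept.append((key, value))
        else:
            kept.append((key, value))
    return kept


def render_section(name: str, entries: List[Entry]) -> str:
    return "\n".join([f"[{name}]", *(f"{k}={v}" for k, v in entries)]) + "\n"


def missing_inject_dlls(entries: List[Entry]) -> List[str]:
    """InjectDll/InjectDll64 targets that are not present on this machine."""
    return [v for k, v in entries if k in ("InjectDll", "InjectDll64") and not os.path.isfile(v)]


def add_template_to_sandboxie_ini(ini_text: str, template_text: str, name: str = "MBAE") -> str:
    """Reference the template under [GlobalSettings] and append its section once.
    Safe to run repeatedly: an existing Template= line or section is left alone."""
    lines = ini_text.splitlines()
    ref, header = f"Template={name}", f"[Template_{name}]"
    start = next((i for i, l in enumerate(lines) if l.strip().lower() == "[globalsettings]"), None)
    if start is None:
        lines[:0] = ["[GlobalSettings]", ref, ""]
    else:
        end = start + 1
        while end < len(lines) and not SECTION_RE.match(lines[end].strip()):
            end += 1
        if not any(l.strip().lower() == ref.lower() for l in lines[start + 1:end]):
            lines.insert(start + 1, ref)
    if not any(l.strip().lower() == header.lower() for l in lines):
        if lines and lines[-1].strip():
            lines.append("")
        lines.extend(template_text.strip().splitlines())
    return "\n".join(lines) + "\n"


def build_for(windows_xp: bool, x64: bool) -> str:
    """Render the trimmed [Template_MBAE] section for one Windows build."""
    name, entries = parse_ini_sections(ONE_FOR_ALL_TEMPLATE)[0]
    return render_section(name, select_for_platform(entries, windows_xp=windows_xp, x64=x64))


if __name__ == "__main__":
    section = build_for(windows_xp=False, x64=True)  # e.g. Windows 7 x64 with SBIE 4.x
    print(add_template_to_sandboxie_ini(SAMPLE_SANDBOXIE_INI, section))
    # Sandboxie keeps Sandboxie.ini in UTF-16; write a real file back with encoding="utf-16".
    for path in missing_inject_dlls(parse_ini_sections(section)[0][1]):
        print("warning: InjectDll target not found:", path)
```

Run it with the real `C:\Windows\Sandboxie.ini` read in place of the constructed sample, then use Reload Configuration in Sandboxie Control as the posts describe; the `missing_inject_dlls` warnings catch the case syrinx points out where a path such as `C:\Program Files\...\mbae.dll` simply does not exist on the build you are on.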