Malwarebytes Anti Exploit

If it's not about a problem in the program
peterw
Posts: 99
Joined: Tue Dec 13, 2011 4:10 am

Post by peterw » Sat Jun 14, 2014 4:22 am

Hi all :)

Is Malwarebytes Anti Exploit compatible with Sandboxie? I cannot get them to work together.
Is there a workaround for this?
Win 7 Ultimate 64, Sandboxie 3.66

Der Moloch
Posts: 82
Joined: Sun Jun 23, 2013 11:22 am

Re: Malwarebytes Anti Exploit

Post by Der Moloch » Sat Jun 14, 2014 5:34 pm

They currently don't work together and there is no workaround for this issue yet.
One hour of FleischmannTV saves one square kilometre of precious pebble wasteland.

henryg
Posts: 520
Joined: Wed Nov 22, 2006 9:38 am

Re: Malwarebytes Anti Exploit

Post by henryg » Mon Jun 16, 2014 4:12 am

How don't they work together please? Will MBAE not work correctly outside a sandbox if Sandboxie is installed?
Henry

peterw
Posts: 99
Joined: Tue Dec 13, 2011 4:10 am

Re: Malwarebytes Anti Exploit

Post by peterw » Mon Jun 16, 2014 4:40 am

@henryg
The programs inside my Sandboxie do not get protected by Malwarebytes Anti Exploit, so you could say Sandboxie is doing its job well. :D

I would like it if Sandboxie could work with Malwarebytes Anti Exploit like EMET is allowed to. I wonder if there are any plans for this?

(I think it's to do with mbae.dll and mbae64.dll being stopped.)
Win 7 Ultimate 64, Sandboxie 3.66

henryg
Posts: 520
Joined: Wed Nov 22, 2006 9:38 am

Re: Malwarebytes Anti Exploit

Post by henryg » Mon Jun 16, 2014 10:17 am

Thanks Peter. I would only be worried should anything run outside or get out of a sandbox, and MBAE not work.

And I found yesterday that HitmanPro.Alert seems to work well again with Firefox (31b); and it has always worked with Sandboxie. So now I can run both again :D
Henry

Nix
Posts: 248
Joined: Wed Sep 11, 2013 12:15 am
Location: Philippines

Re: Malwarebytes Anti Exploit

Post by Nix » Fri Jun 20, 2014 8:17 am

Alternative: use version 3.76... MBAE works here (partially). It doesn't show the warning when it stops the MBAE-test; rather, it terminates the sandbox instantly.
Regards,
Nix

Win7 Ultimate (x64)


ky331
Posts: 55
Joined: Sun Mar 17, 2013 7:01 pm

Re: Malwarebytes Anti Exploit

Post by ky331 » Fri Jun 20, 2014 9:22 am

henryg,

You can safely install/use both MBAE and Sandboxie on your system. While MBAE itself does not function inside Sandboxie, MBAE will still do its job when running a NON-sandboxed application: For example, if you run Firefox inside Sandboxie, FF will have Sandboxie's protection; while if you run FF "normally" (i.e., outside of Sandboxie), FF will have MBAE's protection.

There are, however, (potential) conflicts between MBAE and HitmanPRO.Alert that you will have to consider... most users are discovering that they have to choose just one of these.

Nix
Posts: 248
Joined: Wed Sep 11, 2013 12:15 am
Location: Philippines

Re: Malwarebytes Anti Exploit

Post by Nix » Fri Jun 20, 2014 12:36 pm

@henryg

As MBAE is incompatible for now, IMO HitmanPro.Alert will suffice, as most of us don't do browsing like we did before (w/o Sandboxie). The alert notification is what's important, especially now that new forms of crypto malware are around. If an alert pops up, it's just a simple Ctrl+Shift+X, which instantly terminates my sandboxed browser.

https://www.youtube.com/watch?v=lz9yug6ccH4
Regards,
Nix

Win7 Ultimate (x64)


Curt@invincea
Sandboxie Lead Developer
Posts: 1638
Joined: Fri Jan 17, 2014 5:21 pm

Re: Malwarebytes Anti Exploit

Post by Curt@invincea » Fri Jun 20, 2014 6:11 pm

I do not know what the issues are with MBAE. In searching their forum, (https://forums.malwarebytes.org/index.p ... sandboxie/), I see that they state that Sbie is blocking them from injecting into the sandbox. I am not sure what they mean by this as Sbie does no such blocking. There are many other AV and security apps that can see & inject into sandboxed apps just fine.

No one from Malwarebytes has contacted Invincea. They must have been only dealing with Ronen.

ky331
Posts: 55
Joined: Sun Mar 17, 2013 7:01 pm

Re: Malwarebytes Anti Exploit

Post by ky331 » Fri Jun 20, 2014 6:56 pm

Curt,

I have just copied/pasted your most recent reply into the MBAE thread you cited in your post.

Hopefully, you and pbust will be able to discuss the issue, and come to a mutually-satisfactory solution.

It would really be nice to see these two programs operating compatibly.

henryg
Posts: 520
Joined: Wed Nov 22, 2006 9:38 am

Re: Malwarebytes Anti Exploit

Post by henryg » Sat Jun 21, 2014 4:10 am

It can be an advantage! MBAE kills the performance of any Java app, so running them in a sandbox solves 2 problems: they run at full speed; and I trust a self-deleting sandbox more than MBAE.

For a long time I didn't have Java installed, but I have one program that requires it. Sandboxie rules! :D
Henry

lylejk
Posts: 117
Joined: Thu Mar 26, 2009 5:19 pm

Re: Malwarebytes Anti Exploit

Post by lylejk » Sat Jun 21, 2014 6:29 pm

I've been running MBAE for months now; it's, of course, out of beta. Had no idea that it wasn't protecting anything inside the Sandboxie sessions, but still, I like having it to sort of protect my VM. I do run EMET in my host OS (Win7) but not in XP, nor will I. Of course I'm not running either Sandboxie or MBAE in my host itself since I rarely if ever browse with my host OS save very trusted sites (I know; still a risk). Still, SBIE is my main defense against anything, and recovering my VM to a known golden set point often has been a combination that's saved me (drive-bys, as I mentioned in other threads a while back). :)

btm
Posts: 160
Joined: Sat Nov 23, 2013 11:31 am

Re: Malwarebytes Anti Exploit

Post by btm » Tue Aug 05, 2014 2:19 pm

I still use 3.76 due to an unresolved issue with 4.x and Skype eating cpu needlessly. I refuse to use skype unsandboxed so I'm still stuck w 3.76.
I decided to install and test Anti Exploit even after reading that it was incompatible here.
After watching the Resource Access Monitor I came up with this.

[Template_MalwareBytes_AntiExploit]
Tmpl.Title=MalwareBytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_*
OpenIpcPath=\RPC Control\*MBAE_IPC_*

The sandboxed apps can now be injected with the mbae.dll and show up as shielded in the MBAE gui. Haven't done extensive testing but so far all seems good. Don't know if it'll work with 4.x but perhaps it'll be helpful for anyone still on 3.76 and wanting to use MBAE.

ky331
Posts: 55
Joined: Sun Mar 17, 2013 7:01 pm

Re: Malwarebytes Anti Exploit

Post by ky331 » Tue Aug 05, 2014 3:13 pm

btm,

I would like to test your suggestion/workaround for MBAE in Sandboxie 4.x, and want to make sure I understand how to implement it.

Do I simply copy/paste your template into Sandboxie.ini (located in C:\Windows for me), or do I copy/paste it into another file/location? After copying, must anything else be done to "activate" the template's use?

Or must it be created going through the Sandboxie control? --- if so, could you please detail the steps.

I tried a simple copy/paste into Sandboxie.ini, but nothing seems to be happening here.

btm
Posts: 160
Joined: Sat Nov 23, 2013 11:31 am

Re: Malwarebytes Anti Exploit

Post by btm » Tue Aug 05, 2014 4:14 pm

Pasting it into the ini then reloading the configuration in the control panel should allow it to be enabled as long as it detects the registry key for AntiExploit. (It's possible though unlikely that it uses different keys on x64 systems.) You may need to go to Software Compatibility after that to see if it pops up in the list or you could manually enable it in the ini settings:
Template=MalwareBytes_AntiExploit

The edit, reload and Software Compatibility are all found under the 'Configure' menu in the GUI.

Most likely there is something they may need to actually change in the 4.x builds for compatibility reasons or someone would have added something like this a long time ago.
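
An added example (not from the thread and not Sandboxie's or Malwarebytes' own code): a small Python audit of a Sandboxie.ini that lists the OpenIpcPath exceptions a sandbox ends up with once the template above is enabled, and reports templates that were pasted in but are not referenced by any Template= line. The [DefaultBox] section is constructed sample data; templates defined outside this one file are not considered.

```python
import re
from collections import defaultdict

# Constructed sample: btm's template plus a hypothetical sandbox section enabling it.
SAMPLE_INI = r"""
[DefaultBox]
Enabled=y
Template=MalwareBytes_AntiExploit

[Template_MalwareBytes_AntiExploit]
Tmpl.Title=MalwareBytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_*
OpenIpcPath=\RPC Control\*MBAE_IPC_*
"""

def parse_ini(text):
    """Parse section -> [(key, value)], keeping repeated keys such as OpenIpcPath
    (configparser's default strict mode rejects duplicates)."""
    sections, current = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections[current]  # register the section even if it has no keys
        elif current and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections

def open_ipc_rules(sections, box):
    """(origin, rule) for each OpenIpcPath effective in `box`, following its
    Template= lines to the matching [Template_<name>] sections in this file."""
    rules = []
    for key, value in sections.get(box, []):
        if key == "OpenIpcPath":
            rules.append((box, value))
        elif key == "Template":
            origin = "Template_" + value
            rules += [(origin, v) for k, v in sections.get(origin, []) if k == "OpenIpcPath"]
    return rules

def unused_templates(sections):
    """Templates defined in the file that no section enables with Template=."""
    enabled = {v for items in sections.values() for k, v in items if k == "Template"}
    defined = [s[len("Template_"):] for s in sections if s.startswith("Template_")]
    return sorted(set(defined) - enabled)
```

Each rule returned is an IPC path that sandboxed programs may reach directly outside the sandbox, so the list is what to review before enabling a template.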
