Antivirus/Anti-malware templates for SBIE

Utilities designed for use with Sandboxie
Post Reply
Craig@Invincea
Sandboxie Support
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area
Contact:

Antivirus/Anti-malware templates for SBIE

Post by Craig@Invincea » Fri May 13, 2016 8:50 am

This is where we will collate templates for 3rd party security products, etc. be used with SBIE to enable certain compatibility with programs running under the authority of SBIE...

If you have templates, please feel free to add them in this thread. I will search the forum and add ones I find as well. I'll edit the title as needed to ensure consistency if needed. Thanks!

Also, templates that are baked into SBIE already, many are showing their age and have not been updated and are stale. So, if anyone has edits to them that you'd like to post, please do that. We'll also review those submissions to possibly be included in future SBIE releases.

:!: The use of any such templates in this thread (or otherwise in this forum) will be at the discretion of the end user and shall not guarantee any level of support and the end user shall hold harmless the creator of said template as well as Sandboxie Holdings (Invincea, inc.) with that understanding. You also accept the knowledge that using such templates may open up security hole(s) within Sandboxie and may expose the user to unknown threats while online and/or cause SBIE not function correctly.

Sandboxie Holdings / Invincea recommends Windows Defender with SBIE.

Craig@Invincea
Sandboxie Support
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area
Contact:

HomeGuard

Post by Craig@Invincea » Fri May 13, 2016 8:53 am

@Syrinx
In light of the positive response from 'yoavpol' found here about the added line solving his problem with the web filter in HomeGuard Activity Monitor I'd like to submit the solution for review and potentially have it added/updated within the existing templates.ini for the HomeGuard template if it isn't deemed abnormally dangerous.

Even if it isn't updated in the templates, I'll repost it here in case any other HomeGuard Activity Monitor users also need to use the website filter within a program protected by Sandboxie.
The solution was to open a named pipe under [Global Setings] of the Sandboxie.ini, much like the default sandboxie templates are applied globally:

Code: Select all

OpenPipePath=\device\namedpipe\vg145erxiii*
Current Template as of 5.07.2

Code: Select all

[Template_HomeGuard]
Tmpl.Title=HomeGuard Activity Monitor
Tmpl.Class=Security
Tmpl.Url=http://veridium.net/
Tmpl.Scan=s
Tmpl.ScanService=HomeGuard AMC
OpenIpcPath=*\BaseNamedObjects*\*Ipc2Map*
OpenIpcPath=*\BaseNamedObjects*\*Ipc2Mutex*
OpenIpcPath=*\BaseNamedObjects*\mc2SWDIJ*
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW2*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\*AnswerBuf*Event*
OpenIpcPath=*\BaseNamedObjects*\*AnswerBuf*Map*
OpenIpcPath=$:vglset.exe
As a side note, there were a couple more numbers (sorry don't recall them) where I placed the * but I wasn't sure if they would change between pcs or versions of HomeGuard so I opted to add the * there but it may not have been needed~I only tested in one VM.

Craig@Invincea
Sandboxie Support
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area
Contact:

Mirillis Action

Post by Craig@Invincea » Fri May 13, 2016 8:54 am

@Syrinx
Here's another template in case anyone needs to use this program with sandboxed software. It can be used with Mirillis Action!. Action!, created some issues after injecting sandboxed programs (in this case Mumble) and causing them to crash when it couldn't communicate as (it) expected in some instances. The template doesn't allow Mirillis Action to be sandboxed, but rather just gets Action! to 'work correctly' with sandboxed programs. eg Action! must still be installed on the host [it uses a service] and no template will change that.

Code: Select all

[Template_MAction]

Tmpl.Title=Mirillis Action
Tmpl.Class=Misc
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mirillis Action!
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mirillis Action!
OpenWinClass=*ACTION_X*
OpenIpcPath=*\BaseNamedObjects*\ActionIpc*

Craig@Invincea
Sandboxie Support
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area
Contact:

MBAE Template

Post by Craig@Invincea » Fri May 13, 2016 8:55 am

Courtesy of @BTM aka @Syrinx

Windows Vista/7/8/10 32 bit & SBIE 4.x/5.x

Code: Select all

[Template_MBAE]

Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
Windows Vista/7/8/10 64 bit & SBIE 4.x/5.x

Code: Select all

[Template_MBAE]

Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll

Craig@Invincea
Sandboxie Support
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area
Contact:

Comodo Internet Security(CIS)

Post by Craig@Invincea » Fri May 13, 2016 8:56 am

Courtesy of @rpljhun

Comodo Internet Security(CIS) Compatibility Setting.
Enable CIS compatibily settings in sandboxie.
Add this under global settings:

Code: Select all

ClosedFilePath=*\guard64.dll
For CIS Enabled HIPS:
Add HIPS Rules for SbieSvc.exe set to Installer or Updater

For CIS Enabled Autosandbox:
You need to add ignore sandbox rules for any unrecognized applications by CIS
By default any unrecognized applications will be auto sandbox by CIS
To avoid inconvenience disable autosandbox.

If everything goes well, you may update the template.

Code: Select all

[Template_ComodoInternetSecurity]
Tmpl.Title=Comodo Internet Security / Antivirus / Firewall
Tmpl.Class=Security
Tmp.Url=http://www.comodo.com/home/internet-security/free-internet-security.php
Tmpl.Scan=s
Tmpl.ScanService=cmdGuard
ClosedFilePath=*\Guard32.dll
ClosedFilePath=*\guard64.dll

Syrinx
Sandboxie Guru
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

Malwarebytes 3

Post by Syrinx » Tue Feb 21, 2017 11:02 am

This is just a minor tweak to the old MBAE template [found above] to work with the new build of Malwarebytes 3 which now includes the Anti-Exploit module.
The only real difference is a path change to point at the new location of the dll with this program.

If you didn't install MB3 with the default directory selected you'll still need to manually alter the path of the InjectDll= lines to reflect the mbae*.dlls real locations.

Code: Select all

[Template_MB3]

Tmpl.Title=Malwarebytes 3 Anti Exploit Component (Vista,7,8,10)
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanService=MBAMService
InjectDll64=C:\Program Files\Malwarebytes\Anti-Malware\mbae64.dll
InjectDll=C:\Program Files\Malwarebytes\Anti-Malware\mbae.dll
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
Goo.gl/p8qFCf

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest