Malwarebytes Anti Exploit
Re: Malwarebytes Anti Exploit
Can anyone confirm that on the new version (MBAE 1.07.1.1015) these lines aren't needed:
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dl
Thanks!
Regards,
Nix
Win7 Ultimate (x64)
Re: Malwarebytes Anti Exploit
Nix wrote: Can anyone confirm that on the new version (MBAE 1.07.1.1015) these lines aren't needed:
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dl
Thanks!

Nope. For me they are still needed.
Windows 8.1 x64/x86 EN | Sandboxie latest beta or stable | All software latest versions unless stated otherwise
Re: Malwarebytes Anti Exploit
has anyone had success getting a template working for 32-bit XP? I've just tested the posted template for 32-bit - It triggers a prompt for software compatibility, but that's it - no injection
-
- Sandboxie Support
- Posts: 3523
- Joined: Thu Jun 18, 2015 3:00 pm
- Location: DC Metro Area
- Contact:
Re: Malwarebytes Anti Exploit
rm22 wrote: has anyone had success getting a template working for 32-bit XP? I've just tested the posted template for 32-bit - It triggers a prompt for software compatibility, but that's it - no injection

We haven't worked on that template. And given XP has long since sun-setted, I'd more worry about that fact.
Re: Malwarebytes Anti Exploit
Craig@Invincea wrote: We haven't worked on that template. And Given XP has long since sun-setted, I'd more worry about that fact.

right - all the more reason to secure it well. I'm just resurrecting an old PC to use as a spare for surfing - so i just need to lock down the browser well - there's no data to steal
Re: Malwarebytes Anti Exploit
rm22 wrote: has anyone had success getting a template working for 32-bit XP? I've just tested the posted template for 32-bit - It triggers a prompt for software compatibility, but that's it - no injection

On Windows XP the template posted will only work alongside SBIE 3.76.
Otherwise with Windows Vista to 8 (and now up to Windows 10) it continues to work with the template and all the latest SBIE versions 4.x-5.x so far (so far being the SBIE 5.13.5 beta and MBAE 1.09.1.x).
I never was able to figure out why it wouldn't work with SBIE 4.x+ on XP but I suspect it's yet another MBAE quirk [Like the one that prevents it from injecting the dll into a sandboxed program in the first place while 99% of other security programs don't have a problem...].
Either way I never saw anything in the (many) procmon (and resource monitor) logs I sifted through that showed access to anything relevant being denied, just for some reason the MBAE service would stop communicating with the sandboxed program shortly after it started trying. I haven't looked at it in a while but I still can't really think of anything else to attempt on this end :-/
Goo.gl/p8qFCf
Re: Malwarebytes Anti Exploit
Syrinx wrote: On Windows XP the template posted will only work alongside SBIE 3.76.
Otherwise with Windows Vista to 8 (and now up to Windows 10) it continues to work with the template and all the latest SBIE versions 4.x-5.x so far (so far being the SBIE 5.13.5 beta and MBAE 1.09.1.x).
I never was able to figure out why it wouldn't work with SBIE 4.x+ on XP but I suspect it's yet another MBAE quirk [Like the one that prevents it from injecting the dll into a sandboxed program in the first place while 99% of other security programs don't have a problem...].
Either way I never saw anything in the (many) procmon (and resource monitor) logs I sifted through that showed access to anything relevant being denied, just for some reason the MBAE service would stop communicating with the sandboxed program shortly after it started trying. I haven't looked at it in a while but I still can't really think of anything else to attempt on this end :-/

great - thanks for the info. I've just been having a look at the change logs since 3.76 - there have been a few security fixes, but mainly compatibility fixes. I think I'd be better off security wise running 3.76 + MBAE VS the latest Sbie, but am not sure - comments anyone? my current config is
OS
router FW + WFW
Sbie (restrictions locked down)
NVT ERP
Zemana ZAL+ZAM beta
Secunia PSI
Firefox(hardened): uBlockO(global block 3rd Party scripts/frames)
Re: Malwarebytes Anti Exploit
rm22 wrote: great - thanks for the info. I've just been having a look at the change logs since 3.76 - there have been a few security fixes, but mainly compatibility fixes. I think I'd be better off security wise running 3.76 + MBAE VS the latest Sbie, but am not sure - comments anyone?

My primary argument (basically just in my own head thus far) for using MBAE alongside SBIE has been that SBIE doesn't attempt to prevent exploits. SBIE just does its job and contains anything that happens inside [and it does it well] so that even if something bad happens inside it doesn't get onto your system. BUT I'd prefer to stop things like that before the SBIE protections are even needed, which is where MBAE comes in. MBAE could really aid users where an exploit is used even if it [and the end result] is only 'within' that one sandbox.
I haven't had to choose since I'm not stuck with Windows XP but I can't say for sure which I would decide on. There's a decent chance it'd be SBIE as it covers sooo many more scenarios but at the same time I'd hate to lose the exploit [prevention] protection.
In my time using MBAE I haven't encountered a single 'real exploit prevention event' but instead I have seen a couple of false positives, specifically, with java based programs such as Minecraft but *only* when combined with SBIE. I consider myself a safe browser so generally I am just worried about rogue ads or evil server operators making use of an exploit in one of my internet facing apps.
Thankfully I don't have to worry about *actually* making that choice as I can get them to play well together on my Win 7 (and now even a Win10 [Kids]) system(s) but I understand it could be a difficult choice.
SBIE protects in a broad way but MBAE still fills a crucial role (IMO) that SBIE doesn't even attempt to stop, it just contains it if it happens. Anti-Exploits help prevent those bad things from happening but don't do anything to help if it slips past.
I'm a firm believer in prevention instead of curing but with SBIE in the mix the cure is generally just to end the session and remove the contents of the sandbox [assuming you even know something bad is inside but auto delete is also good in mitigating this]. It doesn't get much easier. For XP, where they don't get along though, it'd really be a matter of what you think is best for your setup. There are, of course, other options aside from MBAE that you could use for exploit protection while still retaining the latest versions of SBIE even on XP. It's also possible to create rather strict rules within SBIE that would mitigate a great many exploits. That's up to the user to define such rules though.
Then there's the other side where some Windows based kernel flaw might get exploited and SBIE doesn't have a chance [purely theoretical] but a layer in MBAE or some other anti-exploit has a chance of detecting and preventing it. Dealing with such what-ifs is something of a lottery before (if) they happen though.
So, basically, I'd suggest you weigh things yourself and decide what you think is best for YOUR setup. (Don't you love it when someone makes you read a ton of words and doesn't answer the question?!)
Goo.gl/p8qFCf
Re: Malwarebytes Anti Exploit
You guys need to pressure the MBAE folks. HMPA works alongside SBIE, because the authors made the effort to make it work. Pedro Bustamante didn't. If you don't force the issue with him and marcyn then nothing will happen.
Re: Malwarebytes Anti Exploit
Syrinx wrote: I haven't had to choose since I'm not stuck with Windows XP but I can't say for sure which I would decide on. There's a decent chance it'd be SBIE as it covers sooo many more scenarios but at the same time I'd hate to lose the exploit [prevention] protection.

Thanks for the reply - I'm just looking at rolling back to Sbie 3.76 so I can use MBAE as well. I wouldn't consider using XP without Sbie.
Re: Malwarebytes Anti Exploit
Well I had to roll back to Sbie 3.76 anyway because of what seems to be a compatibility issue with XP - the "Hide" notification rules weren't working in 5.12, but they are working fine with 3.76. I haven't seen this issue on any other Windows version so likely just an XP issue.
I still can't get MBAE to work with Sbie 3.76 on XP - looking through this forum more closely, it doesn't look like anyone else ever succeeded in getting a template working on XP either. So I think I'll give up on this and move on
Re: Malwarebytes Anti Exploit
"I still can't get MBAE to work with Sbie 3.76 on XP"

Why are you using such an antiquated version of SBIE? Even on XP?
To hide notifications, simply add this to the ini
SbieCtrl_HideWindowNotify=n
Re: Malwarebytes Anti Exploit
rm22 wrote: I still can't get MBAE to work with Sbie 3.76 on XP - looking through this forum more closely, it doesn't look like anyone else ever succeeded in getting a template working on XP either. So I think I'll give up on this and move on :)

There are some older templates floating around so I'm not sure which one you used but here is the last set I worked on that should do the trick for XP up to 10 broken down into three sub templates so that you don't have any un-needed lines active.

btm wrote: OpenIpcPath=$:mbae-svc.exe (Added recently only for SBIE 3.x and XP as I still haven't gotten SBIE 4.x and MBAE on XP to play nice though I can't find anything being blocked in the Resource Access Monitor or by manually looking through several procmon instances; doesn't seem to be needed on any other combo and I don't use it. | Can't recall if I tested this with 3.x on Vista or 7 so it may be needed there as well though I am unsure...though it never popped up with SBIE 4.x on my Win 7 x64)

XP will need the XPMBAE & 32MBAE templates active and still only works with 3.x.
Also please take Note of the InjectDll= lines. If you changed the install path of MBAE the dll paths won't work unless you update them in the template as they won't be found and as such won't get injected.
[Template_XPMBAE]
Tmpl.Title=MBAE (For use on XP with SBIE 3.76 ONLY;template_32MBAE still required)
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ModuleCompatibility
OpenIpcPath=$:mbae-svc.exe
[Template_32MBAE]
Tmpl.Title=Malwarebytes Anti-Exploit (x86) Vista,7,8,10
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
[Template_64MBAE]
Tmpl.Title=Malwarebytes Anti-Exploit (x64) Vista,7,8,10
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
Goo.gl/p8qFCf
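
Added example, not part of the original thread and not Sandboxie or MBAE code: the post above notes that if the MBAE install path differs from the InjectDll= lines, the DLL is not found and not injected. The Python below parses template text and reports InjectDll/InjectDll64 lines whose target is not a .dll or does not exist on disk; the function names and the sample template are constructed for illustration.

```python
import os

# Constructed sample in the shape of the templates in this thread; the
# InjectDll64 line carries the truncated ".dl" extension from the first post.
SAMPLE = r"""
[Template_64MBAE]
Tmpl.Title=Malwarebytes Anti-Exploit (x64) Vista,7,8,10
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dl
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
"""


def parse_templates(text):
    """Return {section: [(key, value), ...]}.

    Keys such as OpenIpcPath repeat within a section, so a list of pairs is
    kept instead of a dict (hypothetical helper, not a Sandboxie API).
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return sections


def check_inject_paths(text, exists=os.path.exists):
    """Return (section, key, path, problem) for suspect InjectDll lines.

    `exists` is injectable so the check can be tested off the target machine.
    """
    findings = []
    for section, settings in parse_templates(text).items():
        for key, path in settings:
            if key.lower() not in ("injectdll", "injectdll64"):
                continue
            if not path.lower().endswith(".dll"):
                findings.append((section, key, path, "not a .dll path"))
            elif not exists(path):
                findings.append((section, key, path, "file not found"))
    return findings


if __name__ == "__main__":
    for finding in check_inject_paths(SAMPLE):
        print(" | ".join(finding))
```

Run it on the machine where MBAE is installed, with the template text read from the Sandboxie configuration, so the default os.path.exists check sees the real install directory.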
Re: Malwarebytes Anti Exploit
Craig@Invincea wrote: Why are you using such an antiquated version of SBIE? Even on XP?
To hide notifications, simply add this to the ini
SbieCtrl_HideWindowNotify=n
For security and a better user experience, I suggest you use 5.12 or the most recent beta. We won't troubleshoot that old of a version.

Hi Craig - sorry, I should have addressed my post to 'Syrinx', I know you guys have moved on from XP
But just FYI if you're interested, with Sbie 5.12 on XP, the "hide" commands in the GUI are not functioning - no rules are added to the ini file - and if I add the rules manually to the ini file they don't work anyway (but i did put them in the [sandbox] section, not 'user settings' so not sure if that caused the issue?). But Sbie 3.76 seems to be fully functional on XP
Last edited by rm22 on Thu Aug 25, 2016 1:47 am, edited 1 time in total.
Re: Malwarebytes Anti Exploit
Syrinx wrote: XP will need the XPMBAE & 32MBAE templates active and still only works with 3.x.
Also please take Note of the InjectDll= lines. If you changed the install path of MBAE the dll paths won't work unless you update them in the template as they won't be found and as such won't get injected.

aahhh - Thanks!! I missed the XPMBAE template. I'll give it a try tomorrow