[Template_MBAE] ~ local template

bjm
Posts: 458
Joined: Sat Aug 02, 2008 4:24 pm

[Template_MBAE] ~ local template

Post by bjm » Wed Nov 11, 2015 7:39 pm

Hello Sandboxers,
I want to add MBAE local template. I found this config on Wilders. Anyone know if it looks okay.

[Template_MBAE]

Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
OpenIpcPath=$:mbae-svc.exe
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll

** OpenIpcPath=$:mbae-svc.exe is for XP and
** InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll is for 32bit OS

And.....
May I add Local Template via Sandboxie Control Edit Configuration and Reload.
Do I need to add Local Template to Sandboxie\Templates.
What is Local Template placement "best practice".
Anything else.

Thanks
Sandboxie 5.25.2 - W10 Home 1703 (15063.1058) - WebrootSA 9.0.20.31 - Firefox 59.0.3

btm
Posts: 160
Joined: Sat Nov 23, 2013 11:31 am

Re: [Template_MBAE] ~ local template

Post by btm » Wed Nov 11, 2015 9:12 pm

Hopefully someone else will chime in but I can assure you there are no intentional holes or a single line that isn't needed somewhere even if some are only needed on XP or for x64 bit OSs, etc...you can find the original thread along with following how the template reached the state it's in now with a rather detailed list of what each line is for on the third page: http://forums.sandboxie.com/phpBB3/view ... 17&t=19132

As for adding it, I've found pasting it into the sandboxie.ini to be the easiest but if you want to use the GUI adding it to the local area under Applications would be your best bet. I remember someone suggesting doing it that way but I don't remember why I preferred to do it manually. I tend to review my rules reading the INI instead of the interface anyhow. It's been a couple months since I've done anything concerning both MBAE & SBIE though so it's not exactly fresh in my head.
This account has been abandoned. If you need to PM me, please send a message to Syrinx.

bjm
Posts: 458
Joined: Sat Aug 02, 2008 4:24 pm

Re: [Template_MBAE] ~ local template

Post by bjm » Wed Nov 11, 2015 10:27 pm

Oh, my bad for not posting to MBAE Thread. I'll ask to be moved there.

So, on W8.1 x64 go for all lines as is...?

Yeah, following as best I could over at Wilders. I found suggestions to add it by Sandboxie Control > Edit Configuration > Reload, and others suggest adding it to the Official Configuration Template and to Sandboxie Control > Edit Config.

I didn't know if I should touch Official Configuration Template because at top it states.
# Invincea Sandbox Official Configuration Templates
#
# PLEASE DO NOT EDIT

Then again I didn't know where to add lines. Whether placement is critical.

And yes, there's a suggestion for Applications > Local > Create New > paste. That seems easiest. And thanks for reminding me.
I just didn't know "best practice" for adding local.
Whether Create New > paste was all I needed to do.
btm wrote: As for adding it, I've found pasting it into the sandboxie.ini
By sandboxie.ini do you mean Edit Config or Sandboxie\Templates?

Am I looking for per browser sandbox or Global

Thanks,
Sandboxie 5.25.2 - W10 Home 1703 (15063.1058) - WebrootSA 9.0.20.31 - Firefox 59.0.3

btm
Posts: 160
Joined: Sat Nov 23, 2013 11:31 am

Re: [Template_MBAE] ~ local template

Post by btm » Wed Nov 11, 2015 11:07 pm

I wasn't suggesting the thread should be moved over to the other one. I just wanted to point you to where you could see the history of the 'user template.'

Adding it to the default template.ini is pointless as that is overwritten upon each upgrade/update of SBIE which would require adding it every time.

I found it easiest to suggest adding the Template=MBAE (along w the actual template you noted before) to the sandboxie.ini as global since it covered 'all bases' but I'll also admit that for some reason it behaves a tad differently when added to specific sandbox(s) [different as in the cmd issue doesn't occur] and that's what I've ended up doing on my end with the ones that I want protected with MBAE (tho I have many other sandboxes; some of which are persistent). A few comments on that subject can be seen in the thread though I never covered those differences after I noticed them and made my initial comments.

I would have to test it again to see why I preferred the 'ini' edit method over adding it to the local section but at this time all I remember is that I did. It could be something as simple as I didn't feel it warranted updating the steps again. :-/
This account has been abandoned. If you need to PM me, please send a message to Syrinx.

bjm
Posts: 458
Joined: Sat Aug 02, 2008 4:24 pm

Re: [Template_MBAE] ~ local template

Post by bjm » Wed Nov 11, 2015 11:55 pm

btm wrote: I wasn't suggesting the thread should be moved over to the other one. I just wanted to point you to where you could see the history of the 'user template.'
Yes, I know. I was thinking maybe better there. I read Craig wants to collect Locals to a dedicated board.

Anyway, I'm not versed in the lingo. By "Adding it to the default template.ini" do you mean Sandboxie Control Default Sandbox, or do you mean the Invincea Sandbox Official Configuration Templates that state PLEASE DO NOT EDIT? And what is meant by "You may place local (custom) templates in your Sandbox.ini"? What is my Sandboxie.ini?

Sorry, I'm not versed in speaking sandboxie language.

And ...I'm lost by Template=MBAE. I don't find any Template= with Official Configuration Templates ...so, I don't know where to place Template=MBAE and then where to place template/lines/code from opening post in relationship to Template=MBAE

There's a pattern of spacing and # in the Official Configuration Templates and I don't want to bork it up.

What happens if I just do Application > Local > Create New > paste. Where does paste go.

As you can tell. I'm working with dedicated browser sandboxes that come by Sandboxie Control and that's about the extent of my customization. A few Direct and Full Access.

So, be gentle with me.
Sandboxie 5.25.2 - W10 Home 1703 (15063.1058) - WebrootSA 9.0.20.31 - Firefox 59.0.3

btm
Posts: 160
Joined: Sat Nov 23, 2013 11:31 am

Re: [Template_MBAE] ~ local template

Post by btm » Thu Nov 12, 2015 12:24 am

The templates.ini is the 'default' or shall we say "real" SBIE template pool which can be found in the installation directory, normally : C:\Program Files\Sandboxie\Templates.ini (I also used the entries there to create most of the rules in the end after my initial attempts proved limited)
That's the one that gets replaced every update or install and contains the 'official' compatibility entries. (That'd be the one that says # PLEASE DO NOT EDIT)
Adding anything to that one is kinda pointless since it gets replaced.

As for the addition of the Template=MBAE
that line was related to adding it to the C:\Windows\Sandboxie.ini directly though that's only to skip checking "Configure > Software Compatibility" through the GUI 'after' the template is added. I figured if someone is adding the template directly one more line shouldn't be that hard but perhaps the local template approach would be easier for most people in the end. I'll have to test it again soon to figure out why I didn't like that option....

So for now let's say you should add it to the Applications > Local templates through the GUI and then check the Menu > Configure > Software Compatibility to ensure it was 'detected' and activate it if it's not enabled already after adding the template.

The last few 'InjectDll' lines are for the default location of MBAE though, so if you've selected another installation path those will need to be updated or the Template will not work. This is due to a continuing issue with MBAE not even trying to inject into SBIE protected programs (I haven't figured out why) and were it not for those lines or the ability to inject them directly 'via SBIE', they may not work together for most people even today.

It's still not a clean solution but it does work in most situations with XP being a noticeable exception. The template continues to function with 5.x (so far) and MBAE on my end.

As a last side note, during the info I left in that thread I mentioned needing to remove the BlockProcessAccess Addon in order to prevent crashes along w MBAE. This hasn't been the case with newer versions of MBAE and the template along w SBIE in its current form and I still use it as a limited form of 'sandboxie+appguard' inside the box though with my setup it's a bit repetitive..
This account has been abandoned. If you need to PM me, please send a message to Syrinx.
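A small linter for the wiring btm describes above: a Template=NAME line in a box or in [GlobalSettings] only takes effect if a matching [Template_NAME] section exists in Templates.ini or Sandboxie.ini, a template needs a Tmpl.Title to show up under Software Compatibility, and the InjectDll paths must match the real MBAE install directory. This is an added example, not Sandboxie's or Malwarebytes' code; the two ini snippets and the list of present DLLs are constructed, and the only assumption about Sandboxie's parser is that keys may repeat within a section, as the templates in this thread already show.

```python
"""Linter for Sandboxie.ini template wiring (added example, not Sandboxie's own code).

Sandboxie.ini is INI-like but a key may repeat inside a section (several
Template= or OpenIpcPath= lines), so configparser is unsuitable and a small
multi-value parser is used instead.
"""
from collections import defaultdict

# Constructed sample of the official pool (C:\Program Files\Sandboxie\Templates.ini),
# trimmed to a single entry; the real file holds many [Template_*] sections.
OFFICIAL_INI = """\
# Invincea Sandbox Official Configuration Templates
# PLEASE DO NOT EDIT
[Template_Firefox_Force]
Tmpl.Title=Force Firefox
Tmpl.Class=WebBrowser
ForceProcess=firefox.exe
"""

# Constructed sample Sandboxie.ini with two deliberate mistakes: the Firefox box
# references Template=MBAE while the section is named Template_Local_MBAE, and
# InjectDll64 points at a directory that is not the real MBAE install path.
LOCAL_INI = """\
[GlobalSettings]
FileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%

[Firefox]
ConfigLevel=7
Template=MBAE
Template=Firefox_Force

[Template_Local_MBAE]
Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Local
OpenIpcPath=*\\BaseNamedObjects*\\MBAE_IPC_PROTECTION*
InjectDll=C:\\Program Files (x86)\\Malwarebytes Anti-Exploit\\mbae.dll
InjectDll64=D:\\Tools\\MBAE\\mbae64.dll
"""

# Constructed, lower-cased list of DLLs present on the machine; on a real box
# it would be built with os.path.exists() over the InjectDll values.
PRESENT_DLLS = {
    r"c:\program files (x86)\malwarebytes anti-exploit\mbae.dll",
    r"c:\program files (x86)\malwarebytes anti-exploit\mbae64.dll",
}


def parse_sandboxie_ini(text):
    """Return {section: [(key, value), ...]}, keeping order and repeated keys."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment (Templates.ini header uses '#')
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section; Sandboxie ignores it too
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def lint_templates(sections, present_dlls=None):
    """Return human-readable findings about template references and inject paths."""
    findings = []
    known = {n[len("Template_"):] for n in sections if n.startswith("Template_")}
    # 1. Every Template=NAME line in a box or GlobalSettings must resolve.
    for sect, items in sections.items():
        if sect.startswith(("Template_", "UserSettings_")):
            continue
        for key, value in items:
            if key == "Template" and value not in known:
                findings.append(
                    f"[{sect}] Template={value}: no [Template_{value}] section in "
                    "Templates.ini or Sandboxie.ini, so the line does nothing")
    # 2. Each template section needs a title and valid InjectDll paths.
    for name, items in sections.items():
        if not name.startswith("Template_"):
            continue
        keys = defaultdict(list)
        for key, value in items:
            keys[key].append(value)
        if not keys["Tmpl.Title"]:
            findings.append(f"[{name}] has no Tmpl.Title, so it will not be listed "
                            "under Configure > Software Compatibility")
        if present_dlls is not None:
            for key in ("InjectDll", "InjectDll64"):
                for dll in keys[key]:
                    if dll.lower() not in present_dlls:
                        findings.append(
                            f"[{name}] {key} path not found on this machine: {dll}")
    return findings


def run_sample():
    """Lint the constructed official + local configuration and return findings."""
    merged = parse_sandboxie_ini(OFFICIAL_INI)
    merged.update(parse_sandboxie_ini(LOCAL_INI))
    return lint_templates(merged, PRESENT_DLLS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```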

bjm
Posts: 458
Joined: Sat Aug 02, 2008 4:24 pm

Re: [Template_MBAE] ~ local template

Post by bjm » Thu Nov 12, 2015 1:21 am

Okay, before reading your last message.
I added template/lines from opening post to Applications > Local > Create New
So, I have [+] Malwarebytes Anti-Exploit in Local (unofficial) in my Firefox sandbox.

Firefox not sandbox'd shows Firefox is now protected....
Firefox sandbox'd shows cmd is now protected...

I now find Template=Local_MBAE
[Firefox]

ConfigLevel=7
Template=Local_MBAE
Template=Firefox_Force
Template=BlockPorts

1) Okay, from here on templates.ini is C:\Program Files\Sandboxie
2) Software Compatibility does not show [ ] Malwarebytes Anti-Exploit
3) MBAE is default location Program Files (x86)
4) I ran the little Exploit test and logged two events fwiw.
5) I do not find evidence of MBAE in Sandboxie Control > Sandbox Firefox ...?
6) Do I need Full Access for MBAE like I had with HMP.A..?
7) Do I leave MBAE running with browser closed...?
8) Is there any in browser test to run...to test injection is satisfied...?
9) I'm not running AG at this time. Is there issue with MBAE or Sandboxie..?
10) re: BlockProcessAccess Addon.... not following...sorry!
Thanks
Sandboxie 5.25.2 - W10 Home 1703 (15063.1058) - WebrootSA 9.0.20.31 - Firefox 59.0.3

btm
Posts: 160
Joined: Sat Nov 23, 2013 11:31 am

Re: [Template_MBAE] ~ local template

Post by btm » Thu Nov 12, 2015 2:02 am

I'd need to run it through a fresh VM to be sure but from what you've said it looks like MBAE is working inside that Firefox sandbox. Enabling MBAE's logs and checking those could help you verify that but I'd also suggest you download and use the MBAE test program to be sure. I believe it launches calc or (pops up with an exploit block alert and) prevents it (when working). I always found the easiest way to check injection was using Process Explorer but that may only be because it's one of my go to apps already.

Evidence of if the template is active wouldn't be found inside a specific box but rather the "Software Compatibility" section under the "Configure" menu option found in the main GUI.

https://support.malwarebytes.org/custom ... ?b_id=6440
As for testing it, try downloading then right clicking on that utility and running it sandboxed in the box you are concerned with to see if it is working there. [It sounds like you may have done this but it was hard to tell so I wanted to be sure]

Much of the other info I mentioned about AppGuard or the Block Process Access was just 'extra stuff' I added in an effort to be precise with my experience but wasn't actually related to you or your question here.

MBAE normally runs 'in the background' (not counting the gui) so unless you manually shut it down it should either function (within sandboxie) while the template is working properly or not. Nothing to mess with on that end...There are no instances I am aware of where full access should be made available [anywhere] in order to get them to play nicely.
This account has been abandoned. If you need to PM me, please send a message to Syrinx.

bjm
Posts: 458
Joined: Sat Aug 02, 2008 4:24 pm

Re: [Template_MBAE] ~ local template

Post by bjm » Thu Nov 12, 2015 7:34 am

Hello btm,
I think we may be close .....but,......

Software Compatibility does not show Malwarebytes Anti-Exploit.
I'm thinking Software Compatibility is Global only.

1) Exploit Test run out-side sandbox > bubble dialog = Malwarebytes Anti-Exploit Test is now protected by Malwarebytes Anti-Exploit.
2) Exploit Test run in-side sandbox > bubble dialog = for a nano-second > cmd is now protected by Malwarebytes Anti-Exploit....then bubble dialog changes to > Malwarebytes Anti-Exploit Test is now protected by Malwarebytes Anti-Exploit.
3) Exploit Test Normal = Calculator and Exploit = Exploit dialog in and not in sandbox.

A) Firefox run in-side sandbox > bubble dialog = cmd is now protected by Malwarebytes Anti-Exploit.
I never see in bubble dialog Firefox is now protected by Malwarebytes Anti-Exploit.

Note: Exploit Test shows in bubble for a nano-second cmd then shows in the bubble Malwarebytes Anti-Exploit Test.

Note: Firefox in-side sandbox shows cmd in bubble dialog and never changes to Firefox in the bubble dialog.

B) I'm imagining, with Firefox sandbox.... I should see Firefox is now protected by Malwarebytes Anti-Exploit.
The same way I see Malwarebytes Anti-Exploit Test is now protected by Malwarebytes Anti-Exploit.

C) Exploit Test run in / out of sandbox renders bubble Malwarebytes Anti-Exploit Test is now protected by Malwarebytes Anti-Exploit.

*** Firefox run in-side sandbox renders bubble > cmd is now protected by Malwarebytes Anti-Exploit.

*** Firefox run out-side sandbox renders bubble > Mozilla Firefox (and add-ons) is now protected by Malwarebytes Anti-Exploit.

*** I'm thinking Firefox run in-side sandbox should render bubble dialog > Mozilla Firefox (and add-ons) is now protected by Malwarebytes Anti-Exploit.

W8.1 x64 + Firefox x64 + v5.06 ~~ Sandboxie Control > Configure > Edit Configuration >

Code:

[GlobalSettings]

ActivationPrompt=y
FileRootPath=C:\Sandbox\%USER%\%SANDBOX%
TemplateReject=7zipShellEx
TemplateReject=SynapticsTouchPad
TemplateReject=WindowsLive
TemplateReject=OfficeLicensing
EditAdminOnly=n
ForceDisableAdminOnly=n
ForgetPassword=n

[UserSettings_026000CD]

SbieCtrl_UserName=bj
SbieCtrl_BoxExpandedView=DefaultBox
SbieCtrl_NextUpdateCheck=1434702450
SbieCtrl_UpdateCheckNotify=n
SbieCtrl_ShowWelcome=n
SbieCtrl_WindowCoords=200,150,1031,527
SbieCtrl_ActiveView=40021

[UserSettings_082E01AD]

SbieCtrl_UserName=bjms
SbieCtrl_ShowWelcome=n
SbieCtrl_NextUpdateCheck=1555555555
SbieCtrl_UpdateCheckNotify=y
SbieCtrl_AutoApplySettings=n
SbieCtrl_WindowCoords=383,99,1031,626
SbieCtrl_ActiveView=40021
SbieCtrl_HideWindowNotify=n
SbieCtrl_TerminateWarn=n
SbieCtrl_SettingChangeNotify=n
SbieCtrl_ProcessViewColumnWidths=250,70,300
SbieCtrl_EnableLogonStart=n
SbieCtrl_EnableAutoStart=y
SbieCtrl_AddDesktopIcon=n
SbieCtrl_AddQuickLaunchIcon=n
SbieCtrl_AddContextMenu=y
SbieCtrl_AddSendToMenu=y
SbieCtrl_AutoRunSoftCompat=y
SbieCtrl_HideMessage=2221,dllhost.exe [Firefox]
SbieCtrl_HideMessage=1301,iexplore.exe
SbieCtrl_HideMessage=1301,chrome.exe
SbieCtrl_HideMessage=2221,dllhost.exe [TestBox]
SbieCtrl_HideMessage=1301,firefox.exe
SbieCtrl_HideMessage=2221,rundll32.exe [InternetExplorer]
SbieCtrl_HideMessage=2221,dllhost.exe [InternetExplorer]
SbieCtrl_HideMessage=1307,dllhost.exe [InternetExplorer]
SbieCtrl_RecoverTarget=C:\Users\bjms\Desktop
SbieCtrl_SaveRecoverTargets=y
SbieCtrl_ReloadConfNotify=n
SbieCtrl_EditConfNotify=n
SbieCtrl_BoxExpandedView=Chrome,Default,Firefox,InternetExplorer,TestBox,WMPlayer

[Default]

ConfigLevel=7
Template=Chrome_Profile_DirectAccess
Template=Firefox_Profile_DirectAccess
Template=IExplore_Cookies_DirectAccess
Template=AutoRecoverIgnore
Template=LingerPrograms
Template=BlockPorts
Template=WindowsFontCache
Template=IExplore_Favorites_DirectAccess
RecoverFolder=%Desktop%
RecoverFolder=%Personal%
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%My Pictures%
BorderColor=#00FFFF,off
Enabled=y
BoxNameTitle=n
NotifyInternetAccessDenied=y
ProcessGroup=<StartRunAccess>,plugin-container.exe,firefox.exe,chrome.exe,iexplore.exe,crashreporter.exe,dllhost.exe,AdblockPlusEngine.exe,rundll32.exe,broker64.exe,KeePass.exe,notepad.exe,FlashPlayerPlugin_17_0_0_188.exe,SnippingTool.exe,nacl64.exe,cmd.exe,WerFault.exe,coNatHst.exe,control.exe
ProcessGroup=<InternetAccess>,chrome.exe,firefox.exe,iexplore.exe,dllhost.exe,rundll32.exe,crashreporter.exe,coNatHst.exe
NotifyStartRunAccessDenied=y
OpenPipePath=\Device\NamedPipe\hmpalert
OpenPipePath=*\mailslot\NVTInj\*
DropAdminRights=y
OpenFilePath=C:\Windows\CryptoGuard\
OpenFilePath=C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
OpenFilePath=C:\Program Files (x86)\WOT\WSS.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
ClosedIpcPath=!<StartRunAccess>,*

[TestBox]

Enabled=y
ConfigLevel=7
Template=WindowsFontCache
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
BorderColor=#00FFFF,off
BoxNameTitle=n
NotifyStartRunAccessDenied=y
NotifyInternetAccessDenied=y
OpenPipePath=*\mailslot\NVTInj\*
RecoverFolder=%Desktop%
RecoverFolder=%My Pictures%
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
AutoDelete=y
NeverDelete=n
DropAdminRights=y

[InternetExplorer]

ConfigLevel=7
Template=IExplore_Force
Template=WindowsFontCache
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
RecoverFolder=%My Pictures%
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#00FFFF,off
Enabled=y
BoxNameTitle=n
NotifyInternetAccessDenied=n
ProcessGroup=<StartRunAccess>,iexplore.exe,AdblockPlusEngine.exe,rundll32.exe,dllhost.exe
ProcessGroup=<InternetAccess>,iexplore.exe,AdblockPlusEngine.exe
NotifyStartRunAccessDenied=y
OpenPipePath=*\mailslot\NVTInj\*
OpenFilePath=C:\Program Files (x86)\WOT\WSS.exe
OpenFilePath=C:\Windows\CryptoGuard\
NeverDelete=n
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
LeaderProcess=iexplore.exe
ClosedIpcPath=!<StartRunAccess>,*
AutoDelete=y
DropAdminRights=y

[Chrome]

ConfigLevel=7
Template=Chrome_Force
Template=WindowsFontCache
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
RecoverFolder=%My Pictures%
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#4080FF,off
Enabled=y
BoxNameTitle=y
NotifyInternetAccessDenied=y
ProcessGroup=<StartRunAccess>,plugin-container.exe,chrome.exe,KeePass.exe,SnippingTool.exe,dllhost.exe,nacl64.exe,cmd.exe,conathst.exe,WerFault.exe
ProcessGroup=<InternetAccess>,chrome.exe,conathst.exe
NotifyStartRunAccessDenied=y
DropAdminRights=y
OpenFilePath=C:\Program Files (x86)\WOT\WSS.exe
OpenFilePath=C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
OpenFilePath=C:\Windows\CryptoGuard\
LeaderProcess=chrome.exe
OpenPipePath=*\mailslot\NVTInj\*
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
AutoDelete=y
NeverDelete=n
ClosedIpcPath=!<StartRunAccess>,*

[Firefox]

ConfigLevel=7
Template=Local_MBAE
Template=Firefox_Force
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
RecoverFolder=%My Pictures%
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#00FFFF,off
Enabled=y
BoxNameTitle=n
NotifyInternetAccessDenied=y
ProcessGroup=<StartRunAccess>,firefox.exe,plugin-container.exe,mbae-test.exe
ProcessGroup=<InternetAccess>,firefox.exe
NotifyStartRunAccessDenied=y
LeaderProcess=firefox.exe
NeverDelete=n
AutoDelete=y
DropAdminRights=y
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
OpenFilePath=C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
OpenFilePath=%AppData%\Mozilla\Firefox\Profiles\br0fgu8r.default\prefs.js
OpenFilePath=%AppData%\Mozilla\Firefox\Profiles\br0fgu8r.default\permissions.sqlite
OpenFilePath=%AppData%\Mozilla\Firefox\Profiles\br0fgu8r.default\content-prefs.sqlite
OpenFilePath=%AppData%\Mozilla\Firefox\Profiles\br0fgu8r.default\places.sqlite
OpenPipePath=*\mailslot\NVTInj\*
ClosedIpcPath=!<StartRunAccess>,*

[WMPlayer]

Enabled=y
ConfigLevel=7
Template=WindowsFontCache
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#00FFFF,off
BoxNameTitle=n
ForceProcess=wmplayer.exe
NotifyInternetAccessDenied=y
ClosedFilePath=InternetAccessDevices
NotifyStartRunAccessDenied=y
DropAdminRights=y
ProcessGroup=<StartRunAccess>,wmplayer.exe,explorer.exe,rundll32.exe
ClosedIpcPath=!<StartRunAccess>,*
AutoDelete=y
NeverDelete=n
LeaderProcess=wmplayer.exe
OpenPipePath=*\mailslot\NVTInj\*

[Template_Local_MBAE]

Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
OpenIpcPath=$:mbae-svc.exe
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
Tmpl.Class=Local
Last edited by bjm on Thu Nov 12, 2015 10:31 am, edited 1 time in total.
Sandboxie 5.25.2 - W10 Home 1703 (15063.1058) - WebrootSA 9.0.20.31 - Firefox 59.0.3

Craig@Invincea
Sandboxie Support
Posts: 3523
Joined: Thu Jun 18, 2015 3:00 pm
Location: DC Metro Area
Contact:

Re: [Template_MBAE] ~ local template

Post by Craig@Invincea » Thu Nov 12, 2015 9:19 am

LOL. And I did collect this for my on going repository. :) No worries on moving it. Once I gather some more, they all will be posted under a new section.

btm
Posts: 160
Joined: Sat Nov 23, 2013 11:31 am

Re: [Template_MBAE] ~ local template

Post by btm » Thu Nov 12, 2015 1:52 pm

Yeah it looks like you're seeing the 'side effect' of the forced injection via SBIE which tries to inject/protect everything ran. SBIE uses cmd in the background and so this is why it shows up instead when launching.
The cmd notifications are not supposed to ever show up, so they are a direct result of the forced injection. I don't think there's an easy way currently without disabling the notifications altogether, but that's not a solution. We'll have to take a closer look at that sometime.
https://forums.malwarebytes.org/index.p ... ble/page-2

I just checked my logs in MBAE and it does still show cmd followed by the actual program, it just happens so quickly that it doesn't update the notification alert fast enough to see both in most cases. If you enable 'Log protection events' in the settings of MBAE then you should see something similar with Firefox being logged around a second of the cmd protection that the pop up shows. I have the notification tooltips disabled so I'm not bothered by this inconsistency. It'll still pop up with an alert box in most cases when it protects you though.

I'd still have to check to be sure but if it's not showing up in the Software Compatibility section then that would be enough of a reason for me to continue suggesting adding it manually.
If you wanted to add it globally (inside SBIE) and be able to see it in that section yours would end up looking like (I also removed a few lines from the template you shouldn't need on Win8 x64):

Code:

[GlobalSettings]

ActivationPrompt=y
FileRootPath=C:\Sandbox\%USER%\%SANDBOX%
Template=MBAE
TemplateReject=7zipShellEx
TemplateReject=SynapticsTouchPad
TemplateReject=WindowsLive
TemplateReject=OfficeLicensing
EditAdminOnly=n
ForceDisableAdminOnly=n
ForgetPassword=n

[Template_MBAE]

Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll

[UserSettings_026000CD]

SbieCtrl_UserName=bj
SbieCtrl_BoxExpandedView=DefaultBox
SbieCtrl_NextUpdateCheck=1434702450
SbieCtrl_UpdateCheckNotify=n
SbieCtrl_ShowWelcome=n
SbieCtrl_WindowCoords=200,150,1031,527
SbieCtrl_ActiveView=40021

[UserSettings_082E01AD]

SbieCtrl_UserName=bjms
SbieCtrl_ShowWelcome=n
SbieCtrl_NextUpdateCheck=1555555555
SbieCtrl_UpdateCheckNotify=y
SbieCtrl_AutoApplySettings=n
SbieCtrl_WindowCoords=383,99,1031,626
SbieCtrl_ActiveView=40021
SbieCtrl_HideWindowNotify=n
SbieCtrl_TerminateWarn=n
SbieCtrl_SettingChangeNotify=n
SbieCtrl_ProcessViewColumnWidths=250,70,300
SbieCtrl_EnableLogonStart=n
SbieCtrl_EnableAutoStart=y
SbieCtrl_AddDesktopIcon=n
SbieCtrl_AddQuickLaunchIcon=n
SbieCtrl_AddContextMenu=y
SbieCtrl_AddSendToMenu=y
SbieCtrl_AutoRunSoftCompat=y
SbieCtrl_HideMessage=2221,dllhost.exe [Firefox]
SbieCtrl_HideMessage=1301,iexplore.exe
SbieCtrl_HideMessage=1301,chrome.exe
SbieCtrl_HideMessage=2221,dllhost.exe [TestBox]
SbieCtrl_HideMessage=1301,firefox.exe
SbieCtrl_HideMessage=2221,rundll32.exe [InternetExplorer]
SbieCtrl_HideMessage=2221,dllhost.exe [InternetExplorer]
SbieCtrl_HideMessage=1307,dllhost.exe [InternetExplorer]
SbieCtrl_RecoverTarget=C:\Users\bjms\Desktop
SbieCtrl_SaveRecoverTargets=y
SbieCtrl_ReloadConfNotify=n
SbieCtrl_EditConfNotify=n
SbieCtrl_BoxExpandedView=Chrome,Default,Firefox,InternetExplorer,TestBox,WMPlayer

[Default]

ConfigLevel=7
Template=Chrome_Profile_DirectAccess
Template=Firefox_Profile_DirectAccess
Template=IExplore_Cookies_DirectAccess
Template=AutoRecoverIgnore
Template=LingerPrograms
Template=BlockPorts
Template=WindowsFontCache
Template=IExplore_Favorites_DirectAccess
RecoverFolder=%Desktop%
RecoverFolder=%Personal%
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%My Pictures%
BorderColor=#00FFFF,off
Enabled=y
BoxNameTitle=n
NotifyInternetAccessDenied=y
ProcessGroup=<StartRunAccess>,plugin-container.exe,firefox.exe,chrome.exe,iexplore.exe,crashreporter.exe,dllhost.exe,AdblockPlusEngine.exe,rundll32.exe,broker64.exe,KeePass.exe,notepad.exe,FlashPlayerPlugin_17_0_0_188.exe,SnippingTool.exe,nacl64.exe,cmd.exe,WerFault.exe,coNatHst.exe,control.exe
ProcessGroup=<InternetAccess>,chrome.exe,firefox.exe,iexplore.exe,dllhost.exe,rundll32.exe,crashreporter.exe,coNatHst.exe
NotifyStartRunAccessDenied=y
OpenPipePath=\Device\NamedPipe\hmpalert
OpenPipePath=*\mailslot\NVTInj\*
DropAdminRights=y
OpenFilePath=C:\Windows\CryptoGuard\
OpenFilePath=C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
OpenFilePath=C:\Program Files (x86)\WOT\WSS.exe
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
ClosedIpcPath=!<StartRunAccess>,*

[TestBox]

Enabled=y
ConfigLevel=7
Template=WindowsFontCache
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
BorderColor=#00FFFF,off
BoxNameTitle=n
NotifyStartRunAccessDenied=y
NotifyInternetAccessDenied=y
OpenPipePath=*\mailslot\NVTInj\*
RecoverFolder=%Desktop%
RecoverFolder=%My Pictures%
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
AutoDelete=y
NeverDelete=n
DropAdminRights=y

[InternetExplorer]

ConfigLevel=7
Template=IExplore_Force
Template=WindowsFontCache
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
RecoverFolder=%My Pictures%
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#00FFFF,off
Enabled=y
BoxNameTitle=n
NotifyInternetAccessDenied=n
ProcessGroup=<StartRunAccess>,iexplore.exe,AdblockPlusEngine.exe,rundll32.exe,dllhost.exe
ProcessGroup=<InternetAccess>,iexplore.exe,AdblockPlusEngine.exe
NotifyStartRunAccessDenied=y
OpenPipePath=*\mailslot\NVTInj\*
OpenFilePath=C:\Program Files (x86)\WOT\WSS.exe
OpenFilePath=C:\Windows\CryptoGuard\
NeverDelete=n
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
LeaderProcess=iexplore.exe
ClosedIpcPath=!<StartRunAccess>,*
AutoDelete=y
DropAdminRights=y

[Chrome]

ConfigLevel=7
Template=Chrome_Force
Template=WindowsFontCache
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
RecoverFolder=%My Pictures%
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#4080FF,off
Enabled=y
BoxNameTitle=y
NotifyInternetAccessDenied=y
ProcessGroup=<StartRunAccess>,plugin-container.exe,chrome.exe,KeePass.exe,SnippingTool.exe,dllhost.exe,nacl64.exe,cmd.exe,conathst.exe,WerFault.exe
ProcessGroup=<InternetAccess>,chrome.exe,conathst.exe
NotifyStartRunAccessDenied=y
DropAdminRights=y
OpenFilePath=C:\Program Files (x86)\WOT\WSS.exe
OpenFilePath=C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
OpenFilePath=C:\Windows\CryptoGuard\
LeaderProcess=chrome.exe
OpenPipePath=*\mailslot\NVTInj\*
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
AutoDelete=y
NeverDelete=n
ClosedIpcPath=!<StartRunAccess>,*

[Firefox]

ConfigLevel=7
Template=Firefox_Force
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
RecoverFolder=%My Pictures%
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#00FFFF,off
Enabled=y
BoxNameTitle=n
NotifyInternetAccessDenied=y
ProcessGroup=<StartRunAccess>,firefox.exe,plugin-container.exe,mbae-test.exe
ProcessGroup=<InternetAccess>,firefox.exe
NotifyStartRunAccessDenied=y
LeaderProcess=firefox.exe
NeverDelete=n
AutoDelete=y
DropAdminRights=y
ClosedFilePath=!<InternetAccess>,InternetAccessDevices
OpenFilePath=C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
OpenFilePath=%AppData%\Mozilla\Firefox\Profiles\br0fgu8r.default\prefs.js
OpenFilePath=%AppData%\Mozilla\Firefox\Profiles\br0fgu8r.default\permissions.sqlite
OpenFilePath=%AppData%\Mozilla\Firefox\Profiles\br0fgu8r.default\content-prefs.sqlite
OpenFilePath=%AppData%\Mozilla\Firefox\Profiles\br0fgu8r.default\places.sqlite
OpenPipePath=*\mailslot\NVTInj\*
ClosedIpcPath=!<StartRunAccess>,*

[WMPlayer]

Enabled=y
ConfigLevel=7
Template=WindowsFontCache
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
RecoverFolder=%{374DE290-123F-4565-9164-39C4925E467B}%
RecoverFolder=%Personal%
RecoverFolder=%Desktop%
BorderColor=#00FFFF,off
BoxNameTitle=n
ForceProcess=wmplayer.exe
NotifyInternetAccessDenied=y
ClosedFilePath=InternetAccessDevices
NotifyStartRunAccessDenied=y
DropAdminRights=y
ProcessGroup=<StartRunAccess>,wmplayer.exe,explorer.exe,rundll32.exe
ClosedIpcPath=!<StartRunAccess>,*
AutoDelete=y
NeverDelete=n
LeaderProcess=wmplayer.exe
OpenPipePath=*\mailslot\NVTInj\*
This account has been abandoned. If you need to PM me, please send a message to Syrinx.

bjm
Posts: 458
Joined: Sat Aug 02, 2008 4:24 pm

Re: [Template_MBAE] ~ local template

Post by bjm » Thu Nov 12, 2015 2:33 pm

btm wrote: I just checked my logs in MBAE and it does still show cmd followed by the actual program, it just happens so quickly that it doesn't update the notification alert fast enough to see both in most cases. If you enable 'Log protection events' in the settings of MBAE then you should see something similar with Firefox being logged around a second of the cmd protection that the pop up shows. I have the notification tooltips disabled so I'm not bothered by this inconsistency. It'll still pop up with an alert box in most cases when it protects you though.
I have 'Log protection events' enabled.
Is the reference to Mozilla Firefox before or after the reference to cmd? I only see the reference to cmd by Firefox sandbox'd.

When I run Exploit Test sandbox'd I see reference to Malwarebytes.
When I run Exploit Test sandbox'd, I'm calling cmd. Correct, Yes/No?
Tell me again why running Firefox sandbox'd only shows cmd. Why does cmd not resolve to Mozilla Firefox for me but apparently resolves for you? Are you suggesting some quirky timing anomaly? cmd remains until the bubble fades.
I've read 'Is there a way to make SBIE x4 and MBAE compatible' earlier. Not understanding most at the time.
Posted 26 April 2015 - 10:50 PM
The cmd notifications are not supposed to ever show up, so they are a direct result of the forced injection. We'll have to take a closer look at that sometime.
Posted 26 April 2015 - 10:50 PM ..... wonder if they're still looking...

So, if I follow. cmd is okay and in essence somehow means Mozilla Firefox (and all add-ons) is protected by.....
Just that from my perspective the dialog 'cmd is protected' is not telling the same as '(and all add-ons) protected'. cmd is protected means SBIE injection is protected.

Well, I'll clean up [Template_MBAE] and observe. Did you make any other changes....?
Sandboxie 5.25.2 - W10 Home 1703 (15063.1058) - WebrootSA 9.0.20.31 - Firefox 59.0.3

bjm
Posts: 458
Joined: Sat Aug 02, 2008 4:24 pm

Re: [Template_MBAE] ~ local template

Post by bjm » Thu Nov 12, 2015 3:04 pm

:idea: Looked in Logs. Time Stamp anomaly is logging what I'm not seeing. Bizarre. Thanks :!:
MBAE cmd and Mozilla is now protected.PNG
(I also removed a few lines from the template you shouldn't need on Win8 x64):
Your revised code left line > InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll < for 32bit OS
and removed > InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
Edit: see correction below

:?:
Last edited by bjm on Thu Nov 12, 2015 4:22 pm, edited 1 time in total.
Sandboxie 5.25.2 - W10 Home 1703 (15063.1058) - WebrootSA 9.0.20.31 - Firefox 59.0.3

btm
Posts: 160
Joined: Sat Nov 23, 2013 11:31 am

Re: [Template_MBAE] ~ local template

Post by btm » Thu Nov 12, 2015 3:29 pm

The revised template was correct:

InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
Inject this dll for a 32 bit application on a 64bit OS
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
Inject this dll for a 64 bit application on a 64bit OS

InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
That line only works on a 32bit OS as on a 64bit OS it's installed under C:\Program Files (x86)\ so that Inject path won't exist

If they were broken down it'd end up something like this:

XP & Sandboxie 3.x ONLY

[Template_MBAE]

Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
OpenIpcPath=$:mbae-svc.exe
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
Windows Vista/7/8/10 32 bit & SBIE 4.x/5.x

[Template_MBAE]

Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
Windows Vista/7/8/10 64 bit & SBIE 4.x/5.x

[Template_MBAE]

Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
This account has been abandoned. If you need to PM me, please send a message to Syrinx.
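The bitness rules btm spells out above (32-bit MBAE on a 64-bit OS lives under Program Files (x86) and registers under Wow6432Node, InjectDll64 only matters on a 64-bit OS, and the OpenIpcPath=$:mbae-svc.exe form belongs to the XP/Sandboxie 3.x variant) are easy to get wrong when pasting a template together from forum notes, which is exactly what happened earlier in this thread. The following is an added example, not Sandboxie's or Malwarebytes' own code: a small linter that parses a [Template_*] section and reports the lines that cannot apply on the OS you are targeting. The two embedded templates are copied from btm's breakdown above; the severity labels and function names are my own choices.

```python
"""Lint a Sandboxie [Template_*] section against the OS bitness it is meant for.

Added example (not part of Sandboxie or MBAE). Rules encoded, as given in the
thread: on a 64-bit OS the 32-bit MBAE build installs under Program Files (x86)
and registers under Wow6432Node; InjectDll64 is only useful on a 64-bit OS; the
OpenIpcPath=$:mbae-svc.exe form appears only in the XP/Sandboxie 3.x variant.
"""
from typing import List, Optional, Tuple

Entry = Tuple[str, str]
Finding = Tuple[str, str]  # (severity, message); severity is "error" or "note"

# Copied from btm's breakdown above (XP & Sandboxie 3.x variant).
TEMPLATE_XP = r"""
[Template_MBAE]
Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
OpenIpcPath=$:mbae-svc.exe
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
"""

# Copied from btm's breakdown above (Vista/7/8/10 64-bit & SBIE 4.x/5.x variant).
TEMPLATE_X64 = r"""
[Template_MBAE]
Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
"""


def parse_template(text: str) -> Tuple[Optional[str], List[Entry]]:
    """Parse one Sandboxie.ini-style section into (section name, [(key, value), ...]).

    Keys repeat legitimately (several InjectDll= / OpenIpcPath= lines), so the
    entries are kept as an ordered list rather than collapsed into a dict.
    """
    section: Optional[str] = None
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" not in line:
            raise ValueError(f"malformed template line: {raw!r}")
        key, _, value = line.partition("=")
        entries.append((key.strip(), value.strip()))
    return section, entries


def lint_template(text: str, os_is_64bit: bool) -> List[Finding]:
    """Report template lines that cannot apply on a 32- or 64-bit Windows."""
    section, entries = parse_template(text)
    findings: List[Finding] = []
    if not section or not section.startswith("Template_"):
        findings.append(("error", f"section name {section!r} does not start with Template_"))
    for key, value in entries:
        lowered = value.lower()
        if key == "InjectDll":
            if os_is_64bit and lowered.startswith("c:\\program files\\"):
                findings.append(("error", f"InjectDll={value}: path will not exist on a 64-bit OS "
                                          "(32-bit MBAE installs under Program Files (x86))"))
            if not os_is_64bit and "(x86)" in lowered:
                findings.append(("error", f"InjectDll={value}: no Program Files (x86) on a 32-bit OS"))
        elif key == "InjectDll64" and not os_is_64bit:
            findings.append(("error", f"InjectDll64={value}: 64-bit DLL has no use on a 32-bit OS"))
        elif key == "Tmpl.ScanKey":
            has_wow = "wow6432node" in lowered
            if os_is_64bit and not has_wow:
                findings.append(("error", f"Tmpl.ScanKey={value}: 32-bit MBAE registers under "
                                          "Wow6432Node on a 64-bit OS"))
            if not os_is_64bit and has_wow:
                findings.append(("error", f"Tmpl.ScanKey={value}: Wow6432Node does not exist on a 32-bit OS"))
        elif key == "OpenIpcPath" and value.startswith("$:"):
            findings.append(("note", f"OpenIpcPath={value}: process-name form is listed only in "
                                     "the XP/Sandboxie 3.x variant"))
    return findings


def errors(findings: List[Finding]) -> List[str]:
    """Only the findings that mean a line cannot work on the chosen OS."""
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    for name, tmpl in (("XP", TEMPLATE_XP), ("x64", TEMPLATE_X64)):
        for sev, msg in lint_template(tmpl, os_is_64bit=True):
            print(f"[{sev}] {name} template on a 64-bit OS: {msg}")
```

Run as-is it checks both variants against a 64-bit OS: the x64 template comes back clean, while the XP template is flagged for its Program Files InjectDll path and for a ScanKey without Wow6432Node, which is the same mismatch bjm hit with the combined Wilders template. The linter deliberately does not touch the OpenIpcPath patterns beyond the $: form, since their correctness depends on what MBAE actually creates at runtime, not on OS bitness.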

bjm
Posts: 458
Joined: Sat Aug 02, 2008 4:24 pm

Re: [Template_MBAE] ~ local template

Post by bjm » Thu Nov 12, 2015 4:20 pm

Ah! I had collected random notes from Wilders and obviously I made big boo-boos. 32bit programs on x64

So, with your huge hand holding. Applications > Local > Create New > Paste > works per sandbox.

And Logs reflect what I'm not seeing in bubble because ..... stuff happens.
And you have Tmpl.Class=Security > while I have Tmpl.Class=Local


:D
Sandboxie 5.25.2 - W10 Home 1703 (15063.1058) - WebrootSA 9.0.20.31 - Firefox 59.0.3
