Is there a way to make SBIE x4 and MBAE compatible


Baldape

After I saw your post about the flow I re-checked that myself, as it hadn't shown up as an actual process in any of my tests. A search did show it in a few lines elsewhere as if it was going to be used though. Manually running cmd shows up in the logs, so it doesn't seem to be a hardcoded ignore. I'm not sure what that's all about. It's been confusing me as well.

  • Staff

Internally there's some logic in MBAE as to whether to inject cmd or not as it is sometimes used by certain types of exploits.

But that shouldn't be injecting if you're only running notepad from within Sandboxie (unless of course you added some custom shields for either Sandboxie, cmd or notepad).

Maybe the last additions to the template are always trying to force injection of the dll?

Yes, the templates are 'always attempting an injection', they don't discriminate, but as I noted before, on certain OSes, such as Windows 7 x86, when those are added per box (rather than in the template) and an app not guarded in the MBAE list is run in that same box, it works perfectly. On Windows 7 x64 it always tries to inject using that same setup, so it's highly confusing.

Sure. As a side note, the cmd protection notice is usually followed by another for whatever app was launched in the sandbox; from the way you explained it, I'm guessing it's due to the 'chain' that follows after cmd and MBAE sees them as linked. The pop-ups aren't my greatest concern though, it's what protections are being applied to these apps not in the list, e.g. will they cause trouble for other apps that are sandboxed but not 'intentionally guarded by MBAE' down the line type thinking.

Malwarebytes Anti-Exploit_Newer.zip

  • Staff

I wouldn't worry about it. Worst case scenario, there's more protection being applied to sandboxed processes. If you do encounter an FP under Sandboxie that does not occur normally outside the sandbox, then it's something interesting to look at.

Yeah, that was my thinking as well. I don't remember if it was on this forum or Wilders, but after I thought about it I kinda liked the idea. I just didn't want it to cause more issues than it solved. As the logs in the GUI no longer display the protections being used, I was worried it might be applying all of them by default or something, which would increase the chances of issues. I'm only one person, but I haven't seen anything negative yet.

The template manually injecting the DLLs is still kinda a 'dirty' solution IMO, but at least it has worked for everything except XP so far, so with your response I'm a bit more comfortable with it being suggested in the FAQ. btw, THANKS for taking a look so late on a Sunday after you've been traveling all last week =) Much appreciated!

I can deal with the cmd notifications, but can you think of any way to silence them (or identify and ignore those started by SBIE, and the rest of the chain) without interfering with 'real' notifications concerning cmd? I can't ~ but I figured I'd ask anyway, as it's likely to create a lot of tickets otherwise.

  • Staff

The cmd notifications are not supposed to ever show up, so they are a direct result of the forced injection. I don't think there's an easy way currently without disabling the notifications altogether, but that's not a solution. We'll have to take a closer look at that sometime.
