Frequently Asked Questions


pbust

  • Staff

How do I protect programs running within Sandboxie?

According to reports from multiple users, Sandboxie can be configured to allow MBAE to protect applications running within Sandboxie.

Under 32bit Operating Systems -> Use Sandboxie 3.76

Under 64bit Operating Systems -> Use Sandboxie 4.x

In order to enable this workaround, users must manually edit the C:\Windows\Sandboxie.ini file with the following entries and reload the configuration.
Once the Sandboxie.ini is open (Notepad works fine for this), add "Template=MBAE" to the Global Settings found at the top.

Example

[GlobalSettings]
Template=MBAE

Then scroll down to the bottom of the Sandboxie.ini and append this template.

[Template_MBAE]
Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
OpenIpcPath=$:mbae-svc.exe
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll

Once the changes have been added, save the file and open Sandboxie Control. Select the menu option 'Configure' then 'Reload Configuration'.

MBAE should now be able to protect applications contained within Sandboxie.

Hat-tip to btmp aka syrinx for his great work and thorough tests to come up with this excellent guidance for running MBAE alongside Sandboxie.

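The post above describes the edit by hand. As an added example (not from the forum post, and not code from Malwarebytes or Sandboxie), the script below applies the same two changes to a Sandboxie.ini and checks that they are present. It assumes only what the post shows: the "Template=MBAE" reference in [GlobalSettings] and the [Template_MBAE] section exactly as posted. Sandboxie.ini is not a standard INI file (the same key, such as OpenIpcPath, repeats inside one section), so the script works on raw lines rather than using configparser, which would merge or reject the duplicates. The sample file at the bottom is constructed for the demonstration; the UTF-16 LE handling in patch_file reflects how Sandboxie saves the file and is stated here as an assumption to verify against your own copy. Reloading the configuration in Sandboxie Control is still a separate step after the file is written.

```python
"""Idempotently wire the MBAE template into a Sandboxie.ini (added example)."""
from __future__ import annotations

import re
from pathlib import Path

# The template exactly as posted in the thread above. Install paths are the
# MBAE defaults; adjust them if MBAE lives elsewhere on your machine.
MBAE_TEMPLATE = r"""[Template_MBAE]
Tmpl.Title=Malwarebytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
OpenIpcPath=$:mbae-svc.exe
InjectDll=C:\Program Files\Malwarebytes Anti-Exploit\mbae.dll
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
"""

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def parse_sections(text: str) -> list[tuple[str | None, list[str]]]:
    """Split INI text into (section name, body lines) pairs in file order.
    Lines before the first header get the name None. Repeated keys stay as
    separate lines, which is what Sandboxie.ini relies on."""
    sections: list[tuple[str | None, list[str]]] = [(None, [])]
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), []))
        else:
            sections[-1][1].append(line)
    return sections


def render(sections: list[tuple[str | None, list[str]]], newline: str) -> str:
    out: list[str] = []
    for name, body in sections:
        if name is not None:
            out.append(f"[{name}]")
        out.extend(body)
    return newline.join(out) + newline


def values(body: list[str], key: str) -> list[str]:
    """Every value of `key` in one section body (keys may repeat)."""
    found = []
    for line in body:
        if "=" in line and not line.lstrip().startswith("#"):
            k, v = line.split("=", 1)
            if k.strip().lower() == key.lower():
                found.append(v.strip())
    return found


def find(sections: list[tuple[str | None, list[str]]], name: str) -> int:
    for i, (n, _) in enumerate(sections):
        if n is not None and n.lower() == name.lower():
            return i
    return -1


def check_mbae(text: str) -> list[str]:
    """Return a list of problems; an empty list means the workaround is wired up."""
    sections = parse_sections(text)
    problems: list[str] = []
    g = find(sections, "GlobalSettings")
    if g < 0:
        problems.append("no [GlobalSettings] section")
    elif "mbae" not in [v.lower() for v in values(sections[g][1], "Template")]:
        problems.append("[GlobalSettings] lacks Template=MBAE")
    t = find(sections, "Template_MBAE")
    if t < 0:
        problems.append("no [Template_MBAE] section")
    elif not values(sections[t][1], "InjectDll") and not values(sections[t][1], "InjectDll64"):
        problems.append("[Template_MBAE] has no InjectDll/InjectDll64 entry")
    return problems


def enable_mbae(text: str) -> str:
    """Add Template=MBAE to [GlobalSettings] and append [Template_MBAE] if absent.
    Running it again on the result changes nothing."""
    newline = "\r\n" if "\r\n" in text else "\n"
    sections = parse_sections(text)
    g = find(sections, "GlobalSettings")
    if g < 0:                      # no global section yet: create it at the top
        sections.insert(1, ("GlobalSettings", []))
        g = 1
    body = sections[g][1]
    if "mbae" not in [v.lower() for v in values(body, "Template")]:
        body.insert(0, "Template=MBAE")   # keep it with the other Template= lines
    if find(sections, "Template_MBAE") < 0:
        if sections[-1][1] and sections[-1][1][-1].strip():
            sections[-1][1].append("")    # blank line before the new section
        sections.extend(parse_sections(MBAE_TEMPLATE)[1:])
    return render(sections, newline)


def patch_file(path: str | Path) -> bool:
    """Patch a Sandboxie.ini in place and report whether it changed.
    Assumption: Sandboxie saves the file as UTF-16 LE with a BOM; a file
    without that BOM is treated as UTF-8. The original encoding is kept."""
    p = Path(path)
    raw = p.read_bytes()
    utf16 = raw.startswith(b"\xff\xfe")
    text = raw.decode("utf-16-le" if utf16 else "utf-8").lstrip("\ufeff")
    new = enable_mbae(text)
    if new == text:
        return False
    p.write_bytes(("\ufeff" + new).encode("utf-16-le") if utf16 else new.encode("utf-8"))
    return True


# Constructed sample of a minimal Sandboxie.ini before the edit (not a real file).
SAMPLE_INI = (
    "[GlobalSettings]\r\nFileRootPath=C:\\Sandbox\\%USER%\\%SANDBOX%\r\n\r\n"
    "[DefaultBox]\r\nEnabled=y\r\n"
)

if __name__ == "__main__":
    print("before:", check_mbae(SAMPLE_INI))
    print("after: ", check_mbae(enable_mbae(SAMPLE_INI)))
```

Run check_mbae against the live file first to see what is missing, then patch_file to apply the edit and reload the configuration from Sandboxie Control as described above. Because the patch is idempotent, re-running it after an MBAE update that rewrites nothing in Sandboxie.ini is harmless.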

  • Staff

How do I protect Metro apps under Windows 8/8.1?

Using MBAE Premium you can add a custom shield for WWAHost.exe using the "browser" profile. This will effectively protect most Metro apps.

However some Metro apps run via a different method. One example is the Metro PDF Reader. It uses the process "glcnd.exe" to run. You can add this as a custom shield using the "PDFreader" profile.

Hat-tip to puff_m_d for testing and providing this guidance.


  • 5 months later...
  • Staff

The tests from wicar.org are not triggering

Wicar.org is a website that has some pre-packaged exploits for some vulnerabilities. Clicking on some of these exploit tests might trigger a detection by your AV, but that is in most cases a signature detection of the URL, and is therefore not considered awareness and blocking of the exploit itself, but only of the web address it is being served from.

When running tests from wicar.org it is also important to have the vulnerable version of the application being tested installed in the VM or test machine. Testing an exploit for Internet Explorer 8 for Windows XP from a Windows 7 machine with Internet Explorer 10 will not allow the exploit to trigger and therefore there will be no alert from MBAE as there is no exploit being triggered.

To correctly perform tests from wicar.org it is recommended to follow these steps:

1- Configure the test or VM machine with the vulnerable (old) version being exploited.

2- Run the test without MBAE installed to verify that the exploit does in fact trigger.

3- Only after step 2 has been confirmed, install MBAE and re-run the test to verify that the exploit is blocked by MBAE.
