Choosing between Sandboxie and MBAE


Aya_Tachibana


Hello everyone!

 

After getting some help in these forums, a user recommended a few programs to me, so I got 3 new programs: WOT, MBAE and Sandboxie.

 

I know that MBAE doesn't work with Google Chrome if it's being sandboxed, so I have a few questions.

 

 

1 - I know that MBAE creates some security layers on some programs (in this case, Google Chrome), but if I close the program, will MBAE have to protect it again when I reopen it?

 

2 - What would be safer? MBAE or Sandboxie? (since both give security)

 

 

Thank you guys for helping me.


  • Staff

MBAE still works if you use Chrome within Sandboxie. It will still protect other browsers, Java and a few other internal OS components.

 

As for your questions:

 

1- No, MBAE protects those programs automatically every time you open them.

2- Sandboxie doesn't prevent the exploit, it just contains it. MBAE will prevent the exploit. They are both good programs, but MBAE also protects other things (Java, Acrobat, Office, etc.) as well as giving you the ability to add custom shields.

 

NOTE: moving this thread to the Questions sub-forum.


Hello, and thank you for moving this thread.

 

So, from what I thought about your reply, I could:

 

1 - Start Google Chrome and let MBAE protect it.

2 - Then, I would close it and start Google Chrome with Sandboxie to have full protection (since the MBAE protection was added before using Sandboxie).

 

Would that work? Or maybe I didn't understand how MBAE works.

 

 

Thank you for helping me.


Hello again.

 

So, let's say that MBAE protection for Google Chrome is updated every 24 hours.

 

So, if I do what I posted before, I would only have to start Google Chrome once without Sandboxie (at the same time that an update for its protection is released), and then I would only have to start it without Sandboxie again after 24 hours?

 

Sorry about this question, it's because I think I still don't understand how MBAE works.

 

 

Thank you for helping me.

 


Currently 4.x versions of sandboxie are preventing the MBAE dll from getting injected. So if you are using a 4.x version of sandboxie at this time, MBAE will only work when the program is not sandboxed. A future version created by the sandboxie devs should enable compatibility according to some posts I've read in the latest sandboxie beta thread. However, if you are using a 3.x version of sandboxie it is possible to enable compatibility by adding and enabling a template.

[Template_MBAE]
Tmpl.Title=MalwareBytes Anti Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION_*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION_*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*

  • Staff

Many thanks for the post btmp and welcome to the forum! Hope to see you around here more often.

 

@Aya_Tachibana, Google Chrome has its own very advanced sandbox, so running Chrome within Sandboxie doesn't make much sense. You're better off running Chrome by itself (which already relies on its own sandbox) plus MBAE.


I just realized that while the above template works, you may need to add an extra scan key for the template to be picked up by a software compat scan in sandboxie 3 on an x64 system.

Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\WoW6432Node\Malwarebytes Anti-Exploit

So here's a minor update with the added string from above, along with the '-' added to the Anti-Exploit title.

[Template_MBAE]
Tmpl.Title=MalwareBytes Anti-Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\WoW6432Node\Malwarebytes Anti-Exploit
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION_*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION_*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
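As an added illustration (this is not code from the thread, from Sandboxie or from Malwarebytes): a small Python checker that parses a Sandboxie.ini-style template and reports which entries of the template posted above are missing, including the WoW6432Node scan key btmp notes is needed on x64. The only assumptions are the key/value lines posted in this thread; the expected-entry lists are copied from them, and the two sample templates embedded below are constructed from the same posts.

```python
# Added example, not from the thread or from Sandboxie's own code: a checker for the
# [Template_MBAE] section posted above. Sandboxie.ini repeats keys such as OpenIpcPath
# inside one section, which Python's configparser collapses, so the parser below keeps
# an ordered list of (key, value) pairs per section instead.
from typing import Dict, List, Tuple

Section = List[Tuple[str, str]]


def parse_sandboxie_ini(text: str) -> Dict[str, Section]:
    """Parse ini-style text into {section: [(key, value), ...]}, keeping duplicate keys."""
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # stray line outside a section, or a line without a value
        key, value = line.split("=", 1)
        sections[current].append((key.strip(), value.strip()))
    return sections


# Entries taken from the template posted in the thread (first version for 3.x, then the
# x64 update). Registry paths are raw strings so the backslashes survive as written.
REQUIRED_SCAN_KEYS = {
    "x86": [r"\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit"],
    "x64": [
        r"\REGISTRY\MACHINE\SOFTWARE\WoW6432Node\Malwarebytes Anti-Exploit",
        r"\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit",
    ],
}
REQUIRED_IPC_PATHS = [
    r"*\BaseNamedObjects*\NamedBuffer*Process*API*",
    r"*\BaseNamedObjects*\MBAE_IPC_PROTECTION_*",
    r"*\BaseNamedObjects*\Mutex*Process*API*",
    r"*\RPC Control*\*MBAE_IPC_PROTECTION_*",
    r"*\BaseNamedObjects*\AutoUnhookMap*",
    r"*\BaseNamedObjects*\mchMixCache*",
    r"*\BaseNamedObjects*\Ipc2Cnt*",
    r"*\BaseNamedObjects*\mchLLEW*",
]


def check_mbae_template(text: str, arch: str = "x64") -> List[str]:
    """Return the problems found in [Template_MBAE]; an empty list means nothing is missing."""
    sections = parse_sandboxie_ini(text)
    tmpl = sections.get("Template_MBAE")
    if tmpl is None:
        return ["missing [Template_MBAE] section"]

    def values(key: str) -> List[str]:
        return [v for k, v in tmpl if k == key]

    problems: List[str] = []
    if values("Tmpl.Class") != ["Security"]:
        problems.append("Tmpl.Class should be Security")
    if values("Tmpl.Scan") != ["s"]:
        problems.append("Tmpl.Scan should be s, as in the posted template")
    for scan_key in REQUIRED_SCAN_KEYS[arch]:
        if scan_key not in values("Tmpl.ScanKey"):
            problems.append(f"missing Tmpl.ScanKey={scan_key}")
    for path in REQUIRED_IPC_PATHS:
        if path not in values("OpenIpcPath"):
            problems.append(f"missing OpenIpcPath={path}")
    return problems


# Constructed sample: the first template from the thread, which lacks the WoW6432Node key.
FIRST_TEMPLATE = r"""
[Template_MBAE]
Tmpl.Title=MalwareBytes Anti Exploit
Tmpl.Class=Security
Tmpl.Scan=s
Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION_*
OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION_*
OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
OpenIpcPath=*\BaseNamedObjects*\mchLLEW*
"""

# Constructed sample: the updated template, i.e. the first one plus the x64 scan key.
UPDATED_TEMPLATE = FIRST_TEMPLATE.replace(
    "Tmpl.Scan=s\n",
    "Tmpl.Scan=s\nTmpl.ScanKey=\\REGISTRY\\MACHINE\\SOFTWARE\\WoW6432Node\\Malwarebytes Anti-Exploit\n",
)

if __name__ == "__main__":
    for name, tmpl in (("first", FIRST_TEMPLATE), ("updated", UPDATED_TEMPLATE)):
        print(name, "template on x64:", check_mbae_template(tmpl, "x64") or "complete")
```

Run against the first template with arch "x64" it reports exactly one problem, the missing WoW6432Node scan key; with "x86", or against the updated template, it reports nothing. The parser deliberately keeps duplicate keys because a Sandboxie template relies on several OpenIpcPath lines in one section, which is also why a generic ini library would silently drop most of the entries you are trying to verify.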

Hello everyone, and thank you for the information.

 

A quick question:

 

Is version 3.x of Sandboxie really different from 4.x? (I'm using 4.12)

 

Since pbust said that Google Chrome has a very advanced sandbox, there isn't a reason for using Sandboxie (except if you want extreme protection with both MBAE and Sandboxie).


Yes they are both very different. With 4.x the protection was overhauled to make use of an "Anonymous Logon" which automatically starts a sandboxed program with the lowest possible rights. This allowed them to remove the hooks into the kernel and boosted compatibility for x64 versions of windows and the newer Win 8. While this all sounds great (and for the most part~it is!) many people have run into issues in the 4.x line that have yet to be resolved. I happen to be one of those people and have had to stick with the 3.76 versions to keep things working as I like though I do test newer versions as well. Once a MBAE compatible version is released I may delegate the last remaining holdout program (I have constant CPU usage issues only when it is sandboxed in the 4.x line) to an older machine and make the switch to 4.x myself.

 

 

In short

3.x relies on unofficial hooks into the kernel, and the protection is not 100% as effective on x64 versions of Windows, though with the 'experimental protection' activated it should come close.

 

4.x only retains a few hooks on XP and none beyond, and should work equally well on x64 versions of Windows. They have also added support for ASLR and DEP. They were (are?) also having the code audited for possible weak spots.

 

To me it came down to a simple question: Do I feel better running the program normally or sandboxed using an older version?


Sorry to hear you had issues with the 4.x version of sandboxie. I'd suggest testing out 3.76 unless you are on Windows 8 or 8.1.

 

Regardless of whether you try it or not, another way to look at your question might be to label the purpose of each program.

 

MBAE is designed to stop exploits.

Sandboxie is designed to contain/prevent changes to the system.

 

So in essence, if you are using sandboxie in the default mode without making use of many of the advanced features available, it might still be a good layer for you to consider in the unlikely event that an exploit makes it through. IMHO though, it isn't as important as stopping the intrusion in the first place. Without MBAE an exploit could "possibly" still run in a sandbox and bypass it, depending on whether it exploits an undiscovered/unpatched kernel flaw. For the most part other exploits should still be contained within the sandbox and would not persist across sessions (assuming you use the auto-delete feature).


Is there no edit button on this forum or am I blind?

 

Anyway... my point was that sandboxie does not prevent an exploit/keylogger/virus/etc. from running within the sandbox. It simply prevents it from persisting or spreading to the actual system (in most cases, not counting kernel flaws) and can still be a valuable tool in a layered approach.

 

Sacrificing prevention for this layer isn't acceptable to me, however, and is one of the reasons I've stuck to the 3.76 version and been able to continue using MBAE at the same time! The safety net of the 3.x sandbox might have a few more holes in it vs 4.x, but I feel better knowing that it's unlikely exploits will get past MBAE to start with.


  • Staff


Excellent overview summary, thanks @btmp

 

Not sure what the forum rules are, I think you need to have a minimum number of posts before you can edit.


Hello.

 

Well, since I'm using Windows 8.1, what do you recommend?

 

Continue using MBAE? Or maybe try Sandboxie again...

 

You are raising the point about the infamous Bromium Labs PoC exploit which can bypass almost all security. I did some googling, and most of the hits came back to the Bromium articles, so my question is how many of the kernel exploits have been found in the wild.


Hello guys.

 

Strange, after installing programs like WOT, Sandboxie and MBAE, sometimes Windows was running slow (when trying to change the battery mode, for example, the window would freeze for a few seconds before actually changing it).

 

I thought Sandboxie was the source of the problem, but it looks like the problem persists.

 

Maybe MBAE is the source of the problem. I will take a look on the internet.


@Aya_Tachibana
    I can't really answer this question for you. Both are good programs to make use of. Hopefully it won't be long and they will be usable together in the new versions of sandboxie as well making the question moot.

@Shrugged
    I'm not sure that they were ever fully revised for the 4.x line. Last I looked through them they struck me as written for the 3.x line, or perhaps even earlier, with a few updates in between (and some out-of-date leftovers). I haven't checked recently, but I believe that as far as the settings and stuff go, all should be similar enough between revisions that the help pages are good for both. It's mostly the way the program achieves its goals that has changed.

@Peter2150
    The better question might be: how many have been discovered that I know of? The answer to that question is zero! It's certainly nothing that has impacted any sandboxie users in a real-world scenario that I have read about to date.


To make sure that I have read this thread correctly, MBAE does not function with SBIE 4.0, is that right?

And any interested users must wait for Invincea to make Sandboxie compatible with MBAE, is that right?

(In other words, there is nothing MBAE can do to fix the conflict?)

I consider Sandboxie to be absolutely the #1 security component on my computers. All other software must work with Sandboxie or I do not use it.

I hope the day soon arrives when I can begin using SBIE 4.0 and MBAE together.

 


  • 1 month later...

Already posted something similar on Wilders, but I wanted to update this thread as well. With the new Experimental build "1.05.3.1011", 32-bit programs are properly injected under sandboxie 4 (only tested with the current beta 4.15.3 so far, but I imagine others would function as well). 64-bit programs still don't get injected properly (yet), but as the only 64-bit program I needed protected with MBAE was a browser, I have switched it over to 32-bit for now so that I could maintain the functionality of MBAE with the latest version of sandboxie. Looking forward to the 64-bit fix, but I for one am extremely happy with the progress. Keep up the great work!
