Current File : C:/ProgramData/Malwarebytes/MBAMService/lkg_db/dynconfig.dat

;	-------------------------------------------------------------------------------------------------------------

;	-	EXAMPLE CONFIGURATION (EJEMPLO DE CONFIGURACION)																-

;	-------------------------------------------------------------------------------------------------------------

;	[NombreSeccion]

;	objectType			=	1

;	objectValue			=	"C:\ProgramData\Malwarebytes Anti-Exploit\"

;	l0_vb_disable_mask	=	MBAE_FLAG_ALL_FAMILIES

;	l0_vb_disable		=	MBAE_FID_SUSPICIOUS | MBAE_FID_TEST | MBAE_FID_OTHER

;	l1_ropc32_mask		=	MBAE_FLAG_ALL_FAMILIES

;	l1_ropc32			=	MBAE_FID_MULTIMEDIA | MBAE_FID_PDF_READER | MBAE_FID_TEST | MBAE_FID_CHROMEBROWSER

;	l0_xmlhttp_mask		=	MBAE_FID_WEBBROWSER

;	l0_xmlhttp			=	0

;	-------------------------------------------------------------------------------------------------------------



; 	Object types

;	-----------------------------------

;	file path				->	0

;	folder path				->	1

;	Process name			->	2

;	Module/Dll				->	3

;	Registry tree path		->	4

;	Registry key path		->	5

;	------------------------------------





; Disable Fingerprinting & CALL ROP Gadget detection for GAS Tecnologia (Diebold Warsaw folder)
; objectType 1 = folder path (see the "Object types" table in the header).
; Each <check>_mask lists MBAE_FID_* application families and the matching <check> = 0 turns that
; check off; presumably only for the listed families and only where this object is involved - confirm.
; l0_xmlhttp is the check the sibling GAS entries call "Fingerprinting"; l1_ropc32 / l1_ropc64 are
; what other entries in this file call "CALL ROP Gadget detection".

; ----------------------------------------------------------------------------------------------------------------

[GAS1]

objectType			=	1

objectValue			=	"C:\Program Files\Diebold\Warsaw"

l0_xmlhttp_mask			=	MBAE_FID_WEBBROWSER

l0_xmlhttp			=	0

l1_ropc32_mask			=	MBAE_FID_WEBBROWSER | MBAE_FID_PDF_READER | MBAE_FID_CHROMEBROWSER

l1_ropc32			=	0

l1_ropc64_mask			=	MBAE_FID_WEBBROWSER | MBAE_FID_PDF_READER | MBAE_FID_CHROMEBROWSER

l1_ropc64			=	0



; Disable Fingerprinting & CALL ROP Gadget detection for GAS Tecnologia (GbPlugin, 32-bit Program Files)

; ----------------------------------------------------------------------------------------------------------------

[GAS2]

objectType			=	1

objectValue			=	"C:\Program Files (x86)\GbPlugin"

l0_xmlhttp_mask			=	MBAE_FID_WEBBROWSER

l0_xmlhttp			=	0

l1_ropc32_mask			=	MBAE_FID_WEBBROWSER | MBAE_FID_PDF_READER | MBAE_FID_CHROMEBROWSER

l1_ropc32			=	0

l1_ropc64_mask			=	MBAE_FID_WEBBROWSER | MBAE_FID_PDF_READER | MBAE_FID_CHROMEBROWSER

l1_ropc64			=	0



; Disable Fingerprinting & CALL ROP Gadget detection for GAS Tecnologia (ProgramData folder)
; NOTE(review): this exclusion is rooted under C:\ProgramData. On a default Windows install standard
; users can create files and subfolders there, so confirm this folder's ACL is administrator-only.
; A folder rule presumably covers everything beneath it, which would make the relaxed checks depend
; on who can write to the folder - verify against the product documentation.

; ----------------------------------------------------------------------------------------------------------------

[GAS3]

objectType			=	1

objectValue			=	"C:\ProgramData\GAS Tecnologia"

l0_xmlhttp_mask			=	MBAE_FID_WEBBROWSER

l0_xmlhttp			=	0

l1_ropc32_mask			=	MBAE_FID_WEBBROWSER | MBAE_FID_PDF_READER | MBAE_FID_CHROMEBROWSER

l1_ropc32			=	0

l1_ropc64_mask			=	MBAE_FID_WEBBROWSER | MBAE_FID_PDF_READER | MBAE_FID_CHROMEBROWSER

l1_ropc64			=	0



; Disable Fingerprinting & CALL ROP Gadget detection for GAS Tecnologia (GbPlugin under ProgramData)
; NOTE(review): same concern as any ProgramData-rooted exclusion - confirm the folder ACL does not
; let non-administrators add content under an excluded path.

; ----------------------------------------------------------------------------------------------------------------

[GAS4]

objectType			=	1

objectValue			=	"C:\ProgramData\GbPlugin"

l0_xmlhttp_mask			=	MBAE_FID_WEBBROWSER

l0_xmlhttp			=	0

l1_ropc32_mask			=	MBAE_FID_WEBBROWSER | MBAE_FID_PDF_READER | MBAE_FID_CHROMEBROWSER

l1_ropc32			=	0

l1_ropc64_mask			=	MBAE_FID_WEBBROWSER | MBAE_FID_PDF_READER | MBAE_FID_CHROMEBROWSER

l1_ropc64			=	0



; Disable Fingerprinting & CALL ROP Gadget detection for GAS Tecnologia (GbPlugin, Program Files)

; ----------------------------------------------------------------------------------------------------------------

[GAS5]

objectType			=	1

objectValue			=	"C:\Program Files\GbPlugin"

l0_xmlhttp_mask			=	MBAE_FID_WEBBROWSER

l0_xmlhttp			=	0

l1_ropc32_mask			=	MBAE_FID_WEBBROWSER | MBAE_FID_PDF_READER | MBAE_FID_CHROMEBROWSER

l1_ropc32			=	0

l1_ropc64_mask			=	MBAE_FID_WEBBROWSER | MBAE_FID_PDF_READER | MBAE_FID_CHROMEBROWSER

l1_ropc64			=	0



; Disable Fingerprint detection for Spectorsoft
; objectType 0 = file path: the rule names one DLL by full path, the narrowest scope this file uses.
; Only the web-browser family (l0_xmlhttp_mask) is affected.

; ----------------------------------------------------------------------------------------------------------------

[SPECTORSOFT]

objectType			=	0

objectValue			=	"C:\Windows\winipbin\svrltmgr.dll"

l0_xmlhttp_mask			=	MBAE_FID_WEBBROWSER

l0_xmlhttp			=	0



; Disable HeapSpraying protection (l0_ah) for Imprivata OneSign Agent, 32-bit Program Files folder
; objectType 1 = folder path. Applies to the web-browser and Chrome-browser families only.

; ----------------------------------------------------------------------------------------------------------------

[IMPRIVATA1]

objectType			=	1

objectValue			=	"C:\Program Files (x86)\Imprivata\OneSign Agent"

l0_ah_mask			=	MBAE_FID_WEBBROWSER | MBAE_FID_CHROMEBROWSER

l0_ah				=	0



; Disable HeapSpraying protection (l0_ah) for Imprivata OneSign Agent, Program Files folder
; Same rule as IMPRIVATA1 for the other Program Files root.

; ----------------------------------------------------------------------------------------------------------------

[IMPRIVATA2]

objectType			=	1

objectValue			=	"C:\Program Files\Imprivata\OneSign Agent"

l0_ah_mask			=	MBAE_FID_WEBBROWSER | MBAE_FID_CHROMEBROWSER

l0_ah				=	0



; Disable BottomUp ASLR (l0_baslr) for Symantec DLP
; objectType 0 = file path; affects the Office family only.
; NOTE(review): the "Manufacturer" path component reads like a generic or placeholder directory
; name; confirm it matches the real install path, otherwise this rule never matches.

; ----------------------------------------------------------------------------------------------------------------

[SYMCDLP1]

objectType			=	0

objectValue			=	"C:\Program Files\Manufacturer\Endpoint Agent\clpbm.dll"

l0_baslr_mask			=	MBAE_FID_OFFICE

l0_baslr			=	0



; Disable BottomUp ASLR (l0_baslr) for Symantec DLP, 32-bit Program Files path
; Same rule as SYMCDLP1 for the (x86) root.

; ----------------------------------------------------------------------------------------------------------------

[SYMCDLP2]

objectType			=	0

objectValue			=	"C:\Program Files (x86)\Manufacturer\Endpoint Agent\clpbm.dll"

l0_baslr_mask			=	MBAE_FID_OFFICE

l0_baslr			=	0



; Disable Dynamic-Anti HeapSpraying (l0_dah) for Symantec DLP, 32-bit Program Files folder
; objectType 1 = folder path; affects the web-browser family only.
; The section prefix changes here (SYMANTECDLP vs SYMCDLP above); the numbering continues at 3.

; ----------------------------------------------------------------------------------------------------------------

[SYMANTECDLP3]

objectType			=	1

objectValue			=	"C:\Program Files (x86)\Manufacturer\Endpoint Agent"

l0_dah_mask			=	MBAE_FID_WEBBROWSER

l0_dah				=	0



; Disable Dynamic-Anti HeapSpraying (l0_dah) for Symantec DLP, Program Files folder

; ----------------------------------------------------------------------------------------------------------------

[SYMANTECDLP4]

objectType			=	1

objectValue			=	"C:\Program Files\Manufacturer\Endpoint Agent"

l0_dah_mask			=	MBAE_FID_WEBBROWSER

l0_dah				=	0



; Disable Dynamic-Anti HeapSpraying (l0_dah) for Symantec Endpoint Protection, 32-bit Program Files
; objectType 1 = folder path; affects the web-browser family only.

; ----------------------------------------------------------------------------------------------------------------

[SYMANTECEP1]

objectType			=	1

objectValue			=	"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection"

l0_dah_mask			=	MBAE_FID_WEBBROWSER

l0_dah				=	0



; Disable Dynamic-Anti HeapSpraying (l0_dah) for Symantec Endpoint Protection, Program Files

; ----------------------------------------------------------------------------------------------------------------

[SYMANTECEP2]

objectType			=	1

objectValue			=	"C:\Program Files\Symantec\Symantec Endpoint Protection"

l0_dah_mask			=	MBAE_FID_WEBBROWSER

l0_dah				=	0



; Disable Fingerprint detection for SpectorSoft, matched by module name
; objectType 3 = Module/Dll: the value is a bare file name with no directory.
; NOTE(review): a name-only rule does not tie the exclusion to the vendor's install path; whether
; the product also checks path or signature is not visible in this file - confirm.

; ----------------------------------------------------------------------------------------------------------------

[SPECTORSOFT2]

objectType			=	3

objectValue			=	"csvrelay32.dll"

l0_xmlhttp_mask			=	MBAE_FID_WEBBROWSER

l0_xmlhttp			=	0



; Disable Heap Return Address check (l2_caller) for the Emsisoft 64-bit hook DLL
; Other entries in this file describe the same l2_caller key as "Malicious Return Address detection".
; objectType 3 = Module/Dll, matched by bare module name; affects the Office family only.

; ----------------------------------------------------------------------------------------------------------------

[EMSISOFT1]

objectType			=	3

objectValue			=	"a2hooks64.dll"

l2_caller_mask			=	MBAE_FID_OFFICE

l2_caller			=	0





; Disable Heap Return Address check (l2_caller) for the Emsisoft 32-bit hook DLL

; ----------------------------------------------------------------------------------------------------------------

[EMSISOFT2]

objectType			=	3

objectValue			=	"a2hooks32.dll"

l2_caller_mask			=	MBAE_FID_OFFICE

l2_caller			=	0



; Disable Dynamic-Anti HeapSpraying (l0_dah) for Bitdefender Antivirus Free
; objectType 1 = folder path; affects the web-browser family only.

; ----------------------------------------------------------------------------------------------------------------

[BITDEFENDER1]

objectType			=	1

objectValue			=	"C:\Program Files\Bitdefender Antivirus Free"

l0_dah_mask			=	MBAE_FID_WEBBROWSER

l0_dah				=	0



; Disable Dynamic-Anti HeapSpraying (l0_dah) for the Bitdefender install folder

; ----------------------------------------------------------------------------------------------------------------

[BITDEFENDER2]

objectType			=	1

objectValue			=	"C:\Program Files\Bitdefender"

l0_dah_mask			=	MBAE_FID_WEBBROWSER

l0_dah				=	0



; Disable Dynamic-Anti HeapSpraying (l0_dah) for the Bitdefender Agent folder
; None of the three Bitdefender folder rules has a "Program Files (x86)" counterpart, unlike most
; vendors in this file; presumably intentional - confirm.

; ----------------------------------------------------------------------------------------------------------------

[BITDEFENDER3]

objectType			=	1

objectValue			=	"C:\Program Files\Bitdefender Agent"

l0_dah_mask			=	MBAE_FID_WEBBROWSER

l0_dah				=	0



; Disable CALL ROP Gadget detection and Malicious Return Address detection for Trusteer Rapport
; objectType 1 = folder path (32-bit Program Files). Three checks are switched off for the
; web-browser family: l1_ropc32, l1_ropc64 (CALL ROP) and l2_caller (return address).

; ----------------------------------------------------------------------------------------------------------------

[TRUSTEER1]

objectType			=	1

objectValue			=	"C:\Program Files (x86)\Trusteer"

l1_ropc32_mask			=	MBAE_FID_WEBBROWSER

l1_ropc32			=	0

l1_ropc64_mask			=	MBAE_FID_WEBBROWSER

l1_ropc64			=	0

l2_caller_mask			=	MBAE_FID_WEBBROWSER

l2_caller			=	0



; Disable CALL ROP Gadget detection and Malicious Return Address detection for Trusteer Rapport
; Same rule as TRUSTEER1 for the other Program Files root.

; ----------------------------------------------------------------------------------------------------------------

[TRUSTEER2]

objectType			=	1

objectValue			=	"C:\Program Files\Trusteer"

l1_ropc32_mask			=	MBAE_FID_WEBBROWSER

l1_ropc32			=	0

l1_ropc64_mask			=	MBAE_FID_WEBBROWSER

l1_ropc64			=	0

l2_caller_mask			=	MBAE_FID_WEBBROWSER

l2_caller			=	0



; Disable Malicious Return Address detection (l2_caller) for the Think-cell plugin, Program Files
; objectType 1 = folder path; affects the Office family only.

; ----------------------------------------------------------------------------------------------------------------

[THINKCELL1]

objectType			=	1

objectValue			=	"C:\Program Files\think-cell"

l2_caller_mask			=	MBAE_FID_OFFICE

l2_caller			=	0



; Disable Malicious Return Address detection (l2_caller) for the Think-cell plugin, 32-bit Program Files

; ----------------------------------------------------------------------------------------------------------------

[THINKCELL2]

objectType			=	1

objectValue			=	"C:\Program Files (x86)\think-cell"

l2_caller_mask			=	MBAE_FID_OFFICE

l2_caller			=	0



; Disable Malicious Return Address detection (l2_caller) for the Think-cell add-in DLL
; objectType 3 = Module/Dll, matched by bare name; it overlaps with the two folder rules above.
; NOTE(review): the name-only rule is the broader of the three; check whether the folder rules alone suffice.

; ----------------------------------------------------------------------------------------------------------------

[THINKCELL3]

objectType			=	3

objectValue			=	"tcaddin.dll"

l2_caller_mask			=	MBAE_FID_OFFICE

l2_caller			=	0



; Disable CALL ROP Gadget detection (l1_ropc32 / l1_ropc64) for Mirillis, 32-bit Program Files
; objectType 1 = folder path; affects the multimedia family only.

; ----------------------------------------------------------------------------------------------------------------

[MIRILLIS1]

objectType			=	1

objectValue			=	"C:\Program Files (x86)\Mirillis"

l1_ropc32_mask			=	MBAE_FID_MULTIMEDIA

l1_ropc32			=	0

l1_ropc64_mask			=	MBAE_FID_MULTIMEDIA

l1_ropc64			=	0



; Disable CALL ROP Gadget detection (l1_ropc32 / l1_ropc64) for Mirillis, Program Files

; ----------------------------------------------------------------------------------------------------------------

[MIRILLIS2]

objectType			=	1

objectValue			=	"C:\Program Files\Mirillis"

l1_ropc32_mask			=	MBAE_FID_MULTIMEDIA

l1_ropc32			=	0

l1_ropc64_mask			=	MBAE_FID_MULTIMEDIA

l1_ropc64			=	0



; Disable RET ROP Gadget detection (l1_ropr32 / l1_ropr64) for Firefox, 32-bit Program Files
; objectType 1 = folder path; affects the web-browser family.
; NOTE(review): here the excluded folder is the protected browser itself rather than a third-party
; add-on, so this is one of the broader relaxations in the file; re-check whether it is still needed.

; ----------------------------------------------------------------------------------------------------------------

[FIREFOX1]

objectType			=	1

objectValue			=	"C:\Program Files (x86)\Mozilla Firefox"

l1_ropr32_mask			=	MBAE_FID_WEBBROWSER

l1_ropr32			=	0

l1_ropr64_mask			=	MBAE_FID_WEBBROWSER

l1_ropr64			=	0



; Disable RET ROP Gadget detection (l1_ropr32 / l1_ropr64) for Firefox, Program Files

; ----------------------------------------------------------------------------------------------------------------

[FIREFOX2]

objectType			=	1

objectValue			=	"C:\Program Files\Mozilla Firefox"

l1_ropr32_mask			=	MBAE_FID_WEBBROWSER

l1_ropr32			=	0

l1_ropr64_mask			=	MBAE_FID_WEBBROWSER

l1_ropr64			=	0



; Disable Memory Patch Hijacking Protection (l1_wpm) to avoid a Process Hollowing false positive in MB3
; objectType 3 = Module/Dll, matched by bare module name; affects the Office family only.
; NOTE(review): the rule names the module without a path; whether path or signature is also
; checked is not visible here - confirm.

; ----------------------------------------------------------------------------------------------------------------

[PROCHOLLOW]

objectType			=	3

objectValue			=	"Swissarmy.dll"

l1_wpm_mask			=	MBAE_FID_OFFICE

l1_wpm				=	0



; Disable Malicious Return Address detection (l2_caller) for Trend Micro
; objectType 3 = Module/Dll, matched by bare module name; affects the Office family only.

; ----------------------------------------------------------------------------------------------------------------

[TRENDMICRO]

objectType			=	3

objectValue			=	"tmmon.dll"

l2_caller_mask			=	MBAE_FID_OFFICE

l2_caller			=	0



; Disable Memory Patch Hijacking Protection (l1_wpm) to avoid a Process Hollowing false positive in MBAE
; objectType 3 = Module/Dll: the product's own mbae.dll, matched by bare module name.
; Affects the Office family only.

; ----------------------------------------------------------------------------------------------------------------

[PROCHOLLOW1]

objectType			=	3

objectValue			=	"mbae.dll"

l1_wpm_mask			=	MBAE_FID_OFFICE

l1_wpm				=	0



; Disable Memory Patch Hijacking Protection (l1_wpm) for the MBAE install folder, 32-bit Program Files
; objectType 1 = folder path.

; ----------------------------------------------------------------------------------------------------------------

[PROCHOLLOW2]

objectType			=	1

objectValue			=	"C:\Program Files (x86)\Malwarebytes Anti-Exploit"

l1_wpm_mask			=	MBAE_FID_OFFICE

l1_wpm				=	0



; Disable Memory Patch Hijacking Protection (l1_wpm) for the MBAE install folder, Program Files

; ----------------------------------------------------------------------------------------------------------------

[PROCHOLLOW3]

objectType			=	1

objectValue			=	"C:\Program Files\Malwarebytes Anti-Exploit"

l1_wpm_mask			=	MBAE_FID_OFFICE

l1_wpm				=	0



; Disable Malicious Return Address detection (l2_caller) for Freedom Scientific
; objectType 3 = Module/Dll, matched by bare module name; affects the Office and PDF-reader families.

; ----------------------------------------------------------------------------------------------------------------

[FREEDOMSCIENTIFIC]

objectType			=	3

objectValue			=	"FsMonitor.dll"

l2_caller_mask			=	MBAE_FID_OFFICE | MBAE_FID_PDF_READER

l2_caller			=	0



; Unhook "createprocessw" for BitDefender gemmauf32.dll
; objectType 3 = Module/Dll, matched by bare module name; affects the Office family only.
; This is the only entry in the file that uses an api_* key, and the only one that writes the
; value before its _mask; presumably key order does not matter to the parser - confirm.
; NOTE(review): going by the comment above, this removes the hook on process creation rather than
; relaxing one heuristic, so it deserves a periodic re-check that the conflict still exists.

; ----------------------------------------------------------------------------------------------------------------

[BITDEFENDER4]

objectType			=	3

objectValue			=	"gemmauf32.dll"

api_createprocessw		=	0

api_createprocessw_mask		=	MBAE_FID_OFFICE



; Disable "Prevent loading of VbScript library" (l0_vb_disable) for Mbae-Business
; objectType 0 = file path: keyed on the mbae-cli.exe executable, presumably as a marker that the
; business edition is installed rather than as the module being excluded - confirm.
; Affects the Office and web-browser families. Only the (x86) path is listed.

; ----------------------------------------------------------------------------------------------------------------

[VBSCRIPT1]

objectType			=	0

objectValue			=	"C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe"

l0_vb_disable_mask		=	MBAE_FID_OFFICE | MBAE_FID_WEBBROWSER

l0_vb_disable			=	0



; Disable Malicious Return Address detection (l2_caller) for LabTech monitoring software
; objectType 0 = file path: one executable named by full path; affects the PDF-reader family only.

; ----------------------------------------------------------------------------------------------------------------

[LABTECH1]

objectType			=	0

objectValue			=	"C:\Windows\LTSvc\LTSVC.exe"

l2_caller_mask			=	MBAE_FID_PDF_READER

l2_caller			=	0



; Enable "Allow insecure Java operations in internal IP ranges" (l3_javaintranet) for NCEP customers
; Unlike most entries in this file, the value here is 1: the setting is switched ON, and by its
; own name it permits operations that are otherwise treated as insecure.
; objectType 0 = file path: keyed on the Endpoint Agent executable, presumably as a marker that
; this product edition is installed - confirm.
; Covers four families: web browser, Office, PDF reader and Chrome browser.

; ----------------------------------------------------------------------------------------------------------------

[JAVAINTRANET1]

objectType			=	0

objectValue			=	"C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe"

l3_javaintranet_mask		=	MBAE_FID_WEBBROWSER | MBAE_FID_OFFICE | MBAE_FID_PDF_READER | MBAE_FID_CHROMEBROWSER

l3_javaintranet			=	1



; Enable "Allow insecure Java operations in internal IP ranges" (l3_javaintranet) for MBES customers
; Value 1 switches the setting ON. objectValue is the same mbae-cli.exe path used by [VBSCRIPT1].
; NOTE(review): what counts as an "internal IP range" is not defined in this file; confirm the
; ranges before relying on this relaxation on networks with untrusted internal hosts.

; ----------------------------------------------------------------------------------------------------------------

[JAVAINTRANET2]

objectType			=	0

objectValue			=	"C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-cli.exe"

l3_javaintranet_mask		=	MBAE_FID_WEBBROWSER | MBAE_FID_OFFICE | MBAE_FID_PDF_READER | MBAE_FID_CHROMEBROWSER

l3_javaintranet			=	1



; Disable Malicious Return Address detection (l2_caller) for Generali Global Assistance
; objectType 3 = Module/Dll, matched by bare module name; affects the PDF-reader family only.
; The same module name, epclient32.dll, is also the objectValue of [AOL1].
; The l2_caller_mask line below ends with a trailing space after the value; presumably trimmed
; by the parser - confirm.

; ----------------------------------------------------------------------------------------------------------------

[GENERALI1]

objectType			=	3

objectValue			=	"epclient32.dll"

l2_caller_mask			=	MBAE_FID_PDF_READER 

l2_caller			=	0



; Disable Malicious Return Address detection (l2_caller) for Generali Global Assistance

; ----------------------------------------------------------------------------------------------------------------

[GENERALI2]

objectType			=	3

objectValue			=	"arwinject32.dll"

l2_caller_mask			=	MBAE_FID_PDF_READER

l2_caller			=	0



; Disable CALL ROP Gadget detection (l1_ropc32 / l1_ropc64) for Online Data Protection
; objectType 3 = Module/Dll, matched by bare module name; affects the PDF-reader and Office families.
; epclient32.dll is also the objectValue of [GENERALI1], so two sections relax checks for it.

; ----------------------------------------------------------------------------------------------------------------

[AOL1]

objectType			=	3

objectValue			=	"epclient32.dll"

l1_ropc32_mask			=	MBAE_FID_PDF_READER | MBAE_FID_OFFICE

l1_ropc32			=	0

l1_ropc64_mask			=	MBAE_FID_PDF_READER | MBAE_FID_OFFICE

l1_ropc64			=	0



; Disable CALL ROP Gadget detection (l1_ropc32 / l1_ropc64) for MSCTF.dll
; NOTE(review): msctf.dll is a Windows system library, not a vendor module, and the rule matches
; it by bare name. How a module rule is evaluated is not visible in this file; if it applies
; whenever the module is involved, this is a broad relaxation for the PDF-reader and Office
; families. Confirm the scope and whether the false positive still reproduces.

; ----------------------------------------------------------------------------------------------------------------

[AOL2]

objectType			=	3

objectValue			=	"msctf.dll"

l1_ropc32_mask			=	MBAE_FID_PDF_READER | MBAE_FID_OFFICE

l1_ropc32			=	0

l1_ropc64_mask			=	MBAE_FID_PDF_READER | MBAE_FID_OFFICE

l1_ropc64			=	0



; Disable CALL ROP Gadget detection (l1_ropc32 / l1_ropc64) for USER32.dll
; NOTE(review): user32.dll is a core Windows library present in essentially every GUI process, so
; a name-keyed rule on it is likely to apply to most PDF-reader and Office processes rather than
; to one product. Confirm how the match is evaluated and keep this entry under review.

; ----------------------------------------------------------------------------------------------------------------

[AOL3]

objectType			=	3

objectValue			=	"user32.dll"

l1_ropc32_mask			=	MBAE_FID_PDF_READER | MBAE_FID_OFFICE

l1_ropc32			=	0

l1_ropc64_mask			=	MBAE_FID_PDF_READER | MBAE_FID_OFFICE

l1_ropc64			=	0



; Disable RET ROP Gadget detection (l1_ropr32 / l1_ropr64) for Comctl32.dll
; objectType 3 = Module/Dll, matched by bare module name; affects the Office family only.
; The section name below is spelled "Comct132" (digit 1) while the module is "Comctl32.dll"
; (letter l); presumably the section name is only a label - confirm before renaming.
; NOTE(review): this and the Kernel32, GDI32 and MSO entries key on Windows or Office system
; libraries rather than third-party modules. How a module rule is evaluated is not visible in
; this file; if it applies whenever the module is involved, RET ROP detection is relaxed for much
; of the Office family. Confirm the scope and that each entry is still required.

; ----------------------------------------------------------------------------------------------------------------

[Comct132]

objectType			=	3

objectValue			=	"Comctl32.dll"

l1_ropr32_mask			=	MBAE_FID_OFFICE

l1_ropr32			=	0

l1_ropr64_mask			=	MBAE_FID_OFFICE

l1_ropr64			=	0



; Disable RET ROP Gadget detection (l1_ropr32 / l1_ropr64) for Kernel32.dll
; NOTE(review): kernel32.dll is loaded into every Win32 process, so a name-keyed rule on it is
; the widest possible module match for the Office family - confirm how it is evaluated.

; ----------------------------------------------------------------------------------------------------------------

[Kernel32]

objectType			=	3

objectValue			=	"Kernel32.dll"

l1_ropr32_mask			=	MBAE_FID_OFFICE

l1_ropr32			=	0

l1_ropr64_mask			=	MBAE_FID_OFFICE

l1_ropr64			=	0



; Disable RET ROP Gadget detection (l1_ropr32 / l1_ropr64) for gdi32.dll
; Windows graphics library, matched by bare module name; affects the Office family only.

; ----------------------------------------------------------------------------------------------------------------

[GDI32]

objectType			=	3

objectValue			=	"gdi32.dll"

l1_ropr32_mask			=	MBAE_FID_OFFICE

l1_ropr32			=	0

l1_ropr64_mask			=	MBAE_FID_OFFICE

l1_ropr64			=	0



; Disable RET ROP Gadget detection (l1_ropr32 / l1_ropr64) for mso.dll
; Microsoft Office shared library, matched by bare module name; affects the Office family only.

; ----------------------------------------------------------------------------------------------------------------

[MSO]

objectType			=	3

objectValue			=	"mso.dll"

l1_ropr32_mask			=	MBAE_FID_OFFICE

l1_ropr32			=	0

l1_ropr64_mask			=	MBAE_FID_OFFICE

l1_ropr64			=	0



; Disable RET ROP Gadget detection (l1_ropr32 / l1_ropr64) for LibreOffice
; objectType 1 = folder path; affects the Office family.
; Only the "C:\Program Files" root is listed; no "Program Files (x86)" counterpart is visible in
; this part of the file, unlike most vendor entries - confirm whether one is needed.

; ----------------------------------------------------------------------------------------------------------------

[LIBREOFFICE]

objectType			=	1

objectValue			=	"C:\Program Files\LibreOffice"

l1_ropr32_mask			=	MBAE_FID_OFFICE

l1_ropr32			=	0

l1_ropr64_mask			=	MBAE_FID_OFFICE

l1_ropr64			=	0