Advice Request Excubits MZWriteScanner

[shmu26]

This little security program is not very well known, but it can do a lot, and it has a free version. It is ONLY for those who have the patience and skill for careful manual configuration.

I have been using it for the past few days, and I like it a lot, after I got the hang of it.

What does it do? Every time a new executable file is written to your computer, MZWS logs it, and blocks it from execution. This includes not only exe files and script files, but also dlls and drivers. That's unique!
So what's it good for?
1 You can run it in log-only mode (called "non-lethal" mode), and see when new files are written to your computer. The system tray icon will turn red when a new file is written to disk.
2 You can run it in block mode (called "lethal" mode), and then it functions as a default/deny solution that covers almost all executable file types, including dlls and driver files.
Of course, you must start with a clean system. It will not block malware that is already present.

Disclaimer: MZWS will not protect against fileless malware. For that you need a different solution, such as OSArmor, for instance.
The program is neither self-explanatory nor intuitive, and it is not well documented, and you have to write your own rules, for the most part (or copy the config file of another user). But the support thread is very helpful.

There is a free demo version. It places a limit on the size of the config file, but it is pretty liberal. You will have to reinstall the driver once a year, if you use the demo version.

There is a thread on the other forum about it.
MZWriteScanner

 

[ForgottenSeer 69673]

I have heard about this program before but is it really needed with Appguard?

 

[bribon77]

Excubits products, I find them very good but I can not understand them correctly.:devil:.

 

[Andy Ful]

All Excubits drivers are the very good forensic tools, for the advanced users. Though, MZWS does not cover malicious scripts & scriptlets, macros, and fileless malware. It can mitigate the attacks in the moment when the executable payload (MZ file) is going to be run. This works also after rebooting the system. It can block such files for some time, but it is the user problem to recognize if the blocked files are malicious. It would be great if MZWS was integrated (as the option) with a good reputation service, like for example SmartScreen.

 

[plat]

Doesn't have a user interface, I take it. I know MemProtect doesn't, which turns me off. Wasn't someone here trying to get the developer to consider a couple of products under a unified interface? Excubits is over my head and I'm a little envious.

 

[shmu26]

I have heard about this program before but is it really needed with Appguard?

Appguard when properly configured is great protection. But it doesn't monitor dlls, per se. The Appguard approach is to block or guard enough system processes that malware will be unable to do anything bad with malicious dlls and drivers, and also, to prevent them from downloading in the first place.

@plat1098: Yes, this program is like the other Excubits products, it has no GUI.
As for the Excubits product that is supposed to combine a few features into one app, maybe @Windows_Security knows how that is progressing. I did some beta testing on it, but I have not been active in a few months.

 

[128BPM]

What does it do? Every time a new executable file is written to your computer, MZWS logs it

Something like this? Track Files Created in the System with File Extension Monitor | NoVirusThanks

 

[shmu26]

Something like this? Track Files Created in the System with File Extension Monitor | NoVirusThanks

The big difference is that the NVT tool only logs, it doesn't block. If logging is what you want, it looks like the NVT tool is more customizable, in terms of which file types to monitor.
But if you want blocking, the NVT tool doesn't do that.

 

[Windows_Security]

@plat1098: Yes, this program is like the other Excubits products, it has no GUI.
As for the Excubits product that is supposed to combine a few features into one app, maybe @Windows_Security knows how that is progressing. I did some beta testing on it, but I have not been active in a few months.[/QUOTE]

Same here to busy with other things, no info on Malware Mitigator

 

[128BPM]

If NoVirusThanks adds to File Extension Monitor the ability to block, I think that FEM could be even better than MZWS. Because it is more customizable and has GUI.

 

[shmu26]

If NVT adds to File Extension Monitor the ability to block, I think that FEM could be even better than MZWS. Because it is more customizable.

MZWS is customizable, too, but only by means of writing rules in the config file. Not very convenient, to be sure, but you basically have total control, once you understand how to do it.

On the other hand, if NVT would add ability to block, that would be awesome! However, he would also need to add the ability to exclude specific paths, with parent/child support, like Excubits does, or else things won't work right.