shmu26

This little security program is not very well known, but it can do a lot, and it has a free version. It is ONLY for those who have the patience and skill for careful manual configuration.

I have been using it for the past few days, and I like it a lot, after I got the hang of it.

What does it do? Every time a new executable file is written to your computer, MZWS logs it, and blocks it from execution. This includes not only exe files and script files, but also dlls and drivers. That's unique!
So what's it good for?
1. You can run it in log-only mode (called "non-lethal" mode), and see when new files are written to your computer. The system tray icon will turn red when a new file is written to disk.
2. You can run it in block mode (called "lethal" mode), and then it functions as a default-deny solution that covers almost all executable file types, including dlls and driver files.
Of course, you must start with a clean system. It will not block malware that is already present.

Disclaimer: MZWS will not protect against fileless malware. For that you need a different solution, such as OSArmor, for instance.
The program is neither self-explanatory nor intuitive, and it is not well documented, and you have to write your own rules, for the most part (or copy the config file of another user). But the support thread is very helpful.

There is a free demo version. It places a limit on the size of the config file, but it is pretty liberal. You will have to reinstall the driver once a year, if you use the demo version.

There is a thread on the other forum about it.
MZWriteScanner

Andy Ful

All Excubits drivers are very good forensic tools for advanced users. However, MZWS does not cover malicious scripts and scriptlets, macros, or fileless malware. It can mitigate attacks at the moment when the executable payload (MZ file) is about to be run. This also works after rebooting the system. It can block such files for some time, but it is the user's problem to recognize whether the blocked files are malicious. It would be great if MZWS were integrated (as an option) with a good reputation service, like for example SmartScreen.

shmu26

I have heard about this program before but is it really needed with Appguard?
Appguard when properly configured is great protection. But it doesn't monitor dlls, per se. The Appguard approach is to block or guard enough system processes that malware will be unable to do anything bad with malicious dlls and drivers, and also, to prevent them from downloading in the first place.

@plat1098: Yes, this program is like the other Excubits products, it has no GUI.
As for the Excubits product that is supposed to combine a few features into one app, maybe @Windows_Security knows how that is progressing. I did some beta testing on it, but I have not been active in a few months.

Windows_Security

@plat1098: Yes, this program is like the other Excubits products, it has no GUI.
As for the Excubits product that is supposed to combine a few features into one app, maybe @Windows_Security knows how that is progressing. I did some beta testing on it, but I have not been active in a few months.

Same here, too busy with other things; no info on Malware Mitigator.

128BPM

If NoVirusThanks adds to File Extension Monitor the ability to block, I think that FEM could be even better than MZWS, because it is more customizable and has a GUI.

shmu26

If NVT adds to File Extension Monitor the ability to block, I think that FEM could be even better than MZWS. Because it is more customizable.
MZWS is customizable, too, but only by means of writing rules in the config file. Not very convenient, to be sure, but you basically have total control, once you understand how to do it.

On the other hand, if NVT would add the ability to block, that would be awesome! However, he would also need to add the ability to exclude specific paths, with parent/child support, like Excubits does, or else things won't work right.
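To make the behaviour discussed in this thread concrete, here is an added toy model of a "write scanner": it is example code written for this page, not MZWriteScanner's code, and it does not use Excubits' real config syntax. It implements the two things the first post describes (every newly written file whose header starts with the PE magic "MZ" is remembered and logged; a later attempt to run such a file is blocked in "lethal" mode or only logged in "non-lethal" mode) plus the kind of path exclusion with parent/child support that the last post says a blocking FEM would also need. The rule format, the event stream and all paths are constructed for the example.

```python
"""Toy model of an MZ 'write scanner' with lethal / non-lethal modes.

Constructed example for this thread; not the tool's own code. Rule syntax
(glob on the child path, optional glob on the parent process) is an
assumption, as is the event format.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import List, Optional, Set, Tuple

PE_MAGIC = b"MZ"  # exe, dll and sys files all start with this header


@dataclass
class Rule:
    """Whitelist rule: allow CHILD to run, optionally only under PARENT."""
    child: str                    # glob on the executed file's path
    parent: Optional[str] = None  # glob on the parent process path; None = any


@dataclass
class WriteScanner:
    lethal: bool = False                                  # block or only log
    rules: List[Rule] = field(default_factory=list)
    new_executables: Set[str] = field(default_factory=set)  # written since baseline
    log: List[str] = field(default_factory=list)

    def on_write(self, path: str, header: bytes) -> bool:
        """Record a newly written file if it carries the MZ header."""
        if header[:2] == PE_MAGIC:
            self.new_executables.add(path.lower())
            self.log.append(f"NEW-MZ {path}")
            return True
        return False  # text files, scripts etc. are out of scope here

    def _allowed(self, path: str, parent: str) -> bool:
        # Case-insensitive glob match on child and, if given, on parent.
        for r in self.rules:
            if fnmatch(path.lower(), r.child.lower()) and (
                r.parent is None or fnmatch(parent.lower(), r.parent.lower())
            ):
                return True
        return False

    def on_execute(self, path: str, parent: str) -> str:
        """Verdict for an execution attempt: 'allow', 'log' or 'block'."""
        if path.lower() not in self.new_executables:
            return "allow"  # pre-existing file: the clean-system assumption
        if self._allowed(path, parent):
            self.log.append(f"ALLOW-RULE {path} parent={parent}")
            return "allow"
        if self.lethal:
            self.log.append(f"BLOCK {path} parent={parent}")
            return "block"
        self.log.append(f"WOULD-BLOCK {path} parent={parent}")
        return "log"


def replay(events, lethal: bool, rules: List[Rule]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Feed constructed events through a scanner; return exec verdicts and the log."""
    scanner = WriteScanner(lethal=lethal, rules=rules)
    verdicts = []
    for ev in events:
        if ev[0] == "write":
            scanner.on_write(ev[1], ev[2])
        else:
            verdicts.append((ev[1], scanner.on_execute(ev[1], ev[2])))
    return verdicts, scanner.log


# Constructed event stream: (kind, path, header-or-parent).
SAMPLE_EVENTS = [
    ("write", r"C:\Users\u\Downloads\setup.exe", b"MZ\x90\x00"),
    ("write", r"C:\Users\u\AppData\Local\Temp\helper.dll", b"MZ\x90\x00"),
    ("write", r"C:\Users\u\Documents\notes.txt", b"hello"),
    ("write", r"C:\Windows\Temp\upd.exe", b"MZ\x90\x00"),
    ("exec", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    ("exec", r"C:\Users\u\Downloads\setup.exe", r"C:\Windows\explorer.exe"),
    ("exec", r"C:\Users\u\AppData\Local\Temp\helper.dll", r"C:\Users\u\Downloads\setup.exe"),
    ("exec", r"C:\Windows\Temp\upd.exe", r"C:\Program Files\Updater\updater.exe"),
]

# One parent/child exclusion: the (hypothetical) updater may run what it drops.
RULES = [Rule(child=r"C:\Windows\Temp\*.exe", parent=r"C:\Program Files\Updater\*")]

if __name__ == "__main__":
    for lethal in (False, True):
        verdicts, log = replay(SAMPLE_EVENTS, lethal, RULES)
        print("lethal" if lethal else "non-lethal", verdicts)
        print("\n".join(log))
```

Running it shows the difference between the two modes on the same events: notepad.exe is never touched because it was not written after the baseline, the dropped setup.exe and helper.dll are reported in non-lethal mode and blocked in lethal mode, and upd.exe is allowed only because both its own path and its parent match the rule; the same file launched from explorer.exe would be blocked.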