Advice Request: MemProtect


Poll: Do you use MemProtect?

  • Yes: 5 votes (8.2%)
  • No: 56 votes (91.8%)
  • Total voters: 61
Status
Not open for further replies.

Windows_Security (thread author)
Friends,

Really a great piece of free software which uses a Windows internal mechanism and is a great add-on to every security setup. @WildByDesign is sort of the intermediary between the developer and the security forums, so thanks to his feedback collection the developer implements user requests (when he thinks they make sense).

MemProtect uses a Windows mechanism (protected processes), which was designed by Microsoft for DRM, but was soon also used to protect security software from being attacked. MemProtect takes it a step further and uses Microsoft's API for this "protected processes" feature to mitigate memory-based exploit attacks. Since it is a Windows mechanism, this feature costs near zero CPU cycles.

I use it in default allow mode and apply a container approach, meaning I target vulnerable software. MemProtect cages vulnerable processes by blocking them from injecting DLLs, starting other processes or accessing the memory of other processes. With my [DEFAULTALLOW] approach I tell MemProtect to "cage" only a few vulnerable processes.

This "caging" approach is applied to Chrome, Office and Firefox. I installed Firefox in a Mozilla folder, so its Program Files folder matches its AppData folders. The Home/free version has a limitation that the ini file may only be 2KB. Using the same folder name for the installation as for AppData simplifies the rules and uses fewer bytes in the ini file.

Code:
[LETHAL]
[#LOGGING]
[WHITELIST]
[DEFAULTALLOW]
!*\Google\*>*\Google\*
!*\Mozilla\*>*\Mozilla\*
!*\Microsoft Office????\*>*\Microsoft Office????\*

!C:\Program Files\*>*SumatraPDF.exe
!C:\Program Files\*>*PDFCreator.exe
!C:\Program Files\*>*splwow64.exe
!C:\Program Files\*>*Chrome.exe

[BLACKLIST]
*\Google\*>*
*\Mozilla\*>*
*\Microsoft Office????\*>*
[EOF]

The blacklist entries tell MemProtect to deny *\Google\* from messing with any other process's memory. The priority whitelist rule (with !) overrules the blacklist and basically tells MemProtect that Google (Chrome and its updater) is allowed to mess with itself.

I use this on Windows 7 and allow all caged programs to use PDFCreator (printer), view PDF files (SumatraPDF), print to the spooler (splwow64.exe) and click on a link (chrome.exe). With this strong protection I don't worry about using Windows 7 and Office 2007.
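To make the rule resolution described above concrete, here is an added example (not MemProtect's code and not from the post) that models the posted ini: rules have the form SOURCE>TARGET, a [BLACKLIST] entry denies the source process access to the target process, a "!" priority whitelist entry beats any blacklist entry it also matches, and under [DEFAULTALLOW] anything unmatched is allowed. The evaluation order, the exact wildcard semantics and the sample process paths are assumptions made for the illustration; the real engine is not published on this page.

```python
"""Model of MemProtect-style SOURCE>TARGET rule resolution.

Added example, not MemProtect's own code. Semantics are an assumption based on
the post: [BLACKLIST] denies, a '!' priority whitelist entry overrides any
blacklist entry it also matches, plain whitelist entries allow, and under
[DEFAULTALLOW] anything left unmatched is allowed. '*' matches any run of
characters, '?' exactly one; paths compare case-insensitively.
"""
from fnmatch import fnmatchcase

# The ini posted above, with the [EOF] marker closed.
SAMPLE_INI = r"""
[LETHAL]
[#LOGGING]
[WHITELIST]
[DEFAULTALLOW]
!*\Google\*>*\Google\*
!*\Mozilla\*>*\Mozilla\*
!*\Microsoft Office????\*>*\Microsoft Office????\*
!C:\Program Files\*>*SumatraPDF.exe
!C:\Program Files\*>*PDFCreator.exe
!C:\Program Files\*>*splwow64.exe
!C:\Program Files\*>*Chrome.exe
[BLACKLIST]
*\Google\*>*
*\Mozilla\*>*
*\Microsoft Office????\*>*
[EOF]
"""


def parse_rules(text):
    """Return a dict with 'default_allow' and the 'priority', 'whitelist'
    and 'blacklist' lists of (rule_text, source_pattern, target_pattern)."""
    rules = {"default_allow": False, "priority": [], "whitelist": [], "blacklist": []}
    bucket = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[#"):      # blank, or a switch disabled with '#'
            continue
        if line.startswith("[") and line.endswith("]"):
            switch = line[1:-1].upper()
            if switch == "EOF":
                break
            if switch == "DEFAULTALLOW":
                rules["default_allow"] = True
            elif switch in ("WHITELIST", "BLACKLIST"):
                bucket = switch.lower()
            continue                                 # [LETHAL]/[LOGGING] are not modelled here
        if bucket is None or ">" not in line:
            raise ValueError(f"malformed or misplaced rule: {line!r}")
        source, _, target = line.lstrip("!").partition(">")
        entry = (line, source, target)
        # A '!' entry in the whitelist is a priority rule that beats the blacklist.
        if line.startswith("!") and bucket == "whitelist":
            rules["priority"].append(entry)
        else:
            rules[bucket].append(entry)
    return rules


def _match(path, pattern):
    # fnmatch gives '*' and '?' semantics; Windows paths are case-insensitive.
    return fnmatchcase(path.lower(), pattern.lower())


def decide(rules, source, target):
    """Return ('allow' | 'deny', reason) for SOURCE touching TARGET's memory."""
    def first_hit(entries):
        return next((e for e in entries if _match(source, e[1]) and _match(target, e[2])), None)

    for bucket, verdict in (("priority", "allow"), ("blacklist", "deny"), ("whitelist", "allow")):
        hit = first_hit(rules[bucket])
        if hit:
            return verdict, f"{bucket} rule {hit[0]}"
    return ("allow" if rules["default_allow"] else "deny"), "no rule matched (default)"


RULES = parse_rules(SAMPLE_INI)

# Constructed source/target pairs; the paths are illustrative, not from the post.
CASES = {
    "chrome-to-google-updater": (r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
                                 r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"),
    "word-to-sumatrapdf": (r"C:\Program Files\Microsoft Office 365\root\Office16\WINWORD.EXE",
                           r"C:\Program Files\SumatraPDF\SumatraPDF.exe"),
    "word-to-cmd": (r"C:\Program Files\Microsoft Office 365\root\Office16\WINWORD.EXE",
                    r"C:\Windows\System32\cmd.exe"),
    "explorer-to-notepad": (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe"),
}


def run_cases(rules=RULES, cases=CASES):
    """Evaluate every constructed case and return {name: verdict}."""
    return {name: decide(rules, src, dst)[0] for name, (src, dst) in cases.items()}


if __name__ == "__main__":
    for name, (src, dst) in CASES.items():
        verdict, reason = decide(RULES, src, dst)
        print(f"{name:26} {verdict:5}  {reason}")
```

Running it shows why the post's patterns depend on folder names: a Firefox installed under C:\Program Files\Mozilla Firefox\ would not match *\Mozilla\*, whereas the post's C:\Program Files\Mozilla\ layout does, and the "!C:\Program Files\*>..." rules let any caged program under Program Files reach SumatraPDF, PDFCreator, splwow64 and Chrome while the blacklist denies everything else.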

Handsome Recluse
Lol :))
It's not that bad... on Linux you do it all the time :))
Aaaand that may be one reason Linux is so popular... not :p
http://www.dedoimedo.com/images/computers_years/2013_2/linux-distro-dependency-graph.png
 

Handsome Recluse
Both MemProtect and other non-Bouncer still require the extra hoops in the manual installation of their stuff, do they not?
Have you tested MemProtect against macros?
...
 

Windows_Security (thread author)
Handsome Recluse said:
Both MemProtect and other non-Bouncer still require the extra hoops in the manual installation of their stuff, do they not?
Have you tested MemProtect against macros?
...

When you cage the application which runs the macros, like I do with Office, they are kept in their host. Safe and sound. Why, did you have other experiences?

Because MemProtect uses near zero CPU cycles and beats all exploits I have thrown at it, it is the best freebie I have come across in years. There must be a catch which I have not discovered yet, otherwise I can't understand why other security softs don't offer this also.
 

Handsome Recluse
Windows_Security said:
When you cage the application which runs the macros, like I do with Office, they are kept in their host. Safe and sound. Why, did you have other experiences?

Because MemProtect uses near zero CPU cycles and beats all exploits I have thrown at it, it is the best freebie I have come across in years. There must be a catch which I have not discovered yet, otherwise I can't understand why other security softs don't offer this also.

No. Just wanted to know if it can replace something like MBAE, seeing as it also has the disadvantage of the extra effort in making it work.
 

Windows_Security (thread author)
Protected Processes were originally introduced in Vista to protect (media) digital rights content. Protected processes were improved in Windows 7 (with an API) and further improved in Windows 8.1 (with Protected Processes Light).

This video (start from 30.52/25.16) explains the benefits of stripping out the code injection rights at kernel level. Any exploit runs to a wall because it is not able to create or manipulate code when a process is caged or contained with MemProtect.

VIDEO: Arun Kishan - Process Management in Windows Vista (jump to 30.50 when interviewer starts asking about new features in Vista).

A process caged or contained by MemProtect is basically unable to (these rights are stripped even for admins):

  • Inject a thread into another process
  • Access the virtual memory of another process
  • Debug an active protected process
  • Duplicate a handle from another process

Constraints on the threads of a caged or contained MemProtect process are:

  • Set or retrieve context information
  • Impersonate a thread

So MemProtect protects against the EFFECTS of process hollowing by caging or containing them in the hollowed process.

Benefit of MemProtect: it uses Windows internals (kernel based) to harden your system, so it has no impact on system performance.

EASTER
I don't use it but I refuse to work with text in 2017. The developer should make a GUI if he wants more than 10 users.

While I don't (completely) refuse to resort to retro Windows 98 style manual text editing as those projects require, such a valid point need not be so easily dismissed either.

We are, after all, well into the 21st century, and so a proper GUI for assisting in establishing the rules needed to fine-tune the security would and could go a long way in attracting a much more inviting audience to those really well coded programs of theirs, would it not?
 

Daniel Keller
Hi,

Thanks for sharing this with us. I think this is a great addition to SRP.
Is there a manual? Are there other sample configurations? Download link?
 

ParaXY
Thanks for the helpful post regarding MemProtect. I'm trying to figure out if MemProtect would help me with my machine. Recently I enabled LSA Protection as follows:

Code:
;Enable LSA Protection:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000001

I've also GLOBALLY disabled macros from running in Office (Word/Excel/Powerpoint) as follows in local Group Policy:

Code:
User configuration\Administrative templates\Microsoft Word 2016\Word options\Security\Trust Center\Block macros from running in Office files from the Internet - set to Enable
(the same was done for Excel and Powerpoint)

Would running MemProtect still help me?
 

Handsome Recluse
Too much like hard work for the average user IMO!
People don't have the time to sit and configure stuff like that.
What "Average Joe" needs is something simple!
Browser people and Windows are already trying to do that.
 

Handsome Recluse
Remember that although Linux isn't big or increasing, it's not decreasing either and Linux remains relevant everywhere else. More competition.
 

Windows_Security (thread author)
Daniel Keller said:
Hi,

Thanks for sharing this with us. I think this is a great addition to SRP.
Is there a manual? Are there other sample configurations? Download link?

WildbyDesign has a direct line to the developer: website Excubits = MemProtect - Products | Excubits

Sample configuration of MemProtect (prevents memory access) and PumperNickel (prevents file access). When you don't want to tighten everything up, they are a great combo, reinforcing each other's protections. Start playing with it with [#LETHAL] and [LOGGING] to see what effects the rules have before enforcing them. It is really a pity that such great and strong protection programs have no GUI. I admit that it is a nerd/tech tool, but when you get the hang of the cage and the container idea, writing rules is easy.

[image: sample MemProtect and PumperNickel configuration]

Cage = block all (with a few exceptions) and allow a vulnerable program access to its own folders = protects admin + user folders
Container = block access to system folders and allow a vulnerable program access to its own folders = protects admin folders

I know it is better to explicitly specify paths, but the free version only allows small INI files (I believe 2K for MemProtect and 3K for PumperNickel), so I use wildcards (* and ?) to save on characters and reduce tweaking hassle.
 

Deleted member 178

Windows_Security said:
It is really a pity that such great and strong protection programs have no GUI. I admit that it is a nerd/tech tool, but when you get the hang of the cage and the container idea, writing rules is easy.

And in our modern age it is a shame; a GUI shouldn't be hard to do... reminds me of SoB, great tool, no GUI as well... I won't want to spend days writing rules manually for each of my apps.
 

Windows_Security (thread author)
@ParaXY

With Security Center and GPO you can block add-ons, ActiveX and macros. I am using Office 2007, for which support ends soon, so I need an additional layer of security for Office 2007 (on Windows 7). When you are on Windows 10, my bet is that the Chrome sandbox and the Windows 10 exploit prevention mechanisms are strong enough.
 

EASTER
Deleted member 178 said:
And in our modern age it is a shame; a GUI shouldn't be hard to do... reminds me of SoB, great tool, no GUI as well... I won't want to spend days writing rules manually for each of my apps.

Likewise, and that surely will change at some point, let's see.

Windows_Security - Always amazed how you take free versions of security programs (i.e. Excubits here) with those limitations and show users that one can squeeze out every last drop of good usage without compromise.
 