Poll MemProtect


Do you use MemProtect?

  • Yes

    Votes: 4 7.1%
  • No

    Votes: 52 92.9%

  • Total voters
    56

Windows_Security

Level 15
Content Creator
Verified
Mar 13, 2016
722
Operating System
Windows 7
#1
Friends,

Really a great piece of free software which uses a Windows internal mechanism and is a great add-on to every security setup. @WildByDesign is sort of the intermediary between the developer and the security forums, so thanks to his feedback collection the developer implements user requests (when he thinks they make sense).

MemProtect uses a Windows mechanism (protected processes), which was designed for DRM by Microsoft but soon was also used to protect security software from being attacked. MemProtect takes it a step further and uses Microsoft's API for this "protected processes" feature to mitigate memory-based exploit attacks. Since it is a Windows mechanism, this feature costs near zero CPU cycles.

I use it in default-allow mode and apply a container approach to vulnerable software. MemProtect cages vulnerable processes by blocking them from injecting DLLs, starting other processes or accessing the memory of other processes. With my [DEFAULTALLOW] approach I tell MemProtect to "cage" only a few vulnerable processes.

This "caging" approach is applied to Chrome, Office and Firefox. I installed Firefox in a Mozilla folder, so its Program Files folder name is the same as its AppData folder name. The Home/free version has a limitation that the ini file may only be 2KB. Using the same folder name for the installation as for AppData simplifies the rules and uses fewer bytes in the ini file.

Code:
[LETHAL]
[#LOGGING]
[WHITELIST]
[DEFAULTALLOW]
!*\Google\*>*\Google\*
!*\Mozilla\*>*\Mozilla\*
!*\Microsoft Office????\*>*\Microsoft Office????\*

!C:\Program Files\*>*SumatraPDF.exe
!C:\Program Files\*>*PDFCreator.exe
!C:\Program Files\*>*splwow64.exe
!C:\Program Files\*>*Chrome.exe

[BLACKLIST]
*\Google\*>*
*\Mozilla\*>*
*\Microsoft Office????\*>*
[EOF]

The blacklist entries tell MemProtect to deny *\Google\* from messing with any other process's memory. The priority whitelist rule (with !) overrules the blacklist and basically tells MemProtect that Google (Chrome and the updater) is allowed to mess with itself.

I use this on Windows 7 and allow all caged programs to use PDFCreator (printer), view PDF files (SumatraPDF), print to the spooler (splwow64.exe) and click on a link (chrome.exe). With this strong protection I don't worry about using Windows 7 and Office 2007.
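As an added example (this is not Excubits' code and not part of the post above): a small Python evaluator that reads the rule file posted above and answers, for a given source process path and target process path, what the described matching would decide. The semantics it encodes are my reading of the post, not a documented Excubits specification: a "!" whitelist entry is a priority rule that overrides the blacklist, "*" and "?" are glob wildcards, path matching is case-insensitive, a plain whitelist entry only wins when no blacklist entry matches, [DEFAULTALLOW] decides when nothing matches, a "#" in a section name disables that section, and [EOF] ends the file. The sample process paths are constructed for illustration.

```python
"""Toy evaluator for MemProtect-style INI rules (added example, not Excubits code).

Assumed semantics (my reading of the post, not an Excubits spec):
  SOURCE>TARGET per line; leading '!' = priority rule; '*'/'?' = glob wildcards;
  case-insensitive paths; priority WHITELIST beats BLACKLIST; BLACKLIST beats a
  plain WHITELIST; DEFAULTALLOW decides when nothing matches; a section whose
  name starts with '#' is disabled; [EOF] terminates the file.
"""
import fnmatch
from dataclasses import dataclass

# Constructed sample: the rule set from the post, with its [EOF] terminator.
SAMPLE_INI = r"""
[LETHAL]
[#LOGGING]
[WHITELIST]
[DEFAULTALLOW]
!*\Google\*>*\Google\*
!*\Mozilla\*>*\Mozilla\*
!*\Microsoft Office????\*>*\Microsoft Office????\*

!C:\Program Files\*>*SumatraPDF.exe
!C:\Program Files\*>*PDFCreator.exe
!C:\Program Files\*>*splwow64.exe
!C:\Program Files\*>*Chrome.exe

[BLACKLIST]
*\Google\*>*
*\Mozilla\*>*
*\Microsoft Office????\*>*
[EOF]
"""


@dataclass(frozen=True)
class Rule:
    source: str     # glob for the process that wants access
    target: str     # glob for the process being accessed
    priority: bool  # True when the line started with '!'
    text: str       # original line, for reporting


def parse_rules(text):
    """Return (set of enabled flag sections, {'WHITELIST': [...], 'BLACKLIST': [...]})."""
    flags, rules, current = set(), {"WHITELIST": [], "BLACKLIST": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name == "EOF":
                break                       # nothing after [EOF] is read
            if name.startswith("#"):
                continue                    # e.g. [#LOGGING]: section commented out
            if name in rules:
                current = name              # following rule lines belong to this list
            else:
                flags.add(name)             # LETHAL / LOGGING / DEFAULTALLOW do not reset 'current'
            continue
        if current is None:
            continue                        # rule line before any list: ignored
        priority = line.startswith("!")
        src, sep, dst = line.lstrip("!").partition(">")
        if sep:
            rules[current].append(Rule(src, dst, priority, line))
    return flags, rules


def _match(pattern, path):
    # fnmatch treats '\' as a literal character, so Windows paths need no escaping.
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def _hits(rule_list, source, target):
    return [r for r in rule_list if _match(r.source, source) and _match(r.target, target)]


def decide(policy, source, target):
    """Return ('allow'|'deny', matching Rule or None) for SOURCE touching TARGET."""
    flags, rules = policy
    white = _hits(rules["WHITELIST"], source, target)
    black = _hits(rules["BLACKLIST"], source, target)
    for rule in white:
        if rule.priority:
            return "allow", rule            # '!' whitelist overrides the blacklist
    if black:
        return "deny", black[0]
    if white:
        return "allow", white[0]
    return ("allow" if "DEFAULTALLOW" in flags else "deny"), None


def enforce(policy, source, target):
    """Apply the LETHAL switch: with [#LETHAL] a deny is only reported, not blocked."""
    verdict, rule = decide(policy, source, target)
    if verdict == "deny" and "LETHAL" not in policy[0]:
        return "log-only", rule
    return verdict, rule


POLICY = parse_rules(SAMPLE_INI)

if __name__ == "__main__":
    chrome = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
    for src, dst in [(chrome, r"C:\Windows\explorer.exe"),
                     (chrome, chrome),
                     (chrome, r"C:\Program Files\SumatraPDF\SumatraPDF.exe"),
                     (r"C:\Users\u\AppData\Local\Mozilla\firefox.exe", r"C:\Windows\explorer.exe")]:
        verdict, rule = enforce(POLICY, src, dst)
        print(f"{verdict:9} {src} -> {dst}  [{rule.text if rule else 'default'}]")
```

Running it with [LETHAL] replaced by [#LETHAL] turns every deny into log-only, which is the "test before enforcing" workflow the thread recommends.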
 
Nov 17, 2016
761
Operating System
Windows 10
Installed Antivirus
Microsoft
#6
Both MemProtect and the other non-Bouncer tools still require the extra hoops in the manual installation of their stuff, do they not?
Have you tested MemProtect against macros?
...
 

Windows_Security

Level 15
Content Creator
Verified
Mar 13, 2016
722
Operating System
Windows 7
#7
Both MemProtect and the other non-Bouncer tools still require the extra hoops in the manual installation of their stuff, do they not?
Have you tested MemProtect against macros?
...
When you cage the application which runs the macros, like I do with Office, they are kept in their host. Safe and sound. Why, did you have other experiences?

Because MemProtect uses near zero CPU cycles and beats all exploits I have thrown at it, it is the best freebie I have come across in years. There must be a catch which I have not discovered yet, otherwise I can't understand why other security softs don't offer this also.
 
Nov 17, 2016
761
Operating System
Windows 10
Installed Antivirus
Microsoft
#8
When you cage the application which runs the macros, like I do with Office, they are kept in their host. Safe and sound. Why, did you have other experiences?

Because MemProtect uses near zero CPU cycles and beats all exploits I have thrown at it, it is the best freebie I have come across in years. There must be a catch which I have not discovered yet, otherwise I can't understand why other security softs don't offer this also.
No. Just wanted to know if it can replace something like MBAE seeing as it also has the disadvantage of the extra effort in making it work.
 

Windows_Security

Level 15
Content Creator
Verified
Mar 13, 2016
722
Operating System
Windows 7
#9
Protected Processes were originally in Vista to protect (media) digital rights content. Protected processes were improved with Windows 7 (with an API) and further improved in Windows 8.1 (with Protected Processes Light).

This video (start from 30.52/25.16) explains the benefits of stripping out the code injection rights at kernel level. Any exploit runs to a wall because it is not able to create or manipulate code when a process is caged or contained with MemProtect.

VIDEO: Arun Kishan - Process Management in Windows Vista (jump to 30.50 when interviewer starts asking about new features in Vista).

A process caged or contained by MemProtect basically is unable to (the stripped rights apply to admins as well):

· Inject a thread into another process
· Access the virtual memory of another process
· Debug an active protected process
· Duplicate a handle from another process

Constraints on the threads of a caged or contained MemProtect process are:

· Set or retrieve context information
· Impersonate a thread


So MemProtect protects against the EFFECTS of process hollowing by caging or containing them in the hollowed process when.

Benefit of MemProtect: it uses Windows internals (kernel based) to harden your system, so it has no impact on system performance.
 
May 9, 2017
112
Operating System
Windows 10
Installed Antivirus
Microsoft
#10
I don't use it but I refuse to work with text in 2017. The developer should make a GUI if he wants more than 10 users.
While I don't refuse (completely) to resort to retro Windows 98 style manual text editing as those projects require, such a valid point need not be so easily dismissed either.

We are, after all, well into the 21st century, and so a proper GUI for assisting in establishing the rules needed to fine-tune the security could go a long way in attracting a much more inviting audience to those really well-coded programs of theirs, would it not?
 
Dec 28, 2016
83
#11
Hi,

thanks for sharing this with us. I think this is a great addition to SRP.
Is there a manual? Are there other sample configurations? Download link?
 
Mar 14, 2017
279
#12
Thanks for the helpful post regarding MemProtect. I'm trying to figure out if MemProtect would help me with my machine. Recently I enabled LSA Protection as follows:

Code:
;Enable LSA Protection:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000001
I've also GLOBALLY disabled macros from running in Office (Word/Excel/Powerpoint) as follows in local Group Policy:

Code:
User configuration\Administrative templates\Microsoft Word 2016\Word options\Security\Trust Center\Block macros from running in Office files from the Internet - set to Enable
(the same was done for Excel and Powerpoint)
Would running MemProtect still help me?
 
Nov 17, 2016
761
Operating System
Windows 10
Installed Antivirus
Microsoft
#14
Too much like hard work for the average user IMO!
People don't have the time to sit and configure stuff like that.
What "Average Joe" needs is something simple!
Browser people and Windows are already trying to do that.
 
Nov 17, 2016
761
Operating System
Windows 10
Installed Antivirus
Microsoft
#15
Remember that although Linux isn't big or increasing, it's not decreasing either and Linux remains relevant everywhere else. More competition.
 

Windows_Security

Level 15
Content Creator
Verified
Mar 13, 2016
722
Operating System
Windows 7
#16
Hi,

thanks for sharing this with us. I think this is a great addition to SRP.
Is there a manual? Are there other sample configurations? Download link?
WildByDesign has a direct line to the developer: website Excubits = MemProtect - Products | Excubits

Sample configuration of MemProtect (prevents memory access) and PumperNickel (prevents file access). When you don't want to tighten everything up, they are a great combo reinforcing each other's protections. Start playing with it with [#LETHAL] and [LOGGING] to see what effects the rules have before enforcing them. It is really a pity that such great and strong protection programs have no GUI. I admit that it is a nerd/tech tool, but when you get the hang of the cage and the container idea, writing rules is easy.

(attached screenshot of the sample configuration not reproduced here)


Cage = block all (with a few exceptions) and allow a vulnerable program access to its own folders = protects admin + user folders
Container = block access to system folders and allow a vulnerable program access to its own folders = protects admin folders

I know it is better to explicitly specify paths, but the free version only allows small INI files (I believe 2K for MemProtect and 3K for PumperNickel), so I use wildcards (* and ?) to save on characters and reduce tweaking hassle.
 

Umbra

Level 61
Content Creator
Verified
May 16, 2011
17,501
Operating System
Windows 10
Installed Antivirus
Default-Deny
#17
It is really a pity that such great and strong protection programs have no GUI. I admit that it is a nerd/tech tool, but when you get the hang of the cage and the container idea, writing rules is easy.
And in our modern age it is a shame; a GUI shouldn't be hard to do... reminds me of SoB, great tool, no GUI as well... I won't want to spend days writing rules manually for each of my apps.
 

Windows_Security

Level 15
Content Creator
Verified
Mar 13, 2016
722
Operating System
Windows 7
#18
@ParaXY

With the Security Center and GPO you can block add-ons, ActiveX and macros. I am using Office 2007, for which support ends soon, so I need an additional layer of security for Office 2007 (on Windows 7). When you are on Windows 10, my bet is that the Chrome sandbox and the Windows 10 exploit prevention mechanisms are strong enough.
 
May 9, 2017
112
Operating System
Windows 10
Installed Antivirus
Microsoft
#19
And in our modern age it is a shame; a GUI shouldn't be hard to do... reminds me of SoB, great tool, no GUI as well... I won't want to spend days writing rules manually for each of my apps.
Likewise, and that surely will change at some point; let's see.

Windows_Security: always amazed how you take free versions of security programs (i.e. Excubits here) with those limitations and show users that one can squeeze out every last drop of good usage without compromise.