Poll: MemProtect

Discussion in 'Other Security for Windows' started by Windows_Security, Apr 9, 2017.

Poll: Do you use MemProtect?

  1. Yes - 3 vote(s), 5.4%
  2. No - 53 vote(s), 94.6%
  1. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Mar 13, 2016
    616
    2,886
    Holland
    Windows 7
    Default-Deny
    #1 Windows_Security, Apr 9, 2017
    Last edited: Apr 9, 2017
    Official Website:
    https://excubits.com/content/en/products_memprotect.html
    Friends,

    Really a great piece of free software which uses a Windows internal mechanism and is a great add-on to every security setup. @WildByDesign is sort of the intermediary between the developer and the security forums, so thanks to his feedback collection the developer implements user requests (when he thinks they make sense).

    MemProtect uses a Windows mechanism (protected processes) which was designed for DRM by Microsoft, but was soon also used to protect security software from being attacked. MemProtect takes it a step further and uses Microsoft's API for this "protected processes" feature to mitigate memory-based exploit attacks. Since it is a Windows mechanism, this feature costs near zero CPU cycles.

    I use it in default allow mode and apply a container approach, meaning for vulnerable software. MemProtect cages vulnerable processes by blocking them from injecting DLLs, starting other processes or accessing the memory of other processes. With my [DEFAULTALLOW] approach I tell MemProtect to "cage" only a few vulnerable processes.

    This "caging" approach is applied to Chrome, Office and Firefox. I installed Firefox in a folder named Mozilla, so its Program Files folder has the same name as its AppData folders. The Home/free version has a limitation that the INI file may only be 2 KB. Using the same folder name for the installation as for AppData simplifies the rules and uses fewer bytes in the INI file.

    Code:
    [LETHAL]
    [#LOGGING]
    [WHITELIST]
    [DEFAULTALLOW]
    !*\Google\*>*\Google\*
    !*\Mozilla\*>*\Mozilla\*
    !*\Microsoft Office????\*>*\Microsoft Office????\*

    !C:\Program Files\*>*SumatraPDF.exe
    !C:\Program Files\*>*PDFCreator.exe
    !C:\Program Files\*>*splwow64.exe
    !C:\Program Files\*>*Chrome.exe

    [BLACKLIST]
    *\Google\*>*
    *\Mozilla\*>*
    *\Microsoft Office????\*>*
    [EOF]

    The blacklist entries tell MemProtect to deny *\Google\* from messing with any other process's memory. The priority rule in the whitelist (with !) overrules the blacklist and basically tells MemProtect that Google (Chrome and the updater) is allowed to mess with itself.

    I use this on Windows 7 and allow all caged programs to use PDFCreator (printer), view PDF files (SumatraPDF), print to the spooler (splwow64.exe) and click on a link (chrome.exe). With this strong protection I don't worry about using Windows 7 and Office 2007.
     
  2. SHvFl

    SHvFl Level 32
    Content Creator Trusted

    Nov 19, 2014
    2,153
    16,406
    Supermodel for McDonald's
    Europe
    Windows 10
    Emsisoft
    I don't use it but I refuse to work with text in 2017. The developer should make a GUI if he wants more than 10 users.
     
  3. Amelith Nargothrond

    Mar 22, 2017
    586
    2,119
    Romania
    Windows 10
    Avira
    Lol :))
    It's not that bad... on Linux you do it all the time :))
    Aaaand that may be one reason Linux is so popular... not :p
     
    Rengar, harlan4096, frogboy and 4 others like this.
  4. TerrakionSmash

    TerrakionSmash Level 16

    Nov 17, 2016
    751
    2,129
    Somewhere underwater or over water. I am water!
    Windows 10
    Microsoft
    mlnevese, Glashouse, Rengar and 8 others like this.
  5. Amelith Nargothrond

    SHvFl and XhenEd like this.
  6. TerrakionSmash

    #6 TerrakionSmash, Apr 10, 2017
    Last edited: Apr 10, 2017
    Both MemProtect and the other non-Bouncer tools still require the extra hoops of the manual installation of their stuff, do they not?
    Have you tested MemProtect against macros?
    ...
     
  7. Windows_Security

    When you cage the application which runs the macros, like I do with Office, they are kept in their host. Safe and sound. Why, did you have other experiences?

    Because MemProtect uses near zero CPU cycles and beats all exploits I have thrown at it, it is the best freebie I have come across in years. There must be a catch which I have not discovered yet, otherwise I can't understand why other security softs don't offer this also.
     
    Sunshine-boy likes this.
  8. TerrakionSmash

    No. Just wanted to know if it can replace something like MBAE seeing as it also has the disadvantage of the extra effort in making it work.
     
  9. Windows_Security

    #9 Windows_Security, May 9, 2017
    Last edited: May 9, 2017
    Protected Processes were originally introduced in Vista to protect (media) digital rights content. Protected processes were improved in Windows 7 (with an API) and further improved in Windows 8.1 (with Protected Processes Light).

    This video (start from 30.52/25.16) explains the benefits of stripping out the code injection rights at kernel level. Any exploit runs into a wall because it is not able to create or manipulate code when a process is caged or contained with MemProtect.

    VIDEO: Arun Kishan - Process Management in Windows Vista (jump to 30.50 when the interviewer starts asking about new features in Vista).

    A process caged or contained by MemProtect is basically unable to (the stripped rights apply to Admins too):

    · Inject a thread into another process
    · Access the virtual memory of another process
    · Debug an active protected process
    · Duplicate a handle from another process

    Constraints on the threads of a caged or contained MemProtect process are:

    · Set or retrieve context information
    · Impersonate a thread


    So MemProtect protects against the EFFECTS of process hollowing by caging or containing them in the hollowed process when.

    Benefit of MemProtect: it uses Windows internals (kernel based) to harden your system, so it has no impact on system performance.
     
    Daniel Keller likes this.
  10. EASTER

    EASTER Level 3

    May 9, 2017
    110
    352
    SouthWest Indiana (Evansville)
    Windows 10
    Microsoft
    While I don't (completely) refuse to resort to retro Windows 98 style manual text editing as those projects require, such a valid point need not be so easily dismissed either.

    We are, after all, well into the 21st century, and so a proper GUI for assisting in establishing the rules needed to fine-tune the security would go a long way in attracting a much more inviting audience to those really well coded programs of theirs, would it not?
     
    mlnevese, TerrakionSmash and Umbra like this.
  11. Daniel Keller

    Daniel Keller Level 2

    Dec 28, 2016
    73
    222
    Germany
    Hi,

    thanks for sharing this with us. I think this is a great addition to SRP.
    Is there a manual? Are there other sample configurations? Download link?
     
  12. ParaXY

    ParaXY Level 4

    Mar 14, 2017
    188
    305
    CI
    Thanks for the helpful post regarding MemProtect. I'm trying to figure out if MemProtect would help me with my machine. Recently I enabled LSA Protection as follows:

    Code:
    ;Enable LSA Protection:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "RunAsPPL"=dword:00000001
    
    I've also GLOBALLY disabled macros from running in Office (Word/Excel/Powerpoint) as follows in local Group Policy:

    Code:
    User configuration\Administrative templates\Microsoft Word 2016\Word options\Security\Trust Center\Block macros from running in Office files from the Internet - set to Enable
    (the same was done for Excel and Powerpoint)
    
    Would running MemProtect still help me?
     
  13. Andytay70

    Andytay70 Level 13

    Jul 6, 2015
    646
    3,288
    Electricial engineer
    UK
    Windows 10
    Avast
    Too much like hard work for the average user IMO!
    People don't have the time to sit and configure stuff like that.
    What "Average Joe" needs is something simple!
     
    mlnevese, Sunshine-boy and frogboy like this.
  14. TerrakionSmash

    Browser people and Windows are already trying to do that.
     
  15. TerrakionSmash

    Remember that although Linux isn't big or increasing, it's not decreasing either and Linux remains relevant everywhere else. More competition.
     
  16. Windows_Security

    #16 Windows_Security, May 9, 2017
    Last edited: May 9, 2017
    WildByDesign has a direct line to the developer: website Excubits = MemProtect - Products | Excubits

    Sample configuration of MemProtect (prevents memory access) and PumperNickel (prevents file access). When you don't want to tighten everything up, they are a great combo, each reinforcing the other's protection. Start playing with it with [#LETHAL] and [LOGGING] to see what effects the rules have before enforcing them. It is really a pity that such great and strong protection programs have no GUI. I admit that it is a nerd/tech tool, but when you get the hang of the cage and the container idea, writing rules is easy.

    (attachment: upload_2017-5-9_17-25-36.png)

    Cage = block all (with a few exceptions) and allow a vulnerable program access to its own folders = protects admin + user folders
    Container = block access to system folders and allow a vulnerable program access to its own folders = protects admin folders

    I know it is better to explicitly specify paths, but the free version only allows small INI files (I believe 2K for MemProtect and 3K for PumperNickel), so I use wildcards (* and ?) to save on characters and reduce tweaking hassle.
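
    Added example (editor's note, not part of the thread and not Excubits' code): a small Python evaluator for the `source>target` rule format of the INI posted in #1, implementing the priority (`!`) whitelist, blacklist and [DEFAULTALLOW] semantics exactly as Windows_Security describes them, and contrasting that "cage" rule set with a constructed "container" rule set written after the two definitions in #16. The wildcard and case handling, and the reading of the left side of `>` as the acting process and the right side as the process whose memory it touches, are assumptions stated in the docstring and are not confirmed by Excubits; the rule sets and sample paths are constructed for the example.

```python
"""MemProtect-style 'source>target' rule evaluator.  Added example; not
Excubits' code.  Semantics as the thread describes them: in [DEFAULTALLOW]
mode an access is denied only by a [BLACKLIST] hit, and a '!' priority rule
in [WHITELIST] overrides the blacklist.  Assumed, not confirmed by the thread:
case-insensitive matching, '*' = any run of characters, '?' = exactly one,
left of '>' = acting process, right of '>' = process whose memory it touches.
"""
import re
from dataclasses import dataclass, field
from typing import NamedTuple

# Constructed copy of the "cage" rule set posted in #1.
CAGE_INI = r"""
[LETHAL]
[#LOGGING]
[WHITELIST]
[DEFAULTALLOW]
!*\Google\*>*\Google\*
!*\Mozilla\*>*\Mozilla\*
!*\Microsoft Office????\*>*\Microsoft Office????\*
!C:\Program Files\*>*SumatraPDF.exe
!C:\Program Files\*>*PDFCreator.exe
!C:\Program Files\*>*splwow64.exe
!C:\Program Files\*>*Chrome.exe
[BLACKLIST]
*\Google\*>*
*\Mozilla\*>*
*\Microsoft Office????\*>*
[EOF]
"""
# Constructed "container" rule set after the definition in #16 (the post gives
# no rules): Firefox may touch itself but no system or Program Files process.
CONTAINER_INI = r"""
[LETHAL]
[WHITELIST]
[DEFAULTALLOW]
!*\Mozilla\*>*\Mozilla\*
[BLACKLIST]
*\Mozilla\*>C:\Windows\*
*\Mozilla\*>C:\Program Files\*
[EOF]
"""

class Rule(NamedTuple):
    text: str
    priority: bool          # True for '!' rules
    source: re.Pattern
    target: re.Pattern

    def matches(self, src: str, dst: str) -> bool:
        return bool(self.source.match(src) and self.target.match(dst))

@dataclass
class Policy:
    lethal: bool = False
    default_allow: bool = False
    whitelist: list = field(default_factory=list)
    blacklist: list = field(default_factory=list)

def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate the INI wildcards into an anchored, case-insensitive regex."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)

def parse_ini(text: str) -> Policy:
    """Parse the flags and 'source>target' rules of a MemProtect INI."""
    policy, section = Policy(), None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "[EOF]":
            break
        if line.startswith("["):                 # flag or section header
            tag = line.strip("[]").upper()
            policy.lethal |= tag == "LETHAL"
            policy.default_allow |= tag == "DEFAULTALLOW"
            section = tag if tag in ("WHITELIST", "BLACKLIST") else section
            continue                             # [#LOGGING] etc. are ignored
        if section is None or ">" not in line:
            raise ValueError(f"malformed or misplaced rule: {line!r}")
        src, dst = line.lstrip("!").split(">", 1)
        rule = Rule(line, line.startswith("!"), glob_to_regex(src), glob_to_regex(dst))
        getattr(policy, section.lower()).append(rule)
    return policy

def decide(policy: Policy, src: str, dst: str) -> tuple:
    """Return (verdict, matched rule text or 'default') for src touching dst."""
    for rule in policy.whitelist:
        if rule.priority and rule.matches(src, dst):
            return "allow", rule.text            # '!' rules beat the blacklist
    for rule in policy.blacklist:
        if rule.matches(src, dst):               # with [#LETHAL] only logged
            return ("deny" if policy.lethal else "log-only"), rule.text
    for rule in policy.whitelist:
        if rule.matches(src, dst):
            return "allow", rule.text
    return ("allow" if policy.default_allow else "deny"), "default"

def compare(src: str, dst: str) -> dict:
    """Verdict of the cage and the container policy for the same access."""
    return {"cage": decide(parse_ini(CAGE_INI), src, dst)[0],
            "container": decide(parse_ini(CONTAINER_INI), src, dst)[0]}
```

    With the cage, `C:\Program Files\Mozilla\firefox.exe` touching a process under `C:\Users\...\AppData` is denied by `*\Mozilla\*>*`, while the container lets it through, which is the "admin + user folders" versus "admin folders" difference from #16 in concrete terms. Two checks worth running against your own paths before trusting a rule set: under the assumed wildcard semantics `?` matches exactly one character, so `*\Microsoft Office????\*` only matches a folder name exactly four characters longer than `Microsoft Office` (`glob_to_regex` lets you test a candidate path), and real MemProtect parsing may differ from this evaluator, so confirm the verdicts with [#LETHAL] and [LOGGING] first, as the post advises.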
     
  17. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,169
    29,672
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
    And in our modern age it is a shame, a GUI shouldn't be hard to do... reminds me of SoB, a great tool, no GUI as well... I wouldn't want to spend days writing rules manually for each of my apps.
     
  18. Windows_Security

    @ParaXY

    With the security center and GPO you can block add-ons, ActiveX and macros. I am using Office 2007, for which support ends soon, so I need an additional layer of security for Office 2007 (on Windows 7). When you are on Windows 10, my bet is that the Chrome sandbox and the Windows 10 exploit prevention mechanisms are strong enough.
     
    Daniel Keller and TerrakionSmash like this.
  19. EASTER

    Likewise, and that surely will change at some point; let's see.

    Windows_Security - Always amazed how you take free versions of security programs (i.e. Excubits here) with those limitations and show users that one can squeeze out every last drop of good usage without compromise.
     
  20. Daniel Keller

    Germany
    @Windows_Security: Thank you very much for the explanation and the basic example! I'll give it a go. :)