Poll MemProtect

Discussion in 'Other Security for Windows' started by Windows_Security, Apr 9, 2017.

Do you use MemProtect?

  1. Yes

    3 vote(s)
    5.4%
  2. No

    53 vote(s)
    94.6%
  1. Daniel Keller

    Daniel Keller Level 2

    Dec 28, 2016
    73
    222
    Germany
    @Windows_Security: Could you post here or send me your example configurations please, so I could copy and paste parts?
     
  2. TerrakionSmash

    TerrakionSmash Level 16

    Nov 17, 2016
    752
    2,130
    Somewhere underwater or over water. I am water!
    Windows 10
    Microsoft
    But you only use Memprotect of the two, don't you?
     
  3. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Mar 13, 2016
    619
    2,894
    Holland
    Windows 7
    Default-Deny
    @TerrakionSmash

    You are correct that I only used MemProtect, but since yesterday also Pumpernickel, because I received so many emails with ransomware lately that I wanted extra protection for the built-in backup drive and the Outlook PST and OST files.

    Regards Kees
     
    TerrakionSmash likes this.
  4. TerrakionSmash

    TerrakionSmash Level 16

    Nov 17, 2016
    752
    2,130
    Somewhere underwater or over water. I am water!
    Windows 10
    Microsoft
    Webmail or email client? How common is ransomware there? I use Western products but I'm not a Westerner, nor do I live there. Ransomware doesn't seem to be common here. Of course I might just be odd, living in an odd environment, since my environment surely isn't normal.
     
  5. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Mar 13, 2016
    619
    2,894
    Holland
    Windows 7
    Default-Deny
    Email client is Outlook from Office 2007
     
    TerrakionSmash likes this.
  6. Glashouse

    Glashouse Level 4

    Jun 4, 2017
    154
    322
    Germany
    Windows 10
    Emsisoft
    Did anyone try the new [MODULEFILTER] for MemProtect?
    I just enabled it and played a little bit. --> wow, this can really mess up your system :)
     
  7. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Mar 13, 2016
    619
    2,894
    Holland
    Windows 7
    Default-Deny
    Yeah, it is like the Attack Surface Reduction of EMET. You could stop vbs.dll from being started by Word, etcetera.
     
    Deletedmessiah and Trooper like this.
  8. Peter2150

    Peter2150 Level 6

    Oct 24, 2015
    281
    816
    Washington DC
    Windows 7
    Emsisoft
    I use Pumpernickel and MZWriteScanner from Excubits. Yep, everything is manual, but the protection is unequaled. MZWriteScanner is my hero: it detects and alerts you when an exe, dll or sys file is dropped on your system, and it blocks them until you either clear the log file or reboot.

    And they are very inexpensive, $13 US for each. I think he makes his money by doing custom setups for enterprise. I am not sure he cares if you don't use it because there is no GUI.
     
    Deletedmessiah likes this.
  9. Deletedmessiah

    Deletedmessiah Level 15

    Jan 16, 2017
    716
    6,603
    SSD
    Windows 8.1
    Emsisoft
    That price, yearly or lifetime?
     
    frogboy likes this.
  10. ParaXY

    ParaXY Level 4

    Mar 14, 2017
    189
    306
    CI
    I currently use AppGuard in locked down mode and am very happy with it. Is there any point in using MZwritescanner as well? I like the idea of being alerted when an exe/dll/sys file is "dropped" onto my drive.
     
  11. Peter2150

    Peter2150 Level 6

    Oct 24, 2015
    281
    816
    Washington DC
    Windows 7
    Emsisoft
    Lifetime.
     
    Deletedmessiah likes this.
  12. Peter2150

    Peter2150 Level 6

    Oct 24, 2015
    281
    816
    Washington DC
    Windows 7
    Emsisoft
    Hi ParaXY

    I also use AppGuard in Lockdown. Whether you need both is kind of up to you and your situation. It is true AppGuard will stop everything, but I do like having that notice. Depending on how much your system changes you do have to babysit it, but for me it's worth it.
     
  13. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,713
    11,887
    AppGuard LLC Virginia, U.S.
    If you are a "logaholic," which I know you are at a level where log audits are no challenge for you, then it might benefit you - if you are so inclined to audit logs from time-to-time. What log audits add to overall security is up to the user to decide.

    Excubits cmdScanner (command lines with arguments) and MZWriteScanner (executable file tracking) can be configured to an "audit-only" mode. NoVirusThanks has similar products that are freeware for home use. There is also a freeware version of Log-MD which can be configured extensively.

    Just an FYI... Excubits cmdScanner will not log process (*.exe) launches blocked by AppGuard. It will, however, log blocked executions of scripts. cmdScanner is useful in capturing command lines to configure AppGuard policy. There are multiple ways to get the info out of cmdScanner with AG installed. If you want more info then you know where to reach me.

    I use cmdScanner from time to time. More often than not I reach for SpyShelter, as its command line logger is quite good. NVT's logging utilities I have used here and there. Which one I utilize depends upon what I am working on.
     
  14. ParaXY

    ParaXY Level 4

    Mar 14, 2017
    189
    306
    CI
    My system doesn't change frequently. I generally just keep my currently installed software patched and current. There are exceptions of course but now that I have locked down my PC and have it configured like I want it I like to just maintain.

    Can you use MZWriteScanner on its own to alert you when an exe/dll/sys file is dropped on your drive? Do you have a screenshot? I'm quite curious about this now!

    I do have a peek in my Windows firewall logs from time to time using the excellent "Connection Log" in WFC. I like to have granular control of my machine and also like to know what is going on with it. I hate to be in the dark regarding these things!

    Am I correct in saying that MZWriteScanner will only alert me when a NEW exe/dll/sys file is saved onto the hard drive? i.e. existing exe/dll/sys files are ignored.

    Do you have a link for NoVirusThanks product that does the same thing? I was looking in but wasn't sure which one you were referring to:

    NoVirusThanks Free Tools

    My reason for the interest in MZWriteScanner is that I would like to know when a malicious exe/dll/sys file has landed on my hard drive even if it hasn't been executed yet (from a drive-by download, for example).
     
  15. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,713
    11,887
    AppGuard LLC Virginia, U.S.
    I have not used MZWriteScanner in quite a while. Florian made changes to it. The person who knows it is @Peter2150 since he uses the latest version.

    The purpose of MZWriteScanner is to track certain file types that hit the system. The tray icon color change is your alert system, unless Florian also put in a tray icon balloon.

    NVT Process and Event Logger: NoVirusThanks Products & Software

    Just about every one of his products has a singular logging purpose. You have to read all the product descriptions.
     
  16. Peter2150

    Peter2150 Level 6

    Oct 24, 2015
    281
    816
    Washington DC
    Windows 7
    Emsisoft
    The beauty of MZWriteScanner is that if a file drops anywhere on your system, you see a color change in the tray icon. But more importantly, it won't execute until you either clear the log file or reboot. So you are both alerted and protected. I don't know of anything else that will do that.
     
  17. Peter2150

    Peter2150 Level 6

    Oct 24, 2015
    281
    816
    Washington DC
    Windows 7
    Emsisoft
    Hi ParaXY

    No screenshot. I'm assuming anyone here can visualize a tray icon turning from green to red. But as I said, even if you don't notice it right away... To answer the other question: I have a GRC utility, Leaktest.exe, on my F drive. If I copy it to my C: drive (or any other location), MZ will alert and block its execution from there. I like the fact that if something drops a DLL, I'll know about it.
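    As an added illustration of the behaviour Peter2150 describes in the two posts above (this is not Excubits code, nor code from anyone in this thread): a baseline-then-scan monitor that flags any newly written file whose header starts with the MZ magic, whatever its extension, and keeps it on a block list until the log is explicitly cleared. The MzWriteMonitor class, the file names and the temp-directory sample are all constructed for the example.

```python
import tempfile
from pathlib import Path

MZ_MAGIC = b"MZ"  # DOS/PE header signature, checked regardless of file extension

def is_mz_file(path):
    """True if the file starts with the 'MZ' magic, i.e. looks like a PE image."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == MZ_MAGIC
    except OSError:
        return False

class MzWriteMonitor:
    """Baseline a tree, then report and block newly dropped MZ files until clear_log()."""
    def __init__(self, root):
        self.root = Path(root)
        self.seen = set(self._walk())  # files present at start are trusted, as in the thread
        self.blocked = set()           # dropped MZ files that must not run yet

    def _walk(self):
        return (p for p in self.root.rglob("*") if p.is_file())

    def scan(self):
        """Return new MZ files since the last scan; they stay blocked until clear_log()."""
        new_mz = []
        for p in self._walk():
            if p not in self.seen:
                self.seen.add(p)
                if is_mz_file(p):
                    new_mz.append(p)
                    self.blocked.add(p)
        return sorted(new_mz)

    def clear_log(self):
        self.blocked.clear()  # acknowledge the alerts; dropped files may now execute

def demo():
    """Constructed sample: one trusted file, then two drops, only one of them a PE image."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "notes.txt").write_bytes(b"hello")  # present before the baseline
        mon = MzWriteMonitor(root)
        (root / "readme.txt").write_bytes(b"plain text")  # dropped, but not MZ
        (root / "invoice.pdf").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # disguised PE
        flagged = [p.name for p in mon.scan()]
        blocked_before = (root / "invoice.pdf") in mon.blocked
        mon.clear_log()
        return flagged, blocked_before, (root / "invoice.pdf") in mon.blocked
```

    The pre-existing file is never reported, the plain-text drop is ignored, and the MZ file is flagged and blocked even though it carries a .pdf extension; in a real driver the block list would also be wiped by a reboot.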
     
  18. ParaXY

    ParaXY Level 4

    Mar 14, 2017
    189
    306
    CI
    Thank you all. This does sound like something I'd be interested in, even if it runs in [#LETHAL] (audit mode) initially. I'd be fascinated and very interested to see when new executables land on my drive! The system tray icon changing colour is an excellent idea.

    I just spun up a test VM, but it doesn't seem to be installing in Windows 10 Version 1703. I am running 64-bit, so I have gone into the 64-bit folder in MZWriteScanner, right-clicked the .ini file and clicked install, but when I try to start the service it says it can't find the file. I did try a reboot but no luck.
     
  19. ParaXY

    ParaXY Level 4

    Mar 14, 2017
    189
    306
    CI
    Hehe, I think I can visualise that :)

    I thought there may be a toaster-type alert or something along those lines.

    I assume MZWriteScanner can/does monitor ALL locally attached drives? (i.e. not just the system drive)

    This is really cool. So you're alerted that a NEW executable has landed on your drive (so you're aware), you get the system tray icon changing colour AND you get the option to allow it to run if you want to (legitimate download). I assume existing executables that you have saved on your drive will run?
     
  20. Peter2150

    Peter2150 Level 6

    Oct 24, 2015
    281
    816
    Washington DC
    Windows 7
    Emsisoft
    Indeed they will.

    Here is what I do. I place their folder in Programs (x86) and execute the driver install. Also, you must place the ini file in c:\windows or nothing will happen. The other thing I do is create a shortcut to the tray.exe file. I place that shortcut in the Windows startup folder so it will start with Windows.