@Windows_Security: Could you post here or send me your example configurations please, so I could copy and paste parts?
-
This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.
- Nov 17, 2016
- 761
- 2,153
- Operating System
-
- Windows 10
- Installed Antivirus
-
- Microsoft
- Mar 13, 2016
- 710
- 3,185
- Operating System
-
- Windows 7
@TerrakionSmash
You are correct that I only used MemProtect, but since yesterday U also Pumpernickel because I received so much emails with ransomware lately that I wanted extra protection for the build-in backup drive and Outlook PST and OST files.
Regards Kees
You are correct that I only used MemProtect, but since yesterday U also Pumpernickel because I received so much emails with ransomware lately that I wanted extra protection for the build-in backup drive and Outlook PST and OST files.
Regards Kees
Likes:
TerrakionSmash
- Nov 17, 2016
- 761
- 2,153
- Operating System
-
- Windows 10
- Installed Antivirus
-
- Microsoft
- Mar 13, 2016
- 710
- 3,185
- Operating System
-
- Windows 7
I use Pumpernickel and MZwritescanner from excubits. Yep everything is manual, but the protection is unequaled. MZwritescanner is my hero, it detects and alerts you when a exe,dll,sys file are dropped on your system, and it blocks them until you either clear the log file or reboot.
And they are very inexpensive, $13 us for each. I think he make his money by doing custom setups for enterprise. I am not sure he cares if you dont't use it because there is no GUI.
And they are very inexpensive, $13 us for each. I think he make his money by doing custom setups for enterprise. I am not sure he cares if you dont't use it because there is no GUI.
Likes:
Deletedmessiah
- Jan 16, 2017
- 879
- 7,768
- Operating System
-
- Windows 8.1
- Installed Antivirus
-
- Emsisoft
If you are a "logaholic," which I know you are at a level where log audits are no challenge for you, then it might benefit you - if you are so inclined to audit logs from time-to-time. What log audits add to overall security is up to the user to decide.
Excubits cmdScanner (command lines with arguments) and MZWriteScanner (executable file tracking) can be configured to an "audit-only" mode. NoVirusThanks has similar products that are freeware for home use. There is also a freeware version of Log-MD which can be configured extensively.
Just a FYI... Excubits cmdScanner will not log process (*.exe) launches blocked by AppGuard. It will however log blocked executions of scripts. cmdScanner is useful in capturing command lines to configure AppGuard policy. There are multiple ways to get the infos out of cmdScanner with AG installed. If you want more infos then you know where to reach me.
I use cmdScanner from time-to-time. More often than not I reach for SpyShelter as its command line logger is quite good. NVTs logging utilities I have used here and there. Which one I utilize depends upon what I am working on.
Excubits cmdScanner (command lines with arguments) and MZWriteScanner (executable file tracking) can be configured to an "audit-only" mode. NoVirusThanks has similar products that are freeware for home use. There is also a freeware version of Log-MD which can be configured extensively.
Just a FYI... Excubits cmdScanner will not log process (*.exe) launches blocked by AppGuard. It will however log blocked executions of scripts. cmdScanner is useful in capturing command lines to configure AppGuard policy. There are multiple ways to get the infos out of cmdScanner with AG installed. If you want more infos then you know where to reach me.
I use cmdScanner from time-to-time. More often than not I reach for SpyShelter as its command line logger is quite good. NVTs logging utilities I have used here and there. Which one I utilize depends upon what I am working on.
My system doesn't change frequently. I generally just keep my currently installed software patched and current. There are exceptions of course but now that I have locked down my PC and have it configured like I want it I like to just maintain.
Can you use MZWriteScanner on it's own to alert you when an exe/dll/sys file is dropped on your drive? Do you have a screenshot? I'm quite curious about this now!
I do have a peak in my Windows firewall logs from time to time using the excellent "Connection Log" in WFC. I like to have granular control of my machine and also like to know what is going on with it. I hate to be in the dark regarding these things!
Am I correct in saying that MZWriteScanner will only alert me when a NEW exe/dll/sys file is saved onto the hard drive? ie: existing exe/dll/sys files are ignored
Do you have a link for NoVirusThanks product that does the same thing? I was looking in but wasn't sure which one you were referring to:
NoVirusThanks Free Tools
My reason for the interest in MZWriteScanner is, I would like to know when a malicous exe/dll/sys file has landed on my hard drive even if it hasn't been executed yet (from a drive by download for example).
Can you use MZWriteScanner on it's own to alert you when an exe/dll/sys file is dropped on your drive? Do you have a screenshot? I'm quite curious about this now!
I do have a peak in my Windows firewall logs from time to time using the excellent "Connection Log" in WFC. I like to have granular control of my machine and also like to know what is going on with it. I hate to be in the dark regarding these things!
Am I correct in saying that MZWriteScanner will only alert me when a NEW exe/dll/sys file is saved onto the hard drive? ie: existing exe/dll/sys files are ignored
Do you have a link for NoVirusThanks product that does the same thing? I was looking in but wasn't sure which one you were referring to:
NoVirusThanks Free Tools
My reason for the interest in MZWriteScanner is, I would like to know when a malicous exe/dll/sys file has landed on my hard drive even if it hasn't been executed yet (from a drive by download for example).
I have not used MZWriteScanner in quite a while. Florian made changes to it. The person who knows it is @Peter2150 since he uses the latest version.
The purpose of MZWriteScanner is to track certain file types that hit the system. The tray icon color change is your alert system, unless Florian also put in a tray icon balloon.
NVT Process and Event Logger: NoVirusThanks Products & Software
Just about every one of his products has a singular logging purpose. You have to read all the product descriptions.
The purpose of MZWriteScanner is to track certain file types that hit the system. The tray icon color change is your alert system, unless Florian also put in a tray icon balloon.
NVT Process and Event Logger: NoVirusThanks Products & Software
Just about every one of his products has a singular logging purpose. You have to read all the product descriptions.
The beauty of MZwritescanner, is the file drops anywhere on your system and you see a color change in the tray icon. But more importantly is it won't execute until you either clear the log file or reboot. So you are both alerted and and protected. I don't know of anything else that will do that.
Likes:
shmu26
Hi ParaXY
No screenshot. I assuming any one here can visualize a tray icon turning from green to red. But as I said even if you don't notice it right away.. To answer the other question. I have a grc utility Leaktest.exe on my F drive. If I copy it to my c: drive (or any other location) MZ will alert and block it's execution from there. I like that fact that is something drops a DLL I'll know about it.
No screenshot. I assuming any one here can visualize a tray icon turning from green to red. But as I said even if you don't notice it right away.. To answer the other question. I have a grc utility Leaktest.exe on my F drive. If I copy it to my c: drive (or any other location) MZ will alert and block it's execution from there. I like that fact that is something drops a DLL I'll know about it.
Thank you all. This does sound like something I'd be interested in. Even if it runs in [#LETHAL] (audit mode) initially. I'd be fascinated and very interested to see when new executables land on my drive! The system tray icon changing colour is an excellent idea.
I just spun up a test VM but it doesn't seem to be installing in Windows 10 Version 1703. I am running 64-bit so have gone into the 64-bit folder in MZWriteScanner, right clicked the .ini file and clicked install but when I try to start the service it says it can't find the file? I did try a reboot but no luck.
I just spun up a test VM but it doesn't seem to be installing in Windows 10 Version 1703. I am running 64-bit so have gone into the 64-bit folder in MZWriteScanner, right clicked the .ini file and clicked install but when I try to start the service it says it can't find the file? I did try a reboot but no luck.
Hehe, I think I can visualise that 
I thought there may be a toaster type alert or something along those lines.
I assume MZWriteScanner can/does monitor ALL locally attached drives? (ie: not just the system drive)
This is really cool. So you're alerted that a NEW executable has landed on your drive (so you're aware), you get the system tray icon changing colour AND you get the option to allow it to run if you want to (legitimate download). I assume existing executables will run that you have saved on your drive?
I thought there may be a toaster type alert or something along those lines.
I assume MZWriteScanner can/does monitor ALL locally attached drives? (ie: not just the system drive)
This is really cool. So you're alerted that a NEW executable has landed on your drive (so you're aware), you get the system tray icon changing colour AND you get the option to allow it to run if you want to (legitimate download). I assume existing executables will run that you have saved on your drive?
Indeed they will.
Here is what I do. I place their folder in Programs (x86) and execute the driver install. Also you must place the ini file in c:\windows or nothing will happen. The other thing I do is create a shortcut to the tray.exe file. I place that short cut in windows startup folder so it will start with windows.
Here is what I do. I place their folder in Programs (x86) and execute the driver install. Also you must place the ini file in c:\windows or nothing will happen. The other thing I do is create a shortcut to the tray.exe file. I place that short cut in windows startup folder so it will start with windows.