Advice Request MemProtect

Do you use MemProtect?

  • Yes: 5 votes (8.2%)
  • No: 56 votes (91.8%)
  • Total voters: 61

Handsome Recluse

Sample configuration of MemProtect (prevents memory access) and PumperNickel (prevents file access). When you don't want to tighten everything up, they are a great combo reinforcing each other's protections.
But you only use MemProtect of the two, don't you?
 

Windows_Security

@TerrakionSmash

You are correct that I only used MemProtect, but since yesterday I also use Pumpernickel because I have received so many emails with ransomware lately that I wanted extra protection for the built-in backup drive and Outlook PST and OST files.

Regards Kees
 

Handsome Recluse

@TerrakionSmash

You are correct that I only used MemProtect, but since yesterday I also use Pumpernickel because I have received so many emails with ransomware lately that I wanted extra protection for the built-in backup drive and Outlook PST and OST files.

Regards Kees
Webmail or email client? How common is ransomware there? I use Western products but I'm not a Westerner nor do I live there. Ransomware doesn't seem to be common here. Of course I might just be odd living in an odd environment, since my environment surely isn't normal.
 

Glashouse

did anyone try the new [MODULEFILTER] for memprotect?
I just enabled it and played a little bit. --> wow this can really mess up your system :)
 

Peter2150

I use Pumpernickel and MZwritescanner from Excubits. Yep, everything is manual, but the protection is unequaled. MZwritescanner is my hero: it detects and alerts you when an exe, dll or sys file is dropped on your system, and it blocks them until you either clear the log file or reboot.

And they are very inexpensive, $13 US each. I think he makes his money by doing custom setups for enterprise. I am not sure he cares if you don't use it because there is no GUI.
 

Deletedmessiah

I use Pumpernickel and MZwritescanner from Excubits. Yep, everything is manual, but the protection is unequaled. MZwritescanner is my hero: it detects and alerts you when an exe, dll or sys file is dropped on your system, and it blocks them until you either clear the log file or reboot.

And they are very inexpensive, $13 US each. I think he makes his money by doing custom setups for enterprise. I am not sure he cares if you don't use it because there is no GUI.
That price, yearly or lifetime?
 

ParaXY

I currently use AppGuard in locked down mode and am very happy with it. Is there any point in using MZwritescanner as well? I like the idea of being alerted when an exe/dll/sys file is "dropped" onto my drive.
 

Peter2150

I currently use AppGuard in locked down mode and am very happy with it. Is there any point in using MZwritescanner as well? I like the idea of being alerted when an exe/dll/sys file is "dropped" onto my drive.

Hi ParaXY

I also use AppGuard in Lockdown. Whether you need both is kind of up to you and your situation. It is true AppGuard will stop everything, but I do like having that notice. Depending how much your system changes you do have to babysit it, but for me it's worth it.
 
509322

I currently use AppGuard in locked down mode and am very happy with it. Is there any point in using MZwritescanner as well? I like the idea of being alerted when an exe/dll/sys file is "dropped" onto my drive.

If you are a "logaholic," which I know you are at a level where log audits are no challenge for you, then it might benefit you - if you are so inclined to audit logs from time-to-time. What log audits add to overall security is up to the user to decide.

Excubits cmdScanner (command lines with arguments) and MZWriteScanner (executable file tracking) can be configured to an "audit-only" mode. NoVirusThanks has similar products that are freeware for home use. There is also a freeware version of Log-MD which can be configured extensively.

Just an FYI... Excubits cmdScanner will not log process (*.exe) launches blocked by AppGuard. It will however log blocked executions of scripts. cmdScanner is useful in capturing command lines to configure AppGuard policy. There are multiple ways to get the info out of cmdScanner with AG installed. If you want more info then you know where to reach me.

I use cmdScanner from time to time. More often than not I reach for SpyShelter as its command line logger is quite good. NVT's logging utilities I have used here and there. Which one I utilize depends upon what I am working on.
 

ParaXY

Hi ParaXY

I also use AppGuard in Lockdown. Whether you need both is kind of up to you and your situation. It is true AppGuard will stop everything, but I do like having that notice. Depending how much your system changes you do have to babysit it, but for me it's worth it.

My system doesn't change frequently. I generally just keep my currently installed software patched and current. There are exceptions of course but now that I have locked down my PC and have it configured like I want it I like to just maintain.

Can you use MZWriteScanner on its own to alert you when an exe/dll/sys file is dropped on your drive? Do you have a screenshot? I'm quite curious about this now!

If you are a "logaholic," which I know you are at a level where log audits are no challenge for you, then it might benefit you - if you are so inclined to audit logs from time-to-time. What log audits add to overall security is up to the user to decide.

Excubits cmdScanner (command lines with arguments) and MZWriteScanner (executable file tracking) can be configured to an "audit-only" mode. NoVirusThanks has similar products that are freeware for home use. There is also a freeware version of Log-MD which can be configured extensively.

Just an FYI... Excubits cmdScanner will not log process (*.exe) launches blocked by AppGuard. It will however log blocked executions of scripts. cmdScanner is useful in capturing command lines to configure AppGuard policy. There are multiple ways to get the info out of cmdScanner with AG installed. If you want more info then you know where to reach me.

I use cmdScanner from time to time. More often than not I reach for SpyShelter as its command line logger is quite good. NVT's logging utilities I have used here and there. Which one I utilize depends upon what I am working on.

I do have a peek in my Windows firewall logs from time to time using the excellent "Connection Log" in WFC. I like to have granular control of my machine and also like to know what is going on with it. I hate to be in the dark regarding these things!

Am I correct in saying that MZWriteScanner will only alert me when a NEW exe/dll/sys file is saved onto the hard drive? i.e. existing exe/dll/sys files are ignored

Do you have a link for NoVirusThanks product that does the same thing? I was looking in but wasn't sure which one you were referring to:

NoVirusThanks Free Tools

My reason for the interest in MZWriteScanner is, I would like to know when a malicious exe/dll/sys file has landed on my hard drive even if it hasn't been executed yet (from a drive-by download for example).
 
509322

My system doesn't change frequently. I generally just keep my currently installed software patched and current. There are exceptions of course but now that I have locked down my PC and have it configured like I want it I like to just maintain.

Can you use MZWriteScanner on its own to alert you when an exe/dll/sys file is dropped on your drive? Do you have a screenshot? I'm quite curious about this now!

I do have a peek in my Windows firewall logs from time to time using the excellent "Connection Log" in WFC. I like to have granular control of my machine and also like to know what is going on with it. I hate to be in the dark regarding these things!

Am I correct in saying that MZWriteScanner will only alert me when a NEW exe/dll/sys file is saved onto the hard drive? i.e. existing exe/dll/sys files are ignored

Do you have a link for NoVirusThanks product that does the same thing? I was looking in but wasn't sure which one you were referring to:

NoVirusThanks Free Tools

My reason for the interest in MZWriteScanner is, I would like to know when a malicious exe/dll/sys file has landed on my hard drive even if it hasn't been executed yet (from a drive-by download for example).

I have not used MZWriteScanner in quite a while. Florian made changes to it. The person who knows it is @Peter2150 since he uses the latest version.

The purpose of MZWriteScanner is to track certain file types that hit the system. The tray icon color change is your alert system, unless Florian also put in a tray icon balloon.

NVT Process and Event Logger: NoVirusThanks Products & Software

Just about every one of his products has a singular logging purpose. You have to read all the product descriptions.
 

Peter2150

I have not used MZWriteScanner in quite a while. Florian made changes to it. The person who knows it is @Peter2150 since he uses the latest version.

The purpose of MZWriteScanner is to track certain file types that hit the system. The tray icon color change is your alert system, unless Florian also put in a tray icon balloon.

NVT Process and Event Logger: NoVirusThanks Products & Software

Just about every one of his products has a singular logging purpose. You have to read all the product descriptions.

The beauty of MZwritescanner is that the file drops anywhere on your system and you see a color change in the tray icon. But more importantly, it won't execute until you either clear the log file or reboot. So you are both alerted and protected. I don't know of anything else that will do that.
 

Peter2150

Hi ParaXY

No screenshot. I'm assuming anyone here can visualize a tray icon turning from green to red. But as I said, even if you don't notice it right away... To answer the other question: I have a GRC utility Leaktest.exe on my F drive. If I copy it to my C: drive (or any other location) MZ will alert and block its execution from there. I like the fact that if something drops a DLL I'll know about it.
 

ParaXY

I have not used MZWriteScanner in quite a while. Florian made changes to it. The person who knows it is @Peter2150 since he uses the latest version.

The purpose of MZWriteScanner is to track certain file types that hit the system. The tray icon color change is your alert system, unless Florian also put in a tray icon balloon.

NVT Process and Event Logger: NoVirusThanks Products & Software

Just about every one of his products has a singular logging purpose. You have to read all the product descriptions.

The beauty of MZwritescanner is that the file drops anywhere on your system and you see a color change in the tray icon. But more importantly, it won't execute until you either clear the log file or reboot. So you are both alerted and protected. I don't know of anything else that will do that.

Thank you all. This does sound like something I'd be interested in. Even if it runs in [#LETHAL] (audit mode) initially. I'd be fascinated and very interested to see when new executables land on my drive! The system tray icon changing colour is an excellent idea.

I just spun up a test VM but it doesn't seem to be installing in Windows 10 Version 1703. I am running 64-bit so have gone into the 64-bit folder in MZWriteScanner, right clicked the .ini file and clicked install but when I try to start the service it says it can't find the file? I did try a reboot but no luck.
 

ParaXY

Hi ParaXY

No screenshot. I'm assuming anyone here can visualize a tray icon turning from green to red. But as I said, even if you don't notice it right away... To answer the other question: I have a GRC utility Leaktest.exe on my F drive. If I copy it to my C: drive (or any other location) MZ will alert and block its execution from there. I like the fact that if something drops a DLL I'll know about it.

Hehe, I think I can visualise that :)

I thought there may be a toaster type alert or something along those lines.

I assume MZWriteScanner can/does monitor ALL locally attached drives? (i.e. not just the system drive)

This is really cool. So you're alerted that a NEW executable has landed on your drive (so you're aware), you get the system tray icon changing colour AND you get the option to allow it to run if you want to (legitimate download). I assume existing executables will run that you have saved on your drive?
 

Peter2150

Indeed they will.

Here is what I do. I place their folder in Programs (x86) and execute the driver install. Also you must place the ini file in c:\windows or nothing will happen. The other thing I do is create a shortcut to the tray.exe file. I place that short cut in windows startup folder so it will start with windows.
 