MemProtect - Support & Discussion

Discussion in 'other anti-malware software' started by WildByDesign, Aug 21, 2016.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Code:
     __  __                _____           _            _
    |  \/  |              |  __ \         | |          | |
    | \  / | ___ _ __ ___ | |__) | __ ___ | |_ ___  ___| |_
    | |\/| |/ _ \ '_ ` _ \|  ___/ '__/ _ \| __/ _ \/ __| __|
    | |  | |  __/ | | | | | |   | | | (_) | ||  __/ (__| |_
    |_|  |_|\___|_| |_| |_|_|   |_|  \___/ \__\___|\___|\__|
    


    The purpose of this thread is quite simply a playground for MemProtect. Users can provide support for each other and share rule sets within code tags. Some users have suggested to split off the MemProtect discussion from the main Bouncer thread to keep information more concise. I was hesitating for some weeks prior to creating this MemProtect support and discussion thread because I wanted to ensure that MemProtect had a solid future. The developer, Florian, has now confirmed to me that it will receive stable build status along with cross-signing, documentation, and all of that good stuff. MemProtect has proven itself stable; however, the developer does not believe in promoting to stable status until he has completed appropriate documentation.


    Put simply, MemProtect is a process memory sandbox with zero overhead. This kernel-mode driver utilizes Microsoft Windows' built-in Protected Processes feature and essentially allows the user to configure protected processes with any executable, from any directory. It is a security feature that is typically reserved only for some critical Windows processes, but this driver opens up the possibility to use protected processes however the user/admin chooses; limited only by one's imagination and creativity.


    The following is a list of access rights which are removed by MemProtect:
    Source link: https://msdn.microsoft.com/en-ca/library/windows/desktop/ms684880(v=vs.85).aspx

    Anyway, I just wanted to get the discussion and support started with this new thread for MemProtect specifically and allow the community to collaborate here. There are some other Microsoft technical documentation links on protected processes which I have forgotten at the moment, so I will update this post accordingly when I come across the relevant informative source links.


    Download: http://beta.excubits.com/


    Have fun! :thumb:
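The post above says MemProtect removes process access rights by making the target a protected process, and links the Microsoft page that lists which rights a protected process refuses. The script below is an added example (mine, not from the post and not Excubits code) for checking that empirically instead of trusting a rule set: it asks `OpenProcess` for each right on its own against a target PID and compares the result with the expected column, which is taken from that Microsoft page ("Process Security and Access Rights": the standard and specific rights not allowed from a process to a protected process). The access-mask values are the WinNT.h constants; the probe is plain ctypes and runs only on Windows, so run it from a tool your MemProtect rules mention (for example Process Explorer or Process Hacker as in the configs further down) against the process the rules are meant to shield.

```python
"""Probe which process access rights a target PID grants to the caller.

Added example (mine, not Excubits code). EXPECTED_DENIED is the list from
Microsoft's "Process Security and Access Rights" page linked in the post:
the rights that are not allowed from a process to a protected process.
Run it from a tool you have a MemProtect rule for, against the PID of the
process the rule is meant to protect, and compare observed vs expected.
"""
import ctypes
import sys

# Access-right masks from WinNT.h (fixed by the Win32 ABI).
RIGHTS = {
    "PROCESS_TERMINATE": 0x0001,
    "PROCESS_CREATE_THREAD": 0x0002,
    "PROCESS_VM_OPERATION": 0x0008,
    "PROCESS_VM_READ": 0x0010,
    "PROCESS_VM_WRITE": 0x0020,
    "PROCESS_DUP_HANDLE": 0x0040,
    "PROCESS_CREATE_PROCESS": 0x0080,
    "PROCESS_SET_QUOTA": 0x0100,
    "PROCESS_SET_INFORMATION": 0x0200,
    "PROCESS_QUERY_INFORMATION": 0x0400,
    "PROCESS_SUSPEND_RESUME": 0x0800,
    "PROCESS_QUERY_LIMITED_INFORMATION": 0x1000,
    "DELETE": 0x00010000,
    "READ_CONTROL": 0x00020000,
    "WRITE_DAC": 0x00040000,
    "WRITE_OWNER": 0x00080000,
    "SYNCHRONIZE": 0x00100000,
}

# Not allowed from a process to a protected process (Microsoft doc linked above).
EXPECTED_DENIED = frozenset({
    "PROCESS_CREATE_PROCESS", "PROCESS_CREATE_THREAD", "PROCESS_DUP_HANDLE",
    "PROCESS_QUERY_INFORMATION", "PROCESS_SET_INFORMATION", "PROCESS_SET_QUOTA",
    "PROCESS_VM_OPERATION", "PROCESS_VM_READ", "PROCESS_VM_WRITE",
    "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER",
})

ERROR_ACCESS_DENIED = 5


def expected(right):
    """'denied' or 'granted' for one right requested on a protected process."""
    return "denied" if right in EXPECTED_DENIED else "granted"


def probe(pid):
    """Try OpenProcess once per right; return {right: 'granted'|'denied'|'error N'}.
    Each right is requested alone: a combined mask is refused as a whole as soon
    as one bit in it is refused, which would hide which right was the problem."""
    if sys.platform != "win32":
        raise OSError("OpenProcess probe only runs on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32)
    k32.CloseHandle.argtypes = (ctypes.c_void_p,)
    observed = {}
    for name, mask in RIGHTS.items():
        handle = k32.OpenProcess(mask, False, pid)
        if handle:
            k32.CloseHandle(handle)
            observed[name] = "granted"
        else:
            err = ctypes.get_last_error()
            observed[name] = "denied" if err == ERROR_ACCESS_DENIED else f"error {err}"
    return observed


def unexpected_grants(observed):
    """Rights that were granted although a protected target should refuse them.
    An empty list means the target is shielded the way the Microsoft page describes."""
    return sorted(r for r, v in observed.items() if v == "granted" and expected(r) == "denied")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <pid>")
    result = probe(int(sys.argv[1]))
    for right in RIGHTS:
        print(f"{right:34} observed={result[right]:10} expected={expected(right)}")
    leaks = unexpected_grants(result)
    print("unexpected grants:", ", ".join(leaks) if leaks else "none")
```

Note that PROCESS_TERMINATE, PROCESS_SUSPEND_RESUME, PROCESS_QUERY_LIMITED_INFORMATION and SYNCHRONIZE are not on the denied list, so a rule that "protects" a process still leaves it killable and suspendable from the outside; that is the behaviour to expect from the mechanism itself, not a sign that the rule failed. A granted PROCESS_VM_READ or PROCESS_VM_WRITE from a tool your blacklist names is the finding to act on.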
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,788
    Location:
    .
    Thank you very much! Now watching this thread of yours. :thumb:
     
  3. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Thanks for starting this thread.

    Do you know if there are plans to integrate MemProtect into Bouncer at some point or will it always remain a separate product?
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Mister X You're welcome.

    @askmark You're welcome. It is quite likely that MemProtect will remain its own product and not be integrated into Bouncer. It would be interesting, though, if MemProtect and Pumpernickel/FIDES could be combined together. Bouncer has got a plethora of features already and has proven complicated for some users to understand the configuration differences between the different feature sections within Bouncer.
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Here is my current/latest testing configuration for MemProtect (in Default Allow mode). The idea here was to provide protected process protection for Adobe Reader DC and Chromium for testing purposes. This configuration example does not yet contain rules to allow Adobe Reader DC or Chromium (Chrome) to update. I should also note that I have chrome.exe running from the RAM disk location R:\Program Files\Chromium\bin\ and therefore outside of the typical Program Files.

    Code:
    [#LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    !*Procmon*.eze>*
    !*>*Procmon*.eze
    !*chrome.exe>*chrome.exe
    !C:\Program Files\*>*chrome.exe
    !C:\Program Files (x86)\*>*chrome.exe
    !C:\Windows\*>*chrome.exe
    !*\Mozilla Thunderbird\thunderbird.exe>*chrome.exe
    !*chrome.exe>*\Mozilla Thunderbird\thunderbird.exe
    !*\Office14\*.EXE>*chrome.exe
    !*chrome.exe>C:\Program Files\*
    !*chrome.exe>C:\Program Files (x86)\*
    !*chrome.exe>C:\Windows\*
    !*ccleaner*.exe>*chrome.exe
    !*ccleaner*.exe>*\Reader\AcroRd32.exe
    !*thunderbird.exe>*\Reader\AcroRd32.exe
    !*AcroRd32.exe>*AcroRd32.exe
    !C:\Program Files\*>*AcroRd32.exe
    !C:\Program Files (x86)\*>*AcroRd32.exe
    !C:\Windows\*>*AcroRd32.exe
    !*AcroRd32.exe>C:\Program Files\*
    !*AcroRd32.exe>C:\Program Files (x86)\*
    !*AcroRd32.exe>C:\Windows\*
    [BLACKLIST]
    $*procexp64.exe>*chrome.exe
    $*ProcessHacker.exe>*chrome.exe
    C:\Users\*>*
    *>*chrome.exe
    *chrome.exe>*
    *>*AcroRd32.exe
    *AcroRd32.exe>*
    [EOF]
    
     
  6. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    @WildByDesign
    Thank you very much for the topic.
    Below is my rule set (it can be shortened even more); tomorrow I will test this in LETHAL mode.
    What do you think about suspended processes?
    I would like MemProtect to terminate the process instead of suspending it, since they are logged in the MemProtect.log file.
    I sent an email to Florian about it, but he is very busy, so I don't have a response from him.
    I wish he would find a way to protect a process from being terminated.
    Also, in Process Hacker -> process properties -> Token -> Advanced -> Security:
    can you confirm whether that can be modified for a protected process?


    Code:
    [#LETHAL]
    [LOGGING]
    [#DEFAULTALLOW]
    [WHITELIST]
    !C:\Windows\System32\conhost.exe>C:\New folder (2)\*
    !C:\Windows\System32\conhost.exe>C:\Program Files\*
    !C:\Windows\System32\conhost.exe>C:\Sandbox\*
    !C:\Windows\System32\conhost.exe>C:\Windows*
    !C:\Windows\System32\csrss.exe>C:\Windows*
    !C:\Windows\System32\csrss.exe>C:\Users\*\Desktop*
    !C:\Windows\System32\csrss.exe>C:\Sandbox\*
    !C:\Windows\System32\csrss.exe>C:\Program Files\*
    !C:\Windows\System32\csrss.exe>C:\KMPlayer\KMPlayer.exe
    !C:\Windows\System32\csrss.exe>C:\New folder (2)\*
    !C:\Windows\System32\dllhost.exe>C:\Windows\explorer.exe
    !C:\Windows\System32\LogonUI.exe>C:\Windows\System32*
    !C:\Windows\System32\lsass.exe>C:\KMPlayer\KMPlayer.exe
    !C:\Windows\System32\lsass.exe>C:\Program Files\*
    !C:\Windows\System32\lsass.exe>C:\Sandbox\*
    !C:\Windows\System32\lsass.exe>C:\Users\*\Desktop*
    !C:\Windows\System32\lsass.exe>C:\Windows\*
    !C:\Windows\System32\lsm.exe>C:\Windows*
    !C:\Windows\System32\lsm.exe>C:\Program Files\*
    !C:\Windows\System32\services.exe>C:\KMPlayer\KMPlayer.exe
    !C:\Windows\System32\services.exe>C:\Program Files\*
    !C:\Windows\System32\services.exe>C:\Users\*\Desktop*
    !C:\Windows\System32\services.exe>C:\Windows*
    !C:\Windows\System32\net.exe>C:\Windows\System32\net1.exe
    !C:\Windows\System32\svchost.exe>C:\KMPlayer\KMPlayer.exe
    !C:\Windows\System32\svchost.exe>C:\New folder (2)\*
    !C:\Windows\System32\svchost.exe>C:\Program Files\*
    !C:\Windows\System32\svchost.exe>C:\Sandbox\*
    !C:\Windows\System32\svchost.exe>C:\Users\*\Desktop*
    !C:\Windows\System32\svchost.exe>C:\Windows*
    !C:\Windows\System32\taskeng.exe>C:\Program Files\*
    !C:\Windows\System32\userinit.exe>C:\Windows\explorer.exe
    !C:\Windows\System32\winlogon.exe>C:\Windows*
    !C:\Windows\System32\smss.exe>C:\Windows\System32\lsm.exe
    !C:\Windows\explorer.exe>C:\KMPlayer*
    !C:\Windows\explorer.exe>C:\New folder (2)*
    !C:\Windows\explorer.exe>C:\Program Files\*
    !C:\Windows\explorer.exe>C:\Sandbox\*
    !C:\Windows\explorer.exe>C:\Users\*\Desktop*
    !C:\Windows\explorer.exe>C:\Windows*
    !C:\Windows\regedit.exe>C:\Windows\System32\taskhost.exe
    !C:\Windows\System32\audiodg.exe>C:\KMPlayer\*
    !C:\Windows\System32\audiodg.exe>C:\Program Files\*
    !C:\Windows\System32\audiodg.exe>C:\Windows*
    !C:\Windows\System32\cmd.exe>C:\Program Files\*
    !C:\Windows\System32\cmd.exe>C:\Windows\System32\net.exe
    !C:\Windows\System32\cmd.exe>C:\Windows\System32\sc.exe
    !C:\Program Files\NetWorx\networx.exe>C:\Sandbox\*
    !C:\Program Files\*>C:\Windows\explorer.exe
    !C:\Program Files\*>C:\Sandbox\*
    !C:\Program Files\*>C:\Program Files\*
    !C:\Program Files\Sandboxie\SbieSvc.exe>*
    !C:\Program Files\WinRAR\WinRAR.exe>C:\Users\*\AppData\Local\Temp\Rar$EXa*
    !C:\Sandbox\*>C:\Program Files\Mozilla Firefox\firefox.exe
    !C:\Sandbox\*>C:\Program Files\Siber Systems\AI RoboForm\identities.exe
    !C:\Sandbox\*>C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    !C:\Sandbox\*>C:\Windows\explorer.exe
    !C:\Sandbox\*>C:\Program Files\Sandboxie\SbieSvc.exe
    !C:\Sandbox\*>C:\Sandbox\*
    !C:\Users\*\Desktop*>C:\Windows\explorer.exe
    !C:\KMPlayer*>C:\Windows\explorer.exe
    !C:\New folder (2)\MKVExtractGUI-1.6.4.1\mkvtoolnix-gui.exe>C:\New folder (2)\MKVExtractGUI-1.6.4.1\mkvmerge.exe
    !C:\Program Files\*>C:\Windows*
    !C:\Windows\System32\consent.exe>C:\Windows*
    [BLACKLIST]
    *>*
    [EOF]
    
    Edit: some more rules regarding shut down, lock, log off, switch user, restart
    Code:
    !C:\Windows\System32\wininit.exe>C:\Windows\System32\LogonUI.exe
    !C:\Windows\System32\smss.exe>C:\Windows\System32\smss.exe
    !C:\Windows\System32\Utilman.exe>C:\Windows\System32\audiodg.exe
    !C:\Windows\System32\Utilman.exe>C:\Windows\System32\csrss.exe
    !C:\Windows\System32\Utilman.exe>C:\Windows\System32\LogonUI.exe
    !C:\Windows\System32\Utilman.exe>C:\Windows\System32\lsass.exe
    !C:\Windows\System32\Utilman.exe>C:\Windows\System32\lsm.exe
    !C:\Windows\System32\Utilman.exe>C:\Windows\System32\Magnify.exe
    !C:\Windows\System32\Utilman.exe>C:\Windows\System32\msiexec.exe
    !C:\Windows\System32\Utilman.exe>C:\Windows\System32\Narrator.exe
    !C:\Windows\System32\Utilman.exe>C:\Windows\System32\osk.exe
    !C:\Windows\System32\Utilman.exe>C:\Windows\System32\services.exe
    !C:\Windows\System32\Utilman.exe>C:\Windows\System32\sethc.exe
    !C:\Windows\System32\Utilman.exe>C:\Windows\System32\smss.exe
    !C:\Windows\System32\Utilman.exe>C:\Windows\System32\sppsvc.exe
    !C:\Windows\System32\Utilman.exe>C:\Windows\System32\svchost.exe
    !C:\Windows\System32\Utilman.exe>C:\Windows\System32\taskeng.exe
    !C:\Windows\System32\Utilman.exe>C:\Windows\System32\Utilman.exe
    !C:\Windows\System32\Utilman.exe>C:\Windows\System32\VSSVC.exe
    !C:\Windows\System32\Utilman.exe>C:\Windows\System32\wininit.exe
    !C:\Windows\System32\Utilman.exe>C:\Windows\System32\winlogon.exe
    !C:\Windows\System32\Utilman.exe>C:\Program Files\*
    !C:\Windows\System32\smss.exe>C:\Windows\System32\csrss.exe
    !C:\Windows\System32\smss.exe>C:\Windows\System32\winlogon.exe
    !C:\Windows\System32\Utilman.exe>C:\Users\*\Desktop\Everything.exe
     
    Last edited: Aug 23, 2016
  7. I have a much simpler setup, because I take the Protected Processes (Light) and Integrity Levels of the OS itself into account.

    As a rule I allow Office to access Office, Google to access Google. Instead of micromanaging with program-based rules, I simply contain/partition medium-level processes from each other (and the rest of the system). This means I don't have to care about vulnerabilities, because the malware will always be trapped inside its (rich content) hosting program. By isolating rich content programs (which often run scripts or macros) on the folder level I don't need to micromanage my browser with script blockers et cetera.

    By denying Google\Chrome to touch anything outside its folder (blacklist + priority rule) Chrome is isolated from the rest of the system. The same trick is done with Office and Skype. Office has four character wildcards (?) because I have different Office versions on different PCs (I only need one rule across PCs).

    I only need two exceptions (priority whitelist rules) to allow all programs from (UAC-protected) Program Files to print (splwow64.exe) and use the touchscreen keyboard (TabTip.exe).

    On my desktop I have an SSD (C:\) for programs and a second HDD (D:\) on which I store my data. In the transformer I have a 64 GB SD flash card which functions as a data partition. That is why D is also blacklisted (D:\*>* rule).

    Code:
    [LETHAL]
    [#LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    !C:\Program Files\Google\Chrome\*>C:\Program Files\Google\Chrome\*
    !C:\Program Files\Office????\*>C:\Program Files\Office????\*
    !C:\Program Files\Skype\*>C:\Program Files\Skype\*
    
    !C:\Program Files\*>C:\Windows\splwow64.exe
    !C:\Program Files\*>C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
    
    [BLACKLIST]
    C:\Program Files\Google\Chrome\*>*
    C:\Program Files\Office????\*>*
    C:\Program Files\Skype\*>*
    
    D:\*>*
    [EOF]
    
    I have disabled Internet Explorer (I use Chrome instead) and Windows Media Player (using Groove Music, Films & TV and Photos instead) and installed the PDF reader app from the Windows Store to read PDF files on my hard disk.

    I combine this with a simple Basic User SRP (see MalwareTips)
    (for my Windows Home 8.1 transformer I used Sully's PGS to add registry tweaks for SRP).
     
    Last edited by a moderator: Aug 23, 2016
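The configs in posts 5, 6 and 7 show the rule-set format (section headers, `!` priority entries, `$` entries, `*`/`?` wildcards, `[#LETHAL]` for a log-only run) but nobody has documented the evaluation order yet, and post 7 explains its layout as "blacklist + priority rule". The evaluator below is an added example (mine, not Excubits code, and not how the driver is known to work internally) for dry-running a rule set against a `source>target` pair before switching on `[LETHAL]`. Its precedence order is an assumption read off the posted configs: a `$` blacklist entry outranks a `!` whitelist entry (otherwise post 5's `$*procexp64.exe>*chrome.exe` would be undone by its `!C:\Program Files\*>*chrome.exe`), `!` entries outrank plain ones, a plain blacklist hit outranks a plain whitelist hit, and `[DEFAULTALLOW]` decides when nothing matches. Paths are matched case-insensitively as Windows does; check the order against the Excubits documentation once it is published. The embedded sample config is constructed: post 7's layout plus the post 5 style `!`/`$` pairing for chrome.exe, so every tier gets exercised.

```python
"""Dry-run evaluator for MemProtect-style rule sets (added example, not Excubits code).

Precedence is an ASSUMPTION read off the configs posted in this thread; verify it
against the official documentation once that exists:
  '$' blacklist > '!' whitelist > '!' blacklist > plain blacklist > plain whitelist,
  and [DEFAULTALLOW] decides when nothing matches.
"""
import re
from collections import namedtuple

DEMO_CONFIG_LIMIT = 2048  # 2 KB config limit of the demo driver, as quoted in the thread
Rule = namedtuple("Rule", "section priority override text src dst")
Policy = namedtuple("Policy", "lethal logging default_allow rules size_bytes")
Verdict = namedtuple("Verdict", "allowed rule enforced")


def _glob(pattern):
    """'*' = any run, '?' = one character, rest literal; case-insensitive like Windows paths."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def parse_config(text):
    """[NAME] switches a flag on and [#NAME] leaves it off; '#' lines are comments;
    [EOF] ends the file; a rule is 'source>target' with an optional '!' or '$' prefix."""
    flags = {"LETHAL": False, "LOGGING": False, "DEFAULTALLOW": False}
    rules, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].lstrip("#").upper()
            if name == "EOF":
                break
            if name in ("WHITELIST", "BLACKLIST"):
                section = name
            elif name in flags:
                flags[name] = not line.startswith("[#")
            else:
                raise ValueError(f"unknown directive: {line}")
            continue
        if section is None or ">" not in line:
            raise ValueError(f"malformed rule: {line}")
        priority, override = line.startswith("!"), line.startswith("$")
        src, dst = (line[1:] if priority or override else line).split(">", 1)
        rules.append(Rule(section, priority, override, line, _glob(src), _glob(dst)))
    return Policy(flags["LETHAL"], flags["LOGGING"], flags["DEFAULTALLOW"],
                  rules, len(text.encode("utf-8")))


TIERS = (  # (section, qualifier, verdict) in the assumed precedence order
    ("BLACKLIST", lambda r: r.override, False),
    ("WHITELIST", lambda r: r.priority, True),
    ("BLACKLIST", lambda r: r.priority, False),
    ("BLACKLIST", lambda r: not (r.priority or r.override), False),
    ("WHITELIST", lambda r: not r.priority, True),
)


def decide(policy, source, target):
    """Verdict for `source` opening `target`; enforced=False means log-only ([#LETHAL])."""
    hits = [r for r in policy.rules if r.src.match(source) and r.dst.match(target)]
    for section, qualifies, allowed in TIERS:
        for rule in hits:
            if rule.section == section and qualifies(rule):
                return Verdict(allowed, rule.text, policy.lethal)
    return Verdict(policy.default_allow, None, policy.lethal)


# Constructed sample: post 7's layout plus the '!...>*chrome.exe' / '$...>*chrome.exe'
# pairing used in post 5, so that every precedence tier is exercised.
SAMPLE_CONFIG = r"""
[LETHAL]
[#LOGGING]
[DEFAULTALLOW]
[WHITELIST]
!C:\Program Files\Google\Chrome\*>C:\Program Files\Google\Chrome\*
!C:\Program Files\*>C:\Windows\splwow64.exe
!C:\Program Files\*>*chrome.exe
[BLACKLIST]
# Process Explorer must not reach Chrome even though it lives under Program Files
$*procexp*.exe>*chrome.exe
C:\Program Files\Google\Chrome\*>*
*>*chrome.exe
D:\*>*
[EOF]
"""
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

if __name__ == "__main__":
    policy = parse_config(SAMPLE_CONFIG)
    print(f"{policy.size_bytes} bytes (demo limit {DEMO_CONFIG_LIMIT}), lethal={policy.lethal}")
    for src, dst in [(CHROME, CHROME), (CHROME, r"C:\Windows\explorer.exe"),
                     (r"C:\Program Files\SysInternals\procexp64.exe", CHROME),
                     (r"C:\Users\bob\Downloads\dropper.exe", CHROME)]:
        v = decide(policy, src, dst)
        print("ALLOW" if v.allowed else "DENY ", src, ">", dst, "via", v.rule or "default")
```

To dry-run one of the rule sets posted here, paste it in place of SAMPLE_CONFIG and call `decide` with the full paths of the two executables; a `rule` of `None` in the verdict means the pair fell through to the `[DEFAULTALLOW]` setting, which is the case to look at when a rule set is meant to be default-deny. The byte count is worth watching because the demo driver's 2 KB limit is mentioned later in the thread.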
  8. guest

    guest Guest

    Will there be an interface for MemProtect?
     
  9. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    My rule set is working fine.

    Nice simple setup.

    At the moment there is no GUI, so maybe later.
    The way I manage rules is very easy:
    open the log file in Notepad2,
    then use Alt+Z to remove everything before C:\,

    then go here and remove duplicate lines,
    then to sort, go here,
    then, when you have made your rules and want to add the ! prefix to them, go here.
     
  10. To be honest, I don't think it should get a graphical user interface. It is a partitioning / container tool used to harden selectively.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Is the MemProtect driver signed in the latest beta build?
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Yes, a traditional digital signature, which we are all more familiar with, but not Microsoft cross-signed for Windows 10 AU yet.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I was thinking, if you make Firefox a "protected process", and also deny Firefox to read/open other processes, will it still be able to load child processes like the Flash Plug-in and the PDF reader?

    It depends on the malware, not all payloads have to inject code into other processes. So called in-memory payloads may be able to steal data from disk, but it also depends on the privileges of the browser. So extra protection is still needed.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you for the info! I think I will be able to test MemProtect in a few days. I have been really busy with school. I need to stay more active on the forum though since my course of study is Database, and Network Security. I'm also close to my BA in Spanish, but I couldn't work on it this semester.

    I actually learn a lot on Wilders sometimes. It's nice to have so many different people with different backgrounds in Computing to help with research.
     
  15. Sorry, you can plant an egg or even spread memory with an omelet, but this malicious code can't be reached from a MemProtect-contained process.

    Again, when you know of techniques which are able to do that, let's team up and enter the next Pwn2Own. As posted earlier, I will call you Rasheed-SAN, get coffee or tea while you are hacking your way through undocumented system calls, and massage your shoulders when you take a break, as long as I get a share of all the bug bounties you will be earning with your Rasheed magic.
     
    Last edited by a moderator: Sep 1, 2016
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I'm not sure what's so difficult to understand what I'm saying. As said before, in theory a so called "in-memory" based payload can still perform stuff that browsers can do, like reading and modifying data. Or perhaps it can even modify browser memory in order to hijack connections like banking trojans do. MemProtect can't do anything to stop that, since it doesn't block in-memory malware from running. The good news is that in-memory malware is not used in the average exploit-kits, and often relies on code injection which can be blocked.
     
  17. It is not difficult to understand. It is just not correct what you are theoretically thinking.

    The memory overflow is not stopped by Memprotect. Anti exploit programs don't stop the memory overflow either, since this is an elementary flaw in programming languages like C, C++, etc (with new compiler checks like Control Flow Guard, these threats will decrease in future).

    In memory payloads have to inject code and execute it. MemProtect takes away access rights to certain or all processes (depending on the rules) which makes it impossible to manipulate other processes memory.

    What magical options do you know of? So let's make a deal: until you come up with an undocumented syscall or find a PoC (I won't ask for real malware), you stop polluting this thread with your fantasy theory about magic memory operations.
     
    Last edited by a moderator: Sep 4, 2016
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Well, apparently it IS difficult to understand, otherwise you wouldn't have made the same comments. I will try to explain it one more time as simply as possible; perhaps it will sink in.

    Why do you keep repeating this? I never claimed this. I even posted some links to make you understand the difference between MemProtect and tools like MBAE/HMPA.

    https://www.paloaltonetworks.com/do...admin-guide/traps-overview/exploit-prevention
    https://www.paloaltonetworks.com/do...e/exploit-prevention/exploit-prevention-rules

    So called "in-memory" payloads do NOT always have to inject code into other processes in order to do any damage like stealing data. They work from inside the exploited process, like the browser. So protection against memory reading and writing won't help here.

    Bouncer/MemProtect, AG and ERP all cannot stop in-mem payloads from running. Do we need to worry about this? This depends on how paranoid you are, but probably not, since this type of malware is mostly used in high-profile attacks. But it's still a good idea to use a data protection tool to restrict the browser; I use SBIE for this, but you can also use Pumpernickel. That's all I'm saying.
     
  19. guest

    guest Guest

    Yes, restricting the browser is a good idea. It should only have access to specific directories, for example the "Downloads" folder.
    I don't know a reason why I should let the browser access other partitions/data. So I block them with Pumpernickel/FIDES (and AG).
     
  20. Please respect the OP's intent when creating this thread and keep your promise that this was the last time you explained your magic "in memory" payload to me.
    As far as I know you only theorized about MemProtect without playing with it.
     
    Last edited by a moderator: Sep 5, 2016
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    If you mean with "magic" that you don't know of any malware that's currently in the wild that's doing this stuff, then you're right. But that doesn't mean it can't be done. A lot of things are based on theories. Years ago, people had never heard of RMI, but some smart guy started to theorize about it and made it happen.

    The ability to block memory reading and writing isn't anything new. System Safety Monitor did it 10 years ago. BTW, what's truly magical is you claiming that MemProtect is "probably better in stopping exploits than HMPA/MBAE", you sure are a better magician than me. :D
     
  22. MemProtect takes away access rights of processes in from and to rules. It does not block memory read and write operations like HIPS do (System Safety Monitor ten years ago or SpyShelter today).

    MemProtect reduces attack surface, which is more robust than looking at the (known) attack vectors, so that is why I said probably better than HMPA/MBAE/EMET on Windows 8.1 and higher.

    Kernel only versus injecting DLL and placing hooks is discussed to death in several security forums. I don't have a principle standpoint on this. Security based on hooks and DLL is better than none. When I have a choice, I prefer kernel based when it seems to do the job (like MemProtect).

    Another plus for me is that the protected processes mechanism is a different mechanism than the ones the Chrome sandbox is based on. It also does not inject a DLL, which potentially could weaken Chrome security (Chrome developers advise not to use EMET or other exploit mitigation programs for that reason).
     
    Last edited by a moderator: Sep 7, 2016
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    If you block some process from the ability to open, read or write to another process memory, you're not actively trying to block such a process from being exploited in its earliest phase, like HMPA/MBAE/EMET all do. So based on that you can not say it's better or more robust. Because they are both trying to achieve something else.

    However, according to tests done by you and others, MemProtect also seems to be able to block process execution. Why exactly wasn't clear to me. But probably because a monitored process doesn't have the "CreateProcess" access right, which in fact makes it an AE with, as a bonus, the ability to block memory reading and writing. It's basically similar to AG.

    But isn't the end result the same? Does it have some kind of edge over SSM and AG's Memory Guard?
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    It's not relevant; tools like HMPA/MBAE/EMET need to use "user-mode hooks" because without them they cannot monitor processes from the inside. Anti-exes that simply lock down the system without trying to identify an exploit attack don't need these hooks and can rely on the driver to monitor process execution.

    It's the same discussion as we had about combining Chrome with SBIE. It's indeed probably better to rely on anti-exe that do not inject code into Chrome. But on the other hand, the whole point of anti-exploit and third party sandboxes is to block and to isolate malware, so the question is how relevant this "could weaken Chrome security " argument really is.
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Here is my latest working test configuration:

    Code:
    [#LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    #    Baseline System-Space Memory Permissions
    !C:\Program Files*>C:\Program Files*
    !C:\Program Files*>C:\Windows\*
    !C:\Windows\*>C:\Program Files*
    !C:\Windows\*>C:\Windows\*
    #    Additional Rules for Portable Apps on RAM Disk
    !R:\Program Files\*>C:\Windows\*
    !C:\Windows\*>R:\Program Files\*
    #    Chromium specific rules - Chromium portable run from R:\Program Files\Chromium\bin
    !C:\Program Files*>*chrome.exe
    !*\CCleaner\CCleaner*.exe>R:\Program Files\*
    !*\Office1?\*.EXE>R:\Program Files\*
    !R:\Program Files\*>R:\Program Files\*
    #    Microsoft Office
    !C:\Program Files*>*\Office1?\*.EXE
    !*\Office1?\*.EXE>C:\Program Files*
    !*\Office1?\*.EXE>C:\Windows\*
    !C:\Windows\*>*\Office1?\*.EXE
    !*\Office1?\*.EXE>*\Office1?\*.EXE
    [BLACKLIST]
    #    Segregate User-Space
    C:\Users\*>*
    *>C:\Users\*
    *Downloads\*>*
    *>*Downloads\*
    #    Block Process Explorer & Process Hacker from accessing Chromium memory
    $*procexp*.exe>*chrome.exe
    $*ProcessHacker.exe>*chrome.exe
    *chrome.exe>*procexp*.exe
    *chrome.exe>*ProcessHacker.exe
    #    Block memory access to/from Chromium
    *>*chrome.exe
    *chrome.exe>*
    #    Block memory access to/from Adobe Reader
    *>*AcroRd32.exe
    *AcroRd32.exe>*
    #    Block memory access to/from Office (Word & Excel)
    *\Office1?\WINWORD*.EXE>*
    *>*\Office1?\WINWORD*.EXE
    *\Office1?\EXCEL*.EXE>*
    *>*\Office1?\EXCEL*.EXE
    [EOF]
    

    Please keep in mind that this is over the 2KB config size limit for the MemProtect demo driver. But I wanted to share so that users could pick and choose whichever suits their needs and I also add commenting to my configs to keep things tidy and easy to understand.

    With this testing config, I have confirmed now that Google Chrome can successfully update itself without any issues since it does its updating within its Program Files directories. I still have not yet confirmed if Adobe Reader will update with this config but I will see when the next Reader update comes along.

    The reason for the added Downloads folder rules in my config is because my Downloads folder is not contained within C:\Users, so I had to create an additional rule. I am trying to explore rule sets in which users could be protected with confidence with MemProtect only, with no additional anti-exec, just for curiosity's sake and to push MemProtect to its limits.

    Also on a side note, I've done some performance testing recently as well and noticed that MemProtect has literally zero impact; whereas Bouncer has a minor performance impact on my system of about 1/10th of a second. No big deal, of course. But I would have thought that it might be the other way around, with MemProtect having the potential performance impact. I was wrong; MemProtect has no impact.
     