MemProtect - Support & Discussion

I am wondering why the default .ini is [WHITELIST] *>* and not just [DEFAULTALLOW].

 

That's a very good point, I did not notice that initially. The default also seems to be missing the [DEFAULTALLOW] tag. I will mention that to Florian because I think that the default should likely be changed.

 

I am wondering what the absence of both [DEFAULTALLOW] and [#DEFAULTALLOW] in the .ini results in. I think it's the latter?

 

Correct. If it's not mentioned in the .ini, it switches to "default deny"-mode.
This can lead to some problems if you don't have *>* in your whitelist

 

As we all know, MemProtect gives us the flexibility to protect any process as a Protected Process-Light (PPL) essentially as a process memory sandbox.

Anyway, what I did not know is that Microsoft protects it's own Windows Defender process(es) as PPL. Alex Ionescu has pointed that out:

Link: https://twitter.com/aionescu/status/797165650003181568

 

Yes that's my main issue. I really don't have a clue why he never bothered to make a user-friendly GUI.

This would be indeed be nice.

 

I asked Florian back then: He said GUI would not make configuration easier. Still have to choose the parent process and path. Dont know if he will implement a GUI soon.

 

I'm not sure what he means with not easier. I was also shocked by Smart Object Blocker, having to manually write rules is simply not user friendly.

 

Training/Learning Mode would be great, at least you get a rule to work on.

 

You must specify parent and path to child. Having GUI you also needs to specify parent and path to child process. So it is not easier, it is just a GUI on what you could also do in text editor.

MemProtect support [#LETHAL] mode, so you can training. Just use [#LETHAL] use the driver, check log and modify yours rules.

 

Have you ever used EXE Radar? That's exactly what I'm looking for, when it comes to the GUI. And BTW, I was reading the description of MemProtect, and it was not completely clear to me. What if you run some app that is not encaged, will it be able to inject code into other processes?

http://excubits.com/content/en/products_memprotect.html

 

It can inject code, but not in other "encaged processes". But it depends on what rules you have made for your encaged/protected processes.

 

But why not make it so that ANY process can not inject code into ANY other process without user approval? That's how HIPS work, you don't have to think about which processes to protect. BTW, you might want to check out the RemoteDLL tool to see if MemProtect passes the test:

http://www.majorgeeks.com/files/details/remotedll.html

 

This is possible, you can switch to a "default-deny" mode. But there is more work involved to configure it.
And as you may know, there is no GUI (and no user approval), you have to create your rules manually (notepad-style).

 

MemProtect is not only about code injection, but about any kind of access from one process to another. That also means one process cannot launch another. So if you switch to default deny without a proper whitelist, you will render your system unusable / unbootable.

 

@FleischmannTV

Exactly my point when I asked for default allow to be the default mode (simular to Pumpernickel). Request was implemented (add a Default allow mode), only default stayed on deny. I hope additional requests may make allow the default.

The risk to wreck your system is IMO also a good reason to NOT develop a GUI for this powerfull security mechanism. Not having a GUI is a threshold to use it when you ar not comfortable with command and rule based programs.

Regards Kees

 

MemProtect is a lean and mean security program, which I really like. MemProtect is a tiny driver which uses windows internal mechanisms, so near zero CPU and Memory overhead.

My simple MemProtect INI file (1,8 KB of which half is comment #) using the container approach (vulnarable programs are only allowed to access their own installation folder). I use Chromium stable compiled by HenryPP, when you use Chrome, replace Chromium by Chrome and remove flashplayer (Chrome has own PPAPI flash). I added allow rules for print-spooler (splwow64.exe) and screen-keyboard (taptip.exe). All contained programs also call explorer, but allowing them to manipulate explorer would potentially open a worm hole and blocking access to explorer does not seem to affect functionality.

Code:

[LETHAL]
[#LOGGING]
[DEFAULTALLOW]
#Only Office, Skype, Chromium and Flash are contained
[WHITELIST]
#allow contained programs to start print-spooler and onscreen-keyboard
!C:\Program Files\*>*splwow64.exe
!C:\Program Files\*>*TapTip.exe

#allow Office access to Office
!C:\Program Files\Microsoft Office???\*>C:\Program Files\Microsoft Office???\*

#allow Skype access to Skype
!C:\Program Files\Skype\*>C:\Program Files\Skype\*

#allow Chromium access to Chromium and Flashplayer
!C:\Program Files\Chromium\*>C:\Program Files\Chromium\*
!C:\Program Files\Chromium\*>C:\Windows\System32\Macromed\*

#allow Flashplayer access to Flashplayer
!C:\Windows\System32\Macromed\*>C:\Windows\System32\Macromed\*

[BLACKLIST]
#deny Office to infect/start other programs
C:\Program Files\Microsoft Office???\*>*

#deny Skype to infect/start other programs
C:\Program Files\Skype\*>*

#deny Chromium to infect/start other programs
C:\Program Files\Chromium\*>*

#deny Flashplayer to infect/start other programs
C:\Windows\System32\Macromed\*>*
[EOF]

MemProtect does not delay startup of programs, as shown by AppTimer results.

C:\Program Files\Chromium\chrome.exe - 5 executions without MemProtect
0.8614
0.4371
0.4275
0.3500
0.4317

C:\Program Files\Chromium\chrome.exe - 5 executions with MemProtect installed
0.8880
0.3036
0.4172
0.3226
0.3057

 

Yes I have. OK, now I understand what you looking for. MemProtect is not right solution for you.

Yes, there you need also rules which are "somehow" provided by vendor updates. In MemProtect you specify rules, it is not blackbox you having more freedom but on other side you need to know what you are doing. From what you said in posts I think MemProtect is not right tool for you - I guess you are looking for a tool that does it all automaticaly and delightful. MemProtect is for more advanced/skilled user. Like @Windows_Security said: "Not having a GUI is a threshold" here, so ordinary user cant crash system what is a good point, because I thinks normal Windows-user will be frustated with MemProtect. Someone at some point here on Wilders said: Excubits products are not for masses, that is what I think, too. It is for specialist or admin.

@Windows_Security: Thanks for sharing your ini file. btw: [DEFAULTALLOW] really should be in default config.

 

Apologize when posted before M$ documentation on protected processes as introduced wih Vista. MemProtect info mentions Windows 7 and up

link to document download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/process_vista.doc

 

According to the Newsblog, they added suport for a larger .ini-file (up to 1 Megabyte):

 

@mood Good news! Thanks.

 

For some reason I thought Win 8 was minimum requirements, but documentation mentions Windows 7, so I added MemProtect on my wife's laptop.

 

Yes, also works in Windows 7. I used it on my old Win7 (x64) notebook. Worked pretty fine (but ensure you install all updates or driver with sha256 (EV) signaturte will not load because older Windows version dont support driver sha256 signatures if you dont update.

 

As @4Shizzle mentions, a stock Windows 7 Service Pack 1 system cannot verify SHA256 / EV digital signatures in binaries because, quite simply, Microsoft had not added that hashing algorithm at that point in time. For example, if somebody wanted to run a Windows 7 virtual machine and not deal with hundreds of updates through Windows Update, they would at the very least need to install KB3033929. Also KB2813430, KB3123479 and KB3097966 are pretty important as well with regard to hashing updates in Windows 7. But to keep things simple, I would assume that the recent Windows 7 Convenience Rollup would include these very important patches.

 

Ok checked thx