MZWriteScanner

Discussion in 'other anti-malware software' started by Mr.X, Feb 16, 2017.

  1. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,945
    Location:
    The Pond - USA
    The problem seems to be obscure. After MZ installation and a reSTART, the System comes up running with MZ active... great. The problem is, when I go to STOP the driver, the stop hangs at that point and anything else after that stop also hangs. The only way out is a reSTART. It's hampered the testing quite a bit due to the fact I can't edit the INI (file in use) 'cause the driver is running :rolleyes: Only way to edit is to BOOT into Safe Mode for the edit, then back into the main System.

    No such problem with FIDES...

    I'll get back into the test loop as soon as we figure what's going on with the driver...
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Just bought license. You want an interesting read, google MZ exe. The MZ is a person's name.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay now I am even more impressed. Adobe Reader had an update. I always have to turn off Appguard, but the installer was throwing an error about a missing DLL. Then I noticed MZ's icon was red. Looked and it was the DLL. Tried clearing the log, but it was still blocking. So I set it to install and got the reader updated. So indeed it is controlling DLLs.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    In times past those DLL malware infestations were oftentimes brutal to track down and finally remove, like a bad tooth.

    Good to read of that discovery with this security app/tool/driver whatever.
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Pete - have you tried CommandLineScanner also?
    I am not quite sure what the difference is between CommandLineScanner and MZWriteScanner ... is the latter not just a subset of the former? Anyone?
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    No I haven't. I'll get the paid MZWriteScanner in play, and then give it a play. ERP does a great job with command lines but does nothing with DLL and SYS files, which MZ does.

    It takes a bit to wrap your mind around these drivers but once you do they are impressive.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    WOW. I ordered MZ when I posted at 9:24 local time. I just received the download. They have sure sped up things.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Yes they are. BOTH!

    Had my share of fun on 32 bit XP when you could snag rootkit sys drivers (Thanks HIPS!) and turn them around on the bad guys to hide a security app in the alternate data streams and that did take some doing to wrap the old noggin around but worked great!
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Easter, you really ought to look at these guys. Once you get it they are simple, and there are plenty of folks here to help you.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Paid version up and running. Rebooting was the longest part of the process.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I like what you've been discovering with Excubits. I am seriously considering purchasing a couple of their drivers since they are rock solid from everything that's being trumpeted about the picture perfect security they offer.

    Plus I've always been a bits and pieces sort anyway as you well know. A couple of stick'm drivers from those guys teaming with my current setup could just about zip up the whole system.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Decide which ones you want and test them. For example I can't use Bouncer and MemProtect because they conflict with NVT ERP. But the two I am using, I love.
     
  13. guest

    guest Guest

    CommandLineScanner is looking at each executed command line.
    If you are blocking *java*, you are not only blocking "java-executables" but you are also blocking "notepad.exe java.txt" or "wscript java.js".
    Look at your command lines in ERP to get an idea of what you could be able to block with this tool.

    And you can mitigate the file-less attack mentioned in this thread: A rash of invisible, fileless malware is infecting banks around the globe
    It was also mentioned in the Excubits blog: https://excubits.com/content/en/news.html (2017/02/19)
    -----
    MZWriteScanner is monitoring the hard disk, and if a file (with an MZ header) has been dropped into a "blacklisted" location, the file is logged (it is now tracked by MZWriteScanner) and further execution is blocked.
    Even if malware was able to copy the dropped file to "Program Files", the file stays blocked.
    (After a restart of the service [or after a reboot], MZWriteScanner doesn't remember any of these previously dropped files anymore...)
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I like to envision a day when Florian is able to hire a talented GUI designer who is able to combine all of these truly rock-solid kernel-mode drivers into one unstoppable force. Also, I would love to see some kind of step-by-step rule creating "wizard" type of UI similar to AppLocker rule creation so that it can better help users get started.

    I am most definitely appreciative of the fact that more users are now able to see the "less is more / less attack surface" core design goal of Florian's for keeping things simple, keeping the code base small and efficient, yet powerful and granular control over your own systems.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Ok a question and this might be for Florian. Copy an exe file to disk and the icon turns red. It's blocked. I clear the log and re-invoke the program; it runs and drops a DLL. Again it is blocked but the icon in the tray stays green. Should this be?
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Testing now in progress :p

    Let us know how it goes overall, which looks to be pretty solid. The Excubits gurus have your answer on that one.
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Thanks @mood.
    I may also give MZWriteScanner a play, especially given Peter's recent enthusiasm :). I only have FIDES at the moment.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    My enthusiasm continues unabated. It's working like a charm. I may contact Florian about the icon question.
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Good choice. And that reminds me of an important suggestion for anyone with regard to Excubits' drivers: I would highly recommend that a user masters and understands one driver at a time. That way the user gets a great understanding of how the underlying system reacts dependent upon the rules that have been applied. :thumb:
    Oddly I still have not added FIDES to my daily protection as of yet. I did test it thoroughly before it came out of beta to assist Florian, but just have not made it part of my usual setup yet. But I can certainly attest to the power and efficiency of each of his drivers.

    The icon issue that you had mentioned, though, does sound like some sort of bug with the tray tool. I haven't experienced that myself yet but it does not sound right. By the sounds of it, the driver worked as intended and blocked the dropped .DLL as expected but the tray icon did not respond accordingly. I would suggest contacting Florian on that issue, indeed.
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Paid MZWriteScanner users will love this (from included readme.txt):

     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hmm. Have paid, and have Forensics turned on, but no folder c:\$forensics. Glad I haven't sent the email to Florian yet.
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I only have paid versions for Bouncer and MemProtect at the moment, so I don't have access to the paid version of MZWriteScanner to test this forensics feature out. Essentially the idea is to have files that are flagged also copied over to this forensics folder for further research. Quite handy for honeypots and malware researcher type of work. I have no idea whether or not the driver creates that folder automatically or if you would have to create that folder yourself prior to enabling that forensics flag. But I am certainly curious about it.

    Please let me know if you find out more about this forensics feature. I assume that having the flag added under [LOGGING] in the top section of the config would be similar to others, [FORENSICS] for enabled and [#FORENSICS] for disabled. Although this is not available in demo version. Since you have the paid version and if this is not working after trying to manually create that directory, I would suggest to see what Florian says since I have not tested this feature as of yet.
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I have to correct what I just posted, apparently I do have full versions for Bouncer, MemProtect, Pumpernickel/FIDES and also MZWriteScanner. Although mine are about 1 month prior to the full stable release of all drivers. They are signed for Anniversary Update correctly though so I should be good to go and start testing this.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Cool, I'll be curious. I'll let you know what I hear from Florian.
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I finally got a chance to get a nice setup going with MZWriteScanner paid version last night. Everything worked out fantastic in my testing scenarios and I became a fan of this now as well. However, I had no luck getting the Forensics feature working. Execution was being blocked and all as expected, but no copying of dropped executables to that $Forensics directory. I assume that you already wrote Florian about this so I will wait until you hear back on that. He typically will respond more often on weekends.

    I did not initially envision this MZWriteScanner concept when Florian first brought it up with me. I was too curious and interested in Bouncer and/or MemProtect at the time. This is quite interesting though because it would track any dropped binaries (.exe, .sys, etc.) and monitor for their execution. The SHA256 hashes for those dropped binaries are calculated and stored within kernel memory only and therefore well protected. As we know, that kernel memory of hashes is flushed after rebooting the system. However, this would still have prevented any initial execution and/or persistence on the system. No malware would be executed, no malicious drivers installed, etc. and therefore no persistence. Florian was speaking very highly of this MZWriteScanner concept to me a while back prior to public release but I failed to grasp the effectiveness, simplicity and purpose. This is really quite interesting and I will continue to play with this for a while. :thumb:
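As an added illustration, not Excubits' driver code and not part of this thread, the following Python script models in user mode the mechanism mood and WildByDesign describe: a write into a watched ("blacklisted") directory of a file carrying the MZ header gets hashed with SHA256, the hash is kept only in memory, any later execution of an image with that hash is blocked even after the file has been copied to "Program Files", and a restart of the tracker forgets every previously dropped file. The class and function names (MZWriteTracker, on_file_written, on_execute, demo), the directory layout, the sample file contents and the reduction of the MZ check to the two-byte signature are all my assumptions; the copying of flagged files into a $Forensics folder is modelled on the readme behaviour WildByDesign summarises above, not on the driver itself.

```python
"""User-mode model of the MZWriteScanner concept (added example, not Excubits' code).

The real driver is a kernel-mode file-system filter; here the "driver" is a
plain Python class and the dropped binaries are constructed sample files.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

MZ_MAGIC = b"MZ"  # DOS header signature at offset 0 of EXE, DLL and SYS images


def is_mz_file(path):
    """True if the file starts with the MZ signature (simplified check, assumption)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == MZ_MAGIC
    except OSError:
        return False


def sha256_of(path):
    """Hash the file contents; the digest identifies the drop, not its path."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class MZWriteTracker:
    """Tracks MZ files written into watched directories (hypothetical class)."""

    def __init__(self, watched_dirs, forensics_dir=None):
        self.watched = [Path(d).resolve() for d in watched_dirs]
        self.forensics_dir = Path(forensics_dir) if forensics_dir else None
        self.tracked = set()  # in memory only, like the driver's kernel-memory hash set
        self.log = []         # (event, path, sha256) tuples, like the tray tool's log

    def _in_watched(self, path):
        return any(w in Path(path).resolve().parents for w in self.watched)

    def on_file_written(self, path):
        """Write hook: returns True if the new file is now tracked."""
        if not self._in_watched(path) or not is_mz_file(path):
            return False
        digest = sha256_of(path)
        self.tracked.add(digest)
        self.log.append(("DROPPED", str(path), digest))
        if self.forensics_dir is not None:
            # Assumed FORENSICS behaviour: keep a copy of every flagged drop.
            self.forensics_dir.mkdir(exist_ok=True)
            shutil.copy2(path, self.forensics_dir / f"{digest}.bin")
        return True

    def on_execute(self, path):
        """Execution hook: True if the image may run, False if it is blocked."""
        digest = sha256_of(path)
        if digest in self.tracked:
            self.log.append(("BLOCKED", str(path), digest))
            return False
        return True


def demo():
    """Walk through drop, copy, block and restart; returns the observed results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        downloads, programs = root / "Downloads", root / "Program Files"
        downloads.mkdir()
        programs.mkdir()
        tracker = MZWriteTracker([downloads], forensics_dir=root / "$Forensics")

        # Constructed sample files: one MZ image and one plain text file.
        dropped = downloads / "dropper.exe"
        dropped.write_bytes(b"MZ" + b"\x90" * 62 + b"constructed stand-in for a PE image")
        note = downloads / "readme.txt"
        note.write_bytes(b"just text, not an executable")

        results = {}
        results["exe_tracked"] = tracker.on_file_written(dropped)
        results["txt_tracked"] = tracker.on_file_written(note)

        # The drop is copied elsewhere; its hash does not change, so it stays blocked.
        moved = programs / "updater.exe"
        shutil.copy2(dropped, moved)
        results["exec_in_downloads"] = tracker.on_execute(dropped)
        results["exec_after_copy"] = tracker.on_execute(moved)

        # A binary that was never written to a watched directory is not affected.
        legit = programs / "legit.exe"
        legit.write_bytes(b"MZ" + b"\x00" * 100)
        results["exec_legit"] = tracker.on_execute(legit)
        results["forensic_copies"] = len(list((root / "$Forensics").iterdir()))

        # Service restart or reboot: a fresh tracker has an empty hash set.
        fresh = MZWriteTracker([downloads])
        results["exec_after_restart"] = fresh.on_execute(moved)
        results["log"] = tracker.log
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script shows the properties the thread discusses: the text file is ignored, both copies of the dropped image are blocked, the untouched binary runs, exactly one forensic copy exists, and after the "restart" the same image is allowed again, which is why the driver only prevents the initial execution and persistence rather than acting as a permanent blacklist.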
     