Well, I need to do some whitelisting for my EIS program updating. MZWriteScanner completely shut it down. It did its job. And yes, I did write Florian.
Without extensive WHITELISTing, MZ will shut down a ton of stuff... think program installs/updates, file-syncing utilities, even commonplace unarchiving like ZIP or RAR unzipping program executables, etc. It'll get wild as you go along...
ROFL. I finally got my whitelist set up to allow automatic updating of EIS software versions. It was kinda like Linus playing football with Lucy. The target kept moving. Yes, it may take a bit of work at first, but to me it's worth it because it's not an everyday thing. And I love the extra protection. That makes it worth it. Pete
You could also switch this thing around into a Default Allow type of setup with a * wildcard in the whitelist section, then specify locations within the blacklist section that you want to monitor more closely. This is my preferred scenario at the moment. I suppose, similar to MemProtect, it might be good to have Florian develop a [DEFAULTALLOW] switch for MZWriteScanner as well. Either way, once I set up my configs for Bouncer, MemProtect, etc., I have not had to make any modifications to my setups for several months now, and it allows for great flexibility in my overall daily workflows. These drivers become fantastic "set-and-forget" protection once dialed in to your specific machine/workflow.
Well, when I set up my second machine I configured it the same as the first. So once I have one set up, number two falls right in line. I have no issue with the way it is now. Sure, it's a bit of work, but when it's done, it's done.
I heard back from Florian on the 3 issues:
1. When a 2nd file is dropped, the icon doesn't respond. Florian said there appeared to be a problem in the tray app. Will fix.
2. The Forensic option. He said it wasn't turned on yet. Said he could make a build with it on.
3. The tray icon color for off. He sent me a new icon that is gray. Looks good. Will be in next build.
Excellent timely support.
Wowser. I just ran a script file with Locky in it. For sure AppGuard, VS and ERP would have shut it down, but I just wanted to see what MZWriteScanner on its own could do. Without turning off the driver there was just no getting it to run. It doesn't block the script file of course, but the script drops a tmp file and that is blocked. So you clear the log file and then restart the script. It runs till it drops the tmp file again, and it's game over for the malware. Couldn't get it to run. Now that is cool.
I agree. Once you have set up the configuration, you forget that the Excubits tools are running and protecting you all the time.
I was thinking about the idea of a blank whitelist with exceptions blacklisted. Won't work for this driver. Give me a bit of time and I'll explain later. Pete
It should work... you should be able to use PRIORITY rules in the BLACKLIST to inhibit areas of the WHITELIST entry if needed.
Froggy, think about it. In this case, if you were to whitelist everything, how would you know what to blacklist? By blacklisting everything it blocks anything dropped on the disk. Then, if it is okay, you whitelist it.
Strongly considering giving MZWriteScanner a try on my Win7 x64, but it sounds like I'd have to make time to really get into it. Historically, I have used AppGuard, VS & ERP, but right now just VS of those 3. Sounds like you're perhaps in a testing VM, and you're not running MZWriteScanner with VS. Do you know if MZWS will conflict with VS, or do you suggest just not running both at the same time?
Sometimes I use them all together, and they don't conflict with each other. Make sure to switch to Install Mode before you install other applications, because MZWriteScanner might block your installer or other temporary files which are dropped to blacklisted locations. Or, an AV for example might drop files/signatures to a specific directory several times a day and MZWriteScanner is blocking it every time. In this case you can whitelist the location, so it isn't blocked anymore.
Hi SimmersK00l. Yes, I am running them together. In the VM for testing, and on my host machine(s) for real. And no, you can't install it and ignore it. But once you get it set up, then it is pretty trouble free. Also, I do run AppGuard, ERP and VS. I have reasons, but it might be overkill for you.
The new MZWriteScanner now is also able to log written EXE files in a forensic directory (c:\windows\$forensics\) - that is cute. I guess this is helpful to analyse dynamically written stuff that gets deleted or changed over time. I have seen malware droppers that quickly delete or overwrite themselves at runtime, so with this you can still get such malware afterwards. But I think enabling it for the whole runtime can also be dangerous. What would you guys recommend? Turn it always on, or just for forensics/analysis (as its name recommends)?
As noted on Excubits' blog, all of the kernel-mode drivers have been updated (demo and paid). But particularly MZWriteScanner received quite a bit of improvement with regard to efficiency. There was also a bug that affected the processing of wildcards that was quite an important fix and may have led to crashes in some situations or, at the least, some inconsistencies in rule processing. This is definitely the best version of MZWriteScanner so far. Link: https://excubits.com/content/en/news.html Some appreciation there for @TheRollbackFrog and @Peter2150 I believe. Thank you to anyone who has shared their suggestions and bug reports to improve MZWriteScanner for all of us.
Heads up, guys. I don't know whether this is a bug or a design change: in the earlier version, if you dropped an exe, the icon alerted. You could look at the log file, but as long as you left it in the log, execution would be blocked. The new version still alerts, but once you look at the log it no longer blocks. I don't like that. I've just reported it and will post when I hear back. Just be aware.
You mean, after looking at the log it isn't blocking the file anymore (or after clearing)? Looking at the log shouldn't affect the protection. Only clearing the log file affects the protection, because the service is restarted and all remembered files are discarded.
That's correct. Try it and see if you can duplicate my results. Like I said, I have reported it to Florian.
I forgot to mention it in my post, but I tried it and MZWriteScanner was still protecting files. To be sure I tried it again:
a) Green tray icon is displayed
b) A file has been blocked, tray icon turns red.
c) Another execution of the same file = file is blocked, tray icon is still red
d) Right-click on tray icon: Open log file, tray icon turns green
e) Execution of the previously blocked file = it is blocked and stays blocked...
Code:
*** excubits.com demo ***: 2017/04/08_17:09 > W:C:\Program Files\totalcmd\TOTALCMD64.EXE > C:\test\DriveLetterView.exe > a36885e04b3ad2609f36d9095c64d69516ec1981e1b181b0429fa47499270b0c
*** excubits.com demo ***: 2017/04/08_17:09 > X:C:\Program Files\totalcmd\TOTALCMD64.EXE > C:\test\DriveLetterView.exe
I was not able to reproduce it on my system.
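As an added example (not code from this thread or from Excubits), a small Python parser for log lines in the layout quoted above, which pairs the W line for a dropped executable with the X line recording its blocked launch, the "dropper writes a file, file cannot start" pattern described earlier in the thread. The meaning of the W/X prefixes and the field order are inferred from those two lines (an assumption, not Excubits documentation), and the third sample line is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the two lines quoted in the post above plus one extra W
# event for a file that was never launched (its all-zero hash is a placeholder).
SAMPLE_LOG = [
    r"*** excubits.com demo ***: 2017/04/08_17:09 > W:C:\Program Files\totalcmd\TOTALCMD64.EXE > C:\test\DriveLetterView.exe > a36885e04b3ad2609f36d9095c64d69516ec1981e1b181b0429fa47499270b0c",
    r"*** excubits.com demo ***: 2017/04/08_17:09 > X:C:\Program Files\totalcmd\TOTALCMD64.EXE > C:\test\DriveLetterView.exe",
    r"*** excubits.com demo ***: 2017/04/08_17:12 > W:C:\Windows\explorer.exe > C:\test\never_run.exe > 0000000000000000000000000000000000000000000000000000000000000000",
]
# Field layout inferred from the quoted lines (assumption): header, timestamp, "W:"
# (executable written) or "X:" (launch blocked), acting process, file, SHA-256 (W only).
LINE_RE = re.compile(
    r"^\*\*\* (?P<tag>.+?) \*\*\*: (?P<ts>\S+) > (?P<kind>[WX]):(?P<proc>.+?)"
    r" > (?P<path>.+?)(?: > (?P<sha256>[0-9a-fA-F]{64}))?$"
)

@dataclass
class Event:
    timestamp: str
    kind: str                     # "W" or "X"
    process: str                  # writer (W) or launcher (X)
    path: str                     # the executable the event is about
    sha256: Optional[str] = None  # only present on W lines

def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    return Event(m["ts"], m["kind"], m["proc"], m["path"], m["sha256"]) if m else None

def parse_log(lines) -> List[Event]:
    return [ev for ev in map(parse_line, lines) if ev is not None]

def correlate(events: List[Event]) -> Dict[str, dict]:
    """Per file (case-folded, Windows paths are case-insensitive): writer, hash, blocked launches."""
    report: Dict[str, dict] = {}
    for ev in events:
        entry = report.setdefault(ev.path.casefold(),
                                  {"writer": None, "sha256": None, "blocked": []})
        if ev.kind == "W":
            entry["writer"], entry["sha256"] = ev.process, ev.sha256
        else:
            entry["blocked"].append((ev.timestamp, ev.process))
    return report

def dropped_then_blocked(report: Dict[str, dict]) -> List[str]:
    """Files that were written and then had a launch blocked: the dropper pattern in the thread."""
    return sorted(p for p, e in report.items() if e["writer"] and e["blocked"])
```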
I'll retest, but when I first tried I forgot I had AppGuard on. When you test, be sure nothing else is blocking.