After round one of updating the .ini: 'System error 1450 has occurred. Insufficient system resources exist to complete the requested service'. It is already at 4KB, so I have purchased a license. Edit: My PayPal purchase has been processed but I have not received a link. Is it a manual process and should I be patient? I ask because I had problems before (with FIDES).
I kinda wish MZWriteScanner also had the option to whitelist a 'parent', because in some cases this would simplify and/or improve the whitelist ... some examples. I use Zoolz to back up to the cloud but for every item backed up, an entry is created, e.g.

2017/06/03_18:30:43 > W:C:\Program Files\Genie9\Zoolz2\Zoolz.exe > C:\My Portable Applications\Vivaldi\Vivaldi.1.10.862.6.x64.exe > b4393d97febb6970c5bc5298d6b00efda58a5bf996262a1dfb1c7df99423c46a

In this case essentially I have to whitelist C:\My Portable Applications\*\*.exe but it would be easier, and better, to whitelist C:\Program Files\Genie9\Zoolz2\Zoolz.exe

Also:

2017/06/04_07:36:52 > W:C:\Program Files (x86)\CCleaner Cloud\CCleanerCloudAgent.exe > C:\Windows\Temp\cpuz138\cpuz138_x64.sys > 8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775
2017/06/04_07:36:55 > W:C:\Program Files (x86)\CCleaner Cloud\CCleanerCloudAgent.exe > C:\Windows\Temp\920b141e-d5a8-4b35-ba67-fc14448572ff > 40b7885c0d3b9a14acdff68f2963a0e7397f425d7d3f7d590930f942623733b7

To whitelist the second entry, I would need C:/Windows/Temp/* or similar, which looks like a bit of a 'hole'. Again, C:\Program Files (x86)\CCleaner Cloud\CCleanerCloudAgent.exe would be better ... I already have entries like this to accommodate googleupdate IIRC.

C:\Users\nnnn\AppData\Local\Temp\*-*-*-*-*\*.dll
C:\Users\nnnn\AppData\Local\Temp\*-*-*-*-*\*.pyd

Or am I misunderstanding, and this would completely mess with the 'philosophy' of MZWriteScanner?
Important is the path where the files have been dropped to. Whitelisting the whole location "C:\Windows\Temp" is not a good idea. If you are running programs which are dropping/writing a lot of files, then it might be a better idea to turn off the protection temporarily. And if you whitelist "C:\My Portable Applications\*\*.exe" you are allowing your portable applications to drop files to this directory (especially your browser, which is able to drop malware or other "bad things"). Either turn the protection off temporarily or whitelist all needed locations. But I would turn the protection off instead of having too many exceptions in the .ini. Maybe you can suggest it to the developer ("whitelisting of parent processes"). If MZWriteScanner is able to mention the parent process of dropped files in the log file, then I'm sure that the developer is able to implement such a "whitelist feature". It only has to "compare" the parent process of the dropped file with the whitelisted parent process in the .ini. If they are equal, the dropped file isn't blocked.
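The two posts above describe a path-based whitelist (the .ini entries with `*` wildcards) and a proposed parent-process whitelist (compare the writing process against a trusted image path and let the write through on a match). The script below is an added example, not MZWriteScanner's own code and not its real .ini matching semantics: it replays the log lines quoted in the thread, plus one constructed record, against both styles so the 'hole' opened by whitelisting C:\Windows\Temp\* is visible. The segment-wise glob (a `*` never crosses a backslash), the exact image-path comparison for parents, and the `unknown.exe` record with an all-zero placeholder hash are assumptions of this example.

```python
"""Replay MZWriteScanner-style log lines against two whitelist styles.

Constructed example: NOT MZWriteScanner's own code. Only the record layout
'timestamp > W:parent > written file > sha256' is taken from the thread;
the matching rules below are assumptions of this example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class DropEvent:
    timestamp: str
    parent: str   # process image that wrote the file
    path: str     # file that was written (carries an MZ header)
    sha256: str


def parse_log_line(line: str) -> DropEvent:
    """Split one 'W:' log record into its four fields."""
    fields = [f.strip() for f in line.split(" > ")]
    if len(fields) != 4 or not fields[1].startswith("W:"):
        raise ValueError(f"not a write record: {line!r}")
    ts, parent, path, digest = fields
    return DropEvent(ts, parent[2:], path, digest.lower())


def path_matches(pattern: str, path: str) -> bool:
    """Case-insensitive glob where '*' matches within one path segment only,
    so 'C:\\Windows\\Temp\\*' covers files directly in Temp, not deeper."""
    pat_parts = pattern.lower().split("\\")
    path_parts = path.lower().split("\\")
    if len(pat_parts) != len(path_parts):
        return False
    return all(fnmatchcase(seg, pat) for seg, pat in zip(path_parts, pat_parts))


def allowed_by_path(event: DropEvent, path_whitelist) -> bool:
    """Existing style: judge the write by where the file landed."""
    return any(path_matches(p, event.path) for p in path_whitelist)


def allowed_by_parent(event: DropEvent, parent_whitelist) -> bool:
    """Proposed style: judge the write by which process performed it
    (exact, case-insensitive comparison of the parent image path)."""
    trusted = {p.lower() for p in parent_whitelist}
    return event.parent.lower() in trusted


def evaluate(lines, path_whitelist, parent_whitelist):
    """Return {written file: (allowed by path rule, allowed by parent rule)}."""
    result = {}
    for line in lines:
        ev = parse_log_line(line)
        result[ev.path] = (allowed_by_path(ev, path_whitelist),
                           allowed_by_parent(ev, parent_whitelist))
    return result


PLACEHOLDER_HASH = "0" * 64  # constructed digest for the constructed record

# The first three records are the ones quoted in the thread; the fourth is
# constructed: an unknown process writing straight into C:\Windows\Temp.
LOG_LINES = [
    r"2017/06/03_18:30:43 > W:C:\Program Files\Genie9\Zoolz2\Zoolz.exe > "
    r"C:\My Portable Applications\Vivaldi\Vivaldi.1.10.862.6.x64.exe > "
    "b4393d97febb6970c5bc5298d6b00efda58a5bf996262a1dfb1c7df99423c46a",
    r"2017/06/04_07:36:52 > W:C:\Program Files (x86)\CCleaner Cloud\CCleanerCloudAgent.exe > "
    r"C:\Windows\Temp\cpuz138\cpuz138_x64.sys > "
    "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775",
    r"2017/06/04_07:36:55 > W:C:\Program Files (x86)\CCleaner Cloud\CCleanerCloudAgent.exe > "
    r"C:\Windows\Temp\920b141e-d5a8-4b35-ba67-fc14448572ff > "
    "40b7885c0d3b9a14acdff68f2963a0e7397f425d7d3f7d590930f942623733b7",
    r"2017/06/04_09:00:00 > W:C:\Users\nnnn\Downloads\unknown.exe > "
    r"C:\Windows\Temp\dropped.tmp > " + PLACEHOLDER_HASH,
]

PATH_WHITELIST = [
    r"C:\My Portable Applications\*\*.exe",
    r"C:\Windows\Temp\*",   # the 'hole' the poster was worried about
]
PARENT_WHITELIST = [
    r"C:\Program Files\Genie9\Zoolz2\Zoolz.exe",
    r"C:\Program Files (x86)\CCleaner Cloud\CCleanerCloudAgent.exe",
]

if __name__ == "__main__":
    verdicts = evaluate(LOG_LINES, PATH_WHITELIST, PARENT_WHITELIST)
    for path, (by_path, by_parent) in verdicts.items():
        print(f"{path}\n    path rule: {'allow' if by_path else 'block'}"
              f"    parent rule: {'allow' if by_parent else 'block'}")
```

Running it shows the trade-off from the thread: C:\Windows\Temp\* lets the constructed unknown.exe write through while the parent rule blocks it, and the parent rule covers the cpuz138 driver dropped one directory deeper without any path exception at all. The parent rule in turn trusts whatever runs from the listed image path, so it only moves the question to how well that binary itself is protected.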
Agree. But difficult with scheduled jobs. Although I am tempted to remove those ... May not be a priority for him, but will ask Florian (thanks for your input) nonetheless.
The good thing is, every file with a MZ-header will be detected. No matter what extension the file has
First serious attempt to run an Excubits app, mzwritescanner_demo. The readme seems clear enough, but... I installed the driver with right click of inf "install" per directions. I assume it installed but did not (auto)start itself as I'm not finding its log file in \windows or anywhere on hdd. Then executed start driver.cmd and I get System error 5 has occurred. Access is denied. I am logged in to win7 as an admin? So I googled error 5 and got a hint, and tried again thinking this time it has to work, but I now get system error 2, and not immediately finding any good hints. I'm rusty with cmd line, but not "afraid" of it. I'd like to get mzwr running. Clues gladly accepted.
5 = You don't have sufficient rights to start/stop the driver. Make sure to run the command-line as Administrator. And make sure to copy MZWriteScanner.ini to c:\Windows\MZWriteScanner.ini

To verify if the driver is running, launch status.cmd. You should see something like:

STATE : 4 RUNNING

If it is running, start your browser and download something. Now it should appear in the file: c:\Windows\MZWriteScanner.log
Hi simmersKool. You need both the driver and the ini file in the windows directory. Then what I do is take the start utility and move it to the windows autostart directory so the tool starts with the system. That way you will get the tray program on every system start. Note guys: This driver does need some babysitting. You will have to turn it off on every install and uninstall of any software. The protection is incredible but it can also be a bit of a pain. Pete
Thanks mood & Peter, I skipped over (missed) the step of putting the ini in the windows dir. I had been reading this thread some months ago, and then put it aside and then jumped back in last night without reading new or re-reading older posts. Will try running mzwr again shortly. Thanks for the reminder about installs and uninstalls, but for me, for now, purely logging. EDIT: I went back to start mzwr again, and still some "issues," then recalled the other night when I opened demo.exe, it seemed like maybe there was a glitch, so... tonight I started over from the beginning, uninstalling, reinstalling, etc, and it was as easy as falling off a log, almost easier. Log file and ini file were in c:\windows, the log file seems to be logging ok. So now I'll re-read all posts, get up to speed and send Florian some $$. Thanks!!
Indeed, does need quite some babysitting. I PM'd Florian about the possibility of some sort of whitelisting via parent process (#106), but didn't get a response.
Also asked this. He is evaluating and there is a good chance this is gonna be implemented in MZWriteScanner.
As I said, when I reinstalled mzwr from scratch and restarted it, everything was in place and it was running and (only) logging on my win7_64 (default ini), seemingly aok, but... I think there was some incompatibility with some installed apps, either VS, AG, or Comodo Firewall @ cruelsister settings, and after about 18 hours the system got slow & buggy and was hanging. It was hanging to the extent that when I tried to reboot it froze, and I had to crash it. I restarted in safe mode and removed mzwr, for now, and the pc is running super fine again. My best guess is that it was CF that did not like mzwr, but I could not pin it down. I'll play with mzwr some more but give it a rest for a few days (maybe go back and read thru all the posts). Lately, I'm (re)thinking about what's a good extra layer of security versus redundant and overkill.
Important update: Adjustments for Windows 7 and optimization of the read buffer Update for MZWriteScanner https://excubits.com/content/en/news.html 2017/12/23
Hi simmersKa00L. I saw no compatibility issues with AppGuard and VS up to ver 3.59b. Never used Comodo so you might start with that and then try the new VS. But you need to do a complete uninstall, not just turn them off.
Thanks peter2150 (and saw mood's post about win7, wonder if that was any issue for me?). Per Dan, VS 4.xxb is "different" than 3.59; 4.14b seems like he's worked out most if not all of the bugs. I do suspect CF troubling mzwr primarily because CF immediately sandboxed the cmd scripts so I had to fix that one by one. Gotta say, I like cruelsister's videos, and now over time I've come to consider CF@cs primary protection, i.e., not ready to abandon it, at least not now. But I remain interested in Excubits, and gee, Florian just sent me a Christmas email.
The coming version of MZWriteScanner will get a persistent cache and is able to block newly written files after a reboot.

Behind the scenes of MZWriteScanner and Meltdown & Spectre: MZWriteScanner, Meltdown and Spectre
https://excubits.com/content/en/news.html 2018/01/08