Ladies and Gents, there appears to be a new MZWriteScanner build available in Beta Camp (https://excubits.com/content/en/products_beta.html). I am assuming that this is the one which supports parent process control/checking. Florian may have done this similar to recent Bouncer beta, in which the parent rules are combined with the regular WHITELIST/BLACKLIST sections. There has not yet been a blog post to announce this build yet although there were a couple of blog posts suggesting that it was coming soon. The drivers are SHA1/SHA256 signed which is great. Although it is not Microsoft Windows cross signed at the moment. This is better than having to use Test Mode for running unsigned binaries though. Here is example MZWriteScanner.ini included in updated package: Code: [#LETHAL] [LOGGING] [#FORENSICS] [SHA256] [#READBUFFERX8] [WHITELIST] [BLACKLIST] *>* [EOF] EDIT: Yes, I can confirm now that this is definitely supporting of parent process checking. Excellent stuff here! And supposed to retain list of hashes to continue blocking newly dropped binaries after reboots as well.
I don't know exactly how to check that easily. You may have to confirm this with a quick email to Florian. I know that in the past, quite often his testing or demo builds would not allow for the full sized ini file. However, if you were to ask Florian directly through email, he would quite often do a custom (unrestricted) build for users who have full licence. So I would suggest sending him a quick email.
The new version is running fine, but i haven't played with the new feature yet (parent-rules). If i am not wrong, i can now add parent-rules for protecting of specific applications (no matter where a file is being dropped to by a blacklisted application, the file can be tracked & blocked by MZWriteScanner) (bonus: ... even after a reboot [persistent cache]) Scenario: old version: if the browser drops a file to a whitelisted place, the file isn't tracked and can be executed. new: the browser is now protected with a parent-rule and any file dropped by the browser will be blocked (and will be blocked after a reboot)
A good thing is, that for example a filemanager can be whitelisted. One of the jobs of a filemanager is to copy files and if i intentionally copy files to specific places (and i really want the filemanager to execute the file afterwards) i don't want MZWriteScanner to interfere. (Remember: If a file is already being tracked by MZWriteScanner, copying it with a filemanager doesn't change the status - the file stays being tracked) One more idea for parent-rules: Backup programs Code: [WHITELIST] # Parent-rules # <insert the path to your backup program here>* # AppCheck C:\Program Files\CheckMAL\AppCheck\AppCheck*.exe>* # Filemanager C:\Program Files\totalcmd\TOTALCMD64.EXE>*
Thanks for letting us know. Confirm, also test it and 16KB is the limit here. One thing to mention (cause I first had problem): you need a folder in Windows dir (C:\Windows\$FORENSICS) or cachin is not working. Smart idea, they dont save list of newly wirtten exe in memroy or file (=mem consumption and maybe other problems), they use file system in the $FORENSICS directory. Hmm, there is pro and contra about this approach, but for me it sounds clever. Asked Florian about timeline: they will test the driver and then push the stable version. There is also something other coming, he told me that this was just beginning. They work on another product which make use of MZWriteScanner and other driver - whatever it will be...it remains exciting
Yes, elegant approach. After i have restarted MZWriteScanner, a previously blocked file was still blocked. It seems to check the $FORENSICS directory and if a file is in it, it will be always blocked (after a reboot or restart of the service)
Faster processing with [FASTHASH] option New Beta of MZWriteScanner 2018/01/30 F. Rienhardt Link: https://excubits.com/content/en/news.html
Thanks This will be a great speed increase especially for owners of hard disk drives (yes, there are still owners of hard disk drives ) And especially for users of the beta (see below) Quick overview of "When does MZWriteScanner need to hash files": Stable version: As soon as a file gets on the blacklist, MZWriteScanner need to hash all future files which are introduced onto the system. This is also the case for renamed files (to be more specific: written, copied, renamed or moved files) (renaming of a file => new file => MZWritescanner hashes the file => and compares it with the blacklist) = As long as no file is on the blacklist (or a file has been dropped), MZWriteScanner doesn't even need to hash anything (System has been restarted, no file has been dropped yet = MZWriteScanner is "idle") Beta version: Now with the persistent cache (files/hashes which are located in the C:\Windows\$FORENSICS folder) MZWriteScanner must hash each file which is about to be executed (not only dropped files) (System has been restarted, no file has been dropped yet = MZWriteScanner is always hashing files (but only if the $FORENSICS folder isn't empty), and is comparing it with the hash in the $FORENSICS folder)
The layout in the log file has changed a little bit with the newest beta: Code: beta: File has been dropped: *** excubits.com demo ***: 2018/01/30_17:14 > W:C:\Program Files\totalcmd\TOTALCMD64.EXE > C:\Program Files\12\MediaInfo_GUI_0.7.98_Windows.exe > adff6a1e55614bab53785a2c1904bca7945f7fa5781aff221a1e6532923a422d Launching was prevented: *** excubits.com demo ***: 2018/01/30_17:15 > X:C:\Program Files\totalcmd\TOTALCMD64.EXE > C:\Program Files\12\MediaInfo_GUI_0.7.98_Windows.exe beta (new): File has been dropped: *** excubits.com demo ***: 2018/01/30_17:57 WX C:\Program Files\totalcmd\TOTALCMD64.EXE C:\Program Files\12\MediaInfo_GUI_0.7.98_Windows.exe c850120de1077eb9559d29d35367152d4216b10b23e6cc0f208dcb94658ae2c7 Launching was prevented: *** excubits.com demo ***: 2018/01/30_18:01 XW C:\Program Files\totalcmd\TOTALCMD64.EXE C:\Program Files\12\MediaInfo_GUI_0.7.98_Windows.exe c850120de1077eb9559d29d35367152d4216b10b23e6cc0f208dcb94658ae2c7
Hi Mood Thanks for this. I was having trouble getting the beta to work. This post of yours help me figure out what was going on.
Been holding off on betas, but there sure is a lot of new functionality coming in the new version . Asides ... wondering if these improvements will be incorporated into the planned Malware Mitigation (https://malwaretips.com/threads/nee...-application-sandbox.75992/page-7#post-696517), and if that would be able to co-exist with NVT OSA for a relatively simple set-and-forget anti-malware solution. Lack of GUIs for Excubits drivers no doubt deters many, but I'm sure that wishing for that is a lost cause.
I am running the latest beta of MZwritescanner, and it's fine with NVT OSA. But MZwritescanner is not a set and forget piece of software and I wouldn't hold my breath for a GUI. BUT what MZwritescanner is, is a phenomenal piece of protection.
A new beta is available now New feature: Block executables from external drives New beta version of MZWriteScanner 2018/02/07
There is an updated (2018-02-19) binary package available for MZWriteScanner on Beta Camp page. Link: https://excubits.com/content/en/products_beta.html I am not sure what the latest changes are but quite likely just small fixes to polish things off. The latest that Florian told me was "MZWriteScanner is now able to detect external drives and users can automatically block executables from there.". MZWriteScanner is going to be absolutely solid protection against malware combing from external drives in addition to the solid protection (and granular control) that it already has. I still run my setup with just Bouncer and MemProtect and I still have not played much with MZWriteScanner lately. But I definitely need to find some time to add this to my setup.
My quick assessment. It is some what of a pain if your system changes a lot, but it oh so solid a protection I wouldn't want to be with out it.
Code: 2018/03/01_11:36 WX C:\Program Files (x86)\XYplorer\XYcopy.exe C:\drop\acpi.sys 2018/03/01_11:36 WX C:\Program Files (x86)\XYplorer\XYcopy.exe C:\drop\MZWriteScanner.sys 2018/03/01_11:37 WX C:\Program Files (x86)\XYplorer\XYcopy.exe C:\drop\veracrypt.sys 2018/03/01_11:37 WX C:\Program Files (x86)\XYplorer\XYcopy.exe C:\drop\SbieDrv.sys MZWritescanner is able to "detect" kernel mode drivers [.sys binaries] after they have been dropped to disk because of the MZ signature (even kernel mode drivers have one) but sad news: It isn't able to actually block them. A different solution is needed to achieve this.
I think it wasn't mentioned before but how does MZWriteScanner detect dropped files? There is an old blog entry (year 2013) which is explaining it: For more details about these interceptions, Microsoft is providing them: IRP_MJ_CREATE, IRP_MJ_CLEANUP, IRP_MJ_WRITE
Would it be worthwhile asking Florian why .sys binaries are detected but not blocked? I wonder if he may have a trick to make the blocking work if he is aware of this.
