MZWriteScanner

Discussion in 'other anti-malware software' started by Mr.X, Feb 16, 2017.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Thanks. So if I delete that folder, then in the future, just clearing the log should do the job?
Or vice versa, if I empty the folder, that alone should do the job, without clearing the log?

    Another question: I whitelisted the two Program files folders, but I still see a bit of a delay when launching my already installed programs. Is that normal?
     
  2. guest

    guest Guest

The folder will be re-created by MZWriteScanner after a file has been blocked, and the hash of the file will be stored there (even if $FORENSICS has been disabled).
$FORENSICS enabled = the whole blocked file will be stored in the $FORENSICS folder, filename: "hash of the blocked file".
$FORENSICS disabled = instead of copying the file to the $FORENSICS folder, a file with a size of 0 bytes will be created. Filename: "hash of the blocked file".

As long as no file has been blocked (files have been dropped to whitelisted places) and the $FORENSICS folder is empty, there should be no performance loss.
But as soon as a file has been blocked, MZWriteScanner is checking the hash of each executed file.

Otherwise MZWriteScanner can't catch malware which has been dropped to a blacklisted folder but then has been copied to a whitelisted folder.
So, after a file has been blocked, it will be blocked everywhere. To accomplish this, MZWriteScanner needs to scan all files (not only blacklisted folders).

= Important is where the file has been dropped first.
After a file has been dropped to a blacklisted folder, it is guaranteed that this file will also be blocked in whitelisted folders.
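The behaviour described in the reply above, replayed as an added example (this is a toy model written for this page, not MZWriteScanner's own code): a write to a non-whitelisted location is blocked and its hash becomes the file name of an entry in the $FORENSICS folder (a full copy when forensics is enabled, a 0-byte marker when it is disabled); from then on every executed file is hashed and compared against that folder, so the same bytes copied into a whitelisted folder are still blocked; emptying the folder clears the state. SHA-256, the folder and file names, and the payload bytes are all assumptions or constructed values.

```python
import hashlib
import os
import tempfile


class WriteScannerSim:
    """Toy model of the mechanism explained in the thread (not the real driver)."""

    def __init__(self, forensics_dir, forensics_enabled):
        self.forensics_dir = forensics_dir
        self.forensics_enabled = forensics_enabled  # True: keep a full copy; False: 0-byte marker

    @staticmethod
    def _sha256(path):
        # SHA-256 is an assumption; the thread only says "hash of the blocked file".
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()

    def known_hashes(self):
        # The folder itself is the block list: emptying or deleting it clears the state.
        if not os.path.isdir(self.forensics_dir):
            return set()
        return set(os.listdir(self.forensics_dir))

    def on_write(self, path, whitelisted):
        """Called when an executable image has been written to disk."""
        if whitelisted:
            return "allowed"
        digest = self._sha256(path)
        os.makedirs(self.forensics_dir, exist_ok=True)  # folder is re-created on first block
        entry = os.path.join(self.forensics_dir, digest)  # file name = hash of the blocked file
        if self.forensics_enabled:
            with open(path, "rb") as src, open(entry, "wb") as dst:
                dst.write(src.read())
        else:
            open(entry, "wb").close()  # 0-byte marker only
        return "blocked"

    def on_execute(self, path):
        """Called when a file is executed; hashing only starts once something was blocked."""
        known = self.known_hashes()
        if not known:
            return "allowed"  # nothing blocked yet: no hash scan, no overhead
        return "blocked" if self._sha256(path) in known else "allowed"


def demo(forensics_enabled=False):
    """Replays the scenario from the thread and returns every outcome by name."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        blacklisted = os.path.join(root, "Downloads")      # constructed "blacklisted" location
        whitelisted = os.path.join(root, "Program Files")  # constructed "whitelisted" location
        forensics = os.path.join(root, "$FORENSICS")
        os.makedirs(blacklisted)
        os.makedirs(whitelisted)
        scanner = WriteScannerSim(forensics, forensics_enabled)

        # 1. A PE-looking payload (constructed bytes) is dropped into a blacklisted folder.
        dropped = os.path.join(blacklisted, "dropper.exe")
        with open(dropped, "wb") as f:
            f.write(b"MZ" + b"\x90" * 64)
        results["drop_to_blacklisted"] = scanner.on_write(dropped, whitelisted=False)
        results["entry_bytes"] = os.path.getsize(os.path.join(forensics, scanner._sha256(dropped)))

        # 2. The same bytes are copied into a whitelisted folder and executed from there.
        copied = os.path.join(whitelisted, "looks_legit.exe")
        with open(dropped, "rb") as src, open(copied, "wb") as dst:
            dst.write(src.read())
        results["copy_to_whitelisted"] = scanner.on_write(copied, whitelisted=True)
        results["execute_copy"] = scanner.on_execute(copied)  # same hash, so still blocked

        # 3. An unrelated program in the whitelisted folder is unaffected.
        other = os.path.join(whitelisted, "legit.exe")
        with open(other, "wb") as f:
            f.write(b"MZ" + b"\x00" * 64)
        results["execute_other"] = scanner.on_execute(other)

        # 4. Emptying $FORENSICS clears the block state (the question at the top of the page).
        for name in os.listdir(forensics):
            os.remove(os.path.join(forensics, name))
        results["execute_copy_after_clear"] = scanner.on_execute(copied)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the model never consults the log: in this reading of the reply, the $FORENSICS folder is the only thing `on_execute` checks, which is why clearing that folder is what ends the per-execution hashing.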
     
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Thanks, Mood. Great explanation.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
I love the peace of mind from MZWS, as it doesn't matter where it's dropped, it's blocked; also it will catch DLLs dropped anywhere, which is one approach used by some malware.
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    It seems like a dropped file will appear right away in the log, but the hash might show up in forensics sometime later. I think that's what confused me yesterday.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @Peter2150- Lagging as I have. Is the free version adequate enough to get the job done enough as a dll dropper stopper?
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It wasn't for me, but the price is so reasonable, I'd go for it. Would you like me to PM you my config file?
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Notice that when you move the file it also shows up in the log file. Note also, if you install a new piece of software it's best to turn it off first. That's what I do.
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    I just discovered that the hard way. The installer will create a temp file with a random name, so you will never win unless you just turn it off...
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
MZWS isn't the easiest piece of software, but it sure is excellent and the peace of mind is really worth it. MZ and Pumpernickel really rock together.
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    This should be added to the default whitelist, at least for win10 1809:
    C:\Windows\System32\MpSigStub.exe>C:\Windows\Temp\*\mpasdlta.vdm *
    I dunno what it does, but it does it a lot.
     
  12. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Anyone else have a problem with Macrium Reflect loading really slowly?
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not here
     
  14. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    It's the only thing that doesn't work right. It hangs.
    I even made a special whitelist rule for it:
    C:\*\Macrium\*>*
    But it doesn't help.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Strange. If you like I'll pm you my config file.
     
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    But I'm not getting any blocks, so it's one of those mysteries.
    Maybe I should make another Macrium rule, but the reverse:
    *>C:\*\Macrium\*
    I think I will try that.
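To make the difference between the two Macrium rules concrete, here is an added example (written for this page, not part of the thread or the program) that evaluates whitelist rules against sample writes. The grammar is an assumption inferred from the rules posted in this thread: `writer_glob>target_glob`, where the left side matches the process doing the write and the right side matches the path being written, and a rule with no `>` (such as the bare `*`) is treated as a target-only pattern. The process and file paths are constructed.

```python
import fnmatch


def parse_rule(rule):
    """Split 'writer>target' into its two globs (assumed grammar; see lead-in)."""
    if ">" in rule:
        writer, target = rule.split(">", 1)
    else:
        writer, target = "*", rule  # assumption: no '>' means "any writer, this target"
    return writer.strip() or "*", target.strip() or "*"


def glob_match(pattern, path):
    # Windows paths are case-insensitive, so compare lower-cased; fnmatchcase treats
    # '\' as a literal character and lets '*' span directory separators.
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def matching_rule(rules, writer, target):
    """Return the first whitelist rule covering this (writer, target) write, or None."""
    for rule in rules:
        w, t = parse_rule(rule)
        if glob_match(w, writer) and glob_match(t, target):
            return rule
    return None


# Constructed sample writes: (process performing the write, file being written).
MACRIUM_EXE = r"C:\Program Files\Macrium\Reflect\Reflect.exe"
WRITES = [
    # Macrium itself writing an executable outside its own folder
    (MACRIUM_EXE, r"C:\Windows\Temp\mrtmp01.dll"),
    # some other process writing into Macrium's folder
    (r"C:\Windows\System32\msiexec.exe", r"C:\Program Files\Macrium\Reflect\new.dll"),
]


def evaluate(rules):
    """Map each written path to the rule that whitelists it (None = would be blocked)."""
    return {target: matching_rule(rules, writer, target) for writer, target in WRITES}


if __name__ == "__main__":
    for rules in ([r"C:\*\Macrium\*>*"], [r"*>C:\*\Macrium\*"], ["*"]):
        print(rules, evaluate(rules))
```

Under this reading, `C:\*\Macrium\*>*` only covers writes performed by a Macrium process, `*>C:\*\Macrium\*` only covers writes landing in a Macrium folder, and the two together (or the bare `*`) cover both cases. A rule set that covers everything and still leaves the program hanging points away from the whitelist as the cause.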
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    HitmanPro detects MzWriteScanner as well. Kaspersky engine says it contains Trojan.Win32.Miner.tdox.

    I have attached HitmanPro log file.
     

  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Florian is aware of the false positives, and has contacted them.
     
  19. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Windows Defender also flags it as a miner. I thought WD was really, really stupid, but if Kaspersky makes the same mistake...
     
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    The thing with Macrium Reflect seems to be a software conflict, rather than a configuration problem.
    I put
    *
    in the whitelist, restarted the driver, and Reflect still hangs.
    But if I disable MZWS, Reflect works fine.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
It has to be a system-specific problem, as I don't see anything like you are seeing, but I know it's possible, as I can't use memprotect as it conflicts with ERP v3.
     
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Ah, so now I know why you don't use memprotect!!!!!!!!!!!!!!!!!!!!
     
  23. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    What does it mean when the log says (NULL) ?
     
  24. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
It means that some kernel module accessed/wrote an executable. A kernel module has no exe name to be obtained, so it's null. That's what Florian explained to me some time ago. Contact him if you need more technical information.

May I ask: what executable was written on your system from (null)?
     
  25. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
It was a .sys file in the drivers folder; it was written when I rebooted after installing OSArmor.
     