MemProtect - Support & Discussion

Discussion in 'other anti-malware software' started by WildByDesign, Aug 21, 2016.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK, I see. The thing is, I think he could somehow try to make all of the tools more user friendly, because in fact they have the same capabilities as for example AppGuard. So I think he could generate a lot more sales if he was focused on this.
     
  2. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
    I find MemProtect a really interesting security tool and have played around with it for a while now.

    However I feel somewhat uncomfortable when it comes to configuring the tool for real use ([LETHAL] mode)...

    I understand that some processes have a legitimate need to access the memory of other processes, like the Task Manager and many security related software programs that insert hooks etc.

    But when it comes to ordinary processes... is it possible to establish some kind of straight guidelines on how strict rules can be written without breaking anything?

    In this thread there are examples like "let MS Office access MS Office", "let Skype access Skype" etc. But is there really a need for e.g. Word to ever access the memory of Excel, or even Word to access memory of another Word process? How can one judge such decisions?

    If the only way to find out is to experiment, then I'm afraid that I cannot imagine how MemProtect could be configured to run so that it increases safety but without breaking anything in the system. After running the tool for a few weeks in #LETHAL mode I have received a lot of different kinds of lines in the log file...

    I have several installed programs, some of which I use daily, some more occasionally. I think that it would take several months to even gather all possible situations where one process tries to access another - and still there is the problem of judging "should the PDF reader be able to access the memory of the print driver, how about the display driver or program XYZ".

    Has someone managed to create simple guidelines which have proved to be (or can somehow be proved to be) safe to run without breaking anything in the running system?

    I'd certainly be grateful for any such ini files...
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Kees is the master when it comes to container type of configurations. Those container approaches are more compact and also easier for managing. So that is the best use case for most users.

    However, I've got a per-process approach to share today. I've been testing it for approximately 3-4 weeks in non-lethal, approximately 1 week in lethal. I've done my best to add comments to each section to describe everything. The reason for going with this more complicated per-process approach is more to deal with today's reality where attackers can quite often utilize built-in Windows components. So instead of giving full access to everything in C:\Windows\System32, etc., this is a more intricate approach. Also it has been a nice learning experience as well, and therefore I figured I might as well share my findings in case anyone else finds it useful.

    This is a larger config and therefore would not fit within demo limitations, but users could certainly copy certain sections that apply to them and trim down file size. Ensure that anyone testing this uses non-lethal mode. That way you can capture logging and see which processes (such as AV and other security software) would need access to some protected processes. Also I should note that this is a default allow config. This config is very specific as to which built-in Windows binaries can access memory space of any of these protected processes and vice versa. Chromium is tested more solidly within Windows 10 64-bit and also Windows 7 32-bit VM. I only tested Adobe Reader, Microsoft Office, and KeePass on Windows 10 64-bit.

    So this config I use daily in Windows 10 64-bit, with Chromium, Adobe Reader, Microsoft Office, and KeePass as protected processes. I will continue to explore and test more things and share with you whatever turns out interesting.

    Code:
    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    #    Chromium - Base Rules (Windows 10 x64)
    !*chrome.exe>*chrome.exe
    !C:\Windows\explorer.exe>*chrome.exe
    !C:\Windows\System32\csrss.exe>*chrome.exe
    !C:\Windows\System32\svchost.exe>*chrome.exe
    !C:\Windows\System32\spoolsv.exe>*chrome.exe
    !C:\Windows\System32\sihost.exe>*chrome.exe
    !C:\Windows\System32\lsass.exe>*chrome.exe
    !C:\Windows\System32\audiodg.exe>*chrome.exe
    !C:\Windows\System32\Taskmgr.exe>*chrome.exe
    !*chrome.exe>C:\Windows\System32\dllhost.exe
    !*chrome.exe>*software_reporter_tool.exe
    !*GoogleCrashHandler*.exe>*chrome.exe
    !*GoogleUpdate*.exe>*chrome.exe
    #    Chromium - Windows 7 Specific (tested in 32-bit VM)
    !C:\Windows\System32\wbem\WmiPrvSE.exe>*chrome.exe
    !C:\Windows\System32\services.exe>*chrome
    !*chrome.exe>C:\Windows\System32\taskhost.exe
    !*chrome.exe>C:\Windows\System32\dwm.exe
    #   Adobe Reader
    !*AcroRd32.exe>*AcroRd32.exe
    !C:\Windows\explorer.exe>*AcroRd32.exe
    !C:\Windows\System32\csrss.exe>*AcroRd32.exe
    !C:\Windows\System32\lsass.exe>*AcroRd32.exe
    !C:\Windows\System32\svchost.exe>*AcroRd32.exe
    !C:\Windows\System32\wbem\WmiPrvSE.exe>*AcroRd32.exe
    !*AcroRd32.exe>*\Adobe\ARM\1.0\AdobeARM.exe
    !*AcroRd32.exe>*RdrCEF.exe
    #   Microsoft Office
    !*\Office1?\*.EXE>*\Office1?\*.EXE
    !C:\Windows\System32\csrss.exe>*\Office1?\*.EXE
    !C:\Windows\System32\svchost.exe>*\Office1?\*.EXE
    !C:\Windows\explorer.exe>*\Office1?\*.EXE
    !C:\Windows\System32\wbem\WmiPrvSE.exe>*\Office1?\*.EXE
    !*\Microsoft Shared\Virtualization Handler\CVH.EXE>*\Office1?\*.EXE
    !*\Microsoft Application Virtualization Client\sftlist.exe>*\Office1?\*.EXE
    !*\Office1?\*.EXE>*\Microsoft Application Virtualization Client\mavinject64.exe
    !*\Office1?\*.EXE>*\Microsoft Shared\Virtualization Handler\CVH.EXE
    !*\Office1?\*.EXE>*chrome.exe
    #    KeePass
    !*KeePass.exe>*KeePass.exe
    !C:\Windows\explorer.exe>*KeePass.exe
    !C:\Windows\System32\svchost.exe>*KeePass.exe
    !C:\Windows\System32\csrss.exe>*KeePass.exe
    !C:\Windows\System32\lsass.exe>*KeePass.exe
    !C:\Windows\System32\wbem\WmiPrvSE.exe>*KeePass.exe
    !C:\Windows\System32\WerFault.exe>*KeePass.exe
    !C:\Windows\System32\Taskmgr.exe>*KeePass.exe
    #    EMET GUI - Access to Protected Processes
    !*EMET_GUI.exe>*chrome.exe
    !*EMET_GUI.exe>*AcroRd32.exe
    !*EMET_GUI.exe>*KeePass.exe
    #    CCleaner - Access to Protected Processes
    !*\CCleaner\CCleaner*.exe>*chrome.exe
    !*\CCleaner\CCleaner*.exe>*AcroRd32.exe
    !*\CCleaner\CCleaner*.exe>*\Office1?\*.EXE
    !*\CCleaner\CCleaner*.exe>*KeePass.exe
    #    Adguard - Access to Protected Processes
    !*\Adguard\AdguardSvc.exe>*chrome.exe
    !*\Adguard\AdguardSvc.exe>*KeePass.exe
    #    VMware - Access to Protected Processes
    !*vmware-authd.exe>*chrome.exe
    !*vmware-authd.exe>*AcroRd32.exe
    !*vmware-authd.exe>*KeePass.exe
    #    Thunderbird - Access to Protected Processes
    !*\Mozilla Thunderbird\thunderbird.exe>*chrome.exe
    !*chrome.exe>*\Mozilla Thunderbird\thunderbird.exe
    #    Intel DPTF - Access to Protected Processes
    !C:\Windows\Temp\DPTF\esif_assist_64.exe>*chrome.exe
    !C:\Windows\Temp\DPTF\esif_assist_64.exe>*AcroRd32.exe
    !C:\Windows\Temp\DPTF\esif_assist_64.exe>*KeePass.exe
    #    Printing Support
    !*>C:\Windows\System32\spool\drivers\*
    !*>C:\Windows\splwow64.exe
    !C:\Windows\splwow64.exe>*
    [BLACKLIST]
    #    Silence Rules (Blocking Protected Process from accessing Explorer)
    $*chrome.exe>C:\Windows\explorer.exe
    $*AcroRd32.exe>C:\Windows\explorer.exe
    $*\Office1?\*.EXE>C:\Windows\explorer.exe
    $*KeePass.exe>C:\Windows\explorer.exe
    #    Silence Rules (General)
    $C:\Program Files*\Apple Software Update\SoftwareUpdate.exe>*chrome.exe
    $*\Office14\*.EXE>*KeePass.exe
    $*\Google\*>*KeePass.exe
    #    Block memory access to/from Chromium
    *>*chrome.exe
    *chrome.exe>*
    #    Block memory access to/from KeePass
    *>*KeePass.exe
    *KeePass.exe>*
    #    Block memory access to/from Adobe Reader
    *>*AcroRd32.exe
    *AcroRd32.exe>*
    #   Block memory access to/from Microsoft Office
    *>*\Office1?\*.EXE
    *\Office1?\*.EXE>*
    [EOF]
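
The rule syntax used in the config above (`!src>dst` allow entries under [WHITELIST], plain `src>dst` block entries and `$`-prefixed silence entries under [BLACKLIST], `*`/`?` wildcards, [DEFAULTALLOW] for unmatched pairs) can be exercised offline with a small evaluator. This is an added example, not code from MemProtect or from this thread's posters; the precedence (whitelist wins over blacklist, silent blocks do not log) is inferred from how the posted config is laid out, and the file checks at the end reflect the error-87 suspects raised later in the thread (file encoding, a missing line break after the closing marker) as heuristics, not the driver's actual validation.

```python
import fnmatch

# Constructed sample config: a trimmed copy of the rules posted above.
SAMPLE_INI = b"""[LETHAL]
[LOGGING]
[DEFAULTALLOW]
[WHITELIST]
#    Microsoft Office may access itself and Chromium
!*\\Office1?\\*.EXE>*\\Office1?\\*.EXE
!*\\Office1?\\*.EXE>*chrome.exe
!C:\\Windows\\explorer.exe>*chrome.exe
[BLACKLIST]
#    Silence rule: Chromium -> Explorer is blocked without a log entry
$*chrome.exe>C:\\Windows\\explorer.exe
*>*chrome.exe
*chrome.exe>*
[EOF]
"""


def parse_rules(raw):
    """Split the ini into section flags plus (src, dst, silent) rule tuples."""
    flags, rules, section = set(), {"WHITELIST": [], "BLACKLIST": []}, None
    for line in raw.decode("ascii", "replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]          # "[#LETHAL]" records "#LETHAL", i.e. disabled
            flags.add(name)
            section = name if name in rules else None
            continue
        if section is None or ">" not in line:
            continue                   # ignore stray text outside rule sections
        silent = line.startswith("$")  # assumption: "$" = block without logging
        src, dst = line.lstrip("!$").split(">", 1)
        rules[section].append((src.lower(), dst.lower(), silent))
    return flags, rules


def _match(pattern, path):
    # Assumption: case-insensitive glob matching, as for Windows paths.
    return fnmatch.fnmatchcase(path.lower(), pattern)


def decide(config, src, dst):
    """Verdict for src touching dst's memory: allow / block / block-silent / default-*."""
    flags, rules = config
    for s, d, _ in rules["WHITELIST"]:   # assumption: whitelist takes precedence
        if _match(s, src) and _match(d, dst):
            return "allow"
    for s, d, silent in rules["BLACKLIST"]:
        if _match(s, src) and _match(d, dst):
            return "block-silent" if silent else "block"
    return "default-allow" if "DEFAULTALLOW" in flags else "default-block"


def check_ini(raw):
    """Heuristic file-level checks; an empty list means nothing suspicious found."""
    problems = []
    if raw.startswith((b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")):
        problems.append("file has a BOM (save as plain ASCII)")
    if any(b > 0x7F for b in raw):
        problems.append("non-ASCII bytes present")
    if b"[EOF]" not in raw:
        problems.append("missing [EOF] marker")
    elif not raw.split(b"[EOF]", 1)[1].startswith((b"\r\n", b"\n")):
        problems.append("no line break after [EOF]")
    return problems
```

Running `decide(parse_rules(SAMPLE_INI), src, dst)` on a Word/Excel pair returns "allow", while Chromium reaching into Explorer returns "block-silent", which is exactly the distinction the "Silence Rules" comment in the posted config draws.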
    
     
  4. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
    Many thanks for your replies, Kees & WildByDesign!

    I think (and at least hope) that I understand the concept of sandboxing rich content medium integrity level processes from the rest of the system with a two-way barrier.

    I was just thinking that if it were possible to get rid of DEFAULTALLOW or somehow "wildcard" the allowed processes with a more general rule than specifying an explicit list like "Acro Reader, *Chrome, Office*, etc." - then maintaining the configuration could possibly become still one step simpler and at the same time we would get a one more step secure operating environment.

    Do you think that it would be possible to formulate some kind of a general rule to identify what kind of processes (except security related & task manager etc.) must be put into the WHITELIST?

    For example, how great a probability do you think there is that your "[DEFAULTALLOW]" could be commented out without any problems in your own INI files?

    Or to put it in other words, does e.g. Winword.exe really have to have access to Outlook.exe or even to Windows.exe - and if yes, why? If we could find out what is common to answers for this kind of questions, we possibly might get somewhere near to where I'm aiming at.

    But maybe (and perhaps quite likely) I'm just dreaming of something that does not exist... :rolleyes:
     
  5. @mike83

    The idea of containers and hardware virtualization is taking off now. The idea of compartments/containers is a really old contingency approach to limit the effects of intrusions when operating in a hostile environment. Think of the compartments in ocean ships to prevent them from sinking, or the air locks in a space ship/rocket.

    Completely isolating a program is often shooting at a mosquito with a cannon, as we say in Dutch. When you cage all your office programs in one container, they can infect each other, but Word can't infect Windows executables or other programs in Program Files. The only program which is vulnerable to infections from inside is your browser. You won't want a MITB active in your browser since we do online banking and buy from webshops. The same applies to a lesser degree to your email program (you don't want your relations being harassed by spam and malware).

    So my advice is start with containers, to get acquainted with MemProtect. For normal home users easy to maintain containers for office and media programs are good enough. When you get the hang of it, use @WildByDesign's templates to further isolate your browser. When you have a MemProtect black belt like Dave, make your email program your next isolation project and consider buying a license.

    Regards Kees
     
  6. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Thanks, good advice, that's how I proceed. With the new feature in the tray application it's easy to change between different container config files. There can be a very isolated config, but I can also change quickly to a more open one if I am not doing dangerous things like browsing, e-mails etc. I found this function very helpful but I still need to learn and understand more about the driver.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Curious. What is install mode?
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Install Mode is really quite simple, somewhat of a pass-through. The main purpose here was a method which persists through reboots. For example, if you were to stop the MemProtect driver in normal fashion, it would automatically re-start the driver upon reboot when Windows boots back up. So this could potentially cause some problems with things such as Windows Updates or major upgrades to Windows which do some additional work upon restart. Therefore Install Mode (for MemProtect and his other drivers) essentially just allows all to pass-through and no logging as well. So no "lethal" protection for memory blocking (and no execution blocking for Bouncer, for example) and logging is disabled since this is an administrative initiated Install Mode. Therefore one would need to trust the software and/or activity during that brief time period.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Ah Thanks WBD

    Pete
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    There are some super beneficial features within Notepad++ that can be useful for users of MemProtect, Bouncer, etc. so I figured that I would share those here in hopes that some of you may find it helpful.


    Project Workspace

    View - Project > Project Panel 1
    • You will have to save that project workspace settings as a file
    • Mine is something like "D:\Bouncer\workspace" with no extension
    • On project panel, click on Workspace to choose Save As, Open Workspace, etc.
    _npp-project.png


    Folding Sections

    View - Fold All (Alt+0)
    View - Unfold All (Alt+Shift+0)

    • Or manually fold/unfold by pressing on + or - buttons individually
    _npp-bouncer.png


    Added sections [Chromium], [Adobe Reader], etc. to my own MemProtect.ini to keep things tidy and to benefit more from folding sections. This was potentially risky because there was a possibility that it could cause the driver to fail to load. But after testing these sections specifically within the [WHITELIST] section, I have experienced zero issues and the rules are applied correctly.

    _npp-memprotect.png


    EDIT: In case anyone asks about the theme, it is Visual Studio 2015 Dark Theme for Notepad++ (https://github.com/Nidre/VS2015-Dark-Npp) but I have made a few minor changes to it for my own usability.
     
  11. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    @WildByDesign : WOW, thanks a lot for this. Great idea, thanks for sharing. Will help to tidy my configurations :thumb:
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Ran into a bit of a stumbling block. I have FIDES on board and I auto start it by a shortcut in the start menu. How do I autostart MemProtect along with FIDES? It appears Tray.exe may be the same exe?

    Pete
     
  13. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Hi Pete!

    It is not the same EXE file. If you have a shortcut it already points to the correct exe. One shortcut to the Tray.exe for FIDES, the other shortcut to the Tray.exe for MemProtect. You can rename the shortcut files, one shortcut file named FIDES, the other MemProtect, but they will still point to the correct exe file (tray.exe) behind.

    They are different EXEs because the tools use their own commands to interact with the driver (they do the corresponding net start, stop, etc. commands). The remaining function of the Tray.exe is to open the .ini file and to set INSTALLMODE. This is specific for each driver, so Tray.exe for FIDES won't work for MemProtect and vice versa...
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I suspected as much. Okay, can you rename one or the other, or is there a better way to autostart them? Windows won't let two shortcuts with the same name go into the start folder.

    Thanks,

    Pete

    PS. I re read and saw the solution
     
    Last edited: Dec 12, 2016
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Peter2150 What I ended up doing was having several directories within Program Files. Something like C:\Program Files\Excubits\MemProtect and C:\Program Files\Excubits\FIDES, therefore a different sub directory for each. Then I utilized Task Scheduler to create a startup for each Tray.exe, trigger being at Logon (or Startup), action is start Tray.exe from their separate locations. So there would be a separate task for each one. Ensure that you do not allow it to start the task at highest privilege level because that would not be as good from a security perspective. Although alternatively, you could (at a cost of security) choose to run it at highest privilege to avoid the UAC elevation prompts. You could try renaming Tray.exe to see what happens, but I can't confirm whether or not it would mess things up because I have not tried renaming it. I just used different sub directories for each.

    Ideally, in the future, I would like to see a consolidated Tray tool which could auto-determine which drivers you have installed, and give control to start/stop each driver, clear logs, etc. That would be nice to have some day, for sure. But it might be tricky to determine which driver caused specific alerts and so on. So it would require some clever planning and programming.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi WbD

    Going to try the rename of the short cuts first. Just simpler. Stay tuned.

    Pete
     
  17. :argh::D:sick::blink: @Peter2150 I am speechless, this would be your second GUI-less program.
    I hope everything is well with you. I am a bit worried ;)
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    ROFL. Kees, you're giving me pains from laughing. But hey, I try and stay open minded.

    Okay I have a problem. The differently named Shortcuts worked, but I have a problem.

    The service isn't starting properly.

    I am getting the following error

    System error 87 has occurred
    The parameter is incorrect

    Here is the ini file.

    [LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    #!C:\Program Files\*>*splwow64.exe
    !C:\Program Files\Skype\*>C:\Program Files\Skype\*
    !C:\Program Files\Opera\*>C:\Program Files\Chromium\*
    !C:\Program Files\Opera\*>C:\Windows\System32\Macromed\*
    !C:\Windows\System32\Macromed\*>C:\Windows\System32\Macromed\*
    [BLACKLIST]
    C:\Program Files\Skype\*>*
    C:\Program Files\Opera\*>*
    C:\Windows\System32\Macromed\*>*
    [EOF]

    Thanks for any help.



    Pete

    OOPS Saw the chromium and changed it to OPERA and didn't change anything. Still get the error.
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    This is one of the most important things in life, and I greatly respect that. :thumb:
     
  20. @Peter2150

    I think it is because the ini file is in the wrong format (like ASCII or EBCDIC type of format). I had the same error and could not fix it, so I did it in the dumb way, by doing a clean install and making a copy of the example ini file and manually adding my changes in the copy.

    1. De-install MemProtect (be sure to make a copy of your ini file)
    2. Extract MemProtect from Program files
    3. Copy ini file to location you are allowed to edit it
    4. Manually type all changes
    5. Copy Memprotect ini to Windows
    6. Install driver and start Memprotect service
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Kees

    I did exactly what you outlined and got the same error. Then I decided to just try the default ini that came in the package. Tray icon started to turn green and then followed with the whole screen turning blue. Never got back into the system. Went into an RE and replaced the ini, so I am back where I was before.

    [LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    !C:\Program Files\Skype\*>C:\Program Files\Skype\*
    !C:\Program Files\Opera\*>C:\Program Files\Opera\*
    !C:\Program Files\Opera\*>C:\Windows\System32\Macromed\*
    !C:\Windows\System32\Macromed\*>C:\Windows\System32\Macromed\*
    [BLACKLIST]
    C:\Program Files\Skype\*>*
    C:\Program Files\Opera\*>*
    C:\Windows\System32\Macromed\*>*
    [EOF]


    This is the hand typed ini just in case you see any errors I've missed.

    Pete
     
  22. Sorry Pete I don't see errors, but I left out something

    Copy the default ini file which is in the MemProtect Library to a location you are allowed to edit it (I am editing them with notepad).

    Manually edit the DEFAULT ini file which was copied to another location
    Use SAVE not SAVE AS
    Copy the edited ini file to Windows folder

    Hope this helps
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    No Love. I guess I'll email Florian tomorrow
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Peter2150 Error 87 likely indicates no blank line after [EOL]. Try to ensure there is one blank line after the [EOL] line. Then restart the driver.
     