MemProtect - Support & Discussion

Discussion in 'other anti-malware software' started by WildByDesign, Aug 21, 2016.

  1. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    428
    Location:
    Far East
    What does that mean? You select the app when you install with 'Install Mode' on and that gets it protected?
     
    Last edited: Aug 5, 2017
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,314
    That's one approach. With MZwritescanner, which has to be off for any software install, you have two options. One is the install mode; the other is on the program selection, where you have 3 options: Start, Stop and Reset (which does a stop and start). Usually for most things I just use stop. If you need to edit the config file then you restart.
     
  3. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    428
    Location:
    Far East
    Thanks

    But I already have programs installed, so the 'Install Mode' doesn't work, or does it only work when you install a new program?

    Also, how about Windows processes? Are they available for user to select and protect? Or are they protected by default?
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,314
    Hi NiteRanger

    At this point I would suggest reading through the whole thread.

    All install mode does is turn off the protection. It has the same effect as Stop, except that if you use Stop it turns back on after a reboot.

    As to Windows processes, that's where going through the thread will help. Some users have posted their ini files. The last part is where you are missing how these drivers work.
    There is no "selecting" or "default". If you want to have it protected, you have to put it in the ini file or it isn't there.

    The only caution is the structure of those files is exact. Putting spaces in where they shouldn't be will result in the rule you entered being ignored.
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    I have wanted to do this for quite some time, but unfortunately time has been very limited. I've finally had a chance to do some preliminary LSASS.EXE memory protection testing with MemProtect. It took some time to do the logging necessary to create some rules. I would advise being super careful with lsass.exe, because incorrect rules could cause system stability issues for sure.

    These are just preliminary rules that I will expand on later. There are some basic whitelist rules along with the blacklist rules to run lsass.exe as a protected process. Then some silent blocking ($) rules as well. I still have to mess around with some module whitelist and module blacklist stuff later to see which DLLs should and should not be allowed.

    Code:
    [WHITELIST]
    #   LSASS (lsass.exe) Protection
    !C:\Windows\System32\services.exe>C:\Windows\System32\lsass.exe
    !C:\Windows\System32\svchost.exe>C:\Windows\System32\lsass.exe
    !C:\Windows\System32\csrss.exe>C:\Windows\System32\lsass.exe
    !C:\Windows\System32\lsass.exe>C:\Windows\System32\*
    [BLACKLIST]
    #   LSASS (lsass.exe) Protection
    $C:\Windows\System32\lsass.exe>C:\Windows\SystemApps\*
    $C:\Windows\System32\lsass.exe>C:\Windows\explorer.exe
    $C:\Windows\System32\lsass.exe>C:\Program Files*
    *>*lsass.exe
    *lsass.exe>*
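One way to see how a rule file like the one above gets evaluated, as an added example (not MemProtect's own code and not from the post): a small parser for the [WHITELIST]/[BLACKLIST] source>target format that reports lines with stray whitespace (which, as Pete notes, simply get ignored) and then decides whether a given access is allowed. It assumes that `!` whitelist entries are checked before the blacklist, that `$` means block without logging, and that an access matching no rule is left alone; the sample rule set is constructed from the post's lsass.exe rules plus two deliberately malformed lines.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
@dataclass
class Rule:
    section: str    # "WHITELIST" or "BLACKLIST"
    source: str     # accessing process (wildcard pattern, lower-cased)
    target: str     # accessed process (wildcard pattern, lower-cased)
    priority: bool  # '!' prefix: assumed to be checked before the blacklist
    silent: bool    # '$' prefix: block without a log entry, as the post says
    raw: str

# Constructed sample: the post's lsass.exe rules plus two deliberately malformed lines.
SAMPLE_INI = "\n".join([
    r"[WHITELIST]",
    r"!C:\Windows\System32\services.exe>C:\Windows\System32\lsass.exe",
    r"!C:\Windows\System32\svchost.exe>C:\Windows\System32\lsass.exe",
    r"!C:\Windows\System32\lsass.exe>C:\Windows\System32\*",
    r"!C:\Windows\System32\wininit.exe > C:\Windows\System32\lsass.exe",  # constructed: spaces around '>'
    r"[BLACKLIST]",
    r"$C:\Windows\System32\lsass.exe>C:\Windows\SystemApps\*",
    r"$C:\Windows\System32\lsass.exe>C:\Windows\explorer.exe",
    r"$C:\Windows\System32\lsass.exe>C:\Program Files*",
    r"$C:\Windows\System32\lsass.exe>C:\Windows\Temp\*" + " ",  # constructed: trailing space
    r"*>*lsass.exe",
    r"*lsass.exe>*",
])
def parse_rules(text):
    """Return (rules, warnings); a malformed line is reported and dropped, never guessed at."""
    rules, warnings, section = [], [], None
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            continue
        if section is None or ">" not in line or line != line.strip() or " >" in line or "> " in line:
            warnings.append(f"line {n}: malformed (stray whitespace?), rule ignored: {line!r}")
            continue
        body = line.lstrip("!$")  # flag prefixes sit in line[:-len(body)]
        src, dst = body.lower().split(">", 1)  # Windows paths: compare case-insensitively
        rules.append(Rule(section, src, dst, "!" in line[: -len(body)], "$" in line[: -len(body)], line))
    return rules, warnings
def _hit(rule, source, target):
    return fnmatchcase(source.lower(), rule.source) and fnmatchcase(target.lower(), rule.target)
def decide(rules, source, target):
    """Assumed order: '!' whitelist, then blacklist, then plain whitelist; no match -> leave alone."""
    for verdict, sect, prio in (("allow", "WHITELIST", True), ("block", "BLACKLIST", None), ("allow", "WHITELIST", False)):
        for r in rules:
            if r.section == sect and prio in (None, r.priority) and _hit(r, source, target):
                return verdict, r
    return "allow", None
```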
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    BTW, I haven't really followed all of this stuff, but isn't this the same?

    https://www.petri.com/enable-lsa-protection-windows-8-1-server-2012-r2
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,314
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    Why not, isn't the goal to make lsass.exe a protected process, or does MemProtect do more?
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,314
    That's like saying my goal is to get from Washington DC to Florida, so if I drive or if I walk, isn't it the same? Nope, it isn't.
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    As far as the end goal is concerned, both solutions end up running lsass.exe with the memory restrictions of Protected Process Light. So yes, a similar end goal. But as Pete mentioned, the route to getting to that end goal is slightly different. The built-in PPL by MS ensures that any non-signed, non-trusted DLL modules are blocked from any kind of memory access to/from the lsass.exe process, therefore blocking many credential stealing methods such as mimikatz and, I believe, also the EternalBlue exploit, since those types of attacks involve memory manipulation of the lsass.exe process.

    MemProtect would have the same end goal; however, it also gives you the opportunity to control any DLL module activity to/from the lsass.exe process. Therefore, same end goal, just more granular control over the entire memory protection mechanism. I'm actually using built-in PPL by MS to protect lsass.exe combined with MemProtect right now for testing purposes. So far the testing is going well, but it completely blew my mind how much access lsass.exe needs to nearly every aspect of the running Windows OS. Therefore the rules can be quite complex in the end. Being in the "driver's seat", so to speak, is what I appreciate most about MemProtect. I've got the final say and the overall control, which is quite nice.

    Although, in the wrong hands, I would not want to imagine what it would be like if malware utilized this to create somewhat of a memory sandbox to protect the malware itself. That would be some significant power but that would indeed need some sort of kernel level exploit to achieve in the end.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    OK so with MemProtect you get a little more control. I wouldn't want to mess around with it, so the built-in setting in Windows is good enough for me.
     
  12. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,941
    Location:
    Mexico
    I can see license prices for Excubits products at their official site. I also read the ToS and found nothing about lifetime licenses. Are they available?
    Lifetime + lifetime upgrades/updates.
     
  13. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,941
    Location:
    Mexico
    Well, I think I didn't dig enough. I found in the FAQ myself that:
     
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,102
    And you probably get a discount after one year, so you don't have to pay the full price.
    The post is from 2016, maybe things have changed in the meantime:
     
  15. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,941
    Location:
    Mexico
    Thank you.