MemProtect - Support & Discussion

Discussion in 'other anti-malware software' started by WildByDesign, Aug 21, 2016.

  1. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    I am wondering why the default .ini is [WHITELIST] *>* and not just [DEFAULTALLOW].
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    That's a very good point; I did not notice that initially. The default also seems to be missing the [DEFAULTALLOW] tag. I will mention that to Florian because I think that the default should likely be changed.
     
  3. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    I am wondering what the absence of both [DEFAULTALLOW] and [#DEFAULTALLOW] in the .ini results in. I think it's the latter?
     
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    40,193
    Correct. If it's not mentioned in the .ini, it switches to "default deny"-mode.
    This can lead to some problems if you don't have *>* in your whitelist ;)
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    As we all know, MemProtect gives us the flexibility to protect any process as a Protected Process-Light (PPL) essentially as a process memory sandbox.

    Anyway, what I did not know is that Microsoft protects its own Windows Defender process(es) as PPL. Alex Ionescu has pointed that out:
    Link: https://twitter.com/aionescu/status/797165650003181568
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,557
    Location:
    The Netherlands
    Yes that's my main issue. I really don't have a clue why he never bothered to make a user-friendly GUI.

    This would indeed be nice.
     
  7. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    I asked Florian back then: He said a GUI would not make configuration easier. You still have to choose the parent process and path. Don't know if he will implement a GUI soon.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,557
    Location:
    The Netherlands
    I'm not sure what he means by "not easier". I was also shocked by Smart Object Blocker; having to manually write rules is simply not user-friendly.
     
  9. kakaka

    kakaka Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    75
    Training/Learning Mode would be great, at least you get a rule to work on.
     
  10. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    You must specify the parent and the path to the child. With a GUI you also need to specify the parent and the path to the child process. So it is not easier, it is just a GUI on top of what you could also do in a text editor.

    MemProtect supports [#LETHAL] mode, so you can train. Just use [#LETHAL], use the driver, check the log and modify your rules.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,557
    Location:
    The Netherlands
    Have you ever used EXE Radar? That's exactly what I'm looking for, when it comes to the GUI. And BTW, I was reading the description of MemProtect, and it was not completely clear to me. What if you run some app that is not encaged, will it be able to inject code into other processes?

    http://excubits.com/content/en/products_memprotect.html
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    40,193
    It can inject code, but not in other "encaged processes". But it depends on what rules you have made for your encaged/protected processes.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,557
    Location:
    The Netherlands
    But why not make it so that ANY process cannot inject code into ANY other process without user approval? That's how HIPS work; you don't have to think about which processes to protect. BTW, you might want to check out the RemoteDLL tool to see if MemProtect passes the test:

    http://www.majorgeeks.com/files/details/remotedll.html
     
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    40,193
    This is possible, you can switch to a "default-deny" mode. But there is more work involved to configure it.
    And as you may know, there is no GUI (and no user approval), you have to create your rules manually (notepad-style).
     
  15. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    MemProtect is not only about code injection, but about any kind of access from one process to another. That also means one process cannot launch another. So if you switch to default deny without a proper whitelist, you will render your system unusable / unbootable.
     
  16. @FleischmannTV

    Exactly my point when I asked for default allow to be the default mode (similar to Pumpernickel). The request was implemented (add a Default allow mode), only the default stayed on deny. I hope additional requests may make allow the default.

    The risk of wrecking your system is IMO also a good reason to NOT develop a GUI for this powerful security mechanism. Not having a GUI is a threshold to using it when you are not comfortable with command- and rule-based programs.

    Regards Kees
     
  17. MemProtect is a lean and mean security program, which I really like. MemProtect is a tiny driver which uses Windows-internal mechanisms, so near zero CPU and memory overhead.

    My simple MemProtect INI file (1,8 KB, of which half is comment #) using the container approach (vulnerable programs are only allowed to access their own installation folder). I use Chromium stable compiled by HenryPP; when you use Chrome, replace Chromium by Chrome and remove flashplayer (Chrome has its own PPAPI Flash). I added allow rules for the print spooler (splwow64.exe) and the on-screen keyboard (taptip.exe). All contained programs also call explorer, but allowing them to manipulate explorer would potentially open a wormhole, and blocking access to explorer does not seem to affect functionality.

    Code:
    [LETHAL]
    [#LOGGING]
    [DEFAULTALLOW]
    #Only Office, Skype, Chromium and Flash are contained
    [WHITELIST]
    #allow contained programs to start print-spooler and onscreen-keyboard
    !C:\Program Files\*>*splwow64.exe
    !C:\Program Files\*>*TapTip.exe
    
    #allow Office access to Office
    !C:\Program Files\Microsoft Office???\*>C:\Program Files\Microsoft Office???\*
    
    #allow Skype access to Skype
    !C:\Program Files\Skype\*>C:\Program Files\Skype\*
    
    #allow Chromium access to Chromium and Flashplayer
    !C:\Program Files\Chromium\*>C:\Program Files\Chromium\*
    !C:\Program Files\Chromium\*>C:\Windows\System32\Macromed\*
    
    #allow Flashplayer access to Flashplayer
    !C:\Windows\System32\Macromed\*>C:\Windows\System32\Macromed\*
    
    [BLACKLIST]
    #deny Office to infect/start other programs
    C:\Program Files\Microsoft Office???\*>*
    
    #deny Skype to infect/start other programs
    C:\Program Files\Skype\*>*
    
    #deny Chromium to infect/start other programs
    C:\Program Files\Chromium\*>*
    
    #deny Flashplayer to infect/start other programs
    C:\Windows\System32\Macromed\*>*
    [EOF]
    
    MemProtect does not delay startup of programs, as shown by AppTimer results.

    C:\Program Files\Chromium\chrome.exe - 5 executions without MemProtect
    0.8614
    0.4371
    0.4275
    0.3500
    0.4317

    C:\Program Files\Chromium\chrome.exe - 5 executions with MemProtect installed
    0.8880
    0.3036
    0.4172
    0.3226
    0.3057
     
    Last edited by a moderator: Nov 20, 2016
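    As an added illustration (not the thread's or Excubits' code) of how the container-style INI posted above behaves, and of mood's point that a file without [DEFAULTALLOW] falls into default deny, here is a small Python simulator for the `source>target` rule format. Assumptions: whitelist matches take precedence over blacklist matches (inferred from how the posted file pairs broad blacklist rules with whitelist exceptions), the leading `!` on whitelist rules is treated only as a marker, glob matching is case-insensitive, and the INI excerpt is constructed from the posted file.

```python
import fnmatch

# Constructed excerpt of the container-style INI posted above (Chromium rules only).
SAMPLE_INI = r"""
[LETHAL]
[#LOGGING]
[DEFAULTALLOW]
[WHITELIST]
!C:\Program Files\*>*splwow64.exe
!C:\Program Files\Chromium\*>C:\Program Files\Chromium\*
[BLACKLIST]
C:\Program Files\Chromium\*>*
[EOF]
"""

def parse_ini(text):
    """Return (default_allow, whitelist, blacklist); a rule is a (source, target) glob pair."""
    default_allow, section, rules = False, None, {"[WHITELIST]": [], "[BLACKLIST]": []}
    for line in (l.strip() for l in text.splitlines()):
        if line == "[DEFAULTALLOW]":
            default_allow = True      # missing or commented out ([#DEFAULTALLOW]) means default deny
        elif line in rules:
            section = line
        elif ">" in line and section and not line.startswith(("#", "[")):
            # Assumption: the leading '!' on the posted whitelist rules is treated only as a marker.
            rules[section].append(tuple(line.lstrip("!").split(">", 1)))
    return default_allow, rules["[WHITELIST]"], rules["[BLACKLIST]"]

def _matches(rule, source, target):
    """Glob-match both halves of a rule; lower-cased because Windows paths are case-insensitive."""
    return (fnmatch.fnmatchcase(source.lower(), rule[0].lower())
            and fnmatch.fnmatchcase(target.lower(), rule[1].lower()))

def decide(config, source, target):
    """'allow' or 'deny' for the process at `source` accessing the process at `target`."""
    default_allow, whitelist, blacklist = config
    # Assumption (inferred from the posted file): whitelist exceptions win over broad blacklist rules.
    if any(_matches(r, source, target) for r in whitelist):
        return "allow"
    if any(_matches(r, source, target) for r in blacklist):
        return "deny"
    return "allow" if default_allow else "deny"

if __name__ == "__main__":
    cfg = parse_ini(SAMPLE_INI)
    chrome, explorer = r"C:\Program Files\Chromium\chrome.exe", r"C:\Windows\explorer.exe"
    print("contained:", decide(cfg, chrome, explorer))                    # deny (blacklist)
    print("spooler:  ", decide(cfg, chrome, r"C:\Windows\splwow64.exe"))  # allow (whitelist wins)
    strict = parse_ini(SAMPLE_INI.replace("[DEFAULTALLOW]", "[#DEFAULTALLOW]"))  # no default allow
    print("unrelated:", decide(strict, r"C:\Windows\System32\svchost.exe", explorer))  # deny
```

    The last call shows why mood warns about a missing [DEFAULTALLOW]: with no matching rule, every cross-process access is denied, which is what FleischmannTV means by rendering the system unusable without a proper whitelist.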
  18. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Yes I have. OK, now I understand what you are looking for. MemProtect is not the right solution for you.

    Yes, there you also need rules which are "somehow" provided by vendor updates. In MemProtect you specify the rules; it is not a black box, you have more freedom, but on the other side you need to know what you are doing. From what you said in your posts I think MemProtect is not the right tool for you - I guess you are looking for a tool that does it all automatically and delightfully. MemProtect is for the more advanced/skilled user. Like @Windows_Security said: "Not having a GUI is a threshold" here, so an ordinary user can't crash the system, which is a good point, because I think the normal Windows user will be frustrated with MemProtect. Someone at some point here on Wilders said: Excubits products are not for the masses, and that is what I think, too. It is for specialists or admins.

    @Windows_Security: Thanks for sharing your ini file. btw: [DEFAULTALLOW] really should be in the default config.
     
  19. Apologies if posted before: M$ documentation on protected processes as introduced with Vista. MemProtect info mentions Windows 7 and up.

    link to document download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/process_vista.doc
     
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    40,193
    According to the Newsblog, they added support for a larger .ini file (up to 1 Megabyte):
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @mood Good news! Thanks. :thumb:
     
  22. For some reason I thought Win 8 was the minimum requirement, but the documentation mentions Windows 7, so I added MemProtect on my wife's laptop.
     
  23. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Yes, it also works in Windows 7. I used it on my old Win7 (x64) notebook. Worked pretty fine (but ensure you install all updates, or the driver with its SHA256 (EV) signature will not load, because older Windows versions don't support SHA256 driver signatures if you don't update).
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    As @4Shizzle mentions, a stock Windows 7 Service Pack 1 system cannot verify SHA256 / EV digital signatures in binaries because, quite simply, Microsoft had not added that hashing algorithm at that point in time. For example, if somebody wanted to run a Windows 7 virtual machine and not deal with hundreds of updates through Windows Update, they would at the very least need to install KB3033929. Also KB2813430, KB3123479 and KB3097966 are pretty important as well with regard to hashing updates in Windows 7. But to keep things simple, I would assume that the recent Windows 7 Convenience Rollup would include these very important patches.
     
  25. Ok checked thx
     