MemProtect - Support & Discussion

Discussion in 'other anti-malware software' started by WildByDesign, Aug 21, 2016.

  1. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    I already received my unlimited beta version. Florian is very quick.
     
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,058
    How much is the limit with the unlimited beta? I guess 1 MB :doubt: Or is it more?
     
  3. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    244
    I'm going to purchase this now, I think. MemProtect is probably my favourite piece of software at the moment. I have it paired with Bouncer; for the blacklist I just added my user folder, which is OK for me as I know what I'm clicking on. That, with the UAC trick (elevation of unsigned executables) and the mitigations some of us have been using with Chromium, makes the system almost bulletproof with basically zero overhead. Florian is a genius.

    Props to you guys too. Always reading :)

    Does anyone use Windows Firewall Control? Alexandrud recently updated it so that when you change profiles it doesn't go through netsh. This means they now play nicely together, without a block from Bouncer and without having to make a rule.
     
    Last edited: Jun 10, 2017
  4. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    I don't know. At this moment I am using 110kb with no worries.

    @JimboW I have a lifetime license of WFC but it was consuming too much CPU (around 5% constantly).
     
  5. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,058
    Ok.
    Yeah, the .dll rules need a lot of space. Being able to create a bigger .ini (without the 64 KB limit) is essential now.
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    I've used Notepad++ for a number of years, particularly for MemProtect config files and other Excubits drivers. But over recent time I have slowly switched over to Visual Studio Code and there is absolutely no going back for me. Anyway, I've modified a VSCode theme and settings quite a lot, to the point where it works smoothly and well for these .ini config files and is quite easy on the eyes. Similar to how I used to use NP++, I run VSCode as Admin to edit my configs.

    I figured I would share the steps with you guys/gals if any of you MemProtect / Excubits users are using Visual Studio Code at all. There are a number of steps, but if there is any interest I will share the step-by-step instructions with code snippets and all. But for now here is a screenshot in case anyone is curious.

    VSCode-theme.png
     
  7. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    252
    Location:
    united kingdom
    I've not used Visual Studio Code before and seeing your screen shot has piqued my interest. Thanks for sharing.

    I for one would be interested in seeing your step by step guide :thumb:
     
  8. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,936
    Location:
    Mexico
    Me too. Thanks @WildByDesign
     
  9. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    @askmark @Mister X @ExtremeGamerBR

    1. Install Visual Studio Code (64-bit builds coming next month BTW)
    2. In VSCode, go to View - Extensions
    3. Search extensions for: Dark+ Material by vangware
    4. Click Install
    5. Search Extensions for: Material Icon Theme by Philipp Kief
    6. Click Install
    7. Reload to apply

    (Some familiarity with JSON files is helpful for the part below.)
    I apologize guys/gals, this part below was more difficult to explain than I had initially anticipated. I am not always great when it comes to explaining certain details.

    1. Edit C:\Users\{username}\.vscode\extensions\vangware.dark-plus-material-1.0.2\dark-plus-material.json
    2. Ctrl+F search for: "scope": "comment"
    3. Replace what is there with:
      Code:
      "scope": "comment",
      "settings": {
          "foreground": "#8BC34A",
          "fontStyle": "italic"
      }
    4. We need to add a new entity for sections related to .ini files
    5. Go down near bottom of theme config and add:
      Code:
          {
              "scope": "entity.name.section",
              "settings": {
                  "fontStyle": "regular",
                  "foreground": "#2196F3"
              }
          }
    6. I added mine after support.constant.color; here is a snippet that might help align the JSON end of file
      Code:
          {
              "scope": "support.constant.color",
              "settings": {
                  "foreground": "#FFC107"
              }
          },
          {
              "scope": "entity.name.section",
              "settings": {
                  "fontStyle": "regular",
                  "foreground": "#2196F3"
              }
          }
        ]
      }

    1. Go to File - Preferences - Settings
    2. Your VSCode personal preferences file is on right hand side
    3. Select all text within your settings file (settings.json) and delete what is there
    4. Copy and Paste my settings (from below) into your settings file (settings.json)
    5. Save

    Code:
    {
        "workbench.activityBar.visible": false,
        "material-icon-theme.showWelcomeMessage": false,
        "workbench.iconTheme": "material-icon-theme",
        "workbench.colorTheme": "Dark+ Material",
        "editor.minimap.enabled": true,
        "editor.fontSize": 16,
        "editor.selectionHighlight": false,
        "editor.wordWrap": "on",
        "workbench.colorCustomizations": {
            "editor.foreground": "#D4D4D4",
            "statusBar.background": "#00EECC",
            "statusBar.noFolderBackground": "#2D2D2D",
            "statusBar.debuggingBackground": "#CCFFFF",
            "statusBarItem.prominentBackground": "#0063a5",
            "statusBarItem.prominentHoverBackground": "#0063a5dd",
            "statusBarItem.activeBackground": "#ffffff33",
            "statusBarItem.hoverBackground": "#ffffff22"
        },
        "editor.renderIndentGuides": true,
        "editor.fontFamily": "'Fira Code', Consolas, 'Courier New', monospace"
    }

    Close out of VSCode and reopen and all settings should now be active.


    * Keep in mind this is totally optional. By default, VSCode will use Consolas font which is pretty nice.
    1. Download latest Fira Code font from: https://github.com/tonsky/FiraCode/releases
    2. Extract font archive
    3. Within the "ttf" folder, copy those 5 ttf font files to C:\Windows\Fonts\
    4. Restart VSCode and Fira Code will be default now
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    From: https://excubits.com/content/en/news.html

     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,238
    Location:
    USA
    Thank you for the info! I'm not sure I would know how to configure the rules for lsass.exe. I will have to see what rules options I have available with MemProtect, and see what rights lsass.exe must have to function correctly.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,238
    Location:
    USA
    Yes, it does look easy on the eyes. I may give it a try.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,238
    Location:
    USA
    Thanks for the update!
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    @Cutting_Edgetech You're welcome. By the way, if I have some spare time during this week I may also give it a try setting up some permissions for lsass.exe and see what it needs to function as per normal. It should be easy to, at the very least, block user space binaries from injecting into system processes. I will let you know if I am able to come up with anything useful.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,238
    Location:
    USA
    Thank you! That would be very helpful for me. I honestly don't have the time to tinker with it much due to school and work. I will be able to contribute more after I finish my degree.
     
  17. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    252
    Location:
    united kingdom
    Many thanks for going to all the time and trouble to produce this guide. I'm on vacation this week but will definitely be applying this when I get home.
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    @askmark You're welcome, my pleasure. Enjoy your vacation time! :thumb:
     
  19. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    305
    Location:
    router
    Hi,
    if I don't allow one DLL, for example in the "Search Everything" program
    1.png

    then it gives such an error, and I confirm MemProtect does its job very well.
    But does anyone know what I should ask the developer of Everything to fix in their program?
    Or, if someone knows, please email it to the Everything developer.
    Thanks
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    @co22 Do you have any logged entries from your MemProtect.ini log file that occur with these blocked messages? If you can provide some of the logged lines for the blockage within a code tag and/or spoiler tag I would be happy to dig into it more and see what's going on.
     
  21. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    305
    Location:
    router
    Hello WildByDesign,
    check below.
    I allowed them under explorer.exe but not in Everything.exe.
    I checked with Process Hacker and don't see them loaded in Everything,
    but if I don't allow them under explorer.exe I don't see such an error as in the screenshot above,
    so I think the problem is on the Everything.exe side.

    Code:
    *** excubits.com demo ***: 2017/06/21_01:54 > MODULE > C:\Users\username\Desktop\Everything.exe > C:\Windows\System32\twext.dll
    *** excubits.com demo ***: 2017/06/21_01:54 > MODULE > C:\Users\username\Desktop\Everything.exe > C:\Windows\System32\cryptsp.dll
    *** excubits.com demo ***: 2017/06/21_01:54 > MODULE > C:\Users\username\Desktop\Everything.exe > C:\Windows\System32\ShellExt\HashCheck.dll
    *** excubits.com demo ***: 2017/06/21_01:54 > MODULE > C:\Users\username\Desktop\Everything.exe > C:\Program Files\WinRAR\RarExt.dll
    *** excubits.com demo ***: 2017/06/21_01:54 > MODULE > C:\Users\username\Desktop\Everything.exe > C:\Windows\System32\SpyShelterShellExt.dll
    *** excubits.com demo ***: 2017/06/21_01:54 > MODULE > C:\Users\username\Desktop\Everything.exe > C:\Program Files\Mp3tag\Mp3tagShell32.dll
    *** excubits.com demo ***: 2017/06/21_01:54 > MODULE > C:\Users\username\Desktop\Everything.exe > C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
    *** excubits.com demo ***: 2017/06/21_01:54 > MODULE > C:\Users\username\Desktop\Everything.exe > C:\Program Files\Shadow Defender\ShellExt.dll
    *** excubits.com demo ***: 2017/06/21_01:54 > MODULE > C:\Users\username\Desktop\Everything.exe > C:\Windows\System32\ShellExt\clipname.dll
    *** excubits.com demo ***: 2017/06/21_01:54 > MODULE > C:\Users\username\Desktop\Everything.exe > C:\Program Files\AIMP\System\aimp_menu32.dll
     
  22. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    305
    Location:
    router
    @WildByDesign
    Also please test these two programs: Dr. Folder, and Fort - File encryption for Windows.
    Both Bouncer and MemProtect won't log their DLL files:
    Code:
    DrFolderExtension.dll
    Fort.dll
    FortLanguage.dll
    FortRegistry.dll
    FortSettings.dll
    Newtonsoft.Json.dll

    I disabled both drivers, then put them in [#LETHAL] mode,
    installed the programs, and restarted the PC.
    At startup I first ran Process Hacker and opened the properties of explorer.exe:
    I don't see those DLLs (so it's reasonable not to see them in the log).
    Then I right-clicked files, folders and shortcuts and browsed My Computer and folders for a while,
    then ran Process Hacker again, opened the properties of explorer.exe, and I see those DLLs are loaded under explorer.exe,
    but I don't see those DLLs in the log file!!!
    Please investigate them.
    Thanks
     
  23. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    23
    I started to create a working MemProtect.ini and found out that I seem to be missing some basic understanding even after having read through this thread and the documentation, so sorry about my newbie question.

    My problem is to determine the logic of when it's safe to blacklist, on the one hand, incoming memory access and, on the other hand, outgoing memory access. Let me give an example:

    I currently use Henry++'s chrlauncher-based Chromium as my main browser, and Bitdefender, Sandboxie and Macrium Reflect, to name some other software.

    My understanding is that it's best to whitelist e.g. Bitdefender to access chrome.exe and chrlauncher.exe, but should I use one-way or two-way whitelisting (i.e. does chrome.exe need to access the Bitdefender processes back, due to some Bitdefender DLL injections into chrome.exe or for some other reason, or is it enough to allow Bitdefender => Chrome memory access)?

    And what is the general rule for determining whether a whitelist rule should be created inwards only, outwards only or both ways?

    Having studied the sample MemProtect.ini files in this thread I was under the impression that when protecting e.g. Chromium there would be no need for massive silent blacklist rules. Hence I was a bit surprised to receive the following kind of lines in the log (of course only one of the lines in this sample is directly from chrome.exe and the rest come from chrlauncher):

    Code:
    017/06/24_14:16:51 > C:\Program Files\Macrium\Common\MacriumService.exe > C:\Program Files\Chromium\bin\chrome.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Windows\System32\sihost.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Windows\System32\svchost.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Windows\System32\taskhostw.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Windows\System32\RuntimeBroker.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Program Files\Macrium\Common\ReflectUI.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Program Files\Macrium\Common\ReflectMonitor.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Windows\System32\VBoxTray.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Program Files\Sandboxie\SbieCtrl.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Program Files (x86)\Excubits\MemProtect\Tray.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Program Files (x86)\Excubits\Pumpernickel\Tray.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Program Files\Bitdefender\Bitdefender 2017\bdagent.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Program Files\Bitdefender\Bitdefender 2017\bdwtxag.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Windows\System32\ApplicationFrameHost.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Windows\ImmersiveControlPanel\SystemSettings.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Program Files (x86)\Notepad++\notepad++.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Windows\System32\smartscreen.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Windows\System32\audiodg.exe
    2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Windows\SoftwarePolicy\softwarepolicy.exe
    
    So the Macrium backup software tried to access chrome.exe, and chrlauncher.exe tried to access a long list of processes.

    I wonder if there is any other method than trial and error to find out what can be safely blacklisted silently and what should be whitelisted or blacklisted without the silent flag, to get a result that is both non-obtrusive (= as few alarms as possible) and as easy to maintain as possible (= no problems running the production applications and a reasonable-size ini file at the same time)...
     
  24. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    @mike83

    Well, I will try to answer your questions, but I recommend you send an e-mail to Florian asking these questions (and I would like to know his answers, if you agree to share)...

    I believe that in this case with BD, you should only allow BD access to Chrome, but block Chrome from accessing BD. I believe that it's a general rule.

    The logic is that your browser is risky software, so it needs to be locked down as much as possible. If you let chrome.exe access another piece of software, you are opening a door for an exploit to get access to that same software.

    For example, I only let chrlauncher.exe access my chrome.exe; there is absolutely no need to access notepad.exe, do you agree?

    My knowledge about this topic is purely experimental; it has been weeks since I started using MemProtect following this logic and everything is working as expected, and I don't see any change in my CPU/RAM/DISK use (so, apparently, nothing is forcing access to what I blocked).

    ---------------------------------------------------------------

    I just want to share my WORD/EXCEL setup. Suggestions are always welcome. I haven't made granular control of which .dll WORD/EXCEL can access because it would drive me crazy (and honestly, I don't know if there is a point in doing this), as I'm very tired of this process with chrome.exe.

    So here we go:

    Code:
    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [MODULEFILTER]
    [WHITELIST]
    #    [WORD - Base Rules]
    !C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe>C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    !C:\Windows\System32\lsass.exe>C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    !C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE>C:\Windows\explorer.exe
    !C:\Windows\System32\csrss.exe>C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    !C:\Windows\System32\svchost.exe>C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    !C:\Windows\explorer.exe>C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    !C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE>C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    !C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE>C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    #    [WORD - Additional Programs]
    !C:\Program Files\Process Lasso\ProcessLasso.exe>C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    !C:\Program Files\Process Lasso\ProcessGovernor.exe>C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    #    [Excel - Base Rules]
    !C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe>C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    !C:\Windows\System32\lsass.exe>C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    !C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE>C:\Windows\explorer.exe
    !C:\Windows\System32\csrss.exe>C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    !C:\Windows\System32\svchost.exe>C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    !C:\Windows\explorer.exe>C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    !C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE>C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    !C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE>C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    #    [Excel - Additional Programs]
    !C:\Program Files\Process Lasso\ProcessLasso.exe>C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    !C:\Program Files\Process Lasso\ProcessGovernor.exe>C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    [BLACKLIST]
    #    [Block memory access to/from Office - Silenced]
    $*\VMware\*>*\Office1?\*
    $*\Office1?\*>*D:\Programas\*
    $*\Office1?\*>*notepad.exe
    #    [Block memory access to/from Word]
    *>*winword.exe
    *winword.exe>*
    #    [Block memory access to/from Excel]
    *>*excel.exe
    *excel.exe>*
    [MODULEWHITELIST]
    #    [Office - Module Base Rules]
    !C:\Windows\explorer.exe>C:\Program Files\Microsoft Office\root\Office16\*
    !C:\Program Files\Microsoft Office\root\Office16\*>C:\Windows\System32\*.dll
    !C:\Program Files\Microsoft Office\root\Office16\*>C:\Windows\System32\*.drv
    !C:\Program Files\Microsoft Office\root\Office16\*>C:\Windows\Microsoft.NET\Framework64\*\*.dll
    !C:\Program Files\Microsoft Office\root\Office16\*>C:\Windows\WinSxS\*.dll
    !C:\Program Files\Microsoft Office\root\Office16\*>C:\Program Files\Common Files\microsoft shared\ClickToRun\*.dll
    !C:\Program Files\Microsoft Office\root\Office16\*>C:\Program Files\Microsoft Office\*
    [MODULEBLACKLIST]
    #    [Block module access to/from Word]
    *>*winword.exe
    *winword.exe>*
    #    [Block module access to/from Excel]
    *>*excel.exe
    *excel.exe>*

    Sorry for my poor English.

    EDIT: If anyone is interested in my complete [#DEFAULTALLOW] setup, please PM me.
     
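The two questions raised above, how to turn a pile of log lines into whitelist / silent-blacklist / logged-blacklist decisions for one protected process, and how to spot DLLs that a process viewer shows loaded but that never produced a MODULE log line, both come down to parsing the log. The script below is an added example for this thread, not code from Excubits or from any poster. It assumes only the two log line shapes quoted earlier (memory access: timestamp > source > target; module load: timestamp > MODULE > process > module, optionally with the demo banner in front) and copies the rule spelling of the posted .ini (`!src>dst` under [WHITELIST], `$src>dst` under [BLACKLIST]); what the `!` and `$` prefixes mean exactly is defined by the MemProtect documentation, not by this script. The sample log, the trusted/silenced lists and the module list are constructed for the example.

```python
"""Draft MemProtect rules from its log and check MODULE coverage.

Added example for this thread; not code from Excubits or any poster.
It assumes only the two log line shapes quoted earlier (memory access:
ts > source > target; module load: ts > MODULE > process > module) and
the rule spelling of the posted .ini ('!src>dst' under [WHITELIST],
'$src>dst' under [BLACKLIST]).
"""
import re
from collections import Counter, namedtuple

Event = namedtuple("Event", "ts kind src dst")

# Demo builds prefix each line with a banner; drop it before splitting.
_BANNER = re.compile(r"^\*\*\*.*?\*\*\*:\s*")

# Constructed sample log (shapes copied from the thread, contents made up).
SAMPLE_LOG = r"""
*** excubits.com demo ***: 2017/06/21_01:54 > MODULE > C:\Users\username\Desktop\Everything.exe > C:\Windows\System32\cryptsp.dll
*** excubits.com demo ***: 2017/06/21_01:54 > MODULE > C:\Users\username\Desktop\Everything.exe > C:\Program Files\WinRAR\RarExt.dll
2017/06/24_14:16:51 > C:\Program Files\Macrium\Common\MacriumService.exe > C:\Program Files\Chromium\bin\chrome.exe
2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Windows\System32\svchost.exe
2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Program Files (x86)\Notepad++\notepad++.exe
2017/06/24_14:18:45 > C:\Program Files\Chromium\chrlauncher.exe > C:\Program Files\Chromium\bin\chrome.exe
2017/06/24_14:18:46 > C:\Program Files\Chromium\chrlauncher.exe > C:\Program Files\Chromium\bin\chrome.exe
2017/06/24_14:20:02 > C:\Program Files\Bitdefender\Bitdefender 2017\bdagent.exe > C:\Program Files\Chromium\bin\chrome.exe
"""


def parse_log(text):
    """Split log lines into Event records; unrecognised lines are skipped."""
    events = []
    for raw in text.splitlines():
        line = _BANNER.sub("", raw.strip())
        if not line:
            continue
        fields = line.split(" > ")
        if len(fields) == 4 and fields[1] == "MODULE":
            events.append(Event(fields[0], "MODULE", fields[2], fields[3]))
        elif len(fields) == 3:
            events.append(Event(fields[0], "MEMORY", fields[1], fields[2]))
    return events


def draft_rules(events, protected, trusted, silenced):
    """Sort each process that touched `protected` into a rule bucket.

    trusted  -> '!src>protected' under [WHITELIST]; one-way only, the
                protected process gets no rule back to the source
    silenced -> '$src>protected' under [BLACKLIST]: blocked, not logged
    others   -> returned for review with their hit count; the catch-all
                '*>protected' and 'protected>*' keep them blocked and logged
    Path comparison is case-insensitive, as Windows paths are.
    """
    prot = protected.lower()
    trusted = {p.lower() for p in trusted}
    silenced = {p.lower() for p in silenced}
    hits = Counter(e.src for e in events
                   if e.kind == "MEMORY" and e.dst.lower() == prot)
    whitelist, blacklist, review = [], [], []
    for src, n in sorted(hits.items()):
        if src.lower() in trusted:
            whitelist.append(f"!{src}>{protected}")
        elif src.lower() in silenced:
            blacklist.append(f"${src}>{protected}")
        else:
            review.append((src, n))
    blacklist += [f"*>{protected}", f"{protected}>*"]
    return whitelist, blacklist, review


def render_ini(whitelist, blacklist):
    """Emit the two sections in the layout of the posted config."""
    return "\n".join(["[WHITELIST]", *whitelist, "[BLACKLIST]", *blacklist])


def unlogged_modules(events, process, observed):
    """Modules a process viewer shows inside `process` that never produced
    a MODULE log line (the gap described for explorer.exe above)."""
    logged = {e.dst.lower() for e in events
              if e.kind == "MODULE" and e.src.lower() == process.lower()}
    return sorted(m for m in observed if m.lower() not in logged)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    chrome = r"C:\Program Files\Chromium\bin\chrome.exe"
    wl, bl, rv = draft_rules(
        ev, chrome,
        trusted=[r"C:\Program Files\Chromium\chrlauncher.exe"],
        silenced=[r"C:\Program Files\Macrium\Common\MacriumService.exe"])
    print(render_ini(wl, bl))
    for src, n in rv:
        print(f"# review: {src} touched chrome.exe {n}x")
    # Constructed module list, as a Process Hacker export would give it.
    observed = [r"C:\Windows\System32\cryptsp.dll",
                r"C:\Program Files\WinRAR\RarExt.dll",
                r"C:\Windows\System32\ShellExt\DrFolderExtension.dll"]
    print(unlogged_modules(ev, r"C:\Users\username\Desktop\Everything.exe",
                           observed))
```

Run it against a real MemProtect log by replacing SAMPLE_LOG with the file's contents. The review bucket is deliberately not silenced: anything that is neither trusted nor explicitly silenced stays under the logged catch-all rules, so a new process touching the protected one still shows up in the log instead of disappearing behind a `$` rule. The module check only says which DLLs have no matching log line; whether that is a driver gap or a module that was loaded before logging started is something the log timestamps and the reboot described above have to answer.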
  25. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    23
    @ExtremeGamerBR

    Thank you for your reply and for sharing your setup. I believe that it's safe to follow your setup principle, so I'll give it a try.

    I fully agree with you that there cannot be any reason to give chrlauncher access to notepad etc.

    However, since I'm not familiar with the inner workings of AV and other security products, I started to doubt what happens when they inject their DLLs or create hooks etc. into e.g. web browsers: could it mean that for the browser to then be fully protected, the injected code (or something alike) should be able to access something that is not obvious to me?

    But I guess that if that were the case, then someone would already have replied to this thread and shared his/her experience...