Discussion in 'other anti-malware software' started by WildByDesign, Aug 21, 2016.
You are welcome! I understand your concern. We never know how AVs mess up and change things, hehehe.
Other security applications should have access to protected applications but not the other way around.
In my configuration Google Chrome only has access to its own directory and has no access to anything else.
Some exceptions might be needed, for example allowing access to the Flash directory (if Flash is being used) or to splwow64.exe (printing of documents).
I don't have these exceptions (I don't use Flash or print documents with Chrome) and it is running fine.
I am a new user of MemProtect and I think it is a great tool to protect sensitive data (in my case the decrypted KeePass database in memory).
However, I wonder why the rule configuration is made so complicated. I mean there is a whitelist, a blacklist, priority whitelist rules and priority blacklist rules.
I think it would be better to have one list that is passed from top to bottom, containing special rules at the top and generic rules at the bottom. The first rule that applies to a certain behaviour is used to allow or to block it, just like it's done in firewalls. The last rule would always be an allow-all or deny-all rule.
This would not only make the rule configuration simpler, but also provide more flexibility, as rules could override each other practically infinitely often instead of 3 times.
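The following is an added illustration of the single ordered, first-match rule list proposed in the post above. It is not MemProtect's rule engine and not its real .ini syntax: the `source>target` pattern shape is borrowed from rules quoted elsewhere in this thread, while the `allow`/`deny` verbs, the mandatory trailing catch-all, the `#` comments and the Chrome/KeePass/splwow64.exe paths in the sample policy are assumptions made for this example. It shows what the proposal buys (specific rules above generic ones, one decision per access) and the pitfall it carries (a broad rule placed too high silently shadows everything below it).

```python
"""Model of a firewall-style, top-to-bottom, first-match access policy.

Hypothetical example: the rule format and semantics here are assumptions
for illustration, not MemProtect's own .ini format or kernel logic.
"""
from fnmatch import fnmatchcase
from typing import List, Sequence, Tuple

Rule = Tuple[str, str, str]  # (action, source pattern, target pattern)


def parse_rules(text: str) -> List[Rule]:
    """Parse 'allow|deny <source>><target>' lines, keeping their order.

    Order is the whole point of a first-match list, so nothing is sorted
    or deduplicated.  The last rule must be the catch-all '*>*' so that
    every (source, target) pair receives a decision.
    """
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # verb, then the rest (paths may contain spaces)
        if len(parts) != 2 or parts[0].lower() not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: expected 'allow|deny <source>><target>'")
        if ">" not in parts[1]:
            raise ValueError(f"line {lineno}: missing '>' between source and target")
        src, dst = parts[1].split(">", 1)
        rules.append((parts[0].lower(), src.strip(), dst.strip()))
    if not rules or rules[-1][1:] != ("*", "*"):
        raise ValueError("last rule must be the catch-all '*>*' (allow or deny)")
    return rules


def _match(pattern: str, path: str) -> bool:
    # Windows paths are case-insensitive, so compare both sides lower-cased.
    # '*' in a glob also crosses backslashes, matching the wildcard style
    # seen in this thread (e.g. *\Microsoft Office\*).
    return fnmatchcase(path.lower(), pattern.lower())


def decide(rules: Sequence[Rule], source: str, target: str) -> Tuple[str, int]:
    """First-match evaluation: (action, index) of the first rule whose
    source and target patterns both match.  Later rules are never consulted."""
    for index, (action, src_pat, dst_pat) in enumerate(rules):
        if _match(src_pat, source) and _match(dst_pat, target):
            return action, index
    raise LookupError("no rule matched; the policy lacks a catch-all")


def unused_rules(rules: Sequence[Rule], probes: Sequence[Tuple[str, str]]) -> List[int]:
    """Indices of rules that never fired for any probe: a cheap smell test
    for a specific rule that has been shadowed by a broader one above it."""
    fired = {decide(rules, src, dst)[1] for src, dst in probes}
    return [i for i in range(len(rules)) if i not in fired]


# Constructed sample policy (assumed paths; not a real MemProtect config).
POLICY = r"""
# Specific rules first: Chrome may touch itself and the print helper, nothing else.
allow C:\Program Files\Google\Chrome\*>C:\Program Files\Google\Chrome\*
allow C:\Program Files\Google\Chrome\*>C:\Windows\splwow64.exe
deny  C:\Program Files\Google\Chrome\*>*
# Only KeePass itself may reach the KeePass process (unlocked database in memory).
allow *\KeePass\*>*\KeePass\*
deny  *>*\KeePass\*
# Generic rule last: everything not decided above is allowed.
allow *>*
"""

RULES = parse_rules(POLICY)

CHROME = r"C:\Program Files\Google\Chrome\chrome.exe"
KEEPASS = r"C:\Program Files\KeePass\KeePass.exe"
EXPLORER = r"C:\Windows\explorer.exe"

if __name__ == "__main__":
    probes = [(CHROME, CHROME), (CHROME, r"C:\Windows\splwow64.exe"),
              (CHROME, KEEPASS), (KEEPASS, KEEPASS), (EXPLORER, KEEPASS),
              (EXPLORER, CHROME)]
    for src, dst in probes:
        action, idx = decide(RULES, src, dst)
        print(f"{action:5} (rule {idx})  {src} -> {dst}")
    # Same rules with the broad Chrome deny moved above the two Chrome allows:
    misordered = [RULES[2], RULES[0], RULES[1]] + list(RULES[3:])
    print("shadowed in misordered policy:", unused_rules(misordered, probes))
```

Running the block prints one decision per probe and then reports rules 1 and 2 as shadowed in the misordered variant, which is exactly the failure the "specific rules at the top" ordering is meant to prevent.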
@Headcool Those are some good suggestions, indeed. You would need to suggest those to the developer if you believe strongly in them, and I would also suggest showing some sort of "mockup" example configurations of your ideas so that the developer can understand and visually see what you are trying to achieve there. The main developer, Florian, is a fantastic guy, so you could certainly email him anytime. Although I should note, he has been extremely busy the past 2-3 weeks because he has essentially been travelling for business purposes across Europe recently. So there may be some delay in responses until he catches up on everything.
With regard to the priority (!) rules and silence ($) rules: they are actually intended to be at the very top of their respective rule sections within the config ini file. If they were at the bottom of their respective sections, then another conflicting rule above them would be processed first. Therefore, within the kernel, MemProtect does process the rules from top to bottom in their respective sections. Although it is not entirely obvious that the user has to remember to put these priority (!) rules and silence ($) rules at the top of their sections.
Therefore, at some point, I would absolutely love to see some sort of generic UI for a rules editor that can ensure proper structure for the config ini rules and to make configuration easier for some users as well. I'm certain that if another developer wanted to create some sort of open source UI for creating/managing rules, the developer of MemProtect would definitely be open to that and even provide some assistance with development.
Despite the excellent response from @WildByDesign, I would add that this kind of confusion is commonplace during the first few times that you use any Excubits driver. I myself suffered this with MemProtect and Bouncer a few times, but I assure you it is temporary and that after a few days of use you will fully understand the possibilities of using these rules.
Honestly, despite this initial difficulty, I love the simplicity and flexibility of changing the rules in this way. I hate complex and full-effect UIs that consume resources from my computer.
MemProtect is silently running in the background and is doing its work. Not even a performance loss is noticeable.
For MemProtect, in particular, this new stable release adds module (.dll) filtering.
Updates for MemProtect and Pumpernickel
Thanks! Great to know!
I got an email from Excubits about 2 or 3 weeks ago saying a new version of MemProtect would be coming and it would have some sort of GUI, IIRC. I follow this thread but don't have any of Excubits' apps installed yet. I know generally you edit a text file to give their apps instructions and exclusions, and Excubits' email made it seem like the new version was a big deal in MemProtect's operation. Yes? But I just read the link and don't see anything about a GUI (not that I must have one), so maybe I'm not recalling that email correctly. Either way, I intend to install soon.
EDIT: So I went to the MemProtect download using Chrome and the download was blocked NOT by AV but by Google. Never had that happen before. Something new, I think. I've DL'd other Excubits apps over the past several months.
Seems to be the normal Google Chrome EXE warning. Had the same, but just hit to move on and the binary executable was saved to my system. Didn't get any warning from Windows AV (Security Essentials).
Have had MemProtect running for 2 days now; it does not seem to cause problems on my machine.
Good to know. Did you edit any of the protections? Not sure, but I thought it installed in a learning mode or with protections turned off, but I could be totally wrong. I downloaded it, but have not installed it yet.
Update: all good here. Haven't dug into the .dll stuff yet but will get around to it. @WildByDesign I see you got a mention. Good work.
Yes, I have my own custom configuration right now. I start with [#lethal] and [logging] in the .ini file, so you can call it learning mode. Then you see in the logs what is going on and can create rules. After everything was working well for me (= no more alerts for applications I like to use, etc.) I switched to [lethal] mode. But to be honest, it took some time to learn how to work with the Excubits stuff, but it is worth it.
Thanks for your feedback. Maybe I'll get into it this weekend.
Any GUI? I prefer easy GUI access over use of command lines.
Like choosing a process and checking a box to enable its protection or unchecking to disable the protection.
None of the Excubits drivers have GUIs. They have a tray app that allows control of the driver, but all ini modifications are by manual edit.
Sorry to ask. Do you know any similar software with GUI for memory protection?
I don't. The Excubits stuff is very tight, but you do have to cope with its manual approach. Once you try it and get used to it, it's really not that difficult.
@NiteRanger, you can make really simple rules. For instance, to lock down your browser all you need is
You use the tray tool to enable/disable protection by switching Install Mode On or Off.
Noted. Interesting regarding the tray tool thing. Got any snapshot to show?
But if I have protection for many processes and I perform a format of my drive, I'll need to re-enter all the command lines again. Too much of a hassle compared to simply checking/unchecking boxes for protection of processes, right?
Anyway. I'll wait for its release and then see how
The commands go into an .ini file in the Windows directory. So if you format your drive you back up the MemProtect.ini to a flash drive. No need to do it again.
Mine looks like this:
!*\Microsoft Office\*>*\Microsoft Office\*
In terms of how you work with the program, nothing is going to change in the release. You still have to manually install, and manually edit the ini file.
You're right, it is more of a hassle than checking boxes, but there isn't anything you can check boxes in that provides comparable protection.
OK, it looks not that difficult. I'll trial it later when it's released.
BTW, your example only shows rules for applications, right? How about Windows processes? I believe they need protection too, or are they protected by default?