MemProtect - Support & Discussion

Discussion in 'other anti-malware software' started by WildByDesign, Aug 21, 2016.

  1. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    You are welcome! I understand your concern. We never know how AVs mess up or change things, hehehe
     
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,088
    Other security applications should have access to protected applications but not the other way around.
    In my configuration Google Chrome has only access to its own directory and it has no access to everything else.
    Some exceptions might be needed, for example allowing access to the Flash directory (if Flash is being used) or to splwow64.exe (printing of documents).

    I don't have these exceptions (I don't use Flash or print documents with Chrome) and it is running fine.
     
  3. Headcool

    Headcool Registered Member

    Joined:
    Dec 8, 2015
    Posts:
    7
    I am a new user of MemProtect and I think it is a great tool to protect sensitive data (in my case the decrypted KeePass database in memory).

    However, I wonder why the rule configuration is made so complicated. I mean there is a whitelist, a blacklist, priority whitelist rules and priority blacklist rules.
    I think it would be better to have one list that is passed from top to bottom, containing special rules at the top and generic rules at the bottom. The first rule that applies to a certain behaviour is used to allow or to block it. Just like it's done in firewalls. The last rule would always be an allow all or deny all rule.
    This would not only make the rule configuration simpler, but also provide more flexibility, as rules could override each other practically infinitely instead of 3 times.
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    @Headcool Those are some good suggestions, indeed. You would need to suggest those to the developer if you believe strongly in that and I would also suggest to show some sort of "mockup" example configurations of your ideas so that the developer can understand and visually see what you are trying to achieve there. The main developer, Florian, is a fantastic guy so you could certainly email him anytime. Although I should note, he has been extremely busy the past 2-3 weeks because he has been essentially travelling for business purposes across Europe recently. So there may be some delay in responses until he catches up on everything.

    The priority (!) rules and silence ($) rules are actually intended to be at the very top of their respective rule sections within the config ini file. If they were at the bottom of their respective sections, then another conflicting rule above them would be processed first. Therefore within the kernel, MemProtect does process the rules from top to bottom in their respective sections. Although it is not entirely obvious to the user to remember to put these priority (!) rules and silence ($) rules at the top of their sections.

    Therefore, at some point, I would absolutely love to see some sort of generic UI for a rules editor that can ensure proper structure for the config ini rules and to make configuration easier for some users as well. I'm certain that if another developer wanted to create some sort of open source UI for creating/managing rules, the developer of MemProtect would definitely be open to that and even provide some assistance with development.
     
  5. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    @Headcool

    Despite the excellent response from @WildByDesign , I would add that this kind of confusion is commonplace during the first few times that you use any Excubits driver. I myself suffered this with MemProtect and Bouncer a few times, but I assure you it is temporary and that after a few days of use you will be fully understanding the possibilities of using these rules.

    Honestly, despite this initial difficulty, I love the simplicity and flexibility of changing the rules in this way. I hate complex and full-effect UIs that consume resources from my computer.
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,088
    MemProtect is silently running in the background and is doing its work. Not even a performance loss is noticeable :)
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    For MemProtect, in particular, this new stable release adds module (.dll) filtering.

    Updates for MemProtect and Pumpernickel

    From: https://excubits.com/content/en/news.html

     
  8. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    Thanks! Great to know!
     
  9. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    306
    Location:
    USA
    I got an email from Excubits about 2 or 3 weeks ago saying a new version of MemProtect would be coming and it would have some sort of GUI iirc. I follow this thread but don't have any of Excubits' apps installed yet. I know generally you edit a text file to give their apps instructions and exclusions, and Excubits' email made it seem like the new version was a big deal in MemProtect's operation. Yes? But I just read the link and don't see anything about a GUI (not that I must have one), so maybe I'm not recalling that email correctly. Either way, I intend to install soon. :doubt:

    EDIT: so I went to memprotect download using chrome and the download was blocked NOT by av but by google. Never had that happen before. Something new I think. I've DL'd other excubits apps over the past several months.
    https://support.google.com/chrome/a...82-939243799&p=ib_download_blocked&hl=en&rd=1
     
    Last edited: Jul 30, 2017
  10. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    140
    Location:
    Europe
    Seems to be normal google Chrome EXE-warning. Had the same, but just hit to move on and the binary executable was saved to my system. Did got any warning from Windows AV (Security Essentials).

    Have MemProtect running for 2 days now, does not seem to make problems on my machine
     
  11. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    306
    Location:
    USA
    good to know, did you edit any of the protections. Not sure but I thought it installed in a learning mode or with protections turned off, but I could be totally wrong. I downloaded it, but have not installed it yet.
     
  12. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    244
    Update all good here. Haven't dug into the .dll stuff yet but will get around to it. @WildByDesign I see you got a mention. Good work :)
     
  13. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    140
    Location:
    Europe
    Yes, I have my own custom configuration right now. I start with [#lethal] and [logging] in the .ini file, so you can call it learning mode. Then you see in the logs what is going on and can create rules. After everything was working well for me (= no more alerts for applications I like to use etc.) I switched to [lethal] mode. But to be honest: it took some time to learn how to work with the Excubits stuff, but it is worth it.
     
  14. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    306
    Location:
    USA
    Thanks for your feedback. Maybe I'll get into it this weekend? :thumb:
     
  15. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    428
    Location:
    Far East
    Any GUI? I prefer easy GUI access over use of command lines.

    Like choosing a process and checking a box to enable its protection or unchecking to disable the protection.

    Thanks
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,302
    None of the Excubits drivers have GUIs. They have a tray app that allows control of the driver, but all ini modifications are by manual edit.
     
  17. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    428
    Location:
    Far East
    Thanks.

    Sorry to ask. Do you know any similar software with GUI for memory protection?
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,302
    Hi Niteranger

    I don't. The Excubits stuff is very tight, but you do have to cope with its manual approach. Once you try it and get used to it, it's really not that difficult.
     
  19. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    428
    Location:
    Far East
    Thanks again
     
  20. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    244
    @NiteRanger, you can make real simple rules. For instance, locking down your browser all you need is

    [DEFAULTALLOW]
    !*\Chromium\*>*\Chromium\*
    [BLACKLIST]
    *\Chromium\*>*

    You use the tray tool to enable/disable protection by switching Install Mode On or Off
     
    Last edited: Aug 4, 2017
  21. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    428
    Location:
    Far East
    Noted. Interesting regarding the tray tool thing. Got any snapshot to show?

    But if I have protection for many processes and I perform a format of my drive I'll need to re-enter all the command lines again. Too much of a hassle as compared to simply checking/unchecking boxes for protection of processes, right?

    Anyway. I'll wait for its release and then see how

    Thanks
     
  22. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    244
    The commands go into an .ini file in the Windows directory. So if you format your drive you back up the MemProtect.ini to a flash drive. No need to do it again.

    Mine is looking like this

    [#INSTALLMODE]
    [LETHAL]
    [#LOGGING]
    [WHITELIST]
    [DEFAULTALLOW]
    !*\Chromium\*>*\Chromium\*
    !*\uTorrent\*>*\uTorrent\*
    !*\PotPlayer\*>*\PotPlayer\*
    !*\Microsoft Office\*>*\Microsoft Office\*
    *>*
    [BLACKLIST]
    *\Chromium\*>*
    *\uTorrent\*>*
    *\PotPlayer\*>*
    *\Microsoft Office\*>*
    [EOF]
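
Added example (not part of any post in this thread and not Excubits code): a small Python check for the ordering point made earlier in the thread, that priority (!) and silence ($) rules belong at the top of their section because rules are processed top to bottom. It assumes the marker is the first character of a rule line and that rules use the source>target form shown in the posted configs; the sample config is constructed.

```python
import re

# Constructed sample in the style of the configs posted in this thread.
# [DEFAULTALLOW] deliberately has a priority rule below the catch-all rule.
SAMPLE_INI = r"""[#INSTALLMODE]
[LETHAL]
[#LOGGING]
[WHITELIST]
[DEFAULTALLOW]
!*\Chromium\*>*\Chromium\*
*>*
!*\PotPlayer\*>*\PotPlayer\*
[BLACKLIST]
*\Chromium\*>*
*\PotPlayer\*>*
[EOF]
"""

# Section header, optionally disabled with '#', e.g. [LETHAL] or [#LOGGING].
SECTION = re.compile(r"^\[#?([A-Za-z]+)\]$")

def misplaced_marked_rules(text):
    """Find '!'/'$' rules that sit below an unmarked rule in their section.

    Returns (line_no, section, rule, line_no_of_first_unmarked_rule_above).
    """
    findings = []
    section, first_plain = None, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            section, first_plain = header.group(1).upper(), None
        elif section and ">" in line:          # a source>target rule
            if line[0] in "!$":                # assumed: marker is 1st char
                if first_plain is not None:
                    findings.append((no, section, line, first_plain))
            elif first_plain is None:
                first_plain = no
    return findings

if __name__ == "__main__":
    for no, section, rule, above in misplaced_marked_rules(SAMPLE_INI):
        print(f"line {no} [{section}]: {rule} is below unmarked rule on line {above}")
```

Run against a backed-up copy of the ini file before switching from logging to [LETHAL]; an empty result means every marked rule precedes the unmarked rules in its section.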
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,302
    In terms of how you work with the program nothing is going to change in the release. You still have to manually install, and manually edit the ini file.

    You're right, it is more of a hassle than checking boxes, but there isn't anything you can check boxes in to provide comparable protection
     
  24. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    244
    tray.png
     
  25. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    428
    Location:
    Far East
    Ok looks not that difficult. I'll trial it later when it's released.

    BTW your example only shows for applications, right? How about Windows processes? I believe they need protection too or are they protected by default?

    Thanks