Pete, what version of Reflect are you using? Are you on version 7? Do you have free version or a paid version? Yesterday, my Reflect 7 Home updated to version 7.2, and I started to get BSODs when MZWS is running. Just wondering if a different version of Macrium might work better.
Equally resting with version 6 on this end as well. Last thing we want to find is something going awry which seems to happen sometimes on new upgraded modified code. Especially when vendors are trying to catch up with twists and turns Windows 10 is tasking them with on compatibility to re-balance a stable product. Windows 8.1 x64 here.
Thanks to Pete and to EASTER It turns out the conflict with MZWS was caused by some component of Reflect 7 paid edition. Right now I am running the latest and greatest of Reflect free, 7.2.3811, and finally, no conflicts.
Thanks, but I don't even have a license. I was on trial version, having reinstalled Windows less than 30 days ago.
Nice to learn the conflict passed and everything works as expected alongside your selected security app now. Out of curiosity could you return another reply sometime when you get a chance to go over things on what you find very useful with that new version (free) that you have running now in comparison to say the version 6? In the Macrium topic thread of course.
New version released. More info available in the Newsblog (2020/01/06) [or in this post] Download MZWriteScanner (Binaries last updated on 2020/01/06)
Just to let you folks know, EXCUBITS is no longer available on the net and the Company is undergoing what the developer calls a "strategic realignment." I don't know how ominous this is but the product(s) Developer remains available at <info@excubits.com> to assist anyone with fully licensed application issues.
Very sad that I did not buy MZWriteScanner before it was gone. I tried the latest demo recently. Just post to confirm that the latest demo works well on Windows 10 20H2. No expiry and INI file is limited to 16KB actually. Some history before it became marketed as product on Excubits. Anyone has those old copies, please message me. Thanks. ================================================ MZWriteScanner - Monitor Your PC Against Malware 2013/10/07 (updated 2013/10/20) by Flo Thinking about different approaches to monitor malware while they are installing their evil code on your machine I ended up in a monitoring minifilter driver that might help you out analyzing potential zero-days and other malicious stuff on your forensics machine. MZWriteScanner is a simple minifilter that intercepts IRP_MJ_CREATE, IRP_MJ_CLEANUP and IRP_MJ_WRITE (and some other) to track what files should (and will) be written on your disk. The driver checks if a file contains the magic bytes for an executable, namely the string 'MZ'/'ZM' at offset (0) of the file. If this is the case MZWriteScanner outputs the filename via DbgPrint and writes the path and filename to %SystemRoot%\mzwritescanner.log. Well, the approach seems to be a bit cheesy on the first view, but should work for many malware executables that hit your face through drive-by exploit kits. Since version 2.1 the driver needs a configuration file at %SystemRoot%\mzwritescanner.ini where you are able to enable the so called lethal mode which enables you to deny execution of newly written executable files and to whitelist paths or files that are allowed to contain newly written executables without blocking them. The latter might be helpful in automated scenarios where you might want to allow updating system executables (e.g. the executables of patches, updates etc.) or anti-virus tools. But be careful with what you gonna whitelist, because whitelisting the wrong path or file might open the doors for potential malware -- keep that in mind! The whitelist in %SystemRoot%\mzwritescanner.ini *must* be in UNICODE file format and must contain at least one line enabling or disabling the blocking mode: [LETHAL] to enable it, or [#LETHAL] to disable it. If you would like to whitelist some paths or files, just add their path and/or name in a line followed by an asterisks before the new line. See the following example: [LETHAL] whitelist* \Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Definition Updates\* \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download\* \Device\HarddiskVolume2\Users\XXX\Desktop\Dbgview.exe* \Device\HarddiskVolume2\Windows\System32\Drivers\Dbgv.sys* To install the driver just go into the binaries path regarding your version of Windows (Windows x86/x64 Vista, 7 and 8. Then right-select the .inf and hit "install". Then run one of the cmd-scripts to start, stop, restart and uninstall the driver. Do not forget to fire up DbgView to peek the messages the driver prints out. Make sure to disable driver signing on 64-bit versions of Windows, the driver was not signed yet. The driver is for educational and test purposes only. It might contain bugs that lead to system crashes and other damages to your system. Use the driver by and on your own risk. Only try it on a non production environment. I am not responsible nor liable for any damages caused by using the driver. The target audience for MZWriteScanner are Windows enthusiasts (IT forensic guys and hackers). You can download the whole package here: MZWriteScanner.zip Code: (Used to be there @ http//:www.bitnuts.de/MZWriteScanner.zip but now it is gone) ======================== MZWriteScanner: A minifilter that monitors executables written on your disk 2012/10/20 by Flo Thinking about different approaches to monitor what malware does while this crap is installing its evil code on your machine I ended up in a monitoring minifilter driver that might help you out analyzing potential zero-days and other malicious stuff on your forensics machine. MZWriteScanner is a simple minifilter that intercepts IRP_MJ_CREATE, IRP_MJ_CLEANUP and IRP_MJ_WRITE to track what files should (and will) be written on your disk. The driver checks if a file contains the magic bytes for an executable, namely the string 'MZ' at offset (0). If this is the case MZWriteScanner outputs the filename via DbgPrint so you can track it. Well, this is a bit cheesy but should work for many malware executables. The filter does no blocking on the written files thus malicious code might be executed. If there is demand I will probably adjust the driver. Right now it is just a monitoring driver, NO intercepting or blocking will be performed, so beware of what you are writing and executing on your machine! The driver heavily bases on Microsoft's Scanner File System Minifilter Driver and PassThrough File System Minifilter Driver. As some homework for you: Just combine the best of these two drivers, think about what happens if a file is gonna be written on your disk and how to determinate an executable by its MZ/PE-header. The resulting driver should be something like MZWriteScanner. You can download MZWriteScanner for Windows XP, Vista, 7 and 8 (32bit and 64bit). Please follow the link below. If you have any questions, suggestions, comments or bug reports contact me by e-mail. Download MZWriteScanner: Code: http://bitnuts.de/MZWriteScanner.zip but now it is gone. I would like to credit Microsoft and the Honeyproject for their ideas, whitepapers and great driver sources. Thank you guys for sharing your code and knowledge. I really appreciate your work, because it gives a very good overview and in depth look into drivers. Peering Inside the PE: A Tour of the Win32 Portable Executable File Format http://msdn.microsoft.com/en-us/library/ms809762.aspx Portable Executable http://de.wikipedia.org/wiki/Portable_Executable PassThrough File System Minifilter Driver http://code.msdn.microsoft.com/windowshardware/passThrough-File-System-f9975611 Scanner File System Minifilter Driver http://code.msdn.microsoft.com/windowshardware/Scanner-File-System-426c8cbe Windows 8 Driver Samples http://code.msdn.microsoft.com/windowshardware/Windows-8-Driver-Samples-5e1aa62e/view/SamplePack/4?sortBy=Popularity CaptureFileMonitor.c https://projects.honeynet.org/svn/capture-hpc/capture-hpc/tags/2.5/capture-client/KernelDrivers/CaptureKernelDrivers/FileMonitor/CaptureFileMonitor.c
Yeah not very generous as most third party developers are. More like a tease. It was obsolete pretty fast. Shame that guy cut it way too fine on the logfile size on purpose. And then since a year ago just said heck with it.
