MZWriteScanner

Discussion in 'other anti-malware software' started by Mr.X, Feb 16, 2017.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well I need to do some white listing of my EIS program updating. MZwritescanner completely shut it down. It did its job. And yes I did write Florian.
     
  2. TheRollbackFrog

    TheRollbackFrog Registered Member

    Joined:
    Mar 1, 2011
    Posts:
    4,459
    Location:
    The Pond - USA
    Without extensive WHITELISTing, MZ will shut down a ton of stuff... think program installs/updates, FileSyncing utilities, even commonplace unArchiving like ZIP or RAR unZIPing program executables, etc.

    It'll get wild as you go along... :)
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,373
    Location:
    Under a bushel ...
    I suspected as much :eek:.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    ROFL. I finally got my white list set up for allow for EIS software versions automatic updating. It was kinda like Linus playing football with Lucy. The target kept moving. Yes it may take a bit of work at first, but to me it's worth it because it's not an everyday thing. And I love the extra protection. That makes it worth it.

    Pete
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You could also switch this thing around into a Default Allow type of setup with a * wildcard in the whitelist section, then specifying locations within the blacklist section in which you want to monitor more closely. This is my preferred scenario at the moment.

    I suppose similar to MemProtect, it might be good to have Florian develop a [DEFAULTALLOW] switch for MZWriteScanner as well. Either way, once I setup my configs for Bouncer, MemProtect, etc. I have not had to make any modifications to my setups for several months now and allows for great flexibility for my overall daily workflows. These drivers become fantastic "set-and-forget" protection once dialed in to your specific machine/workflow.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well when I set up my second machine I configured it the same as the first. That once I have one setup no two falls right in line. Ihave no issue with the way it is now. Sure it's a bit work but when done,it's done.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I heard back from Florian on the 3 issues

    1. When an 2nd file is dropped, the icon doesn't respond.

    Florian said there appeared to be a problem in the tray app. Will fix

    2. The Forensic option.

    He said it wasn't turned on yet. Said he could make a build with it on.

    3. The tray icon color for off. He sent me a new icon that is gray. Looks good. will be in next build.

    Excellent timely support.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Good to see. I'm excited to see when this next build comes along.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Wowser. I just ran a script file with Locky in it. For sure Appguard, VS and ERP would have shut it down, but I just wanted to see what MZwritescanner on it's own could do. WIthout turning off the driver there was just no getting to run. It doesn't block the script file of course but the script drops a tmp file and that is blocked. So you clear the log file and then restart the script. Runs till it drops the tmp file again, and it''s game over for the malware. Couldn't get it to run. Now that is cool.
     
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    39,394
    I agree. Once you have set it up the configuration, you forget about that Excubit-tools are running and protecting you all the time :)
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I was thinking about the idea of blank white list with exceptions black listed. Won't work for th is driver. Give me a bit of time and I'll explain later.

    Pete
     
  12. TheRollbackFrog

    TheRollbackFrog Registered Member

    Joined:
    Mar 1, 2011
    Posts:
    4,459
    Location:
    The Pond - USA
    It should work... you should be able to use PRIORITY rules in the BLACKLIST to inhibit areas of the WHITELIST entry if needed.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Froggy, think about. In this case, if you were to whitelist everything, how would you know what to black list. By black listing everything it blocks anything dropped on the disk. Then it is okay you white list it.
     
  14. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    strongly considering giving mzwritescanner a try on my win7x64, but it sounds like I'd have to make time to really get into it. Historically, I have used Appguard, VS & ERP, but right now just VS of those 3. sounds like you're perhaps in a testing VM, and you're not running mzwritescanner with VS. do you know if mzws will conflict with VS, or do you suggest just not running both at the same time??
     
  15. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    39,394
    Sometimes i use them all together, and they don't conflict with each other :)
    Make sure to switch to Install Mode before you install other applications, because MZWritescanner might block your installer or other temporary files which are dropped to blacklisted locations.
    Or, an AV for example might drop files/signatures to a specific directory several times a day and MZWriteScanner is blocking it every time. In this case you can whitelist the location, so it isn't blocked anymore.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi SimmersK00l

    Yes I am running them together. In the VM for testing, and on my host machine(s) for real. And no you can't install and ignore it. But once you get it setup, then it is pretty trouble free. Also I do run Appguard,ERP and VS. I have reasons but it might be overkill for you.
     
  17. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    Thanks Peter!!
     
  18. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    The new MZWriteScanner now also is able to log written EXE-files in a forensic directory (c:\windows\$forensics\) - that is cute :) I guess this is helpful to analyse dynamically written stuff that get deleted or changed over time. I hav seen malware droppers that quickly delete or overwrite themselve on runtime, so with this you can still get such malware afterwards. But I think enabling it for the whole runtime can also be dangerous. What would you guys recommend? Turn it always on or just for forensic/analysis (as name of it recommends)?
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    As noted on Excubits blog, all of the kernel-mode drivers have been updated (demo and paid). But particularly MZWriteScanner received quite a bit of improvements with regard to efficiency. There was also a bug that affected the processing of wildcards that was quite an important fix and may have lead to crashes in some situations or at the least, some inconsistencies in rule processing. This is definitely the best version of MZWriteScanner so far.

    Link: https://excubits.com/content/en/news.html


    Some appreciation there for @TheRollbackFrog and @Peter2150 I believe. Thank you to anyone who has shared there suggestions and bug reports to improve MZWriteScanner for all us. :thumb:
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Florian really stays on top of stuff.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Heads up guys. I don't know whether this is a bug or design change: The earlier version, if you dropped an exe, the icon alerted. You could look at the log file, but as long as you left it in the log execution would be blocked. The new version still alerts, but once you look at the log it no longer blocks. I don't like that.

    I've just reported it and will post when I hear back. Just be aware.
     
  22. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    39,394
    You mean, after looking at the log it isn't blocking the file anymore (or clearing)?
    Looking at the log shouldn't affect the protection.
    Only clearing the log-file is affecting the protection, because the service is restarted and all remembered files are discarded.
    :doubt:
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That's correct. Try it and see if you can duplicate my results. Like I said I have reported it to Florian
     
  24. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    39,394
    I forgot to mention it in my post, but i tried it and MZWriteScanner was still protecting files.
    To be sure i tried it again:
    a) Green tray-icon is displayed
    b) a file has been blocked, tray-icon turns red.
    c) another execution of the same file = file is blocked, tray-icon is still red
    d) Rightclick on tray-icon: Open log-file, tray-icon turns green
    e) execution of the previously blocked file = it is blocked and stays blocked...
    Code:
    *** excubits.com demo ***: 2017/04/08_17:09 > W:C:\Program Files\totalcmd\TOTALCMD64.EXE > C:\test\DriveLetterView.exe > a36885e04b3ad2609f36d9095c64d69516ec1981e1b181b0429fa47499270b0c
    *** excubits.com demo ***: 2017/04/08_17:09 > X:C:\Program Files\totalcmd\TOTALCMD64.EXE > C:\test\DriveLetterView.exe
    I was not able to reproduce it on my system :(
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I'll retest, but when I first tried I forgot I had Appguard on. When you test be sure nothing else is blocking.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.