MZWriteScanner

Discussion in 'other anti-malware software' started by Mr.X, Feb 16, 2017.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,972
    Location:
    Under a bushel ...
    After round one of updating the .ini: 'System error 1450 has occurred. Insufficient system resources exist to complete the requested service'.
    It is already at 4KB, so I have purchased a license.

    Edit: My PayPal purchase has been processed but I have not received a link. Is it a manual process and should I be patient? I ask because I had problems before (with FIDES).
     
    Last edited: Jun 3, 2017
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    It is a manual process. And I'm not sure if they are working on a Saturday :doubt:
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,972
    Location:
    Under a bushel ...
    They do :eek:. Just got it :thumb:.
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,972
    Location:
    Under a bushel ...
    I kinda wish MZWriteScanner also had the option to whitelist a 'parent', because in some cases this would simplify and/or improve the whitelist ... some examples.

    I use Zoolz to backup to the cloud but for every item backed up, an entry is created e.g.
    2017/06/03_18:30:43 > W:C:\Program Files\Genie9\Zoolz2\Zoolz.exe > C:\My Portable Applications\Vivaldi\Vivaldi.1.10.862.6.x64.exe > b4393d97febb6970c5bc5298d6b00efda58a5bf996262a1dfb1c7df99423c46a
    In this case essentially I have to whitelist C:\My Portable Applications\*\*.exe but it would be easier, and better, to whitelist C:\Program Files\Genie9\Zoolz2\Zoolz.exe

    Also:
    2017/06/04_07:36:52 > W:C:\Program Files (x86)\CCleaner Cloud\CCleanerCloudAgent.exe > C:\Windows\Temp\cpuz138\cpuz138_x64.sys > 8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775
    2017/06/04_07:36:55 > W:C:\Program Files (x86)\CCleaner Cloud\CCleanerCloudAgent.exe > C:\Windows\Temp\920b141e-d5a8-4b35-ba67-fc14448572ff > 40b7885c0d3b9a14acdff68f2963a0e7397f425d7d3f7d590930f942623733b7

    To whitelist the second entry, I would need C:/Windows/Temp/* or similar, which looks like a bit of a 'hole'. Again, C:\Program Files (x86)\CCleaner Cloud\CCleanerCloudAgent.exe would be better ...

    I already have entries like this to accommodate googleupdate IIRC.
    C:\Users\nnnn\AppData\Local\Temp\*-*-*-*-*\*.dll
    C:\Users\nnnn\AppData\Local\Temp\*-*-*-*-*\*.pyd


    Or am I misunderstanding, and this would completely mess with the 'philosophy' of MZWriteScanner?
     
  5. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    Important is the path where the files have been dropped to.
    Whitelisting the whole location "C:\Windows\Temp" is not a good idea.
    If you are running programs which are dropping/writing a lot of files, then it might be a better idea to turn off the protection temporarily.
    And if you whitelist "C:\My Portable Applications\*\*.exe" you are allowing your portable applications to drop files to this directory (especially your browser, which is able to drop malware or other "bad things")

    Either turn the protection off temporarily or whitelist all needed locations.
    But I would turn the protection off instead of having too many exceptions in the .ini.

    Maybe you can suggest it to the developer ("whitelisting of parent processes")
    If MZWriteScanner is able to mention the parent process of dropped files in the log-file, then I'm sure that the developer is able to implement such a "whitelist-feature" :doubt:
    It only has to "compare" the parent process of the dropped file with the whitelisted parent process in the .ini. If they are equal, the dropped file isn't blocked.
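    The log format quoted above and the two whitelisting styles compared in this exchange, as an added example (not MZWriteScanner's own code or .ini parser): it parses entries of the form shown, matches .ini-style path wildcards, and models the parent-process comparison mood describes. The wildcard semantics (`*` confined to one path component, case-insensitive) are an assumption, and the fourth log line with its all-zero hash is constructed.

```python
import re

# Constructed sample: the first three entries are the ones quoted in this
# thread; the fourth (and its all-zero hash) is made up to show a different
# parent process writing into C:\Windows\Temp.
SAMPLE_LOG = r"""
2017/06/03_18:30:43 > W:C:\Program Files\Genie9\Zoolz2\Zoolz.exe > C:\My Portable Applications\Vivaldi\Vivaldi.1.10.862.6.x64.exe > b4393d97febb6970c5bc5298d6b00efda58a5bf996262a1dfb1c7df99423c46a
2017/06/04_07:36:52 > W:C:\Program Files (x86)\CCleaner Cloud\CCleanerCloudAgent.exe > C:\Windows\Temp\cpuz138\cpuz138_x64.sys > 8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775
2017/06/04_07:36:55 > W:C:\Program Files (x86)\CCleaner Cloud\CCleanerCloudAgent.exe > C:\Windows\Temp\920b141e-d5a8-4b35-ba67-fc14448572ff > 40b7885c0d3b9a14acdff68f2963a0e7397f425d7d3f7d590930f942623733b7
2017/06/04_09:12:01 > W:C:\Users\nnnn\Downloads\unknown.exe > C:\Windows\Temp\dropper.dll > 0000000000000000000000000000000000000000000000000000000000000000
""".strip().splitlines()

# Rules in the two styles discussed: what the .ini supports today (path
# wildcards) and the proposed alternative (whitelist the writing process).
PATH_RULES = [r"C:\My Portable Applications\*\*.exe", r"C:\Windows\Temp\*"]
PARENT_RULES = [r"C:\Program Files\Genie9\Zoolz2\Zoolz.exe",
                r"C:\Program Files (x86)\CCleaner Cloud\CCleanerCloudAgent.exe"]

def parse_entry(line):
    """Split 'time > OP:parent > target > sha256' into a dict."""
    stamp, op_parent, target, digest = [f.strip() for f in line.split(" > ")]
    op, parent = op_parent.split(":", 1)          # "W:C:\..." -> ("W", "C:\...")
    return {"time": stamp, "op": op, "parent": parent,
            "target": target, "sha256": digest}

def path_matches(pattern, path):
    """.ini-style wildcard match. Assumption (not verified against the
    driver): '*' matches within one path component only, case-insensitively."""
    regex = "".join(r"[^\\]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, path, re.IGNORECASE) is not None

def decide(entry, path_rules=(), parent_rules=()):
    """'allow' if any rule covers the write, otherwise 'block'."""
    if any(path_matches(p, entry["target"]) for p in path_rules):
        return "allow"
    if any(entry["parent"].lower() == p.lower() for p in parent_rules):
        return "allow"
    return "block"

def audit(lines, path_rules, parent_rules):
    """Per entry: (target, verdict under path rules, verdict under parent rules)."""
    return [(e["target"], decide(e, path_rules=path_rules),
             decide(e, parent_rules=parent_rules)) for e in map(parse_entry, lines)]

if __name__ == "__main__":
    for target, by_path, by_parent in audit(SAMPLE_LOG, PATH_RULES, PARENT_RULES):
        print(f"{by_path:5} / {by_parent:5}  {target}")
```

    The fourth entry is the "hole" paulderdash describes: the `C:\Windows\Temp\*` path rule allows it no matter who wrote it, while the parent-process rule only allows writes from the two named agents.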
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,972
    Location:
    Under a bushel ...
    Agree. But difficult with scheduled jobs. Although I am tempted to remove those ...
    May not be a priority for him, but will ask Florian (thanks for your input) nonetheless.
     
  7. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    The good thing is, every file with an MZ-header will be detected. No matter what extension the file has :)
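    An added illustration of the content-based detection mood refers to (not Excubits' code): a buffer is classified by its MZ stub and, more strictly, by following e_lfanew to the PE signature, so the file extension never enters the decision. The sample buffers are constructed, not real binaries.

```python
import struct

def looks_like_mz(data: bytes) -> bool:
    """True if the buffer starts with the DOS stub signature 'MZ' (0x5A4D)."""
    return len(data) >= 2 and data[:2] == b"MZ"

def looks_like_pe(data: bytes) -> bool:
    """Stricter check: read e_lfanew at offset 0x3C and expect 'PE\\0\\0' there.
    A bare MZ stub (e.g. a 16-bit DOS program) passes looks_like_mz but not this."""
    if not looks_like_mz(data) or len(data) < 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify(name: str, data: bytes) -> str:
    """Classify by content only; the name is echoed but its extension is ignored."""
    if looks_like_pe(data):
        kind = "PE image"
    elif looks_like_mz(data):
        kind = "MZ executable (no PE header)"
    else:
        kind = "not executable"
    return f"{name}: {kind}"

def _fake_pe() -> bytes:
    """Constructed minimal DOS header whose e_lfanew points at a PE signature."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew: right after the DOS header
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20

FAKE_PE = _fake_pe()

if __name__ == "__main__":
    # The same bytes saved under a harmless-looking extension are still caught.
    for name, data in [("setup.exe", FAKE_PE), ("notes.txt", FAKE_PE),
                       ("stub.dat", b"MZ" + b"\0" * 10), ("readme.txt", b"hello")]:
        print(classify(name, data))
```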
     
  8. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    First serious attempt to run an excubits app, mzwritescanner_demo. The readme seems clear enough, :doubt: but... I installed the driver with right click of inf "install" per directions. I assume it installed but did not (auto)start itself as I'm not finding its log file in \windows or anywhere on hdd. Then executed start driver.cmd and I get
    System error 5 has occurred.
    Access is denied.
    I am logged-in to win7 as an admin?
    So I googled error 5 and got a hint, and try again thinking this time it has to work,
    but I now get system error 2, and not immediately finding any good hints.
    I'm rusty with cmd line, but not "afraid" of it. I'd like to get mzwr running. Clues gladly accepted.
     
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    5 = You don't have sufficient rights to start/stop the driver.
    Make sure to run the command-line as Administrator.
    And make sure to copy MZWriteScanner.ini to c:\Windows\MZWriteScanner.ini

    To verify if the driver is running, launch status.cmd.
    You should see something like:
    STATE : 4 RUNNING

    If it is running, start your browser and download something. Now it should appear in the file: c:\Windows\MZWriteScanner.log
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi simmersKool

    You need both the driver and the ini file in the windows directory. Then what I do is take the start utility and move it to the windows autostart directory so the tool starts with the system. That way you will get the tray program on every system start.

    Note guys: This driver does need some babysitting. You will have to turn it off on every install and uninstall of any software. The protection is incredible but it can also be a bit of a pain.

    Pete
     
  11. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    Thanks mood & Peter, I skipped over (missed) the step of putting the ini in the windows dir. I had been reading this thread some months ago, and then put it aside and then jumped back in last night without reading new or re-reading older posts. Will try running mzwr again shortly.
    thanks for reminder about installs and uninstalls, but for me, for now purely logging.

    EDIT: I went back to start mzwr again, and still some "issues," then recalled the other night when I opened demo.exe, it seemed like maybe there was a glitch, so... tonight I started over from the beginning, uninstalling, reinstalling, etc, and it was as easy as falling off a log, almost easier. Log file and ini file were in c:\windows, the log file seems to be logging ok. So now I'll re-read all posts, get up to speed and send Florian some $$. Thanks!!
     
    Last edited: Dec 21, 2017
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Keep us posted.
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,972
    Location:
    Under a bushel ...
    Indeed, does need quite some babysitting. I PM'd Florian about the possibility of some sort of whitelisting via parent process (#106), but didn't get a response.
     
  14. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    175
    Location:
    Europe
    Also asked this. He is evaluating and there is a good chance this is gonna be implemented in MZwritescanner.
     
  15. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    as I said, when I reinstalled mzwr from scratch and restarted it, everything was in place and it was running and (only) logging on my win7_64, (default ini) seemingly aok, but...
    I think there was some incompatibility with some installed apps, either VS, AG, or comodo firewall @ cruelsister settings, and after about 18 hours the system got slow & buggy and was hanging. It was hanging to the extent that when I tried to reboot it froze, and I had to crash it. I restarted in safe mode and removed mzwr, for now, and pc is running super fine again. my best guess is that cf that did not like mzwr, but I could not pin it down. I'll play with mzwr some more but give it a rest for a few days. (maybe go back and read thru all the posts). Lately, I'm (re)thinking about what's a good extra layer of security versus redundant and overkill.
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,972
    Location:
    Under a bushel ...
    :thumb:. Would make it more usable for me.
     
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    Important update:

    Adjustments for Windows 7 and optimization of the read buffer
    Update for MZWriteScanner
    https://excubits.com/content/en/news.html 2017/12/23
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks Mood
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi simmersK00L

    I saw no compatibility issues with Appguard and VS up to ver 3.59b. Never used Comodo so you might start with that and then try the new VS. But you need to do a complete uninstall not just turn them off.
     
  20. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    Thanks peter2150 (& saw mood's post about win7, wonder if that was any issue for me?). Per Dan, VS 4.xxb is "different" than 3.59; 4.14b seems like he's worked out most if not all of the bugs. I do suspect cf troubling mzwr primarily because cf immediately sandboxed the cmd scripts so I had to fix that one by one. Gotta say, I like cruelsister's videos, and now over time I've come to consider cf@cs primary protection, ie, not ready to abandon it, at least not now. But I remain interested in excubits, and gee Florian just sent me a christmas email. :thumb:
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    From: https://excubits.com/content/en/news.html

     
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,972
    Location:
    Under a bushel ...
    Good. Florian told me in response to PM it was coming.
     
  23. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    The coming version of MZWritescanner will get a persistent cache and is able to block newly written files after a reboot :thumb:

    Behind the scenes of MZWriteScanner and Meltdown & Spectre
    MZWriteScanner, Meltdown and Spectre
    https://excubits.com/content/en/news.html 2018/01/08
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @mood Thanks for the heads up. That is fantastic news! :thumb:
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,972
    Location:
    Under a bushel ...
    Waiting for this one, will start from scratch and redefine my rules.
     