MZWriteScanner

Discussion in 'other anti-malware software' started by Mr.X, Feb 16, 2017.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Ladies and Gents, there appears to be a new MZWriteScanner build available in Beta Camp (https://excubits.com/content/en/products_beta.html). I am assuming that this is the one which supports parent process control/checking. Florian may have done this similar to recent Bouncer beta, in which the parent rules are combined with the regular WHITELIST/BLACKLIST sections. There has not yet been a blog post to announce this build yet although there were a couple of blog posts suggesting that it was coming soon.

    The drivers are SHA1/SHA256 signed which is great. Although it is not Microsoft Windows cross signed at the moment. This is better than having to use Test Mode for running unsigned binaries though.

    Here is example MZWriteScanner.ini included in updated package:
    Code:
    [#LETHAL]
    [LOGGING]
    [#FORENSICS]
    [SHA256]
    [#READBUFFERX8]
    [WHITELIST]
    [BLACKLIST]
    *>*
    [EOF]
    
    EDIT: Yes, I can confirm now that this is definitely supporting of parent process checking. Excellent stuff here! :thumb:

    And supposed to retain list of hashes to continue blocking newly dropped binaries after reboots as well. :cool:
     
    Last edited: Jan 15, 2018
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Do you know if it will function as a licensed version in terms of size of ini file
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I don't know exactly how to check that easily. You may have to confirm this with a quick email to Florian. I know that in the past, quite often his testing or demo builds would not allow for the full sized ini file. However, if you were to ask Florian directly through email, he would quite often do a custom (unrestricted) build for users who have full licence. So I would suggest sending him a quick email.
     
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    I have tried the beta and the limit is 16KB :)
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks Mood. My ini file is only 6kb so I should be in good shape. How did you like the new version
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    The new version is running fine, but i haven't played with the new feature yet (parent-rules).

    If i am not wrong, i can now add parent-rules for protecting of specific applications (no matter where a file is being dropped to by a blacklisted application, the file can be tracked & blocked by MZWriteScanner) (bonus: ... even after a reboot [persistent cache])

    Scenario:
    old version: if the browser drops a file to a whitelisted place, the file isn't tracked and can be executed.
    new: the browser is now protected with a parent-rule and any file dropped by the browser will be blocked (and will be blocked after a reboot)
     
  7. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    A good thing is, that for example a filemanager can be whitelisted.
    One of the jobs of a filemanager is to copy files and if i intentionally copy files to specific places (and i really want the filemanager to execute the file afterwards) i don't want MZWriteScanner to interfere.

    (Remember: If a file is already being tracked by MZWriteScanner, copying it with a filemanager doesn't change the status - the file stays being tracked)

    One more idea for parent-rules: Backup programs
    Code:
    [WHITELIST]
    # Parent-rules
    # <insert the path to your backup program here>*
    # AppCheck
    C:\Program Files\CheckMAL\AppCheck\AppCheck*.exe>*
    # Filemanager
    C:\Program Files\totalcmd\TOTALCMD64.EXE>*
     
  8. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    175
    Location:
    Europe
    Thanks for letting us know.

    Confirm, also test it and 16KB is the limit here.

    One thing to mention (cause I first had problem): you need a folder in Windows dir (C:\Windows\$FORENSICS) or cachin is not working. Smart idea, they dont save list of newly wirtten exe in memroy or file (=mem consumption and maybe other problems), they use file system in the $FORENSICS directory. Hmm, there is pro and contra about this approach, but for me it sounds clever.

    Asked Florian about timeline: they will test the driver and then push the stable version. There is also something other coming, he told me that this was just beginning. They work on another product which make use of MZWriteScanner and other driver - whatever it will be...it remains exciting
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,972
    Location:
    Under a bushel ...
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    Yes, elegant approach. After i have restarted MZWriteScanner, a previously blocked file was still blocked. It seems to check the $FORENSICS directory and if a file is in it, it will be always blocked (after a reboot or restart of the service)
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Faster processing with [FASTHASH] option
    New Beta of MZWriteScanner
    2018/01/30 F. Rienhardt
    Link: https://excubits.com/content/en/news.html

     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    Thanks :thumb:
    This will be a great speed increase :thumb: especially for owners of hard disk drives (yes, there are still owners of hard disk drives ;))
    And especially for users of the beta (see below)

    Quick overview of "When does MZWriteScanner need to hash files":

    Stable version: As soon as a file gets on the blacklist, MZWriteScanner need to hash all future files which are introduced onto the system.
    This is also the case for renamed files (to be more specific: written, copied, renamed or moved files) (renaming of a file => new file => MZWritescanner hashes the file => and compares it with the blacklist)
    = As long as no file is on the blacklist (or a file has been dropped), MZWriteScanner doesn't even need to hash anything
    (System has been restarted, no file has been dropped yet = MZWriteScanner is "idle")

    Beta version: Now with the persistent cache (files/hashes which are located in the C:\Windows\$FORENSICS folder) MZWriteScanner must hash each file which is about to be executed (not only dropped files)
    (System has been restarted, no file has been dropped yet = MZWriteScanner is always hashing files (but only if the $FORENSICS folder isn't empty), and is comparing it with the hash in the $FORENSICS folder)
     
  13. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    The layout in the log file has changed a little bit with the newest beta:
    Code:
    beta:
    File has been dropped:
    *** excubits.com demo ***: 2018/01/30_17:14 > W:C:\Program Files\totalcmd\TOTALCMD64.EXE > C:\Program Files\12\MediaInfo_GUI_0.7.98_Windows.exe > adff6a1e55614bab53785a2c1904bca7945f7fa5781aff221a1e6532923a422d
    Launching was prevented:
    *** excubits.com demo ***: 2018/01/30_17:15 > X:C:\Program Files\totalcmd\TOTALCMD64.EXE > C:\Program Files\12\MediaInfo_GUI_0.7.98_Windows.exe
    
    beta (new):
    File has been dropped:
    *** excubits.com demo ***: 2018/01/30_17:57    WX    C:\Program Files\totalcmd\TOTALCMD64.EXE    C:\Program Files\12\MediaInfo_GUI_0.7.98_Windows.exe    c850120de1077eb9559d29d35367152d4216b10b23e6cc0f208dcb94658ae2c7
    Launching was prevented:
    *** excubits.com demo ***: 2018/01/30_18:01    XW    C:\Program Files\totalcmd\TOTALCMD64.EXE    C:\Program Files\12\MediaInfo_GUI_0.7.98_Windows.exe    c850120de1077eb9559d29d35367152d4216b10b23e6cc0f208dcb94658ae2c7
    
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Mood

    Thanks for this. I was having trouble getting the beta to work. This post of yours help me figure out what was going on.
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Coming soon in the next beta of MZWriteScanner:
    And all in kernel-mode... Pure genius! :thumb:
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Let me know when he releases it to beta. I'll play, and I totally agree with the Pure Genius.
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,972
    Location:
    Under a bushel ...
    Been holding off on betas, but there sure is a lot of new functionality coming in the new version :).

    Asides ... wondering if these improvements will be incorporated into the planned Malware Mitigation (https://malwaretips.com/threads/nee...-application-sandbox.75992/page-7#post-696517), and if that would be able to co-exist with NVT OSA for a relatively simple set-and-forget anti-malware solution. Lack of GUIs for Excubits drivers no doubt deters many, but I'm sure that wishing for that is a lost cause.
     
    Last edited: Feb 8, 2018
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am running the latest beta of MZwritescanner, and it's fine with NVT OSA. But MZwritescanner is not a set and forget piece of software and I wouldn't hold my breath for a GUI. BUT what MZwritescanner is, is a phenomenal piece of protection.
     
  19. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    A new beta is available now :thumb:

    New feature: Block executables from external drives

    New beta version of MZWriteScanner
    2018/02/07
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    There is an updated (2018-02-19) binary package available for MZWriteScanner on Beta Camp page.
    Link: https://excubits.com/content/en/products_beta.html

    I am not sure what the latest changes are but quite likely just small fixes to polish things off. The latest that Florian told me was "MZWriteScanner is now able to detect external drives and users can automatically block executables from there.".

    MZWriteScanner is going to be absolutely solid protection against malware combing from external drives in addition to the solid protection (and granular control) that it already has.

    I still run my setup with just Bouncer and MemProtect and I still have not played much with MZWriteScanner lately. But I definitely need to find some time to add this to my setup.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    My quick assessment. It is some what of a pain if your system changes a lot, but it oh so solid a protection I wouldn't want to be with out it.
     
  22. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    Code:
    2018/03/01_11:36    WX    C:\Program Files (x86)\XYplorer\XYcopy.exe    C:\drop\acpi.sys
    2018/03/01_11:36    WX    C:\Program Files (x86)\XYplorer\XYcopy.exe    C:\drop\MZWriteScanner.sys
    2018/03/01_11:37    WX    C:\Program Files (x86)\XYplorer\XYcopy.exe    C:\drop\veracrypt.sys
    2018/03/01_11:37    WX    C:\Program Files (x86)\XYplorer\XYcopy.exe    C:\drop\SbieDrv.sys
    
    MZWritescanner is able to "detect" kernel mode drivers [.sys binaries] after they have been dropped to disk because of the MZ signature (even kernel mode drivers have one) but sad news: It isn't able to actually block them.
    A different solution is needed to achieve this.
     
  23. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    I think it wasn't mentioned before but how does MZWriteScanner detect dropped files?
    There is an old blog entry (year 2013) which is explaining it:
    For more details about these interceptions, Microsoft is providing them: IRP_MJ_CREATE, IRP_MJ_CLEANUP, IRP_MJ_WRITE
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Would it be worthwhile asking Florian why .sys binaries are detected but not blocked?

    I wonder if he may have a trick to make the blocking work if he is aware of this.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Never hurts to ask.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.