MZWriteScanner

Discussion in 'other anti-malware software' started by Mr.X, Feb 16, 2017.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @mood @paulderdash Excellent, thank you both. I am hoping to give this a try later on today. :)

    EDIT: Also I just saw your most recent reply, mood. This is great. So very similar to Bouncer, it seems that we can use a combination of regular rules and parent rules in the recent beta. That is a nice surprise.
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I have a basic MZWS setup now and it has come a long way in terms of development since I had last tested it. This FASTHASH is especially nice and efficient. I would love to see FASTHASH in Bouncer one day.

    @mood With MZWS, can you specifically whitelist or blacklist a binary based on hash only? Just curious about this one.
     
  3. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
This rule should block everything? Correct?
    Code:
    [LETHAL]
    [LOGGING]
    [#FORENSICS]
    [SHA256]
    [#READBUFFERX16]
    [FASTHASH]
    [WHITELIST]
    
    [BLACKLIST]
    *>*
    [EOF]
    
    
I can copy-paste a sys file.
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @co22 Yes, that will log everything but you should put in non-lethal [#LETHAL] first to ensure system stability.

    I would suggest instead of *>*, you could simply just use: *

    Either way will work.
     
  5. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
Hello dear WildByDesign,
I made that mistake and used [LETHAL], but I successfully logged in to Windows after the restart and was able to copy-paste the sys file everywhere. I just see it logged in MZWriteScanner.log which file I copied.
     
    Last edited: Mar 12, 2018
  6. guest

    guest Guest

Hashes cannot be used in the configuration for MZWritescanner, but I think adding such a feature could be useful.
    [we can ensure that only a specific application (added by hash) is able to drop files. If the file has been modified (by malware,etc.), dropped files are blacklisted] :cautious:
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I agree, this could be quite useful. It should be possible for Florian to implement since Bouncer operates in a similar way by being able to whitelist/blacklist by hash. If you have an open dialogue with Florian, could you suggest this to him? You seem to have a clear, concise way of explaining things. :thumb:

    Also just to confirm, MZWS is Default Deny, correct?
     
  8. guest

    guest Guest

    Yes, it is "Default Deny" (=no entry in the [BLACKLIST] and [WHITELIST] = every dropped file is blocked)
And yes, I'll prepare an email and send it. If I receive feedback I'll post the answer in this thread.
     
  9. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
I removed the entry in the blacklist; still nothing is blocked.
I used the MZWriteScanner.ini from the Install and Use folder, so it should not be because of the line endings in the file or its encoding.
    Code:
    *** excubits.com demo ***: 2018/03/12_19:08    WX    C:\Windows\explorer.exe    C:\Users\some\Desktop\SubtitleEdit.exe    020c1932f9bb8b1408d51f56f97b4f6bd5b2df93bee82320fb79d015cedfa725
    
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    You too btw :)
     
  11. AEG

    AEG Registered Member

    Joined:
    Mar 12, 2018
    Posts:
    29
    Location:
    Middlesbrough
    Hi everybody. This security app looks interesting but I was wondering given the nature of it how you would deal with windows update. I can imagine it being very problematic to the extent of potentially corrupting an update. Is there a set of rules/exclusions that can make this process seamless while maintaining security.

    I'm currently using NVT OSArmor and like it but may replace it with this if it's not too unmanageable. Does this offer any significant benefit over OSArmor? Thanks for your help.
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I would imagine you would need to set MZWS to 'Install Mode ON' for Windows Update, indeed any software update, but no doubt one of the boffins here should give you a more detailed reply to both your questions. :)
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @AEG @paulderdash is right here in that Install Mode is beneficial for Windows Update. As a matter of fact, Install Mode was designed more because of Windows Update so that the protection state could persist across reboots since some Windows Updates move files around after reboot as well. Then once the updates are complete, you can turn Install Mode off.

However, you can take things a step further. You can use lethal mode off [#LETHAL], so no actual blocking occurs, and keep logging on [LOGGING]; then you can use the logging details to create rules to factor in specific locations where Windows Update may drop binaries.

    Here is just one example from one of my Windows 10 systems:
    Code:
    #    Malicious Software Removal Tool
    C:\????????????????????\mrtstub.exe>C:\Windows\System32\MRT.exe
    C:\????????????????????\mrtstub.exe>C:\Windows\System32\*.dll
    There may be some slight differences between, for example, Windows 7 and Windows 10. It may take some time to gather up the correct rules and all, but once you've got everything in place you will be able to run Windows Update without any blockages in the logs and without needing to use Install Mode. But that is up to individual user preference.

    Also, as a community, we can share rules here in code tags to gather up relevant rules. Being Patch Tuesday, I have already got mine switched to non-lethal with logging and I will try to gather as many rules as possible related to Windows Update later today once updates are released and I will share the rules once I've got them cleaned up.
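As an added example (not code from this thread or from Excubits), the Python helper below parses constructed MZWriteScanner.log lines in the tab-separated layout quoted earlier in the thread, drafts parent>child whitelist lines from them the way the non-lethal logging workflow above suggests, and reports which logged drops a given whitelist would still leave blocked under default deny. It assumes `*` and `?` wildcards and case-insensitive path matching; the Temp path, file names and hashes are made up.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed MZWriteScanner.log lines in the tab-separated layout quoted in the thread:
# "<prefix>: <timestamp>\t<flags>\t<writing process>\t<written file>\t<sha256>".
P = "*** excubits.com demo ***: 2018/03/12_19:"
MRT = r"C:\Windows\Temp\abc123\mrtstub.exe"  # constructed parent path, hashes below are dummies
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    (P + "08", "WX", r"C:\Windows\explorer.exe", r"C:\Users\some\Desktop\SubtitleEdit.exe", "a" * 64),
    (P + "10", "WX", MRT, r"C:\Windows\System32\MRT.exe", "b" * 64),
    (P + "10", "WX", MRT, r"C:\Windows\System32\mrtext.dll", "c" * 64),
    (P + "11", "WX", MRT, r"C:\Windows\System32\mrtaux.dll", "d" * 64),
])

LINE_RE = re.compile(
    r"^(?P<prefix>[^\t]*?): (?P<ts>\d{4}/\d{2}/\d{2}_\d{2}:\d{2})\t(?P<flags>\S+)\t"
    r"(?P<parent>[^\t]+)\t(?P<child>[^\t]+)\t(?P<sha256>[0-9a-fA-F]{64})\s*$")

def parse_log(text):
    """One dict per well-formed line; anything else (banners, truncated lines) is skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def rule_matches(rule, parent, child):
    """Apply one 'parent>child' or bare 'child' rule using * and ? wildcards.
    Assumption: paths compare case-insensitively, as NTFS does."""
    pat_parent, _, pat_child = rule.rpartition(">")  # no '>' -> any parent
    if pat_parent and not fnmatchcase(parent.lower(), pat_parent.lower()):
        return False
    return fnmatchcase(child.lower(), pat_child.lower())

def draft_rules(events):
    """Propose whitelist lines from logged drops: one exact parent>child per file,
    collapsed to folder\\*.ext when a parent wrote several files of one type there."""
    by_parent = defaultdict(set)
    for ev in events:
        by_parent[ev["parent"]].add(ev["child"])
    rules = []
    for parent, children in sorted(by_parent.items()):
        groups = defaultdict(list)
        for c in children:
            folder, _, name = c.rpartition("\\")
            groups[(folder, name.rpartition(".")[2].lower())].append(c)
        for (folder, ext), paths in sorted(groups.items()):
            rules.append(f"{parent}>{folder}\\*.{ext}" if len(paths) > 1 else f"{parent}>{paths[0]}")
    return rules

def uncovered(events, whitelist):
    """Logged drops no whitelist rule matches: under default deny these get blocked."""
    return [ev for ev in events
            if not any(rule_matches(r, ev["parent"], ev["child"]) for r in whitelist)]
```

Run it against a real log only after checking the drafted lines by hand: a collapsed `*.dll` rule is convenient, but it also lets that parent write any DLL into that folder.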
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
I just put it in stop mode for updates. Once the updates are done, usually I've found no rules are necessary.
     
  15. AEG

    AEG Registered Member

    Joined:
    Mar 12, 2018
    Posts:
    29
    Location:
    Middlesbrough
    Thanks for your replies. I've installed it and messed around a bit and think it's probably too much management for my tastes. I'm not fond of constantly creating exceptions for different programs and looking at logs all the time, however I'll continue to look at it for a while.

I've noticed quite a slowdown in my system even though I'm still in [#LETHAL] mode, and it's blocking files, which I thought it wasn't supposed to in that mode. An update to Sticky Notes initiated by svchost.exe is blocked, for example, and if I move an executable to a user folder it won't start. I'm using the default config file and that blacklists all user folders, so does that mean that blacklisting overrides the [#LETHAL] mode? Windows 10 often updates certain elements without a reboot, so I would imagine it's necessary to whitelist directories like Program Files and Windows/System32 etc. Is that sound from a security point of view, or is it OK, as I believe these resources are protected by Windows anyway?

    There's also no script to uninstall it even though the readme says there is one. I'll have to re-image my disc to remove it which isn't a problem but a bit annoying.
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Alternatively, you could:
    Open up admin cmd.exe. Type

    net stop MZWriteScanner
    sc delete MZWriteScanner

    then delete all related files and folders ...

    but again, hopefully someone else here has a more elegant solution!?
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That is "the" solution
     
  18. AEG

    AEG Registered Member

    Joined:
    Mar 12, 2018
    Posts:
    29
    Location:
    Middlesbrough
I think OSArmor may have interfered with the setup and caused some problems, which could explain some of the odd behaviour. I closed the UI down thinking this disabled the program, but it doesn't! I'll try again sometime with OSArmor properly disabled. I like the concept behind MZWriteScanner, but it does require management and you're never quite sure you've got things right for your system.
     
  19. guest

    guest Guest

OS Armor is a very easy solution: you only need to install it, tick/untick some options and that's it. No complicated management is needed.
I wouldn't see MZWritescanner as a replacement for OS Armor. MZWritescanner is specialised to monitor and keep track of files dropped onto the hard disk. OS Armor provides a completely different protection.

    MZWritescanner can be used in addition but you must be aware that you must monitor the log file and must write rules on your own sooner or later.
     
  20. AEG

    AEG Registered Member

    Joined:
    Mar 12, 2018
    Posts:
    29
    Location:
    Middlesbrough
    Yes I've realised this. OSArmor is more of an attack vector from your browser kind of thing and MZWriteScanner is more of an attack vector from anywhere, but it requires management as you say. It's probably close to bullet proof if you can live with configuring it from time to time.
     
  21. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
Yes, OSArmor seems easier to manage and perfect if you just want to run and use it, I guess. You can achieve a lot of protection with MZW, but it can be a hassle to configure. But it is also possible to set it up just to protect from the browser, PDF reader and Office attack vectors. Then the config is simpler and you do not care about OS updates and software installation in general.

Example: you can restrict chrome.exe, so downloaded executables can't be started. Same for Word or Excel, because MS Office applications normally don't need to download executables and start them, so your rules can be "very simple". But getting the initial config is a hassle ;)
     
  22. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Hidden function to enable "touched files" is

Funny to see what is touched while running a Windows session. But not meant for normal use, I guess. As written in the blog post: looks like a feature for pro users and malware forensics people.
     
  23. AEG

    AEG Registered Member

    Joined:
    Mar 12, 2018
    Posts:
    29
    Location:
    Middlesbrough
Yes, my system is relatively straightforward and doesn't change hugely over time, so I could probably use it. How would you deal with those Windows updates that don't reboot the computer and save files to locations like Program Files and System32 etc.? Would you whitelist the Program Files folder or specific sub-directories for each update location?
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    When I do updates I turn mzwritescanner off. Just easier.
     
  25. AEG

    AEG Registered Member

    Joined:
    Mar 12, 2018
    Posts:
    29
    Location:
    Middlesbrough
Yes, I can do that for updates that require a reboot because I get a warning, but a lot of Windows 10 updates install in the background and don't require a restart. They write to folders like Program Files and System32 etc., and I assume they would fail without proper whitelisting. It's a bit of advice on the scope of whitelisting I'm really after. Do you whitelist folders like Program Files, or is that too general and insecure?

As a general question, is it possible for scripts to damage a computer without writing a file, or is that very unusual?
     