Pumpernickel (FIDES)

Discussion in 'other anti-malware software' started by TheRollbackFrog, Dec 9, 2016.

  1. TheRollbackFrog

    TheRollbackFrog Registered Member

    Joined:
    Mar 1, 2011
    Posts:
    3,459
    Location:
    The Pond - USA
    ...AND... there is a brand new "User Guide" :eek:
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,308
    My Email link didn't work for FIDES. I've written Florian.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,308
    Big Duh. Link was fine. It helps if you copy the whole password.

    Anyway, some things that might help folks, and these probably apply to all these drivers.

    1. The ini file has to end with an EOF and a line feed. Leave off the line feed and it blows up.
    2. I've entered rules by cutting and pasting parts of them from log files. They don't always work. Enter them manually by hand, being careful of the typing, and they do.

    Those ini files are touchy, but gosh, once it's correct.
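
A small lint script, added here as an example and not part of the thread or of Excubits' tooling, that checks a pumpernickel.ini for the pitfalls described in the post above (a missing [EOF] line or no line feed after it, bare \n line endings, stray whitespace around the > in rules pasted from logs, non-ASCII bytes) plus the 3 KB size cap mentioned later in the thread. The section names and the ! and $ prefixes are those used in the configs posted in this thread; that the driver rejects every flagged case, that [#LOGGING] is a valid toggle, and the ini path in the usage comment are assumptions.

```python
"""Lint a pumpernickel.ini before restarting the driver.

The checks encode the pitfalls reported in this thread: [EOF] must be the
last line and be followed by a line feed, the file should use Windows \r\n
endings, rules pasted from log files may carry stray spaces or non-ASCII
bytes, and the unlicensed build is reported to cap the file at 3 KB.  Whether
the real driver rejects each case is an assumption; treat findings as warnings.
"""
import re
import sys

# Toggle headers seen in the thread; '#' inside the brackets disables the toggle.
# [#LOGGING] is assumed to be valid by analogy with [#LETHAL].
TOGGLE_HEADERS = {"[INSTALLMODE]", "[#INSTALLMODE]", "[LETHAL]", "[#LETHAL]",
                  "[LOGGING]", "[#LOGGING]"}
RULE_HEADERS = {"[WHITELISTMODIFY]", "[BLACKLISTMODIFY]",
                "[WHITELISTREAD]", "[BLACKLISTREAD]"}
FREE_INI_LIMIT = 3 * 1024   # 3 KB cap of the unlicensed build, as reported in the thread


def lint_ini(data: bytes) -> list:
    """Return a list of findings for the raw bytes of a pumpernickel.ini.

    An empty list means every check passed.
    """
    findings = []

    # File-level checks.
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append("file starts with a UTF-8 BOM (assumed to confuse the parser)")
    if len(data) > FREE_INI_LIMIT:
        findings.append(f"file is {len(data)} bytes, over the reported 3 KB free-version limit")
    if not data.endswith(b"\n"):
        findings.append("no line feed after the last line")
    if b"\n" in data and b"\r\n" not in data:
        findings.append("bare \\n line endings; save the file with Windows \\r\\n")

    lines = [ln.rstrip(b"\r") for ln in data.split(b"\n")]
    while lines and lines[-1] == b"":
        lines.pop()                       # drop the empty element after the final terminator
    if not lines or lines[-1] != b"[EOF]":
        findings.append("last line is not [EOF]")

    # Line-level checks.
    section = None                        # rule header we are currently under, or None
    for lineno, raw in enumerate(lines, 1):
        if raw.strip() == b"" or raw.startswith(b"#"):
            continue                      # blank line or comment
        if any(b >= 0x7F or (b < 0x20 and b != 0x09) for b in raw):
            findings.append(f"line {lineno}: non-ASCII or control byte; retype the rule by hand")
            continue
        line = raw.decode("ascii")
        if line.startswith("["):
            if line in TOGGLE_HEADERS:
                section = None
            elif line in RULE_HEADERS or line == "[EOF]":
                section = line
            else:
                findings.append(f"line {lineno}: unknown header {line}")
            continue
        if section is None or section == "[EOF]":
            findings.append(f"line {lineno}: rule outside a rule section: {line}")
            continue
        rule = line[1:] if line[0] in "!$" else line   # prefixes used in the thread's configs
        if rule.count(">") != 1:
            findings.append(f"line {lineno}: rule needs exactly one '>': {line}")
            continue
        if rule != rule.strip() or re.search(r"\s>|>\s", rule):
            findings.append(f"line {lineno}: whitespace around '>' or at the line ends: {line!r}")
        proc, target = rule.split(">")
        if not proc.strip() or not target.strip():
            findings.append(f"line {lineno}: empty process or target pattern: {line}")
    return findings


if __name__ == "__main__":
    # Usage: python lint_ini.py C:\Windows\pumpernickel.ini   (the ini path is an assumption)
    with open(sys.argv[1], "rb") as fh:
        problems = lint_ini(fh.read())
    for p in problems:
        print(p)
    sys.exit(1 if problems else 0)
```

Run it against the ini before stopping and starting the driver; an exit code of 1 means at least one finding was printed. It is a pre-check on the file's bytes only and says nothing about whether a rule does what you intend.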
     
  4. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    124
    Location:
    Europe
    True words :):thumb:
     
  5. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,225
    Hello!

    I need some quick help here.

    I am testing Pumpernickel (FIDES) as a way to protect my external hard drive (used as backup - U:/) and my OneDrive (Nuvem - Cloud) folder.

    I want to block writing to these drives; however, I do not mind reading (should I care?).

    Do you suggest I change anything? Here is my config:

    Code:
    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    !C:\Users\Rodolfo\AppData\Local\Viivo\viivo.exe>T:\Nuvem*
    !C:\Users\Rodolfo\AppData\Local\Microsoft\OneDrive\OneDrive.exe>T:\Nuvem*
    !C:\Program Files\Cryptomator\Cryptomator.exe>T:\Nuvem*
    !D:\Programas\Create Synchronicity\Create Synchronicity.exe>U:*
    !C:\Program Files\VeraCrypt*>*
    [BLACKLISTMODIFY]
    *>U:*
    *>T:\Nuvem*
    [WHITELISTREAD]
    *>*
    [BLACKLISTREAD]
    [EOF]
    
    Cryptomator isn't working:

    Code:
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\3U\OE\3UOEZXQ6CMCJJOZMBCR6CSU5RM5DQS6Y.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\EM\3H\EM3H5J6D7L2N575BCA6XJIQSWN35U2OQ.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\FB\4Z\FB4ZJC3NH6WSPXBI4P5X3DPFTPT4L4XX.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\FH\TC\FHTCUQLMWX7GEUMJYA7LKISB36HATB3Q.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\GE\6G\GE6G4SE7PND5WYSKAMIG67XYKGTCT4II.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\XG\UV\XGUVUDP7HZHBLZHG2GEKKA3KWABDVAAO.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\3U\OE\3UOEZXQ6CMCJJOZMBCR6CSU5RM5DQS6Y.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\EM\3H\EM3H5J6D7L2N575BCA6XJIQSWN35U2OQ.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\FB\4Z\FB4ZJC3NH6WSPXBI4P5X3DPFTPT4L4XX.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\FH\TC\FHTCUQLMWX7GEUMJYA7LKISB36HATB3Q.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\GE\6G\GE6G4SE7PND5WYSKAMIG67XYKGTCT4II.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\XG\UV\XGUVUDP7HZHBLZHG2GEKKA3KWABDVAAO.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\2H\HFUQKMKSW5BYYL4CKIATTJMPZK7ROZ\04SZ6OLKEEGONUFMAVQYMC4GHFTYU2KPU5IWQHEC4BDZHO6H35O6KO===
    *** excubits.com beta ***: 2017/05/19_10:10 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\4K\QHK2U3WOHALDPYAQSUAHONLZUDICRW\RALDFF7GKNN74BHA2IPZSE5Q74DZFRAVUBYOPSIV5GYDAEFPICUT2===
    *** excubits.com beta ***: 2017/05/19_10:10 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\4K\QHK2U3WOHALDPYAQSUAHONLZUDICRW\RALDFF7GKNN74BHA2IPZSE5Q74DZFRAVUBYOPSIV5GYDAEFPICUT2===
    *** excubits.com beta ***: 2017/05/19_10:10 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\4K\QHK2U3WOHALDPYAQSUAHONLZUDICRW\RALDFF7GKNN74BHA2IPZSE5Q74DZFRAVUBYOPSIV5GYDAEFPICUT2===
    *** excubits.com beta ***: 2017/05/19_10:10 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\4K\QHK2U3WOHALDPYAQSUAHONLZUDICRW\RALDFF7GKNN74BHA2IPZSE5Q74DZFRAVUBYOPSIV5GYDAEFPICUT2===
    *** excubits.com beta ***: 2017/05/19_10:10 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\4K\QHK2U3WOHALDPYAQSUAHONLZUDICRW\RALDFF7GKNN74BHA2IPZSE5Q74DZFRAVUBYOPSIV5GYDAEFPICUT2===
    *** excubits.com beta ***: 2017/05/19_10:10 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\4K\QHK2U3WOHALDPYAQSUAHONLZUDICRW\RALDFF7GKNN74BHA2IPZSE5Q74DZFRAVUBYOPSIV5GYDAEFPICUT2===
    *** excubits.com beta ***: 2017/05/19_10:10 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\4K\QHK2U3WOHALDPYAQSUAHONLZUDICRW\RALDFF7GKNN74BHA2IPZSE5Q74DZFRAVUBYOPSIV5GYDAEFPICUT2===
    *** excubits.com beta ***: 2017/05/19_10:10 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\4K\QHK2U3WOHALDPYAQSUAHONLZUDICRW\0X6HRIVFON2WUS2DUDH2QR23DWEXRVHQJZN3MOKGPEI2Q====
    *** excubits.com beta ***: 2017/05/19_10:10 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\4K\QHK2U3WOHALDPYAQSUAHONLZUDICRW\RALDFF7GKNN74BHA2IPZSE5Q74DZFRAVUBYOPSIV5GYDAEFPICUT2===
    
    What am I doing wrong?

    Ah, another thing: do any of you use Pumpernickel to isolate Chrome/Chromium?
     
    Last edited: May 19, 2017 at 9:14 AM
  6. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    124
    Location:
    Europe
    Hmm, strange. Have you restarted the driver after changing pumpernickel.ini?

    Try to do

    Code:
    net stop pumpernickel
    net start pumpernickel
    in a cmd.exe console with admin permissions. Then check if the problem is still there.

    You can also whitelist

    C:\Program Files\Cryptomator\*

    I don't use Cryptomator but tried to reproduce it with another tool and the same config as you. On my system it worked, so this is really strange.

    Add on:

    "!C:\Program Files\Cryptomator\Cryptomator.exe>T:\Nuvem*"

    Is the rule exactly like this? Without any spaces around the > or after the *? Also, is the file saved with Windows \r\n line endings?
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,308
    Is T: a physical disk on your computer or is it on a network?
     
  8. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,225
    1) Maybe that was the problem. I restarted my computer and now everything is fine.

    2) What is this? I don't know.

    It is physical, but mounted virtually with Veracrypt; anyway, now it is working.

    Now only one thing is wrong... How can I silence SearchIndexer.exe?

    This is my current config:

    Code:
    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    #    [Veracrypt]
    !C:\Program Files\VeraCrypt\*>*
    #    [OneDrive]
    !C:\Users\Rodolfo\AppData\Local\Microsoft\OneDrive\OneDrive.exe>T:\Nuvem\*
    !C:\Program Files\Cryptomator\Cryptomator.exe>T:\Nuvem\*
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:\Nuvem\*
    #    [Backup (U:/)]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>U:*
    [BLACKLISTMODIFY]
    *>U:*
    *>T:\Nuvem*
    $*SearchIndexer.exe>U:*
    $*dllhost.exe>U:*
    [WHITELISTREAD]
    *>*
    [BLACKLISTREAD]
    [EOF]
    
    This is my log:

    Code:
    *** excubits.com beta ***: 2017/05/19_14:00 > W: C:\Windows\System32\SearchIndexer.exe > U:\System Volume Information
    It's still happening even after a reboot.

    What's going on?
     
  9. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    1,940
    If you don't want to see SearchIndexer/dllhost.exe in your log, you have to place the silent rules at the beginning.
    Code:
    [BLACKLISTMODIFY]
    $*SearchIndexer.exe>U:*
    $*dllhost.exe>U:*
    *>U:*
    *>T:\Nuvem*
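
To make the ordering point concrete, here is a small simulator, added as an example and not code from the thread or from Excubits, that evaluates write attempts against the whitelist and the two blacklist orderings from the posts above. Its semantics (a whitelist match wins, otherwise the first matching blacklist rule decides, a $ rule denies without logging, * and ? are the wildcards, matching is case-insensitive, and a request matching no rule is allowed) are inferred from the configs and log lines in this thread and are an assumption about the real driver. The write attempts other than the SearchIndexer log line are constructed.

```python
"""Simulate Pumpernickel/FIDES rule evaluation to show why the silent '$'
rules must come before the catch-all '*>U:*'.

The semantics are inferred from the configs and log lines posted in this
thread, not taken from the vendor's documentation: a whitelist match wins,
otherwise the first matching blacklist rule decides, a '$' rule denies
without writing a log line, '*' and '?' are the only wildcards, and paths
match case-insensitively.  A request matching no rule is assumed allowed.
"""
import re
from typing import List, Tuple


def _compile(pattern: str):
    """Path pattern to regex: '*' spans anything (backslashes included),
    '?' is one character, everything else is literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE)


class Rule:
    def __init__(self, line: str):
        self.silent = line.startswith("$")     # '$' = deny but do not log
        body = line.lstrip("!$")               # '!' prefix as used on the whitelist rules
        proc, target = body.split(">", 1)      # process pattern > target path pattern
        self.proc, self.target = _compile(proc), _compile(target)

    def matches(self, process: str, path: str) -> bool:
        return bool(self.proc.match(process) and self.target.match(path))


def parse_rules(lines: List[str]) -> List[Rule]:
    return [Rule(ln) for ln in lines if ln and not ln.startswith("#")]


def evaluate(whitelist: List[Rule], blacklist: List[Rule],
             process: str, path: str) -> Tuple[str, bool]:
    """Return (verdict, logged) for one modify attempt."""
    for r in whitelist:
        if r.matches(process, path):
            return ("allow", False)
    for r in blacklist:                        # first match decides
        if r.matches(process, path):
            return ("deny", not r.silent)
    return ("allow", False)                    # no rule matched (assumed default)


# Whitelist taken from the config posted above; the blacklist in both orders.
WHITELIST = parse_rules([
    r"!C:\Program Files\VeraCrypt\*>*",
    r"!C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>U:*",
])
POSTED_ORDER = parse_rules([
    r"*>U:*", r"*>T:\Nuvem*",
    r"$*SearchIndexer.exe>U:*", r"$*dllhost.exe>U:*",
])
FIXED_ORDER = parse_rules([
    r"$*SearchIndexer.exe>U:*", r"$*dllhost.exe>U:*",
    r"*>U:*", r"*>T:\Nuvem*",
])

# Constructed write attempts; the first is the SearchIndexer line from the log above.
ATTEMPTS = [
    (r"C:\Windows\System32\SearchIndexer.exe", r"U:\System Volume Information"),
    (r"C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe",
     r"U:\Backup\2017-05-19.zip"),
    (r"C:\Windows\notepad.exe", r"T:\Nuvem\notes.txt"),
    (r"C:\Windows\notepad.exe", r"C:\Users\Rodolfo\Desktop\notes.txt"),
]


def report(blacklist: List[Rule]) -> List[Tuple[str, bool]]:
    """Verdict and log flag for every attempt under the given blacklist order."""
    return [evaluate(WHITELIST, blacklist, proc, path) for proc, path in ATTEMPTS]


if __name__ == "__main__":
    for label, bl in (("posted order", POSTED_ORDER), ("silent rules first", FIXED_ORDER)):
        print(label)
        for (proc, path), (verdict, logged) in zip(ATTEMPTS, report(bl)):
            print(f"  {verdict:5} {'logged' if logged else 'silent'}  {proc} > {path}")
```

Running it shows the SearchIndexer write denied and logged under the posted order, and denied but silent once the $ rules come first; the SyncBackFree write to U: is allowed by the whitelist in both cases, which is why the catch-all *>U:* can stay below it.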
    
     
  10. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,225
    Oh, PERFECT! Thanks!

    Mood, do you use FIDES to protect your Chrome/Chromium? If so, how?
     
  11. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    1,940
    With FIDES I am blocking all programs from writing to other partitions (D:, E:, ...).
    And Chrome is protected with MemProtect.
     
    Last edited: May 21, 2017 at 10:25 AM
  12. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,225
    Got it. After a couple of days testing FIDES, this is my config:

    Code:
    [#INSTALLMODE]
    [LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    #    [Veracrypt]
    !C:\Program Files\VeraCrypt\*>*
    #    [NUVEM]
    !C:\Users\Rodolfo\AppData\Local\Microsoft\OneDrive\OneDrive.exe>T:\Nuvem\*
    !C:\Program Files\Cryptomator\Cryptomator.exe>T:\Nuvem\*
    #    [Backup (U:/)]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>U:*
    #    [Chromium]
    !D:\Programas\Chromium\*\chromium\chrome.exe>D:\Programas\Chromium\*
    !D:\Programas\Chromium\*\chromium\chrome.exe>T:\Downloads\Chromium*
    !D:\Programas\Chromium\*\chromium\chrome.exe>C:\Windows\System32\catroot2*
    !D:\Programas\Chromium\*\chromium\chrome.exe>C:\Windows\System32\CatRoot*
    !D:\Programas\Chromium\*\chromium\chrome.exe>C:\Users\Rodolfo\AppData\Local\Temp\NVIDIA Corporation\NV_Cache\*.toc
    !D:\Programas\Chromium\*\chromium\chrome.exe>C:\ProgramData\NVIDIA Corporation\Drs\nvdrssel.bin
    !D:\Programas\Chromium\*\chromium\chrome.exe>C:\Users\Rodolfo\AppData\*\Microsoft\Windows\*
    !D:\Programas\Chromium\*\chromium\chrome.exe>C:\Users\Rodolfo\AppData\Local\Temp\SPL????.tmp
    !D:\Programas\Chromium\*\chromium\chrome.exe>C:\Windows\System32\spool\PRINTERS\*.SPL
    !D:\Programas\Chromium\*\chrlancher\chrlauncher.exe>C:\Users\Rodolfo*
    [BLACKLISTMODIFY]
    #    [Backup (U:/) - Silenced]
    $*SearchIndexer.exe>U:*
    $*dllhost.exe>U:*
    #    [Chromium]
    $D:\Programas\Chromium\*>C:\Users\Rodolfo*
    *>D:\Programas\Chromium\*
    D:\Programas\Chromium\*>*
    #    [Backup (U:/)]
    *>U:*
    #    [NUVEM]
    *>T:\Nuvem\*
    [WHITELISTREAD]
    *>*
    [BLACKLISTREAD]
    [EOF]
    
    

    For Chromium, I needed to let it access "C:\Users\Rodolfo\AppData\Local\Temp\SPLo_O?.tmp" for printing.

    chrlauncher.exe needed access to my profile "C:\Users\Rodolfo*" to update. But, after all, with these settings I don't even notice that FIDES is protecting me. Really set and forget.

    If I buy a license, I will try to cage Edge in the same way.
     
  13. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    1,940
    You will only get the full potential by buying a license. You can't really do much if the .ini is limited to 3 KB :)