Pumpernickel (FIDES)

Discussion in 'other anti-malware software' started by TheRollbackFrog, Dec 9, 2016.

  1. TheRollbackFrog

    TheRollbackFrog Registered Member

    Joined:
    Mar 1, 2011
    Posts:
    3,611
    Location:
    The Pond - USA
    ...AND... there is a brand new "User Guide" :eek:
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,992
    My email link didn't work for FIDES. I've written Florian.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,992
    Big Duh. Link was fine. It helps if you copy the whole password.

    Anyway some things that might help folks, and these probably apply to all these drivers.

    1. The ini file has to end with an EOF and a line feed. Leave off the line feed and it blows up.
    2. I've entered rules by cutting and pasting parts of them from log files. They don't always work. Enter them manually by hand, being careful of the typing, and they do.

    Those ini files are touchy, but gosh, once it's correct.
     
  4. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    135
    Location:
    Europe
    True words :):thumb:
     
  5. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    Hello!

    I need some quick help here.

    I am testing Pumpernickel (FIDES) as a way to protect my external hard drive (used as backup - U:/) and my OneDrive (Nuvem - Cloud) folder.

    I want to block writing to these units; however, I do not mind reading (should I care?).

    Do you suggest I change anything? Here is my config:

    Code:
    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    !C:\Users\Rodolfo\AppData\Local\Viivo\viivo.exe>T:\Nuvem*
    !C:\Users\Rodolfo\AppData\Local\Microsoft\OneDrive\OneDrive.exe>T:\Nuvem*
    !C:\Program Files\Cryptomator\Cryptomator.exe>T:\Nuvem*
    !D:\Programas\Create Synchronicity\Create Synchronicity.exe>U:*
    !C:\Program Files\VeraCrypt*>*
    [BLACKLISTMODIFY]
    *>U:*
    *>T:\Nuvem*
    [WHITELISTREAD]
    *>*
    [BLACKLISTREAD]
    [EOF]
    
    Cryptomator isn't working:

    Code:
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\3U\OE\3UOEZXQ6CMCJJOZMBCR6CSU5RM5DQS6Y.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\EM\3H\EM3H5J6D7L2N575BCA6XJIQSWN35U2OQ.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\FB\4Z\FB4ZJC3NH6WSPXBI4P5X3DPFTPT4L4XX.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\FH\TC\FHTCUQLMWX7GEUMJYA7LKISB36HATB3Q.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\GE\6G\GE6G4SE7PND5WYSKAMIG67XYKGTCT4II.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\XG\UV\XGUVUDP7HZHBLZHG2GEKKA3KWABDVAAO.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\3U\OE\3UOEZXQ6CMCJJOZMBCR6CSU5RM5DQS6Y.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\EM\3H\EM3H5J6D7L2N575BCA6XJIQSWN35U2OQ.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\FB\4Z\FB4ZJC3NH6WSPXBI4P5X3DPFTPT4L4XX.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\FH\TC\FHTCUQLMWX7GEUMJYA7LKISB36HATB3Q.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\GE\6G\GE6G4SE7PND5WYSKAMIG67XYKGTCT4II.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\m\XG\UV\XGUVUDP7HZHBLZHG2GEKKA3KWABDVAAO.lng
    *** excubits.com beta ***: 2017/05/19_10:08 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\2H\HFUQKMKSW5BYYL4CKIATTJMPZK7ROZ\04SZ6OLKEEGONUFMAVQYMC4GHFTYU2KPU5IWQHEC4BDZHO6H35O6KO===
    *** excubits.com beta ***: 2017/05/19_10:10 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\4K\QHK2U3WOHALDPYAQSUAHONLZUDICRW\RALDFF7GKNN74BHA2IPZSE5Q74DZFRAVUBYOPSIV5GYDAEFPICUT2===
    *** excubits.com beta ***: 2017/05/19_10:10 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\4K\QHK2U3WOHALDPYAQSUAHONLZUDICRW\RALDFF7GKNN74BHA2IPZSE5Q74DZFRAVUBYOPSIV5GYDAEFPICUT2===
    *** excubits.com beta ***: 2017/05/19_10:10 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\4K\QHK2U3WOHALDPYAQSUAHONLZUDICRW\RALDFF7GKNN74BHA2IPZSE5Q74DZFRAVUBYOPSIV5GYDAEFPICUT2===
    *** excubits.com beta ***: 2017/05/19_10:10 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\4K\QHK2U3WOHALDPYAQSUAHONLZUDICRW\RALDFF7GKNN74BHA2IPZSE5Q74DZFRAVUBYOPSIV5GYDAEFPICUT2===
    *** excubits.com beta ***: 2017/05/19_10:10 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\4K\QHK2U3WOHALDPYAQSUAHONLZUDICRW\RALDFF7GKNN74BHA2IPZSE5Q74DZFRAVUBYOPSIV5GYDAEFPICUT2===
    *** excubits.com beta ***: 2017/05/19_10:10 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\4K\QHK2U3WOHALDPYAQSUAHONLZUDICRW\RALDFF7GKNN74BHA2IPZSE5Q74DZFRAVUBYOPSIV5GYDAEFPICUT2===
    *** excubits.com beta ***: 2017/05/19_10:10 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\4K\QHK2U3WOHALDPYAQSUAHONLZUDICRW\RALDFF7GKNN74BHA2IPZSE5Q74DZFRAVUBYOPSIV5GYDAEFPICUT2===
    *** excubits.com beta ***: 2017/05/19_10:10 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\4K\QHK2U3WOHALDPYAQSUAHONLZUDICRW\0X6HRIVFON2WUS2DUDH2QR23DWEXRVHQJZN3MOKGPEI2Q====
    *** excubits.com beta ***: 2017/05/19_10:10 > W: C:\Program Files\Cryptomator\Cryptomator.exe > T:\Nuvem\OneDrive\Cryptomator\Cryptomator\d\4K\QHK2U3WOHALDPYAQSUAHONLZUDICRW\RALDFF7GKNN74BHA2IPZSE5Q74DZFRAVUBYOPSIV5GYDAEFPICUT2===
    
    What am I doing wrong?

    Ah, another thing: do any of you use Pumpernickel to isolate Chrome/Chromium?
     
    Last edited: May 19, 2017
  6. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    135
    Location:
    Europe
    Hmm, strange. Have you restarted the driver after the change in pumpernickel.ini?

    Try to do

    Code:
    net stop pumpernickel
    net start pumpernickel
    in a cmd.exe console with admin permissions. Then check if the problem is still there.

    You can also whitelist

    C:\Program Files\Cryptomator\*

    I don't use Cryptomator but tried to reproduce with another tool and the same config as you. On my system it worked, so this is really strange.

    Add on:

    "!C:\Program Files\Cryptomator\Cryptomator.exe>T:\Nuvem*"

    Is the rule exactly like this? Without any spaces between > and after *? Also, is the file saved with Windows \r\n line endings?
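Peter2150's two points earlier in the thread (the file must end with [EOF] and a line feed; rules pasted from log files often don't work) and 4Shizzle's questions here (spaces around `>`, Windows \r\n line endings) can all be checked mechanically before restarting the driver. The linter below is an added example written for this thread, not an Excubits tool; it assumes the ini layout shown in the posts (CRLF endings, one `process>target` rule per line, `[EOF]` as the last line) and the `*** excubits.com` prefix of the posted log lines.

```python
"""
Linter for a hand-edited pumpernickel.ini. Added example for this thread,
not an Excubits tool. Assumptions: the file uses Windows CRLF line endings,
ends with '[EOF]' plus a line break, holds one 'process>target' rule per
line, and pasted log lines start with the '*** excubits.com' prefix seen in
the posts above.
"""
from typing import List, Tuple

LOG_PREFIX = "*** excubits.com"


def lint_ini(data: bytes) -> List[Tuple[int, str]]:
    """Return (line_number, message) findings; line 0 means a file-level issue.
    An empty list means the file passed every check."""
    findings: List[Tuple[int, str]] = []

    # File-level checks: Peter2150's point 1 and 4Shizzle's CRLF question.
    if not data.endswith(b"\n"):
        findings.append((0, "file must end with a line break after [EOF]"))
    lf, crlf = data.count(b"\n"), data.count(b"\r\n")
    if lf and crlf == 0:
        findings.append((0, "bare \\n line endings; save the file with Windows \\r\\n"))
    elif lf != crlf:
        findings.append((0, "mixed \\r\\n and bare \\n line endings"))

    text = data.decode("utf-8", errors="replace")
    lines = text.splitlines()
    non_blank = [l for l in lines if l.strip()]
    if not non_blank or non_blank[-1].strip() != "[EOF]":
        findings.append((0, "last non-blank line must be [EOF]"))

    # Per-line checks: Peter2150's point 2 (pasted log fragments, stray
    # characters) and 4Shizzle's question about spaces around '>'.
    for no, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                                   # blank line or comment
        if stripped.startswith("[") and stripped.endswith("]"):
            continue                                   # section header
        if line != stripped:
            findings.append((no, "leading or trailing whitespace on a rule"))
        odd = sorted({c for c in line if not 32 <= ord(c) <= 126})
        if odd:
            findings.append((no, f"non-ASCII or control characters {odd!r} (pasted?)"))
        if stripped.startswith(LOG_PREFIX):
            findings.append((no, "this is a pasted log line, not a rule"))
        elif stripped.count(">") != 1:
            findings.append((no, "a rule needs exactly one '>' between process and target"))
        elif " >" in stripped or "> " in stripped:
            findings.append((no, "no spaces are allowed around '>'"))
    return findings


# Constructed sample: the Cryptomator rule from this thread, saved correctly.
SAMPLE_OK = (
    b"[#INSTALLMODE]\r\n[LOGGING]\r\n"
    b"[WHITELISTMODIFY]\r\n"
    b"!C:\\Program Files\\Cryptomator\\Cryptomator.exe>T:\\Nuvem\\*\r\n"
    b"[BLACKLISTMODIFY]\r\n*>T:\\Nuvem*\r\n[EOF]\r\n"
)

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_OK),
                        ("no final line feed", SAMPLE_OK[:-2]),
                        ("unix line endings", SAMPLE_OK.replace(b"\r\n", b"\n"))):
        print(label, "->", lint_ini(blob) or "OK")
```

Run it against the real file with `lint_ini(open("pumpernickel.ini", "rb").read())`; reading in binary mode is deliberate, since a text-mode read would normalise the very line endings the check is looking for.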
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,992
    Is T: a physical disk on your computer or is it on a network?
     
  8. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    1) Maybe that was the problem. I restarted my computer and now everything is fine.

    2) What is this? I don't know.

    It is physical, but virtually mounted with VeraCrypt; anyway, now it is working.

    Now only one thing is wrong... How can I silence SearchIndexer.exe?

    This is my actual config:

    Code:
    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    #    [Veracrypt]
    !C:\Program Files\VeraCrypt\*>*
    #    [OneDrive]
    !C:\Users\Rodolfo\AppData\Local\Microsoft\OneDrive\OneDrive.exe>T:\Nuvem\*
    !C:\Program Files\Cryptomator\Cryptomator.exe>T:\Nuvem\*
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:\Nuvem\*
    #    [Backup (U:/)]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>U:*
    [BLACKLISTMODIFY]
    *>U:*
    *>T:\Nuvem*
    $*SearchIndexer.exe>U:*
    $*dllhost.exe>U:*
    [WHITELISTREAD]
    *>*
    [BLACKLISTREAD]
    [EOF]
    
    This is my log:

    Code:
    *** excubits.com beta ***: 2017/05/19_14:00 > W: C:\Windows\System32\SearchIndexer.exe > U:\System Volume Information

    It is still happening even after a reboot.

    What's going on?
     
  9. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,557
    If you don't want to see SearchIndexer/dllhost.exe in your log, you have to place the silent rules at the beginning.
    Code:
    [BLACKLISTMODIFY]
    $*SearchIndexer.exe>U:*
    $*dllhost.exe>U:*
    *>U:*
    *>T:\Nuvem*
    
     
  10. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    Oh, PERFECT! Thanks!

    Mood, you use FIDES to protect your Chrome/Chromium? If so, how?
     
  11. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,557
    With FIDES I am blocking all programs from writing to other partitions (D:, E:, ...).
    And Chrome is protected with MemProtect.
     
    Last edited: May 21, 2017
  12. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    Got it. After a couple of days testing FIDES, this is my config:

    Code:
    [#INSTALLMODE]
    [LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    #    [Veracrypt]
    !C:\Program Files\VeraCrypt\*>*
    #    [NUVEM]
    !C:\Users\Rodolfo\AppData\Local\Microsoft\OneDrive\OneDrive.exe>T:\Nuvem\*
    !C:\Program Files\Cryptomator\Cryptomator.exe>T:\Nuvem\*
    #    [Backup (U:/)]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>U:*
    #    [Chromium]
    !D:\Programas\Chromium\*\chromium\chrome.exe>D:\Programas\Chromium\*
    !D:\Programas\Chromium\*\chromium\chrome.exe>T:\Downloads\Chromium*
    !D:\Programas\Chromium\*\chromium\chrome.exe>C:\Windows\System32\catroot2*
    !D:\Programas\Chromium\*\chromium\chrome.exe>C:\Windows\System32\CatRoot*
    !D:\Programas\Chromium\*\chromium\chrome.exe>C:\Users\Rodolfo\AppData\Local\Temp\NVIDIA Corporation\NV_Cache\*.toc
    !D:\Programas\Chromium\*\chromium\chrome.exe>C:\ProgramData\NVIDIA Corporation\Drs\nvdrssel.bin
    !D:\Programas\Chromium\*\chromium\chrome.exe>C:\Users\Rodolfo\AppData\*\Microsoft\Windows\*
    !D:\Programas\Chromium\*\chromium\chrome.exe>C:\Users\Rodolfo\AppData\Local\Temp\SPL????.tmp
    !D:\Programas\Chromium\*\chromium\chrome.exe>C:\Windows\System32\spool\PRINTERS\*.SPL
    !D:\Programas\Chromium\*\chrlancher\chrlauncher.exe>C:\Users\Rodolfo*
    [BLACKLISTMODIFY]
    #    [Backup (U:/) - Silenced]
    $*SearchIndexer.exe>U:*
    $*dllhost.exe>U:*
    #    [Chromium]
    $D:\Programas\Chromium\*>C:\Users\Rodolfo*
    *>D:\Programas\Chromium\*
    D:\Programas\Chromium\*>*
    #    [Backup (U:/)]
    *>U:*
    #    [NUVEM]
    *>T:\Nuvem\*
    [WHITELISTREAD]
    *>*
    [BLACKLISTREAD]
    [EOF]
    
    

    For Chromium, I needed to let it access "C:\Users\Rodolfo\AppData\Local\Temp\SPL????.tmp" for printing.

    chrlauncher.exe needed access to my profile "C:\Users\Rodolfo*" to update. But, after all, with these settings I don't even notice that FIDES is protecting me. Really set and forget.

    If I buy a license, I will try to cage Edge in the same way.
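mood's fix earlier in the thread (put the `$` silent rules for SearchIndexer.exe and dllhost.exe before `*>U:*`) and the `*`/`?` wildcards in the Chromium rules above both behave the way a top-down, first-match rule scan would. The Python model below reproduces that behaviour; it is an added example for this thread, not Excubits' driver code, and its semantics are assumptions drawn from the posts rather than from documentation: whitelist consulted before blacklist, first match within a section wins, case-insensitive matching, `!` marks a whitelist entry, `$` marks a silent rule, and an event matching no rule is allowed. The ini text it uses is trimmed from the configs posted here.

```python
"""
Toy model of a Pumpernickel-style [WHITELISTMODIFY] / [BLACKLISTMODIFY]
ruleset. Added example for this thread, not Excubits' driver code.
Assumed semantics (drawn from the posts, not from documentation):
  - a rule is 'process>target'; '*' matches any run of characters, '?'
    exactly one; matching is case-insensitive
  - a leading '!' only marks a whitelist entry; '$' makes a rule silent
  - within a section the FIRST matching rule wins (top-down scan)
  - the whitelist is consulted before the blacklist; no match means allowed
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    process: str   # wildcard pattern for the acting executable
    target: str    # wildcard pattern for the path being modified
    silent: bool   # '$' prefix: decide without writing a log line
    text: str      # rule as written, for reporting


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    logged: bool
    rule: Optional[str]   # text of the deciding rule, None if nothing matched


def glob_to_regex(pattern: str):
    """Escape the pattern, then re-enable '*' (any run) and '?' (one char)."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped, re.IGNORECASE)


def parse_ini(text: str) -> Dict[str, List[Rule]]:
    """Collect rules per section; '#' lines are comments, '[...]' are headers."""
    sections: Dict[str, List[Rule]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            sections.setdefault(current, [])
            continue
        if current is None or line.count(">") != 1:
            raise ValueError(f"malformed rule line: {raw!r}")
        process, target = line.lstrip("!$").split(">")
        sections[current].append(Rule(process, target, line.startswith("$"), line))
    return sections


def first_match(rules: List[Rule], process: str, target: str) -> Optional[Rule]:
    """Top-down scan: the first rule whose two patterns both match decides."""
    for rule in rules:
        if (glob_to_regex(rule.process).fullmatch(process)
                and glob_to_regex(rule.target).fullmatch(target)):
            return rule
    return None


def evaluate_modify(sections: Dict[str, List[Rule]], process: str, target: str) -> Verdict:
    """Whitelist first, then blacklist; no match at all means the write is allowed."""
    hit = first_match(sections.get("WHITELISTMODIFY", []), process, target)
    if hit is not None:
        return Verdict(True, not hit.silent, hit.text)
    hit = first_match(sections.get("BLACKLISTMODIFY", []), process, target)
    if hit is not None:
        return Verdict(False, not hit.silent, hit.text)
    return Verdict(True, False, None)


# Trimmed from the configs posted in this thread: the blacklist order from
# post #8 (silent rules last), then mood's reordering from post #9.
INI_SILENT_LAST = r"""
[WHITELISTMODIFY]
!C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>U:*
!D:\Programas\Chromium\*\chromium\chrome.exe>C:\Users\Rodolfo\AppData\Local\Temp\SPL????.tmp
[BLACKLISTMODIFY]
*>U:*
*>T:\Nuvem*
$*SearchIndexer.exe>U:*
$*dllhost.exe>U:*
[EOF]
"""
INI_SILENT_FIRST = r"""
[WHITELISTMODIFY]
!C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>U:*
!D:\Programas\Chromium\*\chromium\chrome.exe>C:\Users\Rodolfo\AppData\Local\Temp\SPL????.tmp
[BLACKLISTMODIFY]
$*SearchIndexer.exe>U:*
$*dllhost.exe>U:*
*>U:*
*>T:\Nuvem*
[EOF]
"""
INDEXER = r"C:\Windows\System32\SearchIndexer.exe"   # process from the posted log line
SVI = r"U:\System Volume Information"                # target from the posted log line

if __name__ == "__main__":
    for label, ini in (("silent rules last", INI_SILENT_LAST),
                       ("silent rules first", INI_SILENT_FIRST)):
        v = evaluate_modify(parse_ini(ini), INDEXER, SVI)
        print(f"{label}: allowed={v.allowed} logged={v.logged} by {v.rule!r}")
```

With the post #8 order the SearchIndexer write to `U:\System Volume Information` is blocked by `*>U:*` and therefore logged; with the silent rule first it is still blocked, but silently. The same scan lets the SyncBackFree whitelist entry override the `*>U:*` blacklist, and the `SPL????.tmp` rule only matches a four-character spool name.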
     
  13. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,557
    You will only get the full potential by buying a license. You can't really do much if the .ini is limited to 3 KB :)
     
  14. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    135
    Location:
    Europe
    Some news from the developer (see news on excubits):

    :)

    Hoping the other trays will be in the beta camp also very soon.
     
  15. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    135
    Location:
    Europe
    Hmm, depending on config and backup strategies, the 3 KB can be enough, I guess.
     
  16. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    Although I don't use the tray icon anymore (I'm using FIDES and MemProtect only for my backup and KeePass, and after configuring them well I spent days with the green icon only), I think it is a very good thing, since some people have problems with simple (or no) interfaces.

    I admittedly almost quit for some time; these .ini files can be very tricky.
     
  17. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,557
    Yes, it depends. In general 3KB is sufficient.
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,452
    Location:
    U.S.A. (South)
    Maybe one day Florian will consider adding even a simple Rules Editor. It doesn't have to be on the order of a full feature NVT-ERP style design but just something enough to drive more traffic/customers to wanting to shell out for those fantastic security drivers.

    I will be the first to admit that I harbor no reservations whatsoever that the Excubits products are ideal and effective but I have no desire to return to Windows 95/98 style of writing rules in notepad like that in our today's age of modern interfaces.
     
  19. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    They can be very tricky, but at least I don't have to worry about anything except that. Once you set it up, it's done. For me it's better than the greater performance impact, constant updates, larger attack surface and buggy UI that almost any security product appears to need. So I think that it is a valid exchange.

    That was my point, sorry for not being clearer.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,992
    Easter, the choice here is simple. Either accept it or move on. I'd bet Florian isn't going to do much with it. Simple reason. Selling his drivers isn't how he's making his money. He is doing Enterprise custom solutions. You almost could have had it set up in the time it took to type the email. Almost
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,452
    Location:
    U.S.A. (South)
    No choice for some. There are of course very viable and useful alternatives but as you, and most others already know, well enough crafted drivers as some of these are, make for a simple set and forget which is a Plus.

    It might not be of any interest for the fashioning of a GUI rules editor/maker while the h0t cash is rolling in for Enterprise clients, sure, but sorry though, can't move on until all hope is lost for a GUI and as mentioned, "Maybe one day" :rolleyes:
     
  22. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    135
    Location:
    Europe
    hopefully in the near future :) But I got used to it with the .ini files...
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,452
    Location:
    U.S.A. (South)
    You learn to live with the fact that sometimes we can't always have our cake and eat it too. It's clear enough I guess, but....

    Soon as I can line a different separate system the excubits drivers will fit just fine on that one. In fact they already fit with any other setup but those are reserved for hosting a few choice security apps all by themselves.
     
  24. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,557
    Exciting News
    Now a sound can be played or a balloon message can be shown after an event has occurred:
     
  25. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    244
    Nice. Thanks mood :thumb: