Pumpernickel (FIDES)

Discussion in 'other anti-malware software' started by TheRollbackFrog, Dec 9, 2016.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,868
    Location:
    U.S.A. (South)
    A very welcome new improvement indeed! Especially for the GUI/Alert Notify interested members expecting a little noise. :)

    Wow, thanks for passing along this little bit of new news.
     
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    The new Tray-App is working great:
    FIDES_balloon.png
    An Event cannot be overlooked now ;)
     
  3. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    I use them both together and i have not encountered any problem. :doubt:
    The same as Peter2150:
     
  4. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    599
    Location:
    UK
    Thanks. I will give it a go.
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,462
    Location:
    Under a bushel ...
    +1
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    For Pumpernickel (FIDES) in particular, this new stable release includes some important fixes and code optimizations.

    Updates for MemProtect and Pumpernickel

    From: https://excubits.com/content/en/news.html

     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,868
    Location:
    U.S.A. (South)
    :thumb:
     
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    Great :thumb: (i have updated both tools and they are running without problems)
    The manual of both tools was also updated (Manual.pdf - v1.1.0 - July 2017)
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,462
    Location:
    Under a bushel ...
    Again @mood - or anyone, can you take me through the correct sequence for updating Pumpernickel? Apologies, I think I have asked this before.

    Edit: I had already installed the beta version baloon and sound notifications. I have my original email link and password.
     
    Last edited: Jul 31, 2017
  10. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Open up admin cmd.exe. Type

    Code:
    net stop pumpernickel
    sc delete pumpernickel
    Then extract new bundle. Go to driver directory for your system. Is it a 32-bit Windows, go to 32-bit driver. Is it a 64-windows, go to 64-driver.

    Left-click on pumpernickel.inf, then select "Install driver". Windows will now install driver.

    Go back to admin cmd.exe console, type:

    Code:
    net start pumpernickel
    If you use the Tray applications and so on, make sure to overwrite the old with the new ones.
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,462
    Location:
    Under a bushel ...
    Thanks @4Shizzle :thumb:. Should be a sticky for knuckleheads like me.:)
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,092
    Location:
    Mexico
    I already have a notepad txt file made by me a long time ago stuck in my FUD. :geek:
     
  13. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    407
    Location:
    router
    found new log
    R: C:\Users\*\Desktop\Everything.exe>\\localhost\C$\Windows\winsxs\x86_microsoft-windows-security-credssp_31bf3856ad364e35_6.1.7601.23455_none_c61ec764190f7fb5\credssp.dll
     
  14. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,084
    Sorry for noob question. Is there a noob friendly installation instructions for this?
     
  15. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    407
    Location:
    router
    copy Pumpernickel.ini to C:\Windows
    create new text file and rename it to pumpernickel.log (*.txt to log) and copy it to C:\Windows
    then if you are in 32bit windows go to Pumpernickel\32-bit folder rightclick on Pumpernickel.inf select install
    click on restart driver.cmd file will start logging
    hmm thats was another method of access from explorer :)
     
  16. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,084
    Thanks, this helped out a lot! :thumb::thumb:
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    So I have been playing around with Process Hollowing in recent days out of pure curiosity. I realized that I was able to effectively block certain stages of the process hollowing with Bouncer and MemProtect, I could not seem to block the process hollowing stage itself.

    Even though I had effectively blocked the overall activity, I wanted to push myself further (because I am too persistent and never give up) and wanted to target only the process hollowing stage.

    As we all know, all of the various Excubits drivers have fantastic logging abilities. I realized that MZWriteScanner would probably work for this purpose as well since a binary would likely have to be dropped on disk prior to process hollowing. But I wanted to be more specific.

    This all led me to Pumpernickel (FIDES) which I have tested in the past quite thoroughly but have never made it a regular part of my security setup.

    Anyway, with the great logging abilities, out of hundreds of lines of logging I found one single line. The logged entry meant: The process to be hollowed absolutely must perform a Read operation on the malicious binary after being unmapped from memory but prior to allocating that unmapped memory with the malicious sections and headers. Therefore Pumpernickel (FIDES) was able to block the process hollowing stage.

    So this is quite interesting. However, in the rare instances of fileless malware (no binary touching disk), this would not work. But in most cases where binaries are dropped to disk, this would absolutely be effective.
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,092
    Location:
    Mexico
    Wow! I installed FIDES (demo) on March 11 this year and today its license was expired... :mad:
    My drive/folders are unprotected now! :mad:
    Demo lasted 20 days only?

    p.png
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    License is cheap, solution, buy it. You already don't want to give it up.:)
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,092
    Location:
    Mexico
    License would be cheap if it lasted a lifetime. It needs annual renewal.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It may need renewing for new versions, but it still works.
     
  22. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,092
    Location:
    Mexico
    Ah! This changes landscape quite a bit. :)
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,868
    Location:
    U.S.A. (South)
    It's a useful piece of work as are the other drivers. One major drawback which is hauntingly missing for this user is a decent GUI.

    IF they ever decided to build on this concept with the addition of a practical GUI, popularity and sales would follow accordingly IMO.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Easter every time it is mentioned to him he rejects it. Not sure he cares about the sales as I suspect he makes his money from consulting.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,868
    Location:
    U.S.A. (South)
    I understand and respect that Pete. The maker's choice rules, but I still hold out hope against hope that one day in the future (near would be cool), that he will turn to adding it.

    But you are right, as of quite awhile and still even, it's dead set on staying as-is without a decent GUI :(
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.