Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @genieautravail
Yes, you are correct, Florian had a previous version of MZWriteScanner in the past few years which had blocking support already. From my understanding, it has been re-written significantly from the ground up, which is why it is still behind on a few features which it previously had.
     
  2. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    109
MZWriteScanner has much more potential than Bouncer.
    Bouncer can be easily bypassed if a file is dropped in a whitelisted folder (Program Files for example).
    Dropping a file on a drive with MZWriteScanner running is another story... :confused:

    Florian has created Excubits for doing some business.
He must have started reflecting on the opportunity to release a free version of MZWriteScanner with full features. IMHO :rolleyes:
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @genieautravail
    Yes, I agree. MZWriteScanner has a lot of potential. We are actually brainstorming a little treat of an idea right now as a tiny, portable type of concept. It may combine the best of Bouncer and the best of MZWriteScanner but is just a concept at the moment in early planning stages.

    Yes, current path-based Bouncer is not as strong as compared to hash-based. There is an internal version of Bouncer which is SHA-256 hash based in the works.
     
  4. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    109
I'm happy to learn that Florian is interested in jumping to the next step! :thumb:
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
I'm waiting for Bouncer to implement hash-based whitelisting so it can create a whitelist of executables already in the user-space. Bouncer would be able to protect all of the ProgramData and AppData folders then.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    This is a great expectation just waiting to finally be experienced.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yeah, Bouncer would be pretty tough with hashing, and the CommandLineScanner.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Without a doubt a real help especially now that 64bit is pretty common for most end users. Now if only a new independent classical HIPS project would show up on this scene for 64bit my dream security setup would be all but near flawless.
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
Some very interesting stuff:

"Just a quick status update. I am heavily coding on a new version of MZWriteScanner. My internal build now supports detection of renaming etc. The driver is also able to keep track of newly written executables that shall be executed (it is hash based using the sha256). So if you turn on LETHAL mode any new executable cannot be executed while MZWriteScanner is enabled and has registered the executable as new. (After restarting the driver one is able to start the executables, it is just session based.)"
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    So no update yet on some progress with Bouncer? Curious to learn if this might take awhile or what have you.
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    There is some internal testing of a completely new driver right now that is able to "catch in-memory attacks", as Florian is "interested in applications that try to inject their code into another running process". This is functionality that could potentially be added to Bouncer later as well. Although it's difficult to say, because I assume that some users might like having individual kernel-mode drivers that have different functions, while some may like all that functionality combined into one kernel-mode driver. It may also come down to what makes sense as far as supporting and maintaining the drivers as well, which method is more efficient. Florian's mind is always moving forward which is certainly a good thing because it means more creativity.

    I know that he also plans on creating some free malware analysis web site by the end of summer for security researchers and hard core users. I believe there should be a major update in functionality coming to MZWriteScanner within the next week or so which would combine nicely with Bouncer or even be significantly secure even without Bouncer. Also there is another plan in the works to create some sort of portable free MZWriteScanner for those everyday Internet users (not Wilders' type of users) with no configuration needed that I was intending to help brainstorm for as well, but my participation so far this summer has been extremely limited because of health related things here at home. But there should be some updates and interesting things coming from Florian still soon and some also by the end of summer. And once summer is over, I will be able to assist some more with the brainstorming and planning aspect.
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
I'm very interested in seeing this added functionality. I wonder if it will be anything like AppGuard's memory protection, or if it will be more like EMET's protection. Maybe it won't be like either, and be something new. I look forward to testing Bouncer with this added functionality.
     
  14. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
I have been watching this thread with great interest. To add to WildByDesign's previous mentions, direct from the MZWriteScanner "read me":

    "We are currently working on a whitelisting engine for the next version, so you can exclude files and paths that will not cause a notification for entitled executables"

I look forward with great anticipation to the software development of Excubits.

    regards.
     
  15. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    why is it so expensive vs EXE Radar Pro - is it that much better?
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Windows_Security
    I will check compatibility later tonight and will let you know, Kees. My assumption is that they would be compatible as long as we whitelist the necessary components of each so that they don't conflict. But I will respond later tonight when I try both together and will also make note of any whitelist rules if necessary. :)
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Windows_Security
    I have done some preliminary testing this afternoon regarding compatibility between SmartObjectBlocker and Bouncer. Some notes below:
    • SmartObjectBlocker seems to be having memory corruption issues, at least on Windows 10 x64. These issues are occurring even on a bare bones Windows 10 x64 prior to Bouncer being installed. The memory corruption errors seem to be affecting any kind of right-click menu functionality, Save / Save As functionality, as well as command prompt functionality. Seeing memory errors for Werfault.exe, dllhost.exe, cmd.exe, conhost.exe, etc. If your version of Windows with SmartObjectBlocker is not experiencing these memory corruption errors, then you will be fine running Bouncer alongside SOB. But if your Windows is also experiencing these memory errors with SOB, then you will have problems with Bouncer because Bouncer relies on cmd.exe and conhost.exe for the GUI.
• Bouncer driver seems to block executables first, so SOB seems redundant for the most part. My testing was with SOB in Lockdown mode with pretty basic Allow rules to ensure the system is running great while I tested it. I ensured that my D: drive would be blocked by both Bouncer and SOB, to see if there would be any kernel level conflicts when both programs try to block an executable at the same time. There were no kernel level conflicts to report, no crashes or anything, it worked as expected. Bouncer blocked and logged the executable blockages and SOB did not log anything as it did not block anything since Bouncer beats SOB to the punch, so to speak.
    So aside from SOB's memory corruption issues (at least on Windows 10 x64), it seems to be compatible with Bouncer just fine and no kernel level issues or crashes. I will do some more testing later tonight.

    Out of curiosity, are you experiencing these memory corruption errors with SOB? Which version of Windows are you testing SOB on? Thanks
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Some info on an upcoming kernel-mode driver:
    From: http://excubits.com/content/en/news.html

    I don't know much about it yet but I believe it has to do with protecting memory from program to program and to prevent DLL injection and things like that. Anyway, below is a quote from that article.

     
19. I was on Windows 7 Ultimate and moved over to Windows 10 Pro, just after Andreas reported the memory issues of SOB fixed. It was my guess that Bouncer would be first, therefore I suggested combined usage with SOB adding for instance parent limitation and allowing only programs signed in a particular folder to load.

    Bouncer: only allow Windows and Program Files execution
    SOB: only allow Chrome signed from Chrome (as shown in the example), don't allow parent process spawning other processes (but that could also be done for Windows Media Player, Office, PDF player, etc.)

    Bouncer + SOB would bring all Applocker functionality to every Windows version :thumb:
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Internal testing of kernel-level parent process control and SHA256 hashing is going extremely well and therefore there will be an updated version of Bouncer released soon. After that update there are more interesting things to come as well but will need more testing.
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
I've been using the stable release of MZWriteScanner for about 2 weeks now, and it's working extremely well for me. I just use it to log executable activity on my systems. It's nice to have more in depth logs of executable activity. It could even help in discovery of more sophisticated threats, even those well funded by government agencies that are misusing their resources. If you live in the wrong country these days you don't have to do anything to make yourself a target. Some governments want complete control over their citizens, and access to everything they do.
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Cutting_Edgetech I have been curious about MZWriteScanner lately as well. Florian is going to do a pre-release very soon of MZWriteScanner that "supports Bouncer’s black- and whitelisting and features a [LETHAL] mode" and when "enabled, any newly written executable that is not whitelisted will be hashed and logged. If someone tries to start an executable with this SHA256 hash value, the driver blocks the attempt."

    That sounds pretty exciting to me, especially in combination with the upcoming features of Bouncer. The combination would be pretty solid and 100% within the kernel. There is expected to be a release of Bouncer and MZWriteScanner soon as both are doing well with internal testing for quite some time now.

One thing that Bouncer likely will not get, though, is checking of signature/issuer/certificates for several reasons (quoted from Florian):
    You can always send Florian a note if you wanted to test the pre-release of MZWriteScanner which should be available soon.

    Yes, that is the main purpose (and design goal) behind all of Florian's drivers; forensics use. Although since the drivers have gained some momentum over the past year, he has decided to make them somewhat more user friendly. But they will still only appeal to hardcore users.
     
    Last edited: Aug 6, 2015
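The LETHAL-mode logic described in posts 9 and 22 (session-scoped SHA256 tracking of newly written executables), layered under a Bouncer-style path rule like the one suggested in post 19, as an added user-mode model written for this thread. It is not Excubits code; the directory list, file paths and the sample bytes are constructed.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed model of the two policy layers discussed in the thread.
# Not Excubits code: the real products are kernel drivers, this only
# mirrors their decision logic so the interaction can be seen.

# Bouncer-style path rule: run only from these directories (post 19's suggestion).
ALLOWED_DIRS = (PureWindowsPath(r"C:\Windows"), PureWindowsPath(r"C:\Program Files"))

def path_allowed(path: str) -> bool:
    """True if the executable lives under a whitelisted directory (case-insensitive)."""
    return any(d in PureWindowsPath(path).parents for d in ALLOWED_DIRS)

class WriteScanner:
    """MZWriteScanner-style LETHAL mode: hash every newly written executable that is
    not whitelisted and block later execution of any file with one of those hashes.
    The set is session based, i.e. cleared when the driver restarts."""

    def __init__(self, whitelist_hashes=()):
        self.whitelist = set(whitelist_hashes)
        self.new_hashes = set()
        self.log = []

    def on_write(self, path: str, content: bytes) -> None:
        h = hashlib.sha256(content).hexdigest()
        if h not in self.whitelist:
            self.new_hashes.add(h)
            self.log.append(("written", path, h))

    def on_execute(self, path: str, content: bytes) -> str:
        if not path_allowed(path):                # Bouncer fires first (post 17)
            return "blocked:path"
        if hashlib.sha256(content).hexdigest() in self.new_hashes:
            return "blocked:hash"                 # same bytes, any name or folder
        return "allowed"

    def restart(self) -> None:
        self.new_hashes.clear()

def demo():
    payload = b"MZ\x90\x00 constructed sample, not a real PE image"
    s = WriteScanner()
    s.on_write(r"C:\Users\bob\Downloads\dropper.exe", payload)
    r1 = s.on_execute(r"C:\Users\bob\Downloads\dropper.exe", payload)
    # Same bytes dropped into a whitelisted folder: the path rule alone would
    # let it run, the session hash still catches it (the bypass raised in post 2).
    r2 = s.on_execute(r"C:\Program Files\dropper.exe", payload)
    s.restart()
    r3 = s.on_execute(r"C:\Program Files\dropper.exe", payload)
    return r1, r2, r3
```

After the simulated driver restart the third call is allowed again, which is exactly the session-based limitation post 9 points out.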
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Ok apparently Christmas came early for my Inbox. I just received test versions of Florian's latest drivers/updates:
    • Bouncer with SHA256 and parent process checking/control
    • MZWriteScanner with SHA256 and full blocking control when files are written to disk
• MemProtect driver to prevent programs from writing to other programs' memory, DLL injection, etc.
    These have reached a stable level now and after I test them out for a week or so, these should be ready to go. I am mostly excited about MZWriteScanner's new features and Bouncer's new features as well. Although I know some users will be excited about MemProtect too. Time for me to start stress testing all 3 of these new drivers and I will report more on them later as I test them.

    Regarding MemProtect driver:

    Regarding Bouncer roadmap, versions, etc.:
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I hope I have time to test it tomorrow. Too many things on the to do list for today. The drivers aren't signed yet so it will be a little more time consuming to test at this stage.
     