Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    SVD

    Could robocopy.exe be classed as a vulnerable process?
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Thanks again @mood. You are most helpful.
     
  3. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Tested Pumpernickel for some weeks now. This is correct Mister X, but I don't see any problem here. Pumpernickel still protects against write attempts, so the only risk I see is that malware could read out information, but it is not able to do harm like with ransomware.

    On my VM I tested Pumpernickel with some Locky (and other malware). Ransomware was not able to encrypt secured folders, so I think Pumpernickel did a great job.
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    A major concern for me. I have lots of legit software keys and serials which cost me $$.
    It would be wonderful to see Pumpernickel be able to block any program just like SecureFolders does.

    Thanks for your input.
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Regarding Pumpernickel, can it be bypassed if ransomware reads/writes the disk data directly?

    I ask after seeing this other solution in another thread:
     
  6. guest

    guest Guest

    I blocked write-access to a USB stick, opened it as a logical volume with a disk editor and searched for the file I wanted to edit. Then I easily modified it.
    After that I drag-and-dropped the same file normally to the editor, and the write-access was denied.
    Low-Level Access = NOT denied
    Normal write-access = denied

    But the ransomware needs admin rights to modify the data directly.
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Alright, but a ransomware could be granted admin rights by very sophisticated methods or a vulnerability, couldn't it?
     
  8. @Mister X

    Yesterday was the monthly draft of the Dutch State Lottery. The one with the winning ticket number could win 20 million dollar. I did not win.

    My guess is that the chances of this type of good luck matches the bad luck you described ("could by very sophisticated methods using a vulnerability").

    Despite those odds (good luck chance), I still bought a ticket for next month, so I can understand that you might prefer another solution, to minimize that very small bad luck chance.

    Regards Kees
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    L0L, thanks @Windows_Security
    To my understanding this is one of the best drivers ever built, along with EFL, I think. So no, I do not prefer any other solution so I'll stick to Pumpernickel for the time being or EFL (I need further testing on both).
     
  10. hjlbx

    hjlbx Guest

    You use AppGuard in Lock Down mode. So even with an exploit of the browser or another Guarded App that manages to get a ransomware file onto the system, it will not execute.

    I have witnessed with my own eyes -- AppGuard blocked a fully undetected, digitally signed ransomware that got onto system via Internet Explorer exploit and whitelisted NET Framework\vulnerable Windows process abuse.

    Besides, you can define Private folders in AppGuard. There is one defined by default. Just place all your most valuable data inside it.

    So, if ransomware manages somehow to bypass AppGuard and execute on system, then contents of Private folder(s) still cannot be modified -- even by hollowed whitelisted Windows process -- like explorer.exe.
     
  11. guest

    guest Guest

    First it has to be executed, but with other security apps running the probability is very low.
    For example AppGuard in Lock Down, ERP, etc...
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Okay, then Pumpernickel will suffice. Thank you guys.
     
  13. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    So, if I want to protect backups on an attached USB drive, all I need to do is mark the drive as Private in AppGuard and run AppGuard in Lockdown mode? No need for Pumpernickel or Secure Folders to protect the USB drive?
     
  14. guest

    guest Guest

    Programs started in system space and Guarded Apps with Privacy=Off can still access your backups.
    And if you lower the protection to "Allow Installs" or "Off" temporarily, they are not protected either.
     
  15. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    Thanks Mood, I was hoping to simplify things a bit, but I guess I will stick with Pumpernickel for now...
     
  16. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Hmmm, to be honest: you should not keep your software keys unencrypted on your disk. I would suggest putting them into a TrueCrypt (VeraCrypt) drive...
     
  17. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    How should it be possible? AppGuard is no magical snake oil software. Something must protect a Private (protected) folder. At the end it is some software by AppGuard. And as we all know: every software has bugs and every software can be hacked, so I would assume that a smart attacker can and will attack such Private Folders, too.

    So for me no difference between Pumpernickel and AppGuard here. Both are tools and in some situation you will be able to overcome them.
     
  18. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Ha, ha :) Great!

    I do not see the attack here: having access to a logical volume and using a disk editor will break every file-based protection. I think this is not the kind of attack AppGuard, Secure Folders or Pumpernickel are written against. It is like saying: well, I have all these protection drivers on, but when I boot a Linux Live System or have infected my system with a hardcore rootkit that gets persistent right before boot-up, all these protection drivers do not work. Yes sure, they will not work, because this is not what they are meant to be good for. It's like crashing a Mercedes S-type against a wall at 300 km/h and saying, whoops, people died, the airbag did not work correctly, claiming: Mercedes is totally insecure.

    Using direct disk access to attack a drive protected with file-based tools is not an attack.

    Okay, the attack should be blocked long before by your other measures. Security is all about layering, never just use one tool alone, combine wisely that is the key point.

    I highly recommend Brian Krebs' blog, he often refers to layering mitigation techniques to avoid attacks etc. When reading forums I often get the feeling that people tend to say: just use _only_ this ONE super-duper tool, it will catch all and everything, it's theeee best you can get, do not use all the others... At the end we all know that nothing is 100%, so LAYER and use/combine different tools wisely so that they can play to their strengths.
     
    Last edited: May 14, 2016
  19. hjlbx

    hjlbx Guest

    I am using AppGuard bypass to mean that AppGuard is not able to block execution of ransomware. As long as ransomware does not completely disable AppGuard, when the ransomware executes it does so with limited rights (Guarded). Any child processes inherit limited rights (Guarded). So hollowed System Space processes (e.g. explorer.exe) will inherit restricted file system and registry modification privileges. With inherited limited rights, no process - not even System Space processes - can modify Private Folder contents.

    It is easy to test. Add ransomware to System Space and add it to Guarded Apps. Execute ransomware. Ransomware will encrypt all modifiable directories -- except any defined private folders.

    It's just that simple.

    * * * * *

    It would require a very sophisticated (convoluted) attack to completely disable AppGuard. So, in other words, it would require a complex, targeted attack of AppGuard itself. The probability of such an attack is minuscule -- and not something to fret over for a single second.
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Thanks for the suggestion but I will never encrypt my drive/s. For me, for my specific personal setup encryption is not needed at all. I just want a driver which can put a thick wall between my USB flash drive and the rest of the OS, with a good user interface. If any malware out there or "upcoming" ones could break driver's robustness I could still live with breakage. I think I'm going to try Easy File Locker.
     
  21. hjlbx

    hjlbx Guest

    I don't disagree with the concept of layering. I use a layered config = AppGuard + Adguard + Windows Defender + Windows Firewall. I also keep software updated and reduce attack surface by not using most of the most commonly exploited applications.

    For safe use, this general security approach protects my system. Granted, it ain't anti-NSA grade protection. If I were operating in a highly dangerous environment - such as an internet cafe in Nigeria - then I would really harden my OS and/or use Linux. However, I am always at home behind a NAT router.

    I look at my typical use and use environment and have deliberately chosen my security softs based upon actual facts of use. There is no use in hauling around a cannon when all one needs is a good pocket knife...

    From my perspective -- gained from participation on the forums -- there are some that promote excessive layering with a lot of duplication of effort. Other users try to implement this model and go overboard -- resulting in nothing but problems and frustration.

    I see it time and again -- configs with 10 layers of security with a whole lot of overlap that decreases usability, makes configuration overly complicated and causes system\application problems.

    You give good advice: "so LAYER and use/combine different tools wisely so that they can play to their strengths."

    I adhere to the concept that "Less is more." It works if you choose wisely...
     
  22. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Where is the script to uninstall Pumpernickel?
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Open an elevated command prompt:
    Code:
    net stop pumpernickel
    sc delete pumpernickel
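    The two commands above are the whole uninstall. As an added example (not from the thread or from the Pumpernickel author), here is the same removal as a PowerShell script that checks for elevation, confirms the driver service actually stopped before deleting it, and verifies afterwards that no filter driver by that name is still loaded. The service name `pumpernickel` is taken from the post; that it registers as a file-system minifilter visible to `fltmc` is an assumption.

```powershell
# Added example, not the project's own code. Removes the 'pumpernickel' driver
# service named in the thread, with the checks an admin would want around
# 'net stop' / 'sc delete'. Assumes PowerShell 5.1+ on Windows.
$ServiceName = 'pumpernickel'

# The post says "elevated command prompt": service deletion needs admin rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# Pumpernickel is a driver, so it shows up as Win32_SystemDriver, not Win32_Service.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$ServiceName'"
if (-not $drv) {
    Write-Host "Driver service '$ServiceName' is not installed; nothing to do."
    return
}
Write-Host "Found '$ServiceName' (state: $($drv.State), start mode: $($drv.StartMode))"

# Equivalent of 'net stop pumpernickel', then wait until it reports Stopped.
if ($drv.State -ne 'Stopped') {
    $result = Invoke-CimMethod -InputObject $drv -MethodName StopService
    if ($result.ReturnValue -ne 0) {
        throw "StopService failed with return code $($result.ReturnValue)"
    }
    $deadline = (Get-Date).AddSeconds(30)
    do {
        Start-Sleep -Milliseconds 500
        $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$ServiceName'"
    } while ($drv.State -ne 'Stopped' -and (Get-Date) -lt $deadline)
    if ($drv.State -ne 'Stopped') { throw "'$ServiceName' did not stop within 30 seconds." }
}

# Equivalent of 'sc delete pumpernickel'.
& sc.exe delete $ServiceName | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe delete failed with exit code $LASTEXITCODE" }

# Deletion stays pending while any handle to the service is open; a reboot clears it.
if (Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$ServiceName'") {
    Write-Warning "Service entry still present (deletion pending); reboot to complete."
}

# A filter driver that is still loaded keeps enforcing its rules even after the
# service entry is gone. Assumption: the minifilter carries the same name.
$loaded = & fltmc.exe filters 2>$null | Select-String -SimpleMatch $ServiceName
if ($loaded) { Write-Warning "Minifilter still loaded until reboot:`n$($loaded.Line)" }
else         { Write-Host "No loaded minifilter named '$ServiceName'." }
```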
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada