Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. hjlbx

    hjlbx Guest

    When are Pumpernickel and MemProtect to be completed as stable releases? Not asking for an exact date, but within the next 3 months, 6 months, etc.?

    I'm mostly interested in MemProtect...
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    To be more specific about future plans as to when Pumpernickel and MemProtect will leave Beta, I will check in with Florian and get his plans on that and hope to at least provide estimated time frames.

    MemProtect is likely the closer of the two when it comes to being feature complete and stable since Pumpernickel is still receiving some additional features within the internal builds. Over the course of time throughout much testing, MemProtect in particular has proven to be rock solid.

    The impression that I have is that Florian wouldn't push these out to the public and declare each as a "stable software product" of sorts yet because they both still lack documentation, and that is where he lacks more in time since it's a very small development team. That's why I'm also trying to decide on whether or not to push forward some sort of Bouncer community effort, such as a Wiki-type site where users can add/edit/share different configurations and help to create documentation and so on. It would also even be possible for someone who is skilled with creating graphical user interfaces to create a GUI front-end to provide more visual control, etc.

    Over time, both MemProtect and Pumpernickel may end up being integrated into Bouncer with each having their own configuration sections within the Bouncer.ini file and also their own line so that the user can toggle them on or off. So I am not 100% sure if MemProtect and Pumpernickel would go stable on their own or be integrated into the stable Bouncer builds. I will inquire with Florian soon though and get back to you on his upcoming plans.

    As far as your main interest with MemProtect goes, I would say go for it. It is digitally signed now and proven rock solid on its own. The only thing that I would suggest is to run MemProtect in non-lethal mode for the first little while until your configuration is proper based on your overall setup, to ensure that nothing is showing up in the log file that would be critical if it were to be blocked. Ensure that it doesn't block any of AppGuard's functionality in particular. I do recall a few users who had success with MemProtect and AppGuard together.
     
  3. hjlbx

    hjlbx Guest

    Thanks @WildByDesign.

    LOL... I know some users that are simply trying to re-create AppGuard's complete policy set within Bouncer.

    I will check MemProtect. Does it use the W10 toast notification the same as Bouncer ?

    Those toasts will flood (10,000+ red X .pngs) AppData\Temp; it took CCleaner 2 minutes to clean-out the Temp directory... LOL.
     
  4. guest

    guest Guest

    With Bouncer they have a very reliable "fallback" if AG simply doesn't want to block some executables. :D
    Is this documented somewhere? I looked in the handbook but couldn't find it. :doubt:
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Just a quick update. I've received a second internal pre-release build of Pumpernickel today from Florian, and it breaks down the Pumpernickel config much better and gives better control over the read access config. Below is just a brief layout of the upcoming Pumpernickel config to give an idea of how it can be broken down now, thanks to input from Kees.
    Code:
    [WHITELISTMODIFY]
    [BLACKLISTMODIFY]
    [WHITELISTREAD]
    [BLACKLISTREAD]

    I don't believe that it ended up being documented. It works like a charm though and that is my preferred way to use Bouncer.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    :thumb:
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    After some more testing, I've come to the realization of just how solid of protection Pumpernickel will provide against ransomware with regard to external backup drives, partitions, etc. all while still allowing the required backup software access to the protected data. With the addition of read access filtering, I've found that you cannot even see the contents of a partition / external drive, thus essentially hiding file names, folder names, etc.
    Code:
    Example:
    *>D:\Pictures*
    Or another scenario, for example: let's say we give access to the folder (but block access to the data within), in this case on purpose, and we can see the file names within it; without read access it will block the thumbnails from being shown on pictures, videos, etc.
    Code:
    Example:
    *>D:\Pictures\*
    The simple backslash makes a big difference between the two examples. The first example blocks access to the folder itself, folder attributes, and data within. The second example gives access to the folder, but blocks access to the data within.

    I should note that priority rules (!) are supported in Pumpernickel configuration as well which allows for great flexibility and creativity.

    One other thing to note. I was also playing around with blocking access entirely to a partition or external drive with the following example:
    Code:
    Example:
    *>D:*
    
    Not:
    *>D:\*
    Anyway, I just wanted to share briefly what I've found so far in my testing of this latest internal build of Pumpernickel. My plan is to create some different configuration examples and share them here so that users can simply copy and paste to try different things and see what all can be achieved, around the time when Florian releases the build on the Beta Camp page. It's proven to be solid and stable in my testing. So hopefully it makes its way to beta soon enough.
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    This is just getting better and better. Can't wait to test new beta Pumpernickel in my system. Thanks.
     
  9. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    That would definitely be appreciated. Looks like things have developed massively from the last time I tried out Bouncer. Keen to give MemProtect and Pumpernickel a go at some stage when time and mental energy permit.

    There's now a lot of pages with some very good information from various contributors.
     
  10. hjlbx

    hjlbx Guest

    @WildByDesign

    Florian stated a few months back that he would be releasing a list of additional vulnerable processes that should be properly configured in Bouncer, MemProtect.

    He never released that list.

    Could you ask him for the infos ?
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Some more Pumpernickel news: (quoted Florian)
    Sounds like that will harden Pumpernickel even more so.


    Some exciting Bouncer/Excubits related news in general: (again, quoting Florian)
    That is exciting news because, at present, the Bouncer/Pumpernickel/MemProtect kernel-mode drivers do not work on Windows 10 Anniversary Update builds (official MS release upcoming August 2nd) due to the SHA-1 deprecation and the new requirement for kernel-mode drivers to be SHA-256 signed with an EV certificate. Expensive stuff, but Florian thankfully is ahead of the game on this and keeping his drivers (and his devoted users) in the mix. These digital signature requirements are expected to hit Windows 7/8.x in 2017 as well, so these EV certs are a make or break thing over the next year or so. Bouncer/Excubits will have an EV cert within the next 10-15 days. This new requirement will absolutely strengthen the security of Windows and limit the amount of damage that malware can do, as well as limit digital signature theft.


    Some briefly bad news:
    What this means is that Florian was expecting to release an upcoming Beta Camp build this weekend (potentially), but that it will only be test signed, meaning that users would have to put Windows in Test Mode to use it initially. But this is only limiting for the next 10-15 days until Florian receives the EV cert on an HSM dongle and will then be able to re-sign all of his drivers with the EV cert.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @hjlbx Absolutely, I will inquire about that. As a matter of fact, that was the "meat & potatoes" that I was really looking forward to as well since his shared findings come from current threat entry points from his primary role as security researcher. I'm assuming that he ran short on time or forgot, but I will check up with him today on that.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi

    Where can I download MemProtect and any manual he may have?

    Thanks,

    Pete
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Peter2150 Hi Pete

    Latest MemProtect can be downloaded from here: https://excubits.com/content/en/products_beta.html

    At the moment, documentation for MemProtect is lacking as it does not have a nice PDF manual like Bouncer. However, there should be a readme.txt file within the download once extracted. If there is anything that you need help with or any questions, there's a few of us here that would be more than happy to assist.

    Cheers! :)
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks so much

    Pete
     
  16. guest

    guest Guest

    It was me ...
    This Monday i wrote an email exactly about this: "Modifying of file attributes/ACL not possible with Pumpernickel?" then he responded: "that's not part of the protection..."
    But yesterday i got another mail and they are now implementing it. That was quick :thumb:
    :thumb:
    Correct.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well that was quick :) Downloaded and extracted to desktop. Ran the cmd file Start driver.cmd as administrator. It failed saying there was no such service. What am I missing??


    Thanks,

    Pete
     
  18. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    edit
    first make a MemProtect.log text file
    and copy it to the Windows folder
    then copy MemProtect.ini to the Windows folder
    then install with MemProtect.inf (x86 or x64)
    restart PC
     
  19. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    thanks for information @WildByDesign
    Pumpernickel just getting better and better
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Ah, thanks co22. I'll give it a try in a bit.
     
  21. @Peter2150

    Are you really trying software without a GUI?

    I am falling out of my chair while typing of surprisssssahhhhhhhhh
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)

    This^ is a very big advance. Thanks for pressing the issue.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    ROFL. Not my preference, but I can be full of surprises. Besides with Macrium, if I don't like it, it's gone.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, question. Is there a conflict with AppGuard? I haven't gotten anywhere installing MemProtect. System hangs at logon. I have AppGuard installed but neutered. By that I mean I am using Autoruns and I have the AppGuard GUI, Service and Driver all unchecked so it doesn't start up. But could there still be a conflict?

    Thanks,

    Pete
     
  25. guest

    guest Guest

    Are you using the default MemProtect.ini?
    If yes, better use this first:
    Code:
    [#LETHAL]
    [DEFAULTALLOW]
    With [#LETHAL] blocking is disabled, but it's still logging to MemProtect.log.
    Nothing bad can happen now.
    And for first steps with MemProtect it's maybe better to use [DEFAULTALLOW].

    Then try to begin with some rules. In this thread are a lot of examples.
    You can look in the Memprotect.log to see what was blocked and you can customize your rules accordingly.
    If you are ready after some time you can try [LETHAL] to turn blocking on.

    Example:
    With the following tiny example the PDF reader SumatraPDF can't execute programs outside of its directory.
    And it can't modify the memory of processes (or inject into them) started outside of its directory.
    Code:
    [WHITELIST]
    !*\SumatraPDF.exe>C:\Program*\SumatraPDF\*
    [BLACKLIST]
    *\SumatraPDF.exe>*
    It can happen that you get some messages in the Activity Report like this:
    Prevented <c:\program files\mozilla firefox\firefox.exe | c:\windows\explorer.exe> from writing to <\registry\machine\software\excubits\memprotect>.
    Just ignore them.
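The two posts above (WildByDesign's Pumpernickel path examples, `*>D:\Pictures*` versus `*>D:\Pictures\*` and `*>D:*` versus `*>D:\*`, and the MemProtect SumatraPDF rules with `[#LETHAL]`/`[DEFAULTALLOW]`) share one rule syntax, so the following added example is a small Python evaluator for that syntax. It is not Excubits' code and does not reproduce the drivers' actual matcher; it assumes that `*` matches any run of characters including backslashes, that matching is case-insensitive, that a `!` priority rule outranks every non-priority rule, that among rules of the same rank a BLACKLIST entry wins over a WHITELIST entry, and that `[#LETHAL]` means "log only". The `backup.exe` whitelist rule, the `D:\Private` folder and the paths in the demo are constructed for illustration.

```python
"""Toy evaluator for Excubits-style rule lines (Bouncer / MemProtect /
Pumpernickel .ini).  Illustration only; the semantics below are assumptions
made for this example, not a description of the real drivers."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    # '*' is the only wildcard and matches any run of characters, backslashes
    # included (assumption). That is why "D:\Pictures*" also covers the folder
    # "D:\Pictures" itself (and any sibling whose name starts with "Pictures"),
    # while "D:\Pictures\*" only covers entries underneath it.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


@dataclass
class Rule:
    process: "re.Pattern[str]"   # left side of '>'
    target: "re.Pattern[str]"    # right side of '>'
    deny: bool                   # True for BLACKLIST* sections
    priority: bool               # leading '!'
    text: str                    # original line, echoed in the log

    def matches(self, process: str, target: str) -> bool:
        return bool(self.process.match(process) and self.target.match(target))


@dataclass
class Policy:
    lethal: bool = False         # [LETHAL] blocks, [#LETHAL] only logs
    default_allow: bool = False  # [DEFAULTALLOW] verdict when nothing matches
    # keyed by access kind: "" for WHITELIST/BLACKLIST, "MODIFY", "READ", ...
    rules: Dict[str, List[Rule]] = field(default_factory=dict)


def parse_policy(ini_text: str) -> Policy:
    policy, section = Policy(), None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].upper()
            if name == "LETHAL":
                policy.lethal = True
            elif name == "#LETHAL":
                policy.lethal = False
            elif name == "DEFAULTALLOW":
                policy.default_allow = True
            elif name.startswith(("WHITELIST", "BLACKLIST")):
                section = name
            else:
                section = None   # unknown header: skip lines until the next one
            continue
        if section is None:
            continue
        priority = line.startswith("!")
        body = line[1:] if priority else line
        if ">" not in body:
            raise ValueError(f"rule without '>' separator: {raw!r}")
        proc_pat, target_pat = body.split(">", 1)
        kind = section.replace("WHITELIST", "").replace("BLACKLIST", "")
        policy.rules.setdefault(kind, []).append(Rule(
            glob_to_regex(proc_pat), glob_to_regex(target_pat),
            deny=section.startswith("BLACKLIST"), priority=priority, text=line))
    return policy


def decide(policy: Policy, process: str, target: str, access: str = "") -> Tuple[str, str]:
    """Return (verdict, log line); verdict is 'allow', 'block' or 'log-only'."""
    matched = [r for r in policy.rules.get(access.upper(), []) if r.matches(process, target)]
    if not matched:
        deny, reason = (not policy.default_allow), "no rule matched"
    else:
        # '!' rules outrank the rest; within one rank a deny rule wins (assumption).
        top = [r for r in matched if r.priority] or matched
        winner = next((r for r in top if r.deny), top[0])
        deny, reason = winner.deny, winner.text
    if not deny:
        return "allow", f"Allowed <{process}> -> <{target}> ({reason})"
    verdict = "block" if policy.lethal else "log-only"
    return verdict, f"Prevented <{process}> from accessing <{target}> ({reason})"


# Constructed configs: the MemProtect one is the thread's SumatraPDF example in
# non-lethal mode; the Pumpernickel one adds a hypothetical backup.exe whitelist.
MEMPROTECT_INI = r"""
[#LETHAL]
[DEFAULTALLOW]
[WHITELIST]
!*\SumatraPDF.exe>C:\Program*\SumatraPDF\*
[BLACKLIST]
*\SumatraPDF.exe>*
"""
PUMPERNICKEL_INI = r"""
[LETHAL]
[DEFAULTALLOW]
[WHITELISTREAD]
!*\backup.exe>D:\*
[BLACKLISTREAD]
*>D:\Pictures*
*>D:\Private\*
"""


def demo() -> Dict[str, str]:
    mp, pn = parse_policy(MEMPROTECT_INI), parse_policy(PUMPERNICKEL_INI)
    sumatra, explorer = r"C:\Program Files\SumatraPDF\SumatraPDF.exe", r"C:\Windows\explorer.exe"
    return {
        "sumatra_own_dll": decide(mp, sumatra, r"C:\Program Files\SumatraPDF\libmupdf.dll")[0],
        "sumatra_cmd": decide(mp, sumatra, r"C:\Windows\System32\cmd.exe")[0],
        "explorer_unrestricted": decide(mp, explorer, r"C:\Windows\System32\cmd.exe")[0],
        "backup_reads_pictures": decide(pn, r"C:\Tools\backup.exe", r"D:\Pictures\cat.jpg", "READ")[0],
        "explorer_lists_pictures": decide(pn, explorer, r"D:\Pictures", "READ")[0],
        "explorer_lists_private": decide(pn, explorer, r"D:\Private", "READ")[0],
        "explorer_reads_private_file": decide(pn, explorer, r"D:\Private\notes.txt", "READ")[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} {verdict}")
```

Running `demo()` shows the two distinctions the posts make: SumatraPDF reaching into its own folder is allowed because the `!` whitelist rule outranks the catch-all blacklist, while launching `cmd.exe` is only logged under `[#LETHAL]`; on the Pumpernickel side, `D:\Pictures*` denies even listing the folder, whereas `D:\Private\*` lets the folder be listed but denies its contents, and the priority whitelist keeps `backup.exe` working. Note the caveat in `glob_to_regex`: a pattern without a trailing backslash also matches sibling names that share the prefix.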
     