Bouncer (previously Tuersteher Light)

That's weird. I wrote Florian a mail and asked him about it. It makes no sense to me, because I recently have beta version of Türsteher adn Pumpernickel (I have purchased full versions) without any limitation and for me it does not look like that he will angering its customers. From all I can say he always tries his best for good service. Maybe it was a misunderstanding. Once I know more, I write it here.

 

I have been playing around with MemProtect some more lately with a growing interest in creating memory sandboxes for Chromium to protect from injection and essentially isolate from user-space. This is just an early config example that I wanted to share. I will try to put together more examples for other vulnerable apps such as Adobe Reader and more as I have time.

Spoiler: MemProtect.ini

Code:

[#LETHAL]
[LOGGING]
[DEFAULTALLOW]
[WHITELIST]
!*chrome.exe>*chrome.exe
!C:\Program Files\*>*chrome.exe
!C:\Program Files (x86)\*>*chrome.exe
!C:\Windows\*>*chrome.exe
!*chrome.exe>C:\Program Files\*
!*chrome.exe>C:\Program Files (x86)\*
!*chrome.exe>C:\Windows\*
!*ccleaner*.exe>*chrome.exe
[BLACKLIST]
C:\Users\*>*
*>*chrome.exe
*chrome.exe>*
[EOF]

 

Thanks @WildByDesign I will try it.

Got answer from Florian. It must be a misunderstanding - as I have suspected already - If you licensed a driver you can always get unlimited versions of new betas, just ask. For those who do not want to license but want to do more in deep testing they can request unlimited beta version, but these are restricted in time and behavior (for good reasons: if he would not, people can just request free betas and then use them instead of licensing. As Florian's drivers are quite well performing and there are less serious errors and bugs, he would kill his own business case. From this point of view it all makes sense.

In short: If you already paid (licensed) driver, you get unrestricted beta as well. Just fair and simple, nothing to complain either

 

Then it was a little misunderstanding from their side, because I asked them a question about a "beta-version for users who paid for it" and they answered: "...it' s restricted"
But good to know that beta's are unrestricted (if the user has a licensed version)

 

@4Shizzle :

Thank You for the detailed explanation.

 

New beta builds coming soon with Silent Rules for: Bouncer, MemProtect, MZWriteScanner, and Pumpernickel/Fides.

 

Great news indeed... Thanks a lot!

 

Just requested unlimited Betas of MemProtect and Pumpernickel (Bouncer paid user), they are time limited, do not get started if change year to 2017.

Seems Bounce beta has no limitations (no size, no time limitation).

Only did a quick test though, "the switching back to [#LETHAL]" not confirmed yet.

 

They told me It should switch back to [#LETHAL] after "a few thousand" events.
I think some hours are needed to reach this limit.

 

Bouncer = process execution and command filter
Pumpernickel = file read and write filter
Memprotect = uses a Windows buld-in feature called "protected processes"

Benefits of MemProtect over HPMA:
a) KERNEL based protection (no dll-injection/hooking)
b) SIMULAR* (probably stronger) exploit protection
c) WITHOUT the compatibility issue of HPMA
d) WITH less code (CPU overhead)
e) FREE for consumers

*MemProtect stops all exploit related attaks of the HPMA test tool, see link

 

Sorry, seem that my write up was leading to misunderstanding here.

What I mean was: If you have license Bouncer you can have unlimited beta version of Bouncer while the new version is not official launched.

If you have license of Pumpernickel (which I have as early bird adopter/supporter), then you can have unlimited beta version of Pumpernickel. And yes Pumpernickel is yet not official launched as product but I asked Florian back then if I could already get license and then when Pumpernickel is final product get the full version. So I have already full version of beta and will automatic get full version of final product Pumpernickel --> FIDES as it will named on final product release.

I said: you can always ask Florian for a demo fitting you needs for more deep testing. He is open minded and my experience is that he provides lots of information, background infos if you ask. Also you can have special versions to do more checks. He also provides betas (from what @kakaka and @mood say, you already got them too), but with limitation. This would be OK for me, because it is demo/beta. We all know that beta/demo are not meant to be used unlimited, at least for security reasons you should not use them in long term. So what is the problem I dont get it

As written by me some posts ago: If you have licensed full version of a product you get full support for this product, incl. full-free betas. Giving more for not license customers this is unfair for all custiomers who paid for product. Honestly I would be very, very upset to see people who paid already for Pumpernickel - like me and other I know of - and give support as early bird (kick starter) supporters have no advantage over others. That would really annoy me to hell.

I had conversations with Florian while ago on licensing and costs. I also said that giving too much for free will ruin business case for individual product. Some people here seem still do not understand that soft development costs, building a web page and reliable web hosting costs, code signing costs, a copy of visual studio costs, year business taxes/fees cost, ....... I am from swizerland and can best assume what the costs are in Germany and believe me: it is not just peanuts.

We all accept that starbucks coffee costs - no one complains and say, hey you starbucks guys I had a star latte vanilla double choc at starbucks last week, give me that cookie and cheese cake and a tripe choc coffe for free today, because I already bought a coffee last week. Oh boy! Think for a little moment about it... then complain again.

You can use ads and user data/statistics to make money and fill costs or you sell licenses. Florian/Excubits sells licenses instead of ads and user data/statistics and people still complain here that it should be free or cheaper, all and everything included. How should that work guys? That is insane. And I am annoyed that we hav this discussen here again, again, again, again, again and again (just go back in the thread). This should be technical discussion here, not about licensing and how to get things free and cheap all time every time.

I would like to see that Excubits drivers are updated supported for the next few years. I have seen so many tiny dev teams making cool soft for free or with just little fees and some ads. At the end they shut down business, no more updates, no more support and soft was stuck somewhere in the middle of being complete. And dont tell me that donation-ware is the solution here. It does not work for tiny projects because most 99.99% people just take, and never ever donate. That is reality. And that is why I pay for movies, mp3 and software I am using, because I also expect from my boss that he pays me at the end of the month and that my work was not for free.

 

Like NVT also.

 

Exactly They go hybrid way. They have free toos, tools to license, but they have advertisments on their web page at every single page you browse (Google Ad Words, with all the tracking cookies relating to this Ad-network). So they co-finance their stuff with Ads!!!

As I said: companies need to pay the bills somehow - even facebook isnt free, they sell you personal data, interests and show you Ads in timeline. YouTube the same play of games, its not free, Google makes a lot of money with tracking you on YouTube and Google search and present Ads. So it is decision of the company how to make money: licensing of software, showing ads, selling customer data to 3rd party, .... combination of each. So what I often hear and read is: Blame on facebook and Google for tracking and advertisment, but people do not want to pay. If company wants fees for service, people again blame and say: why want money, I want it free. Then company tells they need to pay bills, so they show ads. Then again, people complain about ads and customer data sellout, data protection, personal rights of data. They want full service without any side effect. Like I said: the same people want their boss to pay loan at the end of month, they also do not work for free I guess.

So respect others too, pay for music, movies, and also for software! If you cant or dont want I would then suggest to use linux only, but then you defenitly need more time to get things configured and fixed, I never used a Linux without getting stuck at some point, spending hours to search solutions.... And here we go again: time is money, too At end everything has a price.

 

What is the link to buy a license?

 

People here got mixed information about betas, so I requested betas and did some tests. It seems now all cleared up.

If you have license of *****, then you can have REALLY unlimited beta version of *****. Simple and Fair.

 

Yeah I would buy but it's not available yet, other than in beta camp.

 

Even if there is no buy button for these programs, you can buy it.
Send them an email and you'll get further information.
The support is fast and they are responding every time. Sometimes the developer himself responds
(Not like other vendors, where i rarely get an answer or if it get one it consists of maybe 1-2 sentences)

 

These were the details from Florian as to which memory/access operations are blocked by MemProtect. Also, I should note that Florian still has the ability to lock things down further and remove more attributes manually if needed.

Code:

The system restricts access to protected processes and the
threads of protected processes. The following standard access rights are
not allowed from a process to a protected process:

-DELETE
-READ_CONTROL
-WRITE_DAC
-WRITE_OWNER
-SYNCHRONIZE

The following specific access rights are not allowed from a process to a
protected process:

-PROCESS_ALL_ACCESS
-PROCESS_CREATE_PROCESS
-PROCESS_CREATE_THREAD
-PROCESS_DUP_HANDLE
-PROCESS_QUERY_INFORMATION
-PROCESS_SET_INFORMATION
-PROCESS_SET_QUOTA
-PROCESS_VM_OPERATION
-PROCESS_VM_READ
-PROCESS_VM_WRITE

 

Thanks for the information more explanation https://msdn.microsoft.com/en-us/library/windows/desktop/ms684880(v=vs.85).aspx

 

@WildByDesign I like your MemProtect.ini, it works very well! I added a few lines to add MS Office protection, allow printing and allow the Chrome software tool to run. Please see below and comment if you wish...

Spoiler: MemProtect.ini

Code:

[#LETHAL]
[LOGGING]
[DEFAULTALLOW]
[WHITELIST]
!*chrome.exe>*chrome.exe
!C:\Program Files\*>*chrome.exe
!C:\Program Files (x86)\*>*chrome.exe
!C:\Windows\*>*chrome.exe
!*chrome.exe>C:\Program Files\*
!*chrome.exe>C:\Program Files (x86)\*
!*chrome.exe>C:\Windows\*
!*ccleaner*.exe>*chrome.exe

!C:\Program Files\Microsoft Office\*>C:\Program Files\Microsoft Office\*
!C:\Program Files\Microsoft Office\*>C:\Windows\explorer.exe
!C:\Program Files\*>C:\Windows\splwow64.exe
!*chrome.exe>*software_reporter_tool.exe
[BLACKLIST]
C:\Users\*>*
*>*chrome.exe
*chrome.exe>*

C:\Program Files\Microsoft Office\*>*
[EOF]

 

Excellent work, thank you for sharing. I forgot to mention that my config still does not contain support for updating Chrome since I don't use Google Chrome; I use Chromium. But I will try to run some logging on a VM one of these days to capture upgrading components to create rules to include updates.

I've also recently added Adobe Reader to my MemProtect testing. This also does not contain rules for updates as of yet. The main concept so far with my MemProtect testing is to contain Chromium and Adobe Reader from potential user-space injections whether that being from user-space or to user-space. Anyway, just a work-in-progress and a learning process for me at the same time and figured that I would share what is working for me thus far.

Spoiler: MemProtect.ini

Code:

[#LETHAL]
[LOGGING]
[DEFAULTALLOW]
[WHITELIST]
!*chrome.exe>*chrome.exe
!C:\Program Files\*>*chrome.exe
!C:\Program Files (x86)\*>*chrome.exe
!C:\Windows\*>*chrome.exe
!*\Mozilla Thunderbird\thunderbird.exe>*chrome.exe
!*chrome.exe>*\Mozilla Thunderbird\thunderbird.exe
!*\Office1?\*.EXE>*chrome.exe
!*chrome.exe>C:\Program Files\*
!*chrome.exe>C:\Program Files (x86)\*
!*chrome.exe>C:\Windows\*
!*ccleaner*.exe>*chrome.exe
!*ccleaner*.exe>*\Reader\AcroRd32.exe
!*AcroRd32.exe>*AcroRd32.exe
!C:\Program Files\*>*AcroRd32.exe
!C:\Program Files (x86)\*>*AcroRd32.exe
!C:\Windows\*>*AcroRd32.exe
!*AcroRd32.exe>C:\Program Files\*
!*AcroRd32.exe>C:\Program Files (x86)\*
!*AcroRd32.exe>C:\Windows\*
[BLACKLIST]
C:\Users\*>*
*>*chrome.exe
*chrome.exe>*
*>*AcroRd32.exe
*AcroRd32.exe>*
[EOF]

I haven't had a chance to speak with Florian about this, but recently I have been brainstorming some sort of a "variables" concept during my use with MemProtect and may potentially be beneficial for the other drivers as well.

Variables Concept:

Code:

[VARIABLES]
a=*chrome.exe;*AcroRd32.exe;*firefox.exe
b=C:\Windows\Temp;C:\Users\*Temp*\

[WHITELIST]
^a>C:\Windows\System32\*
^C:\Windows\System32\*>a
^a>a

Anyway, I haven't had a chance to fully organize this concept yet. But essentially to allow multiple executables/paths/etc to be used within the same rule. I think that this would be especially nice for something like MemProtect.

The ^ was simply just an idea to indicate within the specific line/rule that it utilizes variables, although it could certainly be any other symbol. I'm certain that this concept could be organized and tidied up quite a bit more to look more appropriate, but the general concept itself would be beneficial. I will suggest this to Florian the next time that I am talking with him but I will try to clean up the concept a bit first.

 

This is what I was trying to explain. The "protected process" feature hasn't got anything to do with stopping some process from being exploited. Both Bouncer and MemProtect will block exploits/malware, by simply monitoring process execution. Let's say if they fail to do so, then MemProtect will try to stop the malware by blocking code injection into ANOTHER process, similar to AG's Memory Guard.

 

It don't matter if the exploit itself succeeds or not; what is important is that the payload or in-memory attack is blocked. Even not being able to block an in-memory attack is all that big of deal as long as access to the persistence (auto-start) keys and start-up folders has been denied.

I think too much emphasis is placed on blocking the exploit itself, and not enough attention paid to whether or not the overall attack was successful.

So ? Some reg keys are created in a harmless section HKCU or a file or two are deposited to User Space - it's no big deal - they're just inert on the system.

LOL...Inert malware on their system is a concept that few people can mentally or emotionally cope with...even though they might know better.

Perfectionism and OCD fantasies don't work in the world of IT -- unless a user wants to pay an annual license subscription starting in the $500 range - and even with that kinda fee the product really ain't that perfect.

It makes no difference if an attack is blocked at point A or point Z; all that matters is that the attack was detected, prevented overall, and user data has been saved\not compromised.

AppGuard, for example, blocks all the important areas of the system when dealing with in-memory\RMI\code-injection attacks that are "successful." Well... they ain't very successful if the attacks are broken so badly that they are inert on the system. Some rubbish keys and files\folders are left on system. That's not an infection, but ask most any security soft geek and they will say - "Oh... wait a minute buddy. My system has be 'compromised.'" Good grief...

MemProtect basically works the same way - it does only what is absolutely important and required. It breaks the run sequence of exploit attacks; I've seen it. And it doesn't matter if it is the end run or initiation run. A thwarted attack is a thwarted attack.

Combine it with a basic virtualization, rollback, image or clean install - and you got what constitutes an essentially secure, non-worrisome setup.

 

@hjlbx agree BTW posts were moved to other thread

 

Complicated when I cannot even keep track of the musical threads... UM = user mistake.