Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. guest

    guest Guest

    There is a small increase in the cost of a license:
    now 12,00 EUR (before: 10,00 EUR) for: MZWriteScanner, Pumpernickel (FIDES), CommandlineScanner, MemProtect
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @chrcol This is to answer your question from the EMET thread. These are some rules that I was playing around with when converting some rules over from EMET. I have not fully tested all of these yet though.

    Code:
    [CMDBLACKLIST]
    #    Blocking the regsvr32 application whitelisting bypass technique
    *cmd.exe*>*regsvr32*scrobj.dll*
    *cmd.exe*>*regsvr32*scrrun.dll*
    #    Blocking one rundll32 application whitelisting bypass technique
    *rundll32*>*mshtml.dll*
    #    Blocking rundll32 from loading PowerShell
    *rundll32*>*System.Management.Automation.dll*
    #    Blocking malicious OLE packages in Microsoft Office products
    *\OFFICE1*\*>*flash*.ocx*
    *\OFFICE1*\*>*packager.dll*
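As an added example that is not part of this post or of Excubits' own code: a small Python evaluator that parses the CMDBLACKLIST section above and applies its `left>right` rules to constructed parent/command-line events. It assumes that the text before `>` is a wildcard pattern matched against the parent process image path, the text after `>` a pattern matched against the child's command line, that `*` matches any run of characters and that matching is case-insensitive; the real Bouncer semantics may differ, and the sample events are constructed, not captured logs.

```python
"""Evaluate Bouncer-style 'left>right' blacklist rules against sample events.

Added example, not Excubits' code. ASSUMED semantics: in [CMDBLACKLIST] the
text before '>' is a wildcard pattern for the parent process image path and
the text after '>' a pattern for the child command line; '*' matches any run
of characters and matching is case-insensitive. Lines starting with '#' are
comments. Real Bouncer behaviour may differ.
"""
import re

# The rules posted above, embedded verbatim so the script runs stand-alone.
RULES_POSTED = r"""[CMDBLACKLIST]
#    Blocking the regsvr32 application whitelisting bypass technique
*cmd.exe*>*regsvr32*scrobj.dll*
*cmd.exe*>*regsvr32*scrrun.dll*
#    Blocking one rundll32 application whitelisting bypass technique
*rundll32*>*mshtml.dll*
#    Blocking rundll32 from loading PowerShell
*rundll32*>*System.Management.Automation.dll*
#    Blocking malicious OLE packages in Microsoft Office products
*\OFFICE1*\*>*flash*.ocx*
*\OFFICE1*\*>*packager.dll*
"""

# Constructed (parent image path, child command line) events; not real logs.
EVENTS = [
    (r"C:\Windows\System32\cmd.exe", "regsvr32.exe /s scrobj.dll"),
    (r"C:\Windows\explorer.exe", "regsvr32.exe /s scrobj.dll"),
    (r"C:\Windows\System32\rundll32.exe", "rundll32.exe mshtml.dll,PrintHTML"),
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Windows\System32\packager.dll"),
    (r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]


def parse_rules(text):
    """Return {SECTION: [(left_pattern, right_pattern), ...]} for a config text.

    Blank lines and '#' comments are skipped; a rule line without '>' or one
    appearing before any [SECTION] header is ignored.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            sections.setdefault(current, [])
            continue
        if current is None or ">" not in line:
            continue
        left, right = line.split(">", 1)
        sections[current].append((left, right))
    return sections


def _wildcard_regex(pattern):
    """Translate a '*'-only wildcard into an anchored, case-insensitive regex.

    Everything except '*' is escaped, so '.', '\\' and '[' in paths stay
    literal (fnmatch would treat '[...]' as a character class).
    """
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")),
                      re.IGNORECASE | re.DOTALL)


def rule_matches(rule, left_value, right_value):
    """True if both halves of the rule match the event's two fields."""
    left_pat, right_pat = rule
    return (_wildcard_regex(left_pat).fullmatch(left_value) is not None
            and _wildcard_regex(right_pat).fullmatch(right_value) is not None)


def first_hit(rules, left_value, right_value):
    """Return the first blocking rule for the event, or None if allowed."""
    for rule in rules:
        if rule_matches(rule, left_value, right_value):
            return rule
    return None


def evaluate(rules, events):
    """Return a per-event list of the rule that would block it (None = allowed)."""
    return [first_hit(rules, parent, cmdline) for parent, cmdline in events]


if __name__ == "__main__":
    cmd_rules = parse_rules(RULES_POSTED)["CMDBLACKLIST"]
    for (parent, cmdline), hit in zip(EVENTS, evaluate(cmd_rules, EVENTS)):
        verdict = f"BLOCK by {hit[0]}>{hit[1]}" if hit else "allow"
        print(f"{parent} -> {cmdline}: {verdict}")
```

The second event is the one worth noticing: every rule above is qualified by a parent, so the same regsvr32 command line launched from a parent other than cmd.exe is not caught. Running a rule set against a handful of events like this is a cheap way to find such gaps before relying on it.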
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    I downloaded a copy of Eassos PartitionGuru Pro.

    I can't believe it's able to read my USB drive protected with FIDES. I thought FIDES could prevent ANY, and absolutely ANY, program from writing to/reading my protected drive.

    Btw, my USB drive is exFAT formatted; I believe that doesn't make any difference though.
     
    Last edited: Nov 22, 2016
  4. guest

    guest Guest

    Then it is maybe opening your USB drive as a Logical Volume/Partition and accessing your data "directly".
    But I'm not sure how the program is accessing the data.
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Ah yes! Now I remember that post of yours, thanks.
    Now I wonder about the possibility of creating a mini-driver capable of blocking low-level access.
     
  6. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Depends on how it's accessed. If it uses a driver then I would assume not. If it's done through the Win API a driver should be possible. Does anybody know how such partition tools work? Do they need a driver?
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Thanks for your thought. The point here is that if SOME programs like this partition tool (PartitionGuru) can access drives at a low level, then malware/ransomware can employ the same technique to do its nastiness. I want to prevent that.
     
  8. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Hello

    Tested with the old beta; I tested in two modes.
    First method
    1. Pumpernickel running
    2. Plug in NTFS USB drive
    3. Now run PartitionGuru; for a while it goes into "not responding" mode.
    It is unable to get hard disk volumes like "System Reserved" and C:
    but gets the USB drive name.
    Now if I click each of the system drives or the USB drive, PartitionGuru gets an error and crashes.
    Error: "The instruction at 0x00446ef7 referenced memory at 0x06445600. The memory could not be read.
    Click on OK to terminate the program"

    Second method

    1. Pumpernickel stopped
    2. Plug in USB
    3. Run PartitionGuru
    Start Pumpernickel
    Now I can see the content of the PC drive and the USB drive.
    I can not create a new folder.
    I can not copy files from the USB drive to the PC, but I am able to copy to an allowed location.
    I can get file names.

    I can view the content of files (meaning read files, like playing a video).
    With "copy file to current partition", it was unable to read anywhere
    except "C:\Program Files\PartitionGuru", so I am just able to copy files from there to the USB drive.
    When I rename a file it gives me
    this error: "Partition(or volume) "usb(F:)" is busy, The partition must be dismounted before continuing. Please close all other programs which are using this partition to prevent data loss. Are you sure to dismount this partition?"

    I can delete files.

    @Mister X is it a similar way you are running the second method?

    @4Shizzle I think this program uses the "get write access to hard disk" method; SpyShelter firewall alerted me.

    @mood which tool uses Low-Level Access?

    So I think it's normal if the second method happens,
    but I don't know if there is any way to also protect in this situation.

    Edit: as I said, my USB drive is NTFS, not exFAT,
    and I can not format my USB drives to exFAT, so if anybody can take care of that part.
     
    Last edited: Nov 22, 2016
  9. guest

    guest Guest

    WinHex, for example.
    But at least administrator privileges (to have low-level access) are needed.
    I assume that if a program has installed a kernel driver, it may not need administrator privileges. It just queries the driver, which has System rights.

    I noticed that PartitionGuru.exe (Eassos Partition Guru) has to be run with administrator privileges; that's the reason why it can see all data (and the way it accesses it: "low-level").
    (Partition Guru is not using a kernel driver.)
    As long as applications are running with normal user rights, there should be nothing to worry about.
    It is the way the application has full access to the data - low-level (but admin rights are needed).
    Fides, setting ACLs to Deny, or using folder protection with AG doesn't protect against low-level based access.

    SpyShelter for example can alert about it, and HMP.A (or MBR Filter) can at least protect the MBR.
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Hello,

    Tested with latest stable using first method.
    1. FIDES running.
    2. USB drive was already plugged in.
    3. Then run PartitionGuru, it also didn't respond for a brief moment.
    4. PartitionGuru was able to access any drive, as expected, with the exception of my USB stick which is protected by FIDES.
    5. PartitionGuru never crashed. It was able to access all my files, read them, delete them, rename them, copy them, etc. as if FIDES wasn't protecting at all.
    Got it. Now I'm hoping no ransomware is capable of privilege elevation. :eek:
     
    Last edited: Nov 23, 2016
  11. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Even if they have admin rights I assume that they will not implement raw-level access. Most ransomware is written poorly; they often fail with crypto and protocols. I don't think they will be skilled enough to write their own NTFS support. So it should be safe for a while ;)

    A good mitigation technique: don't use "hot backup"; it is recommended to have "cold backup" in place. This means you back up your data to an external HDD that is not connected all the time. In general this is a good idea, because your PC can be stolen, so it is a good idea to have a backup in another place. A friend of mine had such a case: his notebook, TV and tablet got stolen from his flat. They also stole the external HDD from his desktop - having an additional backup, offline and not near the PC, is really a good suggestion I have learned from him :thumb:
     
  12. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Exactly. If you don't execute suspicious/malicious applications, the risk is low. To avoid accidental execution you can make use of Bouncer, AG, NVT or SRPs. But there is always a risk - nothing is 100% bullet proof. So Pumpernickel just works fine for what it should achieve.
     
  13. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Thank you very much.
    About Eassos Partition Guru: I disabled UAC on the PC but still ran it as admin; it wasn't able to read anything, and as it crashes it wasn't able to write.
    About WinHex: I don't know exactly how to work with this.
    However, I can confirm it can read the drive (create disk image menu).
    I don't know how to delete or modify a file in this program, so this needs help.
    Also in the Process Hacker token tab I see SeDebugPrivilege, Enabled, Debug programs.
    Maybe because of this it can do such things?

    Thank you very much. OK, so maybe it's because of the exFAT format or the config file.
    I also now tested with "2. USB drive was already plugged in." but same result: the program crashes.

    My config is just like this:
    Code:
    [LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    whitelist MODIFY rules
    [BLACKLISTMODIFY]
    *>*
    [WHITELISTREAD]
    whitelist read rules
    [BLACKLISTREAD]
    *>*
    [EOF]
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    One thing that I would like to add is that if someone wanted to go in an even more extreme direction of granular control, one could use Bouncer to literally block the execution of any non-legitimate hardware / file-system driver (.sys). That could be done more loosely by filename/path or more thoroughly by hash. You could go as far as locking systems down even tighter than kiosk systems or PoS. Although, as we know now, this PartitionGuru software does not utilize a kernel driver anyway, but this was just a thought. I tested PartitionGuru briefly just to get some more details, but from a Standard User Account, which everyone should be using, PartitionGuru was not able to achieve anything on my system. Therefore malware would not be much different from that, with the rare exception being elevation of privilege exploits.
     
  15. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    You can also use HxD. If you start it as Admin you can access the HDD and select the drive in raw mode. It's possible to access it. But as mentioned here (also some posts ago) this is not what Pumpernickel intended. The homepage says "Pumpernickel (FIDES, FIle and Directory Enhanced Security) is a kernel mode driver that enables you to detect access attempts relating your files and folders." So only access to the file system (files and folders), not raw access. Some posts before we discussed that it is also still possible to boot LINUX and access the HDD from there. The same for bootkit malware or a rootkit that starts before the original Windows bootloader - this has nothing to do with Pumpernickel, it is valid for all such tools. Because they operate on top of the filesystem, they can't see the underlying raw structure. To achieve that, another driver is needed that also monitors raw access.
     
  16. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Good points and summarizations. Thanks. Will try to test locking drivers; sounds like a nice idea for additional protection.

    OK. I think if malware uses privilege exploits they will do more harm by trying to install a rootkit. It should be rare, because such an exploit will sell for much money. Just using it for a ransomware campaign is not likely to happen, in my opinion. So you are right @WildByDesign, it should be assumed to be rare.
     
  17. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    thank you all.
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Yup, thank you all smart and knowledgeable people. :thumb:
     
  19. guest

    guest Guest

    Open it as a logical volume: "Tools - Open Disk" - "Logical Volumes/Partitions" and select the drive.
    Now you can see/read/write/modify all files.

    More information about opening a logical/physical volume:
    If it's a "raw access", the kernel has no idea what file is being read since we don't go through the file system = the kernel driver "Pumpernickel.sys" doesn't "notice it".
    The intent of Fides is to provide protection on a file-based level. If the file access is on a file-based level, the Excubits tools provide good and granular protection:
    First, the malware has to be executed and second, it needs administrator rights - at least two obstacles.
    However, watch carefully what files you are executing, lock your system down, etc.
    And if you are concerned about your "secret files", you can put them into an encrypted container (TC/VeraCrypt, etc.), and only mount it if it's needed.
     
  20. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    OK, thank you very much.
    My config is very restricted, so I can tell it can view them but can not touch them for sure. Or maybe I do something different from you, since I am new to this program.
    I go with "Tools - Open Disk" - "Logical Volumes/Partitions", wait for the search,
    then double click on the file that I want to modify; it will open in a new tab.
    Now I select some hex values and then right click and select edit,
    then I try with cut, remove..., modify data..., fill block;
    then it just gives an error.
    Error #1 Cannot open "C:\Users\*\Desktop\*\*\WinHex 002.tmp". Please check the path and your access rights.
    Error #3 Cannot create "C:\Users\*\AppData\Local\Temp\WinHexC.tmp". Make sure the folder exists and the file is not write-protected.
    Then I allow the above paths
    and it gives me
    Error #10 Cannot access "*95232*Drive C:\settings.xml". The handle is invalid.
    The same happens to the USB drive.
    So with this raw method it can just view and perhaps make a clone (copy) of the drive.

    Of course Fides is file-based level security and it's very good.
     
  21. guest

    guest Guest

    I think WinHex was prevented from writing temporary files ;)
    "In-place Mode" can be used to edit a file directly, without a temporary file (and without a prompt).
     
  22. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Thank you. Yes, you are 1000% right :thumb: my bad :oops:. It was in Default edit mode for me, and I have also now tested In-place edit mode, and it directly writes to the file with no warning!
    I know Bouncer will take care of these things in the first step, but I hope Florian makes another driver for this raw mode also.
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    That is a good suggestion. Possibly something similar to the kernel-mode driver that was released by Cisco’s Talos Group, MBRFilter, but extended functionality. Although I can imagine that raw level access is likely quite complex.
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    I got an email this morning from Excubits:

    Dear friends,

    Today we would like to publish an updated list of recommended blacklist
    values for Bouncer. The current list can be loaded at [2], use the values
    to enhance your configuration’s security.

    Additionally we would like to focus on EVENTVWR.EXE. This program file is
    recently abused by cyber crooks to install malware forcing privilege
    escalation. EVENTVWR.EXE is part of the Windows operating system and is
    automatically installed onto your system. The attackers rely on a security
    breach described by enigma0x3 (see [2]). In short, it is a misbehavior of
    EVENTVWR.EXE which requests parts of its configuration from the user
    accessible parts of the Windows Registry. E.g. cyber criminals can change
    the behavior of EVENTVWR.EXE by just manipulating a setting in the user's
    Registry Hive. Crooks use this to instruct macros placed in Microsoft Excel
    and Word files to execute malicious code with higher (admin) privileges and
    thus can manipulate vivid parts of your system. However, an attacker can
    gain total control over the computer by just calling EVENTVWR.EXE.

    EVENTVWR.EXE is therefore dangerous and shall be deactivated. Normally you
    do not need this EXE every day, so you should put it onto Bouncer’s
    blacklist as soon as possible and protect your PCs effectively against this
    security hole. Hopefully Microsoft will publish a patch soon. Also disable
    Office Macros if you do not need them.

    Regards, Florian


    [1]: https://excubits.com/content/files/blacklist.txt
    [2]: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
     
  25. guest

    guest Guest

    Disk Cleanup is affected too:
    [3]: https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
    And other executables which are able to auto-elevate without any UAC-prompt
    But MS won't fix it:
    Mitigation:
     