Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The restart button successfully confused me. I did not know it stopped, and started the driver. I thought it only started the driver. I still think it is unneeded though. I think it's best to keep it simple. I also think having one button for stop, and start would work well. I also think having a stop, and start button is not a bad setup as well. 3 buttons = confusion though.
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Florian confirmed it was not a bug.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    The RESTART is a good idea Florian incorporated into it. There will likely be times when users simply need to stop the driver for however long.

    The restart feature alone wouldn't accomplish that.

    I haven't even bothered with that little color glitch I experienced earlier in my MZWriteScanner testings since it does absolutely nothing to prohibit normal operations of it, but am looking forward to the whole package once they're all incorporated into Bouncer.
     
    Last edited: Jun 28, 2015
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I just sent Florian an email informing him what is causing the unknown executable code alerts. The cause for the alerts is Superfetch Service. Below is the email I sent him. I was receiving anywhere from 50-100 alerts a day, and after disabling Superfetch I am no longer receiving any. I think CGuard should also check to see if that solves his alerts as well.

    I tested Bouncer on 2 different Windows 7X64 Ultimate machines, and Bouncer was constantly giving me unknown executable code alerts on both machines. Superfetch Service is what is causing the alerts. The reason Superfetch is causing the alerts is because Superfetch loads executables into memory with executable privilege in order to gather information from the executable. Superfetch wants to know how often the executable is being used. If the executable is being used often then Superfetch will add it to the Windows prefetch folder, and keep it loaded in memory so it can be read from memory instead of from the disk. Superfetch will load any executable into memory with executable privilege, even if it is an installer that has not been installed on the user's machine. There are many posts on the internet that say Superfetch can behave very differently on many different machines.

    I also suspect that other services may be using Superfetch because when I disabled Offline Files I received fewer alerts. This could have been a coincidence though. After I disabled Superfetch I received no more alerts at all. Superfetch is the direct cause for the alerts. There is only a handful of users at Wilders that are testing Bouncer, and two are experiencing these alerts. If Bouncer ever goes mainstream then this would likely affect many thousands of users. It would create one hell of a support headache for you. Read the second post in this thread for another description of Superfetch: http://superuser.com/questions/645650/what-is-superfetch-and-its-relation-to-svchost-exe-localsystemnetworkrestricte

    Kind Regards,

    Mike
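The workaround described in the email above (stop and disable the Superfetch service, then check whether the unknown-executable alerts stop) as an added PowerShell example. This is not code from the thread or from Bouncer's author. It assumes the service's internal name is SysMain (the Windows 7/8 name behind the display name "Superfetch"), an elevated session for the disable/revert path, and a state file under %TEMP% chosen here for illustration; it also counts the .pf files in C:\Windows\Prefetch, which a later post in the thread brings up.

```powershell
# Added example, not part of the thread or of Bouncer. Assumes Windows 7/8 where the
# Superfetch service is named 'SysMain', and an elevated session for changes.
$script:StateFile = Join-Path $env:TEMP 'superfetch-state.xml'   # assumed path

function Get-SuperfetchState {
    # Report the service status, its start mode and how many prefetch traces exist,
    # so the state before and after the workaround can be compared.
    $svc = Get-Service -Name 'SysMain' -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='SysMain'"
    $pf  = Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter '*.pf' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name          = $svc.Name
        DisplayName   = $svc.DisplayName
        Status        = $svc.Status
        StartMode     = $wmi.StartMode
        PrefetchFiles = @($pf).Count
    }
}

function Disable-SuperfetchWorkaround {
    # Apply the workaround from the thread: stop Superfetch and keep it from starting
    # again, remembering the previous start mode so it can be restored with -Revert.
    param([switch]$Revert)

    if ($Revert) {
        if (-not (Test-Path $script:StateFile)) { throw "No saved state at $script:StateFile" }
        $saved = Import-Clixml $script:StateFile
        Set-Service -Name 'SysMain' -StartupType $saved.StartupType
        if ($saved.WasRunning) { Start-Service -Name 'SysMain' }
        Remove-Item $script:StateFile
        return Get-SuperfetchState
    }

    $before = Get-SuperfetchState
    if (-not $before) { throw 'Superfetch (SysMain) service not present on this system' }
    # Map the WMI start mode onto the value Set-Service expects for the revert step.
    $startupType = switch ($before.StartMode) {
        'Auto'     { 'Automatic' }
        'Manual'   { 'Manual' }
        'Disabled' { 'Disabled' }
        default    { 'Automatic' }
    }
    [pscustomobject]@{
        StartupType = $startupType
        WasRunning  = ($before.Status -eq 'Running')
    } | Export-Clixml $script:StateFile

    Stop-Service -Name 'SysMain' -Force
    Set-Service  -Name 'SysMain' -StartupType Disabled
    return Get-SuperfetchState
}

# Usage: record the baseline, apply the workaround, then watch Bouncer's log for a day
# as the poster did; run Disable-SuperfetchWorkaround -Revert to undo the change.
Get-SuperfetchState
```

Comparing the object returned before and after (Status, StartMode) against the alert count in Bouncer's log is what turns the poster's observation into a repeatable check on another machine; the state file is what makes the change easy to roll back if it was not the cause there.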
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Cutting_Edgetech
    Excellent job finding the source of the problem, Mike. You are persistent with your testing and reporting and that is beneficial to many of us and I am very thankful.

    If it is Superfetch, that's an easy and good workaround since Superfetch is not really needed these days with faster systems and SSDs in particular. I believe that you are correct because I do trust you. And so I believe that Superfetch must be at the root of the problem. Although what I do wonder now, is if some other security program is reacting based on Superfetch, as I recall you and @CGuard both had some light virtualization in common as well.

    Have you tried a freshly installed Windows with only Bouncer installed and no other security software? I'm just curious about ruling that out. However, you have done so much testing lately and several clean installs of Windows, so I certainly do not expect you to do any more of that. I will try to do some research into Superfetch as well since you mentioned that there are some inconsistencies in the way that Superfetch works on different machines and so on. I'll see if I can find something for Florian to work around if possible.
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yes, I tried it on 2 different machines with fresh installations of Windows 7X64 Ultimate. The only security software I had installed on both of them was Bouncer. I did not even have Shadow Defender installed. I think it has to do with certain hardware that Superfetch acts strange on. Superfetch is also known to degrade system performance, but it was introduced in Windows Vista to make users' computers faster by loading applications from memory instead of having to read from the disk. It uses a hell of a lot of memory on some computers, and if you only have 2GB of memory on a desktop machine then I would recommend you turn it off. I think 2GB is the bare minimum for Vista, and above. It does not slow down my computer so I have it turned on for now. Florian said it may be tough to come up with a solution for. He said if he just allows this behavior it could create a small window for malware to get through. I think if he can identify these alerts from other alerts then he could give the user an option to suppress them. I think that would be the best solution. That way the tray icon is not blinking constantly, and they are not filling the log up making it difficult to find other needed info in the log. I would give an option to suppress the blinking of the tray icon, and not log the events for executions related to Superfetch. I will make this recommendation to Florian, but he already said it could be difficult to distinguish these executions from others.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    There is one other possibility that I have not ruled out yet. Maybe Shadow Protect causes Superfetch to behave like this. Shadow Protect is a full image backup software. I have it installed on both affected machines.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    If I remember correctly from before, the majority of executables reported in your log were from external drives. Do you often run programs from these external drives?

    With regards to disk imaging from Shadow Protect, I'm wondering if one possibility here could be doing a disk image which would mean the contents from C:\Windows\Prefetch would be backed up to disk image and restored later. I'm wondering if clearing out the Prefetch folder before or after restoring the disk image might make a difference, just a thought anyway. Definitely a strange anomaly but I think that you are heading down the right path now. It's good that you have figured out a workaround for now and hopefully there is a relatively easy solution at some point.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yes, almost all the executables that Bouncer alerted to are on external drives. Bouncer basically itemized every executable on the drive, and starts back over again lol Bouncer even alerted to a few jpegs, and notepad documents. I have to say I don't know why Superfetch needs to open those in memory, but it could be used by a hacker to get a copy of everything on one's drive with network access.

    No, I don't run many applications from my external drives. I have several applications that use them for storage; KeePass, Anki, Repetitions, Tixati, etc. I have some very important projects that I store on my external drives that I have been working on for years. I would be devastated if I lost my data. To be honest I don't feel as safe as I once did because I don't have anything monitoring Program Files at the moment, and I don't want to keep piling on security software until I cripple my machine. I would use UAC, but I discovered some bugs in UAC that cause problems with some of my software. When I used Online Armor it covered everything except memory protection. It is by far the most comprehensive, and user-friendly software I have used. If I ever won the lottery I would purchase it from Emsisoft, and turn it into an opensource project. There would be a lot of happy HIPS fans.

    I hope Florian develops his own whitelisting system soon. If I could somehow whitelist, and protect the Program Files Folders with Bouncer then I would be a happy camper. I also have been meaning to tell Florian that if the opportunity presents itself that Bouncer would be well suited to facilitate hardware assisted mitigation. I wouldn't doubt if he has not already thought about it. I'm very interested in knowing how much can be mitigated in the Kernel without having to use techniques that HIPS use. I think as much as possible should be mitigated at the kernel level, and then it's ok to use other techniques as long as the person knows what they are doing. I have seen some pretty sloppy code in my time. I used to study C++, and if I had the time I'm sure I could do a little coding. It's just that you have to dedicate so much time to it to really get good at it, and it would take away from my foreign language studies. We all would love to be able to do much more than we are capable of, but it always comes down to prioritizing. I've always been known as the jack of all trades, but one needs to be an expert at something to make a living.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Sorry, I forgot to respond about Shadow Protect, and clearing the prefetch. I figure that would cause more alerts if it had any effect. Superfetch is responsible for building the prefetch, and if it's empty it may check everything all over again. I don't have Bouncer installed right now. I'm hoping Florian will develop a whitelisting feature soon. I'm using ERP at the moment because I can protect the ProgramData Folder, and all of AppData Folder without having to allow everything within some folders. AppData, and ProgramData Folders are favorite places for some threats to drop in.
     
  11. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
  13. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    109
    Euuuuh! :confused:

    Before Florian decided to create Excubits, MZWriteScanner with blocking feature (version 2.2) was available for download on his blog Kahu Security.

    http://www.kahusecurity.com/

    This version is in my toolbox... :p
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I'm not entirely sure who that blog belongs to. All I know is that Google is recommending to stay away from it and blocks access. I decided to bypass Google's blockage and looked further but could not find anything to do with MZWriteScanner on that web site. Could you explain a bit more? I just could not find anything there and Google's blockage is a bit concerning.

    Florian's blog is bitnuts.de
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    When you say Google is blocking it do you mean Google Chrome, Google Search engine, or Google list of bad sites using another browser? I'm using Firefox, and it's not being blocked on my machine. WOT also gives it a good rating.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I scanned the blog with VirusTotal Link Scanner, and the page came back with 1 hit out of 63 engines. The hit was from a new engine called Quttera. I have never heard of Quttera before.
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    It's the phishing and malware protection built into Google Chrome.
     
  18. flatfly

    flatfly Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    71
    That's pretty weird, I also use Chrome, with malware/phishing protection enabled, and I can access this blog with no problems whatsoever.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I like the app "converter" from that site and hope I can find some time to play with it soon. It looks extremely interesting. BTW, that site is as safe as it comes IMO, as in nothing is going to jump out at ya for landing on it.
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I can access the blog as well, but the warning comes specifically when I click on the Tools section.
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    Yes, I can confirm this...
    kahusecurity.jpg
     
  22. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,135
  23. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    109
    After doing some searches, I must admit that perhaps I have confused the two blogs. :confused:
    But I can confirm to you that I have a version of MZWriteScanner with the blocking feature, just scroll down this page:

    http://www.bitnuts.de/archive_2013.html

    The drivers are for Windows Vista, 7 and 8 (32/64 bits) and aren't signed.
    A config file (mzwritescanner.ini) is present too while in the new version the config file is missing.

    In June 2014, I exchanged some mails with Florian about Tuersteher Light and, after that, he released a version for Windows XP that I tested and debugged for him (and me too :)).
    At the same time, as a reflex, I downloaded from his blog all the drivers that were available. :cool:
     
    Last edited: Jun 30, 2015
  24. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    109
    There is no problem with Kahu Security, it's not a malware website but a very serious security blog. :rolleyes:
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    :thumb:
     