Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.
You're welcome .
Interesting and simple anti-exe approach, but the fact that it hasn´t got a GUI is unacceptable for me.
From http://www.bitnuts.de/ blog post dated 2014/07/04:
Thank you very much MrBrian for this beautiful finding of freeware OS tools, and the blog http://www.bitnuts.de/ is good too, for learning more about built in features of OS, I am start learning about it
Right now I am using Pretty Good Security tool from sully and almost settle down with no-Anti virus setup. light and easy!
I have little doubt as I am still learning:
1. I think PGS and Tuersteher Light both good, I yet to try Tuersteher Light, but which one would be easy to manage for Admin account?
2. Disable "Digital Signature requirement" a one time process only or it will be permanent ?
Sorry for the noob questions,
@powerpack: You're welcome .
I recommend also considering Software Policy: use Software Restriction Policies on any Windows edition (free).
1. For ease of use, I would guess Pretty Good Security or Software Policy are easier than Tuersteher Light.
2. Depends on how you do it. See 5 Methods to Load Unsigned Drivers in Windows 7, 8 and Vista 64-bit (x64) for more details. Self-signing the driver is probably the safest method.
Thank you Mr.Brian for reply,
I agree with you to use PGS or Software Restriction Policies are easier to use, I did try Tuersteher Light on VM and its locked down my OS , my fault, I guess had to learn about.
I did tried Software Restricted Policies for about two weeks, I like that, but come back to PGS, its easy to define user folders/Files via GUI!
So right now I settled with PGS, NovirusThanks Exe Radar Pro, with Webroot secureAnywhere (had six month subscription), Light and Easy!
Thanks for the help though!
I just wanted to mention that I also used (and still do use) Simple Software Restriction Policy and used to use PGS alongside that to help define/confirm rules a bit with the easy GUI. However, since CryptoPrevent added a Software Restriction Policy Editor to their Advanced menu it's made managing the policies much easier with their GUI for whitelist/blacklist and still running alongside Simple Software Restriction Policy as well. Anyways, just wanted to pass that along since PGS is a little dated. I don't use CryptoPrevent's normal features though, just the policy editor.
Thanks for the suggestion, will look in to CryptoPrevent!
Tuersteher Light gets official (2014/09/1 From: http://bitnuts.de/
Having it's own web site now at http://foxtron.de/ sounds promising. I am wondering if they will be providing digital signatures (64-bit) for private and non-commercial use as well at their licensed commercial use. I was messing around with this software earlier this week and with this news, I am quite excited to see what comes next.
EDIT: The Download button has a message stating that they are currently certifying the drivers. So this sounds good. I suppose the money needed to do this will come from the commercial licensing.
Cool, but I wish it had a GUI.
Moving along slowly but surely with the Driver Certificate Signing and such.
May not have GUI, but developer previously stated: "I am currently working on a Türsteher Admin Tool, this will make the configuration more convenience. If you are interesed in beta testing contact me or stay tuned until the final version is released here."
Update: 2014/10/04 (http://bitnuts.de/)
Official Registry Request to Tax Office, certificate pending.
Driver Signing Certificate requested and already paid (GoDaddy)
Brand new VSC licensed and already paid (Microsoft)
Cool, I will check it out when it has a GUI. But I doubt that I will choose it over EXE Radar.
Some updates from http://bitnuts.de/:
New web site (coming soon): Excubits.com - Because Information Security matters
Drivers have been heavily optimized for better performance, even on systems with lower resources
User Manual updated for upcoming new release (English and German manuals)
64-bit builds will be digitally signed
Interesting excerpt from manual:
Several great points within that paragraph. Chrome/Chromium > Limited User Account / Standard User Account > EMET > along with Tuersteher, which, for anyone who hasn't heard of it, is essentially a path-based whitelisting/blacklisting kernel mode driver that controls where DLLs, SYS and EXE files can or can't be executed. Just another Anti-EXE but wickedly lightweight.
With a new web site and soon to be digitally signed, this could be interesting. I will be Beta testing this as soon as the last stage gets approval. For the more casual users, if only this came with some sort of GUI to aide in configuration and also if the software itself (Tuersteher) got a new name as well, similar to the new web site name, I strongly believe that this software could really take off in popularity. If only... BUT at least it will be interesting for us more security-minded folks who don't mind getting our hands dirty.
I can not imagine that after all these efforts he will release the tool without a GUI, he would be silly not to. If he does, it might become a competitor to EXE Radar and VoodooShield, who knows. On the other hand, feature wise it's currently not that advanced.
GUI coming soon (from bitnuts.de):
Now, this is definitely getting interesting.
xtray for Türsteher from: bitnuts.de
Also, the Admin Tool has been released on the same blog. I will update (and clean up) this post later.
Thanks for the update .
The blog post for 2014/11/23 now contains a link to a beta of the admin tool.
I don't get it, is it already released? I've checked it out (demo?), and I think it looks kinda cool at first sight.
The tray tool is not released yet, but will be released (including source code) likely within the next few weeks alongside Tuersteher Lite which has been significantly improved as well. But the Admin Tool (download referred to as tattoo) is available to download on the blog. You can use it with the older release of Tuersteher Lite that is still available there. Or, at the very least, you could use the Admin Tool to get all of your rules setup prior to release. It makes setting up the rules quite easy and produces a nice clean .ini config file.
Personally, I think that the developer, with these new additions, has the basic code fundamentals now to achieve something great. However... obviously without a decent marketing team, it would never appeal to everyday users. Obviously the individual component names and such aren't very appealing. Although the developer has incredible coding skills and is an accomplished security researcher and puts security first and foremost with this tool. Hopefully he will see the future possibilities with this as it has the potential to be something great. Of course marketing costs lots of money up front though.
Yes it might turn up to be quite cool, however with these kinda tools it's quite easy to break systems, so some extra config options would be nice.
I am able to share some of the upcoming details now which I am personally quite excited about. I have been working closely with the developer (Florian) for a little while now through many conversations and have suggested some ideas on how to move forward.
Florian has been given clearance now and has gone through all of the necessary steps to register as an official company, Excubits, or technically Excubits UG (haftungsbeschränkt) in Germany, and therefore now has the ability to release digitally signed drivers. That is especially beneficial for 64-bit operating systems and made previous testing more tedious.
Tuersteher Light is now officially Bouncer for short, or together with company name Excubits Bouncer. In German, Tuersteher is defined as 'bouncer' or 'doorman' like at clubs, bars, etc. And I quite like the definition and roots of this software, but even to this day could not spell it (without copy and paste) or pronounce it. So one day I was joking around to Florian and suggested the rename to Bouncer with something like this "Why don't you call it Bouncer? Because every kernel needs a doorman". And that was the beginning of it.
Previously it was just the driver running kernel-level along with a config file and a log file. There will now be a typical system tray icon running at startup to take care of normal operations of the underlying driver as well as notifications and such. And there will also now be an Admin Tool to assist with create config files, managing config files, managing the driver, log file and more. The system tray icon will also have a simple way to start the Admin Tool. I suggested that the tray icon doesn't prompt for elevation at system startup because then users will be upset and try to find ways around it. So no elevation prompt at startup. It will simply prompt for elevation only depending on what the user selects from the tray icon's menu, such as running the Admin Tool and starting or stopping of the driver. The driver will also now be able to write to the Event Logs whenever it blocks something from running, as well as it's own log file to help troubleshooting and so on. Bouncer works great so far on Windows 10 preview builds from my own testing, and makes use of the new Notification Center very well and the new 'Toasts' pop ups as well when something is blocked, and older Windows versions will show the familiar bubble pop ups just the same. As one would expect, Bouncer blocks .exe, .dll, .sys along with all of the other common executable types including RLO (right-to-left override) and other file name spoofing methods. The developer will eventually create some detailed videos to show users some sophisticated malware attack vectors along with how Bouncer blocks it.
My Personal Experience:
My own personal experience so far with Bouncer has been great. I was provided a custom beta build and used solely on Windows 10 preview builds for my own testing. I was amazed at the fact that a simple 21kb kernel driver could protect my system even better than the build-in Software Restriction Policies. Bouncer blocks first, and instantly. So SRP plays no role. Some other software I've been testing would take a long time to load, even after the Windows desktop was loaded and nothing would be usable for 30-45 seconds or so. Now I can use my system right away, and I'm always particular when it comes to system performance. This thing is solid and I am sticking to it. I've gotten rid of my old SRP rules as well now.
On the developers blog (bitnuts.de) there is a testing version of xtray (the tray tool which will be named differently later) as well as the Admin Tool. At the moment they would have to be used with the older release of Tuersteher Light since they are coded to look for the older config and log file. There is an updated tray tool and Admin Tool which have the latest functions and all but they wont be released for a few days. I will update when it does.
However, if you want to dig into the digitally signed goodies, you can right now, but you will be without the tray function or Admin Tool for a few days. It's updated, signed driver, but just the driver and log functionality like previously. Go to new web site to download: http://excubits.com/content/en/products_bouncer.html
The current demo limitation is not bad at all, it limits the config file to 3kb, but my thorough config actually happens to be right on 3kb.
\Device\HarddiskVolume2\Program Files (x86)\*
* Keep in mind, this is just an example from my config. You would have to change user name to your user profile name and also drives/partitions accordingly. For the blacklist, I have made use of MrBrian's rule sets for SRP and AppLocker based on AccessChk to determine user writable locations within the Windows directories. Thank you to MrBrian for always sharing such great rule sets.
That's it for now, I will share more upcoming stuff later.
\Device\HarddiskVolume2\Program Files (x86)\*
It looks cool, but how would you compare this to a tool like EXE Radar?
Realistically, this is just bare bones compared to fully fledged anti-exe programs. This is simply just the kernel-mode-driver (KMD) which would be just the underlying core. The other anti-exe programs take that further with file hashes, password protection, parent process, etc. And of course a lot of programs add a lot of bells and whistles on top of the necessary features.
For me, it's great though because I like the nitty gritty details, getting my hands dirty, so to speak. You can take this KMD and achieve a lot with it all depending on your config though. I mean, you could block access to things like regedit, cmd, etc and create your very own lockdown mode with it. You are in complete control and that is what I like about it. It's not going to appeal to those average, everyday computer users though. But for those of us here on Wilders who are adventurous and have the knowledge, it's great. Being a bare bones KMD, it has the advantage of being wickedly light and fast. It has piqued my curiosity anyways.
Some other anti-exe programs might block content types that Bouncer does not, such as selective blocking of some types of scripts.