Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Great news, @Online_Sword , thank you for sharing. So it seems that just disabling the Superfetch service is enough to work around this Windows 7 bug. Very good news.

    I would definitely suggest disabling Superfetch and try yourself to see whether the performance is worth noting or not, it would all depend on different systems. I think that you should give that a solid try for a few days, across several reboots and so on just to make sure, nothing to lose by disabling it.
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Here is part of my log file from the internal Beta (not yet reached Beta Camp):
    Code:
    *** excubits.com beta ***: 20151220082444 > C:\Windows\explorer.exe > D:\Downloads\BleachBit-1.8-setup.exe
    *** excubits.com beta ***: 20151220082455 > C:\Windows\explorer.exe > D:\Downloads\AcroRdrDC1500920069_en_US.exe
    *** excubits.com beta ***: 20151220082500 > C:\Windows\explorer.exe > D:\Downloads\7z1512-x64.exe
    
    Notice anything different in there? Florian has implemented date and time stamps within the kernel. It's definitely a good start and will be quite beneficial especially for Admins looking over system logs. The Priority rules are working great as well. I will thoroughly test this for the remainder of the day and provide some feedback to Florian tomorrow. So far this is excellent.
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Is he going to add back-slashes in there? It gives me a headache trying to separate the numbers into day, month, year, and time. Is there any word on when he is going to release the code that will block vulnerable apps from writing to System Space, and Program Files?
     
    Last edited: Dec 21, 2015
  4. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I don't believe that the back-slashes come by default by the method that he uses to obtain that from the kernel, but I would assume that is something that he could add after-the-fact. I agree, it would be better with some back-slashes in there to separate it some more and I can suggest that to Florian later today.
    I'm not 100% certain, but I know that is something that Florian is also very interested in and excited about. I would guess that would likely come in the February release, but I will let you know as I find out more info.
    Yes, I am testing the priority symbol (!) right now and have been testing it for about 24 hours now. It is working great for the most part, however, I have found what appears to be one bug and have reported it to Florian. That needs to be fixed before it can be released on Beta Camp page.

    EDIT: Nevermind, what I thought might be an issue with the priority symbol (!) rules did not end up being a bug. So far this testing release is great. I've talked back and forth with Florian a few times throughout the past day or so and things are going well. I'll let you know when it shows up on Beta Camp page.
     
    Last edited: Dec 21, 2015
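As an added example, not code from the thread or from Excubits: a small Python parser for the beta-release log format WildByDesign quoted above, which turns the compact `YYYYMMDDhhmmss` stamp into a separated date and time (the readability problem Cutting_Edgetech raised) and extracts the parent and child paths so the lines can be counted or filtered. The sample lines are constructed from the three posted entries plus one extra path containing a space; the regular expression and field names are my own assumptions about the format, not a published spec.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the three lines from the post above plus one more.
SAMPLE_LOG = """\
*** excubits.com beta ***: 20151220082444 > C:\\Windows\\explorer.exe > D:\\Downloads\\BleachBit-1.8-setup.exe
*** excubits.com beta ***: 20151220082455 > C:\\Windows\\explorer.exe > D:\\Downloads\\AcroRdrDC1500920069_en_US.exe
*** excubits.com beta ***: 20151220082500 > C:\\Windows\\explorer.exe > D:\\Downloads\\7z1512-x64.exe
*** excubits.com beta ***: 20151220083012 > C:\\Windows\\explorer.exe > C:\\Program Files\\Some Tool\\tool.exe
"""

# Assumed layout: "*** excubits.com <edition> ***: <14-digit stamp> > <parent> > <child>"
LINE_RE = re.compile(
    r"^\*\*\* excubits\.com (?P<edition>\w+) \*\*\*: "
    r"(?P<ts>\d{14}) > (?P<parent>.+?) > (?P<child>.+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The stamp is year, month, day, hour, minute, second with no separators.
    stamp = datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S")
    return {
        "edition": m.group("edition"),
        "timestamp": stamp,
        "parent": m.group("parent"),
        "child": m.group("child"),
    }


def format_timestamp(stamp):
    """Render the stamp with the separators a human reader wants."""
    return stamp.strftime("%Y-%m-%d %H:%M:%S")


def parse_log(text):
    """Parse every matching line of a log text, skipping anything unrecognised."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def count_by_parent(records):
    """How many executions each parent process launched."""
    return Counter(r["parent"] for r in records)


def readable_lines(records):
    """Re-emit the records with a separated timestamp, for review."""
    return [
        f"{format_timestamp(r['timestamp'])}  {r['parent']} -> {r['child']}"
        for r in records
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for line in readable_lines(recs):
        print(line)
    print(count_by_parent(recs))
```

Anything that does not match the expected shape is dropped rather than guessed at, so a change in the driver's output shows up as missing records instead of wrong ones; check the record count against the raw line count when running this over a real log.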
  6. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    I find that, if we only disable Superfetch in Win 7, then we can avoid the strange blockages in the idle time.

    However, when I launch some specific applications, strange blockages would appear again.

    For example, when I restart Bouncer service, the following events happen:

    Code:
    *** excubits.com demo ***: C:\Windows\SysWOW64\net1.exe > C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\protection-log-2015-10-22.xml
    *** excubits.com demo ***: C:\Windows\SysWOW64\net1.exe > C:\Users\******\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\f_00001f
    To eliminate those events, we should disable Prefetch as well in addition to Superfetch.
     
    Last edited: Dec 22, 2015
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Thank you for confirming.

    Would you or someone else be able to create a .reg file to make it easier for Windows 7 users to merge with their registry if they experience these blockages? I suppose maybe one .reg file to disable Superfetch/Prefetch and another .reg file to undo those changes. This could be based on the registry keys provided by @marzametal on this post: https://www.wilderssecurity.com/thre...-tuersteher-light.359127/page-30#post-2549515

    These days with SSD's and faster processors/chipsets there is very little need for prefetching anyway.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
I was speaking to Florian some more over the past day or so. I don't have an actual date for when that will become available, but Florian says that it is working great. The internal project name is Pumpernickel. You specify which directories to make it so that it blocks write attempts. It will show up in Beta Camp first as its own driver, as Florian typically does to test it out on its own. Then it will be combined within the Bouncer driver as long as the functionality behaves well with the other features. It will have its own section of the config file just the same as the other features. Florian seems pretty pumped and excited about this. I can also see quite a bit of potential for this for combating some of today's malware. Hopefully it will show up sometime in January, just a guess. Either way, Florian will keep us updated on it.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Thank you for the update WildByDesign! I think I recall him telling me the project was called Pumpernickel. I remember just thinking to myself it was a funny name. It sounds as though it is exactly as I requested. Bouncer will become a Hybrid of Policy, whitelisting, and Sandboxing. You really can't beat that combo. I can't wait to try it out. IMO Bouncer will cover almost all threats if properly configured.
     
  10. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    WARNING!!!: please make sure that you have blacklisted *\msiexec.exe !!!

    Problem Description:

Just now, I wanted to install some software on my virtual machine, which is running Win7 32-bit. The installer is an msi file.

    When I double-clicked the installer, I realized that I forgot to turn off Bouncer. So I thought that the installer should be prevented by Bouncer. However, it was not.:eek: The GUI of that installer appeared.:confused:

    I should say I was scared at that time. I am sure that the path of that installer is not in the whitelist, and the LETHAL mode of Bouncer is properly enabled.

So I tried to run that installer on my real machine, but it was blocked.

    The only difference here is that, in my real machine, msiexec.exe is blacklisted according to the blog of the developer. So the following execution is blocked when I double-click the msi installer:
    Code:
    C:\Windows\explorer.exe > C:\Windows\System32\msiexec.exe
    I have also tested another anti-exe program. Under the default setting which does not blacklist msiexec.exe, that anti-exe program cannot block the msi installer, either. So I think this is not a bug of Bouncer, but a feature of the System.

I am not sure whether this issue has already been discussed in this thread. If you know more technical details about this, please let me know.:)
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Online_Sword Some great info here: http://www.symantec.com/connect/articles/understanding-difference-between-exe-and-msi

    I always think of MSI files as similar to ZIP archives, since you can open them with 7-Zip. They are essentially just a package and require msiexec.exe to carry out their instructions. MSI files are usually not filtered by anti-exec because they do not contain a PE header, therefore not technically an executable itself. Also, I do not believe there is much history of malware targeting through MSI. However, I do think that it is important to monitor and control msiexec.exe (as Florian recommends) since that way you have control over the root of the MSI installer system. I keep *.msiexec in my blacklist section as well in Bouncer, although sometimes I comment it out with #*.msiexec if I am expecting an update on a certain day from, for example Adguard For Windows, which uses MSI for updating. So I will temporarily comment it out in the blacklist and restart the Bouncer driver until the update is done.

I agree with you 100%. Thank you for all of your suggestions that have gone into Bouncer so far. Also, I am very glad that Florian listens to the community for certain feature suggestions. Bouncer has come a long way lately.
     
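As an added example, not code from the thread or from Excubits: the point made above is that an anti-executable filters on the PE header, and an .msi file has none, because it is an OLE compound (structured storage) document that msiexec.exe interprets. The Python below checks the two signatures the way a file classifier would: the `MZ` DOS stub with `e_lfanew` pointing at `PE\0\0` for a PE image, and the 8-byte compound-file magic for an MSI. The sample byte strings are constructed inline; the function names are my own.

```python
import struct

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
# Compound File Binary (OLE structured storage) header: what an .msi starts with.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_pe_header(data: bytes) -> bool:
    """True only if the DOS stub's e_lfanew points at a valid PE signature."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + len(PE_SIGNATURE) > len(data):
        return False          # truncated or bogus offset: not a usable PE
    return data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE


def classify(data: bytes) -> str:
    """Coarse classification by file magic: 'pe', 'ole-compound' or 'other'."""
    if has_pe_header(data):
        return "pe"
    if data[:len(OLE_MAGIC)] == OLE_MAGIC:
        return "ole-compound"   # .msi (and legacy Office formats) land here
    return "other"


def classify_file(path: str, head_size: int = 64 * 1024) -> str:
    """Classify a file on disk by reading its first head_size bytes."""
    with open(path, "rb") as fh:
        return classify(fh.read(head_size))


def build_minimal_pe_stub() -> bytes:
    """Constructed: a DOS header whose e_lfanew (offset 0x3C) points to 0x40."""
    hdr = bytearray(0x44)
    hdr[:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = PE_SIGNATURE
    return bytes(hdr)


# Constructed samples: a PE-shaped header, an MSI-shaped header, and text
# that merely begins with the letters MZ.
SAMPLE_EXE_HEAD = build_minimal_pe_stub()
SAMPLE_MSI_HEAD = OLE_MAGIC + b"\x00" * 24
SAMPLE_TEXT = b"MZ is just text here"

if __name__ == "__main__":
    for name, blob in [("exe", SAMPLE_EXE_HEAD), ("msi", SAMPLE_MSI_HEAD), ("txt", SAMPLE_TEXT)]:
        print(name, classify(blob))
```

The `SAMPLE_TEXT` case shows why checking only the first two bytes is not enough: the classifier follows `e_lfanew` and requires the `PE\0\0` signature before calling something an executable, and the compound-file branch is what an .msi hits. This is why controlling msiexec.exe itself, as recommended above, is the practical handle on MSI packages.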
  12. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Thank you very much for your information @WildByDesign .

By the way, when msiexec.exe is blocked, would Bouncer block Windows msi update files that are executed during the shutdown period of the computer?

Of course, I know Bouncer does not recognize digital signatures, so it cannot distinguish Windows update files from other msi files. I am only curious about whether Bouncer still works during the shutdown period of the computer.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
Does anyone have any malware samples contained in a .msi file? If you do then don't post them here since it's against forum rules. I've never seen any on the malware source sites, but I don't visit them often. I only do malware testing every now and then. At the present time I have limited space for my test machines. Well, I have always blacklisted msiexec.exe so I'm not really worried about it. AppGuard also blocks .msi files in Locked Down Mode.
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,536
    Location:
    U.S.A. (South)
Hah, the very first thing I noticed was the addition of TimeStamps. I guess integrating that into the kernel wasn't so with issues after all. :thumb:
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Ladies and gentlemen: New Beta Camp Releases
    See here for details: https://excubits.com/content/en/news.html
    Goodies are here: https://excubits.com/content/en/products_beta.html

    Bouncer with date-time logging and "!" Priority Rules, Pumpernickel, MZWriteScanner, Oh My! :thumb:

    EDIT: Quick note: These binaries and drivers do not appear to be digitally signed. There seems to be a lot of neat and interesting changes here. But not signed, unfortunately. It's easy to test on 32-bit systems but a bit trickier on 64-bit. If anybody wants to test on 64-bit, let me know and I can help you.

    Update info for MZWriteScanner: The driver now supports date and time logging and does also log the parent process initiating the write and execute on the file. Besides that we cleaned up the code a bit, hence it shall perform better.
     
    Last edited: Jan 2, 2016
  16. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    @WildByDesign , thank you for your information.:)

But I get a little confused when both Pumpernickel and MzWriteScanner have version updates. I have not tried either of them, but I think Pumpernickel should be a superset of MWS in terms of function, because Pumpernickel could monitor any kind of writing operation, while MWS could only monitor the operation of writing executable files, right? So in the past I thought MWS would be abandoned and replaced by Pumpernickel...:confused:

Maybe we can suggest to Florian to find another name for Pumpernickel:D, because it is quite difficult for me to find a proper shorthand for "Pumpernickel".

    ================================================

    By the way, has anyone here ever tried Excubits CommandLineScanner (CLS)?

    It seems that this product has quite a few documents. I am confused after reading the readme file. The rules mentioned in the readme file are:

    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    \??\C:\Windows\*
    \??\C:\Program Files\*
    \??\C:\Program Files (x86)\*
    \??\C:\ProgramData\Microsoft\*
    [BLACKLIST]
    *mSpAint.exE*
    [CMDWHITELIST]
    *
    [CMDBLACKLIST]
    desk.cpl,ScreenSaver,@ScreenSaver
    [EOF]
    First, what is the meaning of "\??\" ?

    Second, would the format of whitelisting/blacklisting a command line be "program,argument1,argument2,..."? Would the commas here be essential or not?

    Third, according to the first two sections of the rules above, it seems that CLS also has the capability of blocking executables, then could it block dlls, drivers, and other PE files like what Bouncer could do?
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome.
That's a very good question and I'm not 100% sure that I understand the under-the-hood differences in functionality entirely yet. I need to play around with these new drivers for a few days to really understand them. MZWriteScanner (MWS) filters and blocks entirely based on the SHA256 hash of the executables. I think that MWS may continue on its own way since there are some interesting concept ideas that may come to fruition in the future, while Pumpernickel may be more likely to be integrated into Bouncer at some point. The silly name is just a project name which is likely to be gone once it passes through the Beta Camp phase. Just like MemProtect, they are all individual kernel-mode drivers initially, some are slightly different concepts and slightly different methods of filtering, and the best and most powerful drivers which prove themselves the best may potentially be integrated into the Bouncer main driver. The CommandLineScanner (CLS) driver functionality is also expected to be integrated into the Bouncer driver soon, with each individual component having the ability to be enabled/disabled within the Bouncer.ini config file since certain advanced functionalities are not needed by all researchers, etc.
    The questions regarding CLS I honestly don't know. You can feel free to ask Florian or if you want, I can ask next time I talk with him. The command line usage is one area which I am still not very familiar with, despite the fact that I know that it can be extremely powerful.
Yes, the CLS driver is extremely powerful and is able to filter executables, dlls, drivers and any other PE file which Bouncer filters, but also gives fine-grained control over interpreters such as Python, Perl, etc. But it is beyond my expertise at the moment, something that I want to learn more about soon.
     
  18. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
Good news for me! If so, I think I do not need to buy a license for CLS, as I have already got a license for Bouncer :) Thank you:)
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome. I am pretty excited to see Bouncer progress. I had a feeling that the CLS driver command line functionality would be your type of feature to enjoy. I would suggest wait until it shows up in Bouncer.

    For anyone testing the latest Beta Camp release of Bouncer, the BouncerTray tool and Admin Tool from the latest stable package still work great with the latest beta driver release. The Admin Tool does not have priority ! rule functionality yet though, but that can be done through Notepad++ anyway.
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,536
    Location:
    U.S.A. (South)
@WildByDesign Thanks again for that notice about the "unsigned drivers". I'll just wait, I guess, until they're released "signed", since I (personal choice) don't particularly favor trying to circumvent patchguard/kernel on my current 8 rig, but am really satisfied that there seems to be a lot of effort gone into those to make them the cream of the crop in their respective duties.
     
  21. hjlbx

    hjlbx Guest

    Does anyone know if Bouncer installs AutoIT interpreter ?

    I know it uses AutoIT scripts - so for them to work on Windows (which doesn't ship with AutoIT interpreter) it would require the AutoIT interpreter.

    AutoIT interpreter = ** security risk **
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @hjlbx Where would the AutoIT interpreter be installed? I have not noticed it being installed anywhere on my system before.

    As I understand it, the Admin Tool and BouncerTray tools utilize AutoIT. But I believe that they are converted to executables and therefore don't need the AutoIT interpreter package installed to work. I could certainly be wrong though but that is my understanding.
     
  23. hjlbx

    hjlbx Guest

    I have no technical infos. This one is for Florian.

    The way he explained it early on is that AutoIT scripts were included in Bouncer.

    My understanding is that in order for a script to run, it must have the executing interpreter installed.

    I also understand that a script can be converted into an executable, although I am not sure that applies to all scripts.

    So that's why I asked as I am unsure of the AutoIT implementation by Florian (and I don't have Bouncer installed to take a "Look-See").

    UPDATE:

    *** NOTE: I think @WildByDesign is correct; Florian converted the AutoIT scripts to executables (*.exe) so that AutoIT interpreter (Au3IT.exe) does not need to be installed.

    I think question is answered.
     
    Last edited by a moderator: Jan 2, 2016
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    From my limited testing of this new project Pumpernickel driver, I am far more impressed than I expected to be. This is kind of like a dynamic sandbox.

    The pre-existing rules for Chrome work great. Also, using Notepad.exe to play around with permissions was great and helped me to get a better idea of how the driver and config works. You supply the locations where a program is allowed write access, and all other write access is denied. This is really quite powerful. Logging is good and helpful as well when creating rules.

    So this is all about controlling write access permissions on a per application basis. Very cool.

    Blocked write access shows the typical "You don’t have permission to save in this location. Contact the administrator to obtain permission" message.
     
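As an added example, not code from the thread or from Excubits, and not the Pumpernickel driver's actual logic: a Python model of the write-access policy described above (each program gets a list of locations it may write to; every other write by that program is denied), which also answers the earlier question about the `\??\` prefix in the CLS rules: that is the NT object-manager namespace under which DOS drive letters are resolved, so `\??\C:\Windows\*` is simply `C:\Windows\*` as the kernel sees it, and the normaliser below strips it before matching. The policy, the sample events and the three-way decision (`allow`, `deny`, `unfiltered` for programs with no rule) are my own constructed assumptions for the model.

```python
import fnmatch

# NT object-manager prefix under which DOS drive letters live; kernel-side
# paths (as in the CLS rule file above) carry it, Win32 paths do not.
NT_PREFIX = "\\??\\"


def normalize_path(path: str) -> str:
    """Strip the \\??\\ prefix and fold case, so Win32 and NT spellings compare equal."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


# Constructed policy (assumption): process pattern -> allowed write-location patterns.
WRITE_POLICY = {
    "c:\\program files\\google\\chrome\\application\\chrome.exe": [
        "c:\\users\\*\\appdata\\local\\google\\chrome\\user data\\*",
        "c:\\users\\*\\downloads\\*",
    ],
    "c:\\windows\\system32\\notepad.exe": [
        "c:\\users\\*\\documents\\*",
    ],
}


def decide(process: str, target: str, policy=WRITE_POLICY) -> str:
    """'allow' if the write matches one of the process's locations, 'deny' if the
    process has rules but none match, 'unfiltered' if the process has no rules
    (modelling assumption: unlisted programs are not constrained)."""
    proc = normalize_path(process)
    tgt = normalize_path(target)
    for proc_pattern, allowed in policy.items():
        if fnmatch.fnmatchcase(proc, proc_pattern):
            if any(fnmatch.fnmatchcase(tgt, p) for p in allowed):
                return "allow"
            return "deny"
    return "unfiltered"


def audit(events, policy=WRITE_POLICY):
    """Apply the policy to (process, target) pairs; return log-style lines for denials."""
    denied = []
    for process, target in events:
        if decide(process, target, policy) == "deny":
            denied.append(f"DENY WRITE: {process} > {target}")
    return denied


# Constructed sample events, mixing Win32 and \??\-prefixed spellings.
SAMPLE_EVENTS = [
    ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\ShaderCache\\GPUCache\\f_00001f"),
    ("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "C:\\Windows\\System32\\dropped.dll"),
    ("\\??\\C:\\Windows\\System32\\notepad.exe",
     "\\??\\C:\\Users\\alice\\Documents\\notes.txt"),
    ("C:\\Windows\\System32\\notepad.exe",
     "C:\\Program Files\\Some Tool\\config.ini"),
    ("C:\\Windows\\System32\\calc.exe", "C:\\Users\\alice\\Desktop\\x.txt"),
]

if __name__ == "__main__":
    for proc, tgt in SAMPLE_EVENTS:
        print(decide(proc, tgt), proc, "->", tgt)
    print(*audit(SAMPLE_EVENTS), sep="\n")
```

The second and fourth events are the interesting ones: a browser writing a DLL into System32, and an editor writing into Program Files, are both denied purely because the target is outside the program's allowed locations, which is the per-application containment the post above calls a dynamic sandbox. Matching is case-insensitive because NTFS paths are, and `fnmatch` treats the backslashes literally, so the patterns read like the ones in the posted rule files.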
  25. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    For me this has been the most interesting thread at Wilders for 2015. I absolutely respect the technical input, clear and concise explanations by many members here that help many to understand the ideology and methodology of Florian's software. Obviously all the credit to him for his hard work, this software has made the most leaps and bounds this year in my opinion and I look forward to seeing how it evolves.

    regards.
     