Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I've had some wonderful and progressive conversations with Florian regarding the development of Bouncer and additional drivers. Soon, all drivers will be re-compiled and digitally signed. Additionally, all drivers have now received the same date/time stamp in the logging entries, priority rules, etc. Not only that, but all drivers have all had their already tight code bases thoroughly combed over, becoming even more stable and some performance improvements as well. During the past few weeks, Florian has been working hard on these drivers.

    Personally, I have been looking around and speaking with some other developers to inquire about someone assisting with the GUI coding/design. If I have any luck, I will introduce that developer to Florian if/when the time comes. Florian has his hands full at the moment, lots to tackle at the moment along with his regular everyday career. So I have offered to help with any of the documentation since that is an area that I could potentially be of assistance. I have also suggested the possibility of some sort of Wiki site for Bouncer and related drivers, where documentation can be easily updated, rules shared, etc.

    There was, at one point, an idea to create a very simplistic GUI similar to that of CryptoPrevent. Nothing like a copy-cat or something along those lines, but something that is "set-and-forget", with easy rules for everyday users to apply for free without the nitty gritty rule making. Then, the idea would be that that free (simplistic yet powerful) version would hopefully generate more awareness for Bouncer, driving more security researchers, academics, hardcore users, etc. who would be interested in licencing the full drivers. This would provide significant protection to regular users around the world for free, taking a massive dent out of things like ransomware and such, while bringing more recognition toward Bouncer in general. Anyway, this was just a simple brainstorming idea from a while back but I hope it is something that can come to fruition at some point.

    I have been able to confirm that, indeed, home users are $35 for a lifetime licence. Personally, I think that it is fair. Large organizations, of course, would have to pay quite a bit more to licence. But home users, I think that is fair. It is also right in line with Sandboxie lifetime licence, for example. I'd say it's one of those things that, for example, if Bouncer were to really take off and do well, that lifetime licence would be really sweet to take advantage of. Although, no doubt, there is more that can be done as far as GUI goes and keeping the user experience easier to manage.
     
  2. hjlbx

    hjlbx Guest

    @WildByDesign

    Home user Lifetime license for $35 = Bouncer only

    What is cost of other modules ?
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Unfortunately I don't have all of the answers for that. There are some rough plans to release the Pumpernickel project driver, for example, as a standalone driver for $5 / 5 Euro but also the possibility to integrate into Bouncer. So my guess is that each driver, if needed for forensics and such, can be licensed individually for a low lifetime fee.

    Personally (and this is only my opinion/thoughts) I think that if a user purchases a lifetime licence for Bouncer for $35, I think that it should include access to standalone drivers as well, particularly for testing purposes and so on. Some of those individual drivers like MemProtect and Pumpernickel have a very good chance of being integrated into the main Bouncer driver in the next few stages of development.
     
  4. hjlbx

    hjlbx Guest

    Thanks @WildByDesign
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @hjlbx You're welcome, anytime. :thumb:
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    OK so it appears as though Florian has been hard at work with all releases. Lots of code auditing and cleanup along with some performance enhancements and adding the date/time stamps to the logging of each driver now so that they are all very similar.

    The stable versions of CommandLineScanner and MZWriteScanner have received updates to receive the date/time stamping in the logs. The Beta Camp releases for Bouncer, MemProtect and Pumpernickel have all been updated as well and the Beta Camp drivers are all digitally signed now.

    There seems to be a bit of good news and bad news:

    Good news
    • The drivers are all digitally signed, therefore no need to run Windows in Test Mode
    • Lots of updates with regard to performance, code cleanup, etc.
    Bad news
    • The Beta Camp release of Bouncer is under the German title Tuersteher
    • Just makes it more difficult to remember/spell the name to start/stop the driver
    • The Beta Camp drivers have also received more limited max config file size (see below)
    Bouncer 5KB
    Pumpernickel 3KB
    MemProtect 2KB

    So naturally, I had some difficulties bringing my Bouncer, Pumpernickel and MemProtect config files down to the new size limits for testing purposes. That was a little bit difficult to trim the fat, so to speak, from my configs.

    One workaround for the Tuersteher naming in Bouncer files: you can rename the driver from Tuersteher.sys to Bouncer.sys. Open the Tuersteher.inf install file, use something like Notepad++ to do a Search and Replace for all occurrences of Tuersteher and change them to Bouncer. This will at least make it easier to use cmd to net start bouncer, net stop bouncer, etc. However, the config file and log file will still have to be named Tuersteher.ini and Tuersteher.log regardless.

    Anyway, we'll have to see how it goes from here. From a paid software product perspective, it is absolutely phenomenal. But as a free/demo type of testing software, it is slightly more limited at the moment.

    News page (which includes link to Beta Camp): https://excubits.com/content/en/news.html
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,871
    Location:
    U.S.A. (South)
    @WildByDesign

    Thanks for this news. Yeah the updated limited config restraint size puts a squeeze on things but by golly at least now more of us can finally test it with the drivers now digitally signed.

    Is it absolutely necessary to RENAME Tuersteher to Bouncer or will it run Default AS-IS? This is a confusing part unfortunately.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    No, that is not necessary.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,871
    Location:
    U.S.A. (South)
    Good. Thanks.

    This is excellent. Many of us have only been able to read of others' results. Now we can experience for ourselves just how STRONG these drivers are and realize their benefits as well as forward any bug reports that might crop up.

    Have a new rig that's been just waiting to try these safety drivers.
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're very welcome. If you do come up with any issues or questions, please do feel free to ask whatever you need. I'm happy to help. :thumb:
     
  11. hjlbx

    hjlbx Guest

    It's a good thing that the drivers are now digitally signed, but - in the end - it is just more rigmarole that needlessly complicates beta testing.

    I've pretty much come to the conclusion that - until usability is vastly improved - Excubits products are only for those that have the knowledge and/or time to mess with it.

    Its protections are great, but it has a long way to go in terms of convenience of use...
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    I just installed Pumpernickel, and I want to sandbox Firefox. I just started writing some rules which I will fine tune as I see how Firefox works with these rules. I'm not really sure how to write the rules yet for Pumpernickel since there is not much documentation yet. Do the rules below look ok? I'm just trying to prevent Firefox from writing to System Space, and Program Files. Also, how can I prevent Firefox from only writing to C:\ without preventing Firefox from writing to the entire C drive? Is it possible? Also will the priority rules (!) allow Firefox.exe to write to a particular file like place.sqlite, but block writing to all other files in a folder? I will try to make the rules much tighter as I have time.

    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    *C:\Program Files (x86)\Mozilla Firefox.exe>C:\Users\achilles\AppData\Roaming\Mozilla\*
    [BLACKLIST]
    *C:\Program Files (x86)\Mozilla Firefox.exe>C:\Windows\*
    *C:\Program Files (x86)\Mozilla Firefox.exe>C:\Program Files\*
    *C:\Program Files (x86)\Mozilla Firefox.exe>C:\Program Files (x86)\*
    [EOF]
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Cutting_Edgetech Try something like:
    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    !*firefox.exe>*\Mozilla\Profiles\Firefox*
    !*firefox.exe>C:\Users\*\AppData\Local\Temp\etilqs_*
    !*firefox.exe>C:\Users\*\AppData\Local\Microsoft\Windows\INetCache\counters.dat
    !*firefox.exe>C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations*
    !*firefox.exe>C:\Users\*\AppData\Local\Temp\mozilla-temp-files*
    !*firefox.exe>C:\Users\*\AppData\Local\Mozilla\updates\????????????????*
    !*firefox.exe>C:\Users\*\AppData\Roaming\Mozilla\Firefox\Crash Reports\*
    !*firefox.exe>D:\Downloads*
    !*firefox.exe>C:\Users\achilles\AppData\Roaming\Mozilla*
    C:\Windows\System32\*>*
    C:\Windows\explorer.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\*.db
    [BLACKLIST]
    *firefox.exe>*C:\*
    [EOF]
    
    The blacklist rule will stop firefox.exe from writing anywhere within C:, which would also cover Windows, Program Files as well as the root of the C drive. The priority rules in the whitelist section will allow firefox.exe to write to the places still required on C for normal functionality. That should give you something to play around with and tweak as necessary for now. Let me know how it goes.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    Thank you for your help! All write access by Firefox is being blocked to C:\Users. It's way too much to post, but it's everything in the user folder. I'm going to try something real quick.
     
  15. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    @WildByDesign

    Thank you for sharing your config and the news.
    Please also update the Bouncer thread on malwaretips :D
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    Ok, I got Pumpernickel working now. The problem was I was using full file path for firefox.exe. I had to use a much looser rule than your example above though because of endless blocks to C:\Users\achilles\Appdata. I will try to tighten it down using your examples when I see the feedback from Pumpernickel's logs. I do not understand why you have C:\Windows\System32\*>* on your whitelist. It does not have anything to do with Firefox does it? Thank you for your help!
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome. No, that rule was not specific to Firefox, I apologize for any misunderstanding with that. That was something more specific to Windows (or possibly Windows 10) at the time.
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    One nice feature that Florian has also implemented recently in this current Beta Camp release is showing within each line of the logs which rule section triggered the logging event. As Bouncer received more and more features, such as parent checking, command line checking, etc. it became more difficult within the logs to determine which rule section the user needs to create a new rule to prevent that logging event from occurring again.

    You're welcome. I figure that maybe I should share my latest configs anyway since they are trimmed down to fit the size limitation and represent what is currently working well on my test systems right now. Also, I will do an update over at Malwaretips shortly as well.

    Code:
    [#LETHAL]
    [LOGGING]
    [#SHA256]
    [PARENTCHECK]
    [CMDCHECK]
    [WHITELIST]
    ?:\PortableApps\*
    ?:\Program Files\*
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????
    Q:\140066.enu\*
    C:\PROGRA~2\COMMON~1\MICROS~1\VIRTUA~1\*
    D:\Bouncer\*
    D:\Tools\*
    C:\Program Files (x86)\*
    C:\ProgramData\CanonBJ\*
    C:\ProgramData\Adguard\Temp\*
    C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe
    !C:\Windows\Temp\{????????-????-????-????-????????????}\.ba1\mbahost.dll
    C:\Users\*\AppData\Local\Packages\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\*
    C:\Users\*\AppData\Local\Temp\procexp64.exe
    C:\Users\*\AppData\Local\Apple\Apple Software Update\SetupAdmin.exe
    C:\Users\*\AppData\Local\Temp\{????????-????-????-????-????????????}\fpb.tmp
    C:\Users\*\AppData\Local\Google\Chrome\User Data\PepperFlash\??.?.?.???\pepflashplayer.dll
    C:\ProgramData\Adobe\ARM\?\?????\AdobeARMHelper.exe
    !C:\Windows\Temp\??_?????.tmp\setup.exe
    C:\Users\*\AppData\Local\Temp\??_?????.tmp\setup.exe
    C:\Users\*\AppData\Local\Google\Chrome\User Data\SwReporter\?.??.?\software_reporter_tool.exe
    !C:\Windows\Temp\???????.tmp\*.dll
    C:\Users\*\AppData\Local\Temp\???????.tmp\*.dll
    C:\Users\*\AppData\Local\Temp\MozUpdater\bgupdate\updater.exe
    C:\Users\*\AppData\Local\*\updates\????????????????\updates\0\*
    *\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbasecomps.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\*.dll
    !C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe
    !C:\Windows\Temp\????????-????-????-????-????????????\*.dll
    !C:\Windows\Temp\DPTF\*
    !C:\Windows\Temp\MP*.DLL
    C:\Windows\*
    C:\????????????????????\mrtstub.exe
    C:\Users\TIFFAN~1\AppData\Local\Temp\??????.tmp\*.dll
    [BLACKLIST]
    *iexplore.exe
    *regedit.exe
    *bitsadmin.exe
    *cipher.exe
    *syskey.exe
    *vssadmin.exe
    *regedit.exe
    *Regsvcs*
    *RegAsm*
    *wusa*
    ?:\$Recycle*
    *vssadmin.exe
    *aspnet_compiler.exe
    *csc.exe
    *jsc.exe
    *vbc.exe
    *ilasm.exe
    *MSBuild.exe
    *script.exe
    *journal.exe
    *bitsadmin*
    *iexpress.exe
    *mshta.exe
    *systemreset.exe
    *bcdedit.exe
    *mstsc.exe
    *powershell.exe
    *powershell_ise.exe
    *hh.exe
    *set.exe
    *setx.exe
    *InstallUtil.exe
    *IEExec.exe
    *DFsvc.exe
    *dfshim.dll
    *PresentationHost.exe
    C:\Windows\Temp\*
    [PARENTWHITELIST]
    *>*
    [PARENTBLACKLIST]
    [CMDWHITELIST]
    *>*
    [CMDBLACKLIST]
    [EOF]
    
    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    *chrome.exe>C:\Users\*\AppData\Local\Temp\etilqs_*
    *chrome.exe>C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent*
    *chrome.exe>C:\Users\*\AppData\Local\Google\Chrome\User Data*
    *chrome.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\*cache_*.db
    *chrome.exe>C:\Users\*\AppData\Local\Microsoft\Windows\INetCache\counters.dat
    *chrome.exe>C:\Users\*\AppData\LocalLow\Microsoft\CryptnetUrlCache\*
    *chrome.exe>C:\Users\*\AppData\Local\Temp\???*.tmp
    *chrome.exe>C:\Users\*\AppData\Local\Temp\????_???*
    *chrome.exe>C:\Users\*\AppData\Local\Temp\scoped_dir_????_????*
    *chrome.exe>D:\Downloads*
    *firefox.exe>*\Mozilla\Profiles\Firefox*
    *firefox.exe>C:\Users\*\AppData\Local\Temp\etilqs_*
    *firefox.exe>C:\Users\*\AppData\Local\Microsoft\Windows\INetCache\counters.dat
    *firefox.exe>C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations*
    *firefox.exe>C:\Users\*\AppData\Local\Temp\mozilla-temp-files*
    *firefox.exe>C:\Users\*\AppData\Local\Mozilla\updates\????????????????*
    *firefox.exe>C:\Users\*\AppData\Roaming\Mozilla\Firefox\Crash Reports\*
    *firefox.exe>D:\Downloads*
    C:\Windows\System32\*>*
    C:\Windows\explorer.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\*.db
    C:\Program Files (x86)\Adguard\AdguardSvc.exe>C:\ProgramData\Adguard\*.db*
    Q:\140066.enu\Office14\*>*
    !*notepad.exe>D:\Tools-Protected\Test\*
    [BLACKLIST]
    *explorer.exe>D:\Tools-Protected\Test*
    [EOF]
    
    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    C:\Windows\*>*
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    ?:\PortableApps\*>*
    ?:\Program Files\*>*
    D:\Tools\*>*
    *ProcessHacker.exe>C:\Windows\*
    *ProcessHacker.exe>C:\Program Files (x86)\*
    *ProcessHacker.exe>C:\Program Files\*
    *ProcessHacker.exe>*peview.exe
    *peview.exe>*ProcessHacker.exe
    *procexp.exe>C:\Windows\*
    *procexp.exe>C:\Program Files (x86)\*
    *procexp.exe>C:\Program Files\*
    *procexp64.exe>C:\Windows\*
    *procexp64.exe>C:\Program Files (x86)\*
    *procexp64.exe>C:\Program Files\*
    *procexp.exe>*procexp64.exe
    *procexp64.exe>*procexp.exe
    C:\ProgramData\Adguard\Temp\?.?.???.???*\setup-?.?.???.???*.exe>*
    C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe>C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe
    C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe>C:\ProgramData\Adguard\Temp\?.?.???.???*\setup-?.?.???.???*.exe
    [BLACKLIST]
    [EOF]
    

    Hopefully these rule sets may be helpful to some users who are getting started up recently with the Beta Camp releases.
     
  19. @WildByDesign

    I don't understand your MemProtect ini file; it does not seem to blacklist anything.

    Regards Kees
     
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    @WildByDesign
    I looked at these example-rules for Pumpernickel, but...
    If firefox and chrome-rules are added to the whitelist, shouldn't chrome.exe and firefox.exe be added to the blacklist, too?

    example:
    [BLACKLIST]
    *chrome.exe>*
    *firefox.exe>*
    Because if nothing is in the blacklist, the rules for the whitelist have no effect.

    Now Memprotect:
    If Processhacker is installed in c:\Program Files\Process Hacker 2\ are these additional Processhacker.exe-rules needed?
    C:\Program Files\*>* is already in the whitelist...

    From 10KB down to 2KB. That's a big difference.
    My config was exactly 10KB :confused:
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    That's correct, Kees, nothing is being protected in that particular MemProtect.ini config.

    In my previous testing with MemProtect, I just added the following to the blacklist section of MemProtect.ini:
    Code:
    [BLACKLIST]
    D:\Tools-Protected\*>*
    And so within the Tools-Protected directory, I had some sub-directories such as SpeedyFox, Temp, etc. which I had some portable executables running in protected mode. In that testing, MemProtect did great at stopping Process Hacker's kernel driver from obtaining process details, permissions, termination, etc.
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You are 100% correct, you can add whichever rules you want in the blacklist section to restrict chrome.exe and firefox.exe from writing to any locations, as long as you have the necessary ones in the whitelist section. If you were to add those (above) to your blacklist section, then I would probably recommend making your whitelist rules for chrome.exe and firefox.exe as priority rules to ensure that they take priority. But yes, in your example, that would work great, just make sure you use priority rules in the whitelist.
    Agreed, it was a big shock to me. My Bouncer config was about 15KB and the Pumpernickel and MemProtect configs both also had to be chopped approximately in half for my rules. On one hand, I am very happy that I no longer have to do the driver testing in Test Mode since they are digitally signed. On the other hand, I just hope that the tighter restrictions don't have too much of a negative effect. I will catch up with Florian again soon and figure out the latest plans and so on.
     
  23. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    I do not think so.

    With @WildByDesign 's config, any processes launched from the user space (such as C:\User\*) would be prevented from touching the memory of any other processes (after we revise [#LETHAL] to [LETHAL], of course :D), since such operations are not whitelisted in the WHITELIST.

    @Windows_Security and @WildByDesign , please note that MemProtect is similar to Bouncer, and both are different from Pump. In both Bouncer and MemProtect, any action that is not implicitly whitelisted would be prevented. By contrast, Pump is a little more complicated.

    Just now, I executed a ransomware sample which uses the technique of process hollowing. It will start svchost.exe first, then inject into it. Since I launched that ransomware in the document folder, its injection was simply blocked by MemProtect with the rules of @WildByDesign . :)
     
    Last edited: Mar 2, 2016
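    The rule semantics discussed above (WildByDesign's Pumpernickel explanation in post 13, mood's blacklist question and WildByDesign's answer in posts 20 and 22, the MemProtect blacklist in post 21, and Online_Sword's note in post 23 that Bouncer and MemProtect are default-deny while Pump is not) worked through as an added example. This is not code from any post and not Excubits' driver code; it is a toy evaluator whose behaviour is an assumption modelled from the thread: `*` and `?` wildcards, `!` priority whitelist rules winning over the blacklist, a non-priority whitelist rule losing to a blacklist match, Pumpernickel blocking only on a blacklist hit, Bouncer/MemProtect blocking anything not whitelisted, and `[#LETHAL]` meaning log-only. The sample configs, process paths and the `left`/`right` naming of the two sides of a `>` rule are constructed for the example; the PARENT*/CMD* sections of Bouncer are not modelled.

```python
"""Toy evaluator for Excubits-style rule files (added example; not Excubits' driver code).

Semantics are modelled from this thread, not from the vendor's documentation:
  * '*' matches any run of characters, '?' exactly one; matching is case-insensitive.
  * A rule 'left>right' holds two patterns; a bare pattern applies to the left side only.
  * A leading '!' marks a priority rule; a priority WHITELIST rule wins over BLACKLIST.
  * Pumpernickel mode: only a BLACKLIST match blocks, so an empty BLACKLIST blocks nothing.
  * Bouncer/MemProtect mode (default deny): a request matched by no WHITELIST rule is blocked.
  * '[LETHAL]' enforces; the commented-out '[#LETHAL]' only logs what would be blocked.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Pattern


def glob_to_regex(pattern: str) -> Pattern[str]:
    """Translate an Excubits wildcard pattern into an anchored, case-insensitive regex."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


@dataclass
class Rule:
    priority: bool
    left: Pattern[str]
    right: Optional[Pattern[str]]  # None for bare (Bouncer-style) path rules

    def matches(self, left: str, right: Optional[str]) -> bool:
        if not self.left.match(left):
            return False
        if self.right is None:
            return True
        return right is not None and self.right.match(right) is not None


@dataclass
class Config:
    lethal: bool = False
    whitelist: List[Rule] = field(default_factory=list)
    blacklist: List[Rule] = field(default_factory=list)


def parse_config(text: str) -> Config:
    """Parse the INI-like rule file; sections other than WHITELIST/BLACKLIST act as flags."""
    cfg, section = Config(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section == "EOF":
                break
            if section == "LETHAL":  # '[#LETHAL]' parses as '#LETHAL', so enforcement stays off
                cfg.lethal = True
            continue
        if section not in ("WHITELIST", "BLACKLIST"):
            continue  # Bouncer's PARENT*/CMD* sections are not modelled here
        priority = line.startswith("!")
        left, sep, right = (line[1:] if priority else line).partition(">")
        rule = Rule(priority, glob_to_regex(left), glob_to_regex(right) if sep else None)
        (cfg.whitelist if section == "WHITELIST" else cfg.blacklist).append(rule)
    return cfg


def decide(cfg: Config, left: str, right: Optional[str] = None, default_deny: bool = False) -> str:
    """Return 'allow', 'block', or 'log' (would be blocked, but [LETHAL] is commented out)."""
    def hit(rules: List[Rule], priority_only: bool = False) -> bool:
        return any(r.matches(left, right) for r in rules if r.priority or not priority_only)

    if hit(cfg.whitelist, priority_only=True):
        verdict = "allow"
    elif hit(cfg.blacklist):
        verdict = "block"
    elif hit(cfg.whitelist):
        verdict = "allow"
    else:
        verdict = "block" if default_deny else "allow"
    return "log" if verdict == "block" and not cfg.lethal else verdict


# Constructed sample configs, shaped after the ones posted in this thread.
PUMPERNICKEL_INI = r"""[LETHAL]
[LOGGING]
[WHITELIST]
!*firefox.exe>*\Mozilla\Profiles\Firefox*
!*firefox.exe>D:\Downloads*
[BLACKLIST]
*firefox.exe>*
[EOF]
"""

MEMPROTECT_INI = r"""[#LETHAL]
[LOGGING]
[WHITELIST]
C:\Windows\*>*
C:\Program Files\*>*
[BLACKLIST]
[EOF]
"""

if __name__ == "__main__":
    ff = r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"  # constructed path
    pump = parse_config(PUMPERNICKEL_INI)
    print(decide(pump, ff, r"C:\Users\u\AppData\Roaming\Mozilla\Profiles\Firefox\places.sqlite"))
    print(decide(pump, ff, r"C:\Windows\System32\dropped.dll"))
    mp = parse_config(MEMPROTECT_INI)
    print(decide(mp, r"C:\Users\u\Documents\dropper.exe", r"C:\Windows\System32\svchost.exe", default_deny=True))
```

    Two things the toy makes visible: deleting the single `*firefox.exe>*` blacklist line turns every firefox whitelist entry into a no-op (mood's point), and in MemProtect mode a process started under C:\Users is refused access to svchost.exe even though no blacklist rule names it, which is the default-deny behaviour Online_Sword observed. It also shows why Cutting_Edgetech's first rule set did nothing: the pattern `*C:\Program Files (x86)\Mozilla Firefox.exe` never matches the real `...\Mozilla Firefox\firefox.exe` path, whereas `*firefox.exe` does.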
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Awesome, thank you for taking your time to confirm those details. I often did wonder if something was not specifically whitelisted in MemProtect, if it would act similar to Bouncer and block the request. That makes sense, but I just had not confirmed that previously. So I appreciate that you have been able to confirm that. I think that both MemProtect and Pumpernickel will have a lot of potential for protection and both have the possibility of being integrated into Bouncer.
     
  25. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Regarding the integration, Florian once told me that Pump would be integrated into Bouncer. I am not sure about MemProtect. I hope MemProtect and MZWriteScanner could also be integrated into Bouncer in the end. :)
     