Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    @Windows_Security

Hi, just now I did some small tests and I can confirm that the priority symbol "!" can actually be used in MemProtect in my tests.

    There are two test cases here for comparison. In the first test case, I create the following rules:
    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    C:\Windows\*>*
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    [BLACKLIST]
    C:\*\notepad.exe>*
    [EOF]
    
    With such rules, when I open the FileDialog in notepad, MemProtect will generate quite many log events in the following form, which shows that notepad.exe tries to access the memory of explorer.exe.
    Code:
    *** excubits.com demo ***: 2016/03/09_02:54 > C:\Windows\System32\notepad.exe > C:\Windows\explorer.exe
    In the second test case, I create the following rules:
    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    !C:\*\notepad.exe>C:\*\explorer.exe
    C:\Windows\*>*
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    [BLACKLIST]
    C:\*\notepad.exe>*
    [EOF]
    
    Please note that the only difference here is that I add a priority rule that allows notepad.exe to access the memory of explorer.exe. In such case, when I open FileDialog in notepad.exe, no log event will be generated.

    The differences between the test results can prove that the priority symbol could be used in MemProtect.

Please note that in Bouncer, priority rules should be put at the beginning of the WHITELIST block. I think such a constraint also exists in MemProtect.
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,871
    Location:
    U.S.A. (South)
    This is exciting!

So far there's been zero issues on my own 8.1, but there is still plenty to learn yet. Keep those buggy reports flowing too, fellows, it can only help.
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
Thank you for your help! Sorry, I accidentally stated Bouncer by habit. I actually do have my config file named Tuersteher, and it is located in the Windows folder. I guess this must be a bug. I will save a copy of my config file in case I lose everything. I would hate to start over. I ended up having to save the rest of my rules to a separate notepad document while my mind was being creative. I will add them later if I can get Tuersteher/Bouncer working again. Basically I have a lot of other rules to block file types by extension from being the parent to cmd.exe, rundll32.exe, taskhost.exe, etc. I have seen spoofed image files containing executable code, so there's no reason to give them the resources they need to execute code if one can keep from doing so.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,224
    Location:
    The Netherlands
    Looks cool, too bad that he doesn't build a user friendly GUI for all of his tools.
     
  5. :thumb: Thanks, now it works
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    I just submitted a bug report to Fabian for this. Hopefully he will be able to tell me what is causing the System 1283 Error, and get Bouncer back to working again without having to remove my rules.
     
  7. @Cutting_Edgetech, @Online_Sword, @WildByDesign

Question: most anti-exploit software is based on a list of protected applications. So they apply a default allow combined with a blacklist of operations (like Pumpernickel). Are you comfortable with the current implementation of MemProtect using a default deny like Bouncer?

Am I the only one not feeling comfortable with this? I'd rather have MemProtect work the same as Pumpernickel (explicitly block something). Just curious on your preference on this.

    Regards Kees
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Thank you for confirming the priority rules for MemProtect, that's good news. You have a great way of explaining a lot of these technical things and also good at showing how things work with your explanations and rule set examples.
    Excellent, I'm thrilled that your testing is going well. I appreciate your positive mindset.
    I agree, for sure. And I think that a lot of us would like to have some more visual GUI tools to work with Bouncer along with the other upcoming drivers. I strongly believe that good things are worth waiting for, and on that note I believe strongly also in Florian's goals and underlying principles. I do believe that a better GUI tool will come sometime in the future for Bouncer. As long as things continue to move forward and do well, I have high hopes for that.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
No, I'm not comfortable with it. I would prefer to define which applications are not allowed to read/write to the memory of other applications. I don't remember if MemProtect can be configured to only function in this manner since it is not compatible with my setup. It causes Windows to hang on my machines, and it is not recoverable. The mouse cursor will not even move when it occurs. I have to do a hard shutdown every time. It is not compatible with Eset on my machines for one, but I suspect there is something else running on my machine that it is not compatible with. I reported it, but Florian was not interested in putting any time into fixing it.
     
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    I found a nice way to protect only vulnerable applications with MemProtect.

    a) *>* has to be on the whitelist
    b) Put the vulnerable app to the blacklist.
    c) And put the vulnerable app to the whitelist, but now as a priority rule.

    In the following example, only Firefox and FossaMail are protected now.

    Edit: There is already a solution for protecting vulnerable applications: #948

    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    !c:\Program Files\Mozilla Firefox\*>c:\Program Files\Mozilla Firefox\*
    !c:\Program Files\FossaMail\*>c:\Program Files\FossaMail\*
    *>*
    [BLACKLIST]
    c:\Program Files\Mozilla Firefox\*>*
    c:\Program Files\FossaMail\*>*
    [EOF]
    
     
    Last edited: Mar 9, 2016
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
@Cutting_Edgetech I was playing around with my config some more and came across the error 1283 that you experienced. The error that I experienced initially was with the config file not being present in C:\Windows, so I apologize for the misunderstanding. But now after experiencing the same error 1283 as you, I can confirm with certainty that it refers to going over the file size limit. I find it easier to determine file size in Notepad++ and when loading your config in Notepad++, going to View menu - Summary... File length (in byte): shows 5962. So Windows Explorer shows it as 6KB. Unfortunately, I had to remove approximately 18 lines from your config to bring the File length (in byte) reading in Notepad++ down to 4978, which is what would show as 5KB in Windows Explorer. Then Bouncer would load your config. So hopefully that clarifies the error for you. Although, I know, it does not do much justice regarding the file size limit for the demo, and I know how difficult it is to remove rules which you worked hard to create. I think your rule set is very creative, by the way. We'll see if maybe Florian can relax the limit to, say, 10KB, which would be more appropriate. Anyway, so for now with the current demo, use Notepad++ to help see File length (in byte) in View - Summary and ensure that it stays just slightly under 5000. I had to get more creative and combine some rules with wildcards to squeeze my config down to 5KB.
     
  12. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    @Windows_Security

    Until now, I only use MemProtect on my VMs. It has not caused any trouble to me. :)

The reason why I personally think the default-deny policy of MemProtect could work is that, for legitimate applications, accessing other processes' memory is not a frequent operation.

Several months ago, I used ESET HIPS on a real machine. At that time, I created a rule which prompted me every time any application tried to modify the state of other applications. Such a rule can be viewed as a "default-prompt" rule.

At that time, I found that I only needed to create quite a few whitelist rules (each of which explicitly specifies the source application and target application) to suppress the alerts. That is why I think the default-deny policy in MemProtect could work.

By contrast, writing to files is a frequent operation. For example, when I tried Comodo, I found that svchost.exe will continuously write to files in the background. That is why I think Pump could not use the default-deny policy.

    Anyway, I have not tried MemProtect on a real machine. On a real machine, I might also experience the problem described by @Cutting_Edgetech in #960. However, it may not be caused by the default-deny policy. It may just be a bug in coding...
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
Thank you for getting back with me again. I think it will be very difficult to do much good beta testing of Bouncer with such a small data limit. One cannot play with the rules with such a low limit to make sure everything is working correctly. I have many other rules I have written. I guess I will have to post them on here to make sure I wrote them correctly. So you are confined to the same data limit with beta releases even though you have a lifetime license?
     
  14. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
I think it was the design he wanted to go with, there was also a blog on this at the end of 2015. If I remember right he also argued why he chose that way.

Hmmm, I guess he cannot check each and everything. For me it sounds like a problem with ESET or with your configuration. I also found myself with a freezing application - every time it happened it was my fault because of a wrong/odd configuration. So I guess maybe your config for ESET is somehow not correct.

I have the former version of Türsteher, but Florian told me that I can also have an unlimited beta if I want (I don't, but I could have). This is the premium bonus for customers and I think this is absolutely fair: If you pay you should also have a benefit. Until now there was little difference between demo and paid version and I think this was not fair for the supporters who paid. So I absolutely do a thumbs up for his decision because it would make me angry to see that the paying version equals the not paid version. (just my opinion here).
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
The problem occurred even with default settings of Eset, and no other real-time security software installed. I will just live without MemProtect for now. Maybe he will want to figure out what the problem is later down the road.

I agree with you, but I would suggest not having a data limit for beta builds used by paid customers. He will not receive good feedback from beta testers with such a low data limit. The user can't experiment with different rules. It will make it easier for the user to find bugs if they can try more rules.
     
16. Done something similar, see post
     
  17. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    A good point, should be considered. Well, MemProtect is beta so we could ask Florian to change :)

Also a good point here. Well, for me important was (and is) that Excubits is from Europe (call me a paranoia freak) but to be honest I do not trust the other Anti-EXE solutions. Appguard looks too "homeland security", same on Faronics stuff. They do not provide much information about their solutions and from what I've heard they use pesky reg. processes etc. No go for me. The solutions from well known AVs like Kaspersky, Symantec and McAfee: They are all trash, full of stuff I don't need, slow AND they have yearly fees. So no go again. So what else? Excubits or Trust-No-Exe at the end. I think both are good solutions and from what I can see here in comments and details on Wilders and other forums: I think both developers Andrea and Florian did a great job far beyond what these massive and big companies did in the last years (it is somehow a shame what e.g. Symantec, Kaspersky did with their Anti-EXE solutions). On the other hand it is impressive what these two guys and their solutions can do. Others may like Appguard or stuff from Kaspersky/Symantec. If I would live in the US, maybe I would opt for Appguard instead of the Italian/German software (Exe-Radar/Bouncer).

    Regarding Florian's choice "Florian's different position when everyone knows"... We could ask him. Maybe he changes the architecture. Like I assumed: it is beta. And you could also use the

    Code:
    *>*
    rule in the whitelist part, then nothing blocks - only the one you set onto the blacklist before. So at the end, I do not see it this critical.
     
    Last edited: Mar 9, 2016
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    :oops: Oh, I think i missed that post.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
How can I use wildcards to write my [PARENTCHECKBLACKLIST] rule for FlashPlayerPlugin.exe so that FlashPlayerPlugin will continue to be covered as it is updated to a new build? The process name will change depending on the build number. I'm currently using FlashPlayerPlugin_20_0_0_306. Will the rules below work, and continue to work as FlashPlayerPlugin is updated to a new build?

    !*FlashPlayerPlugin*.exe>*cmd.exe
    !*FlashPlayerPlugin*.exe>*rundll32.exe
    !*FlashPlayerPlugin*.exe>*taskhost.exe
    !*FlashPlayerPlugin*.exe>*conhost.exe
    !*FlashPlayerPlugin*.exe>*taskeng.exe

Will the [PARENTBLACKLIST] rules below work to block by file extension? I have seen image files that contain executable code, and the parent check feature could be used to block any file with the same extension from accessing cmd.exe, rundll32.exe, taskhost.exe, etc. The same mitigation method could be used with any media file.

    *>*.png>*cmd.exe
    *>*.png>*rundll32.exe
    *>*.png>*taskhost.exe
    *>*.png>*conhost.exe
    *>*.png>*taskeng.exe
    *>*.png>*powershell.exe
    *>*.png>*powershell_ise.exe
    *>*.gif>*cmd.exe
    *>*.gif>*rundll32.exe
    *>*.gif>*taskhost.exe
    *>*.gif>*conhost.exe
    *>*.gif>*taskeng.exe
    *>*.gif>*powershell.exe
    *>*.gif>*powershell_ise.exe
    *>*.jpg>*cmd.exe
    *>*.jpg>*rundll32.exe
    *>*.jpg>*taskhost.exe
    *>*.jpg>*conhost.exe
    *>*.jpg>*powershell.exe
    *>*.jpg>*powershell_ise.exe
    *>*.bmp>*cmd.exe
    *>*.bmp>*rundll32.exe
    *>*.bmp>*taskhost.exe
    *>*.bmp>*conhost.exe
    *>*.bmp>*taskeng.exe
    *>*.bmp>*powershell.exe
    *>*.bmp>*powershell_ise.exe
    *>*.dib>*cmd.exe
    *>*.dib>*rundll32.exe
    *>*.dib>*taskhost.exe
    *>*.dib>*conhost.exe
    *>*.dib>*taskeng.exe
    *>*.dib>*powershell.exe
    *>*.dib>*powershell_ise.exe
     
  20. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    407
    Location:
    router
    thank you WildByDesign
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Here is what I would do:
    Code:
    !*FlashPlayerPlugin_??_?_?_???.exe>*cmd.exe
    !*FlashPlayerPlugin_??_?_?_???.exe>*rundll32.exe
    !*FlashPlayerPlugin_??_?_?_???.exe>*taskhost.exe
    !*FlashPlayerPlugin_??_?_?_???.exe>*conhost.exe
    !*FlashPlayerPlugin_??_?_?_???.exe>*taskeng.exe
    Also, just for curiosity sake since you were wondering what you can do with wildcards, I will show some more examples of Flash Player related files which would cover 32-bit and 64-bit systems.
    Code:
    You can convert this:
    
    FlashUtil64_20_0_0_306_pepper.exe
    FlashUtil32_20_0_0_306_pepper.exe
    FlashUtil32_20_0_0_306_Plugin.exe
    FlashUtil64_20_0_0_306_Plugin.exe
    
    To this:
    
    *FlashUtil??_??_?_?_???_pepper.exe
    *FlashUtil??_??_?_?_???_Plugin.exe
    
    Or even combine into one line:
    
    *FlashUtil??_??_?_?_???_*.exe
    
    Or also:
    
    *FlashUtil??_??_?_?_???_p*.exe
    See, that (above) covers whether the platform is 32-bit or 64-bit, since 64-bit systems would contain both sets of binaries. It also has wildcards to cover updates to major version releases, minor point version releases, etc. I have used those same wildcard methods for several major release versions of Flash Player and Adobe has stuck to that version naming/numbering method thus far which is good.

    As you can see, you can really make things as tight of rules as you want with wildcards (generally tighter with ? wildcards) or you can make your rules more loose with * wildcards as well. There is room for all sorts of creativity with wildcards. You can be very specific and have many long detailed lines of rules, or you can even use wildcards to condense some rules into less rules but the rules would be a bit more loose. Either way is good, and you are in control of that which is allowed to occur on your system. You're in the driver's seat, that is what I like about it.

Another example of Flash Player wildcard use would be if you got down into controlling the DLLs for whatever reason, just an example of wildcard use:
    Code:
    You can convert these:
    
    NPSWF64_20_0_0_306.dll
    NPSWF32_20_0_0_306.dll
    pepflashplayer32_20_0_0_306.dll
    pepflashplayer64_20_0_0_306.dll
    
    Into this:
    
    *NPSWF??_??_?_?_???.dll
    *pepflashplayer??_??_?_?_???.dll
    
    And, if need be, you can have fine granular control to bring that down 
    to one rule line:
    
    *\Macromed\Flash\*??_??_?_?_???.dll
    
    As you can see, I added "\Macromed\Flash\" to the one line to make it 
    more strict.
    
    So again (above), we cover platform whether that be 32-bit or 64-bit along with covering version numbers as well and covers whether the user is using NPAPI Flash and/or PPAPI (pepper) Flash.

    Anyway, I hope those wildcard examples help to open your mind to explore just how much creativity you can have with wildcards in general. Lots of fun there.


    You're welcome, my pleasure. :thumb:
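To make the rule semantics discussed in this thread concrete (Online_Sword's priority-rule tests, mood's "protect only the vulnerable app" layout, and the `*`/`?` wildcards above), here is an added example, not Excubits' code and not from any poster: a small Python model of how a MemProtect rule file is parsed and evaluated, using the precedence the posted test cases demonstrate, the "priority rules first in the WHITELIST block" constraint Online_Sword mentions, and the under-5000-byte demo limit WildByDesign found behind error 1283.

```python
import fnmatch
import re

# Added example (not Excubits' code): how the MemProtect rule files in this
# thread are evaluated. Rules read "<source>><target>"; "!" marks a priority
# rule; "*" matches any run of characters, "?" exactly one. Precedence as the
# thread's tests show: priority whitelist > blacklist > whitelist > default deny.
SECTION_RE = re.compile(r"^\[(#?LETHAL|LOGGING|WHITELIST|BLACKLIST|EOF)\]$")
# Abridged from Online_Sword's second test case above.
SAMPLE = r"""
[WHITELIST]
!C:\*\notepad.exe>C:\*\explorer.exe
C:\Windows\*>*
[BLACKLIST]
C:\*\notepad.exe>*
[EOF]
"""

def parse_rules(text):
    """Return (priority, whitelist, blacklist) as lists of (src, dst) patterns."""
    priority, white, black = [], [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section not in ("WHITELIST", "BLACKLIST"):
            continue
        is_priority = line.startswith("!")
        src, sep, dst = line.lstrip("!").partition(">")
        if not sep:
            raise ValueError(f"rule without '>' separator: {line!r}")
        rule = (src.lower(), dst.lower())  # Windows paths: case-insensitive
        if section == "BLACKLIST":
            black.append(rule)
        elif is_priority:
            if white:  # the thread: priority rules go first in [WHITELIST]
                raise ValueError(f"priority rule after plain rules: {line!r}")
            priority.append(rule)
        else:
            white.append(rule)
    return priority, white, black

def _hit(rules, src, dst):
    return any(fnmatch.fnmatchcase(src, s) and fnmatch.fnmatchcase(dst, d)
               for s, d in rules)

def decide(rules, src, dst):
    """'allow' or 'block' for process src touching the memory of process dst."""
    priority, white, black = rules
    src, dst = src.lower(), dst.lower()
    if _hit(priority, src, dst):
        return "allow"
    if _hit(black, src, dst):
        return "block"
    return "allow" if _hit(white, src, dst) else "block"  # else: default deny

def fits_demo_limit(text, limit=5000):
    """Demo-build config check: byte length must stay just under 5000."""
    return len(text.encode("utf-8")) < limit
```

Running `decide(parse_rules(SAMPLE), r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe")` reproduces the second test case (allowed by the priority rule), while the same source touching any other target is still caught by the blacklist.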
     
  22. :) because of your post, that was an edited post thanks
     
23. In case of malfunction when rules are not applied, you are totally locked with a default deny. So changing from default deny to default allow is not for the "all is well" scenarios, but for the disaster scenarios (caused by bugs, incompatibility).
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,224
    Location:
    The Netherlands
    I just don't get it, to be honest. Why build all these cool tools without a handy GUI? That would be a huge selling point. It's the same with NVT, everyone knows that ERP rocks, but the latest tools are a step back, if you ask me.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,871
    Location:
    U.S.A. (South)
    100% Agreed.

But then many of us have always expected a GUI for better management, especially when it comes to "granular" applications. And since there are so many vectors of interest that require (for most users) special coverage, a BROWSE to file/folder via GUI to directly configure matters would prove as invaluable as the drivers themselves.

    But, we'll see how it goes.
     