Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,224
    Location:
    The Netherlands
    Anyone with some more info? Because I get to hear two different stories. Windows_Security says MemProtect is making use of a feature related to "System protected process". AFAIK, this will protect a process against memory access. Cutting_Edgetech says MemProtect will also block an exploited process from injecting code into other processes. These are two different things, and both will not block exploits itself.

    This sounds weird, but this is not a valid way of testing. The HMPA Test Tool should be able to write to memory of a process, otherwise it won't be able to run the exploit. And AG will not block the exploit itself (just like any other anti-exe); it will block the payload. It probably allows calc.exe because it's a system process. But the question remains why MemProtect blocked the exploit/or payload from running.
     
    Last edited: Mar 13, 2016
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    MemProtect protects against memory accessing, and it protects against injecting/open/write code into other processes.

    Even if Firefox is (somehow) exploited and has System Rights, it stays protected.
    It can't read the memory of other processes.
    And it can't execute other files. (It depends on the rules)

    For example:
    *firefox.exe>c:\program files\firefox*

    Firefox can't read the Memory of Processes outside of "c:\program files\firefox"
    = for example reading the Memory of a running password manager started from "c:\program files\passwordmanager\"
    is not possible

    Firefox can't inject into other processes (only in files started from the Firefox-Directory)
    = for example injecting into Explorer or other critical Processes is not possible

    Firefox can only execute files in the Firefox-Directory
    = It can't execute for example: regedit.exe, cmd.exe or other programs/temporary files to further infect the system.

    I hope, this is all correct :cautious:

    I think I wouldn't call MemProtect an "anti-exploit tool".
    But it can mitigate an exploit.
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Regarding the issue with MemProtect digital signature not working on Windows 7 SP1:

    There was one hashing/certificate related patch that updated the hash/cert components within Windows 7 to allow the more modern hashing used in digital signatures today. The required patch was KB3033929 which then allowed Windows 7 to validate the signature. There were several other hash/cert related patches for Windows 7 as well, such as: KB2813430, KB3123479, and KB3097966. Also, there are several patches for Windows 7 with regard to kernel-mode drivers which would be a good idea as well.

    So basically, a plain Windows 7 or even Windows 7 DVD with SP1, without any patches installed yet, would fail to run MemProtect without some of these security updates. Obviously, it is recommended to install any critical security updates anyway which would include all of these patches above. But anyway, I just wanted to get down to the root of this issue that I had and clarify a bit more. KB3033929 did the trick for my issue.
     
  4. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Conflicts:

    Yesterday I tried MemProtect on my real machine (in the Shadow Mode of Shadow Defender).

    Immediately after I started the service of MemProtect, a BSOD happened. I repeated this procedure, and the BSOD occurred again.

    I have analyzed the mini dump file. It suggests that the BSOD corresponds to nvterp.sys, which is the driver of EXE Radar Pro.:(

    I have submitted this problem to Florian, and he said that this might be the problem of ERP. He would do some further inspection to track down what causes the crash.

    By the way, following is my rule set. Please note that I am using the non-lethal mode:

    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    C:\Windows\*>*
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    C:\ProgramData\Symantec\Symantec Endpoint Protection\*>*
    [BLACKLIST]
    [EOF]
    
    My real computer is running Win7 64bit Pro. I can reproduce this issue on my real machine, but cannot reproduce it on a VM running Win8.1 32bit.
     
    Last edited: Mar 14, 2016
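    A toy evaluator for the rule syntax shown in mood's Firefox example and in the non-lethal rule set above, added here as an illustration (it is not Excubits code). The thread only shows the syntax, so the rule precedence (blacklist before whitelist, unmatched means deny), case-insensitive matching and the log-only meaning of a commented-out [#LETHAL] are assumptions.

```python
"""Toy evaluator for Excubits-style MemProtect rules (added example, not Excubits code).

Assumed semantics, since the thread only shows the syntax: a rule is
``<source pattern>><target pattern>``; ``*`` and ``?`` are the only wildcards;
matching is case-insensitive; [BLACKLIST] beats [WHITELIST]; anything unmatched
is denied; ``[#LETHAL]`` (commented out) means denied accesses are logged but
still succeed.
"""
import re

# Constructed sample: the non-lethal rule set posted in the thread.
SAMPLE_INI = r"""[#LETHAL]
[LOGGING]
[WHITELIST]
C:\Windows\*>*
C:\Program Files\*>*
C:\Program Files (x86)\*>*
C:\ProgramData\Symantec\Symantec Endpoint Protection\*>*
[BLACKLIST]
[EOF]
"""

# Constructed sample: the single Firefox confinement rule from the thread, lethal.
FIREFOX_INI = r"""[LETHAL]
[LOGGING]
[WHITELIST]
*firefox.exe>c:\program files\firefox*
[BLACKLIST]
[EOF]
"""


def _compile(pattern):
    """Translate a rule pattern (only * and ? are special) into an anchored regex."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE | re.DOTALL)


def parse_rules(text):
    """Parse the ini-style rule file into mode flags and compiled rule lists."""
    rules = {"lethal": False, "logging": False, "whitelist": [], "blacklist": []}
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key = line.upper()
        if key in ("[LETHAL]", "[#LETHAL]"):
            rules["lethal"] = key == "[LETHAL]"
        elif key == "[LOGGING]":
            rules["logging"] = True
        elif key in ("[WHITELIST]", "[BLACKLIST]"):
            section = rules[key[1:-1].lower()]
        elif key == "[EOF]":
            break
        elif section is None:
            raise ValueError(f"line {lineno}: rule outside a section: {line!r}")
        else:
            src, sep, dst = line.partition(">")
            if not sep or not src.strip() or not dst.strip():
                raise ValueError(f"line {lineno}: expected 'source>target': {line!r}")
            section.append((_compile(src.strip()), _compile(dst.strip()), line))
    return rules


def _result(verdict, rule, rules):
    denied = verdict != "allow"
    return {"verdict": verdict, "rule": rule,
            "enforced": denied and rules["lethal"],   # access actually refused
            "logged": denied and rules["logging"]}    # a log line would be written


def evaluate(rules, source, target):
    """Decide what the driver would do when `source` opens `target`'s memory."""
    for src, dst, text in rules["blacklist"]:
        if src.match(source) and dst.match(target):
            return _result("deny:blacklist", text, rules)
    for src, dst, text in rules["whitelist"]:
        if src.match(source) and dst.match(target):
            return _result("allow", text, rules)
    return _result("deny:unlisted", None, rules)


if __name__ == "__main__":
    ff = parse_rules(FIREFOX_INI)
    print(evaluate(ff, r"C:\Program Files\Firefox\firefox.exe",
                   r"C:\Program Files\PasswordManager\pm.exe"))
```

With the Firefox rule in lethal mode, firefox.exe reaching for the password manager is refused, while with the non-lethal sample an unlisted dropper opening svchost.exe is only logged.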
  5. hjlbx

    hjlbx Guest

    @WildByDesign

    How does Bouncer handle software that is modified via updates ?

    From my understanding this is only an issue if one creates rules based upon hash; Bouncer will block any file whose hash has changed.
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @hjlbx With Bouncer specifically, there are a few different methods that a user could utilize with varying degrees of difference between ease of use or more regular maintenance. A user could go completely path/file-based, completely hash-based, or even a crafty combination that combines both of those methods of control.

    Hash-based, of course, would be more maintenance with regard to software updates since the file hashes can change regularly. The log file for Bouncer can provide hashes for files which are blocked which can make it easier to maintain a hash-based whitelist and blacklist. The SHA256 hashing performance done by Bouncer is very efficiently done. As a matter of fact, in future versions and if there is enough interest over the SHA256 hashing functions, Florian has said that there is a possibility of re-writing the hashing functions in assembly code or something like that which would provide even greater efficiency and performance. However, as many of us know already, Bouncer does lack a good mechanism for creating and maintaining a larger sized hash list. It definitely needs some sort of database method along with a more intuitive built-in software tool to deal with the hashing and maintaining of hash lists, for sure. But on the other hand, there hasn't been a tremendous amount of interest in the SHA256 hashing, so I can understand why Florian has not put as much development time toward that external tool/database type of mechanism for hashing.

    Path/file-based is much easier to deal with software updates, particularly. Bouncer's use of wildcards (* and ?) allows for creating nice rules for allowing software updates and these rules can range anywhere from super loose rules (less secure, but easier to create) to very specific, tight rules (more secure, more difficult to create). I've created and collected a variety of rules to deal with software updates and other users have also come up with many which we've all been able to share collectively as a community. You could even combine hash-based with path/file-based rules to get really creative and likely even more secure as well.

    And also I wanted to mention that I do absolutely respect your opinion when you mention Bouncer needing a more intuitive GUI. I totally respect that. Bouncer is very much more of a niche tool mostly designed for Admins to distribute and provide great control over user systems. Also some users in academics and particularly forensics. But yeah, I would definitely love to see a more intuitive tool for Bouncer. Quite honestly, I don't think that it has to be pretty or fancy or anything like that. Most important, it needs to be intuitive, easy to use and easy to understand and to have a flow for creating rules fluidly and efficiently. I definitely have some ideas and dreams there. But what some users don't know is that Florian still works a regular full time job and on the side has done much security research over the years and his many ideas that come from his direct security research and forensics work turn into these various kernel-mode drivers which he also utilizes for his research/forensics work on the side, separate from his full time work. So that is why Bouncer doesn't evolve quite as fast as compared to other software which has many more developers and funding. But what I respect most about Florian is his design goals and fundamentals. He has an absolute passion/obsession with keeping his code bases small, efficient and precise to Windows API standards/protocols regarding kernel drivers. He is against taking any shortcuts or easy ways out, against things like using kernel hooks or user hooks, etc. He is, in general, against how many large software corporations use fancy GUIs as marketing and giving users more of a false sense of security. Also, he is against software pulling in user data, telemetry and all of that stuff which is so common. If you ever take a look at EULAs these days, there is so much great free software around from some really large software companies, but often times they use these free versions to pull in all sorts of data which then goes on to benefit the company and/or its paid userbase or even third parties. A lot of scary stuff. He's also got zero plans on introducing any kind of activation to his software, key codes, etc. It's all about trust with him, trust both ways I assume.

    Anyway, I hope that covers your question. As always, feel free to ask questions and request rules, share rules, etc. There's a handful of users now who are well versed with the rule creation now who are great at helping out here. I apologize that this ended up being more of a long-winded reply than I had anticipated.
     
  7. hjlbx

    hjlbx Guest

    I think with the complexity of rules, the integration of a simple notification system will be impracticable.

    For example, a simple alert with:
    • Allow Once
    • Create Allow Rule (Allow Always)
    • Block Once
    • Create Block Rule (Block Always)
    With priority rules and generic rules - where the order of rules definitely matters, a simple alert like above will not work - nor - be convenient.

    Then there is the issue of an avalanche of alerts if there are insufficient

    If anything, an Allow\Block once would be convenient - until the user can create desired rule(s).

    A user-friendly alert would need a built-in rule creation wizard. In other words, a means to also take into account the rules logic - how a newly created rule will interconnect with any existing rules - so as to avoid rule conflicts.

    I have no beef with Florian or Excubits. In fact, I think his products are as about as good as protection can be had from what I have seen with my limited use.

    I just think - even for an experienced IT security Admin - fully configuring the Excubits product line is almost a full-time occupation.

    Maybe, just maybe... I am lazy and extraordinarily unmotivated when it comes to reviewing logs and writing rules. :D

    Instead of log review\write rules, perhaps an efficient training mode ?

    There has to be a greater emphasis on ease-of-use (specifically, rules creation) - otherwise 99.9999 % of users will never adopt Excubits products. Rules writing is way too time intensive.

    If a user is over-burdened with rules creation then they will either disable or uninstall.

    There is no easy, direct answer to the ease-of-use issues.
     
    Last edited by a moderator: Mar 14, 2016
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    15,224
    Location:
    The Netherlands
    OK, so in other words it can only block the payload, just like with any other anti-exe. But couldn't this already be done with Bouncer itself?
     
  9. hjlbx

    hjlbx Guest

    OK... so now what's going on with Excubits betas ?

    Placed the default (no modifications whatsoever) *.ini files in C:\Windows\ per instructions.

    Installed driver by right-click *.inf.

    Even tried start driver.cmd as Administrator (which states driver already loaded).

    LOGGING is occurring.

    No icons in tray and no Excubits drivers\services shown running in Task Manager.

    W8.1 64-bit.
     
    Last edited by a moderator: Mar 14, 2016
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @hjlbx Which driver are you running?

    Open up an elevated command prompt. You can type the following to see if the driver is running:
    Code:
    sc query Tuersteher
    That will give indication if the driver is running or not. Change the word Tuersteher to whichever driver name you are running. Within the admin cmd prompt you can also control with net stop Tuersteher and net start Tuersteher.

    The executable that comes with the Beta Camp drivers are each named something similar to TuersteherSignalCheck.exe. Those are very bare bones, basic. They are just to help with testing to get an idea when something is blocked/logged and to open the log file. So unfortunately they don't have the full functionality as the executables Admin Tool.exe and BouncerTray.exe provide with the stable release builds.
     
  11. hjlbx

    hjlbx Guest

    I am running all the betas.

    Services are running.

    They do not show in Task Manager, Process Explorer, Process Hacker.

    If I execute TuersteherSignalCheck.exe - tray icon will appear for a few seconds and then disappear - even if set to show icon & notifications.

    Upon system reboot - all Excubit tray icons disappear.

    If it is required to create a start-up job in Task Scheduler for the executables, then it would be nice if this info was included in the read-me or in the beta camp.
     
    Last edited by a moderator: Mar 14, 2016
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    The stable version of bouncer has an installer. It installs the driver, the tray-icon, etc.
    But not the beta-version.
    And yes, installing via right-click on Tuersteher.inf only installs the driver.
    Bouncer is a pure kernel-driver and it's running without additional software.
    If you want to be alerted, an additional program has to be running.
    But that's not the concept of Bouncer.

    From their website:
    ..it just installs a simple kernel driver...no additional software is running on the system that slows down Windows or bothers the user with question message boxes
     
  13. hjlbx

    hjlbx Guest

    Like I said, it would be nice if this info was in the read-me or in the Beta Camp. With no info I expect beta installation and functionality to essentially behave as stable.

    Without improvements in usability, there will be only the current users on this thread. The typical user is not going to spend hours, days and weeks reviewing logs and writing rules. That's reality and there is nothing that can change that except improvements in usability. Eventually, the developer will have to make improvements. There is no easy answer to how to improve it.

    If Excubits products are intended for only those that have a lot of free time to review logs, create rules, and maintain those rules over time, then well, I guess it is perfect - innit ?

    If you re-read my post, you will see that I said an alert system is not going to work because of the different rules types.
     
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    Yes. But Bouncer can't prevent the injecting to other processes, or reading the memory of other processes.
    But nevertheless both should be able to block the payload.
    Correct. A handful of users... maybe less.
    I think the reason is that all other users are busy with writing and maintaining rules :D
    --------
    In terms of Usability there are better programs.
     
  15. hjlbx

    hjlbx Guest

    ROFLMAO ... :argh::argh::argh::argh::argh:
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I agree with almost all of your suggestions, for sure. I think that some sort of "install mode" would be great when administrators need to run installations and upgrades and so on, this could be some set period of time (example: 15 minutes, 30 minutes, user set) and then the protection would be re-enabled and just allow for installations/upgrades but still prevent some executions. Florian is working on something like that and has a few ideas to run with. I also agree with some sort of initial "training mode" that can assist the user at getting an initial configuration started and I believe that Florian is also working toward something there as well. And I definitely agree with some sort of rules creation wizard. I really think that would be important as well and extremely helpful for a lot of users to have a wizard type of UI walk through the steps and have folder/file selection with detailed explanations as well.

    The only part that I disagree with is the alerts. And keep in mind, I absolutely respect and value everyone's opinions, without a doubt. And so this is just my opinion, but I think that adding interactive type of alerts to allow/disallow execution is a very slippery slope. Not only could it be potentially dangerous, but it also goes against the ideas behind Bouncer. I understand both perspectives, of course, since there are pros and cons either way. I mean, as we have seen with things like UAC, for example, they can be an important layer in a layered security setup, but putting that execution decision in the hands of the user in real time can be dangerous, particularly in the case where some users might make the wrong decision. That also would require that process execution be started in an early stage and suspended, as I understand it, in order to be able to have the decision to allow or disallow. But anyway, the main idea behind Bouncer in general is more preventative and to follow basic Windows security guidelines such as setting everything up as Administrator, then running daily in LUA (although, of course, that is not required). Or in business usage, administrators setting up policies and locking down the client machines of entire office environments. Even usage with heavily locked down PoS (point of sale) type of machines or kiosks, library, etc. I mean, we've seen some absolutely crazy large scale breaches in recent years, particularly wide scale chains like Target and Home Depot and likely many others. These were like millions/billions of dollars in losses and it came down to older Windows machines running on their PoS systems/networks. All of these could easily have been locked down and prevented in the first place. Of course, it is not necessarily just the specific security software that makes all of the difference, but more about the competency of their security teams and administrators.
     
  17. hjlbx

    hjlbx Guest

    I get both sides of the alert argument.

    Anyhow, an alert solution won't work because alerts are too simplistic to prevent conflicts between rules. The introduction of priority rules and rule order significance quashes the whole alert mode argument.

    That is why I think perhaps a "training mode" and\or rules creation wizard. Really, when you think about it, the existing Bouncer rules interface is a basic rules creation wizard. Something a little more speedy perhaps - like interactive logs where a rules creation wizard could be accessed directly by selecting a line item in the log. Of course, that means heavy coding to create such a feature.

    A built-in core of strong rules would be a real benefit for the user. However, I think that core would have to be rather massive to cover the vast array of potentialities. So, in that regard, I think it is not practicable.

    Like I said, there's no easy solution to reduce the time-intensive mechanics of rules creation. Perhaps, in the end, it will just be what it is - time intensive and part of the personal cost of having Excubits' great protections.
     
    Last edited by a moderator: Mar 15, 2016
  18. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    I think the target users are admins that shall have the time to set up rules. In my company the admins spend months testing new software (or updates for a single application) before they release it. So they also have enough time to spend on rules for SRPs and the Anti-EXE they use.

    In general (not relating to @hjlbx):

    I don't see it so harsh. Look, if you have a well configured Windows PC, making rules for Bouncer is really simple and fast. I'm not an IT expert, I just have and use a clean system that I understand. So making rules is really, really simple. From what I read here it seems that some people just do not have any clue what they do with their Windows, they even do not understand basic concepts of that operating system. For such people, sorry to say, I totally agree: Do not use any Anti-EXE, because you will fail and will crash your system. It will bother you to death! To use any kind of Anti-EXE you should at least know basic Windows concepts and Program folders, you should also understand what it means to install software and where it lies. If not, you should really not use any kind of Anti-EXE - keep using AV and the built-in Firewall.

    I also have the feeling that some of the users commenting here tend to install thousands of applications a week. This tool here, that tool there. Well, that of course makes things difficult with Anti-EXEs... For me Anti-EXEs work fantastic, because I set up a PC, install just a bunch of applications and tools and then use this PC (with exactly that configuration) for months (or years). So no problems. On an update I just stop the Anti-EXE (not just Bouncer), install the update and YES: while installing the update I do not surf the web or make other ********** I just update and this works fine (for years!).

    I think you guys want everything: total freedom on changing and installing on your PC 24h a day with fully Anti-EXE, AV, Firewall Security. Well, keep on dreaming :) it will never happen ;-)

    In addition I also see people trying to arm Bouncer with all its power but do not understand its basics. I would highly recommend that you first use just the [WHITELIST] and [BLACKLIST], then go for parent checking - if it makes sense for your setup - and try command line scanning if it makes sense for your setup. I think that some people use all features and do not really understand them. First check your requirements, then configure your Anti-EXE depending on them. I guess that most ordinary users do not need command line scanning and most even do not need parent checking on all processes. So slow down and do not use an atomic bomb to just kill a fly ;-)
     
  19. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    No! No! MemProtect can mitigate against in-memory attacks like: an exploit or malware tries to inject code into another process. There are a lot of exploits and malware droppers out there that e.g. open up some system svchost.exe and inject their malicious code into such process. MemProtect will avoid/block such attempts. It has nothing to do with Bouncer, because it is on a different level. But you are right if it comes to reflective executable injection techniques, where a malicious executable is loaded into another process; this can of course be blocked by Bouncer (if the attacker does not implement its own PE loader). So MemProtect has its virtues :) Last weekend I did a malware dropper analysis and used MemProtect to analyse what's going on (just in logging mode) and was perfectly able to see what the dropper tried to inject where. It was awesome. Additionally I used Pumpernickel, Türsteher and ProcessHacker to see the executables started and to obtain strings from memory. So on the fly I was able to do analysis and I am not an expert, just a hobbyist. With Excubits Tools, ProcessHacker, PeStudio, DbgView and a Registry Monitoring tool you can do great analysis without digging too deep into reverse engineering etc. So even for private enthusiasts this is great. A lot of fun :)
     
  20. hjlbx

    hjlbx Guest

    @Cutting_Edgetech

    Based upon communications from BRN:

    AppGuard's Memory Protection for Guarded Apps does not prevent memory modification for child processes. AppGuard's Memory Protection only works in a specific manner. It will permit memory attacks that execute processes. For example,

    SurfRight Exploit Tool (Guarded App) > Internet Explorer (child process; Guarded) > write to stack, ROP, etc > execute > calc.exe (child process of Internet Explorer; Guarded).

    Memory Protection will block the memory modification of side-by-side processes only. For example,

    SurfRight Exploit Tool (Guarded App) > Internet Explorer (child process; Guarded) > write to stack, ROP, etc > BLOCK memory modification of > calc.exe (already running on system; not a child process of Internet Explorer).

    At least that is my understanding.

    Quite honestly, the explanation was, well, at best contradictory and vague. They stated the SurfRight Exploit Tool is not a true indicator of AppGuard's Memory Protection.

    As always, getting a straight-forward answer rather than one that is non-sensical seems impossible.

    MemProtect is more comprehensive protection.
     
  21. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    AG blocks memory modifications of already running processes, but not "new started processes"?
    A -> child B -> C (already running) = (memory access A -> C = Blocked)
    A -> child B -> child C = (memory access A -> C = NOT blocked)

    Correct?

    If a guarded Firefox starts an installed Password Manager, Firefox can access the passwords.
    If the Password Manager is already running, (memory-)access is blocked.
     
  22. hjlbx

    hjlbx Guest

    That's correct according to BRN.

    Memory Protection does not protect parent from modifying memory of child processes.
     
  23. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    Thanks, good to know.
     
  24. hjlbx

    hjlbx Guest

    The reason why child process memory modification is permitted is because if they block it, then it breaks too many apps.
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    That is a very interesting conclusion. And of course, "comprehensive protection" when it comes to either program would ultimately come down to individual user configurations, I would assume. If you don't mind, and if you have a moment, could you please explain why you came to the conclusion that MemProtect provided a more comprehensive protection?

    The reason why I ask is because, while I often do understand how things work to a certain degree and can configure the rules, I don't always understand what is going on under-the-hood, so to speak. What I mean is, I can quite often get things to work quite well, but I personally am not able to "visualize" what is actually happening under the surface from a more technical level.
     