Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I don't have any concerns, but I'm trying to figure out how it works. Like I said, if it works this way, it's not actually blocking exploit methods which are used in remote code execution attacks, so there is no need to compare it with MBAE and HMPA. What you guys are talking about is protecting a process against code injection and memory reading, that's not the same as blocking exploits! So why on earth use the HMPA Test Tool which is designed to simulate exploits caused by memory corruption? This is what member Windows_Security fails to understand, it's not a valid test.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes I know, so if you can block the payload from running you have already won the battle. You can do this with Bouncer, EXE Radar and VoodooShield to name a few. But MemProtect isn't actually blocking process execution, is it? The problem is, I keep hearing contradictory things.

    You have to be kidding me. The real benefit of HMPA and MBAE is that they can block exploits/shellcode in an early stage, so this means there is less chance that malicious code that runs in-memory can try to bypass security tools. And yes, all security tools can be bypassed, this is old news.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    You seem to be completely missing the point. This isn't about HMPA vs others, this is about if MemProtect offers the same protection methods. And based on what I've read it's more similar to AG's Memory Guard. You guys seem to not know the meaning of "code execution exploits". Blocking a process from injecting code into another process, is not the same as blocking shellcode from running. Protecting a process from code injection or memory reading is also another thing.
     
  4. hjlbx

    hjlbx Guest

    @WildByDesign

    Have you guys made suggestions as far as built-in rules to Florian - or is he including what he thinks best for the base installs ?

    Also, I suppose the entire concept is to install Excubits in #Lethal and just observe for a good while, then create rules specific to one's system.
     
  5. hjlbx

    hjlbx Guest

    This, unfortunately, is not standard industry practice. Consumer products... features, features and more features. And for what ? In the end, most products will fail to protect the system - and fail rather miserably and over-consume resources.

    It is surprising, but security soft vendors are not very thorough in pen-testing their own products.

    To me, the less resource usage, the greater the protection, the greater the ease-of-use - the better. It's a hard equation to balance.

    I'm not a HMP.A fanboy, but comparatively speaking it is one of the better security related softs.
     
  6. guest

    guest Guest

    This is the only one in the logfile:
    2016/03/19_20:18 > C:\Program Files\Mozilla Firefox\firefox.exe > C:\Windows\explorer.exe
    Whether Firefox crashes or not, the above rule is always logged 4 times in a row.

    Clear history/cache is not configured. And Flash is disabled; I enable it only if I have to.

    There are more side effects of protecting Firefox with MemProtect:
    Extension icons are missing and I can't customize the GUI :confused:
    [attachment: Firefox_protected_with_MemProtect.png]

    But all problems are solved with this rule:
    !C:\Program*\*Firefox\*>C:\Windows\explorer.exe
     
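    As an added example (not code from the post, from Excubits, or from MemProtect itself), the helper below parses log lines in the `<timestamp> > <source process> > <target process>` shape shown above and checks each entry against rules written in the `<source pattern>><target pattern>` form, using `*` wildcards the way the Firefox rule does. It assumes, since the post does not spell this out, that a leading `!` marks an allow exception and that anything without a matching rule is reported as unmatched; both log lines and the second sample process are constructed here. Counting identical entries is what makes the "logged 4 times in a row" behaviour visible at a glance when triaging a larger log.

```python
import fnmatch
import re
from collections import Counter

# Constructed sample log in the format quoted in the post:
# "<date_time> > <source process> > <target process>".
SAMPLE_LOG = r"""
2016/03/19_20:18 > C:\Program Files\Mozilla Firefox\firefox.exe > C:\Windows\explorer.exe
2016/03/19_20:18 > C:\Program Files\Mozilla Firefox\firefox.exe > C:\Windows\explorer.exe
2016/03/19_20:21 > C:\Users\alice\Downloads\unknown.exe > C:\Program Files\Mozilla Firefox\firefox.exe
"""

# Rule in the form used in the post. Assumption (not stated on the page):
# a leading "!" marks an allow exception; unmatched entries are reported as such.
SAMPLE_RULES = [
    r"!C:\Program*\*Firefox\*>C:\Windows\explorer.exe",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) > (?P<src>.+?) > (?P<dst>.+)$")


def parse_log_line(line):
    """Split one '<timestamp> > <source> > <target>' line into its three parts."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.group("ts"), m.group("src"), m.group("dst")


def parse_rule(rule):
    """Split '<source pattern>><target pattern>'; '!' prefix = allow (assumed)."""
    allow = rule.startswith("!")
    body = rule[1:] if allow else rule
    src_pat, _, dst_pat = body.partition(">")  # '>' never appears in Windows paths
    return allow, src_pat, dst_pat


def path_matches(path, pattern):
    """Wildcard match. Windows paths are case-insensitive, so compare case-folded
    forms; fnmatch's '*' spans backslashes, which the post's rule relies on."""
    return fnmatch.fnmatchcase(path.casefold(), pattern.casefold())


def classify(src, dst, rules):
    """Return the verdict for one source/target pair: first matching rule wins."""
    for rule in rules:
        allow, src_pat, dst_pat = parse_rule(rule)
        if path_matches(src, src_pat) and path_matches(dst, dst_pat):
            return ("allowed by " if allow else "blocked by ") + rule
    return "no matching rule"


def summarize(log_text, rules):
    """Count (source, target, verdict) triples so repeated entries collapse."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst = parse_log_line(line)
        counts[(src, dst, classify(src, dst, rules))] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, verdict), n in summarize(SAMPLE_LOG, SAMPLE_RULES).items():
        print(f"{n}x  {src}  ->  {dst}  [{verdict}]")
```

    Run as-is it prints the two Firefox-to-explorer entries collapsed into one line with a count of 2 and the constructed `unknown.exe` entry as unmatched; feed it a real log file and your own rule list to see which entries a proposed exception rule would cover before you add it.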
  7. @WildByDesign

    When I enable the field 'Protection' in Process Explorer select columns (view), I see other protected processes, but the ones enabled by MemProtect not. Could you ask Florian why it is not showing?

    Thx
     
  8. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Exactly, it blocks attempts of process A gaining access to process B. From this angle of view: it cannot detect an exploit as an exploit, it prevents anything from happening. Finally the exploit can't move forward and as a result can't infect the system. There are scenarios (like the example I gave) where an attacker keeps being active in the exploited application itself and does not drop anything (exe, dll) on the PC, then start or remote-inject it. But those attacks are rare, so MemProtect does a good job. I think it depends on personal flavor, whether you like MemProtect's approach or another.
     
  9. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Absolutely right! A lot of security software is full of features most users do not understand and in the end this lowers overall security. In the last couple of months there were several serious issues reported (e.g. see Tavis Ormandy's analysis). This heavily loaded AV and anti-exploit software cannot be reviewed by the vendors, nor - in my opinion - do they really know what all their modules are doing. Their software is too complex and branched. So less is more, that is why I personally prefer solutions from NVT and Excubits, because at least I have the feeling that I understand what these tools are doing and I have control over them (but this is some kind of feeling - other users may have such a feeling for Symantec, Kaspersky, etc.). It is also a matter of taste.
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Kees, I agree and I think that this is an important question. As a matter of fact, I was also looking around within Process Explorer and Process Hacker hoping that there would be some sort of standout indicator that would help us know which processes were protected with MemProtect. But I did not find any indicator similar to what you were looking to see there. I will pass this question on to Florian and also your recommendations regarding default allow vs. default deny because I trust your judgement and I know that you took the time to research and test your findings. So I value your opinions and suggestions greatly. I will get back to you when I hear back from Florian.

    My "assumption" here regarding that Protection field in PE is that this might be a similar situation like EMET where, I can't recall if it was system wide DEP, SEHOP or ASLR, but anyway, those protections were applied accordingly, but PE wasn't able to show it correctly. Sorry, my memory is fading at the moment on this. But anyway, I assume it is something like that. However, I agree that we should ask Florian to find out some more details on that.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This is a matter of miscommunication. This hasn't got anything to do with personal flavor.

    The reason why I became confused is because some used the "Exploit Test Tool" (ETT) in order to verify if MemProtect could stop exploits. But they misinterpreted the results, because MemProtect simply blocks ETT from being able to access/modify the attacked process. While you should actually allow access and then test whether the calc.exe payload is blocked. Actually you don't even need MemProtect to block payloads from running, you should use Bouncer for that. Did anyone test Bouncer against ETT?
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    But anyway, if Florian developed a user friendly GUI, he could combine Bouncer with MemProtect and Pumpernickel and then he would basically have made a strong security tool, similar to AG but easier to understand. But it all depends on the GUI of course.
     
  13. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    I think I have fallen for memprotect.
     
  14. Really Rasheed? Why is your reason for being right always built on my limited/lacking knowledge/understanding?

    For definitions of shell code see Wikipedia. Windows offers several built-in execution environments which can be accessed by scripts (command, dotNet, Powershell, vbscript, javascript, etc.). Rich content on the internet executes code all the time, directly or through plugins which also provide a (just in time) execution environment. So when you visit a webpage you are basically executing code in the application hosting this rich/dynamic content. So BY DESIGN there are many EXECUTION environments built into the OS and APPLICATIONS to increase flexibility and provide a rich content experience in the Internet of things. An anti-executable won't help you because the host application (e.g. browser or word processor) is allowed to run.

    Because most host applications are written in C and C++ and these programming languages have BY DESIGN the ability to do unchecked pointer arithmetic. This flexibility in C and C++ is the root cause of overflows, integer type errors and invalid format strings. Luckily more and more protection mechanisms (DEP, SEHOP, ASLR), control mechanisms (Control Flow Guard) and memory freeing and garbage cleaning features are built into the OS and C++ compilers.

    So trying to block exploits from happening is like trying to prevent someone from making mistakes. THIS IS IMPOSSIBLE. In every 1000 lines of code (KLOC) there are some errors made by programmers (who are living people, not machines). Errors are not always logic errors, but may involve incorrect memory management (e.g. use after free). Errors are called vulnerabilities; when such an error can be misused (exploited) in a predictable way, it is called an exploit. So software designed to prevent exploits from happening has to monitor many attack vectors targeting many execution environments.

    So MemProtect does not prevent an exploit from gaining control over the flow of commands inside an application hosting such an execution environment, it prevents the malware from breaking out of that hosting application (or breaking into other same integrity level applications).

    Focusing on a few threat gates is a far more effective approach (using less code) than looking at many attack vectors in many dynamic code environments.

    As said earlier there is elegance in simplicity: MemProtect uses only 25Kb of code (including signature) to accomplish this Memory Protection. This means it is easier to pen test, less prone to error and uses less CPU resources.

    This is the last time I am discussing this with you, because I do not seem to be able to explain it to you. Luckily I am not alone because the explanation of @4Shizzle does not seem to sink in either.

    Regards Kees
     
    Last edited by a moderator: Mar 23, 2016
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes exactly. And that's why you need anti-exe or anti-exploit, to block the malware from running at all. If anti-exe or anti-exploit are bypassed, then you need to rely on other tools like MemProtect to block malware from attacking other processes.

    So MemProtect isn't designed to block malware from running, you need Bouncer, HMPA or other tools for that. That's why there is no need to compare them. Also, the Exploit Test Tool should have been tested against Bouncer, not against MemProtect. The ETT is designed to simulate exploits that trigger process execution in this case, calc.exe. So I now hope you understand what I mean.
     
  16. hjlbx

    hjlbx Guest

    Some users don't like the multi-layered approach, but instead just rely upon OS tweaks and a few choice softs to block malicious actions.

    I can see their point - even though I don't necessarily subscribe to their chosen mode of system protection.

    To me, all that matters is whether or not the system is persistently infected and if personal data can be exfiltrated.

    I think the protection methodology against such things is irrelevant; if it prevents persistent infection and data theft, then that is sufficient.

    The problem is that all solutions to date are not 100 %.

    Therein lies the real problem - and this necessitates a multi-layered protection model:

    Bouncer, MemProtect, Pumpernickel, Command Line Scanner, ...
     
  17. BY DESIGN the OS and rich content applications host execution environments, which CAN'T be stopped by ANTI-EXECUTABLES (because they allow the host or the execution environment). An ANTI-EXECUTABLE does not prevent abnormal (in memory) flow modification nor the execution of the egg (an egg is a piece of code saved in memory which is executed after the exploit takes control of the flow of commands). ANTI-EXECUTABLE programs can stop the dropper from running (the dropper installs malware on the system).

    BY DESIGN C and C++ don't have overflow protection, ANTI-EXPLOIT programs DON'T change this, so they can not prevent exploit execution, they can only detect KNOWN exploit techniques. The numbers game on exploit behaviour (of anti-exploit programs) is just a fraction of the numbers game in fingerprints (of anti-virus applications), so it is much easier to catch up with malware writers. ANTI-EXPLOIT programs intercept after an abnormal flow modification is detected, so they block reaching the egg to execute additional code.

    BY DESIGN: the Protected Processes feature protects selected processes from other processes in the system. MemProtect jails the exploit in the host application using this Windows protected processes feature. Depending on the rule set the exploit can't break out of vulnerable processes or break into other processes. No harm can be done, so it is (execution) game over.

    LIFE CYCLE OF AN EXPLOIT TO BE SUCCESSFUL (in layman's terms)
    1. A vulnerability in a program which can be predictably exploited, meaning execution flow can be changed to a specific memory location(s).
    2. An execution environment available within that host application (e.g. javascript in rich content like a webpage, pdf or flash) or accessible from that host application (visual basic macros in office apps, python in Libre Office).
    3. Executing the exploit through the (script based) execution environment (through social engineering or drive-by).
    4. Abnormal flow of control reaches an additional piece of code planted elsewhere in memory (sometimes called an egg) and executes this (the tinier the piece of code, the greater the chance AVs won't notice it, therefore a tiny piece of code points to a larger piece of code saved in memory).
    5. The egg triggers the dropper which drops/installs additional code (in a multiple stage attack the dropper can first download additional code) to survive reboot.

    SAFE HEX PRACTICES SPOILING THE CHAIN OF EVENTS FOR AN EXPLOIT
    1. Patching software in time (most practical and effective prevention of known exploits).
    2. Hardening (disabling plug-ins in Office Trust Center, disabling javascript in PDF reader, reading mail as plain text, etc.)
    3. Safe browsing keeping you away from infected/malware websites, Anti-Adblock keeping you away from malvertising, script blockers preventing the (often third party) scripts triggering the exploit, anti-execution programs preventing the execution of downloaded attachments/documents or Windows Smartscreen warning for it (on download and execution).
    4. OS features like DEP, SEHOP, ASLR, Terminate after Heap corruption, Control Flow Guard, Protected Processes (MemProtect), hardware based Control Flow Integrity (HMPA), ANTI-EXPLOIT programs monitoring specific weaknesses for code flow anomalies (EMET, MBAE and HMPA).
    5. Sandbox programs flushing or anti-execution programs, Smartscreen and MBAE blocking the dropper executing code from disk. UAC or running as Standard User to prevent installation with admin rights.

    BOTTOM LINE
    Using your PC without an ANTI-EXPLOIT or an ANTI-EXECUTION program does not mean it is game over. Modern Anti Virus programs have more cards up their sleeves than just a "fingerprints" blacklist and the AV could prevent or monitor any of the above mentioned stages of the exploit life cycle.

    ANTI-EXPLOIT CHOICES
    Depending on your skills and wallet you can choose an anti-exploit solution to complete your protection:
    - MBAE is for average PC users because it is the easiest to use and has no or the least compatibility issues of all anti-exploits mentioned in this post.
    - EMET for the knowledgeable user who likes freeware (ASR is a very powerful feature).
    - HMPA for the knowledgeable user who likes features (the only one which uses hardware assisted control flow integrity) and has contingency in place to deal with compatibility issues which might be caused by this "most comprehensive set of features".
    - MemProtect: for power users (elegance in its simplicity, using a kernel feature of the OS); the downside is that this feature is designed to protect Anti-Malware programs, so it might interfere with your AV. Due to its deny-all approach and lack of GUI, a typo in the ruleset could require an (image) restore.
     
    Last edited by a moderator: Mar 24, 2016
  18. guest

    guest Guest

    After weeks of testing Pumpernickel I found no real problems. Only the 8.3-filename problem I mentioned there: #949
    (Bouncer has this problem too, according to the developer)

    My actual scenario of using Pumpernickel:
    With AppGuard I already added all partitions as a protected folder ("read-only"), but it's only limited to Guarded Apps.
    So I decided to protect all partitions (except the system partition) with Pumpernickel, and allow only a few handpicked apps to (write-)access them:
    a file manager (Total Commander - totalcmd64.exe), notepad,
    and a zip extractor (WinRAR).

    Example:
    Edit: Modified the example

    Now "Unknown processes" have no chance to write/delete/change your protected files on D: and E:
     
    Last edited by a moderator: Mar 24, 2016
  19. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    Quick question: creating groups is not possible, is it? At least I haven't found anything that mentions this.
     
  20. kakaka

    kakaka Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    84
    If Pumpernickel could block read, it would be perfect.

    Both Easy File Locker and File System Protector could block read but with very rough (not as granular as Pumpernickel) rules with simple GUI.
     
  21. guest

    guest Guest

    Maybe my example was confusing (I have modified it a little bit now).
    But no, grouping is not possible.
     
  22. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    Thank you for clarifying, mood.
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @mood Absolutely beautiful, creative use of Pumpernickel configuration. That has opened my mind further and brought forth some more ideas. I am always curious to see what creative ideas users come up with since there are so many possibilities. Thank you for sharing.

    That would quite likely be possible, although I don't know how many users would be interested in that. I assume that the configuration would have to be different for rules to block read attempts (by different, I mean separate from the blocked move/rename/write/delete). It might be nice to be able to mix and match any of those within rules but may make configuration more complicated. Or I suppose another idea could be for Florian to create another small kernel driver specifically for blocking read attempts (protected and hidden folders/files). I know a lot of users are missing Secure Folders since development ceased, so your suggestion is a good idea.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Windows_Security, I'm not following you. Was this latest reply to educate users, or do you still disagree with me? I can't seem to figure this out. The reason why I became confused is because people kept telling me different things about MemProtect's protection capabilities. I was trying to figure out what it offers:

    1 Prevent process from reading memory and injecting code.
    2 Protect process from memory reading and code injection
    3 Prevent process from executing child process

    You told me it was 2, 4Shizzle told me it was 1 and Mood told me it was all of the three. You see where my frustration is coming from? Also, you even tested it against the Exploit Test Tool, while MemProtect will block the tool from working CORRECTLY because of point 1. That's why I said it's not a valid test. Also, if Mood was right, MemProtect is basically a replacement for Bouncer, is this true?

     
  25. promise to myself :)
     