Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    What is the developer using the hashing for? Is he/she going to start incorporating whitelisting also, or does he/she just want to give additional info for blocked events?
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    The SHA-256 hashing is for the application whitelisting. So if any executable's SHA-256 hash is not included in the whitelist, it is blocked from execution, or in the case of a .dll, blocked from injection as well. Same goes for .sys drivers. It's kind of like Christmas all over again these past few days for me. And I will present the developer, Florian, with some more ideas from a user's point of view. The original Bouncer driver will likely go free (no more limited demo) when the Plus version of Bouncer is released, and Plus will always be available by lifetime license since the developer doesn't believe in product key / activation type of nonsense. But most of the Bouncer driver's purpose is custom KMD versions of the Bouncer driver for large organizations, or backend licensing for other security software. I've been trying to push the dev more toward consumers as well, but more toward advanced security folks or enthusiasts like Wilders users. Relatively small niche, though, but I personally see the potential there.
     
  3. 142395

    142395 Guest

    SHA-384 shouldn't be the default and should only be an option for the paranoid, as it can cause a performance drop while SHA-256 is secure enough.
    It's impossible to achieve real whitelisting without a secure hash.
    If a whitelisting program only relies on the file path like SRP, a determined attacker can easily bypass this by dropping a malware file named, say, chrome.exe into the proper location.
    If a program uses an insecure hash like MD5, such an attacker can still bypass it with a little effort.

    Mitigating factors are:
    1. the attacker has to know you use such an incomplete whitelisting program beforehand.
    2. the attacker has to know or guess a legitimate program you use and its path. I gave chrome.exe as an example because it can be installed in user space, so the attacker doesn't even need elevation, but if the victim had disabled UAC the attack is easier.
    3. in the insecure hash case, the attacker has to do a little calculation to find an MD5 collision.

    I currently use SecureAPlus, which uses SHA-256 too and a simple program as a whitelist. But I also keep watching this thread as obviously the dev of Bouncer understands what security is and isn't deluded by users' demands or the temptation to add functions.
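    To make the path-based versus hash-based distinction in the post above concrete, here is an added Python example. It is my own illustration written for this thread, not code from Bouncer, SecureAPlus or any participant. It runs four launches through a path-only check (SRP / original-Bouncer style) and a SHA-256 hash-only check. The paths, allow rules and file contents are constructed stand-ins for real PE images; the user-writable Chrome install directory is the one the post uses as its example.

```python
import hashlib

# Constructed stand-ins for on-disk executables (a real whitelist hashes the
# actual PE images). Paths and contents are assumptions for this demo only.
CHROME_PATH = r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe"
TRUSTED_FILES = {
    r"C:\Windows\System32\notepad.exe": b"MZ notepad (constructed stand-in)",
    CHROME_PATH: b"MZ chrome 40.0 (constructed stand-in)",
}

# Path-based policy: allow anything below these directories, deny the rest.
# The Chrome directory lives in the user profile, so the user (and anything
# running as the user) can overwrite what is in it without elevation.
PATH_RULES = [
    r"C:\Windows",
    r"C:\Program Files",
    r"C:\Users\alice\AppData\Local\Google\Chrome\Application",
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def path_allowed(path: str, rules=PATH_RULES) -> bool:
    """Path-based check: only the location is examined, never the bytes."""
    p = path.lower()
    return any(p.startswith(rule.lower() + "\\") for rule in rules)


def build_hash_whitelist(files: dict) -> set:
    """Baseline the trusted binaries once; entries are keyed by digest only."""
    return {sha256_hex(data) for data in files.values()}


def hash_allowed(data: bytes, whitelist: set) -> bool:
    """Hash-based check: only the bytes are examined, never the location."""
    return sha256_hex(data) in whitelist


def scenario() -> dict:
    """Run four launches through both checks; values are (path_ok, hash_ok)."""
    whitelist = build_hash_whitelist(TRUSTED_FILES)
    dropper = b"MZ dropper (constructed stand-in)"        # attacker's file
    chrome_41 = b"MZ chrome 41.0 (constructed stand-in)"  # legitimate update
    genuine_chrome = TRUSTED_FILES[CHROME_PATH]
    return {
        # the real chrome.exe in its normal location: both checks pass
        "legit_chrome": (
            path_allowed(CHROME_PATH),
            hash_allowed(genuine_chrome, whitelist),
        ),
        # attacker overwrites chrome.exe inside the user-writable install
        # directory: the path check is fooled, the hash check is not
        "dropper_as_chrome": (
            path_allowed(CHROME_PATH),
            hash_allowed(dropper, whitelist),
        ),
        # the genuine binary copied to Downloads: the path check blocks it,
        # the hash check still recognises it
        "chrome_in_downloads": (
            path_allowed(r"C:\Users\alice\Downloads\chrome.exe"),
            hash_allowed(genuine_chrome, whitelist),
        ),
        # Chrome's own updater replaces the binary: the hash whitelist blocks
        # the new build until it is re-baselined (the operational cost of
        # hash-based whitelisting), while the path rule keeps allowing it
        "chrome_after_update": (
            path_allowed(CHROME_PATH),
            hash_allowed(chrome_41, whitelist),
        ),
    }


if __name__ == "__main__":
    for name, (p, h) in scenario().items():
        print(f"{name:20} path-based={'allow' if p else 'block':5} "
              f"hash-based={'allow' if h else 'block'}")
```

    The last case is why the thread keeps coming back to updater exceptions: a hash whitelist has to be re-baselined after every legitimate update, whereas a path rule stays valid but can be abused by anything that can write to the allowed directory.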
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Your post was insightful, but I already knew hashing was needed for whitelisting. That's why I asked if he was going to add whitelisting. I thought Bouncer was a policy-based AE in its current state. Is Bouncer going to become a hybrid of policy and whitelisting? Is he going to use the hashing for something else?
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    CET, I apologize if I misunderstood your question. You are correct, the currently released version of Bouncer is policy based (by that, I assume you mean path-based similar to SRP). There is also a version of Bouncer (purely hash based) that the developer had initially created for his own security/malware researching purposes, forensics type of stuff taking apart malware from his honeypots and so on for his own use. That is what he is going to release as Bouncer Plus. The question about whether the Plus will be a hybrid of policy and hash whitelisting is actually a question that concerns me as well and I am very curious about that. During my testing over the past few days, I realized that I would probably like a combination of both as well, depending on different setups. I asked the developer that same question a day or two ago and when he responds, I will let you know as well. The other question, "Is he going to use the hashing for something else?", can you clarify that a bit for me? What other good uses could the hashing be used for? I am just not very familiar with all of this hash-based whitelisting stuff and am really quite new to it and learning as I go at the moment. I was more familiar with basic policy-based SRP previously, but not so much hashing. But if you can clarify a bit, what other uses there could be for the hashing, I am certainly happy to pass that information along to the developer if it is something that could be beneficial.

    You are spot on, Yuki. Florian doesn't believe in any of the typical user experience fluff. He doesn't even want to add any user mode hooks or anything of the sort that communicates through to the kernel mode driver which can essentially make things more convenient. His goal from the beginning is always keeping everything necessary directly within the kernel.
     
  6. 142395

    142395 Guest

    I now see the root of the confusion is how each one uses the word whitelisting. For me, application whitelisting is the same as, or rather has a broader meaning than, anti-executable. AE only monitors exe, but AW also monitors other things (Bouncer monitors dll and sys, and SecureAPlus monitors all WinPE files plus scripts, and you can even add any file types). Policy-based is another thing; if you define a policy or you build a whitelist it can be called so, while there are cloud-based or pre-defined whitelists in some programs.
    Thank you for sharing valuable experience!
    Yup, I know that, so theoretically they can be piled up, but I still expect many troubles as I'm not a Linux expert.

    My wording of "whitelisting" in previous comments can directly be substituted with "policy-based anti-exe" if it fits better for you.
    Anyway, hash-based is superior to path-based in regard to security. And my previous explanation is just an example; there are other flaws in path-based restriction. If you want to dig in more, search for "path-based vs label-based" or something like that. There has been plenty of discussion about them around the Linux Security Modules, and hash-based is somewhat similar to label-based though much simpler.

    Without use of a secure hash, there are many ways to bypass AE.
    I personally hope he finally does that great job in other security areas (e.g. OS-security-based HIPS/sandbox) as another product in the future (of course as long as it doesn't hurt what's currently going on)!
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Some Bouncer / Bouncer Plus news:

    • The internal testing version of the Bouncer driver now fully supports wildcards (* and ?). This is something that is needed in some cases but also adds some convenience.

    • The internal testing version also no longer needs the device path to be specified (eg. \Device\HarddiskVolume\). That means configuration files will use traditional directory naming (eg. C:\Windows\) and config files are now case insensitive.

    • The internal testing version of the Plus driver now also supports white- and blacklisting of specified paths.

    There are two other interesting drivers coming soon that the hardcore security folks will like, but I am going to wait until the developer announces it and I will mention it at that time. Not sure if he will announce it on his blog (http://bitnuts.de/) or the Excubits site (http://excubits.com/content/en/home.html) but it will be interesting. More for the forensics folks though.
     
  8. @WildByDesign

    Thx for the info. I moved back and forth from SRP to Applocker, but always returned to SRP , because I liked the right click "runs as Admin" ease. With all components signed and traditional directory, I will move to AppLocker without dll (just allow a few trusted vendors system wide) AND use bouncer to block everything from user space. Benefit will be ease of use (switch off bouncer to install something) and protection moved to kernel.

    Regards KEes
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    A kernel based Registry Scanner

    From the developer of Bouncer, see blog for details and download: http://bitnuts.de/


    There is actually more exciting kernel drivers coming soon but I am not allowed to say yet.
     
    Last edited: Apr 7, 2015
  10. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    881
    Location:
    Virginia, USA
    I never clicked on this thread before. I guess I 'judged a book by its cover' -- judging a product named "Bouncer" not to be serious.

    But just seeing the participants in this thread alone (WBD, Win_Sec, Yuki...), I guess I need to learn about this.


    Thanks,

    -Frank
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Bouncer should be a very solid product for what it covers if there are no significant bugs to work out. Even if any significant bugs were discovered I believe the developer would fix them in a very timely manner. I've been waiting for Bouncer to mature a little before trying it since I already test so much software I find it hard to find additional time in my schedule to test more software. I never really thought of the name being bad in any way. If you think that is not a good name then make some suggestions. You have to keep in mind that most names have already been taken, and copyrighted. It can be tough to think of a good name that has not already been taken.
     
  12. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    I installed SoftPerfect RAM Disk and the image is auto-mounted; for example the drive letter is S: and the label is the name of the image, e.g. portable (S:).
    Now I add this drive to Bouncer, but after restarting the PC I must add this drive again (and every time it gets another name, \Device\00000044\*).
    Is this normal?
    Edit: in Windows 8.1
     
    Last edited: Apr 9, 2015
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    It's a pleasure to see you over here, Frank. Indeed, the heavyweights must see that same potential that I see here in Bouncer. It's about 10-12KB of pure kernel-mode madness and quite efficient at what it does. I'm not sure if you've played around much with Application Whitelisting software before, but that is essentially what Bouncer is. You are in the driver's seat. You are responsible for your own security. You control what programs are allowed to run, and where they are allowed to execute from. Similar to the built-in Software Restriction Policies (SRP) in a way. Although SRP is user-mode, while Bouncer and also AppLocker are kernel-mode. It all comes down to whether Application Whitelisting is your thing or not.

    The developer is from Germany, so you know it is Sicher. Joking aside, the original name for the driver is "Tuersteher", which simply refers to the doorman at a night club, bar, etc. So translating it directly over to Bouncer seemed to make good sense and stick to its roots. So think of it as that big dude in front of clubs that you don't want to mess with. Bouncer is therefore running within the kernel and completely in control of which executable is allowed to execute and which is not. We can talk more if you are interested.


    I agree C_E, time is a valuable thing and testing takes time. In your case, quite honestly, I would wait until the current internal testing build comes out to the public. That way it will include proper drive letter and directory paths instead of the previous device paths and also wildcards. The current internal build has been a dramatic improvement for my setup and I am totally in heaven with it now. And it's been rock solid in testing for the past few weeks as well, so I will suggest to the developer to push it out soon. But the internal builds need to be digitally signed along with the executables. Right now for testing, I have to switch to Windows TESTSIGNING mode. You don't want to mess with that. But I will let you know when it comes out and if it's worth your while testing. Cheers!


    I haven't personally used SoftPerfect RAM Disk software before. But if it is assigning a new device path name after each boot, I can certainly see how that is problematic with that release of Bouncer. I am assuming that is normal and specific to the way in which SoftPerfect RAM Disk works within Windows to create the virtual drive. It would be better, in your case, if it didn't assign a new device name each time though.

    The good news, though, is that the next release of Bouncer will feature proper drive letter and directory naming, which will make configuration much easier and will solve your problem. Also, it will feature wildcards with * and ?. Asterisk (*) covers a whole block of characters, while question mark (?) covers just one character. Wildcards are great and useful, but you have to be very careful. Wildcards, in my testing, have allowed me to create rules for the updating of Firefox, Thunderbird, Chrome and also a few other things that were problematic before. I will share my ruleset once the internal Bouncer build is approved and available for public use. It's been incredibly stable in my testing, more efficient and literally zero issues. I will update this thread accordingly with any news.
     
  14. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    thanks WildByDesign
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Anytime, my pleasure.
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Guys/gals, go nuts! I will write more later when I have time. But these are the updated versions, fully signed plus executables as well along with the better usability for config files by using proper drive paths and wildcards * and ?. Be sure to check the updated manual as well. Enjoy! :thumb:

    English: http://excubits.com/content/files/bouncer.7z
    German: http://excubits.com/content/files/tuersteher.7z


    EDIT: Also wanted to share my current ruleset in case it is helpful. It's pretty basic at the moment.

    Code:
    [LETHAL]
    [LOGGING]
    [WHITELIST]
    Q:\*
    D:\Tools\*
    D:\Bouncer\*
    C:\Windows\*
    C:\ProgramData\*
    C:\Program Files\*
    C:\Program Files (x86)\*
    C:\Users\*\AppData\Local\Packages\*
    C:\Users\*\AppData\Local\Mozilla\updates\*
    C:\Users\*\AppData\Local\Temp\???????.tmp\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\*
    C:\Users\*\AppData\Local\Thunderbird\updates\*
    C:\Users\*\AppData\Local\Temp\MozUpdater\bgupdate\*
    C:\Users\*\AppData\Local\Temp\??_?????.tmp\setup.exe
    D:\Backup Files\Mozilla\Profiles\Thunderbird\extensions\*
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\*
    [BLACKLIST]
    [EOF]
    Code:
    C:\Users\*\AppData\Local\Temp\???????.tmp\*
    C:\Users\*\AppData\Local\Mozilla\updates\*
    C:\Users\*\AppData\Local\Thunderbird\updates\*
    C:\Users\*\AppData\Local\Temp\MozUpdater\bgupdate\*
    are for Mozilla Firefox and Mozilla Thunderbird

    Code:
    C:\Users\*\AppData\Local\Temp\??_?????.tmp\setup.exe
    is for Chrome updates

    Code:
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\*
    is for DISM temp
     
    Last edited: Apr 12, 2015
  17. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Thank you very much WildByDesign, works great. I cannot restart the PC for some reason, but it seems the problem with the RAM drive is solved.
    Also thanks for the rules; I added them to my config.
    And about a rule like the one below:
    C:\Users\*\AppData\Local\Thunderbird\updates\*
    does the first asterisk mean it includes any folder inside the Users folder?
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome, my pleasure. I haven't seen any issues personally, but I should point out the new strict change to config format. Let me know if there are any errors. But I could only assume it is either unrelated or something to do with config.

    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    C:\Windows\*
    C:\Program Files\*
    C:\Program Files (x86)\*
    C:\ProgramData\Microsoft\*
    [BLACKLIST]
    [EOF]
    Make sure your config isn't missing any of those sets of brackets. Although internally the driver does check for any config issues.

    Yes, the asterisk in that case would allow for any user name/profile (all users, in that sense). But mostly I did that to remove my user name from the config.


    One important reminder for anyone testing Bouncer would be to use [#LETHAL] for the first few hours/days of testing to ensure that everything is set up properly. That mode will allow executables to run but will log what would normally be blocked according to your config.
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Binaries for both English and German have been updated. There may have been an issue due to the way the most recent drivers were compiled that affected a few users. If you have any issues, download the re-compiled package.
     
  20. themorpethian

    themorpethian Registered Member

    Joined:
    May 6, 2006
    Posts:
    35
    I've got this working on Windows 10 build 10051, so I have a couple of questions I hope someone can answer.

    1). I've tried to start the BouncerTray at boot through Task Scheduler; it doesn't work. How can it be done?

    2). I noticed after a long read at http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information that these are the main areas of CryptoLocker attacks. Can this be done, because there is already an allow rule for %AppData%, or is this covered?

    Block CryptoLocker executable in %AppData%

    Path: %AppData%\*.exe
    Security Level: Disallowed
    Description: Don't allow executables to run from %AppData%.

    Block CryptoLocker executable in %LocalAppData%

    Path if using Windows XP: %UserProfile%\Local Settings\*.exe
    Path if using Windows Vista/7/8: %LocalAppData%\*.exe
    Security Level: Disallowed
    Description: Don't allow executables to run from %AppData%.

    Block Zbot executable in %AppData%

    Path: %AppData%\*\*.exe
    Security Level: Disallowed
    Description: Don't allow executables to run from immediate subfolders of %AppData%.

    Block Zbot executable in %LocalAppData%

    Path if using Windows XP: %UserProfile%\Local Settings\*\*.exe
    Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
    Security Level: Disallowed
    Description: Don't allow executables to run from immediate subfolders of %AppData%.

    Block executables run from archive attachments opened with WinRAR:

    Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
    Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
    Security Level: Disallowed
    Description: Block executables run from archive attachments opened with WinRAR.

    Block executables run from archive attachments opened with 7zip:

    Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
    Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
    Security Level: Disallowed
    Description: Block executables run from archive attachments opened with 7zip.

    Block executables run from archive attachments opened with WinZip:

    Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
    Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
    Security Level: Disallowed
    Description: Block executables run from archive attachments opened with WinZip.

    Block executables run from archive attachments opened using Windows built-in Zip support:

    Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
    Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
    Security Level: Disallowed
    Description: Block executables run from archive attachments opened using Windows built-in Zip support.

    Just getting into this as I believe this is the way to go with PC security!

    Sorry for the long post and thanks in advance.

    Themorpethian
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I've been doing much of my Bouncer testing on Windows 10 as well, currently build 10056.

    I had issues with Task Scheduler initially as well. I personally use the registry and that works well, so I would recommend that to you at the moment.

    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Place an entry there to have BouncerTray.exe run when Windows starts.

    Alternatively, you could place a shortcut in this exact Startup folder under Windows 10:

    Code:
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
    But I prefer the registry method. It starts up a little faster from the registry as well.

    I will get back to the other part of your questions later tonight when I have more time.
     
  22. themorpethian

    themorpethian Registered Member

    Joined:
    May 6, 2006
    Posts:
    35
    Thanks WildByDesign will do it now.
    Have you noticed that you get blocking information in the new notification area
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome.

    Yes, the Bouncer alerts show up as "toast" notifications in Windows 10 and also in the notification area.
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Alright so I wanted to respond to the second part of your question now regarding those recommended CryptoLocker locations to block and explain how the path-based application whitelisting works with this original Bouncer driver. We'll start with the basic rules that the developer bundles with the driver currently and we'll go from there.

    Code:
    [LETHAL]
    [LOGGING]
    [WHITELIST]
    C:\Windows\*
    C:\Program Files\*
    C:\Program Files (x86)\*
    C:\ProgramData\Microsoft\*
    [BLACKLIST]
    [EOF]
    With this type of path-based application whitelisting, everything is already blocked that is not defined within the [WHITELIST] section. So this default setup is a decent starting point. Also, to answer your question, by default this setup would already block everything from execution within those AppData directories as well as anything within the User profiles like Downloads, Documents, Temp, etc. So with this setup, you don't have to define further rules to block those areas.

    Now to explain the [BLACKLIST] section. This is simply to blacklist something within the directories that you have whitelisted. For this example, let's assume you wanted to block Internet Explorer from running. Also, let's assume there is a nasty Flash Player exploit in the wild and you wanted to temporarily block that as well.

    Code:
    [LETHAL]
    [LOGGING]
    [WHITELIST]
    C:\Windows\*
    C:\Program Files\*
    C:\Program Files (x86)\*
    C:\ProgramData\Microsoft\*
    [BLACKLIST]
    C:\Windows\System32\Macromed\Flash\*
    C:\Windows\SysWOW64\Macromed\Flash\*
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    [EOF]
    The only time you would specifically need to add those AppData folders to the [BLACKLIST] section would only be if you were to make a whitelist rule that allowed the entire user profile. But I would never recommend that. It's best to keep the user directories blocked from execution but make some exceptions for certain folders if necessary.

    The best thing to do when starting out with Bouncer is keep [#LETHAL] set so that nothing will be actually blocked during initial testing. Run it for a while, several reboots, etc, run your normal programs and so on. Then check up with the log file C:\Windows\bouncer.log to see what legitimate programs would have been blocked, then you can add rules to the [WHITELIST] section to ensure that those will be allowed to run. Once everything is fine-tuned for your system, then you can switch [LETHAL] to enable blocking and restart the driver for that to take effect.

    I shared my ruleset in post number 116 to show some of the exceptions that I added within the user profile and what some of them are for. Some are operating-system specific, some are program specific. When it comes to wildcards, you have to be pretty careful because you don't want to open things up too much.

    Let me know if you have any more questions, I'd be happy to answer. Also, any of us Bouncer users can share our rules here too since that could be beneficial.
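    The config semantics explained in the post above (default deny, [WHITELIST] opens directories, [BLACKLIST] carves exceptions out of them, [#LETHAL] only logs) together with the wildcard rules from posts 7 and 13 (* covers a run of characters, ? exactly one, paths case-insensitive), worked through as an added Python model. This is my own reference implementation written from the thread's description, not Bouncer's driver code, and it makes three assumptions the thread does not state outright: * also spans backslashes (which is what makes C:\Windows\* cover System32), a blacklist match wins over a whitelist match, and [#LETHAL] reports what would have been blocked instead of blocking. The sample config is constructed from the developer's defaults plus a few of the posted exceptions; the test paths are made up.

```python
import re

# Constructed sample config in the format shown in this thread: the bundled
# defaults, one of the ???????.tmp updater exceptions, and the IE/Flash
# blacklist from the post above.
SAMPLE_CONFIG = r"""
[LETHAL]
[LOGGING]
[WHITELIST]
C:\Windows\*
C:\Program Files\*
C:\Program Files (x86)\*
C:\ProgramData\Microsoft\*
C:\Users\*\AppData\Local\Temp\???????.tmp\*
[BLACKLIST]
C:\Windows\System32\Macromed\Flash\*
C:\Windows\SysWOW64\Macromed\Flash\*
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
[EOF]
"""


def rule_to_regex(rule: str) -> re.Pattern:
    """'*' matches any run of characters including '\\' (assumption, but it is
    the only reading under which C:\\Windows\\* covers System32); '?' matches
    exactly one character; everything else is literal and case-insensitive."""
    parts = []
    for ch in rule:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def parse_config(text: str) -> dict:
    """Parse the bracketed sections; rules are kept with their compiled form."""
    cfg = {"lethal": False, "logging": False, "whitelist": [], "blacklist": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "[LETHAL]":
            cfg["lethal"] = True
        elif line == "[#LETHAL]":
            cfg["lethal"] = False          # audit mode: log, do not block
        elif line == "[LOGGING]":
            cfg["logging"] = True
        elif line == "[WHITELIST]":
            section = "whitelist"
        elif line == "[BLACKLIST]":
            section = "blacklist"
        elif line == "[EOF]":
            break
        elif line.startswith("["):
            raise ValueError(f"unknown section header: {line}")
        elif section is None:
            raise ValueError(f"rule outside a section: {line}")
        else:
            cfg[section].append((line, rule_to_regex(line)))
    return cfg


def decide(cfg: dict, path: str) -> tuple:
    """Return (action, reason) for an execution attempt at `path`.

    action is 'allow', 'block', or 'audit' (the config is in [#LETHAL] mode,
    so a launch that would have been blocked is let through and only logged).
    Evaluation order (assumed): blacklist first, then whitelist, then default
    deny, which is why nothing under C:\\Users\\ runs unless a rule opens it.
    """
    for rule, rx in cfg["blacklist"]:
        if rx.fullmatch(path):
            verdict, why = "block", f"blacklist rule {rule}"
            break
    else:
        for rule, rx in cfg["whitelist"]:
            if rx.fullmatch(path):
                return "allow", f"whitelist rule {rule}"
        verdict, why = "block", "no whitelist rule matched (default deny)"
    if not cfg["lethal"]:
        return "audit", why
    return verdict, why


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for p in (r"C:\Windows\System32\notepad.exe",
              r"C:\Users\bob\Downloads\invoice.exe",
              r"C:\Program Files\Internet Explorer\iexplore.exe",
              r"C:\Users\bob\AppData\Local\Temp\abcdefg.tmp\setup.exe",
              r"C:\Users\bob\AppData\Local\Temp\abcdefgh.tmp\setup.exe"):
        print(f"{decide(cfg, p)[0]:5}  {p}")
```

    The two Temp\ cases show why the thread warns about wildcards: ???????.tmp admits a seven-character name and nothing else, whereas *.tmp would admit any name, so a ? pattern is the tighter choice whenever the updater's temp name has a fixed length. Switching the first line to [#LETHAL] turns every block into an audit entry, which is the "run it for a while and read C:\Windows\bouncer.log" workflow described above.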
     
  25. themorpethian

    themorpethian Registered Member

    Joined:
    May 6, 2006
    Posts:
    35
    Thanks WildByDesign.
    Been a while since I used applocker but Bouncer seems to be along that line.

    So it's a bit like putting exceptions in Windows AppLocker when you have, say, a) everything is DENIED except this Path, File, Hash etc. in the whitelist.

    And vice versa, everything ALLOWED except this Path, File etc. For example I put an allowed directory on my desktop for playing TRLE games and allowed my external hard drive.

    I did notice that the Downloads folder and the desktop were blocking software; you can't right-click and run as Admin, but you can move the files to a directory that you set as allowed or even use the tray app to stop the driver.

    I hope you understand what I'm saying!!

    Themorpethian.
     