Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes I agree, but that was not the point that I was trying to make. The point is that to me, member Windows_Security is making it sound like MemProtect can block the exploitation techniques (or memory corruption), while in reality it simply blocks process execution and also protects memory of certain processes from reading and writing. There is nothing new about this, SSM could do this 10 years ago.

    The difference is that MBAE and HMPA are more advanced if you look at it from a technical point of view, because they can block exploits in stage 1, instead of stage 2 like anti-executables. Which also means they can block so called in-memory payloads, while Bouncer/MemProtect and other tools like ERP and AG can't.
     
  2. hjlbx

    hjlbx Guest

    @Rasheed187

    I understand you. I wasn't singling you out...

I think Florian needs to answer this debate - after all, his soft\his designed protections\he knows what MemProtect actually does and does not do.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    From what I've read, there is not much to clear up. Bouncer/MemProtect will indeed mitigate most exploits by simply blocking either the execution of malware or the malicious behavior of malware like code injection and memory reading. You can also do this with ERP + Sandboxie for example.

    But Bouncer/MemProtect will not block the exploitation techniques themselves like EMET/MBAE/HMPA. Both anti-executable and anti-exploit tools have got their advantages and disadvantages. And it's not about me being a HMPA fanboy, I don't even use it at the moment. I agree that it seems to be causing too many issues with certain configurations. But don't forget it offers more than just anti-exploit.

The bottom line: MemProtect is most certainly NOT more advanced, and even worse, none of the Excubits tools have a user friendly GUI, any news on that? It's clear that the developer has got skills, why not make these tools available to a wider public?
     
  4. hjlbx

    hjlbx Guest

    Florian only has limited time and just a few staff. This is the primary problem for all small developers (< 20 personnel). Plus, I think he has to balance the income versus feature implementation equation - which currently is definitely not for anything more than the products already have integrated.

    IF Excubits products ever get a more user-friendly GUI\way to configure, then as a suite it will be very difficult to outperform it as a complete physical system lock down solution. It might not stop the exploit, but it will block the attack at some point - and that is all that really matters.

    As far as HMP.A, it is a good soft, but I think 3.5 was released without sufficient internal testing. Whatever the case, as is customary with new HMP.A versions, it has caused its share of problems.
     
  5. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
All true, fully agree. I think no one here says Excubits tools are more advanced. They are "just yet" an additional way to protect. I also don't think that MBAE or HMPA are so advanced or highly sophisticated. They are just yet another sandbox technique that hooks user processes and the kernel to detect evil behavior. This is also nothing brand new (known for at least 15 years!).

Also they market their tools as brand new tech, patent pending and with outstanding techniques behind. No, it is not. It is just API hooking and behavior detection, something Symantec, Kaspersky, McAfee, Bit9, ... all have in their portfolio if you license their high end APT detection tools. It is snake oil telling you they can detect new threats, and that is true..... until hackers again find a way to overcome it and trick their engine. Because they also do not have a miracle "skynet-like" brain technique to detect evil brand new unknown code and hacking tech; they can only detect what they hooked on and already know about.

But technically you are absolutely right: they can detect at stage 1 where anti-exe and memory protection is somewhere behind that. The question is: how bad is it? That question must be answered by each person for himself. For me: I don't care if it is stage 1, 2 or 3.... if it detects, I am happy, and in all cases I would re-install my machine from a backup image for security reasons. Additionally, I do not expect so many stage 1 only attacks; they are rare and highly sophisticated and for special targets. I am not a government member, so the chance is little that someone takes the effort to write a memory-only malware to hack me. So I can pretty much live with anti-exe and security essentials.

    I think most users could also. So all this snake oil special force tech is too much for most users.

Sure, every person has to weigh risks and must decide what to use.

Well, you think it is worse. I think this is a huge advantage. The other tools are full of meaningless options, too many. I think that most users do not understand all the options and what they mean. Then a lot of tools out there show shields and shiny guard messages that at the end do not say and mean anything; they just should make you feel protected.

I think simplicity is the key. Tavis Ormandy has shown impressively that these old school snake oil protection suites are not that secure. A reason for this is their complex design; one responsible is their terrible GUI, system design and all the options they offer.
     
  6. 142395

    142395 Guest

    Snake oil aside, mostly agree.
When most exploits were simple stack buffer overflows, Comodo and Symantec developed 'proactive' exploit prevention, and some ppl also believed DEP would eliminate all the exploits.
Now we see ROP and anti-ROP, basically not that different except that the techniques are more complicated.
Those anti-exploit will fail against brand new attacks such as COP, not so truly 'proactive'.

An advantage on stopping exploits in what Rasheed calls stage 1 is mostly theoretical and probably only has sth to do w/ high-value targets.
AFAIK, all those in-memory malware can't do their work if all disk & memory access is denied. Theoretically, in-mem malware can still do some bad work, probably by disabling browser security such as SOP and combining web attacks like XSS and/or CSRF.
Also in so-called government-grade exploits or some exploits seen in Pwn2Own, attackers usually use code execution as a 1st step, often combining it w/ priv escalation to break out of the sandbox. So blocking in an early stage may make sense in such sophisticated attacks, which are mostly not relevant to most of us in reality.

    Well, I guess and hope if GUI was added to Bouncer, it will be just a cosmetic change of current UI. I.e. just monitor log file, and help to config ini file.
    I understand many ppl want to config everything through fancy GUI, But if GUI communicates w/ kernel driver, it can be security risk, and it's the case w/ other security software.

Tavis Ormandy's work is truly great, but it's a pity that most security vendors seem not to take their products' security seriously. Some flaws in popular giants' products are incredibly stupid, but they just say "We will add additional check" or sth lol. It seems they mostly care about sales and adding functions which most ppl don't need.

    Windows defender, Windows firewall, and 1 or 2 really reliable security software is not only good enough and less trouble, but also it will actually be more secure.
     
  7. 142395

    142395 Guest

    BTW, I have a question.
Has anyone experienced desktop flash and restart (sth like explorer restart) after each boot when using Bouncer?
On my Win 10 Home x64 system, it occurs every time just after I see Excubits' splash, even w/out any other security software.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I just thought of something. What if you try to disable the autostarting of BouncerTray.exe? Use something like Autoruns or CCleaner (or I suppose even Task Manager's Startup tab) to temporarily disable BouncerTray from starting during system boot. Then restart and see if you still experience this flashing.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Actually, this type of tech is relatively new. ExploitShield which turned into MBAE was one of the first to use exploit mitigation techniques, even before the AV companies started to offer this. I believe after that, EMET and HMPA were launched. And this hasn't got anything to do with snake oil.

The reason why they use API hooking and behavior detection is because they can block attacks in an early phase, and they should only alert when a true exploit occurs. So you don't have to lock down the whole system or maintain a white-list, like with anti-executable, something that regular users may find cumbersome to do. So they don't use this tech to show off, or just for fun; it has a clear purpose.

    To be clear, it's true that most exploit-kits don't make use of in-memory payloads, so for home users that are not targeted by advanced hackers it's not a problem. At the moment I don't even use MBAE and HMPA, but it's important to know the strength of those tools.

    You can say what you want, but they are more advanced because they stop the exploit techniques themselves, instead of only the payload. But they are not flawless, so it's probably best to combine anti-exploit with a sandbox or anti-executable, depending on how paranoid you are.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Well, you can't protect against stuff if you don't even know about certain attack techniques yet. With "pro active" they mean that all exploits that make use of certain techniques will be stopped, no matter if they are "zero day" or not.

    Yes exactly. That's why stopping exploits/payloads as soon as possible, is important. BTW, long time no see, what have you been up to? :D

    It is worse. Because regular users are not going to bother with tools like Bouncer and MemProtect. And who is talking about a fancy GUI with "meaningless options"? It should be a handy GUI like the ones from EXE Radar, Sandboxie and SpyShelter to name a few. That's why I was baffled by the decision from NVT to build a tool like Smart Object Blocker with only a basic GUI.
     
  11. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
Here is my latest Pumpernickel config which allows logging in and working normally on Windows 7 32-bit SP1. It still needs to be shortened
and some rules removed, but it works fine
and works with these programs.

    updated with better rule
     


    Last edited: Aug 14, 2016
  12. hjlbx

    hjlbx Guest

    Excubits products are intended for\target Admins\security soft geeks. That fact will not change any time soon - if ever.

    I get the impression that Florian does not want to be bothered by "annoying" users = novices\typical users.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
Well, this is bad news. I'm not an inexperienced or average user, but I can't be bothered with these kinds of tools. GUI is very important. But anyway, just to be clear, the only reason why I became active in this thread again is not to bash on Bouncer/MemProtect, but it was because of certain comments made by member Windows_Security. Perhaps I got the wrong impression, but it sounded like he thinks MemProtect is "superior" to other tools, while in fact it's not.

    Is it possible to present this info in another way? I have turned off JavaScript on Wilders Security, so I actually have to scroll through all of this, the spoiler isn't helping.
     
  14. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    attached.
    for more information
The most problematic exe files are explorer and svchost,
and it's better to wait for the next beta build for it.
     
    Last edited: Aug 13, 2016
  15. hjlbx

    hjlbx Guest

    I think MemProtect is brilliant in its use of Windows' built-in protected processes mechanisms as opposed to hooking.

    No hooking is always a better solution.

    I agree Excubits products represent a usability problem. Hopefully over time it will be improved with more user-friendly GUI.
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    My take on MemProtect is that it is certainly not anything revolutionary, but what it does do is open up Protected Processes to users/admins who wish to make use of them. Typically, that would be reserved only for critical Windows processes and has also been used for Anti-Virus software, particularly boot related AV processes if I remember correctly. So what Florian has done is found a creative way to open up Protected Processes to be used by any software from any location at the discretion of any user/admin. It allows for quite a bit of creativity and the protection is solid.

    It's a Microsoft feature at the end of the day and it's entirely kernel based which is great. It's really quite simple in what it does; sandboxing the memory of whichever processes are configured to be protected. Reading/writing/accessing memory is blocked. Some have suggested that it blocks execution similar to Bouncer but that is not the case because MemProtect is specifically blocking memory. With the priority rules along with the ability to define specific processes that are allowed or disallowed to interact with other processes, I find it quite intriguing. Although I find that the beta config file size restriction may be too limiting lately for testing purposes. However, if given the chance to purchase a lifetime licence, I will take advantage of that. But I don't know much at the moment regarding MemProtect licencing.

    I agree on all points. And also I wanted to mention that I appreciate and respect your balanced approach and opinion.

    Zero hooking is one of Florian's principle design goals for his drivers. As he explained to me previously, avoiding hooking allows his drivers to start up much earlier during kernel init and also to prevent opening up attack surface that user-mode / kernel-mode hooking can potentially create. One of his main things is following specifications accurately and keeping his code-base small and efficient and ridiculously tidy.

I definitely agree that a simple, clean and easy-to-use GUI would be beneficial, for sure. I do have hope that it's something that may come over time as his software moves forward. Florian has said in the past that he would be open to community users creating/collaborating together to create some sort of GUI. For the most part, it would not be too difficult (with the exception of hashing-related functions). If you know any GUI designers who would be interested in helping that would be great. I've reached out to one GUI dev that I know but no response yet.
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    All new binaries are up as of 2016/08/14 with Silent Rules for Bouncer, MemProtect, MZWriteScanner, and Pumpernickel/FIDES. Pumpernickel/FIDES in particular has received some performance improvements as well.

    Download: https://excubits.com/content/en/products_beta.html
    News: https://excubits.com/content/en/news.html

     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome.

    Also, for those interested, there is an updated list of Vulnerable Executables on Page 29 of the updated Bouncer manual if you simply extract the bouncer_beta.exe archive with 7-Zip. I haven't had a chance to review it yet but it looks like there may be some new entries in there.
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Thanks again.
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
Here are the latest suggestions for the blacklist from the updated Bouncer manual (included with the latest beta), which is based upon malware research. Keep in mind that this is not for users who are uncertain of what some of these executables are intended for.

    Code:
    Recommendations for the [BLACKLIST]
    
    We recommend to blacklist the following system folders and applications because
    they are often used as one step to infect computers with malware. The list is not complete,
    we will try to update if we have gained more information and knowledge
    about new threats and attacking techniques.
    
    ?:\$Recycle.Bin\*
    C:\Windows\ADFS\*
    C:\Windows\tracing\*
    C:\Windows\Tasks\*
    C:\Users\*\AppData\Local\Temp\*
    C:\Users\Public\*
    *taskkill.exe
    *regsvr32.exe
    *InstallUtil*
    *Regsvcs*
    *RegAsm*
    *InstallUtil.exe
    *IEExec.exe
    *DFsvc.exe
    *PresentationHost.exe
    *reg.exe
    *vssadmin.exe
    *aspnet_compiler.exe
    *csc.exe
    *ilasm.exe
    *jsc.exe
    *MSBuild.exe
    *vbc.exe
    *script.exe
    *iexplore.exe
    *journal.exe
    *msiexec.exe
    *bitsadmin*
    *iexpress.exe
    *mshta.exe
    *systemreset.exe
    *bcdedit.exe
    *mstsc.exe
    *powershell.exe
    *powershell_ise.exe
    *hh.exe
    *set.exe
    *setx.exe
    *\at.exe
    *bcdedit.exe
    *bcdboot.exe
    *bootcfg.exe
    *bootim.exe
    *bootsect.exe
    *ByteCodeGenerator.exe
    *debug.exe
    *diskpart.exe
    *regini.exe
    *regsvr32.exe
    *RunLegacyCPLElevated.exe
    *UserAccountControlSettings.exe
    *netstat.exe
    *wmic.exe
    *quser.exe
    *regini.exe
    *attrib.exe
    *cacls.exe
    *xcacls.exe
    *takeown.exe
    *auditpool.exe
    *netsh.exe
     
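The recommendations above are wildcard rules, and a rule set this long is easy to get wrong (the quoted list already repeats `*regsvr32.exe`, `*bcdedit.exe` and `*regini.exe`, and `*\at.exe` is deliberately anchored on a backslash so that it does not also catch every program whose name ends in "at.exe"). The following is an added example, not code from the thread or from Excubits, that audits such a list offline: it reports duplicate entries and shows which rules would fire on a given path. The wildcard semantics it assumes (`*` spans any characters including backslashes, `?` is one character, the whole path must match, case-insensitively) are an assumption for illustration, not confirmed behaviour of the Bouncer driver, and the rule excerpt and sample paths are constructed.

```python
"""Offline audit of a Bouncer-style [BLACKLIST] rule set.

Assumed wildcard semantics (an assumption, not taken from the Excubits manual):
'*' matches any run of characters including backslashes, '?' matches exactly
one character, and a rule must match the whole path, case-insensitively.
"""
from __future__ import annotations

import re

# Constructed excerpt of the recommendations quoted in the thread. A real
# bouncer.ini would carry the full list under its [BLACKLIST] section.
BLACKLIST_TEXT = r"""
?:\$Recycle.Bin\*
C:\Windows\Tasks\*
C:\Users\*\AppData\Local\Temp\*
*regsvr32.exe
*script.exe
*mshta.exe
*powershell.exe
*\at.exe
*bcdedit.exe
*regsvr32.exe
*bcdedit.exe
"""

# Constructed sample paths; none of these are taken from the thread.
SAMPLE_PATHS = [
    r"C:\Windows\System32\at.exe",                       # caught by *\at.exe
    r"C:\Windows\System32\format.exe",                   # not caught: no backslash before at.exe
    r"C:\Windows\System32\wscript.exe",                  # caught by *script.exe
    r"C:\Users\alice\AppData\Local\Temp\dropper.exe",    # caught by the Temp folder rule
    r"D:\$Recycle.Bin\S-1-5-21-1\payload.exe",           # '?' covers any drive letter
]


def parse_blacklist(text: str) -> list[str]:
    """Return the non-empty rule lines, whitespace trimmed, in file order."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def rule_to_regex(rule: str) -> re.Pattern[str]:
    """Translate one wildcard rule into an anchored, case-insensitive regex."""
    parts = []
    for ch in rule:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # backslash, '.' and '$' stay literal
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matching_rules(path: str, rules: list[str]) -> list[str]:
    """All distinct rules that would block `path`, in rule-file order."""
    hits = []
    for rule in rules:
        if rule not in hits and rule_to_regex(rule).match(path):
            hits.append(rule)
    return hits


def find_duplicates(rules: list[str]) -> list[str]:
    """Rules listed more than once (compared case-insensitively), each once."""
    seen = set()
    dupes = []
    for rule in rules:
        key = rule.lower()
        if key in seen and key not in (d.lower() for d in dupes):
            dupes.append(rule)
        seen.add(key)
    return dupes


def audit(paths: list[str], rules: list[str]) -> dict[str, list[str]]:
    """Map each path to the rules that fire on it (empty list = not blocked)."""
    return {path: matching_rules(path, rules) for path in paths}


if __name__ == "__main__":
    rules = parse_blacklist(BLACKLIST_TEXT)
    print("duplicate rules:", find_duplicates(rules))
    for path, hits in audit(SAMPLE_PATHS, rules).items():
        print(f"{'BLOCK' if hits else 'allow':5}  {path}  {hits}")
```

Running it shows `format.exe` passing while `at.exe` is blocked, which is the point of the backslash in `*\at.exe`; dropping that backslash would also block `format.exe` and anything else ending in "at.exe". Before committing a list like the one above to a production machine, feed it the paths of the tools you actually rely on (build systems that invoke `csc.exe` or `MSBuild.exe`, scripts that call `reg.exe` or `netsh.exe`) so that the rules that will break your own workflows are known in advance rather than discovered from the block log.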
  22. NT Five

    NT Five Registered Member

    Joined:
    Aug 23, 2015
    Posts:
    16
    Location:
    Stuck in NT 5 land...
Hoping you don't mind that I post here to ask a (silly) slightly off-topic question:

The latest MZWriteScanner, MemProtect, and Pumpernickel are not running on XP, or are they?

I think Florian made some earlier versions of some of these apps that were XP compatible but maybe I'm completely wrong...
     
  23. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    No, not supported.

Yes, but as far as I know, with newer versions he said he uses modern kernel APIs not available in Windows XP. But on the website somewhere he noted at times that Excubits can build individual versions of the drivers supporting from Windows XP ... current Windows on individual request. I think this is for special customers requesting it, not for the general version of his driver (individual/extra build version).
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
The thing is, I don't think all types of protection can be offered without user-mode hooking. Take for example SBIE, I don't believe it could offer sandboxing without user-mode hooking combined with a driver. But yes, it's a cool feature offered by MemProtect.

OK, so with MemProtect you can't block process execution at all? This is really weird, as others have claimed numerous times that in fact this is possible. The reason why I'm so interested in this is because I was wondering how it blocked all of the exploit tests.

If it's not difficult then I wonder why Florian has still not implemented a user friendly GUI? It would really be quite a powerful security tool if he managed to combine Bouncer, MemProtect and Pumpernickel.
     
  25. hjlbx

    hjlbx Guest

    Not a single hook is required to protect system.
     