Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  2. hjlbx

    hjlbx Guest

    You don't need to use every single technique to protect a system. Theoretically, no hooking is better. Hooking is problematic insofar as it is limited by what Microsoft says can be done with hooking.

    Windows has built-in mechanisms that require no hooking and those protections are more robust and more reliable than hooking. It isn't viewed as very sophisticated protection, but it will protect against everything except OS vulnerabilities if used properly.
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    This is one thing that I especially admire with regard to Excubits drivers and also ReHIPS.
     
  4. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    Is the latest BETA version of MemProtect compatible with Win10 AU driver signing requirements?
     
  5. Integrity Levels (with UAC enabled) protect higher ILs (objects and processes) against lower ILs. An AppContainer process can't change untrusted, untrusted can't change low, low can't change medium, etc. A medium-level IL process which lives in userland is not protected from (so-called side-by-side attacks by) medium-level processes. A well-known hacker, EXPOFF or something, demonstrated this by unhooking all userland hooks of ThreatFire, making this behavioral blocker blind to intrusions. I can't find the link anymore but probably @EASTER will remember it.

    So I agree with @hjlbx
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    No, not as of yet. Although Florian does have EV cert signing in his possession now which is good news. Right now I am testing an internal build of Bouncer which is signed with his EV cert and it's working well so far with secure boot enabled. I have to find out if he plans on signing his beta kernel-mode drivers with EV cert or if he can just release MemProtect as stable with EV cert. I will follow up as I find out more.
     
  7. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    It's a nice side effect: you can block process creation, but MemProtect's focus is not anti-exe, so it will not block every possible way you can create processes. I suggest not relying on MemProtect to block exes; use Bouncer for this. I think it is clearly written what MemProtect is good for: protecting memory operations.

    Fully agree. Hooking has been here for more than a decade. I have known of hooking since the Commodore Amiga; it was possible on all home computers and MS-DOS, and finally Windows, Linux and Mac OS. But it is not good practice. A good operating system should provide APIs to intercept, but we all know that the operating systems we currently use do not have many APIs to intercept. Microsoft is on a good way; they changed a lot during the past years, starting with Windows Vista. They included a lot of intercepting and monitoring in the last versions of Windows. Maybe with Windows 11, 12, 13 it gets better still.

    My opinion on it is: you should avoid hooks if possible, but there are cases where you can't do it without using a hook.
     
  8. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    It's personal flavor I guess: for example, I like Bouncer's and Pumpernickel's radical simplicity and how open the developer is. For me this is more important than a GUI or first-stage API-hooking-based exploit detection, where other tools use unfathomable cloud-based intelligence and auto-update. I do not really know what these other tools do on my computer and with my data. It is like a dark dust. Bouncer is not for the ordinary consumer; I assume the target user is an admin or high-end/pro user, and then it all makes sense why it is like it is. I do not like LINUX much, but I also use it recently, so for me doing config with an ini file, starting and stopping the driver from the console etc. is no hard problem; I'm used to it and know a shell :) It personally gives me more confidence to control this thing than all the other security tools, which are like magic voodoo: I click in the GUI, something happens, but I don't really know why and what.
     
  9. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    As @WildByDesign already writes: no, but Excubits have a CV certificate, and from what I know from Florian he has an account for the Microsoft System Dev. Center (I don't know the exact name), so he should be able to sign and cross-sign. But whether he will sign beta or demo versions I don't know.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm not completely sure, but I believe SpyShelter is also not using any user-mode hooking. But most apps that offer protection against banking trojans like HMPA and Trusteer both do. I believe it makes it easier for security tools to monitor stuff.

    Yes, but it's possible to protect your hooks.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK, I see. So this means that MemProtect is not meant to be used to block exploits. It's meant to mitigate malware after it's already running. So no need to compare it to HMPA and MBAE who both try to stop malware and shellcode from running at all.

    Yes exactly.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, I was being silly. A perfect example of tools that need to use user-mode hooking are of course anti-exploit tools like HMPA, EMET and MBAE. They need to monitor the attacked process from "the inside", so there is no other way. So people cannot say that user-mode hooking is not needed.

    http://www.howtogeek.com/223228/use...o-help-protect-your-pc-from-zero-day-attacks/
     
  13. Hooks are a patch for bleeding. MemProtect does not need hooks to protect memory. reHips does not need hooks to sandbox. But you should open a new thread called Rasheed's best theoretical protection practices.
     
  14. @Rasheed187 you should open your own theoretical best practices thread. I searched but could not find a thread which was created by you. I am sure with over 7,500 posts you must have started a thread. Could you point me to one?
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    You missed the point once again. The discussion is about whether you can offer certain protection features with hooking or not. The answer is no, you can't. So it's cool that some tools don't use unnecessary hooking, but some tools have no choice but to use them. That's a fact, so I'm afraid there is nothing theoretical about this. :D
     
  16. @Rasheed187 Of course I missed your point again. Talking about missing something: I also missed your answer to my question whether you had ever started a thread with over 7500 posts :cool:
     
  17. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    244
    Location:
    United States
    So with my current setup in my signature, would MemProtect or any of the other programs from Excubits be worth testing, or would there be too much overlap of similar programs?
     
  18. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    Excubits products combined work similar to AppGuard, whereas Excubits has the advantage of configurability. Many of the programs you are using, like HMPA, Sandboxie and AppGuard, are already good enough on their own, when you know how they work and how to use that to your advantage. Rather than adding anything, I would start removing stuff.
     
  19. hjlbx

    hjlbx Guest

    Excubits "suite" has an edge on AppGuard - I think - because of the way MemGuard works and the ability - for the initiated user - to monitor and whitelist command lines. Plus, Excubits has fewer moving parts, so to speak. By that I mean AppGuard uses a driver and a service. Correct me if I am wrong, but the last time I tried Bouncer I only noticed the driver; perhaps it too uses a service, but I obviously missed that fact if it does indeed use a service.

    All that being said, there's enough commonalities between the two that I think skilled use of each gets the same end result: clean system - which is all that really matters.

    Excubits|AppGuard : AppGuard|Excubits

    One half dozen | Six : Six | One half dozen

    * * * * *
    And to address @FleischmannTV's point - I have found less is more all the way around.
     
  20. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Yes, AppGuard has a service. In contrast, Excubits' drivers are just drivers, everything in the kernel; you can use the tray application, but you don't have to. The driver works fully without anything running in user mode (no tray app, no exe, no service, nothing). So this is a great approach; all you need is to run the driver. Even if you do not want to protect, the drivers are a great source for just monitoring. I do that with MZWriteScanner, I just monitor; that is great and absolutely transparent, nothing bothers me, no speed lag. That makes the difference here in contrast to other solutions. I don't know how Florian makes it, but his drivers are extremely performant, something other vendors should take a slice of and see what is possible.

    That is my impression, too :) Same level, slightly different approach maybe.

    Exactly, fully agree here. Less is more, and that is what is great about Excubits' products. I have the feeling that I can control it granularly and know what will happen. It is no black box to me. On the other side it can be difficult/dangerous if you don't understand what you are doing :) But after a couple of configs are done it gets easier, and now I - personally - feel comfortable and secure.

    By the way, like with AppGuard, you do not pay yearly costs. Once you have, for example, Tuersteher/Bouncer you can use it as long as you want. A benefit for me; I do not like solutions where I pay $30-50 a year.
     
  21. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    If you already use NVT/NVT Driver/AppGuard/Malwarebytes Pro/HMPA/Sandboxie I think there is already overlap. I wouldn't add another one; you could reduce a bit, but more is too much in my opinion.
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    For curiosity sake, I did some more testing last night with HMPA Exploit Test Tool and MemProtect mostly to ensure that my latest testing configuration is solid enough and working appropriately.
    • I ran hmpalert-test.exe and hmpalert64-test.exe from D:\Tools\hmpalert-test\
    • D:\Tools\hmpalert-test\ was allowed in MemProtect via Default Allow (therefore HMPA Exploit Test Tool itself was not running as protected process)
    • Target application to exploit was: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    • In some cases (particularly 64-bit testing) I did testing against other applications as well
    • AcroRd32.exe (and other tested applications) were configured as protected processes
    • Bouncer was set to Install Mode so as to not interfere; EMET was removed
    Rather simple and limited testing setup, however it did block every attempt from HMPA Exploit Test Tool.

    Code:
    [LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    !*chrome.exe>*chrome.exe
    !C:\Program Files\*>*chrome.exe
    !C:\Program Files (x86)\*>*chrome.exe
    !C:\Windows\*>*chrome.exe
    !*\Mozilla Thunderbird\thunderbird.exe>*chrome.exe
    !*chrome.exe>*\Mozilla Thunderbird\thunderbird.exe
    !*\Office14\*.EXE>*chrome.exe
    !*chrome.exe>C:\Program Files\*
    !*chrome.exe>C:\Program Files (x86)\*
    !*chrome.exe>C:\Windows\*
    !*AppTimer.exe>*chrome.exe
    !*chrome.exe>*AppTimer.exe
    !*ccleaner*.exe>*chrome.exe
    !*ccleaner*.exe>*\Reader\AcroRd32.exe
    !*thunderbird.exe>*\Reader\AcroRd32.exe
    !*AcroRd32.exe>*AcroRd32.exe
    !C:\Program Files\*>*AcroRd32.exe
    !C:\Program Files (x86)\*>*AcroRd32.exe
    !C:\Windows\*>*AcroRd32.exe
    !*AcroRd32.exe>C:\Program Files\*
    !*AcroRd32.exe>C:\Program Files (x86)\*
    !*AcroRd32.exe>C:\Windows\*
    [BLACKLIST]
    $*procexp64.exe>*chrome.exe
    $*ProcessHacker.exe>*chrome.exe
    C:\Users\*>*
    *>*chrome.exe
    *chrome.exe>*
    *>*AcroRd32.exe
    *AcroRd32.exe>*
    [EOF]
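
To make the `source>target` rule format in the configuration above concrete, here is an added example: a small Python evaluator for a policy in that shape. It is not Excubits' code and not code from this thread, and it rests on assumptions the thread does not confirm: a rule `A>B` governs process A touching the memory of process B; the `!` and `$` prefixes are per-rule flags stripped before matching (their meaning is not given here, so they are only recorded); a whitelist match wins over any blacklist match; matching is a case-insensitive glob in which `*` may span path separators; and `[DEFAULTALLOW]` means an unmatched pair is allowed. The sample policy embedded below is a constructed subset of the posted configuration, and the sample process paths are constructed too.

```python
"""Toy evaluator for MemProtect-style 'source>target' memory-access rules.

Added example, not Excubits' code. Assumptions (not confirmed by the thread):
  - 'A>B' governs process A touching the memory of process B;
  - '!' (whitelist) / '$' (blacklist) prefixes are per-rule flags, stripped
    before matching and only recorded here;
  - a whitelist match beats any blacklist match;
  - globs are case-insensitive and '*' may cross path separators;
  - [DEFAULTALLOW] means an unmatched pair is allowed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class Rule:
    source: str   # lower-cased glob for the acting process
    target: str   # lower-cased glob for the process whose memory is touched
    flagged: bool  # True when the line carried a '!' or '$' prefix


@dataclass
class Policy:
    default_allow: bool
    whitelist: List[Rule]
    blacklist: List[Rule]


def parse_policy(text: str) -> Policy:
    """Parse an ini-style policy; raises ValueError on malformed lines."""
    default_allow = False
    whitelist: List[Rule] = []
    blacklist: List[Rule] = []
    section: Optional[List[Rule]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag = line.upper()
        if tag == "[EOF]":
            break
        if tag == "[DEFAULTALLOW]":
            default_allow = True
            continue
        if tag in ("[LETHAL]", "[LOGGING]"):
            continue  # global switches, not modelled here
        if tag == "[WHITELIST]":
            section = whitelist
            continue
        if tag == "[BLACKLIST]":
            section = blacklist
            continue
        if section is None:
            raise ValueError(f"rule outside a section: {line!r}")
        flagged = line[0] in "!$"
        if flagged:
            line = line[1:]
        if ">" not in line:
            raise ValueError(f"rule without '>': {line!r}")
        src, dst = line.split(">", 1)
        section.append(Rule(src.lower(), dst.lower(), flagged))
    return Policy(default_allow, whitelist, blacklist)


def _matches(rule: Rule, source: str, target: str) -> bool:
    return (fnmatchcase(source.lower(), rule.source)
            and fnmatchcase(target.lower(), rule.target))


def decide(policy: Policy, source: str, target: str) -> Tuple[str, str]:
    """Return (verdict, reason) for `source` touching `target`'s memory."""
    for r in policy.whitelist:
        if _matches(r, source, target):
            return "allow", f"whitelist {r.source}>{r.target}"
    for r in policy.blacklist:
        if _matches(r, source, target):
            return "block", f"blacklist {r.source}>{r.target}"
    return ("allow" if policy.default_allow else "block"), "default"


# Constructed subset of the configuration posted above.
SAMPLE_POLICY = r"""
[LETHAL]
[LOGGING]
[DEFAULTALLOW]
[WHITELIST]
!C:\Windows\*>*AcroRd32.exe
!*AcroRd32.exe>C:\Windows\*
!*AcroRd32.exe>*AcroRd32.exe
[BLACKLIST]
C:\Users\*>*
*>*AcroRd32.exe
*AcroRd32.exe>*
[EOF]
"""
POLICY = parse_policy(SAMPLE_POLICY)

# Constructed sample paths (the tool path mirrors the post; the rest are typical).
ACRORD = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
TEST_TOOL = r"D:\Tools\hmpalert-test\hmpalert-test.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CALC = r"C:\Windows\System32\calc.exe"
DROPPER = r"C:\Users\bob\Downloads\dropper.exe"


def evaluate_samples() -> List[Tuple[str, str, str]]:
    """Run the sample pairs through the policy: (source, target, verdict)."""
    pairs = [(TEST_TOOL, ACRORD), (EXPLORER, ACRORD), (ACRORD, CALC),
             (DROPPER, CALC), (TEST_TOOL, CALC)]
    return [(s, t, decide(POLICY, s, t)[0]) for s, t in pairs]


if __name__ == "__main__":
    for s, t, v in evaluate_samples():
        print(f"{v:5s}  {s}  ->  {t}")
```

Read against the thread: with the protected process being AcroRd32.exe, the test tool touching Reader is blocked by `*>*AcroRd32.exe`, while Windows binaries are let through by the whitelist, and an unprotected pair such as the test tool touching calc.exe falls to the default-allow verdict, which is why protecting the test tool itself (as in the follow-up test) changes the outcome.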
    
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I honestly have no idea what you're talking about. But let us not clutter this thread with silly discussions. To me it's much more interesting to understand how MemProtect works, and looks like WildByDesign has done some testing.

    Now we're talking! Could you perhaps do the same test, but now with the ETT being protected by MemProtect? With that I mean, the ETT should be protected against memory reading/writing and can also NOT access others process memory. According to my theory, the ETT should now be able to launch calc.exe, simply because process execution should normally not be blocked by MemProtect.
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Sure thing, I am happy to test whichever suggestions make good logical sense. I followed your suggestion by making the HMPA Exploit Test Tool itself specifically as a protected process this time. The results were very much the same; since the now protected process of hmpalert-test.exe was trying to view/modify/access the memory space of calc.exe (and other various Windows components) it was blocked entirely by MemProtect (or more specifically the protected process memory protection specifications). The end result is that calc.exe never runs because in order to execute, hmpalert-test.exe would first need memory permissions to do anything at all with that calc.exe process.

    Anyway, I'm the type of person who respects everyone's opinions and also I am very thankful that we all have such a wide variety of security programs to play with. Choice is a wonderful thing. So with regard to some of that back and forth that has gone on from time to time, I can always visualize, understand, and respect views on all sides.

    If you have any other specific suggestions that you would like me to test, please feel free to let me know. Enjoy your weekend! :thumb:
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK, now this is interesting. Thanks for testing, so seems like MemProtect is in fact also an execution blocker? I wonder how it would act in a real life exploit attack, where malware is downloaded from the web and executed from disk. But I still need some more info about this subject, so I will ask for more info to a developer. Also, what if your browser needs to load certain child processes, will you be able to make rules with MemProtect in order to let the "protected process" load them?
     