Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,291
    How parent process checking and command line scanning can help to defeat Exploits
    Lessons learned from CVE-2017-11882
    https://excubits.com/content/en/news.html (2017/11/24)
     
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,291
    Should ...
    • a "vulnerable application" be able to ...
      • access (read or write to) the memory of other applications?
      • write files to the root directory, C:\Windows or even C:\Program Files\
      • execute files which are out of the scope of the main application, for example:
        • a PDF reader wants to execute c:\windows\cmd.exe
        • a media player wants to execute a script
        • Chrome wants to load a dll from a temporary directory
    • a dropped file in a temporary directory be executed (while the user is not installing anything or is only surfing the web)
    No.

    We can restrict File Operations (write operations) with FIDES:
    • The vulnerable application is only allowed to write to its AppData\[...] directory (cache, temporary files) and Downloads-folder.
    • In addition we can protect whole partitions from being written to = no application can write to them.
    ... not only write operations, but also read operations:
    • Now the vulnerable application can't access contents of other USB drives or partitions (Why should Firefox have access to D:\ ?)
    • Or we can do this: Not only vulnerable applications but all applications (or at least files launched from a temporary directory) can't read files/folders from other partitions.
    Memory operations can be restricted with MemProtect:
    • Applications can't access (read/write) the memory of vulnerable applications
    • ... and the vulnerable application can't access the memory of all other Applications.
    • In addition we can use a generic approach: all files launched from temporary directories can't access the memory of all other processes.
    Dropped files/dll's can be blocked from executing (MZWriteScanner):
    • after an executable has been dropped into a non-whitelisted directory or even to C:\Windows, the execution is prevented.
    • ... this is also the case for dropped dll's.
      • Even after the dropped file/dll has been copied to a "trusted" directory like C:\Program Files\ the execution will be blocked. The file (better: the hash of this file) will be "monitored" from MZWriteScanner.
        • One disadvantage: after the service of MZWriteScanner has been restarted or if the user reboots, remembered hashes will be dropped.
    We can block loading of modules/dll's with MemProtect:
    • We can block not whitelisted dll's from being loaded into vulnerable applications (whitelisted dll's = allowed, everything else is blocked)
    • or dll's in temporary directories can be blocked from being loaded into all applications.
      • Variant: Applications in C:\Program Files are only able to load modules located in C:\Program Files\* or C:\Windows\* (=dll's in all other locations are automatically blocked)
    We also have Bouncer with command-line scanning, parent process checking, whitelisting and blacklisting.

    The system can be pretty much locked down with combination of these tools.
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,692
    Location:
    Mexico
    Great info @mood useful as usual :thumb:
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,960
    Location:
    Under a bushel ...
    +1 :thumb:. Though it would take some dedication to use these.

    I do use FIDES though, to secure my backup USB - simple enough for this simpleton o_O.
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,692
    Location:
    Mexico
    I used it too. But I found SecureFolders much more versatile to block UFD access, reads or writes, even disabling-enabling at will.
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,960
    Location:
    Under a bushel ...
    But it doesn't have the granularity of FIDES, i.e. restricting folder access per application ... ?
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Good review of the excubits product. Thanks Mood. I love MZwritescanner. I would describe it as a pain in the neck, but it sure keeps the system safe.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @mood You are truly a Master when it comes to your teaching/educating abilities! :thumb:
    Your input and opinions are always greatly appreciated.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    I have 5 days left in this semester. After I'm finished with finals I'm going to be switching from AppGuard to Bouncer. I have run into too many problems with AppGuard lately with the last 2 feature updates of Windows 10, and with MySQL Server. I can't make allow rules when all that ever shows up in AppGuard's Report is Blocked Process ID's. In my prior experience with Bouncer it always shows process names, and complete paths. I'm looking forward to playing with Bouncer again. I hope MemProtect, and FIDES will be combined with Bouncer one day soon. I may use Bouncer with VS, or ERP.
     
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,291
    You're welcome ;)
    It was fun to go through all protections in my mind and then writing them down.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The thought of my doing that scares the you know what out of me. I tip my hat sir
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,291
    Reconstruction of Bouncer’s Rules Engine
    Should we implement a new Bouncer rules engine?
    https://excubits.com/content/en/news.html (December 05, 2017)
     
  13. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    175
    Location:
    Europe
    :thumb: if complexity is really gonna reduce this sounds great. Anybody know when a beta is planned?
     
  14. kakaka

    kakaka Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    70
    Reconstruction of Bouncer’s Rules Engine
    First beta version with new rules engine

    2017/12/18 by F. Rienhardt

    We have finished the first version of Bouncer/Tuersteher with the brand new rules engine. We have successfully integrated the parent-check into the normal check. Well, configuration is now not split into separate parts but can still be a bit complicated. There is only a [WHITELIST] and [BLACKLIST] part now.

    You should take extra care which rule you gonna specify first, especially when it comes to parent-rules. From our first internal tests it seems to be a good idea to start with normal white- and blacklist-rules. Then you should think about parent rules to mitigate against specific attacks. Set up blacklist rules for a dedicated application and then place the parent-whitelist rule before the more generic parent-less rules.

    Another way to specify rules can be to fully opt for parent-rules, so you do not make use of classic parent-less rules. This can be a bit tricky if you start from scratch, but then you do not have to take care about ordering the rules depending whether they have a parent or not.

    You can check-out the new beta at our BETA-Camp, but be very careful, it is raw and uncut and really beta. We give absolutely no guarantee!!!
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    I took these blacklist rules from Excubits' updated Blacklist on their website. Why would these blacklist rules be needed? These directories are located in the userspace, and any unknown file attempting to execute from the userspace with these extension types should be blocked by default. What am I not understanding?

    *\AppData\Local\Temp\*.bat
    *\AppData\Local\Temp\*.cmd
    *\AppData\Local\Temp\*.com
    *\AppData\Local\Temp\*.exe
    *\AppData\Local\Temp\*.scr
    *\AppData\Local\Temp\*.sys
    *\AppData\Roaming\*.bat
    *\AppData\Roaming\*.cmd
    *\AppData\Roaming\*.com
    *\AppData\Roaming\*.exe
    *\AppData\Roaming\*.scr
    *\AppData\Roaming\*.sys
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    I hope this is a sign that they are thinking about combining Bouncer with FIDES, and MemProtect. I think this would make combining them a little easier.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    The Excubits blacklist has mrsa.exe on it. My Windows 10 installation only has msra.exe. Is this a typo?
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,692
    Location:
    Mexico
    Typo it is.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    Ok, thanks. I reported it to Florian.
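
The `mrsa.exe` / `msra.exe` mix-up raised in the posts above is the kind of error a small lint over the rule file can catch before a blacklist silently fails to cover a binary. This is an added example, not part of the thread or of Excubits' tooling; the `*name.exe` rule form, the sample blacklist and the inventory of known binaries are constructed assumptions.

```python
import difflib
import ntpath

# Constructed inventory; on a real host, build it from the file names in the system directory.
KNOWN_BINARIES = ["cmd.exe", "cscript.exe", "mshta.exe", "msra.exe",
                  "powershell.exe", "regsvr32.exe", "wscript.exe"]

# Constructed sample rule file; the "*name.exe" rule form is an assumption.
SAMPLE_BLACKLIST = r"""[BLACKLIST]
*\AppData\Local\Temp\*.exe
*\AppData\Roaming\*.scr
*mshta.exe
*mrsa.exe
*regsvr32.exe
"""


def rule_basename(rule):
    """Return the literal file name a rule targets, or None if the name is wildcarded."""
    name = ntpath.basename(rule).lstrip("*").lower()
    if not name or name.startswith(".") or "*" in name or "?" in name:
        return None  # e.g. "*.exe" names an extension, not a specific binary
    return name


def lint_blacklist(text, known, cutoff=0.8):
    """Report blacklist rules naming a binary that is not in the inventory.

    Returns (line_number, rule, closest_known_name_or_None) tuples.
    """
    known_set = {k.lower() for k in known}
    findings, in_blacklist = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith("["):
            in_blacklist = line.upper() == "[BLACKLIST]"
            continue
        if not in_blacklist or not line:
            continue
        name = rule_basename(line)
        if name is None or name in known_set:
            continue
        guess = difflib.get_close_matches(name, sorted(known_set), n=1, cutoff=cutoff)
        findings.append((lineno, line, guess[0] if guess else None))
    return findings


if __name__ == "__main__":
    for lineno, rule, guess in lint_blacklist(SAMPLE_BLACKLIST, KNOWN_BINARIES):
        print(f"line {lineno}: {rule!r} matches no known binary; did you mean {guess!r}?")
```

A rule with no close match is still reported, with `None` as the suggestion, since it may target a binary that is simply absent from this host.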
     
  20. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    175
    Location:
    Europe
    There is new blacklist online.
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    I asked the question below recently in this thread, and never got a response. Florian answered it for me. He said it would be ok to share his answer in the thread in case others have the same question.

    I took these blacklist rules from Excubits' Blacklist on the website. Why are the blacklist rules listed below needed? AppData\Local\temp, and AppData\Roaming are located in the Userspace. I thought any file in the Userspace that is not whitelisted should be blocked by default without these additional rules.

    What is it that I'm not understanding? Doesn't Bouncer block all executions from the Userspace unless explicitly whitelisted by the user? I asked this question at Wilders Security Forum, but no one responded to this question. Maybe I'm not the only one confused about this.

    [BLACKLIST]
    *\AppData\Local\Temp\*.bat
    *\AppData\Local\Temp\*.cmd
    *\AppData\Local\Temp\*.com
    *\AppData\Local\Temp\*.exe
    *\AppData\Local\Temp\*.scr
    *\AppData\Local\Temp\*.sys
    *\AppData\Roaming\*.bat
    *\AppData\Roaming\*.cmd
    *\AppData\Roaming\*.com
    *\AppData\Roaming\*.exe
    *\AppData\Roaming\*.scr
    *\AppData\Roaming\*.sys

    Thank you for your help!

    Michael

     
  22. Zorak

    Zorak Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    181
    Location:
    Australian Capital Territory
    Thanks @Cutting Edgetech for taking the time to follow up on this :thumb:
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    No problem.
     
  24. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,291
    Regarding the beta, a newer one is now available - Bouncer/Tuersteher (Date: January 14, 2018)
    The drivers are SHA1/SHA256 signed.
    Download: Beta Camp
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @mood This is great news, thank you. I only tested the previous beta briefly since it was only Test Signed. This is much better now for testing.

    I actually quite like the idea of getting rid of the parentwhitelist/parentblacklist section in favour of allowing the parent rules to be included in with the regular whitelist/blacklist sections. I also like the fact that you can entirely use just parent rules and no requirement to use the regular rule. That keeps things more efficient and less similar/repetitive rules. I really like this a lot better now in comparison.

    And many of these great developments (to all Excubits drivers) are thanks to users here at Wilders sharing their suggestions. :thumb:
     