Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,771
    Location:
    U.S.A. (South)
  2. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    159
    Location:
    Europe
    New version works fine. Also the Stop-Click-Start button is a nice feature and absolutely makes sense in some of my scenarios. Not a big feature, but nice.

    Btw: I currently encounter this log entry often

    Code:
    C:\Windows\System32\CompatTelRunner.exe > C:\Windows\system32\rundll32.exe C:\Windows\system32\GeneralTel.dll,RunGeneralTelemetry 
    Does anyone know what this GeneralTel.dll,RunGeneralTelemetry is?
     
  3. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,701
    The dll "GeneralTel.dll" has 8 exports, and one exported function is RunGeneralTelemetry; this function is executed.
    It is doing "telemetry related things" or something similar.

    CompatTelRunner.exe (File Desc.: Microsoft Compatibility Telemetry)
    GeneralTel.dll (File Desc.: General Telemetry)
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,351
    Location:
    Mexico
    Updated blacklist for Bouncer (Last Updated: 2017/11/19)
    Code:
    https://excubits.com/content/en/files/blacklist.txt
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,183
    Location:
    Under a bushel ...
    :thumb:
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,701
    How parent process checking and command line scanning can help to defeat Exploits
    Lessons learned from CVE-2017-11882
    https://excubits.com/content/en/news.html (2017/11/24)
     
  7. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,701
    Should ...
    • a "vulnerable application" be able to ...
      • access (read or write to) the memory of other applications?
      • write files to the root directory, C:\Windows or even C:\Program Files\
      • execute files which are out of the scope of the main application, for example:
        • a PDF reader wants to execute c:\windows\cmd.exe
        • a media player wants to execute a script
        • Chrome wants to load a dll from a temporary directory
    • a dropped file in a temporary directory be executed (while the user is not installing anything or is only surfing the web)
    No.

    We can restrict File Operations (write operations) with FIDES:
    • The vulnerable application is only allowed to write to its AppData\[...] directory (cache, temporary files) and Downloads-folder.
    • In addition we can protect whole partitions from being written to = no application can write to them.
    ... not only write operations, but also read operations:
    • Now the vulnerable application can't access contents of other USB drives or partitions (Why should Firefox have access to D:\ ?)
    • Or we can do this: Not only vulnerable applications but all applications (or at least files launched from a temporary directory) can't read files/folders from other partitions.
    Memory operations can be restricted with MemProtect:
    • Applications can't access (read/write) the memory of vulnerable applications
    • ... and the vulnerable application can't access the memory of all other Applications.
    • In addition we can use a generic approach: all files launched from temporary directories can't access the memory of all other processes.
    Dropped files/dll's can be blocked from executing (MZWriteScanner):
    • after an executable has been dropped into a not whitelisted directory or even to C:\Windows, the execution is prevented.
    • ... this is also the case for dropped dll's.
      • Even after the dropped file/dll has been copied to a "trusted" directory like C:\Program Files\ the execution will be blocked. The file (better: the hash of this file) will be "monitored" by MZWriteScanner.
        • One disadvantage: after the service of MZWriteScanner has been restarted or if the user reboots, remembered hashes will be dropped.
    We can block loading of modules/dll's with MemProtect:
    • We can block not whitelisted dll's from being loaded into vulnerable applications (whitelisted dll's = allowed, everything else is blocked)
    • or dll's in temporary directories can be blocked from being loaded into all applications.
      • Variant: Applications in C:\Program Files are only able to load modules located in C:\Program Files\* or C:\Windows\* (=dll's in all other locations are automatically blocked)
    We also have Bouncer with command-line scanning, parent process checking, whitelisting and blacklisting.

    The system can be pretty much locked down with combination of these tools.
     
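    The MZWriteScanner behaviour described in the post above (a dropped executable is remembered by hash, so it stays blocked even after being copied into a trusted directory, and the memory is lost on a service restart) can be modelled in a few lines. This is an added example, not Excubits code: it assumes that write and execute events arrive as (path, bytes), that a PE image is recognised by its "MZ" magic, and that the whitelisted drop directory and the sample payload are constructed for the demo.

```python
"""Toy model of hash-based dropped-executable blocking (added example, not
Excubits code). Assumptions: a driver hands us write and execute events as
(path, bytes); a PE image is recognised by its 'MZ' magic; trusted drop
directories are a fixed list. All sample data below is constructed."""
import hashlib
from typing import Dict, List, Set

# Constructed policy: executables written here may run; anything dropped
# elsewhere is treated as suspect until the service forgets about it.
WHITELISTED_DROP_DIRS = (r"c:\users\alice\downloads\installers",)


def _in_whitelisted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in WHITELISTED_DROP_DIRS)


class MZWriteScanner:
    def __init__(self) -> None:
        # Hashes of executables dropped into non-whitelisted locations. Kept in
        # memory only, so restart() (service restart or reboot) forgets them,
        # which is the disadvantage noted in the post.
        self._dropped: Set[str] = set()
        self.log: List[str] = []

    def on_write(self, path: str, data: bytes) -> bool:
        """Return True if the write was recorded as a dropped executable."""
        if not data.startswith(b"MZ"):
            return False          # not a PE image, ignore
        if _in_whitelisted_dir(path):
            return False          # installer landed where installers belong
        self._dropped.add(hashlib.sha256(data).hexdigest())
        self.log.append(f"dropped executable recorded: {path}")
        return True

    def on_execute(self, path: str, data: bytes) -> bool:
        """Return True if execution is allowed. The decision keys on the
        content hash, not on the current location, so copying the file into
        C:\\Program Files\\ does not help."""
        if hashlib.sha256(data).hexdigest() in self._dropped:
            self.log.append(f"execution blocked: {path}")
            return False
        return True

    def restart(self) -> None:
        """Simulate a service restart: remembered hashes are dropped."""
        self._dropped.clear()


def scenario() -> Dict[str, bool]:
    """Walk through the cases from the post and return each decision."""
    payload = b"MZ" + b"\x90" * 62 + b"constructed-not-a-real-pe"   # constructed
    installer = b"MZ" + b"constructed-installer"                      # constructed
    s = MZWriteScanner()
    temp_path = r"C:\Users\alice\AppData\Local\Temp\update.exe"
    copied_path = r"C:\Program Files\Vendor\update.exe"
    good_path = r"C:\Users\alice\Downloads\installers\setup.exe"
    results = {
        "text_file_ignored": s.on_write(r"C:\Users\alice\notes.txt", b"hello"),
        "write_recorded": s.on_write(temp_path, payload),
        "run_from_temp": s.on_execute(temp_path, payload),
        "run_after_copy": s.on_execute(copied_path, payload),
        "installer_recorded": s.on_write(good_path, installer),
        "installer_allowed": s.on_execute(good_path, installer),
    }
    s.restart()
    results["forgotten_after_restart"] = s.on_execute(copied_path, payload)
    return results


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {allowed}")
```

Running the scenario shows the dropped file blocked both in Temp and after the copy into C:\Program Files\, the installer in the whitelisted folder running normally, and the same dropped payload running again once the scanner has been restarted.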
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,351
    Location:
    Mexico
    Great infos @mood useful as usual :thumb:
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,183
    Location:
    Under a bushel ...
    +1 :thumb:. Though it would take some dedication to use these.

    I do use FIDES though, to secure my backup USB - simple enough for this simpleton o_O.
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,351
    Location:
    Mexico
    I used it too. But I found SecureFolders much more versatile to block UFD access, reads or writes, even disabling-enabling at will.
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,183
    Location:
    Under a bushel ...
    But it doesn't have the granularity of FIDES, i.e. restricting folder access per application ... ?
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,009
    Good review of the excubits product. Thanks Mood. I love MZwritescanner. I would describe it as a pain in the neck, but it sure keeps the system safe.
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,544
    Location:
    Toronto, Canada
    @mood You are truly a Master when it comes to your teaching/educating abilities! :thumb:
    Your input and opinions are always greatly appreciated.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,472
    Location:
    USA
    I have 5 days left in this semester. After I'm finished with finals I'm going to be switching from AppGuard to Bouncer. I have run into too many problems with AppGuard lately with the last 2 feature updates of Windows 10, and with MySQL Server. I can't make allow rules when all that ever shows up in AppGuard's Report is Blocked Process IDs. In my prior experience with Bouncer it always shows process names, and complete paths. I'm looking forward to playing with Bouncer again. I hope MemProtect, and FIDES will be combined with Bouncer one day soon. I may use Bouncer with VS, or ERP.
     
  15. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,701
    You're welcome ;)
    It was fun to go through all protections in my mind and then writing them down.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,009
    The thought of my doing that scares the you know what out of me. I tip my hat sir
     
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    7,701
    Reconstruction of Bouncer’s Rules Engine
    Should we implement a new Bouncer rules engine?
    https://excubits.com/content/en/news.html (December 05, 2017)
     
  18. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    159
    Location:
    Europe
    :thumb: if complexity is really gonna reduce this sounds great. Anybody know when a beta is planned?
     
  19. kakaka

    kakaka Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    61
    Reconstruction of Bouncer’s Rules Engine
    First beta version with new rules engine

    2017/12/18 by F. Rienhardt

    We have finished the first version of Bouncer/Tuersteher with the brand new rules engine. We have successfully integrated the parent-check into the normal check. Well, configuration is now not split into separate parts but can still be a bit complicated. There is only a [WHITELIST] and [BLACKLIST] part now.

    You should take extra care which rule you gonna specify first, especially when it comes to parent-rules. From our first internal tests it seems to be a good idea to start with normal white- and blacklist-rules. Then you should think about parent rules to mitigate against specific attacks. Set up blacklist rules for a dedicated application and then place the parent-whitelist rule before the more generic parent-less rules.

    Another way to specify rules can be to fully opt for parent-rules, so you do not make use of classic parent-less rules. This can be a bit tricky if you start from scratch, but then you do not have to take care about ordering the rules depending whether they have a parent or not.

    You can check out the new beta at our BETA-Camp, but be very careful, it is raw and uncut and really beta. We give absolutely no guarantee!!!
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,472
    Location:
    USA
    I took these blacklist rules from Excubits' updated blacklist on their website. Why would these blacklist rules be needed? These directories are located in the userspace, and any unknown file attempting to execute from the userspace with these extension types should be blocked by default. What am I not understanding?

    *\AppData\Local\Temp\*.bat
    *\AppData\Local\Temp\*.cmd
    *\AppData\Local\Temp\*.com
    *\AppData\Local\Temp\*.exe
    *\AppData\Local\Temp\*.scr
    *\AppData\Local\Temp\*.sys
    *\AppData\Roaming\*.bat
    *\AppData\Roaming\*.cmd
    *\AppData\Roaming\*.com
    *\AppData\Roaming\*.exe
    *\AppData\Roaming\*.scr
    *\AppData\Roaming\*.sys
     
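    The beta announcement quoted above stresses that, with parent rules folded into one [WHITELIST]/[BLACKLIST] configuration, the order of rules decides the outcome, and the post directly above shows wildcard blacklist patterns of the kind the engine evaluates. The following is an added example, not Bouncer's code or its real parser: it models a first-match rule engine with the `parent > child` notation seen in the log line earlier in the thread, and shows the same request being allowed or denied purely because of rule order. The wildcard semantics, the first-match behaviour, the default-deny fallback and all rule text and paths are assumptions constructed for the demo.

```python
"""Toy first-match rule engine in the spirit of the new Bouncer engine
(added example, not Excubits code). Assumptions: '*' matches any run of
characters including backslashes; matching is case-insensitive; 'parent > child'
lines are parent rules; the first matching rule wins; no match means deny."""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" (from [WHITELIST]) or "deny" (from [BLACKLIST])
    child: str                     # wildcard pattern for the file being executed
    parent: Optional[str] = None   # optional wildcard pattern for the parent process


def parse_rules(text: str) -> List[Rule]:
    """Parse a constructed [WHITELIST]/[BLACKLIST] configuration, keeping file order."""
    section: Optional[str] = None
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.upper() == "[WHITELIST]":
            section = "allow"
            continue
        if line.upper() == "[BLACKLIST]":
            section = "deny"
            continue
        if section is None:
            raise ValueError(f"rule outside of a section: {line!r}")
        if ">" in line:
            parent, child = (part.strip() for part in line.split(">", 1))
            rules.append(Rule(section, child, parent))
        else:
            rules.append(Rule(section, line))
    return rules


def _matches(pattern: str, path: str) -> bool:
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def decide(rules: List[Rule], child: str, parent: str) -> Tuple[str, Optional[Rule]]:
    """Return (action, rule) for the first rule matching this execution; deny if none."""
    for rule in rules:
        if not _matches(rule.child, child):
            continue
        if rule.parent is not None and not _matches(rule.parent, parent):
            continue
        return rule.action, rule
    return "deny", None


# Constructed configuration: specific deny rules (dropped files, and a PDF reader
# spawning a shell) come first, generic allow rules last.
RULES_SPECIFIC_FIRST = r"""
[BLACKLIST]
*\AppData\Local\Temp\*.exe
*\AppData\Roaming\*.exe
C:\Program Files\Adobe\*\AcroRd32.exe > C:\Windows\System32\cmd.exe
[WHITELIST]
C:\Windows\*
C:\Program Files\*
"""

# Same rules, generic allow first: the parent rule can never be reached for cmd.exe.
RULES_GENERIC_FIRST = r"""
[WHITELIST]
C:\Windows\*
C:\Program Files\*
[BLACKLIST]
*\AppData\Local\Temp\*.exe
*\AppData\Roaming\*.exe
C:\Program Files\Adobe\*\AcroRd32.exe > C:\Windows\System32\cmd.exe
"""

READER = r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"   # constructed
EXPLORER = r"C:\Windows\explorer.exe"


def shell_from_reader(config: str) -> str:
    """Outcome for the PDF reader launching cmd.exe under the given configuration."""
    return decide(parse_rules(config), r"C:\Windows\System32\cmd.exe", READER)[0]


def dropped_exe(config: str) -> str:
    """Outcome for a user double-clicking an executable dropped into Temp."""
    return decide(parse_rules(config), r"C:\Users\alice\AppData\Local\Temp\setup.exe", EXPLORER)[0]


if __name__ == "__main__":
    for name, cfg in (("specific first", RULES_SPECIFIC_FIRST), ("generic first", RULES_GENERIC_FIRST)):
        print(f"{name}: reader->cmd.exe = {shell_from_reader(cfg)}, temp exe = {dropped_exe(cfg)}")
```

With the specific rules first, cmd.exe started by the reader is denied while cmd.exe started by Explorer is still allowed by the generic C:\Windows\* entry; with the generic allow first, the same reader-spawned cmd.exe is allowed because the first matching rule is the broad whitelist and the parent rule behind it is never consulted. The Temp rule denies in both orderings only because nothing above it matches that path; a whitelist such as C:\Users\* placed before it would change that too, which is the ordering trap the announcement warns about.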
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,472
    Location:
    USA
    I hope this is a sign that they are thinking about combining Bouncer with FIDES, and MemProtect. I think this would make combining them a little easier.
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,472
    Location:
    USA
    The Excubits blacklist has mrsa.exe on it. My Windows 10 installation only has msra.exe. Is this a typo?
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,351
    Location:
    Mexico
    Typo it is.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,472
    Location:
    USA
    Ok, thanks. I reported it to Florian.
     
  25. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    159
    Location:
    Europe
    There is new blacklist online.
     