Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,528
    Location:
    U.S.A. (South)
  2. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    140
    Location:
    Europe
    New version works fine. Also the Stop-Click-Start button is a nice feature and absolutely makes sense in some of my scenarios. Not a big feature, but nice.

    Btw: I currently encounter this log entry often

    Code:
    C:\Windows\System32\CompatTelRunner.exe > C:\Windows\system32\rundll32.exe C:\Windows\system32\GeneralTel.dll,RunGeneralTelemetry 
    Does anyone know what this GeneralTel.dll,RunGeneralTelemetry is?
     
  3. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,039
    The dll "GeneralTel.dll" has 8 exports, and one exported function is RunGeneralTelemetry; this is the function that is executed.
    It is doing "telemetry related things" or something similar.

    CompatTelRunner.exe (File Desc.: Microsoft Compatibility Telemetry)
    GeneralTel.dll (File Desc.: General Telemetry)
     
  4. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,931
    Location:
    Mexico
    Updated blacklist for Bouncer (Last Updated: 2017/11/19)
    Code:
    https://excubits.com/content/en/files/blacklist.txt
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,559
    Location:
    The etherlands
    :thumb:
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,039
    How parent process checking and command line scanning can help to defeat Exploits
    Lessons learned from CVE-2017-11882
    https://excubits.com/content/en/news.html (2017/11/24)
     
  7. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,039
    Should ...
    • a "vulnerable application" be able to ...
      • access (read or write to) the memory of other applications?
      • write files to the root directory, C:\Windows or even C:\Program Files\?
      • execute files which are out of the scope of the main application, for example:
        • a PDF reader wants to execute c:\windows\cmd.exe
        • a media player wants to execute a script
        • Chrome wants to load a dll from a temporary directory
    • a dropped file in a temporary directory be executed (while the user is not installing anything or is only surfing the web)?
    No.

    We can restrict File Operations (write operations) with FIDES:
    • The vulnerable application is only allowed to write to its AppData\[...] directory (cache, temporary files) and Downloads-folder.
    • In addition we can protect whole partitions from being written to = no application can write to them.
    ... not only write operations, but also read operations:
    • Now the vulnerable application can't access contents of other USB drives or partitions (Why should Firefox have access to D:\ ?)
    • Or we can do this: Not only vulnerable applications but all applications (or at least files launched from a temporary directory) can't read files/folders from other partitions.
    Memory operations can be restricted with MemProtect:
    • Applications can't access (read/write) the memory of vulnerable applications
    • ... and the vulnerable application can't access the memory of all other Applications.
    • In addition we can use a generic approach: all files launched from temporary directories can't access the memory of all other processes.
    Dropped files/dll's can be blocked from executing (MZWriteScanner):
    • after an executable has been dropped into a non-whitelisted directory or even into C:\Windows, its execution is prevented.
    • ... this is also the case for dropped dll's.
      • Even after the dropped file/dll has been copied to a "trusted" directory like C:\Program Files\ the execution will be blocked. The file (better: the hash of this file) will be "monitored" by MZWriteScanner.
        • One disadvantage: after the service of MZWriteScanner has been restarted or if the user reboots, remembered hashes will be dropped.
    We can block loading of modules/dll's with MemProtect:
    • We can block not whitelisted dll's from being loaded into vulnerable applications (whitelisted dll's = allowed, everything else is blocked)
    • or dll's in temporary directories can be blocked from being loaded into all applications.
      • Variant: Applications in C:\Program Files are only able to load modules located in C:\Program Files\* or C:\Windows\* (=dll's in all other locations are automatically blocked)
    We also have Bouncer with command-line scanning, parent process checking, whitelisting and blacklisting.

    The system can be pretty much locked down with combination of these tools.
     
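    The parent-process check and command-line scan from the Excubits post linked above, together with the "should a vulnerable application be able to ..." list in the previous post, can be put into code as a small policy engine. What follows is an added example, not Excubits' code and not Bouncer's rule syntax; it is a stand-alone Python script. The input format ("parent > child arguments") is taken from the log entry quoted earlier in the thread, and the first sample line is that entry; the other sample lines, the set of "document/media apps", the set of shells and script hosts, the temporary-directory patterns and the trusted module directories are all assumptions chosen for the demonstration, and paths containing spaces are assumed to be quoted.

```python
"""Parent-process checking and command-line scanning over process-launch events.

Added example (not Excubits/Bouncer code). Event lines use the
'parent > child args' shape seen in the Bouncer log entry quoted in this
thread; the policy sets below and all sample lines except the first are
constructed assumptions for the demonstration.
"""
import fnmatch
import ntpath
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    parent: str   # path of the process that requested the launch
    child: str    # path of the executable being launched
    cmdline: str  # child's full command line, child path included


# Assumed policy (not product defaults): parents treated as "vulnerable"
# document/media apps, children that are shells or script hosts, temporary
# directories, and directories from which rundll32 may load a module.
DOC_APPS = {"acrord32.exe", "winword.exe", "excel.exe", "vlc.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TEMP_DIRS = (r"c:\users\*\appdata\local\temp\*", r"c:\windows\temp\*", r"c:\temp\*")
MODULE_DIRS = (r"c:\windows\*", r"c:\program files\*", r"c:\program files (x86)\*")


def _norm(path: str) -> str:
    """Case-fold and strip quotes so patterns can be written once."""
    return path.strip('"').replace("/", "\\").lower()


def _matches(path: str, patterns) -> bool:
    p = _norm(path)
    return any(fnmatch.fnmatchcase(p, pat) for pat in patterns)


def _basename(path: str) -> str:
    return ntpath.basename(_norm(path))


def parse_event(line: str) -> Event:
    """Parse 'parent > child args' into an Event. Paths with spaces must be quoted."""
    parent, _, rest = line.partition(" > ")
    tokens = shlex.split(rest.strip(), posix=False)  # non-posix: keep backslashes
    return Event(parent=parent.strip().strip('"'),
                 child=tokens[0].strip('"'),
                 cmdline=rest.strip())


def check_parent(ev: Event):
    """Parent check: a document/media app must not spawn a shell or script host."""
    if _basename(ev.parent) in DOC_APPS and _basename(ev.child) in SHELLS:
        return f"{_basename(ev.parent)} spawned {_basename(ev.child)}"
    return None


def check_temp_exec(ev: Event):
    """Nothing may be launched from a temporary directory."""
    if _matches(ev.child, TEMP_DIRS):
        return "executable launched from a temporary directory"
    return None


def check_cmdline(ev: Event):
    """Command-line scan: no temp-dir arguments; rundll32 only loads trusted modules."""
    tokens = [t.strip('"') for t in shlex.split(ev.cmdline, posix=False)]
    for tok in tokens[1:]:
        if _matches(tok, TEMP_DIRS):
            return f"command line references a temporary directory: {tok}"
    if _basename(ev.child) == "rundll32.exe" and len(tokens) > 1:
        module = tokens[1].split(",", 1)[0]  # 'path\x.dll,Export' -> path\x.dll
        if not _matches(module, MODULE_DIRS):
            return f"rundll32 module outside trusted directories: {module}"
    return None


RULES = (check_parent, check_temp_exec, check_cmdline)


def decide(ev: Event) -> tuple:
    """First matching rule wins; default is allow (a real tool would default-deny with a whitelist)."""
    for rule in RULES:
        reason = rule(ev)
        if reason:
            return ("BLOCK", reason)
    return ("ALLOW", "no rule matched")


def evaluate(lines):
    return [(line, *decide(parse_event(line))) for line in lines]


# Constructed sample log; the first line is the one quoted earlier in the thread.
SAMPLE_LOG = [
    r"C:\Windows\System32\CompatTelRunner.exe > C:\Windows\system32\rundll32.exe C:\Windows\system32\GeneralTel.dll,RunGeneralTelemetry",
    r'"C:\Program Files\Adobe\Reader\AcroRd32.exe" > C:\Windows\System32\cmd.exe /c echo hello',
    r"C:\Windows\explorer.exe > C:\Users\alice\AppData\Local\Temp\setup.exe",
    r"C:\Windows\System32\svchost.exe > C:\Windows\system32\rundll32.exe C:\Users\alice\Downloads\x.dll,Run",
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" > "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer',
]

if __name__ == "__main__":
    for line, verdict, why in evaluate(SAMPLE_LOG):
        print(f"{verdict:5} {why}\n      {line}")
```

    Running it allows the CompatTelRunner/rundll32 line (the module lives under C:\Windows) and the Chrome renderer launch, and blocks the PDF reader spawning cmd.exe, the executable started from the temp directory, and rundll32 loading a dll from Downloads. The rules are checked in order, so the reason reported is the first one that fires; a production tool would also default to deny and whitelist known launches rather than default to allow as this toy does.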
  8. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,931
    Location:
    Mexico
    Great infos @mood useful as usual :thumb:
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,559
    Location:
    The etherlands
    +1 :thumb:. Though it would take some dedication to use these.

    I do use FIDES though, to secure my backup USB - simple enough for this simpleton o_O.
     
  10. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,931
    Location:
    Mexico
    I used it too. But I found SecureFolders much more versatile to block UFD access, reads or writes, even disabling/enabling at will.
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,559
    Location:
    The etherlands
    But it doesn't have the granularity of FIDES, i.e. restricting folder access per application ... ?
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,295
    Good review of the excubits product. Thanks Mood. I love MZwritescanner. I would describe it as a pain in the neck, but it sure keeps the system safe.
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    @mood You are truly a Master when it comes to your teaching/educating abilities! :thumb:
    Your input and opinions are always greatly appreciated.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,238
    Location:
    USA
    I have 5 days left in this semester. After I'm finished with finals I'm going to be switching from AppGuard to Bouncer. I have run into too many problems with AppGuard lately with the last 2 feature updates of Windows 10, and with MySQL Server. I can't make allow rules when all that ever shows up in AppGuard's Report is blocked process IDs. In my prior experience with Bouncer it always shows process names and complete paths. I'm looking forward to playing with Bouncer again. I hope MemProtect and FIDES will be combined with Bouncer one day soon. I may use Bouncer with VS, or ERP.
     
  15. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,039
    You're welcome ;)
    It was fun to go through all the protections in my mind and then write them down.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,295
    The thought of my doing that scares the you know what out of me. I tip my hat sir
     
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,039
    Reconstruction of Bouncer’s Rules Engine
    Should we implement a new Bouncer rules engine?
    https://excubits.com/content/en/news.html (December 05, 2017)
     
  18. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    140
    Location:
    Europe
    :thumb: if complexity is really gonna reduce this sounds great. Anybody know when a beta is planned?