Use two free programs from Excubits to run vulnerable programs in containers

Discussion in 'other anti-malware software' started by Windows_Security, Apr 20, 2016.

  1. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    Excubits offers some free programs to run vulnerable programs in a memory and file sandbox. On our forum @WildByDesign has direct contact with the developers, so when you have questions about releases or features he is the one to ask (although mood and Online_Sword have also played with those programs intensively, so they are also good information sources).

    Here is some english information on them https://excubits.com/content/en/news.html You can download them from https://excubits.com/content/en/products_beta.html

    It are actually not programs but drivers, WildByDesign has explained how you install them in this post


    What is the idea of running programs in containers?
    Containers and sandboxes are often mixed. In a container a program is blocked access to (critical) parts of the system. By containing file access (PumperNickel) and memory access (MemProtect) of vulnarable programs, you mitigate the impact of infections by malware (including exploits). Those vulnerable programs are only allowed to mess with their own (installation) folders. This is not a tight mitigation but still reduces impact of infections and also reduces the need for rules configuration (so less rule tweaking and more ease of use). Since the ini files are limited in size in the free versions, needing less rules is a nice bonus.

    Trying it out in simulation mode [#Lethal]
    When you want to try these free (tiny) drivers, just copy the code below to the ini files of MemProtect and Pumpernickel. After having tested them (the logs are in the Windows directory), you can change the [#LETHAL] to [LETHAL]. Removing the # turns the program from simulation to protection mode. Pumpernickel is by design Default Allow, MemProtect is default allow because I entered [DEFAULTALLOW] in the ini file.

    Using the log files
    As you can see, exception rules can be copied from the log (just add and an ! before the C and remove the spaces for and after the >). Have a look at the example below (using log file to allow access to Windows Caache folder).
    upload_2016-4-20_23-53-7.png
    Just use the log to add priority whitelist rules (starting with an !). When your are done, just add an # for logging [#LOGGING], then both drivers stop writing to the log.

    Pumpernickel
    This is a kernel level file (access) monitor. In the code example below, Office (Excel, Winword, PowerPoint, etc) and Chrome are not allowed (blacklisted) to change UAC protected folders (Windows and Program Files). So they effectively run with file privileges of a Standard User. I run 32 bit OS, so you have to add C:\Program Files (86) when you use an 64 bits OS. The prority whitelist (rules starting with !) overrule blacklist, so both Office and Chrome are allowed to change their own folder and the Windows cache and temp folders.

    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    !C:\Program Files\Office\*>C:\Program Files\Office\*
    !C:\Program Files\Google\Chrome\*>C:\Program Files\Google\Chrome\*
    
    !C:\Program Files\*>C:\Windows\Temp\*
    !C:\Program Files\*>C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\*
    
    [BLACKLIST]
    C:\Program Files\Office\*>C:\Windows\*
    C:\Program Files\Office\*>C:\Program Files\*
    
    C:\Program Files\Google\Chrome\*>C:\Windows\*
    C:\Program Files\Google\Chrome\*>C:\Program Files\*
    [EOF]
    

    MemProtect
    MemProtect is a kernel level memory (access) monitor using a Windows OS-feature (protected processes) available on Vista and higher, but best used on Windows 8.1 and higher. Same approach with the memory container as the file container. Both Office and Chrome are not allowed to modify the memory of other programs (Blacklist C:\Program FIles\Office\*>*) . I also allow them to print (whitelist access to SPLWOW64). You will recognize the rule patterns (see post #9 below).

    Code:
    [#LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    !C:\Program Files\Office\*>C:\Program Files\Office\*
    !C:\Program Files\Google\Chrome\*>C:\Program Files\Google\Chrome\*
    
    !C:\Program Files\*>C:\Windows\splwow64.exe
    
    [BLACKLIST]
    C:\Program Files\Office\*>*
    C:\Program Files\Google\Chrome\*>*
    [EOF]
    
    Bottem Line
    When you add an Anti-Executable to the mix (or simply use Smartscreen on the desktop on Windows 8 and higher), I can't imagine anything breaking these layers (File access container, Memory access container and Anti-execution). I run them with Software Restriction Policies (as basic user which allows install and update from user folders with "Run as Admin").
     
    Last edited: Apr 22, 2016
  2. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,770
    Location:
    Mexico
    Neither I can. Unfortunately somebody will figure out...:ninja:

    Thanks for sharing your knowledge.:cool:
     
  3. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    207
    Great post, Kees! I'm running AppGuard, so it seems I don't need to run Pumpernickel. I have MemProtect set up and running with no issues. Does MemProtect also duplicate AppGuard's protection? Am I gaining anything by running both together? :doubt:
     
  4. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    890
    AppGuard protects all guarded apps from writing to protected folders (read-only).
    With Pumpernickel it's possible to block all processes from writing to folders.
    In this configuration only the Filemanager can write files to d:\
    All other processes are blocked from writing to d:\
    The modification of all mp3-files is forbidden.
    "mp3editor.exe" is allowed to modify mp3-files in D:\MP3-Collection (but nowhere else)

    A lot more can be done with Pumpernickel.
    In Protected Mode the guarded Browser is able to download files and execute them.
    With MemProtect it can be further restricted.
    First: Firefox can only execute files from the Firefox-Directory (downloaded files can't be executed)
    Second: Firefox can only access/(and write to) the memory from Processes in the whitelist.
    Third: MemProtect doesn't have to be disabled before updating the browser or other programs that are in the whitelist.
    But it maybe depends on the configuration.

    AppGuard: A Guarded Firefox can theoretically start a Password Manager and access the memory of it. In this case AppGuard is not protecting the memory-access.
    (Only if the password manager was "already running" (and is not a child-process), then AG protects it)
    MemProtect: You can further restrict your apps. In the above whitelist Firefox can't run a password manager (it can only run files in the Firefox-Directory),
    Firefox can't inject into other processes and Firefox can't read/write the memory of other processes (it depends on the whitelist)
    It can be started as an additional security-layer.
    Even if AppGuard is disabled, MemProtect and/or Pumpernickel are protecting apps/files.
     
  5. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    207
    Thanks Mood! I'll go ahead and look into setting up Pumpernickel. As I said earlier, I've already got MemProtect set up and running. It would be nice if we had more than 2kb to work with in the .ini file...
     
  6. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    @Kid Shamrock

    I prefer minimal setups. I think AppGuard is one of the smartest programs. In stead of monitor a lot, it focusses on a few gates which malware needs to pass. I don't want to sound as an AppGuard sales man, but I think AppGuard by itself is enough protection against all sorts of malware. This idea is strengthened by the fact that AppGuard has won homeland security awards/certification.

    Security is a process and a state of mind, so each for themselves to decide (since your sig says AppGuard+VoodooShield+HPMA, it seems that you like to cover threats twice) Research shows that encountering False Positives actually increases the sense of security. This could explain why so many forum member prefer HPMA over MBAE.

    What I like about the MemProtect+Pumpernickel combo in above container/containment usage is that they provide solid protection with (until now) no compatibility issues and set and forget configuration.

    Regards Kees
     
    Last edited: Apr 21, 2016
  7. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    207
    Thanks Kees, I've been running AppGuard for several years and won't be without it. Like you say its probably enough just by itself, but I like to tinker and add other programs here and there just for fun not because I feel unsafe with AppGuard alone. When I was running Win7, I once went several months with just AppGuard and no AV other than on demand scanners. Never got infected by anything.
     
  8. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,202
    Location:
    in a remote land :)
    anyone being infected while using Appguard or any anti-exe must be a professional happy clicker :D
     
  9. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    I used ProgramX, Y and Z for easy recognition of the rule-set patterns for contained programs. The rules can be made tighter, but that will provide marginally more security (and a lot more hassle writing rules).

    Pumpernickel example containing ProgramX, Y and Z
    Allow contained programs write access to Windows Temp and Cache folder.
    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    !C:\Program Files\ProgramX\*>C:\Program Files\ProgramX\*
    !C:\Program Files\ProgramY\*>C:\Program Files\ProgramY\*
    !C:\Program Files\ProgramZ\*>C:\Program Files\ProgramZ\*
    
    !C:\Program Files\*>C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\*
    !C:\Program Files\*>C:\Windows\Temp\*
    
    [BLACKLIST]
    C:\Program Files\ProgramX\*>C:\Windows\*
    C:\Program Files\ProgramX\*>C:\Program Files\*
    C:\Program Files\ProgramY\*>C:\Windows\*
    C:\Program Files\ProgramY\*>C:\Program Files\*
    C:\Program Files\ProgramZ\*>C:\Windows\*
    C:\Program Files\ProgramZ\*>C:\Program Files\*
    [EOF]
    
    MemProtect example containing ProgramX, Y and Z
    Allow contained programs access to splwow64 (print) and explorer (first try whether they work alright without access to explorer.exe).
    Code:
    [#LETHAL]
    [LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    !C:\Program Files\ProgramX\*>C:\Program Files\ProgramX\*
    !C:\Program Files\ProgramY\*>C:\Program Files\ProgramY\*
    !C:\Program Files\ProgramZ\*>C:\Program Files\ProgramZ\*
    
    !C:\Program Files\*>C:\Windows\splwow64.exe
    !C:\Program Files\*>C:\Windows\explorer.exe
    
    [BLACKLIST]
    C:\Program Files\ProgramX\*>*
    C:\Program Files\ProgramY\*>*
    C:\Program Files\ProgramZ\*>*
    [EOF]
    
     
    Last edited: Apr 24, 2016
  10. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,202
    Location:
    in a remote land :)
    @Windows_Security , you always amaze me by combining some less-known applications to get very tight protections :D
     
  11. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    Thx, your welcome

    (I have developed this weird habit when not being able to write text for marketing purposes to throw myself on another problem to unlock my writers block and it works, have to go now :D to meet my deadline).
     
  12. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    658
    Location:
    Italy
    And 'advisable to insert MemProtect rules with a browser protected from an anti-exploit?
     
  13. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    The idea of containment, is to mitigate the impact, so I would not bother about anti-exploit (for patched systems the window of infection is limited) in the first place when containing the with MemProtect and Pumpernickel. To check for incompatibilities, I tried a freeware setup: EMET (for Office) and MBAE (for browsers) and they worked fine, see pictures.

    MBAE injected in Chrome
    upload_2016-4-24_10-53-33.png
    Note: I did not opt for the Premium trial, this would overlap protection (according to Malware Bytes, you should not use MBAE and EMET together).

    EMET protecting Office 2007 apps
    upload_2016-4-24_10-54-10.png

    Note: I removed browsers from protected programs and disabled Certficate trust pinning in EMET to make sure EMET did not overlap with MBAE-free.

    Edit: I tested EMET with hardened ASR setting (block: flash*.ocx;jscript*.dll;vbscript.dll,mshtml.dll;mscoreei.dll;msxml*.dl;vgx.dll) and deselected Tray Icon (notification) and that also worked fine.
     
    Last edited: Apr 24, 2016
  14. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    658
    Location:
    Italy
    Good.:thumb:
    I prefer to use MBAE Premium for the protection of the apps (Music,Film,Reader PDF) - Appcontainer.
    TH.
     
  15. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    732
    Does Pumpernickel and MemProtect need to be started every time Windows boots, or is it automated?
     
  16. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
  17. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    658
    Location:
    Italy
    I have read it right now:

    MemProtect:


     
  18. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    Yes, it is a demo, but with very strong mitigation against exploits and other memory based attacks as is shown by the HPMA testtool.

    All exploit based (in-memory attacks) are blocked from launching calculator. The only test which is allowed to run calculator is not an exploit (but a check to show that the HPMA testtool is working OK, so it needs to start calculator otherwise the test results are not reliable).

    upload_2016-4-25_12-23-23.png

    Settings which were used while running HPMA testtool against Chrome contained by Memprotect. Chrome is allowed to access Chrome (subprocesses), GoogleUpdate (for updates) and Splwow64 (for printing).
    Code:
    [LETHAL]
    [#LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    !C:\Program Files\Google\Chrome\Application\chrome.exe>C:\Windows\splwow64.exe
    !C:\Program Files\Google\Chrome\Application\chrome.exe>C:\Program Files\Google\Chrome\Application\chrome.exe
    !C:\Program Files\Google\Chrome\Application\chrome.exe>C:\Program Files\Google\Update\GoogleUpdate.exe
    [BLACKLIST]
    *chrome.exe>*
    [EOF]
    
     
    Last edited: Apr 25, 2016
  19. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Kees, these programs seem ideally suited for you (spekkie naar je bekkie ;))
    Are you in contact with these guys? Any info on beta->rc path?
     
  20. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    @Baserk, WildByDesign has a direct line with the Developer (Florian). MemProtect is a tiny driver which uses Windows build-in mechanism, so yes I am following it closely.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    Since it was asked. Appguard's memory guard also prevents guarded apps from having their memory read or having them read other processes memory
     
  22. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    My current setup using Memprotect and Pumpernickel

    Chrome locked down (caged in File and Memory container)
    Office run in LUA container (can't infect UAC protected folders/programs)
    Protect user data (Office and media files) against ransomware by limiting write access to Office (and explorer) only

    Memprotect
    Code:
    [LETHAL]
    [#LOGGING]
    [DEFAULTALLOW]
    [WHITELIST]
    !C:\Program Files\Google\Chrome\Application\chrome.exe>C:\Windows\splwow64.exe
    !C:\Program Files\Google\Chrome\Application\chrome.exe>C:\Program Files\Google\Chrome\Application\chrome.exe
    !C:\Program Files\Google\Chrome\Application\chrome.exe>C:\Program Files\Google\Update\GoogleUpdate.exe
    
    !C:\Programm Files\Microsoft Office\*>C:\Windows\splwow64.exe
    !C:\Programm Files\Microsoft Office\*>C:\Programm Files\Microsoft Office\*
    [BLACKLIST]
    *chrome.exe>*
    
    C:\Programm Files\Microsoft Office\*>C:\Windows\*
    C:\Programm Files\Microsoft Office\*>C:\Program Files\*
    [EOF]
    
    Pumpernickel
    I have my Office docuents on D, Entertainment (pictures, movies) in E and , Mail (plus download) in M partition (all on second harddisk)
    Code:
    [LETHAL]
    [#LOGGING]
    [WHITELIST]
    !C:\Windows\explorer.exe>*
    !C:\Program Files\*>C:\Windows\Temp\*
    !C:\Program Files\*>C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\*
    
    !C:\Program Files\Google\Chrome\Application\chrome.exe>C:\Users\Kees\AppData\Local\Google\*
    !C:\Program Files\Google\Chrome\Application\chrome.exe>M:\Downloads\*
    !C:\Program Files\Google\Chrome\Application\chrome.exe>M:\Downloads
    
    !C:\Program Files\Microsoft Office\*>D:\*
    !C:\Program Files\Microsoft Office\*>E:\*
    !C:\Program Files\Microsoft Office\*>M:\*
    !C:\Program Files\Microsoft Office\*>C:\Programm Files\Microsoft Office\*
    
    [BLACKLIST]
    *chrome.exe>*
    
    C:\Programm Files\Microsoft Office\*>C:\Windows\*
    C:\Programm Files\Microsoft Office\*>C:\Program Files\*
    
    *>M:\*.pst
    *>D:\*.pdf
    *>D:\*.xps
    *>D:\*.doc
    *>D:\*.docx
    *>D:\*.xls
    *>D:\*.xlsx
    *>D:\*.ppt
    *>D:\*.pptx
    *>E:\*.jpg
    *>E:\*.mov
    *>E:\*.mpg
    [EOF]
    
    Note: only ransomware hole is Explorer access, but with SRP anti-execute and Memprotect mitigation this is reduced to very low rsk
     
    Last edited: May 2, 2016
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,635
    Location:
    Toronto, Canada
    @Windows_Security Your thoughtful and detailed setups, regardless of which software used, are always very interesting and educational. Thank you for sharing.

    I was speaking with Florian yesterday and he had mentioned that the Pumpernickel project driver has actually been downloaded far more times recently in comparison to Bouncer or MemProtect. There seems to be a lot of interest in Pumpernickel at least as far as downloads go.
     
  24. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,083
    Location:
    Netherlands
    @WildByDesign
    For a family member with soms click happy kids, I can confirm that pumpernickel with explorer++ beats ransomware. Replacing explorer with explorer++ closes the allow all hole for Windows Explorer. Ransomware infects explorer but pumpernickel allows explorer++. All family foto's were untouched. So I can imagine the interest in Pumpernickel.

    I am also changing to explorer++ now. I had not installed explorer++. The guy is a teacher on a school which promotes the use of open software. For ease of use he had also installed explorer++ on his own PC. I had not realized what an advantage dropping explorer would be (explorer running medium integrity level is often a target for malwares).

    Thx 4 info
     
    Last edited: Apr 30, 2016
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,078
    @Windows_Security
    Does explorer++ replace explorer.exe as a shell or only as file manager? If it's only file manager then explorer.exe still runs in background and could potentially be targeted by malware.
     
Loading...