
FAQ

Answers to frequently asked questions.


Last updated on 2017/05/14 by F. Rienhardt

General

Why yet another IT-security company?

We think that there are still too few companies located in Germany that deal with self-made IT security solutions, entirely programmed in Germany and with 'German Gründlichkeit'. Security solutions on the market come with quite a lot of applications and dynamic libraries, they install several services and drivers, might slow down system performance, and in the end the user does not know what such an endpoint security product really does. We think less is more, and this is what Excubits is all about: build tiny, fast and reliable IT security solutions that help you mitigate new attacks the ordinary anti-virus and (desktop) firewall cannot.

Your solutions are not new! Why should I use your stuff?

Well, the first impression might be that you already know our solutions from other companies, but there is a difference. We only use kernel modules, no service applications interacting with our protection drivers; this is a novelty. We also guarantee not to track our users, meaning that we do not collect any telemetry data. Additionally, we keep things very simple and open: you do not buy a black box, you directly interact with our solutions. There are no tricks and no gimmicks, we also provide great support and are open-minded. We also do not request annual fees: buy once, use forever.

Where are you located?

We are located in Bonn, Germany. It was the former capital city of Germany and is near Cologne, a big German city you might have heard of. It is a really nice place to live; we like the River Rhine, the very special mentality of the people here (Rhinelanders) and Karneval. Cologne/Bonn is a really cool place to live and to locate a young company. So, if you visit Germany and are near Cologne/Bonn, let us know.

Can I have the source code?

Question: Would you sell your soul?

I have a great idea about a partnership. How to proceed?

If it is a serious idea, contact us. But please do not waste our time with shady, anonymous requests, hiding yourself behind funny e-mail addresses. Please provide us with enough information about the partnership or project you are interested in, so we can follow up. Please do not send us e-mails just saying you have a "great idea" and "business opportunity" without any further information.

I like your products, but I do not like to pay. Can I have it for free?

Well, go to your local supermarket and try to get things for free. If you are successful, please let us know, so we can go there, too.

We have a "trillion" active users on our web site, would you feature a giveaway?

No.

Do you offer consulting and coaching?

Sure, we do consulting regarding IT-Sec, Kernel Driver Development, Driver Signing, etc. We offer IT-Sec coaching as well. Please get in contact for more details.

I am a business angel, and I'd like to support your company. How to proceed?

Great, please get in contact for more details.


Licensing, Payment and Support

Do you offer technical support?

We offer direct technical and 3rd level support, please contact us for more details and costs. If you buy a non-commercial (private user) license we will provide e-mail support for the first year and provide updates. For more support and pricing, please get in contact with us.

Do you offer custom implementations?

Yes, we offer custom implementations based on our core drivers, but we can also develop new drivers on request. Please get in contact for more details.

What types of licenses do you offer?

We offer personal and company-site licenses, both commercial and non-commercial. Special options, such as no-brand, white-label or reselling agreements, are possible. Please get in contact for more details.

What is meant by "no annual fees"?

There are no yearly/annual fees to use our software. Once paid you can use it as long as you like.

Is it possible to deploy your software using MSI files?

Yes.

How long do I receive product updates?

You receive product and feature updates for 1 year after purchase. After that year you can still use our software without any restrictions; you just no longer receive feature updates.

I have lost my software license/download code. What can I do?

Please contact us and include your Order ID (or date), name or order email address so we can identify your order.

Do you offer discounts for non-commercial entities (e.g. Schools, Universities, or CERTs)?

Yes, please get in contact for more details.

I cannot afford your products. Can I get them for free?

Well, go to your local supermarket and try to get things for free. If you are successful, please let us know, so we can go there, too.

I do not want to use Paypal for payment, what can I do?

You can use direct wire-transfer or send us the money via snail-mail in cash. Please contact us for more details.

I do not trust you, and do not like to pay via prepayment. What can I do?

This is a free world, please be so kind and go to another vendor. Thanks.

Is it possible to re-distribute your solutions?

Yes, please get in contact with us. We only do business with real, existing companies and people; do not waste our time with anonymous requests or, as a private person, hiding yourself behind funny e-mail addresses. You want to do business?! Act like a businessman.

If I buy multiple licenses do I get a discount?

Nope.

Do you offer on-site support?

Yes, please get in contact with us.

We are a large company and would like to license. Do you offer volume based / site licenses?

Sure, we do. Please get in contact with us.

We use GPOs or a scalable Software Distribution System. Is it possible to deploy your software with these?

Yes, we also provide MSI packages for our products on request. We can also build custom MSI packages for you on request. Please get in contact with us.


Bouncer

Is Bouncer suitable for ATMs?

Sure, Bouncer perfectly suits the needs of ATMs and other Self-Service Cash- and Payment-Systems. Please do not hesitate and contact us, we are happy to help.

I am using Bouncer now, do I still need an Anti-Virus?

If you ask for our opinion: well, you should still use Windows' built-in Defender, but you can save money and yearly fees. Having paid for Bouncer once and using Microsoft Defender is all you need to protect your PC against a lot of the threats out there; there is no need for additional protection. But if you feel more comfortable with one, there is no reason not to use an extra anti-virus.

Is it possible to configure Bouncer less strictly?

Sure, but this lowers overall security, so we decided not to ship a non-strict configuration. If you know what you are doing and can handle the risk, we can provide suggestions for a less strict configuration. Just let us know and contact us.

Does Bouncer support Windows 10 Anniversary Update and Windows 10 Creators Update?

Yes, indeed. Bouncer supports Windows 7, 8, 8.1, 10, 10 Anniversary Update and Creators Update: 32-bit and 64-bit editions.

Shall I really use [PARENTCHECK] or [CMDCHECK]?

It depends on your setup and security requirements. If you are a standard user and do not have a lot of applications installed, just using the [WHITELIST] and [BLACKLIST] is fine. If you need a more granular security setting, we recommend using the [PARENTCHECK] or [CMDCHECK] features.

If you are a beginner we highly recommend just starting with the [WHITELIST] and [BLACKLIST]; once you feel comfortable with Bouncer you can bring your security setup to another level using [PARENTCHECK] or [CMDCHECK]. In case of any questions, please do not hesitate to contact us. We are happy to help.

Isn't Bouncer the same as Software Restriction Policies?

No, Bouncer does more and supports all recent versions of Windows right out of the box. No need for registry hacks or to mess with SRP configuration dialogs. Bouncer is more powerful and more flexible.

I know other software that is better and more secure. Why should I use Excubits' products?

Ok, thanks for your feedback. Well, read "Company -> About Excubits" and "Company -> Principles".

What about Bouncer and Windows XP/Vista?

We still have internal versions of Bouncer supporting Windows XP and Vista, but they do not support all the cool new features of Bouncer, because both operating systems are fairly old and do not provide all the APIs Bouncer makes use of now. We can still provide special versions for Windows XP and Vista. Please get in contact for more details.

Bouncer is a strange name. What does it mean?

You know these guys at the front and back door of your favorite night club that check the guest list, your dress code etc. We thought that the word bouncer perfectly describes what our software does: it checks the entry against a guest list (the whitelist) and lets executables in or not.

My PC is used by different persons. Do I need multiple licenses?

No, the license is bound to the PC not the user: 1 PC = 1 License, the PC can be used by different users with different user-accounts on it. If you replace the PC you can use the same license on the replaced PC, no relicensing is needed.

On Windows Vista and 7 there is a signature failure, why?

Ensure you have patched Windows Vista and 7 against the known code-signature bugs that can cause failures when installing and starting kernel drivers signed with state-of-the-art code-signing certificates. You should at the very least install the following patches: KB3033929, KB2813430, KB3123479 and KB3097966.

What kind of malware will Bouncer protect against?

Bouncer is a path-based whitelisting driver that can block malicious executables such as EXEs, DLLs and system drivers on Windows. Bouncer can lock down your Windows OS to prevent infection by typical malware and ransomware, especially the well-known cryptolocker malware. Bouncer can also prevent malicious executables, dynamic link libraries and drivers from being started accidentally from external USB drives, e-mail attachments or the browser's cache, or even through a nasty exploit.

Is there a list of executable extensions Bouncer blocks?

Bouncer does not look at file extensions; it watches executable code being mapped into memory. The driver is notified whenever a process tries to load executable code into memory, and that can be any type of file, whatever its extension. Bouncer checks whether the target memory was marked as executable; if so, Bouncer's rules engine filters the corresponding file. For this reason someone could also load an image file, an MP3 or a text file with the executable flag, and that would also result in an alert. Normally only real applications are loaded with the executable flag enabled, so Bouncer's filter mechanism works very well and cannot be tricked by fake calls to ShellExecute or LoadLibrary using file names like evil.exe.jpg or evil.dll.mp3 to load and execute a Windows executable under any name or extension.

In general it is difficult to provide a full list of file extensions that Bouncer will block. Normally it covers .exe, .scr, .ocx, .com, .dll, .cpl, .lib, .so, .bin, .sys and .drv, because these extensions are commonly used for executables.

Are path rules secure?

Well, it depends on how you define secure and especially on the conditions under which you use Bouncer. During development we ran through dozens of proofs of concept, we tried different options and configurations, etc. Finally we came to the conclusion that we must balance comfort against effective protection.

Bouncer strikes the right balance between usability and additional security for the ordinary Windows installation and everyday business. It can block classic attack vectors through exploits that target applications, where just one accidental click infects a system even if it is protected by an AV. On the other hand, using Bouncer is not too complicated, so users will not notice that Bouncer is running and are not bothered by it. The latter should not be underestimated, because a security tool that annoys its users will more likely be disabled or worked around, making the overall system even more prone to attacks.

Bouncer ideally enhances system security in combination with an installed firewall and AV, and hence can mitigate attack vectors that the ordinary AV cannot overcome due to the update difficulty mentioned above. Together with a sandboxed web browser and not surfing with root/admin permissions, this greatly increases security in daily work. If additionally used together with Microsoft's Enhanced Mitigation Experience Toolkit (EMET), overall security is close to a silver bullet. EMET is a great set of tools designed to protect your Windows-based systems before new security threats are addressed by security updates from the vendor itself or by security products like malware scanners.

Is Bouncer a Kernel Mode Driver (KMD)? How does it work?

Yes, for sure: Bouncer is a real kernel mode driver (KMD); it runs entirely in the Windows kernel. There are no tricks and no gimmicks. The driver is completely independent of user mode; it does not communicate with any service process in user mode, and this is what makes Bouncer special. Most other security applications need at least one user-mode service (or other auto-start application) managing their solution.

Technically our driver implements a WDF minifilter KMD that filters out binary executable code. For more details on kernel-based monitoring, please read our technical whitepaper KernelBasedMonitoring, written by F. Rienhardt (founder of Excubits and passionate hacker).

What does pausing the driver mean?

Pausing the driver is technically the same as stopping the driver, doing whatever you want to do and then starting the driver again. It is just a convenience feature.

When does the driver start up?

At an early stage of boot-up. The driver fires up directly after kernel init: the boot loader loads the kernel and performs its own initialization, then hands over to the kernel, which performs the kernel init. This is where Bouncer is fired up, so everything happens at an early stage, and this is why Bouncer is able to protect your PC even during boot-up. We think this is something very special in contrast to other solutions, which often use drivers at a higher level or just ordinary Windows services that get started later.

You can prove it yourself by putting no whitelist rules into the .ini and starting Bouncer in [#LETHAL], [LOGGING] mode. You will see which drivers would have been blocked at start-up, which shows that Bouncer starts at a very early stage. Bouncer would be able to block system-critical drivers, too. Not that you should block these, but you can see how early Bouncer is ready to protect.

Some software isn't working properly after installing Bouncer. What can I do?

Enable the so-called non-lethal mode of Bouncer by setting [#LETHAL] in Bouncer.ini. Then restart the driver and try to install or start the software that was not working properly. Open the log file (Bouncer.log) and check whether any files are logged that are not covered by your current rules. If so, add those files or paths to your rules and start your application again. Once Bouncer no longer blocks and logs the executables, you can re-enable lethal mode and your software should run properly. If not, please contact us.
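The log-triage workflow described above, together with the earlier point that Bouncer judges a file by the path it is loaded from rather than by its extension, as an added example that is not code from the original page or from Excubits: a small Python model of a path-based whitelist engine plus a helper that reads a non-lethal-mode log and lists the paths the current rules still do not cover. The section names [WHITELIST], [BLACKLIST], [LETHAL]/[#LETHAL] and [LOGGING] come from the FAQ; the one-pattern-per-line rule syntax with * as wildcard, the blacklist-over-whitelist precedence and the Bouncer.log line layout are assumptions made for this example, not the real product's formats, and the sample configuration and log lines are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample configuration. Section names come from the FAQ; a leading
# '#' disabling a section is taken from the FAQ's [#LETHAL] / [#LOGGING] usage.
# One path pattern per line with '*' as wildcard is an ASSUMPTION about the format.
SAMPLE_INI = r"""
[#LETHAL]
[LOGGING]
[WHITELIST]
C:\Windows\*
C:\Program Files\*
[BLACKLIST]
C:\Windows\Temp\*
"""

# Constructed sample log. The real Bouncer.log layout is not documented on the
# page; "timestamp verdict full-path" is an ASSUMPTION made for this example.
SAMPLE_LOG = r"""
2017-05-14 10:01:02 BLOCKED C:\Users\alice\AppData\Local\Temp\setup_7z.exe
2017-05-14 10:01:03 BLOCKED C:\Users\alice\AppData\Local\Temp\update\updater.exe
2017-05-14 10:02:10 BLOCKED C:\Users\alice\Downloads\evil.exe.jpg
2017-05-14 10:02:11 ALLOWED C:\Windows\System32\notepad.exe
2017-05-14 10:02:12 BLOCKED C:\Users\alice\AppData\Local\Temp\setup_7z.exe
"""


@dataclass
class Config:
    lethal: bool = True      # [LETHAL] enforces, [#LETHAL] only logs
    logging: bool = False
    whitelist: list = field(default_factory=list)
    blacklist: list = field(default_factory=list)


def parse_ini(text):
    """Parse the assumed ini format: [SECTION] headers, '#' disables a switch section."""
    cfg, section = Config(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            name = line[1:-1]
            enabled = not name.startswith("#")
            section = name.lstrip("#").upper()
            if section == "LETHAL":
                cfg.lethal = enabled
            elif section == "LOGGING":
                cfg.logging = enabled
            continue
        if section == "WHITELIST":
            cfg.whitelist.append(line)
        elif section == "BLACKLIST":
            cfg.blacklist.append(line)
    return cfg


def _compile(pattern):
    # '*' matches any run of characters, backslashes included; everything else is
    # literal. Matching is case-insensitive because NTFS paths are.
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", re.IGNORECASE)


def evaluate(cfg, path):
    """Rule verdict for a full path. Blacklist entries are assumed to take precedence
    over whitelist entries; a path no rule allows is blocked (default deny). The file
    extension plays no role: evil.exe.jpg is judged by its location like any other file."""
    if any(_compile(p).match(path) for p in cfg.blacklist):
        return "BLOCK"
    if any(_compile(p).match(path) for p in cfg.whitelist):
        return "ALLOW"
    return "BLOCK"


def enforce(cfg, path):
    """What the driver does with the verdict: in non-lethal mode ([#LETHAL]) a BLOCK
    verdict is only written to the log and the image still loads."""
    verdict = evaluate(cfg, path)
    if verdict == "BLOCK" and not cfg.lethal:
        return "LOG"
    return verdict


LOG_LINE = re.compile(r"^\S+ \S+ (?P<verdict>[A-Z]+) (?P<path>.+)$")


def uncovered_paths(cfg, log_text):
    """Paths logged as BLOCKED that the current rules still do not allow, deduplicated
    in log order. Review each one before adding it; prefer an exact path entry, because
    whitelisting a whole user temp folder with a wildcard re-opens exactly the location
    both updaters and droppers like to run from."""
    seen = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m and m.group("verdict") == "BLOCKED":
            path = m.group("path")
            if evaluate(cfg, path) == "BLOCK" and path not in seen:
                seen.append(path)
    return seen


if __name__ == "__main__":
    cfg = parse_ini(SAMPLE_INI)
    print("lethal:", cfg.lethal, "logging:", cfg.logging)
    for p in uncovered_paths(cfg, SAMPLE_LOG):
        print("not covered by current rules:", p)
```

Running the script lists the two temp-folder binaries and the Downloads file; adding only the exact setup_7z.exe path to [WHITELIST] and running it again shows the remaining two, which is the loop the answer above describes before switching back to [LETHAL].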

Is Bouncer bullet proof?

Well, answering the bullet-proof or silver-bullet question is a bit difficult in IT... There is no protection software out there that will guarantee you one hundred percent protection. Bouncer can block classic attack vectors through exploits that target applications, where just one accidental click infects a system even if it is protected by an AV. On the other hand, using Bouncer is not too complicated, so users will not notice that Bouncer is running and are not bothered by it.

Bouncer ideally enhances system security in combination with an installed firewall and AV, and hence can mitigate attack vectors that the ordinary AV cannot overcome due to the update difficulty mentioned above. Together with a sandboxed web browser and not surfing with root/admin permissions, this greatly increases security in daily work. If additionally used together with Microsoft's Enhanced Mitigation Experience Toolkit (EMET), overall security is close to a silver bullet.

Does Bouncer run under Windows Server?

Yes, it supports Windows Server, including the Server Core editions, yet another thing that makes our solution very special and outstanding! Bouncer can dramatically help you secure cloud infrastructures based on Microsoft Windows Server.

If you need more information, please do not hesitate and contact us.

Does Bouncer support virtual machines?

Yes, of course. Bouncer runs perfectly on VM-based Windows installations. It can not only protect your virtualized Windows guest system, it can also help to dramatically enhance the security of your Windows-based VM host. If you have any questions on virtualization, please feel free to contact us.

Can I use Bouncer to build a VM-based Secure Desktop?

Sure, you can use Bouncer as a base for virtualized (VM-based) Secure Desktops in modern BYOD scenarios as well as in highly secured virtual business desktop environments. Excubits Bouncer runs on many virtual machine platforms (e.g. VMware, VirtualBox), and you can use it to secure virtual desktops or the underlying hosts to enhance overall security dramatically. If you need more information, please do not hesitate to contact us.

Does Bouncer support the Windows Event Log?

Yes, it does. Additionally, you can set up your own reporting tools for central reporting (e.g. sending e-mail warnings to administrators, SMS or other short messages to mobile and smart phones, SNMP traps, etc.). Bouncer is open, and we support our customers, for an extra charge, in easily integrating the driver into their existing infrastructure.

Some (automatic) software updates cannot be installed, why?

Some software update processes internally work the same way as malware: they create temporary folders, copy executable files into them and start their update tools from there. As such, they will also be blocked by Bouncer. In such cases you SHALL disable Bouncer while installing the updates. Do not forget to enable the driver again after the update has been installed.


FIDES / PUMPERNICKEL

While running FIDES I cannot perform a chkdsk on reboot. What can I do?

Please disable logging via [#LOGGING] in the .ini file and reboot your system to perform chkdsk. After CHKDSK has run successfully, you can enable [LOGGING] again.

On Windows Vista and 7 there is a signature failure, why?

Ensure you have patched Windows Vista and 7 against the known code-signature bugs that can cause failures when installing and starting kernel drivers signed with state-of-the-art code-signing certificates. You should at the very least install the following patches: KB3033929, KB2813430, KB3123479 and KB3097966.

Why can network drives not be protected?

Pumpernickel can only intercept calls to the local file systems. A network drive is attached to another (remote) computer; your Windows PC and its kernel do not have access to the core of the remote system and hence cannot block access attempts there.

Direct and Raw access is not blocked by Pumpernickel, why?

Pumpernickel only intercepts the file system, not the underlying device, and hence cannot block calls to the drive's core, because this is out of scope.

I have installed another device driver. This driver is able to access protected drives, why?

Because it is a driver that runs in kernel mode. Code in the kernel has full power over your system; there is little (nothing) Pumpernickel can do. If someone manages to obtain root access and is able to load kernel code, he/she has full control over your system. Please use a layered approach to protect your system: at the very least an AV, a firewall, an anti-EXE tool (e.g. Bouncer) and Pumpernickel. If you have additional questions, contact us.