Newsblog

News about Excubits and IT-Security
Stay up to date and subscribe to our newsletter.

Reconstruction of Bouncer’s Rules Engine

Should we implement a new Bouncer rules engine?

2017/12/05 by F. Rienhardt

We have received some feedback on Bouncer. Many users asked us to simplify the rules or to add more features. We think that Bouncer's feature list is already close to the maximum: configuration can be messy and very complex, so we do not want to add more functionality right now. Bouncer is a very solid driver and provides enough functionality to massively harden Microsoft Windows for daily SOHO and even professional use. More features would only make users more confused, and in the end overall security would be lowered, or there is the risk of pesky bugs which lead to an insecure system.

We have to admit that the .ini file got a bit complicated over time. Well, this is also the result of adding new features. We thought about options to make your life a bit easier and think that combining the normal white- and blacklist with the parent white- and blacklist will reduce the complexity of rules and help to get rules specified much more easily. Our plan is to have just one white- and blacklist. If you have specified a parent > child line, it will be interpreted, guess what, as a parent-checking rule. If there is no >-symbol, it will be interpreted as a standard rule (or in other words: it will apply to every parent making the call). This should reduce complexity and, on the other hand, will not lower overall security. The only difference is that there is one white- and blacklist for processes and another one for the command line stuff.

We would be happy to hear from you! What do you think about this idea, should we implement it and make it available in the Beta Camp? Just contact us and give us some informal notes. You do not need to provide your name or e-mail address in the contact form; just let us know what you think, no personal information is required. Thanks.

Some users also asked for reporting of logs and deployment of configuration updates. Well, we will publish scripts and some notes on how to use Bouncer at larger scale. As our tools are designed to be simple, you can configure them with simple scripts, e.g. started on boot-up, on idle or on shutdown via standard GPOs. If you are an admin, this should really be a piece of cake. There are no vendor-specific tools needed; everything can be done by simple scripts. Believe it or not, this is the way to go.


How parent process checking and command line scanning can help to defeat Exploits

Lessons learned from CVE-2017-11882

2017/11/24 by F. Rienhardt

You might have heard of CVE-2017-11882, a Microsoft Office memory corruption vulnerability: Office fails to properly handle objects in memory. The vulnerability can be triggered e.g. through the Equation Editor. By using scripting languages (VBE or PowerShell) or just some well-known system tools (e.g. bitsadmin, rundll32) in a "cmd.exe /c" shell, an attacker could easily download and execute malware on a vulnerable machine. This vulnerability also shows that classical application whitelisting is not enough to protect you. Using a blacklist to block well-known and often abused system tools or scripting interpreters can help to reduce the risk of what is going to happen after an exploit hits your machine.

Most payloads are modular and work in stages to infect a target with malware. There is a dropper which is responsible for delivering a component used by the attackers to manage the final attack. This component installs and controls other software, connects to remote servers and receives commands. By using a combination of parent process checking, command line scanning and a well-defined blacklist, you can defend against a whole bunch of currently known attack stages and mechanisms.

By using parent process checking you can easily enhance protection. Why should e.g. Microsoft Office execute any system tools or cmd.exe? This is where parent process checking can help to raise your protection level. Applications like Word, Excel, PowerPoint, Adobe Reader and browsers should only execute the executables needed to run their core functions; no additional applications should be executed if they are not relevant for the main application to function. I.e. all other applications should be blacklisted.

You should also use a blacklist of system tools which are not needed to run Windows on a daily SOHO basis and hence should be blocked from execution. If you want to go over the top, you could also add additional exploit mitigation techniques using MemProtect or EMET.
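To make the two ideas above concrete, the combined white-/blacklist proposed in the "Reconstruction of Bouncer's Rules Engine" post at the top of this page and the parent-process-checking advice in this post, here is an added example that is not Bouncer's own code and not Excubits' .ini grammar. It parses a constructed rule list in which a `parent>child` line is a parent-checking rule and a line without `>` applies to every parent, then decides process-start events against it. The section names, the wildcard matching (fnmatch) and the evaluation order (blacklist first, then whitelist, otherwise deny) are assumptions made for this example.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rule list (assumed layout, not Bouncer's real .ini grammar).
# "parent>child" lines are parent-checking rules; lines without ">" apply
# regardless of which process starts the child.
CONSTRUCTED_RULES = r"""
[WHITELIST]
C:\Windows\*
C:\Program Files\*
C:\Program Files (x86)\*
[BLACKLIST]
*\winword.exe>*\cmd.exe
*\winword.exe>*\powershell.exe
*\excel.exe>*\cmd.exe
*\excel.exe>*\powershell.exe
*\bitsadmin.exe
*\infdefaultinstall.exe
"""


@dataclass(frozen=True)
class Rule:
    child: str             # wildcard pattern for the started executable (lowercased)
    parent: Optional[str]  # wildcard pattern for the parent, None = any parent
    text: str              # the original rule line, for reporting


def parse_rules(ini_text: str) -> Tuple[List[Rule], List[Rule]]:
    """Split the constructed [WHITELIST]/[BLACKLIST] text into two rule lists."""
    whitelist: List[Rule] = []
    blacklist: List[Rule] = []
    current: Optional[List[Rule]] = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.upper() == "[WHITELIST]":
            current = whitelist
            continue
        if line.upper() == "[BLACKLIST]":
            current = blacklist
            continue
        if current is None:
            raise ValueError(f"rule outside of a section: {line}")
        if ">" in line:
            parent, child = (part.strip() for part in line.split(">", 1))
        else:
            parent, child = None, line
        current.append(Rule(child=child.lower(),
                            parent=parent.lower() if parent else None,
                            text=line))
    return whitelist, blacklist


def _matches(rule: Rule, parent_path: str, child_path: str) -> bool:
    """Windows paths are case-insensitive, so compare lowercased strings."""
    if not fnmatch.fnmatchcase(child_path.lower(), rule.child):
        return False
    return rule.parent is None or fnmatch.fnmatchcase(parent_path.lower(), rule.parent)


def decide(whitelist: List[Rule], blacklist: List[Rule],
           parent_path: str, child_path: str) -> Tuple[str, str]:
    """Assumed evaluation order: a matching blacklist rule blocks, otherwise a
    matching whitelist rule allows, otherwise the start is denied."""
    for rule in blacklist:
        if _matches(rule, parent_path, child_path):
            return "BLOCK", rule.text
    for rule in whitelist:
        if _matches(rule, parent_path, child_path):
            return "ALLOW", rule.text
    return "BLOCK", "default deny (no whitelist match)"


def evaluate_constructed_events() -> List[Tuple[str, str, str, str]]:
    """Run a few constructed process-start events through the rules."""
    whitelist, blacklist = parse_rules(CONSTRUCTED_RULES)
    office = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    explorer = r"C:\Windows\explorer.exe"
    events = [
        (explorer, office),                               # user opens Word
        (office, r"C:\Windows\System32\cmd.exe"),         # Word spawns a shell
        (explorer, r"C:\Windows\System32\cmd.exe"),       # user opens a shell
        (explorer, r"C:\Windows\System32\bitsadmin.exe"), # tool on the blacklist
        (explorer, r"C:\Users\alice\Downloads\setup.exe"),# unknown location
    ]
    return [(p, c) + decide(whitelist, blacklist, p, c) for p, c in events]


if __name__ == "__main__":
    for parent, child, verdict, why in evaluate_constructed_events():
        print(f"{verdict:5} {child}  (parent: {parent})  <- {why}")
```

Note that the same `cmd.exe` binary is allowed when explorer.exe starts it and blocked when winword.exe does, which is exactly the distinction a plain path whitelist cannot express.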


Minor changes to our blacklist

Updated Blacklist for Bouncer

2017/11/19 by F. Rienhardt

We have updated our blacklist for Bouncer. We added infdefaultinstall.exe, LxssManager.dll, system.management.automation.dll and fsi.exe, among others. We recommend switching Bouncer (and CommandLineScanner) to [#LETHAL] mode before using the new list on production systems. If there are no warnings, you can then switch Bouncer to [LETHAL] mode.


64-bit Tray Apps for Bouncer, Türsteher, MZWriteScanner and CommandLineScanner

Updated Binaries

2017/11/01 by F. Rienhardt

We have updated the full versions of Bouncer, Türsteher, MZWriteScanner and CommandLineScanner. All full versions now come with 64-bit versions of the Tray App. The Tray Apps for MZWriteScanner and CommandLineScanner were slightly enhanced. All drivers and apps are ready for the Windows 10 Fall Creators Update and should integrate perfectly into the brand new version of Microsoft Windows, in both the 32-bit and 64-bit flavors.

Addendum (2017/11/05): Due to a display error in the TrayApp we have updated the 64-bit version of the Bouncer TrayApp for the full version.


Windows 10 Update

Excubits Tools and the Windows 10 Fall Creators Update

2017/10/15 by F. Rienhardt

On October 17th, Microsoft releases the Windows 10 Fall Creators Update. We tested our drivers with both the 32-bit and 64-bit editions of Microsoft Windows 10 including the Fall Creators Update and it worked out very well. There are no issues to expect. If you install the update on your computer, we recommend that you either switch the drivers to [#LETHAL] or [#INSTALLMODE], or simply deactivate/uninstall the drivers for the updating process. After successful installation you can activate the drivers or re-install the binary packages as you want. If you have any questions, we are happy to help, just let us know.


Cybercrime, Malware

Every second Internet user has already been victimized

2017/10/15 by F. Rienhardt

According to a survey conducted by the digital association Bitkom, almost one in two (49%) German Internet users have been victims of cybercrime in the last twelve months. According to the survey, the most common attack vector was malware such as viruses, trojans or ransomware. This shows once again that classical protection programs are no longer sufficient. Additional protection such as Bouncer, MemProtect or FIDES can better defend against attacks, even brand-new campaigns where definition-based protection systems fail due to late updates.


x64-bit Edition Tools, new option for Bouncer

New versions of TrayApps

2017/09/25 by F. Rienhardt

We have just released new versions of Türsteher's and Bouncer's TrayApp. The tray application now supports a Stop-Click-Start feature: in some situations users like to quickly stop the driver, then start some applications that would have been blocked with Türsteher/Bouncer enabled, and then start the driver again. For your convenience we have integrated this functionality into a one-click option. The driver gets stopped, then a modal message box appears; if you click OK, the driver will be started again, so you can easily decide when to start the driver again. If you do not click OK for 10 minutes, the message box disappears and the driver will automatically be started again.

Besides this feature we have also compiled the tools for Türsteher, Bouncer, MZWriteScanner and CmdLineScanner for x64. Like our drivers, the tools will also come in an x64 edition.

You can check out the latest build at the Beta Camp. The tools are almost finished and fully signed, but we decided to first release them to the Beta Camp and then build the final installation packages. You can use the binaries for both the full and the demo versions. Have fun!


MZWriteScanner $FORENSICS-Folder uses a lot of space

Current Microsoft Windows Patchday

2017/09/13 by F. Rienhardt

The updates rolled out in the current Microsoft Windows Patchday can take up a lot of space in the $FORENSICS folder under Windows 7, 8 and 10 if MZWriteScanner's forensic logging is enabled. This is caused by the large number of downloaded and patched executables written while the patches are installed onto the computer. If you do not have enough space on your hard drive (at least 20GB), you should disable forensic logging in MZWriteScanner while running through the current Microsoft Windows Patchday.


Network Maintenance

New network provider

2017/09/02 by F. Rienhardt

Dear customers! Due to increased technical problems on the part of our current network provider, we will change to another provider. During this weekend you may run into connection problems. We apologize for this.


Updates for MemProtect and Pumpernickel

Final version of MemProtect released, fixed Pumpernickel

2017/07/30 by F. Rienhardt

We are happy to announce that the beta phase for MemProtect is over and we have created the final package for MemProtect. The driver now supports module filtering and is signed with our brand new EV code signing certificate.

We have also updated Pumpernickel. While reviewing the source code we optimized the core driver a little bit, in particular the memory management. We also found a bug which caused some blacklist rules not to be overruled by specific priority whitelist rules.

Additionally we have integrated the play sound and balloon notification features into the Tray Applications for both drivers. We also compiled 64-bit versions of the tools, so if you are using a 64-bit version of Microsoft Windows, you can now make use of true 64-bit tools. We will update the other packages soon, so all tools will come in a 64-bit flavour with the new play sound/balloon feature as well. For clarification: the drivers were and are always available as 32- and 64-bit editions; we now just ship 64-bit versions of the additional tools.

We would like to send greetings to M. King, WildByDesign and Shizzle for their great ideas, support and feedback. If you have any questions, please do not hesitate to contact us. We are always happy to help and to stay in contact with our customers.

2017/08/02 Update:

The previous installer for MemProtect contained an .ini file which was missing some of the optional fields. We have updated the installer package with a new .ini file.


Some new versions in the Excubits Beta Camp

Updated Public Domain Tool and x64 Tools for Bouncer

2017/07/09 by F. Rienhardt

We have updated our Public Domain Tool; it now supports querying the drivers' status using winmgmts, so the tray tool does not perform command line calls. This can be beneficial if you make use of the command line filtering options in our drivers, because from now on you do not need to specify whitelist rules for the tray application. We would like to give credit to Shizzle for sharing his adapted version.

You will also find new x64 versions of the Bouncer Tray and Admin Tool apps in the Beta Camp. It is just a 64-bit version of the well-known Bouncer tray app and admin tool; we plan to release 64-bit versions of all our tools in the next few weeks.


Blacklist suggestions from Microsoft's Device Guard Team

Updated Blacklist for Bouncer and Command Line Scanner

2017/06/19 by F. Rienhardt

Microsoft's Device Guard Team maintains a list of “vulnerable applications” which they recommend putting onto a blacklist. The named applications can be used to bypass Device Guard and other application whitelisting (anti-executable) software. We also maintain such a list and have updated it with regard to the Device Guard Team's suggestions. Thanks to WildByDesign for posting this at Wilders Security Forums and to Shizzle for giving a hint.


Enhanced memory protection with module filtering

New beta of MemProtect released

2017/06/09 by F. Rienhardt

We have released a new beta version of MemProtect in the Beta Camp. This brand new version now supports module filtering. This feature enables you to define exactly which modules (DLLs) can be loaded by an executable. The feature was inspired by functionality in EMET; we would also like to give a shout-out to Dave. We hope you like the beta and are looking forward to pushing it into the release version soon.

2017/06/11 Updated Binaries

We have updated the beta package; the configuration file can now be up to 512 KB in size. You should now be able to test MemProtect with more options and especially with more libraries in the .ini file. Have fun.


Public Domain source code of a demonstration Tray-App

Create your own Tray-App for our drivers

2017/06/07 by F. Rienhardt

Well, we are happy to announce the first version of a generic Tray-App under Public Domain which can be used to create your own eventing apps for our drivers. If there is a need, we will adjust and enhance this sample, so you can get the maximum out of it. But for the first release we decided to keep things as simple as possible and to show you how simply things can be done using our drivers. The source should encourage you to build your own watchdog applications which perfectly suit your needs, and it should prove that you do not get a black box. We do not just say it is simple; as you can now see, it really is.

You can download the current version from here. We hope you will find the code useful; if you have something to share with us or the community, please let us know. We are happy to hear from you.


Enhanced notifications for the tray application

New Tray-App in Beta-Camp

2017/05/30 by F. Rienhardt

There was some demand for balloon notifications in Pumpernickel, MemProtect and the other drivers. Some users also requested a “play sound” feature instead of notifications through colors or balloon messages. You can enable these options by using the following command line parameters:

  • -playsound = plays a sound
  • -showballoon = shows a balloon message

on an event. We decided to start with Pumpernickel first and published the first version in the Beta Camp. Tray Apps for the other drivers will follow in the next days or weeks. We hope you enjoy it; any feedback is welcome.

We will also soon publish some demo code for AutoIt which you can use to write your own notification applications. The code will be under Public Domain, so you are free to use and distribute it. You will see that the code is pretty simple, which proves that there is no need for sophisticated techniques to get things done. We hope you will find the code useful; if you have something to share with us or the community, please let us know. We are happy to hear from you.


Watch out for ^-symbols in the command line

Another way to bypass application whitelisting

2017/05/28 by F. Rienhardt

A while ago, we stumbled over some Word and Excel files containing malicious macros which downloaded and executed ransomware. Nothing new so far; the fact that made us curious was that the cyber crooks utilized the command shell (cmd.exe) in a tricky way. Instead of executing the commands in plain text, they used the ^-symbol to obfuscate their call to the PowerShell interpreter:

[Screenshot: cmd.exe shell ^ blur trick]

If you remove the ^-symbols you will quickly identify a well-known HTTP download-and-execute PowerShell script, as seen in many malicious campaigns. This kind of obfuscation technique will again stop some AVs and other anti cyber-attack tools from detecting such threats.

Good to know that Bouncer will detect such attacks instantly if you make use of the *>cmd*/c rule which we recommended back in 2016. But you can also specify a more generic rule

*>*^*

in the command line blacklist. The same rule can also be used with our Command Line Scanner driver.
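The following is an added example, not Bouncer's or Command Line Scanner's code, showing why the generic *>*^* rule works and what it does not tell you. It matches constructed command lines against "parent>commandline" wildcard rules and, in addition, strips cmd.exe's ^ escapes (outside double quotes) so the de-obfuscated command line can be checked against the same rules. The second rule, *>*powershell*, the simplified caret model and the wildcard semantics (fnmatch) are assumptions made for this example; the sample command lines are constructed and benign.

```python
import fnmatch
from typing import Dict, List

# Constructed "parent>commandline" blacklist. The first rule is the generic
# ^-rule from the post; the second is an assumed extra rule that only fires
# once the carets have been removed.
CONSTRUCTED_RULES = ["*>*^*", "*>*powershell*"]


def strip_carets(cmdline: str) -> str:
    """Undo cmd.exe's ^ escaping: outside double quotes a caret is dropped and
    the following character is kept literally; inside "..." carets are literal.
    This is a simplified model of cmd.exe parsing (an assumption)."""
    out: List[str] = []
    in_quotes = False
    i = 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == '"':
            in_quotes = not in_quotes
            out.append(c)
        elif c == "^" and not in_quotes:
            i += 1                      # skip the caret itself
            if i < len(cmdline):
                out.append(cmdline[i])  # keep the escaped character
        else:
            out.append(c)
        i += 1
    return "".join(out)


def match_rules(parent: str, cmdline: str, rules: List[str]) -> List[str]:
    """Return every rule whose parent and command-line patterns both match
    (case-insensitive, whole-string wildcard match)."""
    hits = []
    for rule in rules:
        parent_pat, _, cmd_pat = rule.partition(">")
        if (fnmatch.fnmatchcase(parent.lower(), parent_pat.lower())
                and fnmatch.fnmatchcase(cmdline.lower(), cmd_pat.lower())):
            hits.append(rule)
    return hits


def inspect_cmdline(parent: str, cmdline: str,
                    rules: List[str] = CONSTRUCTED_RULES) -> Dict[str, object]:
    """Evaluate the raw command line and its de-obfuscated form."""
    normalized = strip_carets(cmdline)
    return {
        "raw_hits": match_rules(parent, cmdline, rules),
        "normalized": normalized,
        "normalized_hits": match_rules(parent, normalized, rules),
    }


if __name__ == "__main__":
    # Constructed sample events: a caret-obfuscated PowerShell call started by
    # Word, a legitimate quoted caret, and a plain command.
    word = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    samples = [
        (word, "cmd.exe /c p^o^w^e^r^s^h^e^l^l -NoProfile -Command Get-Date"),
        (r"C:\Windows\explorer.exe", 'cmd.exe /c echo "a^b"'),
        (r"C:\Windows\explorer.exe", "cmd.exe /c dir"),
    ]
    for parent, cmdline in samples:
        result = inspect_cmdline(parent, cmdline)
        print(cmdline)
        print("  raw hits:       ", result["raw_hits"])
        print("  de-obfuscated:  ", result["normalized"])
        print("  normalized hits:", result["normalized_hits"])
```

Two things are worth noticing. The literal *>*^* rule fires on any caret, including the harmless quoted one, so expect some noise from scripts that legitimately escape characters. And the rule alone does not tell you what was hidden; only the normalized form reveals that the obfuscated call was to the PowerShell interpreter, which is the information an analyst wants in the log.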

