News about Excubits and IT-Security

Living Off The Land Binaries And Scripts

System hardening by blocking LOLBins and Scripts

2018/09/17 by F. Rienhardt

We know that many system admins are happy with Windows' built-in AppLocker, but when it comes to hardening your systems even further you need the parent checking capabilities of Bouncer. This is particularly true for Living Off The Land Binaries And Scripts (LOLBins and LOLScripts), which are needed by system processes but should not need to be launched by your office tools, web browsers or accounting applications. Here the parent checking feature of Bouncer (and of our other drivers) provides a powerful extra layer of security. So we would like to draw your attention to this feature and also reference a great collection of well-known LOLBins and LOLScripts that you should check and take into account.

To sum it up, consider parent checking within your malware mitigation strategy and have a look at the GitHub collection referenced here. Check to what extent your Windows boxes really need full execution rights for these binaries and whether you can make use of parent checking to reduce the risk.
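The parent checking idea from this entry, as an added illustration that is neither part of the original post nor Bouncer's rule format: a constructed policy model in Python in which the LOLBin names, the allowed parent sets and the sample process-creation events are all assumptions chosen for illustration.

```python
# Added example (not Bouncer's rule syntax): a toy model of parent checking.
# Constructed process-creation events are evaluated against a policy that
# allows a LOLBin only when it is launched by an expected system parent.

from dataclasses import dataclass

# Hypothetical set of LOLBins to restrict (names chosen for illustration).
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "certutil.exe", "wscript.exe"}

# Hypothetical parent policy: which parents may launch which LOLBin.
# A LOLBin with no entry, or with an unlisted parent, is denied.
PARENT_POLICY = {
    "rundll32.exe": {"svchost.exe", "explorer.exe"},
    "regsvr32.exe": {"msiexec.exe"},
    "certutil.exe": {"cmd.exe"},  # constructed assumption (admin scripts)
}

@dataclass(frozen=True)
class ProcessEvent:
    image: str   # file name of the image being started
    parent: str  # file name of the parent process image

def decide(event: ProcessEvent) -> str:
    """Return 'allow', 'deny', or 'pass' (not a LOLBin: left to the regular whitelist)."""
    image = event.image.lower()
    parent = event.parent.lower()
    if image not in LOLBINS:
        return "pass"
    allowed = PARENT_POLICY.get(image, set())
    return "allow" if parent in allowed else "deny"

def evaluate(events):
    """Apply the policy to each event; returns a list of (image, parent, decision)."""
    return [(e.image, e.parent, decide(e)) for e in events]

# Constructed sample events: a legitimate system launch, an office tool
# spawning a LOLBin, a LOLBin with no policy entry, and an ordinary program.
SAMPLE_EVENTS = [
    ProcessEvent("rundll32.exe", "svchost.exe"),
    ProcessEvent("rundll32.exe", "WINWORD.EXE"),
    ProcessEvent("mshta.exe", "outlook.exe"),
    ProcessEvent("notepad.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for image, parent, decision in evaluate(SAMPLE_EVENTS):
        print(f"{decision:5} {parent} -> {image}")
```

A real driver policy would match on full paths and signatures rather than bare file names; the model only shows how a parent constraint narrows a blanket "allow" for a LOLBin.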

Extended blacklist for better protection

New binary packages for Bouncer and a new blacklist

2018/08/31 by F. Rienhardt

We have renewed our blacklist recommendation for critical system applications often exploited to drop and execute malware. Protect yourself even better with the new and extended ruleset. You can download the list here.

Unfortunately, some virus scanners have once again rated our installers as harmful, although they are not. This is an error on the scanner's side and is referred to as a false positive. To save you the trouble, we have already contacted the AV vendors to remove the false positives from their lists. However, since this can sometimes take several days or even weeks, we have also rebuilt the binary packages. Nothing has changed in our software; the packages have just been repackaged.

Updated installer and tray application

New binaries for Bouncer and Türsteher

2018/06/21 by F. Rienhardt

We had to update the installer packages for Bouncer and Türsteher. Once again some AV vendors flagged our installer as malicious, although the installer is not malware: we are a trustworthy vendor, have an EV certificate and are a real, officially registered company. What a mess!

We also updated the tray application: the icons of the executables are no longer branded for Bouncer or Türsteher, so they better suit our other drivers that are supported by the tray application. We have also fixed an issue where some users reported an installation-mode balloon message although the driver was running in normal mode (greetings and thanks to Jeff). We also changed some wordings in the .locales files and, last but not least, added the playsound and shortmenu options. The latter suits environments where the user does not have permission to make any changes to the driver, so it does not make sense to show all the possible options.

Secure Dev Conference Heidelberg

Meet us at heise devSec() 2018

2018/06/20 by F. Rienhardt

We are happy to give a presentation at the heise devSec() 2018 conference from 16th to 18th October 2018 in Heidelberg, Germany. Come and see us live. More information can be found at devSec() 2018. We are very delighted to be giving a talk on secure kernel driver development and on how to use kernel-only solutions for malware analysis and detection. If you want to meet and talk with us in or near Heidelberg, this is your chance: get in touch with us.

Beta phase of Bouncer and Türsteher completed

Release of brand new Bouncer and Türsteher

2018/06/11 by F. Rienhardt

We have finished the beta phase and are happy to announce the new version of Bouncer. We have not only revised the driver but also rewritten the manual; it is now clearer and much shorter. In addition, the tray application has been completely revised and now supports localization. You can edit the files bouncer.locales and tuersteher.locales to fully localize the TrayApp to your needs.

But that's not all. The tray application now supports not only Bouncer: by changing the file names, the tray application can also support all our other drivers. For example, rename BouncerTray_x86.exe and BouncerTrayHelper_x86.exe to MZWriteScannerTray_x86.exe and MZWriteScannerTrayHelper_x86.exe, and the TrayApp will support MZWriteScanner. Of course you should adjust the locales file to fit the driver, but it gives you a first glimpse of what's next... Enjoy!
