News about Excubits and IT-Security
Stay up to date and subscribe to our newsletter.
2018/11/28 by C. Lopez and F. Rienhardt
We were asked several times whether we could implement an optional feature in our drivers that allows elevated (admin / system) processes to bypass the driver's rules engine. This would be a powerful feature that reduces the effort one has to spend on updates, patches and so on. Well, as security guys we were (and are) not happy with such an option, but we listen to the community and understand why it is required. So we started looking for a way to integrate this feature into our drivers. You might already guess what follows... :-)
Well, we are happy to introduce the [ADMINBYPASS] feature, which allows elevated parent processes (with system or admin permissions) to start processes and execute command line calls without going through the rule decision function in Bouncer. If you have enforced a "normal user" for daily business and an "admin user" for updates and software installations, this makes the process much more comfortable, as you no longer need to switch to [INSTALLMODE] or [#LETHAL]. This should also lead to more generic configurations that do not aim at fully fledged "bullet proof" hedging, but enable you to build hardening configurations that help mitigate many risks without being too strict.
We are currently heavily alpha testing internally and will soon release the first version of Bouncer with this feature in our beta camp. If you can't wait for the release, subscribe to our newsletter and you will receive a notification as soon as it is ready. We are also going to hold a live seminar very soon, so if you ever wanted to get in touch with us, this will be your chance. Stay tuned, to be continued...
2018/11/16 by F. Rienhardt
The days are getting shorter again, so we usually make ourselves comfortable at home and read books. We are asked again and again why you should use one of our application whitelisting solutions. Well, I had some time and recently read the following book by Wil Allsopp: Advanced Penetration Testing, Hacking the World's Most Secure Networks. Security specialists might know one or the other of the attacks Wil Allsopp describes with a lot of love for anecdotes. We strongly recommend this book to every IT security specialist. Read this book and ask yourself if and how secure your Windows systems really are :-) Trust me, it is worth reading.
We have also updated the list of LOLBins in the blacklist; please use it with caution, as some of the tools are required by the system. Here, parent checking is the key.
2018/09/17 by F. Rienhardt
We know that many system admins are happy with Windows' built-in AppLocker, but when it comes to hardening your systems even further you need the parent checking capabilities of Bouncer. This is particularly true for Living Off The Land Binaries and Scripts (LOLBins and LOLScripts), which are needed by system processes but do not need to be launched from your office tools, web browsers or accounting applications. Here Bouncer's (and our other drivers') parent checking feature provides a powerful extra layer of security. So we would like to draw your attention to this feature and also reference a great collection of well-known LOLBins and LOLScripts you should check and take into account.
To sum it up, consider parent checking as part of your malware mitigation strategy and have a look at the GitHub collection here. Check to what extent your Windows boxes really need full execution rights for these binaries and whether you can use parent checking to reduce the risk.
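To make both mechanisms concrete (the parent checking recommended in this entry and the [ADMINBYPASS] option announced in the 2018/11/28 entry above), here is an added Python model written for this page. It is not Excubits code and does not use Bouncer's configuration syntax: the Policy and ProcessEvent classes, the glob rule format, the admin_bypass and lethal switches, the list of LOLBin names and the sample events are all assumptions constructed for illustration. It also shows the trade-off the authors mention: with the bypass enabled, an elevated parent escapes the parent check entirely, which is exactly why daily business should run as a normal user.

```python
"""Toy process-creation rules engine with parent checking and an optional admin bypass.

Constructed illustration, not Excubits' driver code.  The rule format, the event
fields and the admin_bypass / lethal switches model the behaviour described in
the news entries; they are not Bouncer's real ini syntax.
"""
import ntpath
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    image: str             # full path of the process being started
    parent_image: str      # full path of the parent (the caller)
    parent_elevated: bool  # parent holds an admin / SYSTEM token


@dataclass
class Policy:
    whitelist: List[str]                 # image globs allowed to run
    parent_deny: List[Tuple[str, str]]   # (parent glob, child glob): parent must not start child
    admin_bypass: bool = False           # modelled [ADMINBYPASS]: elevated parents skip the rules
    lethal: bool = True                  # modelled [#LETHAL]: False means log only, never block


def _match(path: str, glob: str) -> bool:
    # Windows paths are case-insensitive; compare lower-cased so the result
    # does not depend on which host OS this model runs on.
    return fnmatchcase(path.lower(), glob.lower())


def decide(policy: Policy, ev: ProcessEvent) -> Tuple[str, str]:
    """Return (verdict, reason) for one process-creation event.

    Order: admin bypass (if enabled), then parent-checking deny rules, then the
    plain whitelist.  Whatever reaches the end is not whitelisted and is blocked
    (or only logged in non-lethal mode).
    """
    if policy.admin_bypass and ev.parent_elevated:
        return "ALLOW", "admin bypass: elevated parent skipped the rules engine"
    deny = "BLOCK" if policy.lethal else "LOG"
    for parent_glob, child_glob in policy.parent_deny:
        if _match(ev.parent_image, parent_glob) and _match(ev.image, child_glob):
            return deny, f"parent check: {parent_glob} must not start {child_glob}"
    for glob in policy.whitelist:
        if _match(ev.image, glob):
            return "ALLOW", f"whitelisted by {glob}"
    return deny, "image not whitelisted"


# A few widely known LOLBins (assumed list): system processes use them, but
# office tools and browsers have no business launching them.
LOLBINS = ["powershell.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "certutil.exe", "wscript.exe"]
USER_FACING_PARENTS = [r"C:\Program Files*\Microsoft Office\*",
                       r"C:\Program Files*\Google\Chrome\*",
                       r"C:\Program Files*\Mozilla Firefox\*"]


def example_policy(admin_bypass: bool = False, lethal: bool = True) -> Policy:
    """Whitelist the OS and Program Files, but forbid user-facing parents from starting LOLBins."""
    return Policy(
        whitelist=[r"C:\Windows\*", r"C:\Program Files\*", r"C:\Program Files (x86)\*"],
        parent_deny=[(p, f"*\\{lolbin}") for p in USER_FACING_PARENTS for lolbin in LOLBINS],
        admin_bypass=admin_bypass,
        lethal=lethal,
    )


# Constructed events (not real telemetry) covering the cases discussed in the text.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", False),
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe", False),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"C:\Windows\System32\services.exe", True),
    ProcessEvent(r"C:\Users\alice\Downloads\setup.exe",
                 r"C:\Windows\explorer.exe", False),
    # Elevated Office process: blocked by the parent check unless the bypass is on.
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", True),
]


def evaluate(policy: Policy, events: List[ProcessEvent] = SAMPLE_EVENTS) -> List[str]:
    """Verdict for each event, in order."""
    return [decide(policy, ev)[0] for ev in events]


if __name__ == "__main__":
    for label, pol in (("strict", example_policy()),
                       ("admin bypass", example_policy(admin_bypass=True))):
        print(f"== {label} ==")
        for ev in SAMPLE_EVENTS:
            verdict, reason = decide(pol, ev)
            print(f"{verdict:5} {ntpath.basename(ev.parent_image):>13} -> "
                  f"{ntpath.basename(ev.image):<15} ({reason})")
```

Running the block prints the verdicts for the constructed events once under the strict policy and once with the bypass enabled. The only event whose verdict changes is the last one, an elevated Office process starting certutil.exe: the parent check catches it in strict mode, while the bypass lets it through. That is the risk the authors accept with the option, and the reason it only pays off when ordinary desktop work never runs elevated.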
2018/08/31 by F. Rienhardt
We have renewed our blacklist recommendation for critical system applications that are often exploited to drop and execute malware. Protect yourself even better with the new and extended ruleset. You can download the list here.
Unfortunately, some virus scanners have once again rated our installers as harmful, although they are not. This is a detection failure referred to as a false positive. To save you the trouble, we have already contacted the AV vendors to have the false positives removed from their lists. However, since this can sometimes take days or even weeks, we have also rebuilt the binary packages. Nothing has changed in our software; the packages have just been repackaged.
2018/06/21 by F. Rienhardt
We have to update the installer packages for Bouncer and Türsteher. Once again some AV vendors flagged our installer as malicious, although the installer is not malware: we are a trustworthy vendor, have an EV certificate and are a real, officially registered company. What a mess!
We also updated the tray application: the icons for the executables are no longer branded for Bouncer or Türsteher, so they better suit our other drivers that are supported by the tray application. We have also fixed an issue where some users reported an installation-mode balloon message although the driver was running in normal mode (greetings and thanks to Jeff). We also changed some wordings in the .locales files, and last but not least added the playsound and shortmenu options. The latter suits environments where the user does not have permission to make any changes to the driver, so it does not make sense to show all the options.
2018/06/20 by F. Rienhardt
We are happy to give a presentation at the heise devSec 2018 conference from 16 to 18 October 2018 in Heidelberg, Germany. Come and see us live. More information can be found at devSec() 2018. We are very delighted to give a talk about secure kernel driver development and how to use kernel-only solutions for malware analysis and detection. If you want to meet us or have a discussion with us in or near Heidelberg, this is your chance: get in touch with us.
2018/06/11 by F. Rienhardt
We have finished the beta phase and are happy to announce the new version of Bouncer. We have not only revised the driver but also rewritten the manual; it is now clearer and much shorter. In addition, the tray application has been completely revised and now supports localization. You can edit the files bouncer.locales and tuersteher.locales to fully localize the TrayApp to your needs.
But that's not all. The tray application now not only supports Bouncer: by changing the file names, the tray application can also support all our other drivers. For example, rename BouncerTray_x86.exe and BouncerTrayHelper_x86.exe to MZWriteScannerTray_x86.exe and MZWriteScannerTrayHelper_x86.exe, and the TrayApp will support MZWriteScanner. Of course you should adjust the locales file to fit the driver, but this gives you a first glimpse of what's next... Enjoy!