News about Excubits and IT-Security
Keep being updated and subscribe to our newsletter.

New version of Bouncer online

2015/05/11 by F. Rienhardt

Excubits Bouncer InstallerFrom now on Bouncers can be easily installed with our installation package. The installer can install Bouncer within a few seconds on your system and generates a basic configuration. We have also improved the signaling mechanism again, so our helper tools perform even better. In addition, the icons changed their look as previously announced. We hope you enjoy this new version and are looking forward hearing from you.

If you understand a bit German or if you are not afraid of it, just visit our German web site and check out our first demonstration video. It basically shows how to install and set up Türsteher.

Protect your Windows-Servers with Bouncer

2015/04/27 by F. Rienhardt

At this year's RSA-Conference, Marcus Murray has shown how hackers can gain access to a Windows-Server through a combination of weak upload sanity checks and missing execution prevention on the Server. In his detailed presentation he showed, among other things, how he has managed to compile C# code on the server and how to start up the resulting program file (in this case a true Windows executable). This executable then downloaded and executed a metasploit generated executable from the Internet. At the end he fully controlled the Windows-Server and was able to dig deep into the network.

This example demonstrates impressively the consequences of uncontrolled program execution on Windows-Server based machines. This could have been prevented easily by using Excubits Bouncer on the Server. For example it is really smooth to blacklist the C# compiler with Bouncer. It is also very easy to blacklist temporary folders with Bouncer, to avoid starting compiled or downloaded applications on the machine.

Excubits Bouncers will not just protect your Personal Computers running standard Windows, it perfectly suits Windows-Server-based infrastructures and can help to mitigate against attacks there. If you have any questions or need additional information, please contact us.

New icons for Bouncer

2015/04/21 by F. Rienhardt

New Icons for Bouncer

Our new icons for Türsteher, Bouncer and MZWriteScanner are ready. The first design study of the new icon set can be seen in the image on the right. The icons should be kept simple, clean, and with the modern flat design in mind. We also kept the well known T for Türsteher and B for Excubits Bouncer. If necessary, the final design will change just a little, but we think it will be close to the demo picture published in this post. We are currently doing some minor face lifting in the tray application and will hopefully publish the new version within the next two weeks, so stay tuned.

Computers at the White House were attacked using a combination of Adobe Flash and Microsoft Windows Exploits

2015/04/20 by F. Rienhardt (updated on 2015/04/21)

It seems that computers at the White House were infected through a combination of exploits. As the guys at FireEye noted in their Threat Research Report, the hacker crew APT28 is suspected to be responsible for the attack. It was yet another nasty exploit for Adobe's Flashplayer that was combined with a local privilege escalation exploit in Windows, so the attackers were able to persistently install malware on the affected machines.

You might say: "It is just another exploit for Adobe Flashplayer and Microsoft Windows. What exactly is the big deal or News here?" Well, yes. Same exploit business we see and hear of since the last ten or fifteen years. But what we stare on here is the fact:

The shellcode downloads the next stage payload, which is an executable passed in plaintext, to the temp directory with UrlDownloadToFileA, which it then runs with WinExec.

It seems that attackers can still easily infect computers the way FireEye reported. It happens all day, every day. It costs hundreds of millions a year, to clean business information technology, to bring business back on track, to defeat intellectual property and identity theft, just because (business) IT was weakly protected, and for this reason is getting infected. If you are in the IT Security business you shall already know that most attacks have their origin in some exploiting technique that, at the end, executes the final stage executable.

The woeful thing about it is, that mitigations can be so simple. Just use an anti virus, firewall and convenient application prevention or anti executable system like Excubits Bouncer to protect your systems. Even if IT Security is not sexy and might not directly pay off at your balance sheet, it will at the end. IT Security is so important for your business’ health and wealth, you should mitigate best you can.

New version of Excubits Bouncer

2015/04/12 by F. Rienhardt

We have made everything better: Excubits Bouncer now fully supports wildcards (* and ?), this allows a more flexible definition of white- and blacklisting rule sets. In addition the driver no longer distinguishes between upper and lower case and the driver's core now fully supports drive letters. These changes facilitate the configuration and operation considerably. We believe, you will benefit from this update. We have also optimized the drivers again and recompiled the core binaries for different architectures of Microsoft Windows (32-bit or 64-bit). From now on only two different driver binaries are necessary - one for 32-bit and one for 64-bit architectures. There is no dependency regarding the different versions of Microsoft Windows anymore. Essentially everything remains, but it is now even better.

The manual has been updated, too. For more information and details see the updated Bouncer Manual.

Our customers receive the new version as a free download.

Update 2015/04/13:

Some users reported issues with our new "Universal Binaries". We were able to find the problem: It was caused by the new Visual Studio 2013 Compiler, hence we decided to switch back and re-compiled the whole package. We apologize for any inconvenience.

Adobe Flashplayer is exploitable again

2015/02/02 by F. Rienhardt

Flashplayer is again exploitable and is currently attacked through Exploit Kits, for more details see Trend Micro. You shall deactivate Flashplayer in your Web Browsers. In order to reduce the attack surface you can additionally blacklist all of Flashplayer's executables by Bouncer. If you need Flashplayer because your business applications demand for it, you shall at least mitigate and protect yourself by using an Anti-Executable like Excubits Bouncer. Bouncer can help to reduce the consequences a succesfull exploration will have.

Update (2015/02/07): Vulnerability fixed

Adobe released a new version of Flashplayer ( The updated version of Flashplayer shall fix the vulnerability that is currently in the wild and exploited by several Exploit Kits. Users shall update or re-install Flashplayer as soon as possible to avoid infections through a drive-by.

Reduce the attack surface on current Flashplayer Vulnerability

2015/01/23 by F. Rienhardt

Flashplayer (version struggles with an unpatched vulnerability, for more details see Kafeine's Blog. Cyber criminals are already exploiting it and distribute malware through the vulnerability. To avoid getting catched, you shall deactivate Flashplayer as soon as possible or at least, enable click-to-play, to control the execution of Flashplayer in your browser.

To check whether you have succesfully deactivated or enabled click-to-play Flashplayer, visit Adobe to check your status.

In order to reduce the attack surface you can also blacklist all of Flashplayer's executables by Bouncer. If you need Flashplayer because your business applications demand for it, you shall mitigate and protect yourself by using an Anti-Executable like Excubits Bouncer. Bouncer can help to mitigate against the consequences a succesfull exploration will have.

Update (2015/01/26): Vulnerability fixed

Adobe has fixed the vulnerability and is shipping the upadte through its Updater. You can also download the newest version from Adobe's website.

Mitigate Windows 8.1 Elevation of Privilege in ahcache.sys/NtApphelpCacheControl

2015/01/08 by F. Rienhardt

Google has published information on a Zero-Day security vulnerability in Windows 8.1. Regarding the information given by the security team it shall be possible to perform a Elevation of Privilege in ahcache.sys through NtApphelpCacheControl. They also provided a proof of concept to test. Unfortunately Microsoft has no patch available, the only way to mitigate is to set UAC to maximum or to use Excubits Bouncer and blacklist the ahcache.sys on your Windows 8.1 system. We actually disabled it on our lab PCs and were able to boot up the machine successfully. We then tried to run the PoC Google provided and the code was not able to exploit the system again.

Please note: Disabling certain drivers on your system (like ahcache.sys) might cause unwanted side effects. So check for any side effects by your own, before releasing and using such a blocking rule for real life systems!

Update (2015/01/22): Vulnerability fixed

Microsoft has fixed its Windows 8.1 vulnerability in ahcache.sys. If you have mitigated against this vulnerability by following our suggestion, you can now remove it from your Bouncer's blacklist.

German website is now online

2014/12/11 by F. Rienhardt

Since we have final clearance from court and trade office we can open up the doors. Our German website is now online customers can order Türsteher from there. The English version and website will be launched soon, but we have to carefully check the international Terms Of Service to avoid legal trouble. If you cannot await, the German website is kept simple, you may try Google translate and order there. We will do our best to support international customers with their orders placed on the German website.

Due to comprehensive feedback and discussions from our international users we decided to re-brand Türsteher, because the name was subject for so many irritations (we did not think that Türsteher sounds so bad for Non-Germans, well...). For our German customers we will keep the name Türsteher, international customers will call it "Excubits Bouncer" or just bouncer, as you like. Why bouncer? Because it is the translation of Türsteher and because every Windows kernel should have a bouncer to defeat against attacks (thanks to Dave for his feedback and ideas). Besides that we heavily optimized the overall user experience. There is an administration tool ("Admin Tool") and a tool for your task-bar's tray, so you can quickly see what is going on with bouncer. This tool also writes into the Windows event log, so more experienced users (or administrators) are able to check computers remotely or due probing. Howsoever, if you have notes, comments or critique just let us know. By the way, Türsteher/"Excubits Bouncer" also runs on x86 based Windows tablet PCs, so you can enjoy our protection system on your tablet, too. A modern UI app might follow up if there is enough demand.

BizSpark Start-up

2014/11/23 by F. Rienhardt

We finally registered to BizSpark Start-up, thanks Microsoft for the great opportunity!