Excubits Bouncer - Manual
Version 1.8.1 (February 2015)
(c) 2014 - 2015 by Excubits UG (haftungsbeschränkt)
Imprint:
Copyright: Excubits UG (haftungsbeschränkt)
Phone: +49 177 5 37 38 38
Internet: http://excubits.com
E-Mail: [email protected]
Version: 1.8.1 (February 2015)
Status: Released.
All rights reserved:
No part of this document may be reproduced in any form without the written approval of Excubits. Excubits reserves the right to modify or amend this document at any time without prior
notice. Excubits UG (haftungsbeschränkt) assumes no liability for typographical errors and
damages incurred due to them.
All used trademarks and registered trademarks are the property of their respective owners.
Contents
1 Introduction ........................................ 1
1.1 System Requirements .............................. 1
1.2 Installation Package ............................. 2
1.3 Administration rights needed for installation .... 2
2 Prepare installation ............................... 2
2.1.1 Activate and Deactivate Bouncer ................ 6
2.1.2 Enable and disable logging ..................... 7
2.2 How to configure the whitelist ................... 7
2.3 How to configure the blacklist ................... 9
2.4 Prepare Bouncer for the first start .............. 10
2.5 Function Testing ................................. 11
3 Technical Background ............................... 13
Excubits Bouncer – Manual
1 Introduction
Many spectacular cyber attacks have shown that IT systems are lucrative targets for cyber criminals. Traditional defense strategies by means of firewalls and anti-virus systems cannot always withstand today's sophisticated attacks.
Excubits Bouncer (or just Bouncer) is a path-based whitelisting driver that assists you in monitoring, tracking and blocking malicious executables on Windows. Bouncer can lock down your Windows OS to prevent infection by typical malware and ransomware, especially the well-known crypto locker malware which encrypts all your personal files and then offers decryption after you have paid an amount of money.
Bouncer can also prevent malicious executables, dynamic link libraries and drivers from accidentally being started from external USB drives, e-mail attachments, the browser's cache or even through an exploit.
In the following chapters we describe how Bouncer works and how to configure the protection system correctly. Please take the time to fully read and understand this manual in order to operate Bouncer correctly and safely. It is very important to understand how Bouncer functions in order to configure the system the right way.
1.1 System Requirements
Bouncer runs on the following versions of Windows:

Version             32-bit / 64-bit
Windows XP (SP3)    yes / no
Windows Vista       yes / yes
Windows 7           yes / yes
Windows 8           yes / yes
Windows 8.1         yes / yes
To install and run Bouncer, ensure that the requirements for installing and running your version of Microsoft Windows are met. At the very least you need enough hard disk space to extract the installation archive completely. It is also recommended that at least 8 MB of disk space is available for installation and operation of Bouncer.
Please note that Bouncer creates a log file in which the paths and file names of blocked executable files are stored. Depending on the number of logged entries, this log file can require several megabytes of disk space. Please ensure that there is enough free space available for writing to the log file. If you do not need older entries, delete them from the log file to shrink the log.
1.2 Installation Package
The installation package of Bouncer comes as a 7z-compressed archive. In order to
fully install Bouncer, extract the entire contents of the archive on your target computer that will run Bouncer. After unpacking the archive you shall see the following
structure:
The folders x64 and x86 contain driver files for different versions of Windows and
one configuration plus one log file (more details on this later).
In the main directory (see the picture above) you shall see the manual, control scripts
and applications that help you to install and operate Bouncer.
1.3 Administration rights needed for installation
To install and configure Bouncer, you need admin access to the computer. After Bouncer has been successfully installed and is running, you do not need admin access to use your Windows PC protected by Bouncer. Once installed, Bouncer runs transparently in the background and keeps up the protection, no matter who is logged on.
For switching the driver on and off, removing or restarting it, admin access is required again. You should use an admin cmd.exe shell for most of these operations. Please note that a user with normal privileges can neither disable nor uninstall Bouncer.
2 Prepare installation
To install Bouncer, first go into the appropriate subdirectory representing your version of Microsoft Windows. All steps described in the following sections always refer
to the individually selected directory representing your version of Windows. If you
do not know the exact version and architecture of your target machine’s Windows,
you can just use the tool WindowsArchitecture.exe. It will show you a message
box stating the architecture and exact Windows version.
For example, if you use a 32-bit version of Windows 7, use drivers located in:
\x86\Windows7\
For example, if you use a 64-bit version of Windows 8.1, use drivers located in:
\x64\Windows8.1\
Each directory contains the following files:
Before you can install and run the driver, you must adapt the configuration file to your individual installation of Windows and your applications.
The configuration is located in the file bouncer.ini. The file is in Unicode format, i.e. the entries may use letters of non-ASCII alphabets; for example, characters from Cyrillic, Asian and Arabic alphabets can be used:
مَرْحَبًا  הלו  галдёж  你好
Please note that Bouncer internally also distinguishes between uppercase and lowercase. For example
\Windows\
\WINDOWS\
\windows\
\WindowS\
are different strings for Bouncer's rules engine. Thus, always choose the notation that is used on your individual installation of Windows. For example, if Windows was installed in c:\WiNdOwS\, then you must specify \WiNdOwS\ and not \windows\ or any other spelling.
Bouncer implements a very strict rules engine, meaning you must specify exactly which files or paths are explicitly allowed and which are not. Files and paths that are not listed, or that are not written exactly as they appear in the file system, are blocked by the driver. Hence take care: in the worst case a wrong rule may cause the system to block loading applications or to stop booting.
Caution!
It is very important to configure the whitelist carefully. Please read the following steps and follow the recommendations and descriptions to avoid crashes or a blocked Windows system.
First, open the bouncer.ini file by double-clicking on the file name. The text editor (in most cases Notepad) should open and display the following configuration (in the printed manual the three sections are colour-coded; the colours are just for illustration):
[#LETHAL]
[FORENSICS_PATH]
whitelist*
[???]\Windows\*
[???]\Program Files\*
[???]\Program Files (x86)\*
[???]\ProgramData\*
[???]\downloads\TrueCrypt\*
[???]\Users\Magnum\Desktop\dirt_bag\*
blacklist|
[???]\Windows\System32\msiexec.exe|
[???]\Program Files\Internet Explorer\iexplore.exe|
[???]\Program Files (x86)\Internet Explorer\iexplore.exe|
The three parts are described in more detail in the following sections.
You might have noticed a weird format for writing paths in the example above. What is this all about? Well, you may already know paths like
c:\Windows\
c:\Program Files\
Here they are given as
[???]\Windows\
[???]\Program Files\
Why? The reason is that Bouncer works deep in the kernel of your operating system and thus must use path definitions the Windows kernel knows of. Unfortunately the Windows kernel does not know about drive letters such as c:\. The kernel only knows about so-called devices, \Device\. The exact name of a device differs from installation to installation and depends on which hard drive and which partition your Windows was installed on. For example, c:\ might internally be registered as \Device\HarddiskVolume8\. Thus c:\Windows\ will internally map to \Device\HarddiskVolume8\Windows\. You can look up the exact assignment of partitions in the partition management of the control panel, or by calling
fltMC.exe volumes
from your command line (cmd.exe) as admin.
To help you work with the internal device names, you will find a handy tool that does the translation for you. Start the program QueryDosDevices.exe and press the button "Refresh". The following screenshot shows an example:
As you can see in the example, drive c:\ is internally known as \Device\HarddiskVolume2\. Drive d:\ is internally known as \Device\HarddiskVolume3\, and the DVD/CD-ROM drive e:\ is \Device\CdRom0\. If you plug in a USB stick or an external hard disk, the list will show more entries with different values.
Typically drive c:\ contains your installation of Windows, hence c:\Windows\ will be \Device\HarddiskVolume2\Windows\ following the example above. The same holds for c:\Program Files\, which will be \Device\HarddiskVolume2\Program Files\.
Advice!
Please remember to fill in each placeholder [???] according to your individual installation. If, for example, your Windows is in c:\Windows\ and c:\ is \Device\HarddiskVolume2\, then [???]\Windows\ is
\Device\HarddiskVolume2\Windows\
The following sections will describe how to configure the three different parts of the
file bouncer.ini.
2.1.1 Activate and Deactivate Bouncer
Once again the example .ini file. Now we are looking at the first part, the bracketed option lines at the top (blue in the printed manual):
[#LETHAL]
[FORENSICS_PATH]
whitelist*
[???]\Windows\*
[???]\Program Files\*
[???]\Program Files (x86)\*
[???]\ProgramData\*
[???]\downloads\TrueCrypt\*
[???]\Users\Magnum\Desktop\dirt_bag\*
blacklist|
[???]\Windows\System32\msiexec.exe|
[???]\Program Files\Internet Explorer\iexplore.exe|
[???]\Program Files (x86)\Internet Explorer\iexplore.exe|
The configuration file is divided into three sections. The first (blue) section specifies whether Bouncer blocks detected files or not. When [LETHAL] is defined, Bouncer will block any attempt to start an executable file from an untrusted path. We call this lethal mode: the driver is armed and ready to fight. If you specify [#LETHAL], detected files are logged (if logging is enabled) but Bouncer will not block them. In this mode Bouncer is like a secured weapon: it is ready to enforce, but does not.
When you install and run Bouncer for the very first time, we recommend that you use the [#LETHAL] option to become familiar with the operation of Bouncer and watch what the system is doing. Once you are sure that everything is working well, you can set the [LETHAL] option and turn Bouncer into a lethal weapon.
2.1.2 Enable and disable logging
You can enable logging with the line [FORENSICS_PATH] or disable it with [#FORENSICS_PATH]. In principle, we suggest always enabling logging, so you can see which potential attacks Bouncer detected.
If logging is enabled, Bouncer creates a log file named bouncer.log in your Windows installation path (usually c:\windows\). This file is in Unicode format and can be opened with any standard text editor, such as Notepad.
2.2 How to configure the whitelist
Once again the example .ini file. Now we are looking at the whitelist part (green in the printed manual):
[#LETHAL]
[FORENSICS_PATH]
whitelist*
[???]\Windows\*
[???]\Program Files\*
[???]\Program Files (x86)\*
[???]\ProgramData\*
[???]\downloads\TrueCrypt\*
[???]\Users\Magnum\Desktop\dirt_bag\*
blacklist|
[???]\Windows\System32\msiexec.exe|
[???]\Program Files\Internet Explorer\iexplore.exe|
[???]\Program Files (x86)\Internet Explorer\iexplore.exe|
Define your whitelist below the entry whitelist*. List all paths from which you are going to start program code. You must at least specify all paths which are necessary for booting and operating Windows and your installed applications. In Windows 7, these are typically the following paths:
[???]\Windows\*
[???]\Program Files\*
[???]\ProgramData\*
If you are using a 64-bit version of Windows, you must also define the path to your 32-bit applications, typically installed at:
[???]\Program Files (x86)\*
Please be careful to end every whitelist entry with an asterisk (symbol *), as in the examples above. Lines without the asterisk will not be processed and can lead to errors or crash your system.
Your manufacturer may also have added special paths for drivers and system applications. Ensure that you include these paths in your whitelist, too. They are often located directly below the main drive (usually c:\).
Computers from DELL, ACER and ASUS, for example, often have one of the following folders in c:\:
[???]\ACER\*
[???]\DELL\*
[???]\ASUS\*
[???]\OEM\*
[???]\Intel\*
[???]\AMD\*
[???]\DRIVERS\*
If you have installed applications on other drives, specify them, too. For example, rules may look like:
[???]\My Personal Folder\Program A\*
[???]\Users\ItsMe\Desktop\SuperTool\*
As described in the beginning, the path information may also contain Unicode characters, for example something like:
[???]\Users\مَرْحَبًا\галдёж\*
Besides paths you can also specify individual program files in the whitelist. To do so, simply specify the full path, including the file name and extension, and end the line with an asterisk *.
For example, suppose the folder \Sandbox\ contains several applications and libraries, but you only want to allow the application TestA.exe to run, not all the other DLLs and EXE files. Just add the following rule:
[???]\Sandbox\TestA.exe*
With this line, Bouncer allows running the application TestA.exe; all other program files in the directory \Sandbox\ are still blocked.
Please note: Remember to change [???] to the device names of your system. Do not specify [???] literally, specify the device names.
2.3 How to configure the blacklist
Once again the example .ini file. Now we are looking at the blacklist part (red in the printed manual):
[#LETHAL]
[FORENSICS_PATH]
whitelist*
[???]\Windows\*
[???]\Program Files\*
[???]\Program Files (x86)\*
[???]\ProgramData\*
[???]\downloads\TrueCrypt\*
[???]\Users\Magnum\Desktop\dirt_bag\*
blacklist|
[???]\Windows\System32\msiexec.exe|
[???]\Program Files\Internet Explorer\iexplore.exe|
[???]\Program Files (x86)\Internet Explorer\iexplore.exe|
Below the entry blacklist| you define all paths from which no program code may be started. By default Bouncer blocks all paths that are not specified in the whitelist. You can leave the blacklist blank if there is nothing you want Bouncer to block.
This option is ideal for blocking certain programs located inside a whitelisted path. Example: if you want to block the Windows calculator (located in c:\windows\system32\calc.exe) but have already whitelisted the path to Windows via
[???]\Windows\*
this rule will also allow executables located in [???]\Windows\System32\. Thus the calculator will be allowed as well. To block Calc you must explicitly deny the calculator with the following blacklist rule:
[???]\Windows\System32\calc.exe|
Please note that every line in the blacklist must end with the symbol |. Instead of a single application, an entire directory can be blocked, too.
For example, suppose that Microsoft Internet Explorer (IE) is hit by a serious security vulnerability. Suppose this vulnerability is not patched yet and you want to prevent IE and its libraries from being exploited. Normally this is a hard task, but with Bouncer it is quite easy; just define the following rule:
[???]\Program Files\Internet Explorer\|
If you are using a 64-bit version of Microsoft Windows, use the following rule to avoid running IE and its components:
[???]\Program Files (x86)\Internet Explorer\|
With some simple rules you can avoid running untrusted or exploitable applications or libraries. Once the vulnerability has been closed, you can simply remove the rules and everything is fine.
Instead of an entire directory, it may also be appropriate to disable certain files, such as a vulnerable DLL belonging to a plug-in, if they are at risk due to a security breach. It is often the case that certain libraries or plug-ins are vulnerable to attacks; cyber criminals use exploits to trigger the security breach in such an executable and to infect your computer. If you block the vulnerable plug-in using the blacklist, it can no longer be abused by an exploit. After the libraries or plug-ins have been updated, you can remove the rule from the blacklist.
Please note that disabling program files sometimes causes certain programs to stop working correctly.
Caution!
Before disabling any executable you should always test the behaviour and be careful with what you disable. Always check your rules and system behaviour before deploying them on production systems.
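As an added worked example (not code from Excubits or from this manual), the following Python script models the bouncer.ini semantics described in sections 2.1 to 2.3 so you can dry-run a rule set before copying it to the system folder: it substitutes [???] with a device name, rejects lines that lack the * or | terminator, and returns the verdict for a path as the kernel sees it. It assumes the device name \Device\HarddiskVolume2 from the QueryDosDevices example, that both lists are case-sensitive prefix matches, that the blacklist takes precedence over the whitelist (as the calc.exe example describes), and it models [#LETHAL] as a "LOG" verdict; the real driver's matching may differ in details.

```python
# Added example (not Excubits' driver code): model of the bouncer.ini rule
# semantics from sections 2.1 - 2.3. Assumed: case-sensitive prefix matching,
# blacklist wins over whitelist, device name from the QueryDosDevices example.
from dataclasses import dataclass, field

PLACEHOLDER = "[???]"
DEVICE = "\\Device\\HarddiskVolume2"      # what c:\ maps to in the example

# Constructed bouncer.ini in the manual's format (raw string: single backslashes)
SAMPLE_INI = r"""[#LETHAL]
[FORENSICS_PATH]
whitelist*
[???]\Windows\*
[???]\Program Files\*
[???]\Sandbox\TestA.exe*
blacklist|
[???]\Windows\System32\calc.exe|
[???]\Program Files\Internet Explorer\|
"""

@dataclass
class BouncerConfig:
    lethal: bool = False
    logging: bool = False
    whitelist: list = field(default_factory=list)   # prefixes, '*' removed
    blacklist: list = field(default_factory=list)   # prefixes, '|' removed
    problems: list = field(default_factory=list)    # lines the driver would not process

def parse_ini(text: str, device: str) -> BouncerConfig:
    """Parse bouncer.ini text, replacing [???] with the kernel device name."""
    if not device.startswith("\\Device\\"):
        raise ValueError("use the \\Device\\... name from QueryDosDevices.exe, not a drive letter")
    cfg, section = BouncerConfig(), None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line in ("[LETHAL]", "[#LETHAL]"):
            cfg.lethal = line == "[LETHAL]"
        elif line in ("[FORENSICS_PATH]", "[#FORENSICS_PATH]"):
            cfg.logging = line == "[FORENSICS_PATH]"
        elif line in ("whitelist*", "blacklist|"):
            section = line[:-1]                      # "whitelist" / "blacklist"
        else:
            rule = line.replace(PLACEHOLDER, device)
            if section == "whitelist" and rule.endswith("*"):
                cfg.whitelist.append(rule[:-1])
            elif section == "blacklist" and rule.endswith("|"):
                cfg.blacklist.append(rule[:-1])
            else:
                # sections 2.2/2.3: a line without its terminator is not processed
                cfg.problems.append(f"line {n}: {raw!r} lacks the required terminator")
    return cfg

def decide(cfg: BouncerConfig, kernel_path: str) -> str:
    """Verdict for a path as the kernel sees it: ALLOW, BLOCK or LOG
    (LOG = would be blocked, but [#LETHAL] only records it in bouncer.log)."""
    if any(kernel_path.startswith(p) for p in cfg.blacklist):
        hit = False                                  # blacklist overrides whitelist
    else:
        hit = any(kernel_path.startswith(p) for p in cfg.whitelist)
    if hit:
        return "ALLOW"                               # never logged, see section 2.5
    return "BLOCK" if cfg.lethal else "LOG"

if __name__ == "__main__":
    armed = parse_ini(SAMPLE_INI.replace("[#LETHAL]", "[LETHAL]"), DEVICE)
    print(decide(armed, r"\Device\HarddiskVolume2\Windows\System32\calc.exe"))
```

Run it against your own bouncer.ini text and the device names shown by QueryDosDevices.exe; any entry in problems is a line the driver would silently skip.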
2.4 Prepare Bouncer for the first start
When you have completed all the steps above, you can prepare Bouncer for the first start. To verify your configuration, do not start Bouncer in lethal mode; instead start it in non-lethal mode as follows:
[#LETHAL]
This way Bouncer starts in non-lethal mode and you can check the log file (bouncer.log) to see if your rules function as expected.
To install Bouncer, go to the directory for your version of Windows, where you modified the configuration file bouncer.ini:
Copy bouncer.ini to your Windows system folder (in most cases c:\Windows\). Cross-check again that the copied file in the system folder contains all the rules you have specified, and that the option [#LETHAL] is set!
If not already done, copy the file bouncer.log to your Windows system folder (in most cases c:\Windows\), too.
Cross-check again that both files are located in your Windows system folder:
bouncer.ini
bouncer.log
and that bouncer.ini contains all your rules!
You can now install the driver by right-clicking on bouncer.inf and selecting the option "Install...":
Now change to the root path of the Bouncer archive package and run the script start_driver.cmd as admin (right-click on the script file and select "Run as Admin"). Bouncer should now be running. You can restart your computer if you like, or start testing right away.
To stop the driver, run the script stop_driver as admin.
Please note: You must restart Bouncer every time you change the rules in bouncer.ini. You can use the script restart_driver.cmd, started as admin, to do so. If you change bouncer.ini outside of your Windows system path (c:\Windows\), ensure that you copy the new version of bouncer.ini into your Windows system path again.
2.5 Function Testing
Open the log file bouncer.log and check whether any applications have been logged. Since you allowed c:\Windows\, the file explorer, calculator, Notepad or MS Paint should start without any entry in the log file.
For testing you may add notepad.exe or calc.exe to the blacklist, restart the driver and try to start notepad.exe or calc.exe again. It should be blocked and listed in the log file.
Bouncer works strictly according to the rules specified by you. From a folder that is not in the whitelist, no program file, library (DLL) or driver (SYS) can be started. Just try and plug in a USB stick containing some executables and try to execute them from the USB stick. If there is no rule allowing executables from the USB stick, they will be blocked by Bouncer.
Once you are happy with your rule set you can switch Bouncer into lethal mode. Change your bouncer.ini from [#LETHAL] to [LETHAL]. After changing the corresponding row in bouncer.ini you must copy it to your Windows system folder (usually c:\Windows\). Then restart the driver. Now Bouncer should be active in lethal mode: program files outside the permitted paths cannot be started and will be blocked.
If you enable, for example, the sample rule from above regarding Internet Explorer, the following message should be displayed when attempting to start IE again:
When an application attempts to run a DLL from a folder that was not whitelisted, you should see a message like the following:
3 Technical Background
There are a lot of security solutions on the market featuring heavyweight endpoint security to defend against many attacks. These solutions come with quite a lot of applications and dynamic libraries, they install several services and drivers, they might slow down system performance, and in the end the user does not know what such a product really does. Most of them also need periodical updates of their engines and internal databases to function properly and to protect the system against the newest malware out there. Most of them also send back additional forensic information, so the anti-virus (AV) company can gather information about new (unknown) threats to build updates for. This can be critical in some scenarios regarding data protection and thus might be disabled; on the other hand, without additional forensic information the AV company cannot build signatures for detecting and mitigating new attacks.
Problems arise if the security solution cannot update its databases or if it is subject to a new threat not yet detected by any AV. Attackers constantly create hundreds of malware executables a day that are invisible to most AVs on the market right now. For example, on receiving an e-mail containing a newly infected attachment, one accidental click installs the malware, and the ordinary AV can do little against it until it gets updated and is able to detect the threat; but by then it may be too late, the system is already owned by malware and the AV might already have been deactivated, so there is no chance to clean it without huge effort afterwards. Having another protective barrier up one's sleeve can prevent worse and might help to mitigate such cases. Excubits Bouncer is exactly such an additional barrier. With it set up correctly and running all the time, one can avoid a lot of those standard situations where malware gets installed just by accident.
Of course Bouncer is not the silver bullet and there are still attack vectors that bypass it; there are other solutions with greater mitigation and security impact, but they often come with higher complexity and are not easy to maintain. We believe that Bouncer features the right balance between usability and additional security with regard to the ordinary Windows installation and everyday business. It can avoid classic attack vectors through exploits that target applications, where just one accidental click infects a system, even if it is protected by an AV. On the other hand, using Bouncer is not too complicated, so users will not notice that Bouncer is running and thus are not bothered. The latter should not be underestimated, because a security tool that annoys its users will more likely be disabled or worked around, making the overall system even more prone to attacks.
Bouncer ideally enhances system security in combination with an installed firewall and AV, hence it can mitigate attack vectors that cannot be overcome by the ordinary AV due to the issues with timely updates mentioned above. Together with a sandboxed web browser and not surfing with admin permissions, this highly increases security in daily work.
If additionally used together with Microsoft's Enhanced Mitigation Experience Toolkit (EMET) [1], overall security is close to a silver bullet. EMET is a great set of tools designed to protect your Windows-based systems before new security threats are addressed by security updates from the vendor itself or by security products like malware scanners.
[1] For more details see http://www.microsoft.com/emet.