Bouncer - Discussion & Support Thread

[WildByDesign]

Hi guys/gals,

I have followed the forums here for a few months now before deciding to create an account. I had seen some questions and discussion regarding Excubits Bouncer and therefore figured that it would be good to make a discussion and support related thread here. If anybody has any questions or wants to discuss anything related to Bouncer, I would be happy to help in any way possible. Users can feel free to share configuration examples as well if you would like, but please ensure that those are done within CODE tags.

Bouncer is a tiny, powerful, and significantly granular kernel-mode driver (KMD) which starts very early in the boot process during kernel-init. It is an Application Whitelisting / Anti-executable driver.

Please keep in mind that Bouncer can be rather complicated to configure as it is intended toward security researchers, academics (US-CERT), forensics work, etc. It is for those who don't mind getting their hands dirty, so to speak.

My best initial advice for anybody trying Bouncer would be to run Bouncer in non-lethal (#LETHAL) mode which means no blocking is done, but with logging enabled to show what would have been blocked. That will the logs will provide you with all of the detailed information that you need for creating rules.

Bouncer Information Links

Bouncer Product page: Products - Bouncer | Excubits
Bouncer News page: Newsblog | Excubits
Developer's Blog: Florian Rienhardt's Blog | bitnuts.de

Beta Camp* page: Products - BETA CAMP | Excubits

*beta drivers (at the moment) are not digitally signed.​

 

[hjlbx]

Thanks for opening discussion here at MT - @WildByDesign

 

[WildByDesign]

Thanks for opening discussion here at MT

You're welcome. I am always happy to help anyone whenever I can. I'm still getting accustomed to this forum, the organization of sub-forums, etc. It looks like it uses a similar forum software as Wilders, but obviously quite a bit different settings and design layout of forums. So it's taking me some time to get used to it.

any new giveaway?
if we report bug can receive free license?

I am not aware of any giveaways at the moment. Although, I don't recall who had organized that initial Bouncer giveaway a while back and not sure who the Bouncer developer had worked with that to make it happen. I think that giveaways are good ideas to do sometimes. Once Bouncer reaches another stable version with lots of the latest features that were implemented within internal/beta versions, along with some great documentation, then I think that another giveaway would be a good idea. I can talk with the developer about that in the next phase of development and I will report back here if/when that happens.

 

[Exterminator]

I am not aware of any giveaways at the moment. Although, I don't recall who had organized that initial Bouncer giveaway a while back and not sure who the Bouncer developer had worked with that to make it happen. I think that giveaways are good ideas to do sometimes. Once Bouncer reaches another stable version with lots of the latest features that were implemented within internal/beta versions, along with some great documentation, then I think that another giveaway would be a good idea. I can talk with the developer about that in the next phase of development and I will report back here if/when that happens.

I originally did the Bouncer giveaway with Florian on a members suggestion.It was a great giveaway and if you are interested in another you can contact me here via PM or I can email Florian.
Apologies for a member asking for a free license and a giveaway

 

[Online_Sword]

A signed beta version would be released soon:

I find that Bouncer has not released new versions for a long time, and I wrote an email to Florain for this. Following is his reply.

the coding and testing is nearly finished. We plan to release a signed beta soon. In parallel we will do an update to the manual and then start to pack everything into the installer.

 

[WildByDesign]

@exterminator20 Thank you for your previous reply and also thank you for tidying up the thread earlier, I appreciate that, sir.


The Beta Camp releases have all been updated on Febraury 29th and all drivers, both 64-bit and 32-bit, are now digitally signed. So now it is easier to test these beta builds without having to switch into Windows Test Mode. Beta Camp link is in post #1 at the top of this thread.

At the moment, at least within the beta builds, Bouncer is under the name Tuersteher which is where the name Bouncer is derived from. Tuersteher, in German, refers to the bouncer (or door man) at a local club or bar.

The Beta Camp releases have a more limited config file size, so I wanted to point that out first and foremost:

Bouncer 5KB
Pumpernickel 3KB
MemProtect 2KB

Each build contains some example configs to get started with. But I figured that I would share the configs that I am currently using on some test systems which are working very well and also fit within the file size limitation. So hopefully these rule sets may be beneficial for some users who may be getting started with any of these Beta Camp release builds.

Spoiler: Bouncer / Tuersteher.ini (5KB)

[#LETHAL]
[LOGGING]
[#SHA256]
[PARENTCHECK]
[CMDCHECK]
[WHITELIST]
?:\PortableApps\*
?:\Program Files\*
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????
Q:\140066.enu\*
C:\PROGRA~2\COMMON~1\MICROS~1\VIRTUA~1\*
D:\Bouncer\*
D:\Tools\*
C:\Program Files (x86)\*
C:\ProgramData\CanonBJ\*
C:\ProgramData\Adguard\Temp\*
C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe
!C:\Windows\Temp\{????????-????-????-????-????????????}\.ba1\mbahost.dll
C:\Users\*\AppData\Local\Packages\*
C:\Users\*\AppData\Local\Microsoft\OneDrive\*
C:\Users\*\AppData\Local\Temp\procexp64.exe
C:\Users\*\AppData\Local\Apple\Apple Software Update\SetupAdmin.exe
C:\Users\*\AppData\Local\Temp\{????????-????-????-????-????????????}\fpb.tmp
C:\Users\*\AppData\Local\Google\Chrome\User Data\PepperFlash\??.?.?.???\pepflashplayer.dll
C:\ProgramData\Adobe\ARM\?\?????\AdobeARMHelper.exe
!C:\Windows\Temp\??_?????.tmp\setup.exe
C:\Users\*\AppData\Local\Temp\??_?????.tmp\setup.exe
C:\Users\*\AppData\Local\Google\Chrome\User Data\SwReporter\?.??.?\software_reporter_tool.exe
!C:\Windows\Temp\???????.tmp\*.dll
C:\Users\*\AppData\Local\Temp\???????.tmp\*.dll
C:\Users\*\AppData\Local\Temp\MozUpdater\bgupdate\updater.exe
C:\Users\*\AppData\Local\*\updates\????????????????\updates\0\*
*\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbasecomps.dll
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\*.dll
!C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe
!C:\Windows\Temp\????????-????-????-????-????????????\*.dll
!C:\Windows\Temp\DPTF\*
!C:\Windows\Temp\MP*.DLL
C:\Windows\*
C:\????????????????????\mrtstub.exe
C:\Users\TIFFAN~1\AppData\Local\Temp\??????.tmp\*.dll
[BLACKLIST]
*iexplore.exe
*regedit.exe
*bitsadmin.exe
*cipher.exe
*syskey.exe
*vssadmin.exe
*regedit.exe
*Regsvcs*
*RegAsm*
*wusa*
?:\$Recycle*
*vssadmin.exe
*aspnet_compiler.exe
*csc.exe
*jsc.exe
*vbc.exe
*ilasm.exe
*MSBuild.exe
*script.exe
*journal.exe
*bitsadmin*
*iexpress.exe
*mshta.exe
*systemreset.exe
*bcdedit.exe
*mstsc.exe
*powershell.exe
*powershell_ise.exe
*hh.exe
*set.exe
*setx.exe
*InstallUtil.exe
*IEExec.exe
*DFsvc.exe
*dfshim.dll
*PresentationHost.exe
C:\Windows\Temp\*
[PARENTWHITELIST]
*>*
[PARENTBLACKLIST]
[CMDWHITELIST]
*>*
[CMDBLACKLIST]
[EOF]

Spoiler: Pumpernickel.ini (3KB)

[#LETHAL]
[LOGGING]
[WHITELIST]
*chrome.exe>C:\Users\*\AppData\Local\Temp\etilqs_*
*chrome.exe>C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent*
*chrome.exe>C:\Users\*\AppData\Local\Google\Chrome\User Data*
*chrome.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\*cache_*.db
*chrome.exe>C:\Users\*\AppData\Local\Microsoft\Windows\INetCache\counters.dat
*chrome.exe>C:\Users\*\AppData\LocalLow\Microsoft\CryptnetUrlCache\*
*chrome.exe>C:\Users\*\AppData\Local\Temp\???*.tmp
*chrome.exe>C:\Users\*\AppData\Local\Temp\????_???*
*chrome.exe>C:\Users\*\AppData\Local\Temp\scoped_dir_????_????*
*chrome.exe>D:\Downloads*
*firefox.exe>*\Mozilla\Profiles\Firefox*
*firefox.exe>C:\Users\*\AppData\Local\Temp\etilqs_*
*firefox.exe>C:\Users\*\AppData\Local\Microsoft\Windows\INetCache\counters.dat
*firefox.exe>C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations*
*firefox.exe>C:\Users\*\AppData\Local\Temp\mozilla-temp-files*
*firefox.exe>C:\Users\*\AppData\Local\Mozilla\updates\????????????????*
*firefox.exe>C:\Users\*\AppData\Roaming\Mozilla\Firefox\Crash Reports\*
*firefox.exe>D:\Downloads*
C:\Windows\System32\*>*
C:\Windows\explorer.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\*.db
C:\Program Files (x86)\Adguard\AdguardSvc.exe>C:\ProgramData\Adguard\*.db*
Q:\140066.enu\Office14\*>*
!*notepad.exe>D:\Tools-Protected\Test\*
[BLACKLIST]
*explorer.exe>D:\Tools-Protected\Test*
[EOF]

Spoiler: MemProtect.ini (2KB)

[#LETHAL]
[LOGGING]
[WHITELIST]
C:\Windows\*>*
C:\Program Files\*>*
C:\Program Files (x86)\*>*
?:\PortableApps\*>*
?:\Program Files\*>*
D:\Tools\*>*
*ProcessHacker.exe>C:\Windows\*
*ProcessHacker.exe>C:\Program Files (x86)\*
*ProcessHacker.exe>C:\Program Files\*
*ProcessHacker.exe>*peview.exe
*peview.exe>*ProcessHacker.exe
*procexp.exe>C:\Windows\*
*procexp.exe>C:\Program Files (x86)\*
*procexp.exe>C:\Program Files\*
*procexp64.exe>C:\Windows\*
*procexp64.exe>C:\Program Files (x86)\*
*procexp64.exe>C:\Program Files\*
*procexp.exe>*procexp64.exe
*procexp64.exe>*procexp.exe
C:\ProgramData\Adguard\Temp\?.?.???.???*\setup-?.?.???.???*.exe>*
C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe>C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe
C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe>C:\ProgramData\Adguard\Temp\?.?.???.???*\setup-?.?.???.???*.exe
[BLACKLIST]
[EOF]

So all of those rules are working perfectly well on a Windows 10 64-bit machine and I have also tested them on a Windows 7 32-bit virtual machine as well. You don't have to use all of the drivers, of course. From a learning perspective, it is best to use one at a time and utilize the detailed logging (and in non-lethal non-blocking mode) to give a great idea of what all activity is going on within your system.

As always, if anyone has any questions or needs some help with anything, I am more than happy to help out whenever possible.

 

[Windows_Security]

A really great little program from Excubits: MemProtect

I was surprised how such a small driver (meaning little code), could offer so much functionality. Until Wildbydesign told me that it was a kernel feature build into Windows to protect Anti-Virus programs. Because you can create rules, it has to be possible to set run time/on execution flags to enable it for specific processes. This left me with only two soft based protections. One introduced with XP release 2 and the other introduced with Vista. It was the Vista process mitigation. This feature was introduces with Vista, so this provides some clues where the protection is based upon (Memprotect is freeware and the developer of Memprotect did not disclose where it is based upon).

So when you want to play with Memprotect, here are my settings to protect the system from Chrome (blacklist *chrome>*) and protect Chrome from the system (blacklist *>*chrome). Because it is in beta I have an allow all in the whitelist (*>*) and added priority rules (starting with!) to overrule the blacklist, allowing chrome to touch chrome and splwow64 (for printing) and allowing explorer, audiodg, csrss, lsass and svchost to touch Chrome.

Whitelist is overruled by blacklist, Priority whitelist overrules blacklist

[LETHAL]
[#LOGGING]
[WHITELIST]
!C:\Windows\explorer.exe>*chrome.exe
!C:\Windows\System32\audiodg.exe>*chrome.exe
!C:\Windows\System32\csrss.exe>*chrome.exe
!C:\Windows\System32\lsass.exe>*chrome.exe
!C:\Windows\System32\svchost.exe>*chrome.exe
!C:\Program Files\Google\Chrome\Application\chrome.exe>*chrome.exe
!C:\Program Files\Google\Chrome\Application\chrome.exe>C:\Windows\splwow64.exe
!C\Program Files\Security\ProcessExplorer\procexp.exe>*chrome.exe
*>*
[BLACKLIST]
*chrome.exe>*
*>*chrome.exe
[EOF]

When you want to copy this to your system, first run Memprotect with [#LETHAL] and [LOGGING]. Check whether your programs function properly, do a re-boot and check the MemProtect.txt log file in Windows folder. MemProtect is still Beta, so use a VM when you want to throw some malware at it and have an image restore at hand.

When my guestimate is correct, it works best at Windows 8.1 and higher (see Microsoft)

Download Products - BETA CAMP | Excubits

 

[Deleted member 178]

Similar concept than Smart Object Blocker, interesting.
Btw, i wonder what NVT guys are doing, been a while without any updates.

 

[Windows_Security]

Similar concept than Smart Object Blocker, interesting.
Btw, i wonder what NVT guys are doing, been a while without any updates.

Well Smart Object Blocker, only allowing chrome to start chrome (executable) and only allowing regular DLL's to load from Windows (signed by Microsoft) and from Chrome's Program Files folder (signed by Google), complements MemProtect protection. Only downside with latest SOB it delays startup of Chrome on my PC. I am awaiting next SOB release.

 

[WildByDesign]

@Windows_Security Thank you for sharing that solid MemProtect configuration for protecting Chrome. That is valuable information and nice descriptions as well. Also, I am glad that you included that link to Microsoft specs on Protected Processes because it helped me to track down the original Vista Protected Processes whitepaper which I had read about 6 months prior, but could not find initially when I was discussing with you. Within your Microsoft link, led me to (http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/process_Vista.doc) which is unfortunately down/broken at the moment. But I was able to find another site hosting that same original document of the Vista Protected Processes whitepaper which is interesting since it details the starting point of where protected processes originated from. Alternate host with whitepaper: (process_Vista.doc - Hitpages)

Cheers. And thank you for always sharing such valuable information with the community and providing explanations along with configurations.

 

[hjlbx]

@Windows_Security Thank you for sharing that solid MemProtect configuration for protecting Chrome. That is valuable information and nice descriptions as well. Also, I am glad that you included that link to Microsoft specs on Protected Processes because it helped me to track down the original Vista Protected Processes whitepaper which I had read about 6 months prior, but could not find initially when I was discussing with you. Within your Microsoft link, led me to (http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/process_Vista.doc) which is unfortunately down/broken at the moment. But I was able to find another site hosting that same original document of the Vista Protected Processes whitepaper which is interesting since it details the starting point of where protected processes originated from. Alternate host with whitepaper: (process_Vista.doc - Hitpages)

Cheers. And thank you for always sharing such valuable information with the community and providing explanations along with configurations.

@WildByDesign - thanks for document link. Useful infos.

 

[WildByDesign]

@WildByDesign - thanks for document link. Useful infos.

You're welcome. So that is where the memory protection began with Vista, and it evolved with each platform upgrade, particularly with Windows 8.x and 10. What Florian had done is simply extend that built-in protection so that the user can utilize memory protection for any process, any location. Normally it was restricted more toward antivirus software and also some Windows components and services. There is a good chance that Florian will integrate MemProtect into Bouncer within the next few development stages.

 

[hjlbx]

You're welcome. So that is where the memory protection began with Vista, and it evolved with each platform upgrade, particularly with Windows 8.x and 10. What Florian had done is simply extend that built-in protection so that the user can utilize memory protection for any process, any location. Normally it was restricted more toward antivirus software and also some Windows components and services. There is a good chance that Florian will integrate MemProtect into Bouncer within the next few development stages.

As soon as next stable is released I plan on purchasing the entire Excubits "suite."

@WildByDesign - you , Kees, mood, @Online_Sword are more in-depth with the rules creation and always willing to help. That's greatly appreaciated.

I actually understand the rules creation.

What, as you already know, I dislike is the amount of time that the "mechanics" of creating the rules takes.

Anyhow that is irrelevant.

My plan is to utilize MemProtect to bolster memory injection protection on 64 bit. CMDLineScanner & Bouncer to specifically address tricky malicious services\drivers (*.sys & *.dll - believe it or not) .

I have definite objectives in-mind.

Excubits has the only solution in town to protect against these pesky security weaknesses on 64 bit systems.

 

[WildByDesign]

I actually understand the rules creation.

What, as you already know, I dislike is the amount of time that the "mechanics" of creating the rules takes.

I have definite objectives in-mind.

I respect that, absolutely. I've seen a lot of your other posts and so I know you've got a great understanding on a technical level and you know what your objectives are and how to achieve them. And so I can definitely understand why dealing with logs and creating rules can be time consuming at times. I think that we (any of us, really) can be a different stages in our own personal security preferences and our own needs out of software. And I don't mean knowledge level. But specifically, when it comes to either having extra time in our days or even just the patience and things like that. I totally understand and respect that, sincerely. A few years previously, I probably would have no patience for the rules creation and the logs. And who knows, a few years from now, that patience may very well go away again.

Any of us will always be happy to share rules as a community. Without a doubt, each individual driver (or even each function/feature within Bouncer itself) has it's own learning curve to get an understanding of how it works and also how the rules reflect how it operates. And, of course, the rules creation also has that initial learning curve. Once the learning curve is passed and, particularly once you've got all of your rules setup, it is pretty much set-and-forget. That's one beauty of it. I rarely ever have anything show up in logs, maybe once or twice per month. And rarely have to make any modifications to rules. So after that learning curve and creating rules per my systems and VMs, now I've earned my time to be lazy and enjoy it.

Also, I just wanted to mention that even when having multiple Excubits drivers running, it takes zero performance hit. The only feature which adds a bit of weight to performance is the SHA256 hashing. So if a user does not make use of that feature, I recommend disabling it.

 

[hjlbx]

I respect that, absolutely. I've seen a lot of your other posts and so I know you've got a great understanding on a technical level and you know what your objectives are and how to achieve them. And so I can definitely understand why dealing with logs and creating rules can be time consuming at times. I think that we (any of us, really) can be a different stages in our own personal security preferences and our own needs out of software. And I don't mean knowledge level. But specifically, when it comes to either having extra time in our days or even just the patience and things like that. I totally understand and respect that, sincerely. A few years previously, I probably would have no patience for the rules creation and the logs. And who knows, a few years from now, that patience may very well go away again.

Any of us will always be happy to share rules as a community. Without a doubt, each individual driver (or even each function/feature within Bouncer itself) has it's own learning curve to get an understanding of how it works and also how the rules reflect how it operates. And, of course, the rules creation also has that initial learning curve. Once the learning curve is passed and, particularly once you've got all of your rules setup, it is pretty much set-and-forget. That's one beauty of it. I rarely ever have anything show up in logs, maybe once or twice per month. And rarely have to make any modifications to rules. So after that learning curve and creating rules per my systems and VMs, now I've earned my time to be lazy and enjoy it.

Also, I just wanted to mention that even when having multiple Excubits drivers running, it takes zero performance hit. The only feature which adds a bit of weight to performance is the SHA256 hashing. So if a user does not make use of that feature, I recommend disabling it.

Magic words = "set-and-forget" and "zero performance hit."

 

[Deleted member 178]

I'm used to create rules with SOB so Bouncer, even if i never used it, seems to have a similar approach for creating rules; what @hjlbx mentioned is exactly why i stop using SOB , took me too much time to create those rules.

 

[hjlbx]

I'm used to create rules with SOB so Bouncer, even if i never used it, seems to have a similar approach for creating rules; what @hjlbx mentioned is exactly why i stop using SOB , took me too much time to create those rules.

It's like 6 month project - then you're done.

 

[WildByDesign]

Official Launch: New version of Bouncer
2016/05/24 by F. Rienhardt
Link: Newsblog | Excubits

Download: Products - Bouncer | Excubits
Updated User Manual: https://excubits.com/content/files/bouncer_manual.pdf

Paid/Licenced users have their own unique download URL's along with their own unique passwords to initiate their download.

This is a new Stable release build of Bouncer. Both the Demo and Paid build installers are digitally signed with SHA1 and SHA256. This release contains a number of new features that have been seen throughout some of the beta builds and have now landed in stable build.

• Priority Rules (! symbol)

Priority rules are rules, that can overwrite any other classic Bouncer rules whether they are on the white- or blacklist. Although Bouncer supports a very powerful rules engine right now, we think that priority rules will provide more flexibility and result in better protection rules.

A priority rule can be set by adding "!" at the beginning of a rule's line, e.g.:

[WHITELIST]
!C:\Windows\Temp\AVUpdaterXy0001.exe
C:\Windows\*
C:\Program Files\*
C:\ProgramData\Microsoft\*
...
[BLACKLIST]
C:\Windows\Temp\*
...

In the example from above we declared C:\Windows\Temp\* to be on the blacklist. For good reasons you shall limit access to this folder, but it often happens that legit applications need to write and execute from C:\Windows\Temp\, hence you cannot block the folder without having issues afterwards. With priority rules you can define rules that will overwrite other rules, so in our example the whitelist rule

!C:\Windows\Temp\AVUpdaterXy0001.exe

will overwrite the blacklist rule

C:\Windows\Temp\*

Hence in this example the AVUpdater can execute from C:\Windows\Temp\ but other applications started from C:\Windows\Temp\ will still be blocked. Additional note: If you have set priority rules in both sections [WHITELIST] and [BLACKLIST], then the priority rule from [BLACKLIST] will always overwrite the priority rules from the [WHITELIST].

Please note, that the order of rules matters. If you have a whitelist rule C:\Windows\* you shall set the priority rule !C:\Windows\Temp\SomeUpdater.exe before C:\Windows\*, otherwise the rules engine will find C:\Windows\* first and this rule will then be blocked (because it is no priority rule) by the blacklist rule C:\Windows\Temp\*.

• Command Line Scanning

Bouncer now supports command line scanning, hence you can white- and blacklist command line parameters with Bouncer. You are able to white- and blacklist executables by their command line options. This feature can be very beneficial to lock down interpreters and virtual machine (e.g. .NET or Java) executables which are often misused by intruders and malware's first and second stage infection mechanisms.

Enable Command Line Scanning by setting

[CMDCHECK]

in the init part of Bouncer's .ini file. Then specify

[CMDWHITELIST]
...
[CMDBLACKLIST]

for your command line white- and blacklist. Please start Bouncer in [#LETHAL] mode to play with this feature. It is not an easy task to set up rules, so beware. But it is great fun to see what happens behind the scenes and know more about all the command line options Windows and other applications make use of. With this new feature Bouncer is now close to a silver bullet and can dramatically enhance your system's overall security, especially when it comes to harden your interpreters and virtual machine executables like .NET or Java.

• Install Mode - the ability to easily have an administrative mode in which you can install programs and other administrative duties such as Windows Updates. This Install Mode persists through reboots.

• Newly designed BouncerTray app system tray menu. This newly designed menu with easy to navigate sub-menus makes the overall workflow of Bouncer much smoother and more efficient. There are a number of features within this new BouncerTray app. Please have a look at the following link (Bouncer (previously Tuersteher Light)) where I've shared some screenshots (within spoiler) of the new design of BouncerTray app along with some details on the individual features contained within it.

If you want to know more about some of those new features such as Priority Rules, Command Line Scanning, etc., check out the News link above or also the updated PDF User Manual.

 

[Andy Ful]

Thanks to a discussion on another topic, I have got an idea about excubits MZWriteScanner.
Actually, it can monitor and keep track of Windows executable files (MZ files) which are dropped onto the hard disk.
I think that functionality of MZWriteScanner could be extended to force executable files (cmd, com, cpl, exe, msi, pif, scr) in the User Space to trigger SmartScreen Filter (App Reputation on RUN). So far, SmartScreen can be easily bypassed by any 0-day malware executable (see the topic Video Review - Ransomware- Musings with UAC). Of course Windows can be locked by SRP, Bouncer, etc., but locked system is not especially user friendly. Something like 'SmartScreen SRP' would be more welcomed in Windows 8+ ('do not block, but go for Smartscreen'). In this simple way MZWriteScanner could reduce the vectors of malware infection, and should still be useful for average users.
The system can be easily hardened by using some reg tweaks:
* enable Windows Defender PUA protection
* disable command prompt
* disable Windows Script Host
* disable PowerShell script execution
* disable loading untrusted fonts (Windows 10)
* disable 16-bits
* deny Execute for Removable Storage Devices
Average user should not greatly miss any of above (disabled) functions.
This setup + web browser in a sandbox, should be as secure as well known antivirus suites, and has the advantage to be more stable and compatible with Windows system.
Anyway, nothing is bulletproof. SmartScreen Filter does not check programs signed by an EV code signing certificate, so can be bypassed by targeted attacks.

 

[WildByDesign]

I think that functionality of MZWriteScanner could be extended to force executable files (cmd, com, cpl, exe, msi, pif, scr) in the User Space to trigger SmartScreen Filter (App Reputation on RUN).

That is rather interesting, indeed. So if I understand this correctly, your idea would involve MZWriteScanner monitoring the hard drive for any executable/binary writes to disk (which MZWriteScanner does in general) and take that a step further by having MZWriteScanner force those executables through Microsoft's SmartScreen to allow for reputation checking. So by default, SmartScreen would generally come into play when the user attempts to execute those binaries. With your suggestion, you would want SmartScreen to come into play earlier and check the binary reputation as soon as it hits the hard drive, whether that is downloaded by a browser, copied from one drive to another, etc.

That might be possible and is an interesting concept. I am not a programmer myself, so I don't know for certain whether or not Microsoft provides an API in which third party programs can interact with SmartScreen directly. That's something that Florian would need to look into. Another possibility here would be to have MZWriteScanner intercept (as it typically does) but extend further by modifying the zone details to ensure that the executables have that "Downloaded from Internet" type of attribute (if not, then have the driver add it) and try to force the executable to run in some sort of safe way. I'm not certain which of these two methods would be possible or which would make the most sense. But certainly interesting for discussion.

The system can be easily hardened by using some reg tweaks:
* enable Windows Defender PUA protection
* disable command prompt
* disable Windows Script Host
* disable PowerShell script execution
* disable loading untrusted fonts (Windows 10)
* disable 16-bits
* deny Execute for Removable Storage Devices
Average user should not greatly miss any of above (disabled) functions.

I agree 100%, and those are all great suggestions to further lockdown systems. I am strongly in favor of preventative security measures such as these.