Andy Ful

The general idea is to always run executable files (from the User Space, no EV certificate) with a SmartScreen check. There are many ways to accomplish this.
The simplest one is to check immediately whether the dropped file has the proper Zone.Identifier file stream. If so, that is OK. If not, then the Zone.Identifier file stream is added. I assume that the file stream will not be changed/deleted afterwards, and that all executable files in the User Space have already got the proper file stream (it can be done during installation of MZWriteScanner).
The second solution (more robust) would be to do the checking/adding every time any executable file from the User Space tries to run (but before SmartScreen is triggered).
The third solution would be to do the checking as above. If the dropped file has the proper Zone.Identifier file stream, that is OK. If not, then MZWriteScanner triggers the SmartScreen Filter in another way (does not add the file stream).
It would be great if Florian could extend the functions of MZWriteScanner or Bouncer to do this task.
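As an added illustration of the "check, then add" step in the first solution above (this is not code from the post, from MZWriteScanner or from Bouncer), here is the same logic in PowerShell using the Zone.Identifier alternate data stream; the function name, the ZoneId value 3 (Internet zone) and the throwaway demo file are my own choices.

```powershell
# Added example: make sure an executable carries the Zone.Identifier stream
# (Mark of the Web) so that SmartScreen evaluates it on its first run.
# Not part of MZWriteScanner; stand-alone illustration only.

function Set-MarkOfTheWeb {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # ZoneId 3 = Internet zone, the zone SmartScreen acts on (assumed default).
        [int] $ZoneId = 3
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Step 1: does the file already have a Zone.Identifier stream?
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($stream) {
        $content = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
        # ZoneId 3 (Internet) or 4 (Restricted) is "proper"; anything else is rewritten below.
        if ($content -match 'ZoneId\s*=\s*[34]') {
            Write-Verbose "$Path already carries a proper Zone.Identifier stream."
            return $false
        }
    }

    # Step 2: add (or overwrite) the stream in the same format Windows writes it.
    $motw = "[ZoneTransfer]`r`nZoneId=$ZoneId`r`n"
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $motw -NoNewline
    Write-Verbose "Added Zone.Identifier (ZoneId=$ZoneId) to $Path"
    return $true
}

# Constructed demo: a placeholder file in the user's temp folder (NTFS required).
$demo = Join-Path $env:TEMP 'motw-demo.exe'
Set-Content -LiteralPath $demo -Value 'placeholder' -NoNewline
Set-MarkOfTheWeb -Path $demo -Verbose   # first call adds the stream and returns $true
Set-MarkOfTheWeb -Path $demo -Verbose   # second call finds it and returns $false
Get-Content -LiteralPath $demo -Stream Zone.Identifier
Remove-Item -LiteralPath $demo
```

Alternate data streams exist only on NTFS, so on a FAT/exFAT volume (a typical USB stick) Set-Content -Stream fails; that is one case the post's assumption about the stream staying in place does not cover, and the file must be marked after it is copied to an NTFS drive.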

Andy Ful

Florian is an expert and he knows very well how to improve his software. Anyway, he is also a busy man, so I tried to imagine what could be done without changing the main idea of MZWriteScanner.

Force SmartScreen check ON RUN = all executable files in the User Space cannot be run without a SmartScreen check. The User Space is defined in the [Whitelist] and [Blacklist] sectors.
The flags [#SMARTSCREEN], [SMARTSCREEN], and [!SMARTSCREEN] can be used to control the new function.

1. Do not interrupt SmartScreen = no changes in the way MZWriteScanner works
[#SMARTSCREEN]

2. Force SmartScreen check ON RUN, and if no good reputation, then always block (User cannot bypass SmartScreen) = smart & silent anti-exe
[SMARTSCREEN]

3. Force SmartScreen check ON RUN (User can bypass SmartScreen) and do not block = smart anti-exe
[!SMARTSCREEN]

Personally, I would like to adopt MZWriteScanner with the [SMARTSCREEN] flag. I have some relatives and friends who need help with computer maintenance. So far, they use Windows 10 on a hardened SUA locked by absolute SRP (User Space default deny, elevation deny). If they need to install something, they call me to do it. They mostly use Windows Store Metro apps for daily work, so the admin has really little to do. This is a very safe and silent setup.
I think that MZWriteScanner with the [SMARTSCREEN] flag and some system hardening could be used by many people to do similar tasks on an Admin Account (SUA was never especially popular). Then, users could safely install/update popular programs with good-reputation installers, could not be fooled by double-extension files or get infected by malware from a friend's pendrive. All this is pretty probable in the Windows 10 standard setup. Finally, expert help would rarely be needed.
The more experienced users (like many MalwareTips members) would prefer the [!SMARTSCREEN] flag. They know how to check that a low-reputation file is safe.

hjlbx

Bouncer is really nice, but I hate the UI. It just doesn't feel very user friendly.
Actually it is quite simple using the Bouncer.ini directly - IF you know how and what rules to create.

The technique is to log, log, log ... review the log ... create the rules. Log, log, log ... review the log ... create the rules.

However, I do agree - for most users some form of further-developed GUI with rulesets already included will be a requirement.
 

vertigo

Wasn't sure whether to revive this old thread or start a new one, but since it is titled as a/the support thread for the program, and I wanted to be sure @WildByDesign saw it, I figured it best to do it here:

The latest (2017/07/01) version of Bouncer is flagged by 6/65 scanners on VirusTotal. Not a lot, but enough to cause some concern, especially since four of them (2/3) are consistent in reporting it as a mining trojan.

upnorth

The latest (2017/07/01) version of Bouncer is flagged by 6/65 scanners on VirusTotal. Not a lot, but enough to cause some concern, especially since four of them (2/3) are consistent in reporting it as a mining trojan.
VT url/link?

WildByDesign

Unfortunately as we all know too well, the AV industry is well known for trying to "cut out" the competition in many malicious and negative ways. Not the only "cutthroat" business in this day and age, no doubt. But they are well known for taking the legs out from under the smaller guys before any of the up and comers have a chance to grow. Florian has already told me several stories that relate to AV industry doing shady things to take his business out. But I can only imagine how widespread this really is in the security software industry.

Is it the installer binary/sfx package that is flagging? Or tray tool or admin tool from within the package?

None of the running tools seem to be flagging via VT through Process Hacker on my system. I'll have to dig into this a bit more. My tool binaries might be slightly newer but I'll have to double check.


EDIT: I just checked a handful of the tray tool binaries and admin tool binaries (x64 and x86 and different release versions, beta and stable) and these AV scanners seem to be all over the place. I'm seeing binaries here and there with 0 detections. Binaries with 3 detections. Binaries with 6-8 detections. And these are all essentially the same functioning binaries with slightly different versions. This sort of random detection is quite interesting, to say the least.

WildByDesign

It's the installer itself, the demo version downloaded from the bottom of this page: Bouncer - Products | Excubits
Thanks. I just added an edit to my post above. It seems that detections from AV are quite literally all over the place and entirely random for the binaries contained within the installer package as well, such as the tray tool and admin tool.

The unfortunate thing here is that Florian had to entirely rewrite the tools from scratch less than a year ago due to targeted (shady) AV detection, and all detections were gone after that. Clean as a whistle. Now it seems that the industry is targeting his business again. I'll have to let him know the bad news.