Need your input for NEW zero config application sandbox


Deleted member 178

My biggest struggle here at MalwareTips has been getting familiar with all of the many categories and sub-threads and so on. But I will put some effort into familiarizing myself here more at MT and possibly less so at Wilders.
Don't bother navigating through all the sections of the main page (unless you are looking for a particular topic), just click on the "recent posts" button, all the fun will be displayed then ;)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
can anyone tell me if Excubits drivers work under Hyper-V? under Device Guard?
The problem is that a few people use those drivers (especially under hyper-v), and few of them have Windows Ultimate.
You can simply install Bouncer, and test by yourself. The driver starts in the logging mode, so it does not block anything. Installing, testing and uninstalling will take about 15 minutes.
If you choose to activate LETHAL mode, then do not change the default settings until you understand well what is happening.
 

WildByDesign

Level 1
Verified
Jan 24, 2016
23
can anyone tell me if Excubits drivers work under Hyper-V? under Device Guard?
Yes, I have used and tested several of the Excubits drivers many times under Hyper-V. That has been my virtual machine solution of choice over the past year or so now. So the drivers work as per normal under the guest virtual machines and on the host as well. I have zero experience with device guard, however. Under Device Guard, you may have to create some rule within Device Guard to trust the binaries that are digitally signed by Excubits since I believe DG is essentially all about digital signatures and certificates.
 
  • Like
Reactions: Andy Ful

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@WildByDesign,

Thx for the tips (I got the Just For Laughs tickets and saw a show in the Sony Theatre). Also was so lucky to be in Toronto at Nuit Blanche. I also spent a day visiting the EDIT (Expo for Design, Innovation and Technology). Saw some amazing innovations in user interface applications. Nice city.

I am certain we will have contact about Excubits products (you being the advocate and early adopter of his programs).

Regards Kees
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@ All interested in this zero config JAIL-app. This thread has attracted the attention of Florian and he emailed me to assure me the 11 December meeting will proceed as planned.

Some remarks of Florian: with a smart installer the need for a GUI can be kept low by:
  1. Using App Path Installation folders of protected programs
    Most programs (office, firefox, chrome) add themselves to the App Paths registry key
    HKLM and HKCU SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

  2. Fall back to less restrictive executable-name-only rules
    When the installation directory can't be found in the registry, we have to see how we can smartly use MemProtect, PumperNickel and MZWriteScanner rules based on executable name only. We would just have to see how that works out in practice when testing these rules against malware.

  3. Using existing Windows mechanisms (and GUI) to add additional user folders
    For adding user folders we could use the Windows default folder variables. Additional user folders to be protected could be realised by adding these folders to the Windows Libraries. So when you have a folder with your documents on drive D and photos in E:\Photos, just add D:\ to the Documents library and E:\Photos to the Pictures library, restart the JAIL-app and you are okay.

Program signing, ACL and special folders will be outside the scope of the JAIL-app. Florian does not want his protection compromised by GUI or control programs running in user mode. The hacks of Tavis Ormandy (from Chrome zero project) using user mode - kernel mode bridges of AV software have convinced him to use driver (ring 0) only protection.


------
Regards Kees
 
Last edited:

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
I am leaning toward three application lines: Microsoft (browsers, office, media player and email), semi-open source (Firefox, Libre/Open Office, VLC player and Thunderbird) and a commercial line (Chrome, ????). I am meeting Florian on the 11th of December. Currently I am testing these rules with MemProtect, Pumpernickel, MZWriteScanner and CommandLineScanner (the Jail app will combine these drivers). The idea is to add substantial protection with zero config (maybe the installer has a GUI with options).

General rules
  • anti-ransom option only allows installed programs/Windows default programs to write to user libraries (similar to Windows 10 Controlled Folder Access). By including a folder in a library this folder would also be protected. So this would be easier to manage for the average user than the original Windows feature (why did Microsoft not use the existing library mechanism?).
  • anti-exploit option blocks guarded apps from starting risky commands (priority blacklist) and prevents executables from being executed in user libraries (technically not an exploit block but a block of the usual next steps of a successful exploit, but what's in a name?).
  • anti-mailscam prevents executables dropped by e-mail applications from being executed (maybe also block email from writing executables to disk? Combining PumperNickel and MZWriteScanner)
  • anti-driveby option only allows browsers to drop executables in *\User\Downloads and *\User\Desktop

Generic (MemProtect) exception rules
  • every executable is allowed to start 'the default browser'
  • every executable is allowed to start 'the default pdf reader'
  • every executable is allowed to start 'touch screen'
  • every executable is allowed to start 'print spooler'
Category: browsers
  1. Are not allowed to start executables except:
    • their own executable (e.g. chrome.exe is allowed to start chrome.exe)
    • their own updater(e.g. chrome.exe is allowed to start googleupdater.exe)
    • specific exceptions (e.g. chrome.exe is allowed to start software_reporter_tool.exe)
  2. Are protected from hollow process/dll-injections/process spawning from */users/* (together with general anti-exploit and anti-driveby this should cover all user folders).
Category: vulnerable Microsoft programs (e.g. Internet Explorer, Microsoft Office and Windows Media Player)
  1. Are ONLY allowed (priority whitelist) to start executables in their own Program Files folder (block all else with blacklist)
  2. Are NOT allowed to drop executables (Windows Update takes care of this).
 
Last edited:

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
As posted, I still have to develop rules for semi open source (Firefox, Open/Libre Office, VLC player, Thunderbird) and the commercial leader line (Chrome and ... WPS Office ... and eM Client ... and Kodi ... or ????, please tell me ...).

Above rules are pretty silent and block suspicious behavior. Until now several 'loose' defense policies seem to combine into decent protection (have to test in depth with the real one-driver Jail-app). My gut feeling that combining several 'loose' protections with Excubits drivers into an easy to use security app would work well against general in-the-wild malware seems to hold. On Windows 7 the anti-exploit option also prevents medium IL processes which are popular victims of ransomware and staged advanced attacks (like taskhost.exe, explorer.exe and dwm.exe) from being attacked from */User/*. Users who disable UAC increase the attack surface and are better off with other security countermeasures. Users who enable UAC only have to be concerned about 'hollow process/dll injection' attacks on medium IL processes. Jail protects most of them (all when you use one of the three protection lines: Microsoft, semi open source and commercial leader line).

Every rule in itself is not a 100% solution, but the combination proves (with my limited testing) to be very efficient (chances of a specially designed malware sneaking through the loopholes are slim).
 
Last edited:

Deleted member 178

Windows_Security said:
anti-exploit option blocks guarded apps to start risky commands (priority blacklist) and dropping executables in libraries (technically not an exploit-block but a block of the usual next steps of a successful exploit, but what's in a name?)
This is called "Exploit Mitigations", it is what most AVs do, they can't block the exploit itself but stop/hamper the following system modifications from exploited system processes/interpreters.
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
This is called "Exploit Mitigations", it is what most AVs do, they can't block the exploit itself but stop/hamper the following system modifications from exploited system processes/interpreters.

Good suggestion, better to call it the "malware mitigation" options:
- ransomware mitigation
- exploit mitigation
- mail-scam mitigation
- drive-by mitigation

Using above terminology also has the advantage that we don't promise protection we can't provide or make promises we can't keep.

The power of collaborative design and community feedback (y)
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
What do you think of the "use what is already available" design principle?

Assume a user is sensible enough to keep UAC enabled, and we limit dll injection and hollow process attacks only from */users/*. When the web browser, office programs, media player and mail program are all protected by Jail-bits from *\Users\* attacks, there won't be many medium integrity level processes available to misuse?

We have to explain on the website how to use the default Windows mechanism to add and remove folders to Windows libraries. From these libraries executables are not allowed to execute. In theory this only leaves open the root folders of the system and additional drives or partitions.

The reason for not blocking root is that the Windows updater drops new versions of the .NET installer files into the data partition with the most disk space left (some driver update programs also create a root folder in the partition with the most unused disk space).

We could close this hole down by using Pumpernickel to deny guarded programs to write or delete files/folders in all root folders. I have never encountered a normal situation where Word needed to drop a file in my data partition root folder (D:\), just out of the blue (meaning not user initiated).

Suggestions anyone?
 

Danielx64

Level 10
Verified
Well-known
Mar 24, 2017
481
What do you think of the "use what is already available" design principle?
That would be a nice idea, just be mindful that you would need a way to tell if UAC is turned on and then act according to the results. I'm not sure if that can be done without admin access or anything like that.
 
  • Like
Reactions: XhenEd

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
UPDATE: Have mailed with Florian, this is the outline of the program. We will be discussing this and other stuff (like how to introduce and position the new program, how to build a community of trusted members for rules building, how to validate and test new rules with known et cetera).

The combined driver will run in default allow mode. Pumpernickel will only provide write protection for a preset set of extensions. MZ Write Scanner will get a parent-process option. MZ Write Scanner quarantines dropped executables for 14 days.

Exploit mitigation

  1. MemProtect
    Will protect Medium Integrity Level processes which are often misused (hollow process) by ransomware from user folders */Users/* (on Windows 7 typical Medium Level processes are Explorer, Taskhost and Dwm.exe). Guarded apps will also be protected from tampering (hollow process and dll injection) originating from user folders */Users/*.
    Guarded apps will only be allowed to start executables in UAC protected folders plus some specific exceptions (e.g. Chrome is allowed to start software_reporter_tool.exe).

  2. Bouncer
    Blocks guarded apps from launching risky commands.

Ransomware mitigation
  1. PumperNickel
    Will only write protect office and media files. The default programs associated with the extensions that will be protected will be read from the registry and are allowed by default. PumperNickel will protect all user folders which are included in the Windows Libraries. So folders added to or removed from the Documents, Music, Pictures and Videos libraries will be added to/removed from the protected folders. The libraries and default programs are automatically scanned at driver (re)start. The tray app will have a "REFRESH POLICIES" option to update the protected folders and allowed default programs during the log-on session (this will stop and start the driver). After changing the default application for a file type, the user would also need to select REFRESH in the tray icon. By default Windows Explorer is also allowed.

  2. Bouncer
    Will block executions originating from user libraries (protected by Pumpernickel).

Mail-scam mitigation
  1. MZ Write Scanner
    Blocks executables dropped by e-mail (parent). These executables are blocked for 14 days. This should give antivirus programs enough time to add the dropped executable to the AV blacklist. Files saved in/moved to the DESKTOP/UNQUARANTAINE folder are whitelisted immediately. Average PC users should not receive executables by mail, so this mitigation should not interfere with average PC usage.

  2. MemProtect/Bouncer (see exploit mitigation)
    MemProtect will block the mail program from starting executables outside safe folders (UAC protected folders). Bouncer will also block risky command execution by the mail program.

Drive-by mitigation
  1. MZ Write Scanner
    Blocks executables dropped by the browser outside the default DOWNLOAD folder. These executables are blocked for 14 days. This should give antivirus programs enough time to add the dropped executable to the AV blacklist. Files saved in/moved to the DESKTOP/UNQUARANTAINE folder are whitelisted immediately. Since average PC users rarely download programs, and more enthusiast PC users usually only download programs to the default download folder, even PC enthusiasts would not be affected by this limitation.

  2. MemProtect/Bouncer (see exploit mitigation)
    MemProtect will block the browser from starting executables outside safe folders (UAC protected folders), so executables dropped by the browser in the Download folder can't be started in a sneaky way. Bouncer will also block risky command execution by the browser.

PRICING IDEA
Freeware trial version will only monitor/warn (tray icon would change colour). Paid version also blocks and would cost 12 Euro for a lifetime license (same as other Excubits programs), plus 3 Euro annually to receive (ini-file) updates. First year updates included with the lifetime license. This is reasonable since individual licenses are 12 Euro each (you get three for the price of one). Eat one hamburger less a year and you have funded your annual updates.
 
Last edited:
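The drop-and-quarantine decisions described in the outline above (MZ header check, parent-process rules for browsers and mail clients, 14-day block, DESKTOP\UNQUARANTAINE whitelisting), modelled in user-mode Python as an added example. This is not Excubits' driver code; the process categories, profile path and sample writes are constructed for the illustration.

```python
"""Added example: a user-mode model of the MZ Write Scanner policy from the
outline above. Not Excubits code. Assumed: the set of browser and mail-client
executable names, the profile path, and the sample events in run_sample()."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

QUARANTINE_DAYS = 14
T0 = datetime(2017, 12, 1)          # constructed clock for the sample
DAY = timedelta(days=1)

# Assumed parent-process categories; the real driver would take these from its rules.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "emclient.exe"}


def is_mz_executable(head: bytes) -> bool:
    """Every DOS/PE executable starts with the two bytes 'MZ'."""
    return head[:2] == b"MZ"


def _under(path: str, folder: PureWindowsPath) -> bool:
    """Case-insensitive 'path is inside folder' on Windows path components."""
    pp = [s.lower() for s in PureWindowsPath(path).parts]
    fp = [s.lower() for s in folder.parts]
    return pp[:len(fp)] == fp


@dataclass
class WriteScanner:
    user_profile: str                                 # e.g. C:\Users\kees
    blocked: dict = field(default_factory=dict)       # lowercased path -> expiry

    def _downloads(self) -> PureWindowsPath:
        return PureWindowsPath(self.user_profile, "Downloads")

    def _unquarantine(self) -> PureWindowsPath:
        return PureWindowsPath(self.user_profile, "Desktop", "UNQUARANTAINE")

    def on_write(self, parent: str, path: str, head: bytes, now: datetime) -> str:
        """Verdict for `parent` writing a file whose first bytes are `head`."""
        if not is_mz_executable(head):
            return "allow"                            # only executables matter here
        parent = parent.lower()
        if parent in MAIL_CLIENTS:
            pass                                      # mail-scam: never from mail
        elif parent in BROWSERS and not _under(path, self._downloads()):
            pass                                      # drive-by: browsers only into Downloads
        else:
            return "allow"
        self.blocked[path.lower()] = now + timedelta(days=QUARANTINE_DAYS)
        return "block"

    def on_execute(self, path: str, now: datetime) -> str:
        """Execution verdict: quarantine expires after 14 days or on UNQUARANTAINE."""
        if _under(path, self._unquarantine()):
            return "allow"
        expiry = self.blocked.get(path.lower())
        return "block" if expiry and now < expiry else "allow"


def run_sample() -> dict:
    """Constructed events exercising each branch; returns the verdicts."""
    ws = WriteScanner(r"C:\Users\kees")
    tmp_exe = r"C:\Users\kees\AppData\Local\Temp\x.exe"
    return {
        "browser_to_downloads": ws.on_write("chrome.exe", r"C:\Users\kees\Downloads\setup.exe", b"MZ\x90\x00", T0),
        "browser_to_temp": ws.on_write("chrome.exe", tmp_exe, b"MZ\x90\x00", T0),
        "run_day_13": ws.on_execute(tmp_exe, T0 + 13 * DAY),
        "run_day_15": ws.on_execute(tmp_exe, T0 + 15 * DAY),
        "mail_exe": ws.on_write("outlook.exe", r"C:\Users\kees\Downloads\invoice.exe", b"MZ", T0),
        "mail_pdf": ws.on_write("outlook.exe", r"C:\Users\kees\Downloads\invoice.pdf", b"%PDF", T0),
        "unquarantined": ws.on_execute(r"C:\Users\kees\Desktop\UNQUARANTAINE\x.exe", T0),
        "word_exe": ws.on_write("winword.exe", r"C:\Users\kees\Documents\a.exe", b"MZ", T0),
    }


if __name__ == "__main__":
    for event, verdict in run_sample().items():
        print(f"{event:22} {verdict}")
```

Note that the model only decides on the MZ header and the parent name; whether the browser may later start an allowed drop in Downloads is a separate MemProtect decision, which is why the outline pairs the two drivers.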

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Note: I am just mentioning existing drivers for reference. This would be a new driver combining above functionality
 
Last edited:
  • Like
Reactions: askmark and Mr.X

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Today I have spoken with Florian and his girlfriend to discuss a roadmap to an "Excubits Malware Mitigation", this is the idea

Release 1: Only bouncer and MZwritescanner
  1. Adopt MZwriteScanner
    • Add "parent process' feature (like parent process option of Bouncer)
    • Add persistent block option (with configurable number of days)
  2. Combine existing drivers into one new driver
  3. Develop GUI for configuration program which sets options in ini-files (so driver still does not have user mode access), this could be done by other developer.
Release 2: Add PumperNickel and Memprotect
  1. Add optional [Extensions] section to define to which extension read-write protection is provided (this would make writing rules easier)
  2. Rewrite configuration program (Florian wants final version to be coded by himself).

We agreed on setting up a community of trusted testers at Wilders and MalwareTips and also on pricing (12 Euro for zero config with 3 Euro for updates of ini-files and functionality).

Protection of release 1 is drive-by infections and mail scam, release 2 adds exploit protection of often attacked vulnerable Medium IL processes and guarded programs and ransomware protection for Windows libraries (when the user adds a folder to a library through normal Windows functionality, the restart option of the tray app should read the Windows libraries and add them to the protected folders).

The above extra features would also be added (as option) to the existing drivers.

In january we will have contact again about implementation timeline/planning.

Regards Kees
 
Last edited:

Peter2150

Level 7
Verified
Oct 24, 2015
280
Windows_Security said:
Protection of release 1 is driveby infections and mailscam, release 2 adds exploit protection of often attacked vulnerable Medium IL processes and guarded programs and ransomware protection for Windows libraries (when user adds a folder to library through normal Windows functionality the restart option of tray-app should read Windows libraries and add them to protected files).

When you talk about ransomware and the Windows libraries, what do you mean by Windows libraries?

Pete
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
When you talk about ransomware and the Windows libraries, what do you mean by Windows libraries?

Pete

Only the common ones: Documents, Music, Pictures and Videos.

The configuration utility will read out the library values (there should be commands for it in C++ etc.), but they are also located in C:\Users\YOURUSERNAME\AppData\Roaming\Microsoft\Windows\Libraries.

When you right click a folder, you can add it to (or remove it from) a default library.
 
  • Like
Reactions: Andy Ful
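How a configuration utility could read the library definitions from that Libraries folder and turn them into the protected-folder policy described earlier in the thread (PumperNickel write protection of preset extensions with the associated default programs allowed, Bouncer blocking execution from library folders). This is an added example in Python, not the Excubits tray app or driver. The two .library-ms documents are constructed for the example; the known-folder GUIDs are the ones Windows uses for the per-user Documents, Music, Pictures and Videos folders; the protected extension set and default-program mapping stand in for what the real utility would read from the registry.

```python
"""Added example: deriving protected folders from .library-ms files and
applying the library rules described in the thread. Not Excubits code.
Assumed: the sample library XML, the protected-extension set and the
default-program mapping (in reality read from the registry)."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

# Known-folder GUIDs Windows uses for the per-user library folders.
KNOWN_FOLDERS = {
    "{FDD39AD0-238F-46AF-ADB4-6C85480369C7}": "Documents",
    "{4BD8D571-6D19-48D3-BE97-422220080E43}": "Music",
    "{33E28130-4E1E-4676-835A-98395C3BC3BB}": "Pictures",
    "{18989B1D-99B5-455B-841C-AB7C74E4DDFC}": "Videos",
}

# Preset extensions PumperNickel would write-protect (assumed set).
PROTECTED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".mp3", ".mp4"}

# Constructed sample: Documents library with D:\ added, Pictures with E:\Photos added.
DOCUMENTS_LIBRARY = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation><url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>D:\</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""
PICTURES_LIBRARY = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34595</name>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>knownfolder:{33E28130-4E1E-4676-835A-98395C3BC3BB}</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>E:\Photos</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""


def library_folders(xml_text: str, user_profile: str) -> list:
    """Folders a .library-ms points to, with knownfolder: references resolved."""
    root = ET.fromstring(xml_text)
    folders = []
    for url in root.iterfind(".//lib:simpleLocation/lib:url", NS):
        u = (url.text or "").strip()
        if u.lower().startswith("knownfolder:"):
            name = KNOWN_FOLDERS.get(u.split(":", 1)[1].upper())
            if name is None:
                continue                      # unknown GUID: skip rather than guess
            folders.append(str(PureWindowsPath(user_profile, name)))
        elif u:
            folders.append(u)
    return folders


def _under(path: str, folder: str) -> bool:
    pp = [s.lower() for s in PureWindowsPath(path).parts]
    fp = [s.lower() for s in PureWindowsPath(folder).parts]
    return pp[:len(fp)] == fp


class LibraryPolicy:
    def __init__(self, protected: list, default_programs: dict):
        self.protected = protected
        self.default_programs = {k.lower(): v.lower() for k, v in default_programs.items()}

    def in_library(self, path: str) -> bool:
        return any(_under(path, f) for f in self.protected)

    def execute_allowed(self, path: str) -> bool:
        """Bouncer rule: no execution from library folders."""
        return not self.in_library(path)

    def write_allowed(self, writer: str, path: str) -> bool:
        """PumperNickel rule: protected extension in a library only by its default program or Explorer."""
        ext = PureWindowsPath(path).suffix.lower()
        if ext not in PROTECTED_EXTENSIONS or not self.in_library(path):
            return True
        writer = writer.lower()
        return writer == "explorer.exe" or self.default_programs.get(ext) == writer


def build_policy(user_profile: str) -> LibraryPolicy:
    """What a REFRESH POLICIES step would produce from the sample libraries."""
    folders = library_folders(DOCUMENTS_LIBRARY, user_profile) + library_folders(PICTURES_LIBRARY, user_profile)
    # Constructed stand-in for the registry's file-type associations.
    defaults = {".docx": "winword.exe", ".xlsx": "excel.exe", ".jpg": "mspaint.exe"}
    return LibraryPolicy(folders, defaults)


if __name__ == "__main__":
    pol = build_policy(r"C:\Users\kees")
    print("protected:", pol.protected)
    print("chrome -> D:\\Work\\report.docx:", pol.write_allowed("chrome.exe", r"D:\Work\report.docx"))
```

The policy object is what the driver would be reloaded with after a library change; adding D:\ to the Documents library protects the whole data partition, which is exactly the "add it to the library, restart, done" flow the thread proposes.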
