Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Bouncer's manual is outdated - Version 2.1.7 (May 2015)
    I say this because I'm installing Bouncer for the very first time and according to the manual I should be able to find a series of files including the famous Bouncer.ini to begin configuring the program.
    No Bouncer.ini at all, only Bouncer .cat .inf and .sys.
    Can't go any further with setup...

    Edit: After a file search in C:\ both files Bouncer.ini and bouncer.log are located in %WINDIR%. Yes the manual should be updated.
     
    Last edited: Sep 4, 2015
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Mister X You are probably right, the manual may very well be behind.

    Are you trying to use the latest stable? (http://excubits.com/content/files/bouncer_demo.exe)
    Or latest beta? (http://excubits.com/content/files/bouncer_beta.exe)

    From my understanding, the current stable version is now an easy to use installer, while the beta version is more of a basic self-extracting executable. Although I believe you could always use something like 7-Zip to manually extract either if you are trying to install manually.

    I just had a look at the manual now and I see what you mean. There are some inconsistencies in there from previous versions with regard to which directory some of those files should be in. I'll mention that to the developer. Thank you for letting me know. Please feel free to let me know if you have any questions or need any help with config and so on. Cheers!
     
  3. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Quote:
    The Admin Tool, however, is lacking with regard to helping to create hashes in the whitelist/blacklist. Currently, the Admin Tool can only hash one file at a time. That is actually great as far as simple updates go. But of course, when it comes to the initial hashing of an entire system/partition, that alone does not cut it. There are programs such as HashMyFiles (http://www.nirsoft.net/utils/hash_my_files.html) which make it easy to get a list of hashes for an entire folder and sub folders. Also, personalized scripting can be done with free command line tools like OpenSSL and also Sigcheck (https://technet.microsoft.com/en-ca/sysinternals/bb897441.aspx) from Sysinternals. Personally, I use a script created for Sigcheck to do the initial hashing of the entire system which takes maybe 10 minutes, depending on system hardware and so on. After that, it's easy to update hashes after program updates.
    
    Would you mind sharing the script you use to hash your system? So when you do this (hashing your entire system) does it only hash exes, dlls, etc?

    Also, how does one handle/manage updates to the files? How do you find out what files have changed that need rehashing? ie: what do you do after updating your system?

    Quote:
    If there is enough interest in Bouncer (and SHA256 hashing feature in particular), then the developer may create a much better built-in hashing program and database of some sort. He's got the skills to do so, it's just more the time which he lacks.
    
    I am definitely interested in better hashing handling in the admin tool. I personally think this is time well spent since using the hashing option makes your system that much more secure.

    Quote:
    Actually I agree with you 100% here, it does sound like your idea makes the most amount of sense and really is a great idea. I can talk with the developer about this because I do like the idea.
    
    I'd be very interested to hear what the developer has to say about this idea! I think disabling Bouncer for the duration of installing software is a bad idea!

    Quote:
    Great idea! I really need to give hashing a try. Does anyone have an ETA for stable version of Bouncer with this feature?
    
    Realistically, I would guess about 3-4 weeks.
    
    Thanks! I plan on purchasing a license once I have tested Bouncer with the hashing feature. Having up to date documentation is key for this new version, I think.

    One more question about hashing. I'm assuming that if a program's folder location changes, the hash whitelist doesn't need to be updated? Is this correct?

    Edit: Sorry for the brief post but I have family visiting me for a week, so I snuck a quick post in!
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    https://mega.nz/#!ylwECDLQ!eJMtccCupCTqVMJPvddTQZ-LO31QQHXj28Mj9WdlbAc
    • Extract that archive to a folder, let's say D:\Hash for example (extract using 7-Zip)
    • Open an elevated command prompt and navigate to D:\Hash
    Code:
    D:
    cd hash
    Now, the script is in two parts because my REGEX is seriously lacking. If I had those skills, I would be able to keep it more simple. You will need either Microsoft Excel or LibreOffice Calc.

    Running the first part of the script is as simple as:
    Code:
    hash c:
    or
    Code:
    hash C:\Windows
    Or whichever folder(s) or partitions you like. It will automatically look within sub folders. That script will take around 10 minutes (more or less) depending on system.

    Once complete, open the created hashes.csv file in Excel or Calc. Select the SHA256 column, and simply copy and paste that into the already created hashes.txt file. Notepad++ works fantastic for working with the hashes.txt file (no slow downs like Notepad). Delete the blank row at the bottom of hashes.txt and delete the SHA256 line at the very top. Save hashes.txt

    Run the second script from your elevated command prompt:
    Code:
    hashfix
    That will automatically change all letters to lowercase, sort, and remove any duplicate hashes. You will have an output file of hashes.ini which contains the final hashes. Copy those into your Bouncer.ini whitelist section (or blacklist) depending on your intent. Just keep in mind the Bouncer beta version's 20KB limit during testing. A full system hash list is going to be 800KB and up, depending. So for testing purposes you would have to test with smaller folders and so on.

    I will try my best to answer your other questions later tonight hopefully.
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    @WildByDesign
    I'm actually using the last stable one: bouncer_demo.exe

    See, I was following the user manual to the letter when I suddenly found no Bouncer.ini in the mentioned directory. That's the only inconsistency I've found so far, but I explained what happened in my previous post. Although it's a minor "issue", it could lead people to confusion and waste some time trying to find the ini file.

    Have a nice weekend!

    Edit: I'm currently using AppGuard and all that stuff in my signature lol, especially Sandboxie which has its FileRootPath in R:\ (RAMdisk). Is there something to bear in mind while using Bouncer? Fyi I just want Bouncer as the deepest layer of protection (not for forensic analysis) for daily use. From what I read the driver is in kernel mode so it makes a superb protection for my PC.
     
  6. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    How does AppGuard compare to Bouncer (out of curiosity)?
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I haven't heard any other users mention specific problems of Bouncer conflicting with AppGuard or Sandboxie, so it should be perfectly fine. The best thing that I could recommend for the first few days would be to run Bouncer with [LOGGING] (logging enabled) and [#LETHAL] (blocking disabled) to determine if there are any conflicts and also determine any rules that may need to be created based on what shows up in the log. And if you have any specific questions regarding what is showing up in the log or which rules to create, you can always feel free to ask here. Myself and a few others here would be happy to help.
    To be perfectly honest, I have never tried AppGuard before at all. But from what I have read and heard about it, AppGuard seems to take anti-exec to another level with special memory protections which I believe are patented. So AppGuard is really quite sophisticated.

    @Cutting_Edgetech If you have a moment, would you mind elaborating on the question regarding comparison between AppGuard and Bouncer? You've got quite a bit of experience with AppGuard and also some good experience with Bouncer now as well.
     
  8. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Quote:
    To be perfectly honest, I have never tried AppGuard before at all. But from what I have read and heard about it, AppGuard seems to take anti-exec to another level with special memory protections which I believe are patented. So AppGuard is really quite sophisticated.
    
    The reason I ask is because there is a huge price difference between Bouncer and AppGuard ($89 vs. about £20 respectively).

    When I have time again and the family that are visiting me have left I will have a look into this. Very interesting products!

    WildByDesign: Thank you for taking the time to answer all my questions!
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    AppGuard is fabulous and I suggest you read this thread, very long unfortunately although very informative. If you don't have the time to read it, just shoot a question there and the experts or Barb_C from BRN will assist:
    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/

    Thank you @WildByDesign that's exactly what I'm doing then I'll come back to nag you with questions and doubts lol
     
  10. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Many thanks for your fantastic script! I have some more questions:

    1. I ran your script in a test VM on the entire system drive and it generated about 15000 hashes. Size was 977kb. I haven't tried the beta Bouncer yet but what I am battling to understand is, what happens after I copy all these hashes into the bouncer.ini file and I enable LETHAL mode? How do I manage the hashes when I install/update things on my machine? Do I then have to rehash the entire machine each time something changes, as I wouldn't know which files' hashes have changed? My understanding of hashes leads me to think that even logfiles updating would be an issue? How is this handled in Bouncer? I really wish there was some more functionality built into Bouncer wrt hashing as it's such an AMAZING way to secure your system!
    2. On my live day to day machine I am still running Bouncer in logging only mode. One thing I have noticed is that Bouncer continually turns my shield red when accessing blacklisted files. This is great in the beginning when fine tuning the setup but after a few days it becomes annoying as you keep seeing the same entries in the log reoccurring. Will there be some sort of option in the future version to only alert x amount of times and then to stop?
    3. Does the pay version have date/time stamps in the logfile?
    @WildByDesign: You said in one of your previous posts that you ran your system fully hashed for about a month. Would you mind sharing your experiences? Good/bad/etc. Are you still running Bouncer with the hash mode enabled? If not, why not? How did you manage updates on a day to day basis?

    I'm REALLY looking forward to the next version of Bouncer!

    As always thank you!
     
    Last edited: Sep 15, 2015
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome, my pleasure. I am always happy to help whenever possible. Years ago, I had learned so much through Wilders forum and other forums and now is my time to give back more.
    Bouncer is one of the most efficient yet powerful kernel-mode drivers around at the moment which has tremendous potential. However, without a doubt, it is seriously lacking when it comes to actually managing the list of hashes. I agree with you 100%, there needs to be more functionality with regards to managing the hash list. The one question regarding log files (hope I am understanding correctly) should not be an issue because log files would not be hashed since they are simply just text. The driver only hashes executables (.exe, .dll, .ocx, .sys, etc). But with regards to updates, for example updates to Flash Player, you would have to point the script (or other hashing program) toward C:\Windows\System32\Macromed\Flash\ and C:\Windows\SysWOW64\Macromed\Flash\ to obtain updated hashes to copy into your hash list. If it's individual program updates such as Flash, Chrome, Firefox, etc. it's not too difficult. But as you can imagine, an update to Windows for example, which could have updated executables in many directories throughout the file system, that could be much more difficult when it comes to updating the hash list. That is an example where I would likely just re-hash the system and certainly an example where Bouncer's current hashing functionality is lacking.
    This would be a good question for the developer. He has just gotten back from a two week long business trip throughout Europe and therefore has some more time now to answer questions and also work on coding Bouncer. He's a great guy to have conversations about security with as well, you would like him. I would suggest going to his blog (http://bitnuts.de/) and you will find his personal email at the very bottom of his blog. I understand your question, personally, but I'm not so sure I would want to dismiss the alerts in that way. I suppose everyone would have different opinions with regards to that, and I totally respect that. But you are accessing blacklisted files, as I understand, running executables from blacklisted areas. In that case, you could temporarily stop Bouncer, or even consider hashing that directory if it is known trusted programs.
    Unfortunately, no. But I agree with you, that would be extremely helpful to have date/time stamps. I had suggested that to developer and I believe it is on his To Do list. There are some difficulties with obtaining and parsing that detail through the kernel and it would take some time to develop. But I think that it would be extremely beneficial to have that in the logs. If you do contact the developer with your other question(s), I think that you should mention this suggestion in the email as well. If he sees that more users would appreciate that functionality, it may move up more in priority on his list of future features/functionalities to add.
    Yes, that's correct. I ran it fully hashed (SHA256) for probably a little over a month. And it was also my first experience creating hash lists and with hashing in general, so it was a great learning experience for me. It also happened to be around the same time that there were numerous Flash exploits in the wild where we had received something like 3 Flash updates during that same testing period, so that made it more of a challenge for me. I had to alter the scripts a bit to make it easier to obtain the updated hashes for each of the Flash updates. At one point, I had also used that HashMyFiles program with one of the Flash updates. But I found the scripting to be easier in the end. Overall stability was phenomenal, and I have to admit I've never had any stability issues with Bouncer.

    I am the type of person who values computer performance as part of my priorities. So I haven't used an antivirus on my systems for five years or potentially even more. Prior to using Bouncer, I used Simple Software Restriction Policy (http://sourceforge.net/projects/softwarepolicy/) utilizing basic SRP path based functionality for 3-4 years or so. I loved the simplicity and efficiency in that, using hardly any resources. And that is why I adapted to Bouncer and enjoy it for those same reasons. Although with Bouncer, it's strictly kernel-mode, and you can go basic path based or go full hash based or any combination.

    Running Bouncer in SHA256 hashing mode was essentially like the difference between running without an antivirus, and running with an antivirus. The performance hit is just like using an antivirus. Hash based is about as secure as you can get. Path based, on the other hand, is still quite secure but is best combined with other mitigating strategies such as anti-exploit programs. Personally, my day to day preferred systems are low powered netbooks. SHA256 hashing was actually not too bad on performance with these low powered netbooks. But in the end, I am sticking with path-based combined with EMET. If I had powerful desktop rigs with 4-core or 8-core systems then I would have no issue running hash based. But any performance hit on my netbooks drives me crazy.
     
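    Following the hashing procedure WildByDesign describes (hash a folder tree, then lowercase, sort and dedupe the SHA256 column) and his note above about re-hashing only the folders an update touched, here is an added example that is not part of the original thread and is neither his Sigcheck script nor an Excubits tool. It does the whole job in one Python script: recursive SHA256 of executable-type files only (non-executables such as log files are skipped, since the driver does not check them), the same normalisation as the "hashfix" step, and a diff against a previous list so that after an update only the new hashes need to be pasted in. The extension set beyond .exe/.dll/.ocx/.sys is an assumption, as is the constructed sample tree; the script prints bare hashes, one per line, because the page does not show the Bouncer.ini section syntax itself.

```python
import hashlib
import os
import shutil
import sys
import tempfile

# Extensions the post says Bouncer hashes (.exe, .dll, .ocx, .sys "etc.");
# the entries beyond those four are an assumption for this example.
EXEC_EXTENSIONS = {".exe", ".dll", ".ocx", ".sys", ".scr", ".cpl", ".drv"}


def sha256_bytes(data):
    """SHA256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """SHA256 hex digest of a file, streamed so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root, extensions=EXEC_EXTENSIONS):
    """Map path -> sha256 for every file under root whose extension is in the
    set.  Logs and other non-executables are skipped; files that cannot be
    opened (locked system files) are skipped instead of aborting the run."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in extensions:
                full = os.path.join(dirpath, name)
                try:
                    hashes[full] = sha256_file(full)
                except OSError:
                    continue
    return hashes


def normalize(hashes):
    """The 'hashfix' step: lowercase, drop blanks and duplicates, sort."""
    return sorted({h.strip().lower() for h in hashes if h.strip()})


def diff_lists(old, new):
    """(hashes to add to an existing list, hashes no longer present in the tree)."""
    o, n = set(normalize(old)), set(normalize(new))
    return sorted(n - o), sorted(o - n)


def demo():
    """Constructed sample tree (not real system files): hash it, simulate a
    program update that replaces two binaries, and diff the two lists."""
    root = tempfile.mkdtemp(prefix="bouncer-hash-")
    try:
        files = {"a.exe": b"hello", "c.sys": b"hello",      # same bytes: one hash
                 os.path.join("sub", "b.dll"): b"world",
                 "app.log": b"not an executable"}           # never hashed
        for rel, data in files.items():
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
        before = normalize(hash_tree(root).values())
        with open(os.path.join(root, "a.exe"), "wb") as f:
            f.write(b"hello v2")
        with open(os.path.join(root, "sub", "b.dll"), "wb") as f:
            f.write(b"world v2")
        after = normalize(hash_tree(root).values())
        added, removed = diff_lists(before, after)
        # The old hash of a.exe is NOT in `removed`: c.sys still carries it, so
        # a shared hash only drops out once every file that had it has changed.
        return {"initial": before, "added": added, "removed": removed}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # Usage: hashlist.py <folder> [previous_hashes.txt]
    # Prints the normalised list, or only the hashes missing from the previous list.
    current = normalize(hash_tree(sys.argv[1]).values())
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as f:
            current, _ = diff_lists(f.read().split(), current)
    print("\n".join(current))
```

    Run it against C:\Windows\System32\Macromed\Flash after a Flash update with the existing hashes.txt as the second argument, and the output is just the hashes to append; keep the removed list for review rather than deleting those entries blindly, because the same hash may still be carried by an unchanged copy elsewhere on the disk.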
  12. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Aaah, excellent point. I forgot that Bouncer only monitored executables. Does your script only hash the executable files then? I assume that all non-executable files do not have to have their hashes added to Bouncer's white/black list? Hmmm, managing hashes as you have described above is ok but a bit of a pain I think. I really (really!) hope the developer adds some kind of functionality into Bouncer to manage this. Even updating/upgrading a single program could be a pain as it could save files all over the system (ie: not just in Program Files). Yes you could rehash the entire system but a bit painful! Yes, Windows Updates would be the worst kind of updates here. In today's world of having everything connected and having so many ways of being hacked/attacked one would have to keep all software up to date constantly so as to protect oneself.

    Well I am a bit of a security nut myself and take great interest in most things security related. Thanks for the blog link! I can feel an email coming on to the developer. I'm just wondering if there's a better way to manage alerts with Bouncer as, if it keeps going red in the system tray then you tend to ignore it after a while (autopilot). For instance I have blocked flash in my bouncer.ini and for some reason every single time I launch a movie file in my video player the flash files are accessed (I have no idea why) and then the shield goes red.

    The more I tinker with this software the more ideas or questions I have. I don't want to bother the developer too much as he has to get some coding done haha.

    Fascinating that you don't run AV. How do you know a file is not infected with something? I have often thought of not running any AV but then I think: How do I know if a file I download is not infected? I have bookmarked Software Restriction Policy to investigate so thanks for this. Do you still use this or has Bouncer replaced it on your machine?

    You said: Running Bouncer in SHA256 hashing mode was essentially like the difference between running without an antivirus, and running with an antivirus. The performance hit is just like using an antivirus

    This is interesting. So running with SHA256 hashing mode has that much of a hit on performance then? I am a performance nut too when it comes to my machine I love speed! But luckily I have a fast i7 now with 32GB RAM and a fast SSD so I think hashing mode should be ok? Having said that I still prioritise security as much as I can (provided it is practical and usable on a day to day basis)

    I'm assuming that before you enable hashing mode on your machine it should be in a clean state? Otherwise you could whitelist a hash of a bad file? Correct? Or not?

    I still worry about path based mode as I keep thinking that a bad file could sneak its way into the Windows folder (or wherever). I know it would need the rights to get there but still, if the folder's whitelisted, the possibility's there?

    One very minor thing that bugs me is the splash screen that shows itself when the Bouncer system tray loads. Can this be disabled?
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Cutting_Edgetech The Beta page is still not linked at all on the site. I assume that he intends the Beta for use by those of us who have been in contact with him through email and so on, so not entirely public yet I suppose. Just those of us who have the link. But he is OK with us sharing that link with any security acquaintances of ours who we think are knowledgeable enough regarding kernel drivers and such. Bouncer would still be way too difficult for the majority of the general public, although that is not the intended audience anyway.

    @ParaXY I apologize for the delay in getting back to your questions. It's been a difficult month or so for me. I will catch up with your questions in the next day or two. My apologies.
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Oh boy! I didn't win a Bouncer license at malwaretips.com :(
    I want it very badly lol
    I can't start my experiments with that 3KB limit :'( :D
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Mister X One thing that may be good to know is that with the current Beta (and upcoming release), the limit has been raised to 20KB to factor in the rules for parent checking and SHA256 hashes. But you could certainly use the Beta version (http://excubits.com/content/en/products_beta.html) and just uncheck the features for parent checking and SHA256 hashing, that would keep things simple with the tried and tested features.
     
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Ah yes, I was already aware of those 20KB. I completely forgot it, thanks for the reminder. On the other hand I didn't know Florian was going to include the extension to the upcoming final release.
     
  17. kakaka

    kakaka Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    84
    Seems to me there is no limit in "TuerSteher Light" or releases before 2015 Feb.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I was not quite sure on what all I had to do for the giveaway on Malwaretips, and I have been very busy recently. I have not been home much. Well, I'm happy for those that got the free license. I hope they use them.
     
  19. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Hi guys, I won a license for Bouncer @ malwaretips, so I was wondering if Bouncer can be used alongside Secureaplus or Exe Radar or would that be redundant? Is it pretty similar to ERP?
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I have used Bouncer with ERP, but there was a conflict with ERP. I can't remember exactly what happened now. Dan, the developer of VS, tested Bouncer with ERP and had the same experience. I think it may be possible to make an exception for Bouncer in ERP, but I don't remember for sure. I have not tried Bouncer with SecureAPlus, but their drivers intercept executions at about the same time, so back up your machine before testing them together. It's possible you could experience a BSOD using them together. Congrats on winning the license!
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Well, I'm signing off for now. I have to roll my machine back in a while to install the latest beta build of Bouncer on my main machine. I'm going to try using it instead of ERP for a while to see what I think. It will make testing it much easier, and less time consuming for me. I think the beta may be stable enough to use on my workstation considering I backup my data pretty often. I have not had any crashes, or freezes with it so far.
     
  22. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    As long as system files/folders are excluded and other security is whitelisted everything should work right? Thanks
    Can you add rules directly to the ini? or do you have to use the program?
     
    Last edited: Sep 21, 2015
  23. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    @Mister X: As @WildByDesign said: The beta comes with a 20KB limit which is fairly enough for a lot of classic Bouncer rules :)

    @Overkill: Yes you can add rules directly into the ini file, you do not need to use the additional tools (which is great). I personally use notepad to edit the ini file, for me it's faster. BTW: Don't forget to restart the driver after you have changed the ini file. I often just use cmd.exe: net stop bouncer & net start bouncer
     
  24. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Would anyone know how to purchase a license of Bouncer?
    Just now I tried to click "place my order now" on this webpage: http://excubits.com/content/en/products_order.html (I have not decided whether to buy it or not... I just want to see whether its payment website supports my bank card or not)
    But after clicking that button, only a pop-up appears saying "Thank you! We received your order and message."
    There are no following steps after that...
     
  25. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Yes @Online_Sword: follow the order web page, fill in the fields. You will then receive an invoice that you can pay with PayPal or bank transfer (don't know the exact English term: bank transfer with IBAN/BIC). I used PayPal, and got a PayPal invoice/payment request - worked for me.
    As far as I know they currently do not support credit cards.
     