Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Great News!

    Thanks ever so much in staying right on top of every new development with this.
     
  2. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Hi, @WildByDesign . Thank you very much for contacting the developer.:thumb:
    But, it is difficult for me to understand this:
     
  3. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Thank you for that, that was very helpful! I have updated my config as follows:

    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    C:\Program Files (x86)\*
    C:\Program Files\*
    C:\ProgramData\Microsoft\*
    C:\PROGRA~1\*
    C:\PROGRA~2\*
    C:\Windows\addins\*
    C:\Windows\ADFS\*
    C:\Windows\AppCompat\*
    C:\Windows\apppatch\*
    C:\Windows\AppReadiness\*
    C:\Windows\assembly\*
    C:\Windows\BitLockerDiscoveryVolumeContents\*
    C:\Windows\Boot\*
    C:\Windows\Branding\*
    C:\Windows\BrowserChoice\*
    C:\Windows\Camera\*
    C:\Windows\CbsTemp\*
    C:\Windows\CSC\*
    C:\Windows\Cursors\*
    C:\Windows\de-DE\*
    C:\Windows\debug\*
    C:\Windows\DesktopTileResources\*
    C:\Windows\diagnostics\*
    C:\Windows\DigitalLocker\*
    C:\Windows\Downloaded Program Files\*
    C:\Windows\ELAMBKUP\*
    C:\Windows\en-US\*
    C:\Windows\FileManager\*
    C:\Windows\Fonts\*
    C:\Windows\Globalization\*
    C:\Windows\Help\*
    C:\Windows\IME\*
    C:\Windows\ImmersiveControlPanel\*
    C:\Windows\Inf\*
    C:\Windows\InputMethod\*
    C:\Windows\Installer\*
    C:\Windows\L2Schemas\*
    C:\Windows\LiveKernelReports\*
    C:\Windows\Logs\*
    C:\Windows\Media\*
    C:\Windows\MediaViewer\*
    C:\Windows\Microsoft.NET\*
    C:\Windows\Minidump\*
    C:\Windows\ModemLogs\*
    C:\Windows\Offline Web Pages\*
    C:\Windows\Panther\*
    C:\Windows\Performance\*
    C:\Windows\PLA\*
    C:\Windows\PolicyDefinitions\*
    C:\Windows\Prefetch\*
    C:\Windows\Registration\*
    C:\Windows\rescache\*
    C:\Windows\Resources\*
    C:\Windows\SchCache\*
    C:\Windows\schemas\*
    C:\Windows\security\*
    C:\Windows\ServiceProfiles\*
    C:\Windows\servicing\*
    C:\Windows\Setup\*
    C:\Windows\ShellNew\*
    C:\Windows\SKB\*
    C:\Windows\SoftwareDistribution\*
    C:\Windows\Speech\*
    C:\Windows\symbols\*
    C:\Windows\System\*
    C:\Windows\SystemApps\*
    C:\Windows\System32\*
    C:\Windows\SystemResources\*
    C:\Windows\SysWOW64\*
    C:\Windows\TAPI\*
    C:\Windows\Tasks\*
    C:\Windows\ToastData\*
    C:\Windows\tracing\*
    C:\Windows\twain_32\*
    C:\Windows\vpnplugins\*
    C:\Windows\Vss\*
    C:\Windows\Web\*
    C:\Windows\WinStore\*
    C:\Windows\WinSxS\*
    C:\Windows\Temp\????????-????*-????-????-????????????\DismHost.exe
    C:\Windows\Temp\????????-????*-????-????-????????????\*.DLL
    C:\Windows\Temp\MPGEAR.DLL
    C:\Windows\Temp\MPENGINE.DLL
    C:\Windows\explorer.exe
    C:\Windows\HelpPane.exe
    C:\Windows\notepad.exe
    C:\Windows\regedit.exe
    C:\Windows\splwow64.exe
    C:\Windows\twain_32.dll
    C:\Windows\winhlp32.exe
    C:\Windows\write.exe
    C:\Windows\bfsvc.exe
    C:\Windows\SuRunExt.dll
    C:\Windows\SuRunExt.exe
    C:\Windows\SuRun.exe
    C:\Windows\SuRun32.bin
    C:\Windows\SuRunExt32.dll
    C:\Users\User\AppData\Local\Temp\????????-????*-????-????-????????????\DismHost.exe
    C:\Users\User\AppData\Local\Temp\????????-????*-????-????-????????????\*.dll
    C:\Users\User\AppData\Local\Temp\speccycpuid.dll
    C:\Users\User\AppData\Local\Temp\cpuz138\cpuz138_x64.sys
    C:\Users\User\AppData\Local\Temp\????????-????-????-????-????????????
    C:\Users\User\AppData\Roaming\uTorrent\uTorrent.exe
    C:\Users\User\AppData\Roaming\Postbox\Profiles\7xb081fu.default\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbasecomps.dll
    C:\Sandbox\User\Skype\drive\C\Program Files (x86)\Skype\Phone\Skype.exe
    C:\Sandbox\User\Skype\drive\C\Program Files (x86)\Skype\Updater\Updater.dll
    C:\Sandbox\User\Skype\drive\C\Program Files (x86)\Skype\Updater\Updater.exe
    C:\Sandbox\User\Skype\drive\C\Program Files (x86)\Skype\Phone\RtmPal.dll
    C:\Sandbox\User\Skype\drive\C\Windows\SysWOW64\msvcr120.dll
    C:\Sandbox\User\Skype\drive\C\Windows\SysWOW64\msvcp120.dll
    C:\Sandbox\User\Skype\drive\C\Program Files (x86)\Skype\Phone\RtmCodecs.dll
    C:\Sandbox\User\Skype\drive\C\Program Files (x86)\Skype\Phone\RtmMediaManager.dll
    C:\Sandbox\User\Skype\drive\C\Program Files (x86)\Skype\Phone\RtmPltfm.dll
    C:\Sandbox\User\TemporarySandboxInstalls\*
    C:\Support\KeePass.cmd
    C:\Users\User\Desktop\Map X Drive.bat
    C:\Users\User\Desktop\Del X Drive.bat
    C:\Users\User\Desktop\pageant.exe
    D:\Sort\TemporarySandboxInstalls\*
    
    [BLACKLIST]
    C:\Windows\System32\Macromed\*
    C:\Windows\SysWOW64\Macromed\*
    C:\Program Files\WindowsApps\*
    *aspnet_compiler.exe
    *csc.exe
    *ilasm.exe
    *jsc.exe
    *MSBuild.exe
    *vbc.exe
    *script.exe
    *iexplore.exe
    *journal.exe
    *msiexec.exe
    *bitsadmin*
    *iexpress.exe
    *mshta.exe
    *systemreset.exe
    *bcdedit.exe
    *hh.exe
    *powershell*.exe
    *reg.exe
    *setx.exe
    *flash*.dll
    *flash*.ocx
    *searchui*.exe
    *onedrive*.exe
    *onedrivesetup*.exe
    *MicrosoftEdge.exe
    *MicrosoftEdgeCP.exe
    [EOF]
    
    Hopefully this looks a bit tidier! I still need to test blacklisting C:\Program Files\WindowsApps\*. I think this config locks down C:\Windows\Temp and the user profile's temp folder quite nicely?

    My thinking behind this config was to block Flash (this may break Pot Player but can be resolved with parent checking in the next version), IE, Cortana (SearchUI), Onedrive, Edge and the files malware tries to use when infecting a machine (powershell etc). Is it worth doing something with cmd.exe? regedit?

    I've also whitelisted two folders:

    D:\Sort\TemporarySandboxInstalls\*
    C:\Sandbox\User\TemporarySandboxInstalls\*

    Anything that is run from the first folder is forced into a locked down Sandbox folder (TemporarySandboxInstalls). Anything can run in this locked down sandbox folder.

    This brings me to installing new software (or updates/upgrades). Since the temp folders are locked down I would have to follow these steps for new software needing to be installed:

    1) Check downloads hash
    2) Scan with AV online and/or offline
    3) Check digital signature
    4) Disable Bouncer and install program
    5) Re-enable Bouncer after install finishes and test program to ensure no additional rules are needed

    I still need to decide what to do for my Software folder as I have many utilities etc that I use in there. I think hashing this folder would be a good idea?

    My thinking is there are two options for installing new software and updates with Bouncer:

    1) Disable Bouncer for the duration of the install (not ideal)
    2) Have many, many Bouncer whitelisted folders in the config so that something can be installed

    I am leaning towards option 1 as then I don't have to whitelist so many temp folder locations etc which malware could use to infect my system. Obviously while installing new software with Bouncer disabled/stopped you wouldn't be surfing the web etc.

    I (like you) will keep the "toast" alerts but I would really like an option whereby I can say: Don't change the Bouncer icon to red after the same event has been logged 3 times. Flash gets blocked frequently on my machine and it's frustrating opening the log each time to reset the icon to green.

    There's two things here: Checking the syntax to ensure Bouncer will load the config but VERY importantly, there needs to be some kind of notification/alert/warning that Bouncer is NOT protecting you. Even if I see the green/red shield in the system tray I never really know if Bouncer is operational. Does this make sense? When I had that config error I had no idea that Bouncer wasn't working, which is worrying.

    Lots to think about and I haven't even tried hashing yet! ;-)
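As an added example, not part of ParaXY's post and not Bouncer's own code, here is a small Python simulator of how a config of this shape reads. It parses the [WHITELIST]/[BLACKLIST] sections and the [#LETHAL]/[LOGGING] switches, treats `*` as any run of characters (backslashes included, so `*powershell*.exe` matches a full path) and `?` as exactly one character, matches case-insensitively as Windows paths are, and assumes a blacklist hit overrides a whitelist hit, which is the only reading under which whitelisting C:\Windows\System32\* and blacklisting *powershell*.exe both do something. The config text is a constructed, shortened excerpt; the driver's actual matching rules are documented in the Bouncer manual and may differ in detail.

```python
import re

# Constructed excerpt in the layout of the posted Bouncer.ini (not the full config above).
SAMPLE_INI = r"""
[#LETHAL]
[LOGGING]
[WHITELIST]
C:\Program Files (x86)\*
C:\Program Files\*
C:\Windows\System32\*
C:\Windows\SysWOW64\*
C:\Windows\explorer.exe
C:\Windows\Temp\????????-????*-????-????-????????????\DismHost.exe
C:\Users\User\AppData\Local\Temp\????????-????*-????-????-????????????\*.dll
[BLACKLIST]
C:\Windows\System32\Macromed\*
*powershell*.exe
*mshta.exe
*flash*.dll
[EOF]
"""


def glob_to_regex(pattern):
    """Translate a Bouncer-style path pattern into a compiled regex.

    Assumption: '*' matches any run of characters (backslashes included) and
    '?' matches exactly one character; everything else is literal. Windows
    paths are case-insensitive, so the regex is compiled with IGNORECASE.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def parse_config(text):
    """Read the [LETHAL]/[LOGGING] switches and the rule sections.

    A leading '#' inside the brackets disables a switch ([#LETHAL] = log only);
    [EOF] or any other header ends the current rule list.
    """
    cfg = {"lethal": False, "logging": False, "whitelist": [], "blacklist": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            enabled = not name.startswith("#")
            name = name.lstrip("#").upper()
            if name == "LETHAL":
                cfg["lethal"] = enabled
            elif name == "LOGGING":
                cfg["logging"] = enabled
            section = name.lower() if name in ("WHITELIST", "BLACKLIST") else None
            continue
        if section is not None:
            cfg[section].append(line)
    return cfg


def match_rule(cfg, path):
    """Return ('block', rule), ('allow', rule) or ('block', None).

    Order assumed here: blacklist first, then whitelist, then default deny,
    which is the reading under which the posted config makes sense.
    """
    for rule in cfg["blacklist"]:
        if glob_to_regex(rule).fullmatch(path):
            return ("block", rule)
    for rule in cfg["whitelist"]:
        if glob_to_regex(rule).fullmatch(path):
            return ("allow", rule)
    return ("block", None)


def decide(cfg, path):
    """Fold in the [LETHAL] switch: with [#LETHAL] a block is only logged."""
    verdict, _ = match_rule(cfg, path)
    if verdict == "allow":
        return "ALLOWED"
    return "BLOCKED" if cfg["lethal"] else "LOGGED-ONLY"


CFG = parse_config(SAMPLE_INI)

if __name__ == "__main__":
    for p in (
        r"C:\Windows\System32\notepad.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Users\User\AppData\Local\Temp\dropper.exe",
        r"C:\Windows\Temp\1A2B3C4D-1111-2222-3333-444455556666\DismHost.exe",
    ):
        print(f"{decide(CFG, p):12} {p}  <- {match_rule(CFG, p)[1]}")
```

Running it shows why the thread's advice to start with [#LETHAL] and [LOGGING] matters: the temp-folder dropper and the PowerShell binary come back as LOGGED-ONLY rather than BLOCKED until [LETHAL] is switched on, so a too-tight rule set surfaces in the log instead of breaking the machine.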
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome, EASTER. It seems silly how I get excited over updates to a simple kernel-mode driver, but I suppose that is not a bad thing. I have maintained that same level of excitement over it for quite some time now which actually surprises me now that I think of it. :)

    You're welcome. As I understand it, I believe that he means that Windows contains many, many duplicates of certain executables, drivers, etc. and scatters those same duplicates across many directories/locations within the file system. For example, when I hashed my entire system recently, I came up with a list of 37,500+ hashes, yet after sorting and removing duplicates with the script, that number was reduced down to 20,020 unique hashes. So that means that in that example, there were 17,000+ which were duplicates. So I believe that what Florian was referring to is that when combining directories + hashes to match for rules, it would be a much larger rule set in that case, or at least potentially. But he is curious about that feature and intends to look into implementing your suggestion, but that it would be more of a long-term feature to add for Bouncer.

    Yes, that looks nice and tidy, yet thorough and well controlled. I like that config very much. I think that it gives you great control over those Temp locations, for sure. And as you play around with Bouncer rules in the future, and considering you have no limit to config size, you could even gain that same type of granular control over directories such as ProgramData or even further into System32/SysWOW64 although that would be quite a challenge.

    Be careful with cmd.exe because the BouncerTray app relies on cmd.exe and I believe also conhost.exe, so blocking those outright could cause problems. But there is a possibility there with using parent checking or the upcoming command line feature to gain more control there, allow certain use of those but decline certain use as well. But yes, you can block regedit.exe and other reg* related programs to prevent tampering, and as a matter of fact, I block those in my config. But you would need to disable Bouncer when you install programs and then re-enable Bouncer right after installing, that is my preferred method with anti-exec programs anyway.

    Indeed, in this particular case, hashing would be a great idea. You could use those simple scripts, or you could use a simple GUI type of program like HashMyFiles or others. I think that makes the most amount of sense, given your purpose for this particular directory and your overall config.

    Yes, I would think so as well. And I think that it makes good sense anyway with most anti-exec programs in general. Sure, some of them have Install type of features/modes which are nice, but those have to be programmed and updated on the backend by the developers as well and don't always work, depending on the types of installers. So even when testing those other type of anti-exec programs, I would still disable them when installing software and not rely on those special modes, but that is just my preference and my mindset going back over the years.

    Yes, that makes good sense and I agree with you 100%. The changing of the tray icon makes sense, but I think you are right that there needs to be something else in this particular scenario for sure. Possibly some sort of "toast" message here indicating that there was a problem with loading config? And of course, mentioning the fact that there would be no protection in that case? I agree with you for sure and will mention that to the developer if I get more time over the weekend, but unfortunately I've got to go away for a few days or more starting this Monday so my time is more limited at the moment. I will make a note of it for now though so that I don't forget.
     
  5. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Thanks @WildByDesign . I'll be going away tomorrow as well for a week so my postings will continue when I return.

    I will try to reply to your last post before I leave tomorrow!

    Quick edit: Finally enabled LETHAL mode. I have Flash blocked but Pot Player and Skype are still working. Got much more testing to do though!
     
    Last edited: Oct 2, 2015
  6. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Hi, @WildByDesign .:) Thank you for your reply.
    I guess your (or the developer's) opinion is that, if we only use hash code, then we can remove the redundant hash codes caused by duplicated files. But if we combine file path with hash, we cannot do this...right?
    Please correct me if I misunderstand it.
    Thanks and best regards.
     
  7. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Thanks! There's so much going on in System32/SysWOW64, I wouldn't even know where to start!

    That's good to know, thank you. I have blocked regedit.exe but not cmd.exe. I feel good blocking SearchUI.exe (Cortana) which I believe is a security risk and isn't good for you and your data's privacy. I had SearchUI.exe blocked in the outgoing connections in the firewall but who knows if it can bypass it since it's an MS service. Also, I keep deleting the Cortana folder as it keeps returning after Windows Updates!

    I often use Sysinternals tools which I run directly from my Software folder on my data drive. With Bouncer running I can't run these tools and hashing would be great here. I temporarily whitelisted the one tool (Process Explorer) and guess what, it copied itself into the temp folder in my user profile and was blocked from running! So I can't wait for hashing. Parent checking is going to have some interesting uses too. I can see my Bouncer config growing over time...

    In the beginning I was against disabling Bouncer for installs/updates but now I think it's the way to go rather than having a million whitelisted temporary (loophole) paths in your config.

    Maybe there needs to be a "Check syntax" button in the Admin Tool that you can click after making changes to the config to ensure everything is ok before restarting Bouncer? But THE most important notification that Bouncer should have is to say that Bouncer is currently not working and that you are not protected. With the current red/green system icon you just have no idea if Bouncer is working or not (unless you deliberately try to execute something in a blacklisted area but that's not practical on a day to day basis).
     
  8. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    This is correct. If you have path and hash there is redundancy. Windows has several backups of drivers and applications in C:\Windows\[...] so you waste.

    But it can be more secure to have filename & path with specific hash value. I think for normal use it is still enough security - or do you need military grade safeguarding :) ?
     
  9. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Hi, @4Shizzle .:)
    I guess here you mean that we can just apply the filename/path check for most of the files, while only apply the hash check to some specific files to avoid waste, right?
    I agree with this.;)
    But the problem is, it is difficult for novice users like me to figure out which file should be whitelisted by path-based rules and which file should be whitelisted by hash-based rules.:confused:
     
  10. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    I would protect NTFS-protected paths with path-based rules. It's unlikely that an attacker can then write their own executable into the path if you don't use the PC with admin permissions all the time.

    For paths without "integrity"/access protection by the Windows file system I add hash values. Example: on external drives I have some Portable Apps I often (and only) need just with a specific external drive. I whitelisted the Portable Apps by hash value because I cannot ensure that someone (something) malignant doesn't change the executables. But I think there is no general rule for it. Look at your environment and ask yourself who/what can change your executables (exe, dll, sys, ocx, ....) on a specific path. If it is anybody: USE HASH!!! If it is just admin: use path, I would recommend.
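As an added example, not from the thread and not Bouncer's own code, here is a Python script that hashes a directory tree with SHA-256 (the algorithm the stable release uses) and makes concrete the point in WildByDesign's reply above and in the path-versus-hash exchange with 4Shizzle: when a rule carries only a hash, the copies Windows keeps of the same file collapse to one rule, whereas path+hash rules need one line per copy. It also covers step 1 of ParaXY's install checklist (verifying a download against a published digest) with a constant-time compare. The sample tree, the file contents, the `|` separator between path and digest and the helper names are constructed for the demo and are not Bouncer's rule syntax.

```python
import hashlib
import hmac
import os
import shutil
import tempfile

# Extensions the thread treats as executable content: exe, dll, sys, ocx.
EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".ocx")


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def hash_tree(root, exts=EXECUTABLE_EXTS):
    """Walk root and return sorted (path, sha256) rows for executable files."""
    rows = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                rows.append((full, sha256_file(full)))
    return sorted(rows)


def hash_only_rules(rows):
    """Hash-only rules: duplicate files collapse to one line per digest."""
    return sorted({digest for _, digest in rows})


def path_and_hash_rules(rows):
    """Path+hash rules: every copy needs its own line, so nothing collapses."""
    return [f"{path}|{digest}" for path, digest in rows]


def verify_download(path, expected_hex):
    """Step 1 of the install checklist: compare against a published digest.
    hmac.compare_digest avoids leaking where the strings differ."""
    return hmac.compare_digest(sha256_file(path).lower(), expected_hex.strip().lower())


def build_sample_tree():
    """Constructed sample: the same 'driver' stored in three places (as Windows
    does with drivers/, DriverStore and WinSxS), one unique exe and one text
    file that must be skipped."""
    root = tempfile.mkdtemp(prefix="bouncer-demo-")
    driver = b"MZ fake driver bytes (constructed)"
    for rel in ("System32/drivers/null.sys", "System32/DriverStore/null.sys", "WinSxS/x64_null/null.sys"):
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(driver)
    with open(os.path.join(root, "System32", "notepad.exe"), "wb") as f:
        f.write(b"MZ fake notepad bytes (constructed)")
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"not executable")
    return root


def demo():
    """Hash the sample tree and report how the two rule styles differ in size."""
    root = build_sample_tree()
    try:
        rows = hash_tree(root)
        notepad = os.path.join(root, "System32", "notepad.exe")
        good_digest = sha256_bytes(b"MZ fake notepad bytes (constructed)")
        return {
            "files_hashed": len(rows),
            "hash_only_rules": len(hash_only_rules(rows)),
            "path_and_hash_rules": len(path_and_hash_rules(rows)),
            "null_sys_digest": sha256_bytes(b"MZ fake driver bytes (constructed)"),
            "digests": hash_only_rules(rows),
            "download_ok": verify_download(notepad, good_digest),
            "download_tampered": verify_download(notepad, sha256_bytes(b"MZ fake driver bytes (constructed)")),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On the sample tree four executables produce only two distinct digests, the same effect as the 37,500-to-20,020 reduction described above; the path+hash list stays at four lines. In practice the hash-only list is what you would regenerate after each Windows Update, while the path-based whitelist for admin-only locations does not change.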
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    It has been a while since I have looked into how deep the Bouncer driver is when it comes to loading after kernel init. For anyone that is curious, you can use an awesome kernel-mode driver program from NoVirusThanks called Kernel Mode Drivers Manager (http://www.novirusthanks.org/products/kernel-mode-drivers-manager/) which is free and comes as a regular installer and also a portable version which I prefer.

    On my Windows 10 64-bit Enterprise LTSB N system, the Bouncer driver Load Order comes in at number 60, far before display drivers, many network drivers, etc. So on mine, it's number 60 out of a total of 170 kernel-mode drivers reported by this NVT-KMDM program. So for anybody that is curious, you can check this out. I have attached a screenshot below as a thumbnail.

    [Attached thumbnail: NVTKMDM.png]

    Over time, the remainder of Bouncer's additional kernel-mode drivers will be added to the main Bouncer.sys driver as they are tested further and will come bit by bit. First up will be the CommandLineScanner functionality. Likely the MemProtect functionality after that. MZWriteScanner is uncertain at this point though, but time will tell.
     
  12. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Nice! You have just convinced me to reinstall that NVT app...
     
  13. Looks like you are on Windows 8.1 or 10. In Windows 10 it seems that Microsoft has closed all the user-writeable folders (holes, as some said) by removing the execute right, so in short either UAC pops up (when moving/copying into that folder) or an "admin blocked" or "not enough rights" ACL message pops up.

    So you could simply allow Windows with all subfolders and blacklist a few subfolders of your liking.
     
  14. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Yes, I am running Windows 10. That's an interesting comment but I think I will stick with whitelisting the various Windows subfolders for now as it gives you granular control. For instance, I like whitelisting:
    Code:
    C:\Windows\Temp\????????-????*-????-????-????????????\DismHost.exe
    C:\Windows\Temp\????????-????*-????-????-????????????\*.DLL
    
    rather than allowing anything and everything in c:\Windows\Temp. I am open to your thoughts on this of course!

    Does anyone know when the next version of Bouncer will be released? I thought after returning from holiday for a week that it would be available but it still looks like it is in beta?
     
  15. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Thanks @WildByDesign for letting us know about the tool :) I didn't know of it.

    I think that Bouncer will load earlier. I have tested it with an empty whitelist and [#LETHAL] and [LOGGING]. Bouncer then logs system-essential drivers like null.sys, amongst others. So I think it is really an early bird on start-up (much, much earlier than the majority of drivers). The developer told me that Bouncer also works very well on Windows Servers (incl. Core Editions).

    @ParaXY: Don't know when the new version is online. It's very close to release I think. The developer said he finished the manual this weekend and is reviewing it.
     
  16. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    I'm just excited about the new version, that's why I keep asking! :cool:
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I'm glad that I am not the only one who shares this same level of excitement. I feel better now knowing that. :D
     
  18. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Good idea.:thumb:
    Thank you for your comments.
     
  19. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Hi, @WildByDesign . Do you mean that a driver that is loaded earlier works in a deeper level? (Sorry I know little about drivers.)
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  21. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Thank you very much @WildByDesign .:thumb:
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Online_Sword You're welcome, my pleasure. :)


    For any Bouncer user who is also using Google Chrome, with the recent Flash Player update from today I have had to add a new whitelist rule for Bouncer and figured I would share this rule in case anyone needs it. This is for current Flash Player 19.0.0.226, with Chrome version 46.0.2490.71.
    Code:
    [WHITELIST]
    C:\Users\*\AppData\Local\Google\Chrome\User Data\PepperFlash\??.?.?.???\pepflashplayer.dll

    Typically Flash Player in Chrome is accessed from: C:\Program Files (x86)\Google\Chrome\Application\*\PepperFlash\pepflashplayer.dll

    What I don't know is why Chrome is now deciding to execute Flash from User directory. I don't know if this is something that is temporary or not yet.
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    New Stable Bouncer Released Today! :thumb:

    Latest Bouncer with SHA-256 hashing and Parent Check features has been moved from Beta Camp to Stable as of today. The builds are fresh as of 2015-10-17, full installers and all digitally signed for Demo and Paid versions.

    The Bouncer manual has been updated to include the new SHA-256 hashing and Parent Check features. The updated manual is available online and also included in the installer packages.

    Manual: http://excubits.com/content/files/bouncer_manual.pdf
    Download: http://excubits.com/content/en/products_bouncer.html
    • SHA-256 is enabled by default with [SHA256] - you can disable hashing with [#SHA256]
    • Parent Checking is disabled by default with [#PARENTCHECK] - you can enable with [PARENTCHECK]
    • Bouncer.ini config size limit increased to 20KB in demo - up from 3KB
    It is always recommended to test Bouncer with blocking [#LETHAL] disabled and logging [LOGGING] enabled for the first few hours or days to ensure that your config is proper and good for your system.

    Paid Bouncer users have their own unique URL for which to download the updated stable build. The unique URL provided after purchase remains the same and the same goes for your uniquely generated password.

    Enjoy and have fun! :)
     
    Last edited: Oct 20, 2015
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Thank you very much!!!
     
  25. kakaka

    kakaka Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    84
    On XP SP3 En it says "System error 127 has occurred." when trying to start the driver.
     