Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Do you receive the invoice by email? I have checked my Gmail inbox several times but I found no invoice...
     
  2. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Be patient. As far as I know they do not have a sophisticated automatic shop system. Orders are decrypted, then managed/handled by hand. In times of Amazon and eBay we automatically expect fast handling times :) so... just give them time to handle it.

    All of my requests have been handled so far. The developer answers e-mails; he takes time for customer care as far as I know and in my experience. I personally have no reason to complain. Maybe other users can provide more information here.
     
  3. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Thanks for your reply. I got the invoice from Excubits just now. :)
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Bouncer beta is ignoring its .ini settings file, and is blocking all directories in logging mode on my main machine. Also, which file do I need to click on for the first run of the Admin Tool and Tray Icon? They are not loading at boot either.

    Edited: I have the .ini file at C:\Windows as I have always before.

    Update: I rolled my machine back again, and now Bouncer only appears to be blocking C:\Program Files (x86). I'm not using the Admin Tool since I have never been able to get it to work with the latest beta. Below is my policy. I sent Florian an email to ask him if he knew what is wrong. No, my policy does not have Smileys in it, Lol. The forum software converted it to Smileys.
    [#LETHAL]
    [LOGGING]
    [SHA256]
    [PARENTCHECK]
    [WHITELIST]
    C:\Windows\*
    C:\Program Files\*
    C:\Program Files (x86)\*
    C:\AMD\*
    C:\ProgramData\Microsoft\*
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\Dism*
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\OSProvider.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\LogProvider.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\CbsProvider.dll
    7F4E7AC770928E9D313B7E91DB4B904A98F3D8BBAC3E0B88FBCA9EF15DD6ED71
    [BLACKLIST]
    *reg.exe
    *vssadmin.exe
    *aspnet_compiler.exe
    *csc.exe
    *ilasm.exe
    *jsc.exe
    *MSBuild.exe
    *vbc.exe
    *script.exe
    *iexplore.exe
    *journal.exe
    *msiexec.exe
    *bitsadmin*
    *iexpress.exe
    *mshta.exe
    *systemreset.exe
    *bcdedit.exe
    *mstsc.exe
    *powershell.exe
    *powershell_ise.exe
    *hh.exe
    *set.exe
    *setx.exe
    [PARENTWHITELIST]
    C:\Windows\*>*
    C:\Program Files\*>*
    [PARENTBLACKLIST]
    C:\ProgramData\*>*cmd.exe
    C:\Program Files\Google\*>C:\Users\*
    C:\Program Files\Google\*>C:\Windows\Temp\*
    C:\Program Files\Google\*>*cmd.exe
    C:\Program Files\Google\*>*conhost.exe
    C:\Program Files\Google\*>*regedit.exe
    C:\Program Files\Google\*>*reg.exe
    C:\Program Files\Google\*>*rundll32.exe
    C:\Program Files\Google\*>*script.exe
    C:\Program Files\Google\*>*powershell.exe
    C:\Program Files\7-Zip\*>*cmd.exe
    [EOF]

    Edit: Problem Solved. I had the following two paths below on the WHITELIST, but not on the PARENTWHITELIST. They had to be on both lists in order to allow them. I'm not sure if this is expected behavior, but all is working well now.
    C:\Program Files (x86)\*>*
    C:\AMD\*>*
     
    Last edited: Sep 22, 2015
  5. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Code:
    @ParaXY I apologize for the delay in getting back to your questions. It's been a difficult month or so for me. I will catch up with your questions in the next day or two. My apologies.
    
    No problem at all...I was wondering if things were ok with you! Take your time please. I appreciate your comments.

    I've been running the Bouncer Demo (NOT the beta) for a few weeks now and my config looks as follows:
    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    C:\Windows\*
    C:\Program Files (x86)\*
    C:\Program Files\*
    C:\ProgramData\Microsoft\*
    C:\Sandbox\User\Skype\drive\C\Program Files (x86)\Skype\*
    C:\Sandbox\User\Skype\drive\C\Windows\SysWOW64\msvcp120.dll
    C:\Sandbox\User\Skype\drive\C\Windows\SysWOW64\msvcr120.dll
    C:\Users\User\AppData\Roaming\Postbox\Profiles\7xb081fu.default\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbasecomps.dll
    C:\ProgramData\Avira\Antivirus\UPDATE\*
    C:\Users\User\AppData\Roaming\Foxit Software\Addon\Foxit Reader\FoxitReaderUpdater.exe
    C:\PROGRA~1\*
    C:\Users\User\AppData\Roaming\uTorrent\uTorrent.exe
    C:\Users\User\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll
    C:\PROGRA~2\*
    [BLACKLIST]
    C:\Windows\SysWOW64\Macromed\Flash\*
    C:\Windows\System32\Macromed\Flash\*
    [EOF]
    
    How does this look? Secure? Good? Bad? I haven't decided how I will manage installing/updating software. Disable Bouncer for the duration of the install/update I guess.

    I was thinking this evening, let's say I have whitelisted: C:\Program Files\Skype\skype.exe. Can't some clever hacker just name their malware file skype.exe and overwrite the genuine file to infect my machine? I know it's a long shot but it's still possible?

    How do I determine if I am under the 2KB limit for the demo version? When I check the file size of bouncer.ini I have two sizes in the file properties:

    Size: 1.93 KB (1,982 bytes)
    Size on disk: 4.00 KB (4,096 bytes)

    I'm assuming it's the "Size" one and not "Size on disk"?

    I'm eagerly awaiting the new version of Bouncer (with the hashing) but I still can't figure out how anyone can/will manage their machine with hashing...
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I also just sent Florian the following email about the Admin Tool, and Tray Icon. I'm only having problems with them with the latest beta.

    The Admin Tool and Tray Icon have not worked with the latest beta of Bouncer since I have been using it. I have only been using the driver. I have been using an Elevated Command Prompt to stop and start the driver. I placed all the Admin Tool and Tray Icon files in the following directory: C:\Program Files (x86)\Excubits\Bouncer\ The Admin Tool starts, and shows a blank whitelist, blacklist, etc. When I look in the .ini file the whitelist, blacklist, and everything else that you listed is there. The tray icon will not run at System start either. I'm using Windows 7 x64 Ultimate with all the latest patches.

    regards,

    cutting_edgetech
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I solved the problem I was having in post 454. The following two paths below had to be added to the PARENTWHITELIST. I added them to the WHITELIST, but not the PARENTWHITELIST. I'm not sure if this is expected behavior. It appears they have to be on both lists.
    C:\Program Files (x86)\*>*
    C:\AMD\*>*
     
  8. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Would anyone mind sharing your ini rules?
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I would, but I'm using a beta. It's not the same, and I could not get it to work right. I just rolled my machine back for the fourth time today. Florian only handles bug reports on weekends.
     
  10. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    @Overkill: Sure, this is my config, built from the demo ini file the developer gave (and adjusted over time, also with feedback/help from the developer).

    Code:
    [LETHAL]
    [LOGGING]
    [WHITELIST]
    C:\Program Files (x86)\*
    C:\Program Files\*
    C:\ProgramData\Microsoft\*
    C:\Windows\addins\*
    C:\Windows\ADFS\*
    C:\Windows\AppCompat\*
    C:\Windows\apppatch\*
    C:\Windows\AppReadiness\*
    C:\Windows\assembly\*
    C:\Windows\BitLockerDiscoveryVolumeContents\*
    C:\Windows\Boot\*
    C:\Windows\Branding\*
    C:\Windows\BrowserChoice\*
    C:\Windows\Camera\*
    C:\Windows\CbsTemp\*
    C:\Windows\CSC\*
    C:\Windows\Cursors\*
    C:\Windows\de-DE\*
    C:\Windows\debug\*
    C:\Windows\DesktopTileResources\*
    C:\Windows\diagnostics\*
    C:\Windows\DigitalLocker\*
    C:\Windows\Downloaded Program Files\*
    C:\Windows\ELAMBKUP\*
    C:\Windows\en-US\*
    C:\Windows\FileManager\*
    C:\Windows\Fonts\*
    C:\Windows\Globalization\*
    C:\Windows\Help\*
    C:\Windows\IME\*
    C:\Windows\ImmersiveControlPanel\*
    C:\Windows\Inf\*
    C:\Windows\InputMethod\*
    C:\Windows\Installer\*
    C:\Windows\L2Schemas\*
    C:\Windows\LiveKernelReports\*
    C:\Windows\Logs\*
    C:\Windows\Media\*
    C:\Windows\MediaViewer\*
    C:\Windows\Microsoft.NET\*
    C:\Windows\Minidump\*
    C:\Windows\ModemLogs\*
    C:\Windows\Offline Web Pages\*
    C:\Windows\Panther\*
    C:\Windows\Performance\*
    C:\Windows\PLA\*
    C:\Windows\PolicyDefinitions\*
    C:\Windows\Prefetch\*
    C:\Windows\Registration\*
    C:\Windows\rescache\*
    C:\Windows\Resources\*
    C:\Windows\SchCache\*
    C:\Windows\schemas\*
    C:\Windows\security\*
    C:\Windows\ServiceProfiles\*
    C:\Windows\servicing\*
    C:\Windows\Setup\*
    C:\Windows\ShellNew\*
    C:\Windows\SKB\*
    C:\Windows\SoftwareDistribution\*
    C:\Windows\Speech\*
    C:\Windows\symbols\*
    C:\Windows\System\*
    C:\Windows\System32\*
    C:\Windows\SystemResources\*
    C:\Windows\SysWOW64\*
    C:\Windows\TAPI\*
    C:\Windows\Tasks\*
    C:\Windows\ToastData\*
    C:\Windows\tracing\*
    C:\Windows\twain_32\*
    C:\Windows\vpnplugins\*
    C:\Windows\Vss\*
    C:\Windows\Web\*
    C:\Windows\WinStore\*
    C:\Windows\WinSxS\*
    C:\Windows\Temp\????????-????-????-????-????????????\MPENGINE.DLL
    C:\Windows\Temp\????????-????-????-????-????????????\MPGEAR.DLL
    C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe
    C:\Windows\Temp\????????-????-????-????-????????????\DismCorePS.dll
    C:\Windows\Temp\????????-????-????-????-????????????\DismProv.dll
    C:\Windows\Temp\????????-????-????-????-????????????\OSProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\LogProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\CbsProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\AppxProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\AssocProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\CompatProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\DismCore.dll
    C:\Windows\Temp\????????-????-????-????-????????????\DmiProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\FolderProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\GenericProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\IBSProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\ImagingProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\IntlProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\MsiProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\SmiProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\TransmogProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\UnattendProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\VhdProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\WimProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\Wow64Provider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\AppxProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\AssocProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\CbsProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\CompatProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\DismCore.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\DismCorePS.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\DismHost.exe
    C:\Windows\Temp\????????-?????-????-????-????????????\DismProv.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\DmiProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\FolderProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\GenericProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\IBSProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\ImagingProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\IntlProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\LogProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\MsiProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\OSProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\SmiProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\TransmogProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\UnattendProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\VhdProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\WimProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\Wow64Provider.dll
    C:\Windows\Temp\MPGEAR.DLL
    C:\Windows\Temp\MPENGINE.DLL
    C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\mpam-*.exe
    C:\Windows\explorer.exe
    C:\Windows\HelpPane.exe
    C:\Windows\notepad.exe
    C:\Windows\regedit.exe
    C:\Windows\splwow64.exe
    C:\Windows\twain_32.dll
    C:\Windows\winhlp32.exe
    C:\Windows\write.exe
    C:\Windows\bfsvc.exe
    C:\Users\*\AppData\Local\Google\Chrome\User Data\SwiftShader\?.?.?.?????\libGLESv2.dll
    C:\Users\*\AppData\Local\Google\Chrome\User Data\SwiftShader\?.?.?.?????\libEGL.dll
    C:\Users\*\AppData\Local\Google\Chrome\User Data\SwReporter\?.??.?\software_reporter_tool.exe
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismCorePS.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismProv.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\OSProvider.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\LogProvider.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\CbsProvider.dll
    [BLACKLIST]
    *aspnet_compiler.exe
    *csc.exe
    *ilasm.exe
    *jsc.exe
    *MSBuild.exe
    *vbc.exe
    *script.exe
    *iexplore.exe
    *journal.exe
    *msiexec.exe
    *bitsadmin*
    *iexpress.exe
    *mshta.exe
    *systemreset.exe
    *vssadmin.exe
    *bcdedit.exe
    *mstsc.exe
    *hh.exe
    *powershell*.exe
    *reg.exe
    *setx.exe
    *flash*.dll
    *flash*.ocx
    [EOF]
    
    I'm using Windows 8.1 (64-bit). MS Defender is my AV; I also use EMET at times. I can also list my config for the demo version with parent rules, let me know if you are interested. In the upcoming version you have to configure more, and it's a bit difficult and tricky at the beginning (just for information).

    Regards.
     
    Last edited: Sep 23, 2015
  11. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
    Thank you for sharing, quite interesting.
    Now, what do the question marks mean? Why do they have different arrays of characters?
    I mean some lines are:
    Code:
    C:\Users\*\AppData\Local\Google\Chrome\User Data\SwiftShader\?.?.?.?????\libEGL.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe
    C:\Users\*\AppData\Local\Google\Chrome\User Data\SwReporter\?.??.?\software_reporter_tool.exe
    Hence, how can I acquire the knowledge to create my own? Where can I get appropriate info?

    TIA
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Mister X The question marks are a special type of wildcard. You can use either an asterisk (*) or a question mark (?). The difference is very important and can help to create more secure rule sets. The question mark wildcard covers just one single character. The example code that you quoted covers some question marks for DISM and some components for Google Chrome. The Chrome wildcard question marks represent the version number, which changes periodically as Google updates those components. For DISM (as well as some other built-in Windows components), those question mark wildcards cover the variables that are automatically generated, which could be any characters but always maintain the same number of characters between each set of dashes. So using question mark wildcards in these cases can make for much more secure rule sets.

    I will follow the same examples to show other possibilities:

    Code:
    C:\Users\*\AppData\Local\Google\Chrome\User Data\SwiftShader\?.?.?.?????\libEGL.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe
    C:\Users\*\AppData\Local\Google\Chrome\User Data\SwReporter\?.??.?\software_reporter_tool.exe
    Code:
    C:\Users\*\AppData\Local\Google\Chrome\User Data\SwiftShader\*\libEGL.dll
    C:\Users\*\AppData\Local\Temp\*-*-*-*-*\DismHost.exe
    C:\Users\*\AppData\Local\Google\Chrome\User Data\SwReporter\*\software_reporter_tool.exe
    Code:
    C:\Users\*\SwiftShader\*\libEGL.dll
    C:\Users\*\Temp\*-*-*-*-*\DismHost.exe
    C:\Users\*\SwReporter\*\software_reporter_tool.exe
    Code:
    *libEGL.dll
    C:\*DismHost.exe
    *\*\software_reporter_tool.exe
    As you can see in the above examples, the end result would be the same control. With each example, I made the rules less defined and less secure, yet they would work exactly the same. The asterisks cover any number of characters, directories, drive letters, etc. The asterisks can be quite handy at times, but the question marks will be more secure because the rules are much more strict and defined.

    You can also use the question mark for the drive letter:

    Code:
    ?:\Users\*\SwiftShader\*\libEGL.dll
    ?:\Users\*\Temp\*-*-*-*-*\DismHost.exe
    ?:\Users\*\SwReporter\*\software_reporter_tool.exe
    That just goes to show the amount of creativity that comes with wildcards and any combination of question marks and asterisks. You can really create some amazing rule sets if you let your imagination get to work. Sometimes using the question mark for the drive letter could be beneficial; that is just one possibility, as I wanted to give you some ideas on the many possibilities.
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
    Wow! Splendid explanation @WildByDesign
    I don't need any other source of info. You've covered it all, thanks a lot for your kind help.
    PS~ Bookmarking your post right away! :D
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Cutting_Edgetech I am glad that you got the issue sorted out that you were having regarding parent process. I noticed the missing C:\Program Files (x86)\*>* part as well during my testing which was also causing problems. That was definitely a mistake on Florian's part. That needs to be there for basic testing of the Beta package, indeed. The AMD folder, as you mentioned, likely also needs to be there for parent checking but would be system architecture dependent. If you reported this to Florian, please let me know. If not, I can report it to him when I get in touch with him later. Thanks.
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Mister X You are welcome, my pleasure. For the record, @4Shizzle's example config in the post that you replied to is a fantastic config. Keep an eye on that config because it is quite thorough and well done. I'm going to go over my own config and reference 4Shizzle's config as well because it is much better than mine at the moment.
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Theoretically, yes. That is one of the limitations with a strictly path-based whitelisting setup. For this, in particular, I highly recommend setting UAC to the highest level (the default UAC level has generally been susceptible to exploits in the past), which gives tighter control over the Program Files / Program Files (x86) / Windows directories. That way, you are at least prompted if something were trying to write/modify an executable within those protected directories. So that will strengthen a strictly path-based whitelisting setup. In addition (and regardless of path-based or hash-based), I highly recommend combining any application whitelisting setup with a dedicated anti-exploit tool such as EMET or MBAE. My preference is EMET, but any dedicated anti-exploit would be better than not using one at all.

    This is actually a very good question, particularly with the 3KB limit of the current stable version. Not as much of a concern with the upcoming release (current beta) of 20KB, but still something that I would like to know as well and makes good sense with the current 3KB limit. So I just sent a quick email to the developer to ask how the kernel driver grabs that file size to determine limit so that we all know. I will update this thread when I find out.

    At the moment, disabling Bouncer temporarily will have to do. Although personally I would like to dig into that more and try some Windows updates in the future with LETHAL off and logging on, so that I can figure out some rules that may work to keep the driver running through updates. I will definitely be happy to share my findings when I get around to that.

    That config is quite good and nice and easy to manage as well since it's compact. My only suggestion would be to have a look at 4Shizzle's post (https://www.wilderssecurity.com/thre...-tuersteher-light.359127/page-19#post-2527813) which is really quite good. The added benefit from that config is that it adds specific control over the C:\Windows\Temp folder. This isn't entirely necessary, but it is more secure as it gives you more granular control over that particular folder. In Windows 8.x/10 that folder has decent permissions to begin with, but still having more granular control is nice. I was able to create a config similar to 4Shizzle's with control over C:\Windows\Temp as well, along with a similar blacklist of known exploited Windows executables, and was able to keep my config right on the 3KB limit, which worked out great. But I think it will be important to see what the developer says regarding your file size limit to see how the kernel driver determines the size; then we can look into making these changes if you are interested in more control over that folder. I will let you know the moment I find out about the file size question.
     
  17. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
    Ditto. Great to have you here @WildByDesign
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @ParaXY and All: Regarding method used to determine file size for limitation:

    From developer:
     
  20. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Thank you!

    So how do *I* determine the size Bouncer is seeing for my config file? This is important for the demo version as, I think, if you go over the 2KB limit Bouncer stops working.

    More comments to follow after reading the recent posts!
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @ParaXY This is just a guess at the moment, have a look at the attached image example. And speaking of which, I highly recommend Notepad++ anyway because it is fabulous at working with Bouncer config files and so on. Open your bouncer.ini config in Notepad++, select the entire block of config text, go to View - Summary...

    Near the bottom of that Summary box, you will see total characters but also total bytes read or bytes based on characters read.
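    An added example (not from the thread, the developer, or Notepad++) of why ParaXY's "Size" versus "Size on disk" question matters: the byte count of the same config text changes with the line endings and the encoding the editor saves it in, and a UTF-16 save roughly doubles it, so a config that is comfortably under the limit as a character count can still exceed it in bytes. The sample config is constructed, and reading "2KB" as 2048 bytes is an assumption; how the driver actually measures the file is the open question above.

```python
from typing import Dict, List

# Constructed sample config (not anyone's real bouncer.ini); plain ASCII, LF line endings.
SAMPLE_CONFIG = "[LETHAL]\n[WHITELIST]\nC:\\Windows\\*\n[EOF]\n"

# The "2KB" demo limit discussed in this thread, taken as 2048 bytes (assumption).
DEMO_LIMIT_BYTES = 2048


def config_sizes(text: str) -> Dict[str, int]:
    """Byte counts the same config text occupies under the ways a Windows editor
    commonly saves it.  'chars' is what an editor's character count shows; the
    other entries are the on-disk byte counts for that encoding/line-ending combo."""
    unix = text.replace("\r\n", "\n")          # normalise first so CRLF is not doubled
    crlf = unix.replace("\n", "\r\n")          # Windows line endings: +1 byte per line
    return {
        "chars": len(unix),
        "utf-8 (LF)": len(unix.encode("utf-8")),
        "utf-8 (CRLF)": len(crlf.encode("utf-8")),
        "utf-8 + BOM (CRLF)": len(crlf.encode("utf-8-sig")),   # 3-byte BOM
        "utf-16 + BOM (CRLF)": len(crlf.encode("utf-16")),     # 2-byte BOM, 2 bytes/char
    }


def over_limit(text: str, limit: int = DEMO_LIMIT_BYTES) -> List[str]:
    """Names of the save formats under which this config would exceed the limit."""
    return [name for name, size in config_sizes(text).items()
            if name != "chars" and size > limit]


if __name__ == "__main__":
    for name, size in config_sizes(SAMPLE_CONFIG).items():
        print(f"{name:22} {size:6} bytes")
    # A constructed config of ~1.9 KB of rules: fine as UTF-8, too big once saved as UTF-16.
    near_limit = "x" * 1900 + "\n"
    print("formats over the demo limit:", over_limit(near_limit))
```

    If the driver counts raw file bytes, the number to compare against the limit is the one for the encoding and line endings your editor actually wrote, not the character count Notepad++ shows first.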
     


  22. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    That's very helpful, thank you. I have just started using Notepad++ so am getting used to it.

    I tried 4Shizzle's config as it looks VERY impressive (and I hope there is more where that came from!) but unfortunately it goes over the size limit in the demo version and doesn't work for me. It has given me lots to think about though! This is why I am keen on purchasing the new version when it is announced.

    I am very interested in the BLACKLIST section:
    Code:
    [BLACKLIST]
    *aspnet_compiler.exe
    *csc.exe
    *ilasm.exe
    *jsc.exe
    *MSBuild.exe
    *vbc.exe
    *script.exe
    *iexplore.exe
    *journal.exe
    *msiexec.exe
    *bitsadmin*
    *iexpress.exe
    *mshta.exe
    *systemreset.exe
    *vssadmin.exe
    *bcdedit.exe
    *mstsc.exe
    *hh.exe
    *powershell*.exe
    *reg.exe
    *setx.exe
    *flash*.dll
    *flash*.ocx
    [EOF]
    
    Why block all of these? More specifically things like: *mstsc.exe? I use this daily (Remote Desktop) for connecting to my machines on the LAN, will this be blocked and if so why?

    I understand some of them but not all!

    Also, if you have *mstsc.exe in the blacklist does this block mstsc.exe as well?
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I will make this suggestion to the developer:

    In the Admin Tool, when a user presses the Status button, within the main Status info pulled from the kernel driver, also show the bytes for the config file size. This could be simple yet beneficial.
     
  24. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    If I allow all Windows processes, Program Files etc. like EXE Radar does, and whitelist my currently installed files/other security, will Bouncer still be as secure, or does it work differently than EXE Radar? In other words, are all the rules above totally necessary?
     
  25. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Well, @ParaXY you can just specify

    Code:
    C:\Windows\*
    C:\Program Files\*
    C:\Program Files (x86)\*
    C:\ProgramData\Microsoft\*
    
    in your whitelist for a basic (but good) start into Bouncer protection.

    Answering the question about the blacklist: it's up to you and what programs you need. If you only use Internet Explorer you must remove *iexplore.exe from the blacklist. If you use Remote Desktop you should remove it from the blacklist. This is my config, so it is good for my scenario and what I need - you have other tools and apps you need or want to block. My example was just a demo for you to see what you can do.

    You got it. This is exactly what happens. If you put *notepad.exe in the blacklist section it will block all process names that end with notepad.exe, from all locations, no matter what source you start them from. If you'd like to block a specific notepad, set up the complete path like: C:\Windows\notepad.exe

    @Overkill:

    Yes, see my basic config from this post. Exactly, just do a basic config to get familiar with Bouncer and see how it protects. You will see that even a basic config is good to avoid common attack vectors (not all, but a lot, like an accidental click on a downloaded exe or ransomware etc.). It can't stop highly targeted and tricky attacks; to avoid those you need more configuration here, and I think the upcoming version is much better (with parent checks and hashing) for deeper and more secure protection - but it is also more difficult to set up, but amazing what the developer put in the kernel driver without a bulky and annoying GUI like in other applications in the field - but that's a matter of taste and what developer you like & support.
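    The wildcard semantics WildByDesign lays out in post 12 (* spans any run of characters, including directory separators and the drive letter; ? is exactly one character, so a GUID-shaped ????????-????-????-????-???????????? rule rejects a folder of the wrong length) and 4Shizzle's point just above that a blacklist entry like *notepad.exe catches that name from every location, as an added example written for this thread rather than anything from Excubits or the posters. It is a small Python simulator of the rule matching: the policy, the sample paths and the GUID-style folder names are constructed; the precedence (a blacklist hit beats a whitelist hit, anything matching neither is blocked, paths compare case-insensitively) is an assumption inferred from the configs posted here, which whitelist C:\Windows\* yet blacklist *reg.exe, and is not documented on this page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample policy (not anyone's real config) in the same ini layout as the
# configs posted in this thread: switches in brackets, one rule per line, [EOF] ends it.
SAMPLE_INI = r"""[#LETHAL]
[LOGGING]
[WHITELIST]
C:\Windows\*
C:\Program Files\*
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe
C:\Users\*\AppData\Local\Google\Chrome\User Data\SwiftShader\?.?.?.?????\libEGL.dll
[BLACKLIST]
*reg.exe
*bitsadmin*
*powershell*.exe
[EOF]
"""


def parse_ini(text: str) -> Dict[str, List[str]]:
    """Split a Bouncer-style ini into {section name: [rule lines]}.
    A header like [#LETHAL] is kept under the key '#LETHAL', so the '#' prefix
    (the thread's way of switching a feature off) stays visible to the caller."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current == "EOF":
                break
            sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def is_lethal(sections: Dict[str, List[str]]) -> bool:
    """[LETHAL] present and not commented out means the driver blocks; [#LETHAL]
    together with [LOGGING] means it only logs what it would have blocked."""
    return "LETHAL" in sections


def rule_to_regex(rule: str) -> "re.Pattern[str]":
    """Translate one rule into an anchored regex.  Assumed semantics, as described in
    this thread: '*' matches any run of characters (including backslashes, so it can
    span directories or the drive letter), '?' matches exactly one character, and
    everything else is literal.  Matching is case-insensitive, like NTFS paths."""
    parts = []
    for ch in rule:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(rule: str, path: str) -> bool:
    return rule_to_regex(rule).match(path) is not None


def decide(path: str, sections: Dict[str, List[str]]) -> Tuple[str, Optional[str]]:
    """Return (verdict, rule that decided it).  Assumed precedence: a blacklist hit
    wins over any whitelist hit, and a path matching neither list is blocked
    (default deny).  The real driver's precedence is not documented on this page."""
    for rule in sections.get("BLACKLIST", []):
        if matches(rule, path):
            return "BLOCK", rule
    for rule in sections.get("WHITELIST", []):
        if matches(rule, path):
            return "ALLOW", rule
    return "BLOCK", None


if __name__ == "__main__":
    policy = parse_ini(SAMPLE_INI)
    mode = "LETHAL" if is_lethal(policy) else "LOGGING only"
    # Constructed sample paths; the GUID-style folder name is made up.
    for p in [
        r"C:\Windows\System32\notepad.exe",
        r"C:\Windows\System32\reg.exe",
        r"C:\Users\Bob\AppData\Local\Temp\1a2b3c4d-1111-2222-3333-444455556666\DismHost.exe",
        r"C:\Users\Bob\AppData\Local\Temp\evil\DismHost.exe",
        r"C:\Users\Bob\AppData\Local\Google\Chrome\User Data\SwiftShader\3.0.0.1234\libEGL.dll",
        r"C:\Users\Bob\Downloads\setup.exe",
    ]:
        verdict, rule = decide(p, policy)
        print(f"[{mode}] {verdict:5} {p}  <- {rule}")
```

    Running it with the sample policy shows the effect WildByDesign describes: the ?-shaped DismHost.exe rule allows a file only from a folder whose name has the 8-4-4-4-12 layout, while a loosened rule such as C:\*DismHost.exe would allow that file name from anywhere on the drive; and *reg.exe blocks reg.exe even though C:\Windows\* is whitelisted, which is why a blacklist entry should be removed rather than worked around when you actually need the tool.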
     