Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Thanks @4Shizzle. I'm going to experiment with these rules!

    I'm curious, can you use Bouncer so that you don't have to run anti-virus? I'm really keen on dumping my AV and I'm wondering what is the right way to do this? WildByDesign: You mentioned that you don't run AV, how did you approach moving away from having AV on your box? How do you know what you are downloading/installing/browsing isn't infected?
     
  2. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    I just use Windows’ built-in AV (Defender). Works perfectly for me. In my config Bouncer can also update Defender daily without having to stop Bouncer. The same goes for most patch-day updates; sometimes a patch needs Bouncer to be stopped. If you are not practised, I suggest stopping Bouncer for the update, updating, and not doing anything dangerous while updating (= downloading exe files from the internet, surfing dodgy web sites, opening e-mail attachments), then starting Bouncer again after the update. Done. Works awesome.

    I think you can just use Bouncer and EMET (like @WildByDesign said). Ensure that you install the latest patches for the OS, browser and other apps. Only install original (legal) software from trusted sources (meaning: buy software, do not steal software). Keep away from porn sites, do not go to sharing and streaming web sites (they are like illegal software download sites: the TOP 1 source of malware). (I just use Netflix and I am happy with it, why load any illegal stuff? I also pay for music I like, so for me there is no fear of catching something).

    Additional: Do not use Adobe Flash, avoid Adobe PDF reader, use OO instead of MS Office; for private use it is awesome and has enough features. Also follow @WildByDesign's suggestion to set UAC to the highest mode, then I would say: the possibility of getting infected without AV is not very high.

    But why not use Windows’ Defender? It is still there, not so bad and works well, so this is an additional layer of security. It is said that security should be multi-layered: Bouncer, EMET, Defender, Windows firewall and UAC sounds like a perfect combo.

    My opinion: so why spend $30-$50/year for an anti-virus solution and bulky desktop security software that works no better than the combo above? It’s a matter of taste, I think.
     
  3. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    I thought the free built-in AV from Microsoft wasn't very good? i.e. low detection rate

    So when applying updates/upgrades/etc do you stop bouncer...install the updates and then start Bouncer as usual or do you run it in logging mode again to see what may be blocked after the updates?

    I, like you, purchase my software and don't install any cracked software or warez on my machine. I am very careful where I download from and usually check digital signatures and hashes on install files before installing them.

    I don't use Adobe Flash but, annoyingly, even though I don't have Flash installed, there is a version installed by default in Windows (for Edge I think). I know you can block this with Bouncer but I wonder if you could uninstall/delete it? For PDF viewer I use Foxit. I was using LibreOffice but have started to use Office 2013 recently (fully patched). I run UAC at the maximum setting and run as a non-admin user. I also use SuRun which is excellent!

    I currently have Avira installed but, argh, I hate AV and would like to stop using it altogether. I was using AdAware AV. Both were the free versions. I just want to make sure that despite all my precautions and all the tools I run that I won't be infected with a virus without any AV running. I also run Windows Firewall and block ALL incoming connections and have a very restricted outgoing ruleset for VPN internet access only and have Malwarebytes Premium running with Anti-Exploit and Sandboxie.

    I think my setup is pretty secure and safe but I'm still not 100% sure about removing AV altogether so I appreciate your input/comments/concerns regarding this!
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I think that you have a very well thought out, layered setup and is really quite well done. As you have most of your bases covered already, I can see now why you are looking into an efficient anti-exec/app whitelisting like Bouncer. With Sandboxie, the anti-exploit that you've got, VPN and so on, I think that you could certainly add Bouncer in there. If you ditch the AV, Bouncer along with the remainder of your setup will cover you very well.

    Some basic download tips that I would share: Always download from the original manufacturer, open source project, etc. and avoid those large download sites whenever possible. It is good practice to compare hashes as well whenever the software maker shares those. I honestly believe that you will have nothing to worry about with your setup, you have covered your bases nicely with great layers. However, it is nice to have some peace of mind. A regular practice of mine is that anything that I download (particularly if it's new or you are unsure about it) is to use a shell extension that allows comparing with VirusTotal. Their own tool, VirusTotal Windows Uploader (https://www.virustotal.com/en/documentation/desktop-applications/) allows for easy uploading/comparing with VT. Also, a simple shell extension allows you to right-click on any suspect downloads and Send To - VirusTotal. Keeping in mind, you would also have a rule to block any execution from that directory in case you accidentally double-clicked on it. There are likely other shell extensions to choose from that can compare with VT. Also, many shell extensions combine hashing and VT check in one (MultiHasher comes to mind: http://www.abelhadigital.com/multihasher). Or, for peace of mind, you could run an on-demand scanner only such as Emsisoft Emergency Kit or others.

    Whenever you decide to go without AV, the first few months are going to have you getting accustomed to it. A year from now, you will be wondering why you didn't ditch it sooner. But keep in mind, the same security setup is not necessarily the best for every different user or use case. The majority of us here at Wilders are already quite conscious of our security and use good common sense as well, but that is something that the everyday Internet users out there (who have no interest in security) don't necessarily have. A good (and regular) backup plan is, of course, recommended for anyone regardless of skill set and knowledge.
     
  5. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Yes.

    Sounds like my installation :)

    @WildByDesign

    thanks for the tip. I always uploaded executables through browser. Will try the shell extension...

    :)

    Yes, fully agree. For majority of users it is not necessarily the best way to work.
     
  6. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Thanks for the kind words! I rebuilt my machine when Windows 10 was released but leading up to that I had many months to give my new install much thought to lock it down well and make it as secure as I possibly could. My previous Windows 8.1 build was pretty secure but this is taking it to the next level!

    I agree with everything you mentioned about downloads/installs etc. And thank you for the link re VirusTotal Windows Uploader, this may just be what I need!! Although I want to ditch my AV I was wondering how I should do some AV scans should the need arise. I will definitely give this a try. Is Emsisoft Emergency Kit one of those products that you boot off a USB/DVD and then run a scan to clean your machine? If it is I can't use tools like this since I encrypt my drives. Unless they support Bitlocker?

    I bet I am going to kick myself for not getting rid of my AV sooner! There's just been this sneaking suspicion that I need to stop using AV. I've tried many over the years and it's SO rare that I get an alert to say a virus has been blocked (and this was in the days before I had a locked down machine). Avira has these annoying popup windows that I haven't been able to disable (geez I hate ad popups) so an uninstall should do the trick...

    I thought I would share more of my setup as it's definitely been the best setup I have had so far. Maybe this can benefit someone out there and if there is anything missing or incorrect I am happy to hear it to improve things so that my machine is super secure. So here it goes:

    I have moved my setup/configuration to:

    https://www.wilderssecurity.com/thre...etup-these-days.111264/page-1484#post-2529252

    I hope this isn't off topic but my most recent addition to the above is Bouncer. Before installing it I didn't run any path-based anti-exe whitelisting (I wasn't even aware of it!). I'm still running in demo mode and eagerly awaiting the new hash version.

    I hope the above was helpful. If it's too off topic I will edit and remove the above but I thought it was relevant (and gives some context) so people can see where I am coming from with all my questions regarding the amazing Bouncer!

    Cheers!
     
    Last edited: Sep 28, 2015
  7. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
  8. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    @WildByDesign: Thanks so much for the VirusTotal Windows Uploader...it's superb! I've also started using the Firefox browser plugin which is great as well (just right click a link and send to Virus Total to scan).

    Today I uninstalled my anti virus. Yes, I am running no AV...woohoo. That's the last Avira popup I'll ever see! It feels kind of strange but in a good way. I did run a full scan on all my drives before uninstalling.

    If I am running Bouncer and I receive a Word document with malicious macros/scripts embedded in it and I launch the Word document from a folder location that ISN'T whitelisted, will Bouncer block this? Also, if I try to open a "clean" (non malicious) Word document from the same location will Bouncer let me open it (even if it has macros/scripts in it)?

    I was also thinking, for confidential/private documents that you didn't want to upload to VirusTotal one could use a portable anti virus scanner?
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome, no problem. I am happy to hear this and hope that your computer's performance will also now be even snappier.
    This is actually a very good question, and to be perfectly honest, I don't know the answer. I have forwarded this question on to the developer and I will let you know the moment he gets back to me on that. There's a good chance that I will get a reply back later today. Anyway, there are a few factors here. These macros/scripts would generally have to work by utilizing built-in Windows tools (cscript.exe, wscript.exe, bitsadmin.exe, etc.) to therefore go ahead and download the malicious executable and/or payload which, based on permissions, typically would go into user directories and execute from there. Basic Bouncer rules would block anything from executing from user directories, so that would stop the execution. Also, my own config (and similar to @4Shizzle's config) includes additional lock-down blacklist of built-in Windows components (cscript.exe, wscript.exe, bitsadmin.exe, etc.) that are commonly abused by malware in the early stages, so that would also prevent execution at an earlier stage. So you are well covered there already. The main question remaining is the initial running of macros/scripts within the Word document, which I also am curious about. So I will let you know what the developer says about that part. Personally, within Word, Excel, also even Adobe Reader and so on, I always disable things like Javascript, macros, etc. But I believe that those programs also have ways to deal with documents that were not created locally and came from the Internet, etc. So there are a few ways to mitigate this.
    Absolutely, yes. In these special cases I would use a well trusted on-demand scanner only that does not utilize cloud and so on.
     
  10. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Thanks @WildByDesign. It feels good to not run any AV! I have placed my order for Bouncer and eagerly await it.

    I look forward to your post with the developers answers to my questions about a Word document with scripts in them.
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    From Florian:
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    For those of you who have been using the Beta builds from the Beta Camp page (http://excubits.com/content/en/products_beta.html), the build available for Bouncer has been updated. MemProtect (beta) and MZWriteScanner (beta) have not been updated.

    There were no bugs reported within the Bouncer kernel-mode driver itself, therefore it remains unchanged and as stable as always. The updates and changes are within the Admin Tool and the BouncerTray tool. Most of those fixes/changes were reported here at Wilders. So thank you all for working together as a community as we share this common interest.

    If anybody is using the regular Bouncer builds and is interested in trying the beta builds of Bouncer, feel free to let me know if you have any questions or need any help. The beta builds of Bouncer is just a self-extracting executable, not a full installer like the stable build. So it has to be setup manually. Also, an important thing to keep in mind, between the current stable build vs the beta builds, there have been changes within the bouncer.ini config file therefore it is important not to use the old config with the new beta, unless you adapt the formatting of the config to be the same.
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    Thank you once again @WildByDesign
    I'll be bothering you here in a few days lol
     
  14. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Aaah, well thank you so much @WildByDesign. So basically, don't allow unknown/untrusted macros to run in Word/Excel and blacklist the commonly used files that these scripts call (powershell etc).

    I was using your hash script today to experiment with creating the hashes for the new version of Bouncer. It's a great script! So thanks very much for sharing it with me/the forum.

    It was quite interesting running it on my data drive. There are only 3 folders that have executables in them and there aren't that many hashes needed for all the software in them. The system drive is another story altogether...that file of hashes is huge!

    One thing I realised today was that none of the files in the root of C:\ are in the bouncer.ini (like pagefile.sys). I would have thought these needed to be added? Or are they not considered executable?
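    To make the rule discussion in this thread concrete (WildByDesign's description of a macro document chaining into a script host and a dropped payload, and the path whitelist / built-in tool blacklist / hash list that the posts above talk about), here is an added toy model of that kind of policy evaluation. It is not Bouncer's code and it does not use the real bouncer.ini syntax: the rule format, the section names, the precedence order, the sample paths and the "portable tool" bytes are all assumptions made for this illustration.

```python
"""Added example for this thread: a toy model of path-based anti-executable
rules with an optional SHA256 allow-list. It is not Bouncer's code and the
rule syntax, names and precedence below are assumptions made for
illustration, not the real bouncer.ini format."""
import fnmatch
import hashlib
from dataclasses import dataclass, field


@dataclass
class Policy:
    whitelist: list                 # glob patterns allowed to execute
    blacklist: list                 # glob patterns denied even if whitelisted
    sha256_allow: set = field(default_factory=set)  # digests allowed anywhere


def _matches(path, patterns):
    # Windows paths are case-insensitive, so compare lower-cased strings
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, pat.lower()) for pat in patterns)


def decide(policy, path, file_bytes=None):
    """Return (verdict, reason). Assumed precedence: blacklist beats
    everything, then the hash allow-list, then the path whitelist,
    and anything else is denied by default."""
    if _matches(path, policy.blacklist):
        return "BLOCK", "blacklisted path"
    if file_bytes is not None:
        if hashlib.sha256(file_bytes).hexdigest() in policy.sha256_allow:
            return "ALLOW", "sha256 allow-listed"
    if _matches(path, policy.whitelist):
        return "ALLOW", "whitelisted path"
    return "BLOCK", "default deny"


def evaluate_chain(policy, chain):
    """Walk a launch sequence (office app -> script host -> dropped payload)
    and stop at the first BLOCK; returns [(path, verdict, reason), ...]."""
    results = []
    for path, data in chain:
        verdict, reason = decide(policy, path, data)
        results.append((path, verdict, reason))
        if verdict == "BLOCK":
            break
    return results


# Constructed policy in the spirit of the thread: system and program
# directories allowed, user-writable locations and a few commonly abused
# built-in tools denied.
EXAMPLE_POLICY = Policy(
    whitelist=[r"C:\Windows\*", r"C:\Program Files\*", r"C:\Program Files (x86)\*"],
    blacklist=[
        r"C:\Users\*",
        r"C:\Windows\Temp\*",
        r"C:\Windows\System32\cscript.exe",
        r"C:\Windows\System32\wscript.exe",
        r"C:\Windows\System32\bitsadmin.exe",
        r"C:\Windows\System32\WindowsPowerShell\*",
    ],
)

# Constructed bytes standing in for a trusted portable tool, allowed by hash
PORTABLE_TOOL = b"constructed bytes of a trusted portable tool"
EXAMPLE_POLICY.sha256_allow.add(hashlib.sha256(PORTABLE_TOOL).hexdigest())

# Constructed launch chain for a macro document (paths are assumptions)
MACRO_CHAIN = [
    (r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE", None),
    (r"C:\Windows\System32\wscript.exe", None),
    (r"C:\Users\alice\AppData\Local\Temp\stage2.exe", None),
]

if __name__ == "__main__":
    for path, verdict, reason in evaluate_chain(EXAMPLE_POLICY, MACRO_CHAIN):
        print(f"{verdict:5} {path}  ({reason})")
```

    Running the chain shows the point WildByDesign makes: the office application itself is allowed from Program Files, but the script host it spawns is blocked by the tool blacklist, so the dropped payload in the user profile is never reached (and would be blocked by the user-directory rule anyway). The hash branch shows why a blacklisted location still wins over a known-good hash under this assumed precedence.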
     
  15. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Still Norton does not like this file. Maybe because it was only used by 5 Norton users?

    Flags it as
    SAPE.Heur.9B897
    Detected As:SAPE.Heur.9B897
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @boredog Yes, I can see why Norton would put up flags, also Google and so on. If you are referring to the latest Beta build, the main reason for flagging is because the executable is not digitally signed, but also because the creation date is fresh and new. Rightfully so, any newly created executable package that is not digitally signed should be flagged as suspicious. When those beta builds go final/stable they will be digitally signed with a trusted sig. :)
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You are very welcome, my pleasure.
    That's a good question and I can only really speculate on that. .SYS files in general are driver files and as such, they are filtered by Bouncer. However, I'm not entirely sure how pagefile.sys is utilized with regard to being executable or not, I believe there may be a difference there but I could certainly be wrong. It may not be utilized in the same way since it is generally a hidden/protected operating system file. So while it may have the .sys extension, I'm not so sure that it's executable by nature.
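    The pagefile.sys question above comes down to "is this file an executable image, or does it just carry an executable-looking name?". As an added example (not WildByDesign's hash script and not Excubits code), the Python below walks a directory tree and emits SHA256 lines only for files that actually start with a DOS/PE header, deciding by content rather than by extension. The sample tree, the minimal fake PE header and the "digest  path" output format are all constructed for the demo; the real bouncer.ini hash section format is not assumed here.

```python
"""Added example: hash only real PE images under a directory, identified by
header rather than by file extension. Not Bouncer's code; the sample files
and output format are constructed for illustration."""
import hashlib
import os
import struct
import tempfile


def is_pe_image(path):
    """True if the file begins with the DOS 'MZ' stub and the e_lfanew
    pointer at offset 0x3C leads to a 'PE\\0\\0' signature."""
    try:
        with open(path, "rb") as f:
            header = f.read(0x40)
            if len(header) < 0x40 or header[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _rel(root, full):
    # normalise separators so results look the same on Windows and POSIX
    return os.path.relpath(full, root).replace(os.sep, "/")


def classify_tree(root):
    """Return {relative path: bool} telling which files under root are PE images."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[_rel(root, full)] = is_pe_image(full)
    return out


def build_hash_list(root):
    """Return a sorted list of (relative path, sha256) for PE images under root."""
    return sorted((rel, sha256_file(os.path.join(root, rel)))
                  for rel, is_pe in classify_tree(root).items() if is_pe)


def fake_pe_bytes(payload=b""):
    """Constructed minimal MZ/PE header (not a runnable binary) for the demo."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    return dos + b"PE\x00\x00" + payload


def make_demo_tree():
    """Create a temporary tree of constructed files and return its path."""
    root = tempfile.mkdtemp(prefix="hashdemo_")
    os.makedirs(os.path.join(root, "Tools"))
    os.makedirs(os.path.join(root, "Drivers"))
    samples = {
        "Tools/tool.exe": fake_pe_bytes(b"tool"),
        "Tools/readme.txt": b"not code",
        "Tools/renamed.dat": fake_pe_bytes(b"hidden"),   # PE image without an .exe name
        "Drivers/driver.sys": fake_pe_bytes(b"drv"),     # a driver: real PE image
        "pagefile.sys": b"\x00" * 4096,                  # .sys name, but not a PE image
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = make_demo_tree()
    for rel, digest in build_hash_list(root):
        print(f"{digest}  {rel}")
```

    On the constructed tree the list contains the driver, the tool and the renamed PE image, while pagefile.sys and readme.txt are skipped: a swap file has no MZ/PE header, so a header check leaves it out regardless of its extension, whereas a PE image renamed to .dat is still caught.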
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I just wanted to let you know that, thanks to your questions regarding config file size, the latest Beta build contains an updated version of Admin Tool that now shows the bouncer.ini file size when you press the Status button. :thumb:

    I forgot to mention this the other day, but your security setup from post #481 (https://www.wilderssecurity.com/thre...-tuersteher-light.359127/page-20#post-2528580) should probably be moved to this thread: https://www.wilderssecurity.com/threads/what-is-your-security-setup-these-days.111264/ That is, if you would like to share it in that thread. I think that you have a comprehensive and well planned security setup and I think that other users in that thread may benefit from seeing your setup. I think that thread is quite handy for users sharing security setups and sometimes you might see methods that other users are trying and find it worthwhile to your setup and vice versa.

    Also, I noticed that you like to use non-admin accounts as well which is good practice. Bouncer is designed to work well with LUA (Standard) user accounts, following the practices of using admin accounts to do admin stuff, while non-admin for regular daily use, surfing the web, etc.
    You're welcome, no problem. Anytime you have a question, please feel free to ask. I will always do my best to help, and if I don't happen to know the answer, I can help dig in and figure it out. :)
     
  19. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    That's great!! Really good to see the developer listening to feedback.

    Yes, I would like to post my setup there so will proceed to do that tonight hopefully. It's good to have someone else check your own work. I'm always open to suggestions and feedback. If I'm doing something wrong then I want to know about it.

    That's great to hear. In the beginning I was really battling with running an LUA account with UAC turned up full as the popups drove me insane. SuRun helped with that. I just need to remember that I must always run the admin tool as admin AS WELL AS Notepad++ when editing the bouncer.ini file so I can save my changes.

    I have a few other admin tool ideas for bouncer:
    1. Have the option to stop repetitive log file entries from changing the admin tool's icon in the system tray from green to red. Maybe this is asking too much but it would be great to have an option that said: After 3 log attempts of the same item, stop changing the icon to red. Otherwise I find that I just start to ignore the red icon (which is bad).
    2. Auto load the bouncer.ini file when you open the admin tool. It's painful having to open the admin tool, load bouncer.ini and then browse the file system to find this file. Why not just auto load it? Also make saving changes to bouncer.ini quicker/easier: I just want to click save after making changes and have it auto save to c:\windows\bouncer.ini (rather than having to find the file first to then save the changes)
    3. Time stamps in the logfile maybe with separators for each day. This would be helpful.
    Anyways, just some ideas! I'll try to move my setup to the right forum tonight.

    My order is in for Bouncer and I am like a little excited kid waiting for the invoice to arrive so I can pay for it and start using it...;-)

    Edit: I have moved my setup to https://www.wilderssecurity.com/thre...etup-these-days.111264/page-1484#post-2529252
     
    Last edited: Sep 28, 2015
  20. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    The more I think about it, the more I reckon you guys are on a winner... especially with the no-AV thing. Boy, did we get roped into the hoopla or what?!
     
  21. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    You can say that again! I have been thinking for ages about dumping my AV but it was @WildByDesign (with his great suggestions) that finally made me decide to do it. I've been through 3 or 4 AVs in the last few months. All have been a pain (slow, adverts etc).

    As @WildByDesign said, it will take some getting used to and a different approach is required to run without AV but after a few weeks it will become second nature!
     
  22. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    At one stage I had 7 installed, only EAM and MBAM were for real time... the rest were on-demand. Overkill much? I hardly use Zemana, only give it a whirl when I remember to check for updates. I also had ClamWin (was laughed at by a bloke on MalwareTips for using this one... he reckons it was crap but I kept it anyways) and 9-Labs. I really am intrigued by the non-AV approach. I guess I picked the wrong time to try and stop smoking, huh? lmao!
     
  23. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    I think a combination of Bouncer (with properly configured rules), MBAM/MBAE, using a non admin account and locked down firewall rules with a browser that has privacy addons installed will protect you from 99.99999% of threats out there.

    Common sense is needed of course as well.

    I found Clamwin slow compared to EMIS Emergency Kit but there's no harm having it sitting in a folder should I need it. It's portable so no install needed.

    I too was intrigued about running no AV. It almost feels "naughty" not running AV anymore. It's only my second day not running AV so I have a long way to go before giving any feedback. The one thing I did do before uninstalling Avira was run a full system scan. Even after uninstalling it I ran another scan with EMIS and Clamwin just to be sure I was at a good starting point.
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I just added underlining to point out the key points there. Both points have been implemented in the Admin Tool, but if I'm remembering correctly, that might be just in the Beta release. The developer made it so that those key points occur if you run Admin Tool directly from the BouncerTray tray app. If you start Admin Tool by itself (not through BouncerTray), then it has to be loaded/saved manually. The idea there, is that often an admin has to manage several configs for many different users and in that case scenario the auto-loading served no purpose. But I'm pretty sure that it is only in the Beta release. Although since that Beta build has been rock solid, I would think that it should go stable/full installer release soon. If you have any interest in switching over to the Beta build, I would be happy to help make the switch painless and we could also disable SHA256 and parent checking for the time being so that you have the same functionality that you are accustomed to already.
     
  25. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Oh dear, that's a problem for me running as an LUA. In order for me to run the Admin Tool as an admin user I usually have to browse to the folder where it is located and then right click it to run as the administrator. I wonder if there's a work around for this? It's not the end of the world but while testing your config multiple times and setting things up it does become tedious browsing for the config file each time and loading it!

    I paid for Bouncer today so am waiting for the full version! I may wait for the new final stable release as I am going away in a few days for a week and I am hoping to start off on the new version. I appreciate your offer and will definitely ask if I need some assistance (which I'm sure I will).

    No AV and Bouncer = WINNER
     