Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I guess it may depend on how you've got your accounts set up. I have my Admin account for admin stuff and also have my LUA for everyday use. When using LUA, BouncerTray is designed to run in LUA without admin prompt (so that there are no prompts every time you start Windows) and will only prompt for admin credentials to start the Admin Tool or to Start/Stop Bouncer. In my LUA, let's say I need to change some rules in Admin Tool, I access Admin Tool directly through BouncerTray and what happens is that I am prompted for the credentials for my Admin account, which is what is often referred to as over-the-shoulder (OTS) elevation. Does your setup do something different than prompting for your Admin credentials? Going to the directory and starting Admin Tool manually would still automatically ask for privileges to elevate as that is how it's been designed. So I don't have to right-click and choose Run as Administrator. I'm just trying to get an idea of how your account setup differs so that I can understand better how to help.
    That's exciting. So you will have Bouncer for life now. But the good part about that is how Bouncer (driver, in particular) has been programmed to be backwards compatible and forwards compatible with all versions of Windows since it carefully follows Microsoft's specifications without deviating from that. You will also be able to get technical support directly from the developer if necessary.
    Agreed. Or realistically, any application whitelisting in general. It's not exactly something new but it has been becoming more important for mitigating threats. For example, there is this one report from the Australian Government (which has been discussed at Wilders before) which shows Application Whitelisting being the number one for their mitigation strategies. Report (PDF): http://www.asd.gov.au/publications/Mitigation_Strategies_2014.pdf Main page with more details on individual mitigations/strategies: http://www.asd.gov.au/infosec/mitigationstrategies.htm
     
  2. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Hi, @WildByDesign .:)
    Could you give a simple example on how to write a rule based on hash code?
    Thanks.
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Online_Sword Sure thing, no problem.
    Code:
    [LETHAL]
    [LOGGING]
    [SHA256]
    [#PARENTCHECK]
    [WHITELIST]
    ff9b6c7a61ed20915c380dc7fa740b887c84b926
    ff9c9198d3c7256c99e607c1a3b64482d5d5b3eb
    ffb4cf57f42a963d9824ad7a485d373732416309
    ffb7be421d265c28f49338ba0ad843c357cef130
    ffbb58bd3640f632ae06c2f10def8152b35171d1
    ffc496e535f0162a4cc1e2f3a480f59d7160f278
    [BLACKLIST]
    0e25304ea86cc09db687329bc880fc96cbc36380
    0e25ab56d00076938b22e8e5d57a89c6b1728f4c
    0e2820c0c7c877f0bb4eb5da6c6421c5c7ce6c53
    0e2d611b72b4245723bd8855070ba92627ee8fa7
    0e4e353e0e45b1c3cde54d356680e54748d0e0b4
    0e4efd186a8214b1081735775a56c982898ca48a
    0e504ceb48dd96731794ccfb38a7a7a5e3793869
    0e5791e3c6418ba3d7f16df14a11139faac5884a
    0e5dd40322e6a5b96ea8060b359dafa635c5262e
    0e5dfb4948abe1a0c7dd3e862b22a1dd197ee456
    0e5e37efff36498b0a7f30829d85f0e742bbf5b1
    [PARENTWHITELIST]
    [PARENTBLACKLIST]
    [EOF]
    
    This is just a very simple example. The SHA256 hashes go into the same [WHITELIST] and [BLACKLIST] sections, same as with path-based rules. So you can have a mix of path-based and hash-based rules in those sections. I believe that hashes can be used within the [PARENTWHITELIST] and [PARENTBLACKLIST] sections as well, but the format is slightly different there and I am just not very familiar with the parent checking rules. You can also find some rules, examples and rationale on the Beta Camp page: http://excubits.com/content/en/products_beta.html That covers some more details on the parent checking in particular.

    Please let me know if there is anything else you need.
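The rule file quoted in this reply has a small, regular layout (bracketed section names, a leading `#` to disable a section, one entry per line, `[EOF]` at the end). The following parser and sanity checker is an added example, not Excubits' code and not the Admin Tool's own syntax check. It assumes only that layout; the driver's real parser may differ in details. Besides reading the sections, it flags three things a practitioner would want to know before going lethal: that `[LETHAL]` is commented out (audit mode, nothing blocked), that a hex entry is not 64 characters long (a SHA-256 digest is 32 bytes, so 64 hex characters; a 40-character value is some other hash), and that the same entry sits in both `[WHITELIST]` and `[BLACKLIST]`. The sample rule file is constructed for the example; the 64-character digest is the well-known SHA-256 of empty input.

```python
"""Parser and sanity checker for a Bouncer-style rule file.

Added example (not Excubits' code). Assumptions, taken from the sample posted
above: one bracketed section name per line, a leading '#' inside the brackets
disables that section, entries follow their section header one per line, and
[EOF] ends the file. The driver's own parser may differ in details.
"""
import re

FLAG_SECTIONS = ("LETHAL", "LOGGING", "SHA256", "PARENTCHECK")
LIST_SECTIONS = ("WHITELIST", "BLACKLIST", "PARENTWHITELIST", "PARENTBLACKLIST")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
SHA256_HEX_LEN = 64  # 32-byte digest printed as hex

# Constructed sample rule file. The 64-char digest is SHA-256 of empty input;
# the 40-char value is made up to show the length check.
SAMPLE = r"""[#LETHAL]
[LOGGING]
[SHA256]
[#PARENTCHECK]
[WHITELIST]
C:\Program Files\*
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
0123456789abcdef0123456789abcdef01234567
[BLACKLIST]
*powershell*.exe
C:\Program Files\*
[PARENTWHITELIST]
[PARENTBLACKLIST]
[EOF]
"""


def parse_rules(text):
    """Return ({flag: enabled}, {list_section: [entries]}) for a rule file."""
    flags = {name: False for name in FLAG_SECTIONS}
    lists = {name: [] for name in LIST_SECTIONS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.upper() == "EOF":
                break
            enabled = not name.startswith("#")
            name = name.lstrip("#").upper()
            if name in FLAG_SECTIONS:
                flags[name] = enabled
                current = None
            elif name in LIST_SECTIONS:
                # A disabled list section swallows its entries.
                current = name if enabled else None
            else:
                raise ValueError(f"unknown section: {line}")
            continue
        if current is None:
            raise ValueError(f"entry outside a list section: {line}")
        lists[current].append(line)
    return flags, lists


def classify_entry(entry):
    """'hash' for an all-hex entry, 'path' for anything else (assumed rule)."""
    return "hash" if HEX_RE.match(entry) else "path"


def check_rules(text):
    """Human-readable warnings about a rule file, in a stable order."""
    flags, lists = parse_rules(text)
    warnings = []
    if not flags["LETHAL"]:
        warnings.append("audit mode: [LETHAL] is disabled, nothing will be blocked")
    for section in ("WHITELIST", "BLACKLIST"):
        for entry in lists[section]:
            if classify_entry(entry) != "hash":
                continue
            if not flags["SHA256"]:
                warnings.append(f"{section}: hash entry {entry[:12]}... but [SHA256] is disabled")
            if len(entry) != SHA256_HEX_LEN:
                warnings.append(f"{section}: {entry[:12]}... is {len(entry)} hex chars, "
                                f"not a 64-char SHA-256 digest")
    both = ({e.lower() for e in lists["WHITELIST"]}
            & {e.lower() for e in lists["BLACKLIST"]})
    for entry in sorted(both):
        warnings.append(f"{entry!r} appears in both WHITELIST and BLACKLIST")
    return warnings


if __name__ == "__main__":
    for w in check_rules(SAMPLE):
        print("warning:", w)
```

Run it against your own bouncer.ini before switching from `[#LETHAL]` to `[LETHAL]`; the length check in particular catches a list generated with the wrong hash algorithm, which would otherwise silently whitelist nothing.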
     
  4. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Thank you very much @WildByDesign .:thumb:
    One more question: could we write a rule based on both the path and the hash code?
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    So let me just try to understand this and hope I am understanding correctly here. You are referring to something having to meet both rules to be able to execute, meaning it has to meet the same hash and also has to be within that same particular directory/folder? Is that what you are referring to? If that is what you were referring to, I don't think that is possible with Bouncer rules at the moment. Although I could be wrong, there could be some tricks that could be done with the configuration that I haven't figured out yet. I will pass this inquiry along to the developer as a suggestion and see what is possible.
     
  6. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    I'll have to do some testing with this. Currently I don't have Bouncer installed as I uninstalled it in preparation for installing the full version. I think I always run the Admin Tool from File Explorer and didn't even bother trying to run it from the system tray. I'll get back to you on this.

    I am excited about it. I feel like I have hit the jackpot for securing my Windows machine. Money very well spent. I may even purchase MemProtect too and MZWriteScanner.

    Is it a good idea to install the full version of the latest beta of Bouncer? I am dying to try hashing in the config file!!

    I received an email today about a special on anti virus. Price was reduced from $80 PER YEAR to $15. I thought: No need for that now (even though I have never paid for AV before). I smiled and deleted the email ;-)
     
  7. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    I'm always keen to hear how people MANAGE these hashes AFTER they have entered all of them in their hash file. Maybe Florian can comment on this or let us know the best approach to this?

    I'm also quite interested to hear more about other features in Bouncer like PARENTCHECK.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    MZWriteScanner is free for personal use, only commercial/business use requires licence. Pretty sure it's the same for MemProtect.
    The Beta is really quite stable. The kernel-mode driver at the heart of it all is incredibly stable and efficient. A few bugs were found in Admin Tool in Beta package, but that has since been updated/patched. So it's likely ready for release, but what is lacking at the moment is updated documentation regarding the new SHA256 and Parent Checking features. If you are interested in trying the Beta, PM me with your current bouncer.ini config copied within the forum code tags, and I can get back to you in the morning with your exact config converted to the new Beta config format and I can give you some step by step easy instructions to ensure it's set up correctly. Reason being, beta does not have a full installer. But I am happy to help with easy manual instructions to follow. I will also try to find out an ETA for final release with installer and documentation.
     
  9. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Maybe the old school approach of sending an Admin Tool shortcut to desktop, setting up "Run as Administrator" via right click tabs could help you out here...
     
  10. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Yes, it is just what I mean.
    Thank you for passing this suggestion to the developer.:thumb:
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @ParaXY One thing that I forgot to mention to you, since you were also quite interested in the SHA256 hashing mechanism as I am as well, was that the Bouncer kernel-mode driver was extremely efficient with how it managed the actual hashing. By that, I mean you could have a hash list of 20,000 to 80,000 (comprised of .exe, .dll, .sys, etc.) hashes utilizing SHA256 algorithm and there were no differences in efficiency and performance. You could have a hash list of say 100 hashes and compare that to a list with say 60,000 hashes and the performance would be the same.

    That efficiency comes from the kernel-mode driver itself which is something that the developer has always taken pride in keeping things simple, small, yet efficient. Now, of course there is a performance hit when enabling hashing in general versus no hashing. But when hashing is enabled, there is no difference dependent upon the size of the hash list which is great. Although, as we already know, Bouncer currently lacks a decent method of obtaining and maintaining that hash list. So this is something that I am discussing with the developer right now along with some other brainstorming ideas. It could be the most efficient kernel-mode driver out there, who knows, but without ease-of-use regarding the maintaining of the hash list, that makes that particular feature a bit more challenging at the moment.
     
  12. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    I appreciate the offer @WildByDesign (re setting up my config for beta Bouncer) but I think I may wait for the final version of Bouncer that has hashing. I think it's only a couple weeks to go until the final version is released and I am going away this weekend for a week so it'll be perfect timing!

    Wow, that's really interesting about the driver's efficiency. I just had a quick look at my hash file list and after running your script on my boot drive and data drive I have a total of about 23000 hashes. The total size of the ini file is just under 1.5MB. I really like the developer's approach as I am a minimalist and like things to be small/simple/efficient.

    I am REALLY keen to hear the ideas being brainstormed with regard to maintaining the hash list. It also got me thinking, you can't easily identify WHAT each hash value is! For example, if I want to blacklist powershell.exe using the hash value, I can't look in the hash list in the ini file to determine which hash this is. I know I can look in the csv file that your script generates but it's still a bit of a pain (not complaining, that's just how it is). I guess if you don't make too many changes to your machine maintaining the hash list isn't too bad but I work in IT and go through stages where I can make massive changes in a day/week/month. Trying to update the hash list each time would be painful.
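The two maintenance problems raised in this thread (how to manage thousands of hashes after they are in the file, and how to tell which hash belongs to which binary) are both addressed by keeping a sidecar CSV next to the rule file. The script below is an added example; it is not Excubits' tool and not the script referred to above. It assumes only that hash entries are lower-case hex SHA-256 digests listed one per line under `[WHITELIST]`, as in the sample config quoted earlier in the thread; the CSV layout is this example's own convention. It hashes every `.exe`/`.dll`/`.sys`/`.ocx` under a root, keeps `path,sha256` pairs so a name can be looked up, and on a rescan reports only the digests that need adding or dropping, so a big day of changes becomes a small diff rather than a rebuild. The sample tree in `demo()` is constructed in a temporary directory.

```python
"""Build and maintain a SHA-256 hash inventory for a Bouncer-style whitelist.

Added example, not Excubits' tool. Assumption (labelled): whitelist hash
entries are lower-case hex SHA-256 digests, one per line. The sidecar CSV
(sha256,path) is this example's own convention for keeping the list readable.
"""
import csv
import hashlib
import io
import os
import tempfile

EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".ocx"}


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_inventory(root, exts=EXECUTABLE_EXTS):
    """{relative_path: sha256} for every executable-type file under root."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in exts:
                full = os.path.join(dirpath, name)
                inventory[os.path.relpath(full, root)] = sha256_of_file(full)
    return inventory


def whitelist_lines(inventory):
    """Distinct digests, sorted, ready to paste under [WHITELIST]."""
    return sorted(set(inventory.values()))


def inventory_to_csv(inventory):
    """Sidecar text that records which path produced which digest."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["sha256", "path"])
    for path in sorted(inventory):
        writer.writerow([inventory[path], path])
    return buf.getvalue()


def csv_to_inventory(text):
    return {row["path"]: row["sha256"] for row in csv.DictReader(io.StringIO(text))}


def diff_inventory(old, new):
    """(digests to add, digests to drop) after a rescan.

    A digest is only dropped when no remaining path still has that content,
    so two copies of the same DLL do not cancel each other out.
    """
    old_set, new_set = set(old.values()), set(new.values())
    return sorted(new_set - old_set), sorted(old_set - new_set)


def find_by_name(inventory, filename):
    """Answer 'which digest is powershell.exe?' from the sidecar, case-insensitively."""
    return [(p, h) for p, h in inventory.items()
            if os.path.basename(p).lower() == filename.lower()]


def demo():
    """Constructed sample tree: two fake binaries plus one non-executable,
    then app.exe is 'updated' and the tree rescanned."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tools"))
        files = {("tools", "app.exe"): b"MZ fake app v1",
                 ("tools", "helper.dll"): b"abc",
                 ("notes.txt",): b"not executable"}
        for parts, data in files.items():
            with open(os.path.join(root, *parts), "wb") as f:
                f.write(data)
        before = build_inventory(root)
        sidecar = inventory_to_csv(before)  # what you would keep on disk
        with open(os.path.join(root, "tools", "app.exe"), "wb") as f:
            f.write(b"MZ fake app v2")
        after = build_inventory(root)
        added, removed = diff_inventory(csv_to_inventory(sidecar), after)
        app_key = os.path.join("tools", "app.exe")
        return {
            "scanned": sorted(os.path.basename(p) for p in before),
            "helper_sha256": before[os.path.join("tools", "helper.dll")],
            "app_v1": before[app_key],
            "app_v2": after[app_key],
            "added": added,
            "removed": removed,
            "whitelist": whitelist_lines(after),
            "lookup": [os.path.basename(p) for p, _ in find_by_name(after, "APP.EXE")],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Keep the CSV under version control or at least dated: the diff output is exactly the review step an administrator wants before each hash is trusted, and the sidecar is what lets you find and remove the entry for a binary you later decide to blacklist.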
     
  13. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    So I couldn't help myself and installed the current stable full version of Bouncer. It's great not having the demo file size limit. So a few comments/questions:

    1) I was wondering why my config wasn't working until I found a comment I left in the one file I copied from. Does the developer have any plans to check the syntax when you restart the driver?

    2) In one of my earlier posts I mentioned that I was running the Admin tool by right clicking it and running it as admin in the installation folder. This forced me to load my config every single time. I am happy to report back that by running the Admin Tool from the system tray it auto loads my config file and it's much easier to use.

    3) I am one of those users that HATES all modern apps so I was wondering, is it a good or bad idea to BLACKLIST: C:\Windows\SystemApps?

    I'm still running in LOGGING mode and will be for at least another week as this is the first time I can run a full config without the file size limit. Currently my bouncer.ini looks as follows (many bits were taken from 4Shizzle...thank you!):

    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    C:\Program Files (x86)\*
    C:\Program Files\*
    C:\ProgramData\Microsoft\*
    C:\PROGRA~1\MICROS~1\Office15\*
    C:\Windows\addins\*
    C:\Windows\ADFS\*
    C:\Windows\AppCompat\*
    C:\Windows\apppatch\*
    C:\Windows\AppReadiness\*
    C:\Windows\assembly\*
    C:\Windows\BitLockerDiscoveryVolumeContents\*
    C:\Windows\Boot\*
    C:\Windows\Branding\*
    C:\Windows\BrowserChoice\*
    C:\Windows\Camera\*
    C:\Windows\CbsTemp\*
    C:\Windows\CSC\*
    C:\Windows\Cursors\*
    C:\Windows\de-DE\*
    C:\Windows\debug\*
    C:\Windows\DesktopTileResources\*
    C:\Windows\diagnostics\*
    C:\Windows\DigitalLocker\*
    C:\Windows\Downloaded Program Files\*
    C:\Windows\ELAMBKUP\*
    C:\Windows\en-US\*
    C:\Windows\FileManager\*
    C:\Windows\Fonts\*
    C:\Windows\Globalization\*
    C:\Windows\Help\*
    C:\Windows\IME\*
    C:\Windows\ImmersiveControlPanel\*
    C:\Windows\Inf\*
    C:\Windows\InputMethod\*
    C:\Windows\Installer\*
    C:\Windows\L2Schemas\*
    C:\Windows\LiveKernelReports\*
    C:\Windows\Logs\*
    C:\Windows\Media\*
    C:\Windows\MediaViewer\*
    C:\Windows\Microsoft.NET\*
    C:\Windows\Minidump\*
    C:\Windows\ModemLogs\*
    C:\Windows\Offline Web Pages\*
    C:\Windows\Panther\*
    C:\Windows\Performance\*
    C:\Windows\PLA\*
    C:\Windows\PolicyDefinitions\*
    C:\Windows\Prefetch\*
    C:\Windows\Registration\*
    C:\Windows\rescache\*
    C:\Windows\Resources\*
    C:\Windows\SchCache\*
    C:\Windows\schemas\*
    C:\Windows\security\*
    C:\Windows\ServiceProfiles\*
    C:\Windows\servicing\*
    C:\Windows\Setup\*
    C:\Windows\ShellNew\*
    C:\Windows\SKB\*
    C:\Windows\SoftwareDistribution\*
    C:\Windows\Speech\*
    C:\Windows\symbols\*
    C:\Windows\System\*
    C:\Windows\System32\*
    C:\Windows\SystemResources\*
    C:\Windows\SysWOW64\*
    C:\Windows\TAPI\*
    C:\Windows\Tasks\*
    C:\Windows\ToastData\*
    C:\Windows\tracing\*
    C:\Windows\twain_32\*
    C:\Windows\vpnplugins\*
    C:\Windows\Vss\*
    C:\Windows\Web\*
    C:\Windows\WinStore\*
    C:\Windows\WinSxS\*
    C:\Windows\SuRunExt.dll
    C:\Windows\SuRunExt.exe
    C:\Windows\SuRun.exe
    C:\Windows\SuRun32.bin
    C:\Windows\SuRunExt32.dll
    C:\Windows\Temp\????????-????-????-????-????????????\MPENGINE.DLL
    C:\Windows\Temp\????????-????-????-????-????????????\MPGEAR.DLL
    C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe
    C:\Windows\Temp\????????-????-????-????-????????????\DismCorePS.dll
    C:\Windows\Temp\????????-????-????-????-????????????\DismProv.dll
    C:\Windows\Temp\????????-????-????-????-????????????\OSProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\LogProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\CbsProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\AppxProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\AssocProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\CompatProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\DismCore.dll
    C:\Windows\Temp\????????-????-????-????-????????????\DmiProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\FolderProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\GenericProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\IBSProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\ImagingProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\IntlProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\MsiProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\SmiProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\TransmogProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\UnattendProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\VhdProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\WimProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\Wow64Provider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\AppxProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\AssocProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\CbsProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\CompatProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\DismCore.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\DismCorePS.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\DismHost.exe
    C:\Windows\Temp\????????-?????-????-????-????????????\DismProv.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\DmiProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\FolderProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\GenericProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\IBSProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\ImagingProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\IntlProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\LogProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\MsiProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\OSProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\SmiProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\TransmogProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\UnattendProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\VhdProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\WimProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\Wow64Provider.dll
    C:\Windows\Temp\MPGEAR.DLL
    C:\Windows\Temp\MPENGINE.DLL
    C:\Windows\explorer.exe
    C:\Windows\HelpPane.exe
    C:\Windows\notepad.exe
    C:\Windows\regedit.exe
    C:\Windows\splwow64.exe
    C:\Windows\twain_32.dll
    C:\Windows\winhlp32.exe
    C:\Windows\write.exe
    C:\Windows\bfsvc.exe
    C:\Users\User\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe
    C:\Users\User\AppData\Local\Temp\????????-????-????-????-????????????\DismCorePS.dll
    C:\Users\User\AppData\Local\Temp\????????-????-????-????-????????????\DismProv.dll
    C:\Users\User\AppData\Local\Temp\????????-????-????-????-????????????\OSProvider.dll
    C:\Users\User\AppData\Local\Temp\????????-????-????-????-????????????\LogProvider.dll
    C:\Users\User\AppData\Local\Temp\????????-????-????-????-????????????\CbsProvider.dll
    C:\Sandbox\User\Skype\drive\C\Program Files (x86)\Skype\Phone\Skype.exe
    C:\Sandbox\User\Skype\drive\C\Program Files (x86)\Skype\Updater\Updater.dll
    C:\Sandbox\User\Skype\drive\C\Program Files (x86)\Skype\Updater\Updater.exe
    C:\Sandbox\User\Skype\drive\C\Program Files (x86)\Skype\Phone\RtmPal.dll
    C:\Sandbox\User\Skype\drive\C\Windows\SysWOW64\msvcr120.dll
    C:\Sandbox\User\Skype\drive\C\Windows\SysWOW64\msvcp120.dll
    C:\Sandbox\User\Skype\drive\C\Program Files (x86)\Skype\Phone\RtmCodecs.dll
    C:\Sandbox\User\Skype\drive\C\Program Files (x86)\Skype\Phone\RtmMediaManager.dll
    C:\Sandbox\User\Skype\drive\C\Program Files (x86)\Skype\Phone\RtmPltfm.dll
    C:\Support\KeePass.cmd
    C:\Users\User\Desktop\Map X Drive.bat
    C:\Users\User\Desktop\Del X Drive.bat
    C:\Users\User\Desktop\pageant.exe
    C:\Users\User\AppData\Local\Temp\speccycpuid.dll
    C:\Users\User\AppData\Local\Temp\cpuz138\cpuz138_x64.sys
    C:\Users\User\AppData\Local\Temp\????????-????-????-????-????????????
    C:\Users\User\AppData\Roaming\uTorrent\uTorrent.exe
    D:\Sort\TemporarySandboxInstalls\*
    D:\Sort\BouncerWhitelistInstalls\*
    [BLACKLIST]
    C:\Windows\SystemApps\*
    C:\Windows\System32\Macromed\*
    C:\Windows\SysWOW64\Macromed\*
    *aspnet_compiler.exe
    *csc.exe
    *ilasm.exe
    *jsc.exe
    *MSBuild.exe
    *vbc.exe
    *script.exe
    *iexplore.exe
    *journal.exe
    *msiexec.exe
    *bitsadmin*
    *iexpress.exe
    *mshta.exe
    *systemreset.exe
    *vssadmin.exe
    *bcdedit.exe
    *hh.exe
    *powershell*.exe
    *reg.exe
    *setx.exe
    *flash*.dll
    *flash*.ocx
    *searchui*.exe
    *onedrive*.exe
    *onedrivesetup*.exe
    [EOF]
    
    I'd appreciate any feedback (good or bad)! I haven't whitelisted my data drive and all the installation software on there yet as I am still thinking about how to manage this. Maybe hashing will be better for this drive.

    Oh the one thing I have constantly noticed is that flash.ocx is called often! Has anyone else noticed this? When I launch Skype it calls:
    C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx

    When I launch Potplayer to play an MKV video file it calls:
    C:\Windows\System32\Macromed\Flash\Flash.ocx

    Why would Flash be needed when playing back a movie? Or launching Skype?
     
  14. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    That is one massive list! How truncated was it when the 10kb file size limit was enforced?

    In regards to PotPlayer, have you skimmed through the Preferences and Plugins sections (don't quote me on tab names, I haven't used PP yet)? Maybe there is a converter/plugin/inbound or outbound reference that triggers Flash detection... sorta similar to how Firefox has a Winamp Detector?

    I also have a question... would there be a reason to use AppGuard, EXE Radar Pro or Simple Object Blocker if one were to use Bouncer? These 3 seem to cherry-pick bits and pieces of what Bouncer does as a whole.
     
  15. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    When I ran the demo version I still had the entire config in bouncer.ini but because it was too big Bouncer stopped working so I had to remove big chunks of it.

    Not sure about Potplayer and Flash. I didn't see anything Flash related in preferences but it'll be interesting to see if Potplayer still works when I enable LETHAL mode. Same goes for Skype.

    I'm not familiar with AppGuard, EXE Radar Pro or Simple Object Blocker so I can't comment, sorry. I chose Bouncer because of its speed and simplicity. No fancy bloated GUI. Simple install with no dumb activation needed. Easy to backup as well if you get a new machine: Just copy bouncer.ini!
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You would likely not need to combine those since there would be quite a bit of overlap. EXE Radar Pro, SOB, and Bouncer quite likely monitor the same process calls with similar kernel-mode drivers. Although AppGuard could be interesting in combination with Bouncer since it has additional memory protections. Realistically, though, any one of those programs would do a great job of protecting the system alone. Some of those have very well designed GUIs that are done in a more user-friendly way to make it easier for everyday users. But what I like about Bouncer, in particular, is the simplicity and efficiency but also because I enjoy taking my own security into my own hands. I like to create my own rules and, of course, if I make mistakes I can only hold myself to blame. I don't want my own security in someone else's hands. I like to take responsibility for it.
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I am not familiar with Pot Player, but I decided to install it and dig into this and see where Pot Player is utilizing Flash functionality. Also, a quick Google search for "pot player flash.ocx" in general shows a history of Pot Player problems with Flash.

    From what I can see in Preferences - Filter Control - Source/Splitter - There is a source/splitter for .FLV (Flash video). That means that Pot Player has the ability to play Flash videos and therefore queries the flash.ocx file to utilize that functionality in a similar way that Internet Explorer does. I tried switching the default source/splitter for .FLV to another built-in type, hoping that it might stop Pot Player from querying flash.ocx. Sadly, it still queries it. I did some more digging and it looks like Pot Player also utilizes flash.ocx in parts of the program itself which makes things even trickier. It appears that it adds Flash (.swf) animated file functionality to Pot Player's "Logo" section, likely utilized by Skins. So it looks as though Pot Player is reliant/dependent in multiple ways upon Flash. Looks like no way around this.

    I am not familiar with Skype either, but it likely utilizes Flash as well for some functions. There are likely methods online that detail how to remove the built-in Flash Player from Windows 8.x/10, but it's also quite possible that Microsoft can put it right back there again with future updates and so on.

    Another aspect to look at here might be to control which programs can/can't access flash.ocx, as I imagine your main concern is likely Internet Explorer. It may be possible using the parent check features in upcoming Bouncer release to give more control over which programs can access flash.ocx, or in particular a parent blacklist rule to block only the ones you want, while allowing legit programs like Pot Player and Skype to utilize flash.ocx as they seem to rely on that. I will look into this in the next few days.
     
  18. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Thanks @WildByDesign! I had a tinker myself with Pot Player's settings and every time I launched it and watched a video Flash.ocx was called. Since I am still testing my config I am a bit nervous to enable LETHAL mode but after I do enable it I am curious what will happen to Pot Player and Skype if I continue to block flash.ocx.

    Luckily I don't run Internet Explorer...at all. I uninstalled it from Programs and Features. I also don't use Edge. Oooh, you just reminded me to block Edge in my config so I have added these to the blacklist:

    *MicrosoftEdge.exe
    *MicrosoftEdgeCP.exe

    I am interested in the parent checking feature and I hope this will be in the updated documentation. I really like Pot Player (and its built-in codecs) and it's been working well for me so I may use parent checking to say ONLY Pot Player and Skype can access flash.ocx. I'll have to have a think about this from a security point of view.

    As always appreciate your input and efforts.

    Edit: I've been meaning to ask, is there any difference in the following in bouncer.ini:

    *file.exe
    file.exe
    file*.exe
    *file*.exe

    I just want to make sure I am adding files to the config with wildcards correctly. Thank you.

    One more edit: This may sound like a silly question but do you run any kind of "friendly" exploits/malware/virii to test the security configuration of your setup? I'm always looking for ways to verify that my setup has been correctly secured! I know MBAE had a program you could run to test their program but I'm wondering if there are other tools like this?
     
    Last edited: Sep 30, 2015
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    These would all work pretty much the same. The asterisk helps if there are changing version numbers or other factors to simplify the rules.

    For example, we could simplify some of your rules from your config post above:
    Code:
    C:\Windows\Temp\????????-????-????-????-????????????\MPENGINE.DLL
    C:\Windows\Temp\????????-????-????-????-????????????\MPGEAR.DLL
    C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe
    C:\Windows\Temp\????????-????-????-????-????????????\DismCorePS.dll
    C:\Windows\Temp\????????-????-????-????-????????????\DismProv.dll
    C:\Windows\Temp\????????-????-????-????-????????????\OSProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\LogProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\CbsProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\AppxProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\AssocProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\CompatProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\DismCore.dll
    C:\Windows\Temp\????????-????-????-????-????????????\DmiProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\FolderProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\GenericProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\IBSProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\ImagingProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\IntlProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\MsiProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\SmiProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\TransmogProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\UnattendProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\VhdProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\WimProvider.dll
    C:\Windows\Temp\????????-????-????-????-????????????\Wow64Provider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\AppxProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\AssocProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\CbsProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\CompatProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\DismCore.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\DismCorePS.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\DismHost.exe
    C:\Windows\Temp\????????-?????-????-????-????????????\DismProv.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\DmiProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\FolderProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\GenericProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\IBSProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\ImagingProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\IntlProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\LogProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\MsiProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\OSProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\SmiProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\TransmogProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\UnattendProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\VhdProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\WimProvider.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\Wow64Provider.dll
    Condensed to:
    Code:
    C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe
    C:\Windows\Temp\????????-????-????-????-????????????\*.dll
    C:\Windows\Temp\????????-?????-????-????-????????????\DismHost.exe
    C:\Windows\Temp\????????-?????-????-????-????????????\*.dll
    Or even like this:
    Code:
    C:\Windows\Temp\????????-????*-????-????-????????????\DismHost.exe
    C:\Windows\Temp\????????-????*-????-????-????????????\*.dll
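The condensing above trades a long list of exact paths for a few wildcard rules, and the practical question is whether the shorter rules still cover every path you meant to allow and nothing you did not expect. The script below is an added example, not Bouncer's own code or anything from the developer: it assumes the wildcard semantics the post's rules suggest ('?' matches exactly one character, '*' any run of characters, matching case-insensitive) and checks a set of constructed sample paths against each rule set. The GUID folder names and file names are constructed for the example; the two folder shapes (8-4-4-4-12 and 8-5-4-4-12) mirror the two forms in the listing.

```python
import re

# Added example (not Bouncer's own code): report which sample paths a set of
# whitelist rules covers. Assumed wildcard semantics, as the post's rules
# suggest: '?' matches exactly one character, '*' matches any run of
# characters (including none), and matching is case-insensitive.


def rule_to_regex(rule: str) -> re.Pattern:
    """Translate a '?'/'*' rule into an anchored, case-insensitive regex."""
    parts = []
    for ch in rule:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(rule: str, path: str) -> bool:
    return rule_to_regex(rule).match(path) is not None


def coverage(rules, paths):
    """Map each path to the list of rules that match it."""
    return {p: [r for r in rules if matches(r, p)] for p in paths}


def uncovered(rules, paths):
    """Paths no rule matches (these would be blocked under a whitelist)."""
    return [p for p, hits in coverage(rules, paths).items() if not hits]


def temp_path(guid: str, name: str) -> str:
    return "C:\\Windows\\Temp\\" + guid + "\\" + name


# Constructed sample GUID folder names in the two shapes the listing shows
GUID4 = "0F3E2A1B-9C8D-4E7F-A6B5-C4D3E2F1A0B9"    # 8-4-4-4-12
GUID5 = "0F3E2A1B-9C8DE-4E7F-A6B5-C4D3E2F1A0B9"   # 8-5-4-4-12

SAMPLE_PATHS = [
    temp_path(GUID4, "DismHost.exe"),
    temp_path(GUID4, "DismCore.dll"),
    temp_path(GUID5, "DismHost.exe"),
    temp_path(GUID5, "CbsProvider.dll"),
]

# The post's condensed rule set, both folder shapes spelled out
CONDENSED_RULES = [
    r"C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe",
    r"C:\Windows\Temp\????????-????-????-????-????????????\*.dll",
    r"C:\Windows\Temp\????????-?????-????-????-????????????\DismHost.exe",
    r"C:\Windows\Temp\????????-?????-????-????-????????????\*.dll",
]

# The post's shorter variant: '????*' absorbs both the 4- and 5-character group
STAR_RULES = [
    r"C:\Windows\Temp\????????-????*-????-????-????????????\DismHost.exe",
    r"C:\Windows\Temp\????????-????*-????-????-????????????\*.dll",
]


if __name__ == "__main__":
    for rules in (CONDENSED_RULES[:2], CONDENSED_RULES, STAR_RULES):
        print(len(rules), "rules, uncovered:", uncovered(rules, SAMPLE_PATHS))
    # The price of '*.dll': any DLL name under such a folder is allowed too
    print(matches(STAR_RULES[1], temp_path(GUID4, "unexpected.dll")))
```

Running it shows that the first two condensed rules alone leave the 8-5-4-4-12 paths uncovered, while the four-rule set and the '????*' variant cover all four sample paths. The last line is the caveat worth keeping in mind when condensing: a '*.dll' rule allows any DLL name that lands in a matching folder, so the wider the wildcard, the more the logging-only test run mentioned elsewhere in the thread is worth doing before enforcing.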
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Yes, wife and/or kids would be the ultimate test. :isay:

    Surfright (HitmanPro) devs have a nice test tool (http://www.surfright.nl/en/downloads/) but it is more geared toward exploits and generally more for testing anti-exploit programs such as EMET, MBAE, and HMPA. Not too sure about testing anti-exec / app whitelisting though; that I often test manually. You can throw malware samples against Bouncer in a VM all day long too, but they will never succeed at executing.
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I would advise against this. With Windows 10, as I understand it, the functionality for the Start menu, lock screen and more is contained within that directory and could potentially cause problems. Blocking modern apps within C:\Program Files\WindowsApps directory would likely be safer in comparison to blocking system critical apps within Windows\SystemApps directory. As always, you can test to a certain extent with logging enabled but no blocking, just to get an idea of what would be blocked under regular use.
     
  22. reyes

    reyes Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    48
    Location:
    INDIA
    I tested Memprotect with the Surfright test tool and it was able to block most of it (even though the Firefox process was shown as running in Task Manager). Memprotect will be a great tool to look out for.
     
  23. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    I would assume using *file*.exe is the better of the choices as it would catch ALL changes to this filename?

    That's very helpful, thanks! I have a long way to go in developing my config file and would like to try and make it small and easy to understand yet locked down.

    Haha. It's a bit of a tricky one to test all of this. At the end of the day the only way to really find out is to browse the internet, but I was hoping there could be a safer option of testing this.

    That's good advice since I have seen many logfile entries for c:\Windows\SystemApps. I will be blocking SearchUI.exe as this is Cortana and maybe a couple others like Feedback. I use Start10 so I don't care about the built-in start menu searching not working. Cortana is a very sneaky app. I have deleted/disabled it so many times and it keeps coming back after the monthly Windows Updates! I also have it blocked in the firewall for outgoing connections.

    I am going to spend some time tonight tidying up or streamlining my Bouncer rules. Will post an update later on hopefully.

    Thanks for all the help.
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Some users had apparently requested that the developer add an option for Bouncer to disable the operating system alerts for when some code is blocked from execution. What I am referring to is the balloon messages that are built into Windows, or I believe referred to as Toasts in Windows 8.x/10. So in the latest Beta version, the developer has added a flag to disable balloon messages. Using this flag, the Bouncer tray icon will still change status color as per normal, but you will not receive any balloon/toast messages from Windows regarding the blockages. The flag for that is nopopups and I have tested it and it's working correctly. Although, personally, I still prefer to receive these operating system toasts. But this is an option for some users who have requested this.

    So this would work as follows:
    Code:
    C:\Program Files (x86)\Excubits\Bouncer\Tools\BouncerTray.exe nopopups
    Therefore, if you already have the BouncerTray setup to start automatically when Windows starts via the registry from using the initial Bouncer installer, you just have to add nopopups to the string. The same could be done if you are starting BouncerTray from a desktop shortcut as well.

    Sorry, I had forgotten to answer this question the other day. This is a good question, and I do remember talking to the developer about checking syntax quite a while ago. Within the Bouncer kernel-mode driver itself, it does check the syntax of the config to a certain extent, in that it would not bork (BSOD, etc.) your entire system. So as opposed to suffering a BSOD or something, I believe that the driver would just decline to load the config and therefore not be configured correctly. So while you would not suffer a BSOD, you would likely be without protection, as I understand it, and in that situation the tray icon would signify that something is wrong. I hope that I've understood it correctly. It's a very valid and good question and I think still worthwhile to clarify with the developer. If you want, you can email him and have that conversation with him. After all, you do have full technical support with your lifetime licence which is great. Just mention in the email that you are a licensed user. Or, if you don't have the time to ask him right now, just let me know and I would be happy to ask him for you and can get back to you on that.
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I have just received a long and detailed response from the developer discussing all of my current ideas, future ideas and just general brainstorming regarding Bouncer, as well as combination with some of his other drivers. I'll just say this for now: I am beyond excited. Lots of interesting stuff to come bit by bit. The first step will be to move the current Beta build of Bouncer to a stable release with installer so that the stable release will include all of the latest fixes along with SHA256 hashing and parent checking, hopefully within the next couple of weeks. The next step after that will be to combine the CommandLineScanner feature into the main Bouncer kernel-mode driver, so that will likely show up first in the Beta Camp releases in a month or so. There's more to come after that as well but I will keep it at that for now.

    Yes, that's correct.

    We had discussed this the other day and I told you that I would follow up once I hear back from the developer.

    Quoted from developer:
     