Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Here are a few examples for 64-bit Windows systems for getting started with Bouncer:

    Old Bouncer.ini configuration for releases that do not have the hashing and parent checking:
    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELIST]
    C:\Windows\*
    C:\Program Files\*
    C:\Program Files (x86)\*
    C:\ProgramData\Microsoft\*
    [BLACKLIST]
    *powershell*.exe
    *regedit.exe
    *iexplore.exe
    *script.exe
    *vbc.exe
    *jsc.exe
    *ilasm.exe
    *csc.exe
    *bitsadmin.exe
    *hh.exe
    *cipher.exe
    *syskey.exe
    *vssadmin.exe
    *bcdedit.exe
    [EOF]

    New Bouncer.ini configuration for the latest Beta Camp releases and the release that is coming soon:
    Code:
    [#LETHAL]
    [LOGGING]
    [#SHA256]
    [#PARENTCHECK]
    [WHITELIST]
    C:\Windows\*
    C:\Program Files\*
    C:\Program Files (x86)\*
    C:\ProgramData\Microsoft\*
    [BLACKLIST]
    *powershell*.exe
    *regedit.exe
    *iexplore.exe
    *script.exe
    *vbc.exe
    *jsc.exe
    *ilasm.exe
    *csc.exe
    *bitsadmin.exe
    *hh.exe
    *cipher.exe
    *syskey.exe
    *vssadmin.exe
    *bcdedit.exe
    [PARENTWHITELIST]
    C:\Windows\*>*
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    C:\ProgramData\Microsoft\*>*
    [PARENTBLACKLIST]
    [EOF]
    You can remove Internet Explorer from the Blacklist if you happen to use that or anything else that is blocked in there. That's just an example of what you can do with it.

    If you are starting a new config from scratch, I would recommend using the free Notepad++ (https://notepad-plus-plus.org/) and simply copying over one of the provided Bouncer.ini files that come with the download package. When installed, the file will be C:\Windows\Bouncer.ini, and if you'd like to edit it from there, you need to open Notepad++ as Admin so that it has permission to edit/save in that location. But I also highly recommend keeping a backup copy of your config file elsewhere as well. The Bouncer.ini file in the package is in Unicode, and that is why I recommend copying it over, as opposed to creating a brand new file, to ensure that it's still in Unicode.

    If you want more control over certain folders such as C:\Windows\Temp\ instead of simply allowing all to execute from there, as you get more familiar with Bouncer you can follow excellent configs from @4Shizzle (https://www.wilderssecurity.com/thre...-tuersteher-light.359127/page-19#post-2527813) or @ParaXY (https://www.wilderssecurity.com/thre...-tuersteher-light.359127/page-22#post-2530754) to see how much more granular control you can get. It can be as granular as you want and really comes down to your own imagination and your own needs. Please feel free to ask if you have any more questions. :)
     
  2. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Thanks. I have to admit at first it's very confusing, especially the wildcards such as...
    Code:
    C:\Windows\Temp\????????-????-????-????-????????????\MPENGINE.DLL

    Here are a few things it blocked in non-lethal mode; is it safe to whitelist powershell and the bottom 2?
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Users\Public\Desktop\ImgBurn.lnk
    C:\Users\Owner\Desktop\Firefox.exe.lnk
    C:\Windows\SysWOW64\mshta.exe
    C:\Windows\System32\reg.exe
     
    Last edited: Oct 23, 2015
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    You can make use of Code tags to remove smileys format... :D
     
  4. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    How exactly?
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    If Powershell is a regular part of use on your system, you can simply remove it from the [BLACKLIST] section of your Bouncer.ini config, same goes for mshta.exe and reg.exe. They are safe, signed, Microsoft Windows components. The reason some users choose to block them would be that they can be abused by malware and used in wrong ways. But to keep things simple for now, you can feel free to remove anything from your Blacklist section so that it does not cause any problems. Every system is different depending on how we use our systems and also what other programs we have installed and so on.
    For the Code tags, the easy way is to click the + button and select Code from the formatting bar above this text box that we use for replies here at Wilders. Place your code in the box that appears.

    Also, you can manually do the code tags easily as well. See here: https://en.wikipedia.org/wiki/BBCode and follow the example there for the Code tag. When you use it, you can always use the "More Options" button here at Wilders and choose to Preview your posts before you complete them; that way you know whether they appear as you intended or not and can make edits accordingly.
     
  6. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Like this?
    Code:
    C:\Windows\Temp\????????-????-????-????-????????????\MPENGINE.DLL
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Overkill Yes, exactly. That way code does not get all mangled and processed. :thumb:
     
  8. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    I should know this already :rolleyes:
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Has anyone here ever used Bouncer with SecureAPlus? I was wondering if they are compatible. They each block executions very early in the kernel. I was worried that maybe they try to block executions at the same time, if possible, and cause a BSOD. I like how SecureAPlus protects Program Files folders as well, has its own cloud AV which gives the user the option to select which engines they use, and conveniently builds the whitelist for you. The only downside is it does not use policy restrictions to limit what an application is allowed to do once it is allowed to run, and I think it still only prevents execution of .exe files. Bouncer comes out ahead of SecureAPlus in this area of mitigation. In most instances Bouncer should stop the exploit before it can download its binary payload, whereas SecureAPlus would stop the exploit after the payload has been dropped to the disk. They each have their strengths and weaknesses. It would be sweet if they could be used together though.
     
    Last edited: Oct 23, 2015
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    My AE policy does not allow my web applications to parent rundll32, cmd.exe, any script, powershell, etc. My web applications are also only allowed to write to user-space. Those are just a few of the policies I use. Using MBAE is extreme overkill for me.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Sorry about my last post. It was meant to be a pm. I responded in the wrong open tab.
     
  12. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    I am running Bouncer alongside SAP and ERP, but in non-lethal mode just for testing purposes and so I can learn it. No problems so far.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    When you put it in Lethal Mode let me know what happens lol
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Btw.. I had a conflict with Bouncer and ERP in the past. I think ERP blocked a command line used by the Bouncer Admin tool, or vice versa. I think it had to do with cmd.exe.
     
  15. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Well it hasn't blocked/logged anything regarding SAP and ERP yet.

    Why is the icon red 99% of the time?
     
    Last edited: Oct 23, 2015
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    You may have the same issue as myself and at least one other user here. I have a bunch of installers on an external drive, and Bouncer treats them as though they are being executed all the time. They constantly show up in my log. Even image and notepad files show as being blocked in my logs. Check your log and see what Bouncer says is being blocked. I discovered that Superfetch was the cause on my machine. Superfetch populates the prefetch and loads files into memory because it's faster than reading from the disk. Superfetch was added with the arrival of Windows Vista to improve performance. Bouncer treats files that are open in memory with executable privileges as if they are attempting to execute. I reported this to Florian, and he informed me he would try to find a solution to this without lowering security. He later informed me that Bouncer would not be compatible on my machine. I later discovered that Superfetch was the trigger for the alerts after 2 weeks of troubleshooting. I informed Florian what was triggering the alerts on my machines. I get the alerts on two other machines I have tested Bouncer on as well. I think if Bouncer ever goes mainstream then it would turn into a support nightmare. There are only a handful of users testing Bouncer here at Wilders, and I'm not the only one to report this here. Imagine how many users this could potentially affect if there were thousands, or even millions, of Bouncer users. I just ignore the alerts in the log now. I don't use the Bouncer Admin Tool anymore. I do all my policy changes with Notepad and Notepad++. Let me know if you think that may be the problem.
     
    Last edited: Oct 24, 2015
  17. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    I installed the new version last night after receiving it from Florian. The good news is that my blacklists are working again when I use path-based rules AND hash rules in my whitelist. The problem I still have is when I add the C: drive's hashes to the whitelist (about 23000 hashes). After adding these hashes the Admin Tool becomes unresponsive and it's difficult for me to do anything after that. If I remember correctly, I think my blacklisted items stopped working as well. If I remove my C: drive hashes and ONLY have my D: drive hashes (about 1300 hashes for this drive) then it all works great. I have emailed Florian with my findings.

    I came across something interesting last night. I use Sysinternals tools...Process Explorer in this instance. I keep these tools in a folder on my D: drive and have added the hashes to the Bouncer config's whitelist. When I tried to launch it, Bouncer blocked it because when you run it, the program creates a copy of itself in the user's temp folder. But here's the kicker: the new file it copies into the user's temp folder has a new hash! So you have to have two hashes for this program to work (the temp folder program hash and the hash for the one on the D: drive).

    The other thing I was thinking about last night was blacklists. Is it better to have hashes in this list or path-based rules? I'm thinking the latter is better? If the hash of the blacklisted item ever changes then it won't be blocked, but if that file changes (maybe from an update) and you are using path-based rules then it will still be blocked. I know one could argue that this has to do with managing your hash list properly, but path-based rules seem to be a safer bet (I think) when blacklisting items?

    Just want to say how impressed I am with the developer. He returns all emails and is quick to fix issues with Bouncer. Thank you Florian!
     
  18. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Hi, @WildByDesign .:)
    Many thanks for sharing your rule set.
    But, with the two rules listed above, web applications can execute anything they want.
    Maybe we can add some PARENTBLACKLIST rules to limit the web applications in case they are hijacked.
    Have you ever made such rules?
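    The rule layout from WildByDesign's post above, worked through in a small evaluator that also carries the kind of PARENTBLACKLIST rule Online_Sword is asking about. This is an added example, not Bouncer's own code: how Bouncer really orders whitelist, blacklist and parent rules is assumed here, and the ExampleBrowser path and all sample paths are constructed.

```python
"""Toy evaluator for the Bouncer.ini layout in this thread (added example, not Bouncer's own code).
Assumed: [BLACKLIST] beats [WHITELIST], parent rules read 'parent>child', '[#NAME]' = feature off, denials only log unless [LETHAL]."""
import re

# Constructed config: the thread's layout plus one PARENTBLACKLIST rule that keeps a
# hypothetical browser from parenting cmd.exe (the kind of rule Online_Sword asks about).
SAMPLE_INI = r"""[#LETHAL]
[PARENTCHECK]
[WHITELIST]
C:\Windows\*
C:\Program Files\*
[BLACKLIST]
*powershell*.exe
[PARENTWHITELIST]
C:\Windows\*>*
C:\Program Files\*>*
[PARENTBLACKLIST]
C:\Program Files\ExampleBrowser\*>*\cmd.exe
[EOF]
"""

def glob_to_regex(pattern):
    # Only '*' (any run) and '?' (one character) are wildcards; Windows paths compare case-insensitively.
    pieces = [".*" if p == "*" else "." if p == "?" else re.escape(p)
              for p in re.split(r"([*?])", pattern)]
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)

def parse_ini(text):
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            # '[#NAME]' marks a switched-off feature; [EOF] ends the rules.
            current = None if line[1] == "#" or line == "[EOF]" else line[1:-1]
            if current:
                sections.setdefault(current, [])
        elif line and current:
            sections[current].append(line)
    return sections

def _hit(rules, child, parent=None):
    # 'parent>child' rules must match both sides; plain rules only the child path.
    return any(glob_to_regex(c).match(child) and (parent is None or glob_to_regex(p).match(parent))
               for p, _, c in (r.rpartition(">") for r in rules))

def decide(cfg, child, parent=None):
    """Return 'allow', 'log' (non-lethal hit) or 'block' for `parent` starting `child`."""
    denied = _hit(cfg.get("BLACKLIST", []), child) or not _hit(cfg.get("WHITELIST", []), child)
    if parent is not None and "PARENTCHECK" in cfg:
        denied = denied or _hit(cfg.get("PARENTBLACKLIST", []), child, parent) or not _hit(cfg.get("PARENTWHITELIST", []), child, parent)
    return "allow" if not denied else ("block" if "LETHAL" in cfg else "log")
```

    Flipping `[#LETHAL]` to `[LETHAL]` in the sample turns every "log" result into "block", which is the non-lethal-to-lethal switch discussed further down the thread.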
     
  19. ParaXY

    ParaXY Registered Member

    Joined:
    Sep 2, 2015
    Posts:
    70
    Looks like my hashing is working now!! Woohoo. I am running my entire machine with a hash list of about 23000 hashes and my blacklists are now working. It ended up being user error...My hash files were not saved in UNICODE format, so when I copied the hashes into my bouncer.ini file it was breaking the rules.

    So my next question relates to Flash. Is it possible for me to set up parentchecking so that ONLY Potplayer can run flash.ocx? Currently I have parentchecking disabled, but I'm still trying to figure out the best way to do the rules for this. If I had it my way I would leave Flash disabled completely, but every time I watch a video in Potplayer it accesses flash.ocx, so my Bouncer shield turns red and I have to reset it each time.

    Bouncer's the best security tool ;-)
     
  20. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    What happened to the demo version?
    Several days ago, I downloaded the stable version of Bouncer Demo, which already had the features of hashing and parentchecking.
    The installer of that stable version was digitally signed on Oct 18th.

    Just now, I downloaded Bouncer Demo again.
    I found that the date of the digital signature has changed to Oct 5th.
    Furthermore, the version installed by this installer has no hashing or parentchecking feature.
    The version number is 1.5.4.
    Has the version of Bouncer Demo been rolled back?
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    That's correct, that most recent release (Demo and Full) that included SHA256 hashing and parent checking had to be rolled back due to a bug specifically to do with hashing. It only affected very large hash lists, but that had the potential to cause problems and therefore the developer decided the best thing was to roll back temporarily. This release is quite likely going to be reinstated this weekend, today or tomorrow I am hoping. The issues with hashing were resolved and also a few other minor bugs. The internal testing release is fantastic at the moment and also the documentation is looking better than ever so the release is expected soon. Florian just has to recompile the packages. I will update here as I find out more. :)
     
  22. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Sounds about right. Bouncer seems to be very aggressive compared to ERP and SAP. It even blocks a few harmless .eml files of mine.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    In my case Bouncer is mostly alerting me to unknown code execution for installers I have stored on an external drive. Bouncer is alerting me to other file formats as well on more than one external drive. If you believe it is alerting you to files that you think are not attempting to execute then that is probably the problem.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm not sure what I'm doing wrong. I have my security software disabled, and I'm using an elevated command prompt. I get the following message from the pic. Do I have to do all the steps in your next post? I'm on Windows 7 x64.
     

  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    You need to download hash.7z archive then decompress and launch your command prompt from there:
    https://mega.nz/#!ylwECDLQ!eJMtccCupCTqVMJPvddTQZ-LO31QQHXj28Mj9WdlbAc
     