Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  2. Cutting_Edgetech
    Thank you! I will try that later tonight. I'm not sure how well this is going to work out yet, because some of the hashes in ProgramData change often, and if they change they will get blocked. I may have to go with path-based rules for some files like .xml, .ini, etc. You don't have to worry about that with most security solutions, because they usually only control execution of .exe files unless you are dealing with a HIPS. Bouncer tries to cover all executable code.

    Edited 10/24 @5:48
     
  3. WildByDesign
    Certainly, this is the type of thing for which parent checking will become your new favourite feature, because it will give you exactly the control you are looking for. I just finished testing the config below for you and it worked great.
    Code:
    [PARENTWHITELIST]
    C:\Windows\*>*
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    C:\ProgramData\Microsoft\*>*
    *\DAUM\PotPlayer\PotPlayerMini64.exe>*\Macromed\Flash\Flash.ocx
    [PARENTBLACKLIST]
    C:\Users\*>*\Macromed\Flash\Flash.ocx
    *\Internet Explorer\iexplore.exe>*\Macromed\Flash\Flash.ocx
    [EOF]
    • Copy that entire code to replace your current [PARENTWHITELIST] and [PARENTBLACKLIST] sections.
    • In your regular [BLACKLIST] section, remove your current method for blocking Flash.ocx. That way it won't give you alerts when you start PotPlayer.
    • Enable parent checking by changing [#PARENTCHECK] to [PARENTCHECK].
    • Restart Bouncer driver with elevated command prompt:
    Code:
    net stop bouncer
    net start bouncer
    You can create similar parent rules to block other programs from accessing Flash. In my example, anything from User directories and also Internet Explorer will be denied access to Flash, good riddance. :cool:

    Now for curiosity sake to test the theory, you can copy the following line:
    Code:
    *\DAUM\PotPlayer\PotPlayerMini64.exe>*\Macromed\Flash\Flash.ocx
    ...into the [PARENTBLACKLIST] section, restart driver, then you will see Flash being blocked again whenever you start PotPlayer.

    I think your idea to control Flash usage makes great sense and parent checking will help you with that control. Give PotPlayer access to Flash and specifically block whatever else you want from accessing Flash. :thumb:

    Just wait until the next version of Bouncer and you will have even more granular control with its CommandLineScanner functionality to filter interpreters such as Python and other scripting. Not everyone needs that level of control, but some users like it.
     
  4. WildByDesign
    You're welcome, my pleasure. :)

    The idea behind those rules which I posted prior to your comment was that they were intended as just very basic configs for anyone who is just getting started with Bouncer, and therefore they weren't very strict or locked down much. I have to be honest, my own knowledge of parent checking rules is still quite limited, but I have been playing with it more recently and getting a better understanding of it. I understand now that a lot of creativity can go into parent rules and they are quite a bit more powerful than I first realized.

    The developer recently updated the manual to include some examples for parent whitelist/blacklist rules. Since that updated manual is offline at the moment until release, I will copy/paste some of the developer's examples:
    Code:
    [PARENTWHITELIST]
    C:\Windows\*>*
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    C:\ProgramData\Microsoft\*>*
    [PARENTBLACKLIST]
    C:\Program Files*\Google\*>*cmd.exe
    C:\Program Files*\Google\*>*script.exe
    C:\Program Files*\Google\*>*powershell*
    *iexplore.exe>*cmd.exe
    *iexplore.exe>*powershell.exe
    *chrome.exe>*bitsadmin.exe
    *firefox.exe>cmd.exe
    *flash*>cmd.exe
    *flash*>powershell.exe
    *flash*>*script*.exe
    C:\Windows\*.exe>C:\Users\*.dll
    C:\Windows\*.exe>?:\*.dll
    Those are just examples of what can be done. Users need to be careful and really need to understand what these mean and what they are trying to achieve before using any of these examples. As you can see, wildcards can also be used here. In the next day or so when the release comes out, I urge any Bouncer users to check out the updated manual that comes with the release because it covers all of the new features well and in general the manual has come a long way since earlier versions.
     
  5. Cutting_Edgetech
    Thank you for the Flash PARENTBLACKLIST rules. I was going to make some myself, and forgot. I'm going to try the policy you posted above. I think 0-day Flash exploits are one of the biggest dangers for sneaking something in on a robust security setup.
     
  6. ParaXY
    @WildByDesign: Thanks very much for the assistance! Always appreciate your posts.

    I have parent checking enabled now although in logging mode only to test. My rules/ini look as follows:

    Code:
    [WHITELIST]
    many hashes
    C:\Sandbox\User\TemporarySandboxInstalls\*
    D:\Sort\TemporarySandboxInstalls\*
    [BLACKLIST]
    *aspnet_compiler.exe
    *csc.exe
    *ilasm.exe
    *jsc.exe
    *MSBuild.exe
    *vbc.exe
    *script.exe
    *iexplore.exe
    *journal.exe
    *msiexec.exe
    *bitsadmin*
    *iexpress.exe
    *mshta.exe
    *systemreset.exe
    *bcdedit.exe
    *hh.exe
    *powershell*.exe
    *reg.exe
    *regedit.exe
    *setx.exe
    *searchui*.exe
    *onedrive*.exe
    *onedrivesetup*.exe
    *MicrosoftEdge.exe
    *MicrosoftEdgeCP.exe
    *vssadmin*.exe
    *wordpad*.exe
    *wordpad.exe
    *write*.exe
    *write.exe
    *flash*.dll
    *FlashUtil_ActiveX.dll
    *FlashUtil_ActiveX.exe
    *cipher.exe
    *syskey.exe
    *utilman.exe
    [PARENTWHITELIST]
    C:\Windows\*>*
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    C:\ProgramData\Microsoft\*>*
    C:\Sandbox\User\*>*
    D:\Software\*>*
    C:\Users\User\AppData\Local\Temp\proc*64.exe>C:\Windows\*
    C:\Users\User\AppData\Local\Temp\proc*64.exe>C:\Program Files (x86)\*
    C:\PROGRA~1\*>*
    C:\PROGRA~2\*>*
    [PARENTBLACKLIST]
    C:\Users\*>*\Macromed\Flash\Flash.ocx
    *\firefox.exe>*\Macromed\Flash\Flash.ocx
    *\firefox.exe>cmd.exe
    *flash*>cmd.exe
    
    I removed the explicit Potplayer rule in the whitelist as the Program Files location is already there. I did do a test with blacklisting Potplayer and Flash and it did work. This is fantastic control! Skype can also run in a sandbox and access Flash.ocx with this config.

    So my parent white/black list allows me to run programs from my D: drive and from the Sandboxie folder as well. I had to add two rules to allow two Sysinternals tools to run (Process Monitor/Explorer).

    I've also used your rule to blacklist anything trying to access Flash.ocx from the C:\Users folder. I also added firefox to the list to block access to Flash.ocx. This should block it for all sandboxed browsers too. I removed the Internet Explorer rule as I already block *iexplore.exe in the blacklist section.

    I'm sure there's more I could do with parent checking, but considering that I am running a fully hashed setup I'm not sure if it's needed! I'll keep my eye open for other people's configs to see how others manage their parent checking rules to lock things down.

    Speaking of hashing rules. Yesterday I had to update two pieces of software on my machine. Obviously after the update Bouncer blocked the programs from running. Luckily Bouncer writes the hash of the program it blocked to its log, so it was a simple case of opening the ini file and adding the new hash values to the config, restarting Bouncer, and all was good after that! I wouldn't do this with a big update (like Windows Update), as there are probably so many files that get changed, so I would just rehash the system in this case.
     
    Last edited: Oct 25, 2015
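The three configs above (WildByDesign's PotPlayer rules, the developer's examples he reposted, and ParaXY's full ini) all depend on how a parent>child pattern is matched. The script below is an added example written for this edit; it is not Bouncer's code and not the developer's documented algorithm, which the thread does not describe. It evaluates constructed parent/child events against rules taken from the posts under stated assumptions: a pattern is matched case-insensitively against the whole path, `*` spans any characters including backslashes, `?` matches exactly one character, a [PARENTBLACKLIST] hit wins over a [PARENTWHITELIST] hit (the move-PotPlayer-to-the-blacklist test in WildByDesign's post behaves that way), and an event matching neither list is reported as 'no-rule' rather than decided. Under full-path matching the developer-example rule `*firefox.exe>cmd.exe` never fires on `C:\Windows\System32\cmd.exe`, while `*iexplore.exe>*cmd.exe` does; whether the real driver anchors patterns that way is not stated in the thread, and is exactly the kind of thing to confirm in logging mode before enforcing.

```python
"""Offline evaluator for Bouncer-style [PARENTWHITELIST]/[PARENTBLACKLIST] rules.

Added example for this thread, not Bouncer's own code. All matching semantics
below are assumptions (see the lead-in), not facts taken from the manual.
"""
import re
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str]  # (parent pattern, child pattern)


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate '*' / '?' wildcards into a case-insensitive regex (assumed semantics)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")      # any run of characters, backslashes included
        elif ch == "?":
            parts.append(".")       # exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def wildcard_match(pattern: str, path: str) -> bool:
    # fullmatch: the pattern must cover the whole path, so an unanchored
    # 'cmd.exe' does not match 'C:\Windows\System32\cmd.exe' here.
    return glob_to_regex(pattern).fullmatch(path) is not None


def parse_parent_rules(ini_text: str) -> Dict[str, List[Rule]]:
    """Collect parent>child pairs from the two parent sections of an ini."""
    rules: Dict[str, List[Rule]] = {"PARENTWHITELIST": [], "PARENTBLACKLIST": []}
    section: Optional[str] = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            continue
        if section in rules and ">" in line:
            parent_pat, child_pat = line.split(">", 1)
            rules[section].append((parent_pat.strip(), child_pat.strip()))
    return rules


def evaluate(rules: Dict[str, List[Rule]], parent: str, child: str) -> Tuple[str, Optional[Rule]]:
    """Return ('deny' | 'allow' | 'no-rule', the rule that decided it)."""
    for rule in rules["PARENTBLACKLIST"]:   # assumed: blacklist is checked first and wins
        if wildcard_match(rule[0], parent) and wildcard_match(rule[1], child):
            return "deny", rule
    for rule in rules["PARENTWHITELIST"]:
        if wildcard_match(rule[0], parent) and wildcard_match(rule[1], child):
            return "allow", rule
    return "no-rule", None                  # assumed: not decided by this example


# Rules assembled from the examples posted in this thread.
SAMPLE_INI = r"""
[PARENTWHITELIST]
C:\Windows\*>*
C:\Program Files\*>*
C:\Program Files (x86)\*>*
C:\ProgramData\Microsoft\*>*
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\*>C:\Windows\System32\*
[PARENTBLACKLIST]
C:\Users\*>*\Macromed\Flash\Flash.ocx
*\Internet Explorer\iexplore.exe>*\Macromed\Flash\Flash.ocx
*iexplore.exe>*cmd.exe
*firefox.exe>cmd.exe
[EOF]
"""

# Constructed parent/child events; none of these paths come from a real log.
FLASH = r"C:\Windows\SysWOW64\Macromed\Flash\Flash.ocx"
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = {
    "potplayer_flash": (r"C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe", FLASH),
    "ie_flash": (r"C:\Program Files\Internet Explorer\iexplore.exe", FLASH),
    "user_temp_flash": (r"C:\Users\User\AppData\Local\Temp\dropper.exe", FLASH),
    "ie_cmd": (r"C:\Program Files\Internet Explorer\iexplore.exe", CMD),
    "firefox_cmd": (r"C:\Program Files\Mozilla Firefox\firefox.exe", CMD),
    "guid_temp_tool": (r"C:\Users\User\AppData\Local\Temp\1a2b3c4d-1111-2222-3333-444455556666\tool.exe",
                       r"C:\Windows\System32\kernel32.dll"),
    "user_temp_dll": (r"C:\Users\User\AppData\Local\Temp\dropper.exe",
                      r"C:\Users\User\AppData\Local\Temp\payload.dll"),
}


def decisions(ini_text: str = SAMPLE_INI) -> Dict[str, str]:
    """Verdict per constructed event, using the rules parsed from ini_text."""
    rules = parse_parent_rules(ini_text)
    return {name: evaluate(rules, parent, child)[0] for name, (parent, child) in EVENTS.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:16s} -> {verdict}")
```

Run it to print one verdict per event; swap SAMPLE_INI for your own parent sections and the EVENTS table for parent/child pairs copied from Bouncer's log, then compare the verdicts with what the driver actually logged in logging mode.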
  7. WildByDesign
    You're welcome. As a matter of fact, that was entirely a learning experience for me and some of my first real experimenting with the parent checking rules. It was your ideas which helped me to visualize the rules and helped my learning process. So thank you! :)
    That is a very good point as well. I often make use of Bouncer's log as well in the case of updating a few hashes here and there, very handy.

    If I come up with any scripts, I will definitely share them here first. I'm going to also help with the brainstorming process to come up with some logic and ideas behind a system for Bouncer going forward as well. At some point in the future, there will likely be an additional program to assist with maintaining the hashes. The next release (after this coming one with SHA256 and parent checking) will focus on integrating the CommandLineScanner functionality. And hopefully a small helpful hashing utility may come after that if enough users suggest that this is something that is important. I think that it is important. But it all comes down to how many people end up utilizing the hashing feature since SHA256 is not necessarily for everyone. By that, I mean not every use-case needs it. The general population would be more than adequate with path-based rules preventing the majority of malware out there. It's more the hard core security enthusiasts like Wilders members, security researchers, forensics purposes, etc. that would utilize that extra granular control with hashing, parent checking, command line scanning and so on.

    EDIT: By the way, your current configuration is looking awesome. You have learned a lot over a short period of time and seem to have the control that you wanted. It's good to see that.
     
  8. ParaXY
    I think we have much to learn to unlock the full potential of Bouncer! I honestly can't wait to see the future versions of Bouncer.

    I appreciate you sharing your scripts. I have used your hash script quite a bit to generate my hash list for Bouncer. I hope you'll share the ideas you and the developer discuss when it comes to maintaining the hash lists.

    I haven't read anything about the CommandLineScanner, so I don't know much about this (yet). I'm also keen to hear what is happening with MZWriteScanner!

    I'd be surprised if people didn't use the hashing feature, even if it was used just for an external data drive. I hashed my entire D: drive (where I store all my software installs) and this worked great, as I can now access these files without disabling Bouncer. I didn't want to whitelist the D: drive as I didn't think that would be a secure/safe option.

    Thanks for the feedback re my config. I'm still tweaking it and I think it may need further locking down but I'm happy right now! Since hashing my system I have had to add a further 30 hashes from software upgrades and a few other items. I *think* all the naughty files that can be used by malware/virii/ransomware are locked down quite well. I just thought adding cmd.exe might help lock things down that little bit more. I can now play videos in Potplayer and launch Skype without the Bouncer icon going red in the system tray when it blocks flash.ocx.

    Thanks again for all the help, and looking forward to Bouncer's future!

    Edit: I should also mention that it's been about a month now that I have been running without antivirus on my machine. This really is a great setup, having Bouncer protecting you together with Malwarebytes Anti-Malware and Anti-Exploit. Before downloading files from the web I use the Firefox addon to scan the file online with VirusTotal, and once a week or so I run an offline AV scan with the Emsisoft Emergency Kit.
     
    Last edited: Oct 25, 2015
  10. kakaka
    Good to see manual has been revised. Current version does not support XP as written.
     
  13. ParaXY
    Woohoo, well done Florian. I have updated my Bouncer to the latest version. I forgot to add the new hash to the ini for the Admin Tool...oops.

    Still got a long way to go to remembering how to manage my machine with Bouncer!
     
  14. WildByDesign
    It was an unfortunate circumstance, but I am glad that the documentation reflects that now.

    The developer has confirmed to me that he will put together a special version for XP and Vista that will include the SHA-256 hashing feature, but will not include parent checking. There is no estimated time frame for this but I will let everyone know as I find out more.
    You're welcome, anytime. :)
    Paid/Full version users get a URL that is unique to them which also comes with a unique password that comes in an email after purchase or could likely be requested if it's been lost.
    So far so good here with the new bits as well. Very impressed. Now I would like to explore locking it down more with the parent rules.

    I had to add a new parent whitelist rule for the proper functioning of DISM, seems okay so far. If I have to adjust the rule then I will share any changes.
    Code:
    [PARENTWHITELIST]
    C:\Windows\*>*
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    C:\ProgramData\Microsoft\*>*
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\*>C:\Windows\System32\*
     
  15. Cutting_Edgetech
    I'm not sure what happened to Bouncer, but I just discovered that my .ini file was completely blank. There was no log file either. I'm glad I had a backup of my rules. I can't believe I did not have a BSOD. I can only assume that whatever happened happened before the driver had been stopped, and started again.
     
  16. Cutting_Edgetech
    I reported the issue to Florian. I had an external hard drive go bad just before discovering the problem. I don't know if that had anything to do with it. I doubt there's any way to discover what happened short of Florian having physical access to the machine.
     
  17. 4Shizzle
    New version works absolutely awesome. Fast and better than before. Parent checking is a dream :) I also did some testing with hashes, and that seems to work fine as well (my list is ~1.9 MB and everything works like butter). Great.

    @Cutting_Edgetech: For me this doesn't sound like Bouncer; I guess it's the external HDD. If the ini is empty the driver will not start, so this cannot be Bouncer (impossible).

    By the way: the SigCheck in the Mega package provided by @Mister X is outdated; check out https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx - the new version is from 2015!
     
  18. ParaXY
    I've been running a fully hashed desktop at home for a few days now and it's great so far! Parent checking has only been enabled for a day, but so far so good. I'm a happy bunny ;-) My bouncer.ini is 3 MB in size (I think this is the limit?).
     
  19. Overkill
    Where do I check the version of Bouncer?
     
  20. WildByDesign
    @Cutting_Edgetech Do you use CCleaner or similar cleaning software? I have found over time that CCleaner will randomly (maybe once every 3-4 months or so) delete that Bouncer.ini file from C:\Windows. In CCleaner, I have created a rule in Options - Exclude to specifically exclude Bouncer.ini from being cleaned/removed by CCleaner. It's possible that other cleaner programs might do similar, since some follow the same logic.
     
  21. WildByDesign
    At the top of Admin Tool, you will get a version there for Admin Tool. Currently it should be 1.6.3. If you press the Status button within Admin Tool, the Status window will display the version of the Bouncer KMD (Currently, Kernel Mode Driver: v1.8.24).
     
  22. 4Shizzle
    Yes, ~3MBs is the max. for ini file (see Bouncer Manual). To be clear: Full version: ~3MB, Demo Version: ~20KBs.

    Have you shrunk your hash values using the scripts from @WildByDesign and @Mister X? Use the sort command with the option to remove double entries.
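4Shizzle's advice above (sort with duplicate removal to shrink a hash list) and the ~3 MB full-version ini limit he and ParaXY mention are easy to script. The following is an added example, not Bouncer's tooling and not one of the scripts mentioned in this thread: it removes repeated entries within each section while keeping the author's order (so parent and path rules are not reordered, which a plain sort would do), and reports whether the result fits the limit. Assumptions not in the thread: duplicates are compared case-insensitively after trimming whitespace; the limit is taken as 3*1024*1024 bytes, since the thread only says "~3MB" (check the manual for the exact figure); and the 64-hex "hash" lines in the sample are placeholders, because the thread does not show Bouncer's hash line format. Note that it only collapses textually identical lines: `*wordpad*.exe` and `*wordpad.exe` both survive even though, under wildcard matching, the first already covers the second.

```python
"""Deduplicate entries per section of a Bouncer-style ini and check its size.

Added example for this thread, not Bouncer's own tooling. Byte limits and the
comparison rule are assumptions (see the lead-in), not values from the manual.
"""
from typing import Dict, List, Set, Tuple

FULL_VERSION_LIMIT = 3 * 1024 * 1024   # assumed byte value for the thread's "~3MB"
DEMO_VERSION_LIMIT = 20 * 1024         # assumed byte value for the thread's "~20KBs"


def split_sections(ini_text: str) -> List[Tuple[str, List[str]]]:
    """Return [(header line, [entry, ...]), ...] in file order.

    Entries before the first header are kept under an empty header.
    Blank lines are dropped; everything else is trimmed.
    """
    sections: List[Tuple[str, List[str]]] = [("", [])]
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line, []))
        else:
            sections[-1][1].append(line)
    return [s for s in sections if s[0] or s[1]]


def dedupe_ini(ini_text: str) -> Tuple[str, Dict[str, int]]:
    """Drop repeated entries within each section, keeping first occurrence.

    Returns (new ini text, {header: number of lines removed}).
    Duplicates are detected case-insensitively (assumption), so the same
    hash in upper and lower case counts as one entry.
    """
    out_lines: List[str] = []
    removed: Dict[str, int] = {}
    for header, entries in split_sections(ini_text):
        if header:
            out_lines.append(header)
        seen: Set[str] = set()
        for entry in entries:
            key = entry.casefold()
            if key in seen:
                removed[header] = removed.get(header, 0) + 1
                continue
            seen.add(key)
            out_lines.append(entry)
    return "\n".join(out_lines) + "\n", removed


def ini_size(ini_text: str) -> int:
    """Size in bytes as the file would be written in UTF-8."""
    return len(ini_text.encode("utf-8"))


def fits_limit(ini_text: str, limit: int = FULL_VERSION_LIMIT) -> bool:
    return ini_size(ini_text) <= limit


# Constructed sample. The 64-hex lines are placeholders, not real hashes and
# not necessarily Bouncer's hash line format; the path rules echo the thread.
SAMPLE_INI = r"""
[WHITELIST]
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
C:\Sandbox\User\TemporarySandboxInstalls\*
0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
C:\Sandbox\User\TemporarySandboxInstalls\*
[BLACKLIST]
*wordpad*.exe
*wordpad.exe
*write.exe
*write.exe
[PARENTWHITELIST]
C:\Windows\*>*
C:\Program Files\*>*
C:\Windows\*>*
[EOF]
"""

if __name__ == "__main__":
    cleaned, removed = dedupe_ini(SAMPLE_INI)
    print(cleaned)
    print("removed per section:", removed)
    print("bytes:", ini_size(cleaned), "fits full-version limit:", fits_limit(cleaned))
```

Point it at a copy of your own bouncer.ini, review the removal counts, and only then replace the live file; the driver re-reads the ini on restart, so the usual `net stop bouncer` / `net start bouncer` still applies afterwards.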
     
  23. Overkill
    Thanks. Added the ini to CCleaner just in case; thanks for the warning.
     
  24. Cutting_Edgetech
    Yes, I use CCleaner. That may be what happened then. Thanks! I will make an exception in CCleaner then.
     
  25. Cutting_Edgetech
    Thank you! I think it may have been CCleaner like WildByDesign alerted me to below.
     