Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I will check it out, but for me it's probably too bare bones. But perhaps I can use it as a replacement for "Software Restriction Policies", because this is not available on Windows 8 standard edition.
     
  2. Blocking executables, dll's, drivers on kernel level with signed software for free is great when the start/stop driver can be password protected.
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I will suggest that to the developer, for sure.
     
  4. Thx,

    I use a simple default deny SRP, while I have an Ultimate with AppLocker. I know AppLocker's kernel mode is more secure than SRP's user mode, but I still use SRP because of the usability. With apply rules except Admin, a simple right click Run As Admin allows me to install something (you need Symantec's Run MSI as Admin registry tweak to make it work for MSI's also). Because of the relative weakness of SRP user mode, I have added an ACL deny execute for Everyone in the most vulnerable user land folders (download + mail + media folders). For ACL to work properly in download directory you need the 1806 trick to add another threshold. These thresholds reduce the ease of use of the run as admin (first need to unlock 1806, then move the program to a non-protected folder before being able to install).

    With a password protected driver start/stop, bouncer will offer the best of SRP (easy install through start/stop driver) and AppLocker (kernel mode habitat).

    Regards Kees
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I trust your opinion and value your expertise, so I will research some of your suggestions and see how I can apply them to my own personal security setup. I have also enjoyed the ease of use of SRP for quite some time as well. I will probably add it back into my setup when I am done my testing. Never hurts to have more layers of protection, no doubt.

    Regarding the password protection of the driver, I will be suggesting that to the developer later today. I personally don't know much about it, whether it's difficult or easy to add the code to do that. One thing that I know for sure, though, is that this developer doesn't like to take shortcuts to achieve certain things which may end up leaving open holes for attack. What I mean is, if he does this, he will do it proper and thorough which is good. If it's something that could take more time, it would likely be added in a future release since this release is very close to release. The driver itself is solid and stable, but the testing is more to do with the tray icon functionality and the Admin Tool. So far, so good though. Thank you for your info and suggestions.
     
  6. DX2

    DX2 Guest

    When I try to start the driver, I get an error.
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    What is the specific error?

    - Ensure that you have copied bouncer.ini and bouncer.log to C:\Windows

    When you right-clicked and chose Install on bouncer.inf did you get any errors?

    Code:
    To check status of driver:
    sc query bouncer
    
    To start driver:
    net start bouncer
    
    To stop driver:
    net stop bouncer
    
    *Those commands need to be done in Admin command prompt
    Let me know some more details and I will be happy to help.
     
  8. DX2

    DX2 Guest

    Which one is the log? I find the ini file in the folder. Here is the error I'm getting.

    "System error 2001 has occurred The specific driver is invalid"
     
    Last edited by a moderator: Dec 16, 2014
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    If you download the latest package bouncer.7z from http://excubits.com/content/en/products_bouncer.html

    The bouncer.ini and bouncer.log files are in the main bouncer folder and also in the individual folders based on OS, x64, x86, etc. They are the same regardless. Copy those two files to Windows directory. The .ini is your config file and the driver won't start without it.

    You can get Admin Tool in this package: http://bitnuts.de/tattoo.7z to help get a good config file setup, ensure you save it as bouncer.ini

    I highly recommend NOT enabling LETHAL mode for at least a day or two, but DO enable logging. That way you won't lock yourself out. It will log everything that it would normally block. When you are confident in your config, then enable LETHAL. You have to restart driver after changes to config for those new changes to take effect. The Admin Tool linked above is older beta and will not communicate with latest driver though, so you can only really use it to edit your config. Starting/Stopping driver won't work with that version so you have to do it manually or with the scripts in the bouncer.7z package. Any questions, feel free to ask.
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Just a quick heads up guys/gals. Florian, the developer, has just updated the bouncer.7z package on the web site to include the latest tools, BouncerTray the system tray component and Admin Tool, both of which are now configured to work properly with the latest version of the driver which is also included in the package. I don't believe it has the installer just yet since he is still fine tuning that. But with the latest tools and driver it is easy enough for any of us to get it working and set the BouncerTray tool to startup when Windows starts up. The installer normally does all of that, but it isn't released just yet. With all of these goodies now it makes the overall Bouncer experience much more complete.

    Download: http://excubits.com/content/files/bouncer.7z
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Ready, Set and Go (blog post dated 2014/12/15):
     
  12. DX2

    DX2 Guest

    Keep getting this error..

    starting driver...
    System error 193 has occurred.
    *** is not a valid Win32 application.

    W7 32b. I copied the files to Windows directory, still nothing.
     
  13. DX2

    DX2 Guest

    Status -

    C:\Users\W7USER\Desktop\bouncer>sc query bouncer

    SERVICE_NAME: bouncer
    TYPE : 2 FILE_SYSTEM_DRIVER
    STATE : 1 STOPPED
    WIN32_EXIT_CODE : 31 (0x1f)
    SERVICE_EXIT_CODE : 0 (0x0)
    CHECKPOINT : 0x0
    WAIT_HINT : 0x0

    C:\Users\W7USER\Desktop\bouncer>pause
    Press any key to continue . . .
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Just to confirm, try reinstalling driver with these steps:

    - open an Admin command prompt
    - type: sc delete bouncer
    - press Enter
    - extract bouncer.7z or go to where you already extracted in File Explorer (whatever they called it in Win7)
    - in File Explorer ensure that you navigate to: bouncer\x86\Windows7\
    - right-click on bouncer.inf and choose Install
    - now still with the same 'bouncer\x86\Windows7' directory, copy bouncer.ini and bouncer.log to C:\Windows
    - allow it to overwrite if already there
    - open Admin command prompt again
    - type: net start bouncer
    - you should now get message that it started successfully

    Let me know how it goes. If it's all good then you can go ahead and customize your bouncer.ini config. Using the Admin Tool is easier and has the options to start/stop driver, edit your config and so on.
     
  15. DX2

    DX2 Guest

    Ok, it seems to be working now, but it's going crazy. Keeps popping up saying, Unauthorized attempt in Kernel Driver, over and over, what does that mean?
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Since the bouncer.ini config is not setup yet, it is essentially logging everything that it would be blocking if it were set to LETHAL mode. That would be bad because it would block everything since nothing is whitelisted yet.

    Try adding this to your bouncer.ini file, either on your own with Admin Tool or with a good editor like Notepad++. Copying into one of the bouncer.ini from the package will ensure it has support for unicode. Then copy over the bouncer.ini in Windows directory and restart driver.

    Code:
    [#LETHAL]
    [FORENSICS_PATH]
    whitelist*
    \Device\HarddiskVolume2\Windows\*
    \Device\HarddiskVolume2\ProgramData\*
    \Device\HarddiskVolume2\Program Files\*
    blacklist|
    
    It will allow what is whitelisted and log everything else it would normally block. There may be some legitimate directories you need to whitelist. Once you are confident, remove the # from LETHAL line, restart driver and it will now be blocking whatever you throw at it that is not in the whitelisted directories.

    For future reference:
    Code:
    [#LETHAL] means driver is not in blocking mode
    [LETHAL] means driver is in blocking mode (careful not to lock yourself out of Windows)
    [#FORENSICS_PATH] logging to C:\Windows\bouncer.log is disabled
    [FORENSICS_PATH] logging to C:\Windows\bouncer.log is enabled
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for the assist.
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome.

    The developer has just updated the bouncer.7z download package with an updated version of BouncerTray.exe which fixed a minor problem with BouncerTray showing the wrong status (icon) after the driver was stopped and started again. The hourly demo splash screen has been removed and the initial demo splash screen has been reduced to five seconds.

    Later versions will include support for writing bouncer blockage events to the Event Log. That is included in my testing build and seems to work great, so it will likely be included soon.
     
  19. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    Salutations,

    Can you run with other security software like Dr. Web Security Space and Malwarebytes Anti-malware on Windows 8.1 X64 bits?

    Also, what is the difference between the Demo and the Beta below:

    http://excubits.com/content/en/home.html
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Salutations!

    Yes, absolutely. Like most anti-executable software, the developer has stated that it is a good complement to any antivirus/firewall in a typical layered security setup which is quite common these days.

    Personally, I haven't used antivirus in five years or so, keeping things simple. I just use an anti-exe layer (currently Bouncer; previous anti-exe layer was Software Policy SRP), along with basic security principles like Standard User Account, OS hardening, EMET and some good old common sense. Also a lot of my security is done within my multiple router setup with OpenWrt.

    You would just have to ensure that you create rules in your bouncer.ini config file to ensure that your other security software isn't blocked. I'll copy a pretty basic bouncer.ini file to start with below.

    Code:
    [#LETHAL]
    [FORENSICS_PATH]
    whitelist*
    \Device\HarddiskVolume2\Windows\*
    \Device\HarddiskVolume2\ProgramData\*
    \Device\HarddiskVolume2\Program Files\*
    \Device\HarddiskVolume2\Program Files (x86)\*
    blacklist|
    
    That would allow normal function within Windows, ProgramData and Program Files directories which is good for a basic starting setup. It is set to not block yet, but simply to log what would be blocked. You could then use the bouncer.log file from the Windows directory to determine the other paths/locations that may need to be added to your bouncer.ini config file based on your particular setup and configuration of your programs and security software. Once you get everything added accordingly and nothing else blocked in bouncer.log that needs clearance, then you could remove the '#' from the LETHAL line in your config and it will now be in blocking mode.

    It's pretty crucial to get things right first before enabling blocking mode because this thing is so strong that you can literally lock yourself out and essentially brick Windows.

    One of these days I would like to put together a simple How-To for Bouncer basics. The developer is a truly impressive programmer and security researcher, but design is not his specialty.
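The rule semantics spelled out in this post and in post 16 above (default deny, `*` as the wildcard, case-sensitive paths, `[#LETHAL]` meaning log-only) can be checked offline before the `#` is removed. The following Python is an added example written for this page, not code from the Bouncer package or from the thread. It assumes that a line beginning `whitelist` or `blacklist` opens that section and that a blacklist match wins over a whitelist match, neither of which the thread states; the sample event paths are constructed, because the bouncer.log line format is not shown here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample bouncer.ini: the three-directory starter rule set from the
# thread plus one blacklist entry that is this example's own addition.
SAMPLE_INI = r"""
[#LETHAL]
[FORENSICS_PATH]
whitelist*
\Device\HarddiskVolume2\Windows\*
\Device\HarddiskVolume2\ProgramData\*
\Device\HarddiskVolume2\Program Files\*
blacklist|
\Device\HarddiskVolume2\Windows\Temp\*
"""

# Constructed event paths standing in for what the driver would report; the
# real bouncer.log line format is not shown in the thread, so only paths are used.
SAMPLE_EVENTS = [
    r"\Device\HarddiskVolume2\Windows\System32\svchost.exe",
    r"\Device\HarddiskVolume2\Program Files\Notepad++\notepad++.exe",
    r"\Device\HarddiskVolume2\Program Files (x86)\Bouncer\BouncerTray.exe",
    r"\Device\HarddiskVolume2\Users\W7USER\Downloads\setup.exe",
    r"\Device\HarddiskVolume2\windows\explorer.exe",
    r"\Device\HarddiskVolume2\Windows\Temp\dropper.exe",
]


@dataclass
class BouncerConfig:
    lethal: bool = False     # [LETHAL] blocks, [#LETHAL] only logs
    logging: bool = False    # [FORENSICS_PATH] writes C:\Windows\bouncer.log
    whitelist: list = field(default_factory=list)
    blacklist: list = field(default_factory=list)


def parse_config(text: str) -> BouncerConfig:
    """Parse the ini layout shown in the thread. Assumption: a line starting
    with 'whitelist' or 'blacklist' opens that section; every other non-empty,
    non-bracket line is a path pattern belonging to the open section."""
    cfg = BouncerConfig()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("[LETHAL]", "[#LETHAL]"):
            cfg.lethal = not line.startswith("[#")
        elif line in ("[FORENSICS_PATH]", "[#FORENSICS_PATH]"):
            cfg.logging = not line.startswith("[#")
        elif line.startswith("whitelist"):
            section = cfg.whitelist
        elif line.startswith("blacklist"):
            section = cfg.blacklist
        elif section is None:
            raise ValueError(f"path rule before any section: {line!r}")
        else:
            section.append(line)
    return cfg


def rule_matches(pattern: str, path: str) -> bool:
    """Case-sensitive match (the thread states rules are case sensitive) where
    '*' stands for any run of characters and everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None


def decide(cfg: BouncerConfig, path: str) -> str:
    """Return 'block' or 'allow'. Default deny as the thread describes; the
    blacklist-beats-whitelist precedence is an assumption of this example."""
    if any(rule_matches(p, path) for p in cfg.blacklist):
        return "block"
    if any(rule_matches(p, path) for p in cfg.whitelist):
        return "allow"
    return "block"


def dry_run(cfg: BouncerConfig, paths):
    """Paths that would be blocked in [LETHAL] mode (only logged in [#LETHAL]
    mode). Anything legitimate in this list needs a whitelist rule first."""
    return [p for p in paths if decide(cfg, p) == "block"]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_INI)
    mode = "LETHAL (blocking)" if cfg.lethal else "#LETHAL (log only)"
    print(f"mode: {mode}, logging: {cfg.logging}")
    for p in dry_run(cfg, SAMPLE_EVENTS):
        print("would block:", p)
```

Running it shows why post 20 adds a `Program Files (x86)` line: the `Program Files\*` rule does not cover that directory, and `windows` in lower case does not match `Windows\*` either, so both would be logged (or, in LETHAL mode, blocked).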
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Getting Started With Bouncer
    The quick and easy to understand method.

    Download and extract the latest bouncer.7z package from: http://excubits.com/content/en/products_bouncer.html
    * use the free and open source 7-Zip (http://www.7-zip.org) if you need a decent archiving tool.

    • Use File Explorer and navigate to: bouncer\Tools_EN\
    • Run Admin Tool.exe (requires Administrator privileges).
    • Check Enable logging. Do NOT check Lethal mode yet.
    • Press the Add Rule button to bring up familiar Windows folder/file selector.
    • Add Allow by Path rules for system directories: Windows, Program Files, Program Files (x86) and ProgramData.
    • Admin Tool will convert rule paths to device paths readable at kernel level.
    • Press Save Config button and save as bouncer.ini within the Windows directory.
    • To modify rules later, use Admin Tool to load your bouncer.ini and save as necessary.
    • Bouncer, by default, denies everything that is not whitelisted. Rules are case sensitive.

    (Screenshot attached: Admin Tool.png)
    Note: Copying a bouncer.ini config from one machine to another is not a good idea because device paths can be different, depending on hardware setup, partitions, etc. and you could potentially lock yourself out of Windows. Trust me. Been there, done that. ;)


    Installing the Bouncer kernel mode driver
    • Use File Explorer and navigate to bouncer\x64\ or bouncer\x86\ depending on CPU and system architecture.
    • Navigate to the operating system folder matching your OS.
    • Right-click on bouncer.inf and choose Install. (requires Administrator privileges)
    • Copy bouncer.log to Windows directory.

    Installing the tools and tray startup
    • Create a folder, C:\Program Files (x86)\Bouncer\ for example. If you do something like C:\Bouncer\ just ensure you allow that folder in your rules.
    • Copy extracted contents of bouncer\Tools_EN to the folder that you created.
    • You can create a simple startup shortcut to BouncerTray.exe or a registry entry in usual Run location.

    Fire It Up
    • Use Admin Tool and press Start Driver.
    • Start BouncerTray.exe as well by double-clicking
    • Bouncer driver and BouncerTray will automatically start with Windows

    With this method, we have logging enabled and blocking is still disabled, but it will log everything that it would normally block according to your rules. You can use this to determine legitimate programs or directories that you may need to create rules for. After using Admin Tool to modify your bouncer.ini rules, remember to save it of course, but more importantly remember to restart the driver after any changes.

    If you bork your system like I did (more than once) by locking yourself out of Windows, your only choice is to literally press F8 and log into Command Prompt mode for Win8/Win10 in the advanced startup options and run 'del C:\Windows\System32\drivers\bouncer.sys' from the command prompt and then restart. You'll have to copy the bouncer.sys file there again after you fix your rule set mistake. For Win7 and earlier you would have to use Safe Mode unless it has Command Prompt mode as well.

    I will tidy this up a bit tomorrow.
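The step above where Admin Tool converts drive-letter paths to `\Device\HarddiskVolumeN\...` paths, and the note that a bouncer.ini copied from another machine can lock you out because those device paths differ, can be illustrated with a small script. This Python is an added example, not part of the Bouncer package or the guide. The `MACHINE_A` and `MACHINE_B` mappings are constructed; the live lookup uses the Windows `QueryDosDeviceW` API through ctypes and only runs on Windows; the function names are this example's own.

```python
import re
import sys

# Constructed drive-letter -> device mappings for two imaginary machines.
# On a real Windows host resolve_device_map() returns the live values instead.
MACHINE_A = {"C:": r"\Device\HarddiskVolume2", "D:": r"\Device\HarddiskVolume4"}
MACHINE_B = {"C:": r"\Device\HarddiskVolume1"}

# The four system directories the guide whitelists as a starting point.
STARTER_DIRS = [r"\Windows", r"\Program Files", r"\Program Files (x86)", r"\ProgramData"]


def resolve_device_map() -> dict:
    """Ask Windows which \\Device\\... object each drive letter points at
    (QueryDosDeviceW). Returns {} on non-Windows hosts, where a constructed
    mapping such as MACHINE_A has to be supplied instead."""
    if sys.platform != "win32":
        return {}
    import ctypes
    buf = ctypes.create_unicode_buffer(1024)
    mapping = {}
    for letter in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        drive = letter + ":"
        if ctypes.windll.kernel32.QueryDosDeviceW(drive, buf, len(buf)):
            mapping[drive] = buf.value
    return mapping


def to_device_path(win_path: str, mapping: dict) -> str:
    """'C:\\Program Files\\*' -> '\\Device\\HarddiskVolume2\\Program Files\\*',
    the conversion Admin Tool performs before saving bouncer.ini."""
    m = re.fullmatch(r"([A-Za-z]:)(\\.*)", win_path)
    if not m:
        raise ValueError(f"expected a drive-letter path, got {win_path!r}")
    drive, rest = m.group(1).upper(), m.group(2)
    if drive not in mapping:
        raise KeyError(f"{drive} is not a mapped volume on this machine")
    return mapping[drive] + rest


def build_starter_config(mapping: dict, system_drive: str = "C:",
                         lethal: bool = False, logging: bool = True) -> str:
    """Generate the guide's starter rule set for THIS machine's volumes,
    log-only by default, rather than copying a bouncer.ini from elsewhere."""
    lines = ["[LETHAL]" if lethal else "[#LETHAL]",
             "[FORENSICS_PATH]" if logging else "[#FORENSICS_PATH]",
             "whitelist*"]
    for d in STARTER_DIRS:
        lines.append(to_device_path(system_drive + d + r"\*", mapping))
    lines.append("blacklist|")
    return "\n".join(lines) + "\n"


def foreign_rules(config_text: str, mapping: dict) -> list:
    """Rule lines whose volume does not exist on this machine. If the rule
    meant to cover \\Windows is among them, nothing in Windows is whitelisted
    and LETHAL mode locks you out: the copied-config hazard from the note."""
    known = set(mapping.values())
    bad = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"(\\Device\\[^\\]+)", line)
        if m and m.group(1) not in known:
            bad.append(line)
    return bad


if __name__ == "__main__":
    live = resolve_device_map() or MACHINE_A
    print(build_starter_config(live))
    # Take machine A's config to machine B: every rule points at a missing volume.
    for line in foreign_rules(build_starter_config(MACHINE_A), MACHINE_B):
        print("not on this machine:", line)
```

Checking a config with `foreign_rules` against the live mapping before enabling LETHAL is a cheap way to catch the mistake described in the note, since the driver itself gives no warning that its whitelist points at a volume that does not exist.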
     
  22. @WildByDesign Thx for the update. Are all executable files signed and ASLR enabled already?

    If so, it would be tempting to try it on my ASUS T100 with win 8.1 on it
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Digitally signed, no. ASLR enabled, yes. Admin Tool.exe and BouncerTray.exe are ASLR enabled by default due to the method used to compile. But I am not sure why the developer didn't sign those at this time. All of the driver files are signed though, even x86. Since the developer has signing all set up now it shouldn't be too difficult to sign the executables as well, but I'm guessing it was a bit of a rush before the holidays or maybe he didn't see as much need to sign those. But I will send him a quick note anyway and see what he says about that. I will get back to you on this as soon as I can.

    That's a nice little system, by the way. Let me know how things go if you do decide to give it a try.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This is what I worry about. I think the developer should somehow white-list certain essential Windows OS processes, so that you can never lock yourself out of your system. But I really wonder how such a tool would perform against "in the wild" exploit-kits.
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I can definitely see your perspective on this, Rasheed. My understanding is that the developer only intends for Bouncer to be tailored toward highly technical individuals, users that don't need that helping hand. He believes more in the security under the hood as opposed to how many large security companies rely so heavily on fancy GUIs (and changing year after year) which often gives users a false sense of security whether they realize that or not. Also, he wants to keep it small, efficient and to the point, and keeping things kernel level for the most part. Once you start adding in more usability features then you have to have more and more user mode services hooking certain mechanisms to communicate with the purely kernel level portion of the drivers running under the hood. That is where developers can unintentionally add more attack vectors to their products.

    But anyways, regarding the second part of what you said about "in the wild" exploits and all. The current Bouncer wouldn't do much to help that. The developer would have to release the Plus version which adds the hash list for known/common executables. Not sure of a time frame on that though.
     