Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I can't wait until the signed releases are available. You guys have this member going bonkers watching all of these analysis but I want to extend my sincere thanks for your determinations in helping to test, advance, and promote these different drivers to their absolute best for when the release does come.
     
  2. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    It's missing in the beta setup file, but it still doesn't block anything or log.
    Also I deleted Bouncer.cat to see what happens, but it's still the same.
     
  3. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    you're welcome.
    also i see in your signature you are using Tweaking.com Registry Backup v.3.3.1
    I haven't used that so much (I think one time), but I'd like to suggest you use RegBak 1.5;
    that's much better.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I'll check it out. Tweaking.com Registry Backup has pulled my tail out of a mess more times than I care to count though.

    I've even fashioned a Linux Pen Drive for the times it's been needed to manually replace all the User.Dat etc. and CONFIG (SAM, SOFTWARE etc.) registry files by hand.
     
  5. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    OK, Florian sent me an ini file that works.
    There are some changes in the rules, and the file name changed from Bouncer.ini to bouncer.ini.
    Also some news from the Pumpernickel driver:
    I have just finished move/drag&drop detection in Pumpernickel.
    This feature will soon be released in the beta camp. I am currently doing
    some internal checks on stability etc.


    Code:
    [LETHAL]
    [LOGGING]
    [SHA256]
    [PARENTCHECK]
    [CMDCHECK]
    [WHITELIST]
    C:\Windows\*
    C:\Program Files\*
    C:\Program Files (x86)\*
    C:\ProgramData\Microsoft\*
    C:\New folder (2)\*
    E:\Utility\*
    C:\Users\Default\NTUSER.DAT.LOG2
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\Dism*
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\OSProvider.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\LogProvider.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\CbsProvider.dll
    C:\Sandbox\*
    C:\KMPlayer\*
    *Admin Tool.exe
    *BouncerTray.exe
    [BLACKLIST]
    [PARENTWHITELIST]
    C:\Windows\*>*
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    C:\ProgramData\Microsoft\*>*
    [PARENTBLACKLIST]
    [CMDWHITELIST]
    !C:\Program Files\Excubits\Tuersteher\Tools\TuersteherTray.exe>*cmd.exe /c * Tuersteher
    !C:\Program Files\Excubits\Tuersteher\Tools\Admin Tool.exe>C:\Windows\system32\cmd.exe /c * Tuersteher
    !C:\Program Files (x86)\Excubits\Tuersteher\Tools\TuersteherTray.exe>*cmd.exe /c * Tuersteher
    !C:\Program Files (x86)\Excubits\Tuersteher\Tools\Admin Tool.exe>C:\Windows\system32\cmd.exe /c * Tuersteher
    !C:\Windows\*svchost.exe>C:\Windows\*rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {*} -Embedding
    !C:\Windows\*svchost.exe>C:\*rundll32.exe C:\Windows\system32\invagent.dll,RunUpdate
    !C:\Windows\*svchost.exe>C:\*rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState
    !C:\Windows\*svchost.exe>*rundll32.exe WSClient.dll,WSpTLR licensing
    !C:\Windows\*wermgr.exe>"*runDll32.exe" "C:\Windows\system32\WerConCpl.dll", LaunchErcApp -responsepester
    !C:\Windows\*svchost.exe>*rundll32.exe /d acproxy.dll,PerformAutochkOperations
    *>*
    [CMDBLACKLIST]
    *>*rundll32*
    *>*cmd*/c*
    [EOF]
    
     
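An added example, not from the thread and not Excubits' code, of how wildcard rules like the ones in the config above can be evaluated against paths and parent/child pairs. The `*`/`?` semantics, case-insensitive comparison and the split of a `parent>child` rule on the first `>` are assumptions made here for illustration, not taken from Bouncer's documentation.

```python
import re

# Rule patterns copied from the config posted above. The matching semantics
# are an assumption for illustration: '*' matches any run of characters,
# '?' exactly one, comparison is case-insensitive, and a 'parent>child'
# rule matches a parent image path plus a child path or command line.
WHITELIST = [
    r"C:\Windows\*",
    r"C:\Program Files\*",
    r"C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\Dism*",
    r"*BouncerTray.exe",
]
PARENTWHITELIST = [r"C:\Windows\*>*", r"C:\Program Files\*>*"]
CMDBLACKLIST = [r"*>*rundll32*", r"*>*cmd*/c*"]


def glob_to_regex(pattern):
    """Translate a wildcard rule into an anchored, case-insensitive regex."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.IGNORECASE)


def matches_path(pattern, path):
    return glob_to_regex(pattern).fullmatch(path) is not None


def matches_pair(rule, parent, child):
    """Split 'parent>child' on the first '>'; both halves must match."""
    parent_pat, _, child_pat = rule.partition(">")
    return matches_path(parent_pat, parent) and matches_path(child_pat, child)


def whitelisted(path):
    return any(matches_path(p, path) for p in WHITELIST)


def cmd_blocked(parent, cmdline):
    return any(matches_pair(r, parent, cmdline) for r in CMDBLACKLIST)


def demo():
    # Constructed sample paths. The GUID-shaped '?' run only admits Temp
    # subfolders named 8-4-4-4-12, so a Dism*.exe dropped in Temp itself fails.
    guid = r"C:\Users\bob\AppData\Local\Temp\1a2b3c4d-1111-2222-3333-444455556666\DismHost.exe"
    return {
        "guid_temp": whitelisted(guid),
        "plain_temp": whitelisted(r"C:\Users\bob\AppData\Local\Temp\DismHost.exe"),
        "tray_anywhere": whitelisted(r"D:\tools\BouncerTray.exe"),
        "rundll_blocked": cmd_blocked(r"C:\Users\bob\Downloads\x.exe",
                                     r"C:\Windows\System32\rundll32.exe foo.dll,Run"),
        "parent_ok": matches_pair(PARENTWHITELIST[0], r"C:\Windows\explorer.exe", r"D:\app.exe"),
    }
```

The `plain_temp` case shows why the GUID-shaped pattern is tighter than a plain `C:\Users\*\AppData\Local\Temp\*` entry would be.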
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're very welcome. For several years now (and prior to signing up for my account here) I have appreciated your sense of humour and personality throughout Wilders forums. I have a great amount of respect for you.

    I, too, wish that the betas were digitally signed because we would have more users on board testing. I am generally a pretty neutral person and I can see valid reasons for/against signing the betas from several different perspectives. I see Florian as a real perfectionist with his coding, aiming for efficiency and proper coding at all times. And therefore, he is extra cautious when it comes to releases in general but also when it comes to signing betas. As he once explained it to me, programmers/businesses who have digital certificates also have a great responsibility for the releases which they sign. So if he were to release a buggy beta build that is signed and it were to cause widespread damage, for example, he could potentially lose his credibility to digitally sign any future releases. And so with his already meticulous care of his coding in general, he is also cautious when it comes to signing. Recently, I have proposed a suggestion to Florian to have three stages of release: Alpha (unsigned) releases, Beta (signed) and Stable (signed) releases.

    Anyway, I recall way back when Bouncer was initially under the German name Tuersteher and was a simple yet powerful kernel-mode driver, I saw tremendous potential at the time. And to think of how far Bouncer has progressed in the past year or two, along with the other up and coming kernel-mode drivers from Florian to potentially integrate into Bouncer, the possibilities seem endless as far as Administrative granular control over every aspect of the system.


    @co22 Excellent, I am glad to hear that your setup is working correctly now. As Florian explained to me, it came down to some sort of syntax error. And the good news is that Florian has just developed/integrated better config file syntax checking into Bouncer which will be in the next Beta Camp release. Also, the basic syntax checking that was already in that bouncer_beta build prevented the Bouncer driver from loading the config file which is a good thing because it could have been disastrous. However, future releases will notify the user if there are syntax errors in the config file so that the user is aware that protection is not on at the moment.

    There's a pile of other bits and pieces coming soon to Bouncer, such as another icon colour to let the user know when they are in non-lethal mode, in case the user sets non-lethal to do Windows updates and forgets to turn it back to lethal. A few other small but essential developments as well coming soon.

    Also, as you mentioned, some nice developments in Pumpernickel as well. Especially thanks to user feedback.
     
  7. hjlbx

    hjlbx Guest

    Has a signed beta been released yet?

    Obviously I am on 64 bit system...
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I've been waiting for a signed beta myself, but I don't think Florian is going to sign his beta builds anymore. I hope I'm wrong. I just don't like making changes to my work computer to allow unsigned drivers.
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I'll have a conversation with Florian in the next day or so to see about signing betas. I know that it would be beneficial because more users would be willing to test the betas plus considering the fact that the beta releases have all of the latest goodies/features to play with.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you for checking for us!
     
  11. hjlbx

    hjlbx Guest

    Signing a beta can cost money - I get that - but at the same time, I don't want to fidget with Secure Boot.

    As a 64 bit user I can't test the soft until a signed stable release - and it just might turn out to be quite problematic - since I was unable to test the unsigned beta.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome. And I gotta be honest, his beta builds have consistently been rock solid as far as efficiency and stability goes.

    I think that the bigger issue, at times, came down to minor config file syntax and essentially user error. So if the latest development that he's added for checking syntax works well to prevent user error and warn the user as well, I think that would be important. Maybe if that proves itself, we can see some signed betas. But ultimately, of course, that comes down to Florian's decision. I will try to talk to him about that and discuss pros/cons and see how it goes. It would definitely get more users testing comfortably, for sure. Also since the betas have generally been rock solid stable from much of my testing. So let's hope for the best.
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I absolutely get your perspective, 100%. I would love to see the betas signed as well. That is why I proposed the idea to Florian about three tiers of releases: Alpha (unsigned) kind of like internal-hardcore ring of testers (play ground for new features), Beta (signed) with some new features that have proved themselves within internal testers for several weeks, and Stable (signed) releases. Does that sound like a good idea? What are your thoughts? I respect your opinion and appreciate your time.
     
  14. hjlbx

    hjlbx Guest

    That is a balanced approach.

    I think Florian's objections will be cost and the inconvenience/logistics of having to obtain a digital certificate for each version of the beta. (I'm not sure how that all works honestly.)

    It depends upon how he releases betas - which as far as I can see - are few and far between - unlike some vendors - that shoot them off one after the other in rapid succession.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think he needs to work on more documentation on how to actually configure rules. He needs to have more example rules to go by because sometimes it's not so clear how to write the rules. When I looked at Pumpernickel it seemed to be a little more complicated than I imagined it would be. I have never used it though since it's not signed. I think he should have given example rules on how to block any executions in the user-space from writing to the System Space and Program Files folders. That would have been a much better example than the rule for the application notepad that was given as an example. I think that was the kind of rule he gave as an example. I only looked at it when it first came out since it was not signed. The user is kind of left up to guess how to write the rules with such little documentation.
     
    Last edited: Feb 14, 2016
  16. hjlbx

    hjlbx Guest

    I think Training Mode would be a huge convenience and time saver in configuration.
    • Clean install OS
    • Install & configure desired softs
    • Enable Bouncer Training Mode and run for X amount of time
    I guess Florian will just say logging is Training Mode... LOL.

    There is no doubt if you have the knowledge - or time available to research and obtain the knowledge - and time to review logs and configure Excubit products, then you have extremely high-level protection.

    However, I can just install AppGuard and not have the time-intensive hassle of configuring - well, not anywhere close to that of Excubit products.

    I suppose Florian's approach mimics that of Enterprise solutions - which is essentially review logs, configure and maintain.

    It's great protection, but not practical in terms of time and effort.
     
  17. For a small development team or developer it would be wise to spend time on functionality.

    Let the network of power users on this forum do the support on usage and configuration for novice users.

    When MemProtect and Pumpernickel are out of beta, they form a great combo to put an exploit and execution wall around Chrome's sandbox.
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @WildByDesign Thank you for your understanding and those kind words.

    I'm also on x64 so, like others, I also haven't been able to make any real assessments by testing either, but I am curious: if these drivers/programs really take off, I wonder whether, instead of manually writing in all the "user config rules", it wouldn't be even more favorable to have a GUI with all those settings readily accessible and configurable for Blacklist/Whitelist, with a BROWSE function to Folder/File of the point-and-click variety that many have already grown accustomed to.

    In short, if so, it would make not only Bouncer but the others a sort of Super HIPS (FINALLY!), especially for x64 Windows platforms.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I wish Florian would make MemProtect compatible with my setup. I have wanted to add MemProtect permanently to my Layered Security Setup for some time now. It's not compatible with Eset Smart Security on my machines. It causes the system to hang. The mouse cursor will not even move. It would occur each time I accessed Eset's settings, and would also occur on its own after the system was idle for a while.

    I would love to see most of the current products bundled together. I can't imagine anything bypassing Bouncer, Pumpernickel, Command Line Scanner, and MemProtect bundled into one product. I would just like to see them in a more user friendly format. I think better documentation would be a huge help. I realize some are still in beta phase though. Florian will have to invest in a user-friendly GUI to do the rule writing for most users if he wants to reach users outside the professional, and super-user community. He's going to want to bring in enough revenue to justify all the time he is investing at some point.
     
  20. hjlbx

    hjlbx Guest

    I most definitely agree. In their current, essentially GUI-less forms, I cannot see Excubits' products as economically viable - as they will appeal only to a subset of hard-core security soft geeks. And those users will use the freeware version... LOL.
     
  21. Agree that geeks tend to prefer free, because it demonstrates "I am so smart that I can configure security myself".

    But what about a zero configuration sandbox version for Firefox combining the goodies of all of Florians software into a set and forget paid solution?
     
  22. hjlbx

    hjlbx Guest

    Of course, but Florian is charging - what - $75 or so - for the current premium Bouncer - LOL?

    I know, I know... Lifetime license.

    My problem isn't paying for Bouncer, my problem is that I am not a US-CERT/NSA certified level configuration expert; I am just a typical user interested in solid security - with only a finite amount of time to devote to configuring Bouncer.

    Why should I buy Bouncer when I can buy AppGuard at nearly half the cost, install it, and with a few minor tweaks - as needed - have essentially a lock-down SRP?
     
    Last edited by a moderator: Feb 16, 2016
  23. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    @hjlbx: As far as I know Florian has adjusted the price for private users. I mailed him a few weeks ago; he told me that for private/non-commercial users he will offer a license for a moderate fee of $35. I think this is OK; private users do not want to pay a lot.

    I am also hoping that the beta drivers will be signed. It is a bother to use that F8 trick on boot-up, and I think that unsigned drivers hinder a lot of people from testing his great work. I assume that more would test if the drivers were signed.

    Howsoever: Bouncer (I am using Türsteher) is great and I'm amazed what you can do with just a few lines of rules. Pumpernickel is also very powerful I think and funny to see what you can do. I also use MZWriteScanner, but only in [#LETHAL] mode to see what executables are saved to my hdd.
     
  24. hjlbx

    hjlbx Guest

    @4Shizzle - thanks for the info on the private price.

    I agree totally with the others.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I also have no qualms on forking for the private user license (and will) when released with Da Bombs LoL included. Great security no doubt and as they say it's hard to stop a train and well fashioned security "drivers" are a driving force on Windows.

    However (we'll see what he does, if anything), also giving it a simple BROWSE menu in order to set certain rule settings in a GUI display would help it be even better for the other half of customers who prefer that approach, IMO.
     