Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    To block those .DLL's from spawning in Temp directory from rundll32.exe, I would suggest adding the following rules:

    Code:
    [BLACKLIST]
    C:\Users\*\AppData\Local\Temp\*.dll
    [PARENTBLACKLIST]
    C:\Windows\SysWOW64\rundll32.exe>C:\Users\*\AppData\Local\Temp\*.dll
    C:\Windows\System32\rundll32.exe>C:\Users\*\AppData\Local\Temp\*.dll
    Those blacklist and parentblacklist rules should do the trick. Depending on how rundll32.exe is spawning those .DLL's, you may need a [CMDBLACKLIST] rule to prevent it. Let me know how it goes and I can help you further.

    Yes, those can be combined into one line like you have “C:\Windows\*>*”.
    Try to narrow this rule down like you had mentioned:
    Code:
    [WHITELIST]
    C:\Windows\*
    [PARENTWHITELIST]
    C:\Windows\*>*
    If the blockage in the log regarding "C:\Windows\System32\dllhost.exe > C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll" still shows up after that, it could mean that you have a blacklist rule that is blocking. In the case of a blacklist rule blocking something specific, you can create a whitelist or parentwhitelist rule as a priority rule (!) that would overrule the blacklist rule.

    So give those rules a try and see how it works for you. As always, after making changes to your Bouncer.ini rules, make sure that you restart the Bouncer driver for the newly saved changes to take effect within the kernel.
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The SpyShelter image is too small for me to see. I have *regsvr32.exe on my blacklist, and I have not had any problems blacklisting it on my machine. You might also try adding this to your PARENTBLACKLIST: *regsvr32.exe>rundll32.exe I think I have that rule written correctly. Someone can correct me if I'm wrong.
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I would also add PresentationHost to your blacklist if you don't need it. Sorry for the double post. I thought you would miss it if I added to my other post late.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you! I'm going to try that policy with my config for a while. Does Bouncer's white/blacklisting policy allow any .dll to run in the user-space without being whitelisted? Maybe that should be changed. I'm not sure that is a good idea. I have portable applications I run from external USB drives, and I have to whitelist .dlls used by those portable applications. I'm not sure why it should be any different in the user-space on C:\ drive.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I don't think the policy I'm currently using would ever allow the behavior by Tomin since my vulnerable apps are BLACKLISTED from spawning any child processes, but maybe it can find another way in.

    Code:
    [#LETHAL]
    [LOGGING]
    [#SHA256]
    [PARENTCHECK]
    [#CMDCHECK]
    [WHITELIST]
    !*C:\Windows\Temp\emu????????????????.dll
    !*C:\Windows\Temp\emu???????????????.dll
    !*C:\Windows\Temp\emu??????????????.dll
    C:\Windows\*
    C:\Program Files (x86)\*
    C:\Program Files\*
    C:\ProgramData\Microsoft\*
    C:\AMD\*
    C:\Users\achilles\AppData\Local\Temp\procexp64.exe
    C:\Users\achilles\AppData\Local\Zemana\Zemana AntiMalware\helpers\ArchiveManager.dll
    C:\ProgramData\ESET\ESET Smart Security\updfiles\nod0776.nup
    C:\Program Files (x86)\Excubits\Bouncer\*
    [BLACKLIST]
    ?:\$Recycle.Bin\*
    *regsvr32.exe
    *InstallUtil*
    *Regsvcs*
    *RegAsm*
    C:\Windows\ADFS\*
    C:\Windows\tracing\*
    C:\Windows\Tasks\*
    C:\Windows\rescache\*
    C:\Windows\Temp\*
    C:\Windows\Logs\*
    C:\Windows\AppCompat\*
    *InstallUtil.exe
    *IEExec.exe
    *DFsvc.exe
    *PresentationHost.exe
    *reg.exe
    *vssadmin.exe
    *aspnet_compiler.exe
    *csc.exe
    *ilasm.exe
    *jsc.exe
    *MSBuild.exe
    *vbc.exe
    *script.exe
    *iexplore.exe
    *journal.exe
    #*msiexec.exe
    *bitsadmin*
    *iexpress.exe
    *mshta.exe
    *systemreset.exe
    *bcdedit.exe
    *mstsc.exe
    *powershell.exe
    *powershell_ise.exe
    *hh.exe
    *set.exe
    *setx.exe
    [PARENTWHITELIST]
    !*firefox.exe>C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    !*firefox.exe>C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    !*firefox.exe>C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_??_?_?_???.exe
    !*C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe>C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_??_?_?_???.exe
    !*PDFXCview.exe>C:\Program Files\Tracker Software\Update\TrackerUpdate.exe
    C:\Windows\*>*
    C:\Program Files (x86)\*>*
    C:\Program Files\*>*
    C:\ProgramData\Microsoft\*>*
    C:\Program Files (x86)\Excubits\Bouncer\*>*
    C:\Users\achilles\AppData\Local\Temp\procexp64.exe>C:\windows*
    [PARENTBLACKLIST]
    *firefox.exe*>*.exe
    *firefox.exe*>*.tmp
    *firefox.exe*>*.bat
    *plugin-container.exe*>*.exe
    *plugin-container.exe*>*.tmp
    *FlashPlayerApp.exe*>*exe
    *FlashPlayerApp.exe*>*.tmp
    *FlashPlayerPlugin.exe*>*.exe
    *FlashPlayerPlugin.exe*>*.tmp
    *FlashUtil32_??_?_?_???_Plugin.exe*>*.exe
    *FlashUtil32_??_?_?_???_Plugin.exe*>*.tmp
    *FlashUtil64_??_?_?_???_Plugin.exe*>*.exe
    *FlashUtil64_??_?_?_???_Plugin.exe*>*.tmp
    *FlashPlayerInstaller.exe*>*.exe
    *FlashPlayerInstaller.exe*>*.tmp
    *FlashPlayerUpdateService.exe*>*.exe
    *FlashPlayerUpdateService.exe*>*.tmp
    *notepad.exe*>*.exe
    *notepad.exe*>*.tmp
    *wordpad.exe*>*.exe
    *wordpad.exe*>*.tmp
    *PDFXCview.exe*>*.exe
    *PDFXCview.exe*>*.tmp
    *wmplayer.exe*>*.exe
    *wmplayer.exe*>*.tmp
    *mpc-hc64.exe*>*.exe
    *mpc-hc64.exe*>*.tmp
    *vlc.exe*>*.exe
    *vlc.exe*>*.tmp
    *WinRAR.exe*>*exe
    *WinRAR.exe*>*.tmp
    *Rar.exe*>*.exe
    *Rar.exe*>*.tmp
    *Ace32Loader.exe*>*.exe
    *Ace32Loader.exe*>*.tmp
    *tixati.exe*>*.exe
    *tixati.exe*>*.tmp
    *WINWORD.exe*>*.exe
    *WINWORD.exe*>*.tmp
    *EXCEL.exe*>*.exe
    *EXCEL.exe*>*.tmp
    *POWERPNT.exe*>*.exe
    *POWERPNT.exe*>*.tmp
    *.jpg*>*.exe
    *.jpg*>*.tmp
    *.png*>*.exe
    *.png*>*.tmp
    *.gif*>*.exe
    *.gif*>*.tmp
    *.bmp*>*.exe
    *.bmp*>*.tmp
    *.dib*>*.exe
    *.dib*>*.tmp
    [CMDWHITELIST]
    [CMDBLACKLIST]
    [EOF]
    
     
    Last edited: May 31, 2016
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Are you testing on an infected webpage? Is that why regsvr32.exe>rundll32.exe is launching those .dll's in the temp folder? I guess it's also what launched PresentationHost.exe, taskhost.exe, and cmd.exe, etc.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I just added msra.exe, schtask.exe, and at.exe to my blacklist. I have it blacklisted with other software I use.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I figured that it has been a while since I had last shared my Bouncer.ini configuration as well. Now that the parent process feature, command line feature, etc. are all in Stable, I'll share my current config as well so that we can all share ideas. My config has commented lines as well, which helps me to keep everything organized and as tidy as possible. The good part about using Notepad++ is that the program highlights your priority rule lines and commented-out lines, and individual sections within brackets are highlighted and collapsible, super handy. Please keep in mind, though, that since my Bouncer.ini config has commented lines and additional stuff, it weighs in at 17 KB. But I wanted to share anyway for the sake of community collaboration and brainstorming.

    I am still behind on a few questions and private messages which I hope to get caught up on over the next few days.

    Code:
    [#INSTALLMODE]
    [LETHAL]
    [LOGGING]
    [#SHA256]
    [PARENTCHECK]
    [CMDCHECK]
    [WHITELIST]
    # PortableApps
    ?:\PortableApps\*
    ?:\Program Files\*
    # Speccy
    C:\Users\*\AppData\Local\Temp\cpuz???\cpuz???_x??.sys
    R:\Temp\cpuz???\cpuz???_x??.sys
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????
    R:\Temp\????????-????-????-????-????????????*
    # Office 2010 Click-to-Run
    Q:\140066.enu\*
    C:\PROGRA~2\COMMON~1\MICROS~1\VIRTUA~1\*
    # Bouncer
    D:\Bouncer\*
    # Tools
    D:\Tools\*
    # Program Files and Program Files (x86)
    C:\Program Files\*
    C:\Program Files (x86)\*
    # Canon Printer
    C:\ProgramData\CanonBJ\*
    # Adguard For Windows
    C:\ProgramData\Adguard\Temp\*
    C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe
    !C:\Windows\Temp\{????????-????-????-????-????????????}\.ba1\mbahost.dll
    # User Directory
    C:\Users\*\AppData\Local\Packages\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\*
    # Process Explorer
    C:\Users\*\AppData\Local\Temp\procexp64.exe
    R:\Temp\procexp64.exe
    # iTunes
    C:\Users\*\AppData\Local\Apple\Apple Software Update\SetupAdmin.exe
    # Flash Player
    C:\Users\*\AppData\Local\Temp\{????????-????-????-????-????????????}\fpb.tmp
    R:\Temp\{????????-????-????-????-????????????}\fpb.tmp
    C:\Users\*\AppData\Local\Google\Chrome\User Data\PepperFlash\??.?.?.???\pepflashplayer.dll
    # Adobe Reader DC
    C:\ProgramData\Adobe\ARM\?\?????\AdobeARMHelper.exe
    C:\ProgramData\Adobe\ARM\*.exe
    # Google Chrome / Chromium
    !C:\Windows\Temp\??_?????.tmp\setup.exe
    C:\Users\*\AppData\Local\Temp\??_?????.tmp\setup.exe
    C:\Users\*\AppData\Local\Google\Chrome\User Data\SwReporter\?.??.?\software_reporter_tool.exe
    # Mozilla Firefox
    C:\Users\*\AppData\Local\Temp\MozUpdater\bgupdate\updater.exe
    C:\Users\*\AppData\Local\Mozilla\updates\????????????????\updates\0\*
    C:\Users\*\AppData\Local\Temp\???????.tmp\*.dll
    R:\Temp\???????.tmp\*.dll
    # Mozilla Thunderbird
    C:\Users\*\AppData\Local\Thunderbird\updates\????????????????\updates\0\*
    *\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbasecomps.dll
    C:\Users\*\AppData\Local\Temp\???????.tmp\*.dll
    R:\Temp\???????.tmp\*.dll
    !C:\Windows\Temp\???????.tmp\*.dll
    R:\Temp\??????.tmp\System.dll
    R:\Temp\MozUpdater\bgupdate\updater.exe
    # DISM
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\*.dll
    !C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe
    !C:\Windows\Temp\????????-????-????-????-????????????\*.dll
    R:\Temp\????????-????-????-????-????????????\DismHost.exe
    R:\Temp\????????-????-????-????-????????????\*.dll
    # Intel Dynamic Platform and Thermal Framework
    !C:\Windows\Temp\DPTF\esif_assist_64.exe
    !C:\Windows\Temp\DPTF\dptf_*proxy.dll
    # Malicious Software Removal Tool
    C:\????????????????????\mrtstub.exe
    !C:\Windows\Temp\MPGEAR.DLL
    !C:\Windows\Temp\MPENGINE.DLL
    # TeamViewer 11 PortableApps
    C:\Users\TIFFAN~1\AppData\Local\Temp\??????.tmp\*.dll
    # PhotoMove - ExifTool
    *\cache-exiftool-?*.??\*
    # Windows 8.1 - 10
    C:\Users\*\AppData\Local\Packages\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\*
    # Windows Directory
    C:\Windows\*
    [BLACKLIST]
    *iexplore.exe
    *regedit.exe
    *bitsadmin.exe
    *cipher.exe
    *syskey.exe
    *vssadmin.exe
    *regedit.exe
    *Regsvcs*
    *RegAsm*
    *wusa*
    ?:\$Recycle*
    # *reg.exe
    *vssadmin.exe
    *aspnet_compiler.exe
    *csc.exe
    *jsc.exe
    *vbc.exe
    *ilasm.exe
    *MSBuild.exe
    *script.exe
    *journal.exe
    # *msiexec.exe
    *bitsadmin*
    *iexpress.exe
    *mshta.exe
    *systemreset.exe
    *bcdedit.exe
    *mstsc.exe
    *powershell.exe
    *powershell_ise.exe
    *hh.exe
    *set.exe
    *setx.exe
    *InstallUtil.exe
    *IEExec.exe
    *DFsvc.exe
    *dfshim.dll
    *PresentationHost.exe
    C:\Windows\ADFS\*
    C:\Windows\Fonts\*
    C:\Windows\Minidump\*
    C:\Windows\Offline Web Pages\*
    C:\Windows\tracing\*
    C:\Windows\Tasks\*
    C:\Windows\Temp\*
    [PARENTWHITELIST]
    # Program Files and Program Files (x86)
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    # ProgramData
    C:\ProgramData\Microsoft\*>*
    # Process Explorer
    C:\Users\*\AppData\Local\Temp\procexp64.exe>*
    # Adguard For Windows
    C:\ProgramData\Adguard\Temp\*>*
    C:\Program Files (x86)\Adguard\AdguardSvc.exe>C:\ProgramData\Adguard\Temp\*
    C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe>*
    # Tools
    D:\Tools\*>*
    # Office 2010 Click-to-Run
    Q:\140066.enu\*>*
    C:\PROGRA~2\COMMON~1\MICROS~1\VIRTUA~1\CVH.EXE>*
    # Flash Player - PPAPI Updater
    C:\Windows\SysWOW64\Macromed\Flash\FlashUtil*_??_?_?_???*.exe>C:\Users\*\AppData\Local\Temp\{????????-????-????-????-????????????}\fpb.tmp
    # Adobe Reader DC
    C:\ProgramData\Adobe\ARM\?\?????\AdobeARMHelper.exe>C:\Windows\*.d??
    C:\ProgramData\Adobe\ARM\?\?????\AdobeARMHelper.exe>*AdobeARM.exe
    # Google Chrome
    C:\Users\*\AppData\Local\Temp\??_?????.tmp\setup.exe>C:\Windows\*.dll
    C:\Users\*\AppData\Local\Google\Chrome\User Data\SwReporter\?.??.?\software_reporter_tool.exe>C:\Windows\*
    !C:\Windows\Temp\??_?????.tmp\setup.exe>C:\Program Files (x86)\Google\Chrome\Application\??.?.????.*\Installer\setup.exe
    !C:\Windows\Temp\??_?????.tmp\setup.exe>C:\Windows\*.dll
    !C:\Windows\Temp\??_?????.tmp\setup.exe>C:\Windows\Temp\??_?????.tmp\setup.exe
    # iTunes
    C:\Users\*\AppData\Local\Apple\Apple Software Update\SetupAdmin.exe>C:\Windows\*.dll
    # Mozilla Thunderbird
    C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe>*\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbasecomps.dll
    # DISM
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\*.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\*.dll
    R:\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\*.dll
    R:\Temp\????????-????-????-????-????????????\DismHost.exe>R:\Temp\????????-????-????-????-????????????\*.dll
    !C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\*.dll
    # Intel Dynamic Platform and Thermal Framework
    !C:\Windows\Temp\DPTF\esif_assist_64.exe>C:\Windows\*.dll
    # PortableApps
    ?:\PortableApps\*>*
    ?:\Program Files\*>*
    # Malicious Software Removal Tool
    C:\????????????????????\mrtstub.exe>C:\Windows\System32\MRT.exe
    C:\????????????????????\mrtstub.exe>C:\Windows\System32\*.dll
    # Windows
    C:\Windows\*>*
    [PARENTBLACKLIST]
    # Blocking user space from accessing .NET
    C:\Users\*>C:\Windows\Microsoft.NET\Framework\*
    # Windows Temp
    C:\Windows\Temp\*>*
    [CMDWHITELIST]
    *cmd.exe>sc  query Bouncer
    *BouncerTray.exe>C:\Windows\system32\cmd.exe /c sc query Bouncer
    *cmd.exe>\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    *winlogon.exe>"LogonUI.exe" /flags:0x0 /state0:0xa3973855 /state1:0x41c64e6d
    *esif_uf.exe>"C:\Windows\TEMP\DPTF\esif_assist_64.exe"
    *services.exe>C:\Windows\System32\*
    *svchost.exe>C:\Windows\system32\*
    *smss.exe>\??\C:\Windows\system32\autochk.exe *
    *smss.exe>\SystemRoot\System32\smss.exe 000000a8 00000074
    *smss.exe>%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows*
    *smss.exe>wininit.exe
    *smss.exe>winlogon.exe
    *wininit.exe>C:\Windows\system32\*
    *services.exe>C:\Windows\SysWow64\*
    *BouncerTray.exe>C:\Windows\notepad.exe C:\Windows\bouncer.log
    *cmd.exe>net  stop bouncer
    *net.exe>C:\Windows\system32\net1  stop bouncer
    C:\Windows\*>*C:\Windows\*
    *BouncerTray.exe>*Admin Tool.exe*
    C:\Windows\*>*
    *Admin Tool.exe>*cmd.exe*
    *BouncerTray.exe>*Admin Tool.exe*
    *thunderbird.exe>*chrome.exe*
    *chrome.exe>*chrome.exe*
    *firefox.exe>*plugin-container.exe*
    *plugin-container.exe>*\Flash\FlashPlayerPlugin_??_?_?_???.exe*
    C:\Program Files (x86)\*>*C:\Program Files (x86)\*
    C:\Program Files (x86)\*>*C:\Windows\*
    C:\Program Files\*>*C:\Program Files\*
    C:\Program Files (x86)\*>*Q:\140066.enu\*
    Q:\140066.enu\*>*C:\Windows\*
    Q:\140066.enu\*>*C:\Program Files (x86)\*
    Q:\140066.enu\*>*Q:\140066.enu\*
    C:\Program Files (x86)\Adguard\Adguard.Tools.exe>*
    C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\acrotray.exe>*
    C:\Program Files\*>*C:\Windows\*
    D:\Tools\*>*
    C:\Program Files (x86)\Mozilla Maintenance Service\*>*
    C:\Program Files (x86)\Mozilla Firefox\updater.exe>*
    *chrome.exe>*software_reporter_tool.exe*
    C:\Program Files (x86)\*>*
    C:\Program Files\*>*
    C:\ProgramData\Adguard\Temp\?.?.???.???\setup-?.?.???.???.exe>*
    C:\ProgramData\Adguard\Temp\?.?.???.????\setup-?.?.???.????.exe>*
    C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe>*
    ?:\PortableApps\*>*
    ?:\Program Files\*>*
    [CMDBLACKLIST]
    # *>rundll32*
    [EOF]
    
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    No, I don't believe so. Since Bouncer is default-deny as I understand it, Bouncer would block anything that is not specifically whitelisted.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I used your policy to not allow the user-space to access Microsoft .NET Framework. I really like that one. I will see if I can find some more rules of yours that will work for me that I like later this evening. I have to do a few things around the house. I may have a couple of questions that have been nagging me that I don't understand about Bouncer Policy for the temp folder.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I was just thinking of the Microsoft .NET Framework rule further, and I do not see it making any difference on my machine since I do not have any applications installed in the user-space, and any executable that attempts to start in the user-space should be blocked. I will make the following rule below to block any user-space application from launching any System Space executable, and see if anything gets blocked in non-lethal mode.

    I had to change the Microsoft .NET rule to following below because the one you are using only covers part of Microsoft .NET Framework on my machine. Well, I got to get back to working around the house now.

    PARENTBLACKLIST
    C:\Users\*>C:\Windows\*
    #C:\Users\*>C:\Windows\Microsoft.NET\*
     
  12. kakaka

    kakaka Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    84
    In lethal mode only. In other words, when not in lethal mode, it blocks stuff in the blacklist only.

    Page 12 in PDF manual:

    If you specify
    [#LETHAL]
    in the configuration area of the .ini file, detected files shall be logged (if logging was enabled) but Bouncer will not block such executable files. In this mode, Bouncer is like a secured weapon, it is ready to enforce, but will not.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    WildByDesign and I both know that non-lethal mode will not actually block anything. It will just log what would be blocked if the user was in Lethal Mode. WildByDesign knew I was already aware of that when answering my question. Sorry, we should have been more clear.
     
  14. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    :thumb:
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Were you the one testing in the screenshots you posted, or did someone else test? I was wondering if you had tried Bouncer against that exploit page. I remember you informing me about the exploit, and I thought it was really cool to see how the different security software defended against it. I think it was an exploit anyway. It was pretty well written from the looks of it.
     
  16. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    I'm still confused about whether I should add two rules to the parent whitelist or not.

    I already have two rules:
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*

    In consideration of this:

    *\root\Office1?\*.exe>C:\Windows\*
    C:\Program Files (x86)\*>*splwow64.exe

    Do you think it is necessary to add the two rules below?

    C:\Program Files (x86)\*>C:\Windows\*
    C:\Program Files\*>C:\Windows\*
     
  17. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    In fact, I've just shared it with you here; I did not test it myself.

    If I find out about any website like that by any method, I will let you know.
     
    Last edited: May 31, 2016
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you for sharing it with me! I really like watching videos of Security Apps tested against well designed exploits that bypass many security apps. It's really nice to see the behavior of the exploits because it helps to write better SRP (software restriction policy).
     
  19. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Thank you WildByDesign for the rules.

    I have the rule below in [CMDWHITELIST]; what should I do to make this work?
    Code:
    !C:\KMPlayer\KMPlayer.exe> "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\wininet.dll",DispatchAPICall 1
    and also added this in [CMDBLACKLIST]
    Code:
    *>"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1
    but I still get this log:
    Code:
    2016/06/04_04:05:56 > CMDCHECK > C:\KMPlayer\KMPlayer.exe > "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\wininet.dll",DispatchAPICall 1 

    Also, how can I define the best rule for this?
    Code:
    C:\Program Files\WinRAR\WinRAR.exe > "C:\Program Files\Notepad2\Notepad2.exe" /z "C:\Windows\system32\NOTEPAD.EXE" C:\Users\username\AppData\Local\Temp\Rar$DIa0.892\file.txt
    I added the rule below and it works, but in the end I can launch another program with Notepad2.
    I want Notepad2 to be able to open only txt, nfo and htm files.

    Code:
    *WinRAR.exe>"C:\Program Files\Notepad2\Notepad2.exe" /z "C:\Windows\system32\NOTEPAD.EXE"*

    Thank you
     
  20. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Your rule contains a space character after >. You shall ensure that parent and child are separated with ">" symbol and without any spaces in between. Like this:

    Code:
    parent>child
    NOT: parent > child, or parent> child

    This should work:

    Code:
    !C:\KMPlayer\KMPlayer.exe>"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\wininet.dll",DispatchAPICall 1
    You must define rules for notepad2, not for winrar. Your rule just allows winrar to start notepad2. If you want to limit access from notepad2 to other applications you should define a rule telling what notepad2.exe is allowed (or not allowed) to start as parent process.
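As an added illustration for this thread (not Bouncer's own code, and not Excubits' matching algorithm), the Python below models the rule semantics the posts describe: default deny (WildByDesign, post 9), a leading `!` priority whitelist rule overruling a blacklist hit (post 1), `[#LETHAL]` turning blocks into log-only decisions (kakaka, post 12), and 4Shizzle's point just above that whitespace around `>` makes a parent or command-line rule dead. The evaluation order (file rules first, then parent rules, both default-deny), the case-insensitive `*`/`?` matching and the sample policy are assumptions constructed from rules quoted in the thread, so treat the results as a reading aid for your own Bouncer.ini, not as the driver's behaviour.

```python
"""Model of Bouncer.ini-style rule evaluation, written for this thread (added
illustration, not Excubits' code). Evaluation order (file rules first, then
parent rules, both default-deny) and wildcard semantics are assumptions."""
import fnmatch
import re

RULE_SECTIONS = ("WHITELIST", "BLACKLIST", "PARENTWHITELIST", "PARENTBLACKLIST",
                 "CMDWHITELIST", "CMDBLACKLIST")
_HEADER = re.compile(r"\[(#?)([A-Za-z0-9]+)\]")
_BAD_SEPARATOR = re.compile(r"\s>|>\s")  # 'parent > child' or 'parent> child'

# Constructed sample policy from rules quoted in the thread; the KMPlayer line
# deliberately keeps the space after '>' that 4Shizzle points out.
SAMPLE_INI = r"""
[LETHAL]
[WHITELIST]
# priority rule: overrules the C:\Windows\Temp\* blacklist entry below
!C:\Windows\Temp\MPGEAR.DLL
C:\Windows\*
C:\Program Files\*
[BLACKLIST]
C:\Windows\Temp\*
C:\Users\*\AppData\Local\Temp\*.dll
[PARENTWHITELIST]
C:\Windows\*>*
[PARENTBLACKLIST]
C:\Windows\System32\rundll32.exe>C:\Users\*\AppData\Local\Temp\*.dll
[CMDWHITELIST]
!C:\KMPlayer\KMPlayer.exe> "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\wininet.dll",DispatchAPICall 1
[EOF]
"""

def parse_ini(text):
    """Collect rules per section; a [#SECTION] header disables that section."""
    policy = {name: [] for name in RULE_SECTIONS}
    policy["LETHAL"] = False
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out rule
        header = _HEADER.fullmatch(line)
        if header:
            disabled, name = header.group(1) == "#", header.group(2).upper()
            if name == "LETHAL":
                policy["LETHAL"] = not disabled
            current = None if disabled else name
            continue
        if current in RULE_SECTIONS:
            policy[current].append(line)
    return policy

def _glob(pattern, subject):
    """Case-insensitive match: '*' spans any text, including '\\'; '?' is one char."""
    return fnmatch.fnmatchcase(subject.lower(), pattern.lower())

def first_hit(rules, *subjects):
    """First matching rule as (rule, is_priority), else None. Two subjects
    (parent, child) need a 'parent>child' rule with no spaces around '>'."""
    for rule in rules:
        priority = rule.startswith("!")
        body = rule[1:] if priority else rule
        patterns = body.split(">", 1) if len(subjects) == 2 else [body]
        if len(patterns) == len(subjects) and all(
                _glob(p, s) for p, s in zip(patterns, subjects)):
            return rule, priority
    return None

def _verdict(white_hit, black_hit):
    if white_hit and white_hit[1]:
        return "ALLOW", "priority rule " + white_hit[0]   # '!' overrules blacklist
    if black_hit:
        return "BLOCK", "blacklist rule " + black_hit[0]  # blacklist beats plain whitelist
    if white_hit:
        return "ALLOW", "whitelist rule " + white_hit[0]
    return "BLOCK", "no whitelist rule (default deny)"

def decide(policy, image, parent=None):
    """Return (action, reason); action is ALLOW, BLOCK, or LOG under [#LETHAL]."""
    action, reason = _verdict(first_hit(policy["WHITELIST"], image),
                              first_hit(policy["BLACKLIST"], image))
    if action == "ALLOW" and parent is not None:
        action, reason = _verdict(first_hit(policy["PARENTWHITELIST"], parent, image),
                                  first_hit(policy["PARENTBLACKLIST"], parent, image))
        reason = "PARENTCHECK: " + reason
    if action == "BLOCK" and not policy["LETHAL"]:
        action = "LOG"  # non-lethal mode: would have blocked, only logs
    return action, reason

def lint_separators(policy):
    """Parent/command rules with whitespace around '>' never match as intended."""
    return [rule for section in RULE_SECTIONS if section.startswith(("PARENT", "CMD"))
            for rule in policy[section] if _BAD_SEPARATOR.search(rule)]

POLICY = parse_ini(SAMPLE_INI)
NONLETHAL_POLICY = parse_ini(SAMPLE_INI.replace("[LETHAL]", "[#LETHAL]"))

if __name__ == "__main__":
    print(decide(POLICY, r"C:\Windows\Temp\MPGEAR.DLL", r"C:\Windows\System32\MRT.exe"))
    print(decide(POLICY, r"C:\Windows\Temp\other.dll", r"C:\Windows\System32\svchost.exe"))
    print("dead rules:", lint_separators(POLICY))
```

Run it as is, or call `parse_ini` on your own Bouncer.ini and feed `decide` the parent/child pairs from your bouncer.log; `lint_separators` lists the rules that can never fire because of the spacing mistake. Note the parent check in this model is also default-deny, which is why a whitelisted system executable is still blocked when its parent has no matching [PARENTWHITELIST] rule.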
     
  21. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Thank you very much
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Christmas in July? Well, maybe... :)

    Link: https://excubits.com/content/en/news.html


    I believe this was the most requested feature recently, particularly due to Secure Folders being abandoned. I am excited!
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Thanks for the good news @WildByDesign
    I wonder why they underscored that. Is this driver able to stop low level writes to the protected data?
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Mister X You're welcome. I apologize, that was me who added underlining to the quote. I should have mentioned that.

    To be quite honest, I don't know yet if it would stop low level writes to the protected data. That's something that we can all try once it shows up on the Beta Camp page. I don't have an early copy of the driver yet because I assume that he's still got to digitally sign the driver now that his internal testing of filtering read access has been achieved. Florian typically releases on weekends so I am keeping my fingers crossed.
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Alright, great! Thanks a lot.
     