Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @hjlbx I believe that the command line scanning functionality within Bouncer has received more improvements (performance and otherwise) in comparison to the standalone command line scanner. For instance, the one in Bouncer has priority rules and other newer features, I believe. The initial command line scanner driver was sort of like a playground to test the new features and implement them cleanly before transferring over to Bouncer.

    Anyway, here are a few moments of logging from the CMDCHECK feature in Bouncer, since it is more up to date:
    Code:
    2016/10/07_14:36:26 > CMDCHECK > C:\Windows\System32\svchost.exe > "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    2016/10/07_14:36:26 > CMDCHECK > C:\Windows\System32\svchost.exe > "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
    2016/10/07_14:36:26 > CMDCHECK > C:\Windows\System32\svchost.exe > C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    2016/10/07_14:36:26 > CMDCHECK > C:\Windows\System32\svchost.exe > C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    2016/10/07_14:36:33 > CMDCHECK > C:\Windows\System32\svchost.exe > "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    2016/10/07_14:36:33 > CMDCHECK > C:\Windows\System32\svchost.exe > "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    2016/10/07_14:36:34 > CMDCHECK > C:\Windows\explorer.exe > "C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE" "Microsoft Word Starter 2010 9014006604090000"
    2016/10/07_14:36:45 > CMDCHECK > C:\Windows\System32\svchost.exe > "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    2016/10/07_14:36:45 > CMDCHECK > C:\Windows\System32\svchost.exe > "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    2016/10/07_14:36:46 > CMDCHECK > C:\Windows\System32\svchost.exe > C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    2016/10/07_14:36:48 > CMDCHECK > C:\Windows\System32\svchost.exe > "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    2016/10/07_14:36:48 > CMDCHECK > C:\Windows\System32\svchost.exe > "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    2016/10/07_14:36:52 > CMDCHECK > C:\Windows\explorer.exe > "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
    2016/10/07_14:36:59 > CMDCHECK > C:\Windows\System32\svchost.exe > "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    2016/10/07_14:36:59 > CMDCHECK > C:\Windows\System32\svchost.exe > "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    2016/10/07_14:37:03 > CMDCHECK > C:\Windows\explorer.exe > "C:\Windows\system32\notepad.exe"
    
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Some positive news from Florian regarding all drivers leaving Beta stage soon, shipping digitally signed, etc.
     
  3. hjlbx

    hjlbx Guest

    So what is the licensing model to be with the new release?

    What about those that already have purchased lifetime licenses of Bouncer, Command Line Scanner and MZ Write Scanner?

    Will those folks have to switch to the annual subscription to get the most recent builds, as they will only be available in the Excubits "suite"?
     
  4. hjlbx

    hjlbx Guest

    Thanks bro... I am thinking about using Command Line Scanner as a command line with arguments capture and logging utility... LOL - because, basically at default install, that is what it is...
     
  5. guest

    guest Guest

    Regarding Bouncer, "early adopters" shouldn't be affected by this, but new users:
    According to the readme.txt and after looking in the cmdscanner.sys it should have Priority Rules.
    But the last version was released more than half a year ago, so Bouncer (final=~4 months ago, beta=~2 months ago) has definitely received more improvements (performance, etc.) than "cmd-scanner".
    Users of Bouncer have an "optimized version" of Command Line Scanner, so to speak. :)
     
  6. hjlbx

    hjlbx Guest

    Anyone know what the annual subscription fee will be for Excubits "Suite" ?
     
  7. guest

    guest Guest

    If you buy it now = ~39 EUR. After one year you have to pay the same amount for an updated version, but maybe someone has more information about it.
    If you want no updated version after one year = no fee.
     
  8. Schorg

    Schorg Guest

    I have asked Florian this very same question. If previous purchase, roughly 5-10 euros each (don't quote me ;)). I never went into detail as I believe very reasonable, but for big changes a higher price as expected, not anytime soon though.

    Only if you wish to have the latest features, and even then a very reasonable price. No need to purchase every year because they can be used for a longer period.

    CmdScanner has the same priority rules, silent rules etc. as Bouncer. Also on the to-do list: add CmdScanner tray functionality, which will be great.

     
    Last edited by a moderator: Oct 7, 2016
  9. themorpethian

    themorpethian Registered Member

    Joined:
    May 6, 2006
    Posts:
    35
    Can you not just buy FIDES or Mem instead of Bouncer? The website just goes to Bouncer.
    I look at this site every day and must admit I'm lost. Is it FIDES, Bouncer or MemProtect? The posts need to be split up into categories with stickies of the .ini files.
    I'm back using SSRP instead of SOB because it's a signed installer, but I would gladly buy Bouncer or FIDES and MemProtect.
    And PLEASE does someone have a bog standard Bouncer .ini as of SRP, nothing fancy, just to play with on VirtualBox to get started.

    Thanks in advance

    Steve
     
  10. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Yes, you can also buy just FIDES and MemProtect; write the developer an e-mail.

    There is a thread here; this should help.

    About a basic configuration for a VM: it depends on your config. What version of Windows do you use? Is it the 32-bit or 64-bit edition? What additional apps are installed?

    Normally you first whitelist trusted applications and paths. Then you basically blacklist untrusted paths or limit applications from doing evil stuff if exploited. E.g. don't allow the Google Chrome EXE (chrome.exe) to inject code into other executables (example for MemProtect). Or for FIDES/Pumpernickel don't allow chrome.exe to write doc files or into personal folders (e.g. your private pictures or videos).
     
  11. themorpethian

    themorpethian Registered Member

    Joined:
    May 6, 2006
    Posts:
    35
    Thanks for the reply, I'll set up a new VirtualBox.
    I'm using Windows Home x64 with Windows Defender, SSRP, FIDES (beta I think).
     
  12. 142395

    142395 Guest

    Firstly, very sorry for the much delayed reply. :(
    I actually read your reply soon after but couldn't find time to log in here.
    Yes, and thanks for that, I didn't know about the space; actually, including the space spoiled any rule I created.
    But it means we can't simply copy & paste from the log... a bit inconvenient.
    No, as I didn't know that the space mattered, it seemed most of my rules didn't work.
    As I have some time now, I'll test these things again.
    I know, and I'm wondering how granular rule sets best fit for me... in my testing, it seems the priority rule doesn't work in the expected way for the parent rule section.

    What I tried: blacklist the entire %Systemroot%\Temp\ in [Blacklist] and only allow individual needed files, that is:
    Code:
    C:\Windows\Temp\mpam-o_Oo_O??.exe
    C:\Windows\Temp\o_Oo_O??-o_O?-o_O?-o_O?-o_Oo_Oo_Oo_O\MPSigStub.exe
    (I confirmed the # of ?s, it's definitely right.)
    by putting ! before the whitelist rules.
    Same goes for parent rules: put ! before any parent rule which includes the above 2 strings, while all other execution from/to Temp is blacklisted by the * wildcard.

    Result: Whatever I tried, I always got alerts about mpam-o_Oo_O??.exe & MPSigStub.exe.

    Haven't tried yet but it seems to make sense. Currently trying to execute msiexec only when the proper command line is passed by Windows Update. Oh, but Windows Update does not come often... maybe I need to test it with some .msi package first.


    I understand, thanks. I blacklisted the exes listed in your post #1501; only msiexec (same as you) and reg.exe made alerts, so I excluded them. I also find some exes listed are not on my Win10; it seems they are no longer supported (maybe only on older Windows) so I skipped them. And BTW, auditpool (next to the bottom in your list) must be a typo, it's auditpol.exe. ;)

    JFYI, though I no longer experience that flashing issue, I found it actually has something to do with Bouncer itself and not the tray app, even in non-LETHAL mode. It seems the issue was caused because too much processing was caused and this forced explorer to restart, because just after I enabled parent rules with a too general blacklisting rule I experienced that again. After I toggled rules (I needed to kill BouncerTray first to suppress the endless flood of alarms) the issue disappeared. :)

    Sorry again for the delay, but thanks for your inputs. Especially the space matter really saved me!
     
    Last edited by a moderator: Oct 26, 2016
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    This is actually a really good point. It would be nice to be able to simply copy and paste blocked lines from the log files. I will talk to Florian about this soon and see if he can have those spaces before and after the > symbol removed from the log files. I'm certain that it will be possible. There is expected to be a big release soon of all drivers being promoted to stable versions. So I will discuss this space issue with him after the release since he has already compiled and signed the binaries for this upcoming release.

    So one of the tricky things regarding the priority rules is that those rules need to be at the top of their specific section. Also, I should note that environment variables such as %Systemroot% do not work because it would require a user-mode component.

    Example:

    Code:
    [WHITELIST]
    #    Google Chrome / Chromium
    !C:\Windows\Temp\??_?????.tmp\setup.exe
    #    Mozilla Firefox
    !C:\Windows\Temp\???????.tmp\*.dll
    #    DISM
    !C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe
    !C:\Windows\Temp\????????-????-????-????-????????????\*.dll
    #    Intel Dynamic Platform and Thermal Framework
    !C:\Windows\Temp\DPTF\esif_assist_64.exe
    !C:\Windows\Temp\DPTF\dptf_*proxy.dll
    #    Malicious Software Removal Tool
    !C:\Windows\Temp\MPGEAR.DLL
    !C:\Windows\Temp\MPENGINE.DLL
    #non-priority rules here
    #non-priority rules here
    #non-priority rules here
    #    Windows
    C:\Windows\*
    [BLACKLIST]
    C:\Windows\Temp\*
    [PARENTWHITELIST]
    #    Chrome \ Chromium
    !C:\Windows\Temp\??_?????.tmp\setup.exe>C:\Program Files (x86)\Google\Chrome\Application\??.?.????.*\Installer\setup.exe
    !C:\Windows\Temp\??_?????.tmp\setup.exe>C:\Windows\*
    #    DISM
    !C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\*.dll
    #    Intel Dynamic Platform and Thermal Framework
    !C:\Windows\Temp\DPTF\esif_assist_64.exe>C:\Windows\*.dll
    #non-priority rules here
    #non-priority rules here
    #non-priority rules here
    #    Windows
    C:\Windows\*>*
    [PARENTBLACKLIST]
    C:\Windows\Temp\*>*
    As you can see above, I have C:\Windows\Temp\ blocked in both my blacklist and parent blacklist sections. Therefore, we need priority rules in whitelist and parent whitelist to override those blacklist rules to allow legitimate executables that are known to run from those locations. So the most important part to remember is that the priority rules need to be at the top of their specific section, followed by the regular non-priority rules. The order is important because within the kernel, the config file is processed in order of the lines. So for example, if we put a regular non-priority rule of C:\Windows\* above the priority rules, it would process C:\Windows\* whitelist rule first.

    Hopefully that helps clarify the importance of priority rules (!) and also silence rules ($) being at the top of their specific sections.

    When you copy/paste rules here at the forum, please try to paste within code tags so that the forum does not mess up the rules. So I just copied/pasted your examples into the code box below, but you will have to review the characters because they have likely been garbled a bit.

    So from your example:

    Code:
    [WHITELIST]
    !C:\Windows\Temp\mpam-o_Oo_O??.exe
    !C:\Windows\Temp\o_Oo_O??-o_O?-o_O?-o_O?-o_Oo_Oo_Oo_O\MPSigStub.exe
    #    non-priority rules below
    C:\Windows\*
    [BLACKLIST]
    C:\Windows\Temp\*
    [PARENTWHITELIST]
    !C:\Windows\Temp\mpam-o_Oo_O??.exe>*
    !C:\Windows\Temp\o_Oo_O??-o_O?-o_O?-o_O?-o_Oo_Oo_Oo_O\MPSigStub.exe>*
    #    non-priority rules below
    C:\Windows\*>*
    [PARENTBLACKLIST]
    C:\Windows\Temp\*>*
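As an added illustration (this is not Excubits' code, and the exact kernel semantics are assumed: first matching rule in a section counts, only a "!" whitelist hit overrides the blacklist, parent rules are "parent>child" as in the CMDCHECK log order, globs are matched case-insensitively), here is a small Python model of the ordering point above, plus a helper that turns a CMDCHECK log line into a parent rule without the spaces around ">":

```python
import fnmatch

# Toy model of the .ini semantics described in the post above (not the Excubits driver):
# rules are checked in file order, the first matching rule in a section counts, and only
# a '!' priority whitelist hit overrides the blacklist.
SECTIONS = ("WHITELIST", "BLACKLIST", "PARENTWHITELIST", "PARENTBLACKLIST")

def parse_ini(text):
    """Return {section: [(is_priority, pattern), ...]}, preserving line order."""
    rules, section = {s: [] for s in SECTIONS}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
        elif section in rules:
            rules[section].append((line.startswith("!"), line.lstrip("!")))
    return rules

def first_match(rule_list, subject):
    """First rule whose glob ('*' any run, '?' one char) matches, else None."""
    for is_priority, pattern in rule_list:
        if fnmatch.fnmatchcase(subject.lower(), pattern.lower()):
            return is_priority, pattern
    return None

def _decide(white, black, subject):
    hit = first_match(white, subject)
    if hit and hit[0]:                 # '!' priority whitelist wins outright
        return "allow"
    if first_match(black, subject):    # blacklist beats a plain whitelist hit
        return "block"
    return "allow" if hit else "block"

def decide(rules, child, parent=None):
    """Verdict for image `child`; with `parent`, also check the 'parent>child' rules."""
    verdict = _decide(rules["WHITELIST"], rules["BLACKLIST"], child)
    if verdict == "allow" and parent:
        verdict = _decide(rules["PARENTWHITELIST"], rules["PARENTBLACKLIST"], f"{parent}>{child}")
    return verdict

def log_to_parent_rule(line):
    """'parent>child' rule from a CMDCHECK log line: drops the spaces around '>'
    and the command-line arguments, both of which would break the rule."""
    _stamp, _tag, parent, cmdline = line.split(" > ", 3)
    child = cmdline.split('"')[1] if cmdline.startswith('"') else cmdline.split(" ")[0]
    return f"{parent}>{child}"

GOOD_INI = r"""[WHITELIST]
!C:\Windows\Temp\DPTF\esif_assist_64.exe
C:\Windows\*
[BLACKLIST]
C:\Windows\Temp\*
[PARENTWHITELIST]
!C:\Windows\Temp\DPTF\esif_assist_64.exe>C:\Windows\*.dll
C:\Windows\*>*
[PARENTBLACKLIST]
C:\Windows\Temp\*>*
"""
# Same rules, but with the plain C:\Windows\* line above the '!' priority rule.
BAD_INI = GOOD_INI.replace("!C:\\Windows\\Temp\\DPTF\\esif_assist_64.exe\nC:\\Windows\\*",
                           "C:\\Windows\\*\n!C:\\Windows\\Temp\\DPTF\\esif_assist_64.exe")
```

With GOOD_INI the Intel esif_assist_64.exe in Temp is allowed while an unknown Temp executable is blocked; with BAD_INI the plain C:\Windows\* line matches first, the "!" rule is never reached, and the blacklist blocks esif_assist_64.exe too.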
     
  14. 142395

    142395 Guest

    How can I get new version?
    I purchased permanent license and got download link and password, so do I need to re-download new version from the link?
    Also, do you know if I can change my email address used for that?

    Really!? Oh, I didn't know that too...I think I should re-read the manual more carefully. I'll test this later.

    Thanks for that too, I'll take your advice from now on.

    Also, does the silent rule work in the current stable version? I know of it, but as the manual doesn't mention it, I assumed it's only in the beta.
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Generally whenever an updated paid version is available, yes, you would use that special link and password to download the new build. However, that still has the version from May 24, 2016. If you email Florian, as a paid user, he would likely send you a copy of the upcoming stable build. You can also email him regarding a change to your email address with regard to your registration. Although, and I'm taking a guess here, but I assume that all drivers will likely be released this coming weekend as stable (in 3-4 days) and therefore the paid and demo builds will be available very soon. The drivers are already compiled and SHA256 / EV cert signed with Microsoft Windows cross-signing to deal with Secure Boot and Windows 10 Anniversary Update requirements and the tray tool binaries are also SHA256 signed. So he is essentially just running some last minute tests with these upcoming stable builds (Bouncer, cmdScanner, MZWriteScanner, MemProtect, and Pumpernickel/FIDES) and these will all leave beta stage. There are some more exciting things to come as well but I will try to keep some things as a surprise for now. But I am crossing my fingers and hoping for this coming weekend if all goes well.

    No, those silent rules are still only available in those beta releases. But the nice thing is that silent rules are in all of the drivers now and will be available in the upcoming releases. Personally, I've found the silent rules to be quite a nice feature. A lot of great suggestions, such as that silent rule feature, came from users here at Wilders.
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Brand new build of Bouncer up as of 2016/10/30.

    News: https://excubits.com/content/en/news.html
    Demo download: https://excubits.com/content/en/products_bouncer.html
    Updated user manual: https://excubits.com/content/files/bouncer_manual.pdf

    Updated paid builds available already as well on the unique links/passwords that were provided initially.

    It looks like what Florian is doing is releasing Bouncer builds today and the stable builds for MemProtect, cmdScanner, MZWriteScanner, and Pumpernickel/FIDES will come later throughout the week. :thumb:
     
  17. guest

    guest Guest

    Nice new feature. Switching between different ini-files is easy now.
    :thumb:

    Some more days and all other tools are out of beta. Finally.
    I had no problems with the beta-versions in the last months.
     
  18. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Thanks for the update. I don't have too much time to test it now,
    but I tested the config exchange file. It's very good and fast; it just needs predefined configs for different purposes.
    Also note: back up your config, as it will overwrite your current config.
     
  19. 142395

    142395 Guest

    @WildByDesign Thanks for clarification as always. Congrats for new version!
    I wonder how much Memprotect & Pumpernickel will be.
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome. I am especially happy to see all of the recent features (Install Mode, Silent Rules, Priority Rules, Exchange Config File, EV cert., etc.) across each of the drivers now plus identical tray tools for each.

    I don't know yet what the individual cost is, but you can certainly feel free to email Florian directly and he can let you know.
     
  21. kakaka

    kakaka Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    84
    Probably around 10 Euros.
     
  22. 142395

    142395 Guest

    Putting "!" ahead of all other rules seems to solved the problem. I'm now thinking how to use different ini files, as well as command line things.

    It will be great if he can provide set/combo price (I don't know what to say correctly) i.e. if each of 3 costs $10, sell all 3 at $25, not $30.
    But I'll just wait for the official release.
     
  23. themorpethian

    themorpethian Registered Member

    Joined:
    May 6, 2006
    Posts:
    35
    OK, I'm using SSRP with Windows temp and local appdata blocked; tried Bouncer many times. I just want FIDES and MemProtect, they fill the gap in my setup.
     
  24. themorpethian

    themorpethian Registered Member

    Joined:
    May 6, 2006
    Posts:
    35
    OK, sent Excubits an email:
    I've been a member of Wilders Security Forum for a few years now, which is where I first heard about Excubits. I've tried Bouncer, Pumpernickel etc., and now feel confident enough to put the software on my main machine (not VirtualBox). Could you please give me a price for FIDES and MemProtect, as I'm sure a lot of people on Wilders would like to know as well. Or do you buy the Bouncer package?

    Bad English for an Englander, well it is 5 in the morning LOL, hope I get a reply!
     
  25. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Asked Florian: As you said, each is 10 EUR; there will be a combo price if you order three out of {MemProtect, Pumpernickel/FIDES, cmdScanner, MZWriteScanner}. Bouncer/Türsteher keeps its current price tag, which is somehow ok/fair because there are more functions in it.

    I also had time to install the new version of Türsteher: works great and no issues so far. Silent rules are a nice feature. Set Skype on the blacklist on a Windows 10 system; other exes that I don't want to start automatically will follow. Great idea.
     