Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
Yes, logging has been fixed and is working perfectly. I believe the issue was more to do with notification and didn't affect actual filtering. I recall a time period of testing some of the earlier builds of Bouncer where I was always getting double notifications; essentially what I mean is that I was getting operating system notifications (toasts in Win8/Win10) for each blocked executable. And I also remember a time when it was also notifying twice, one current and legit, while the other was the previous line in the bouncer.log file; it was notifying that as well at one point. But anyway, I can confirm that all of those issues are resolved, the notifications are working great, and so is the reporting to the Event Log.

    Yes, I can confirm that this "Browse for a file" issue is fixed as well. Admin Tool currently has the options to create Allow or Deny rules based on Path, File and Wildcard each with their own selection dialog.

    I believe the filtered executables are something like this:
    Code:
    *.exe,*.com,*.ocx,*.sys,*.dll,*.so,*.cpl,*.scr,*.amc,*.ax,*.bat,*.cmd,*.sdi,*.cpl,*.ime,*.iec,*.uce,*.tsp,*.nls,*.acm,*.drv,*.ps1,*.msp,*.mst,*.appx
    
    However, I believe that there are a few more that I am missing. Quite honestly, I don't believe that Bouncer filters .bin files. But what I am assuming with that previously logged .bin file, Bouncer is still able to determine if a different file extension (that isn't filtered) contains executable code and still block that code from executing. OpenOffice/LibreOffice comes to mind in how they use a .bin file running in memory, although I am sure there are other uses.

I like Bouncer for the simplicity as well. Personally, I think that the 3kb limit is more than enough for testing and also for most use cases. However, I agree, if you want that level of granularity then you could certainly blow past the 3kb limit. I like to tinker with things more and need more granular control as well, which is why I decided to purchase a lifetime licence, and now I am starting to go through the system folders with a much finer level of control.

If you tested it in its early days, dealing with test signing and such, along with some of the later builds of Bouncer as well... I would strongly suggest that it is worth testing again now, for sure. Bouncer has come a long way recently and the overall experience is quite good at the moment. The underlying driver has been reliable, stable and efficient for quite some time now. It's more the additional stuff like Admin Tool and BouncerTray which needed some time to mature, along with the related polling mechanism, notifications, etc. All of that has been polished recently. I would say give it a shot and see where things are at now.
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I wonder if Bouncer filters scripting files like .vbs, .vbe, .wsf, .wsc, cscript, etc. If it doesn't I think it could be made to easily.
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    That's a great idea, CE. And it makes good sense as well. I will pass this along to the developer to see if this can be done within Bouncer and/or another driver, depending. I remember him talking about something like that before but I will have to get more details. I will update this thread when I find out more.
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
I have updated my blacklist a bit more to further lock certain processes down in Windows and wanted to share what is working well so far. This is just a start, as I plan to add more and test more as I try different things out. Some processes like rundll32.exe, msiexec.exe, etc. can cause problems because they are legitimately called by Windows or programs from time to time. Those troublesome processes will be easier to add once the Bouncer developer combines the cmdLineScanner kernel-mode functionality into the Bouncer driver sometime in the near future. At the moment, that cmdLineScanner is a separate driver and only in private testing, but it is working extremely well. The plans are to combine functionality into the original Bouncer driver.

    I've added a few executables and wildcards to blacklist, including bitsadmin.exe which can be utilized in malicious ways (see here: https://www.wilderssecurity.com/thre...-hack-corporate-networks.375418/#post-2492697). It's an interesting read and a follow up and adaptation to Marcus Murray's research.

    Code:
    [BLACKLIST]
    C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*
    C:\Windows\System32\com\dmp\*
    C:\Windows\System32\FxsTmp\*
    C:\Windows\System32\spool\drivers\color\*
    C:\Windows\System32\spool\PRINTERS\*
    C:\Windows\System32\Tasks\*
    *powershell*.exe
    *regedit.exe
    *iexplore.exe
    *script.exe
    *vbc.exe
    *jsc.exe
    *ilasm.exe
    *csc.exe
    *bitsadmin.exe
    *hh.exe
    [EOF]
    I followed up with this great inquiry from CE with the Bouncer developer and I had initially answered CE in private with what the Bouncer dev said regarding those scripting interpreters. However, I realized that other users are likely wondering the same thing as well and that it would be more beneficial to post the follow up in public.

    So this quote below is the Bouncer developer's answer regarding CE's question.

     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
Very good discussions, guys. Enough so that I'm totally onboard with this and will be following along. Thanks.
     
  6. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    @WildByDesign: Thank you for answering and providing updated info re Bouncer.

Since my remarks and questions were related to most of the product's versions I tried, including the one prior to the latest, it's really nice to see these fixes. Regarding the Logging function, the strangest thing (briefly stated in my previous post) is that, upon executing a file located in a default-blacklisted location (=testing Bouncer), various Log entries corresponding to files irrelevant to the actual test exe file were getting created. For example, upon executing C:\Users\cguard\Desktop\a.exe, Bouncer was logging not only C:\Users\cguard\Desktop\a.exe, but also D:\MySoft\b.exe, D:\MySoft\c.exe, D:\MySoft\d.exe, etc. This behavior was random (=no obvious pattern) and arbitrary (=not always). My "I choose to believe that the buggy functionality is (was?) the Logging, not the Filtering" was based on that particular behavior. What is even stranger than this "strangest thing" is that it hasn't been reported before (if I have properly read through this thread), leaving me to wonder whether it was a system/setup-specific issue or not.

So, it's a pretty extensive list. I forgot to mention it in my previous post, but I can confirm *.bat and *.cmd. Good to know. I think that the author must make available the complete list, since it's crucial for whitelisting monitored/controllable file extensions located in default-denied locations, i.e. programdata and user-space.

    Regarding *.bin files:

a) I remembered the .bin file that got blocked/logged by Bouncer during testing of its previous version; it was C:\ProgramData\{28D5D3C0-9147-4bb7-B2D0-453118720FE3}\upddll.bin. I mention this because it's a file that gets created if one enables the shell integration of Secure Folders, alongside (<- I think) sfshell.dll. Secure Folders is a currently trending app on WildersSecurity, so heads up!
    b) your explanation (contained exe code) makes sense to me.

Anyway, I will definitely try Bouncer again at some point. Right now, I'm experimenting with an Applocker+ERP combo. As for purchasing a license to fully utilize/test Bouncer, I prefer to purchase only well-established and thoroughly-tested (when it comes to security) products. That being said, I value the ideas and security-oriented blog posts of Bouncer's author.

PS. About blacklisting "vulnerable" system apps, I think that cipher.exe, syskey.exe, vssadmin.exe and bcdedit.exe (depending on one's setup and/or needs) should be taken into consideration. IIRC, they are targeted by some (crypto-) ransomware.
     
    Last edited: May 23, 2015
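As an added illustration of the rule layout discussed in the posts above (the filtered-extension list, the [BLACKLIST] ... [EOF] wildcard file, and the ransomware-abused system binaries just mentioned), here is a small evaluator that reads a config in that layout and reports which sample paths it would block. This is example code written for this thread, not Bouncer's driver or any code from its developer; the config and paths are constructed, and the matching semantics (case-insensitive, `*` spanning backslashes, first blacklist hit wins, non-filtered extensions ignored) are assumptions, not a statement of how the real driver behaves.

```python
import fnmatch
import ntpath
import re

# Constructed sample config in the layout shown in the thread.
# Assumption: one wildcard pattern per line between [BLACKLIST] and [EOF].
SAMPLE_CONFIG = """\
[BLACKLIST]
C:\\Windows\\System32\\Tasks\\*
C:\\Windows\\System32\\spool\\PRINTERS\\*
*powershell*.exe
*bitsadmin.exe
*hh.exe
*vssadmin.exe
[EOF]
"""

# Extensions listed in the thread as filtered (assumption: compared case-insensitively).
FILTERED_EXTENSIONS = {
    ".exe", ".com", ".ocx", ".sys", ".dll", ".so", ".cpl", ".scr", ".amc", ".ax",
    ".bat", ".cmd", ".sdi", ".ime", ".iec", ".uce", ".tsp", ".nls", ".acm", ".drv",
    ".ps1", ".msp", ".mst", ".appx",
}


def parse_blacklist(text):
    """Return the patterns between [BLACKLIST] and [EOF], skipping blanks and '#' comments."""
    patterns, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.upper() == "[BLACKLIST]":
            in_section = True
        elif line.startswith("["):          # [EOF] or any other section ends it
            in_section = False
        elif in_section:
            patterns.append(line)
    return patterns


def compile_pattern(pattern):
    """Translate a wildcard rule into a case-insensitive, start-anchored regex.
    Assumption: '*' matches any run of characters, including backslashes."""
    return re.compile(fnmatch.translate(pattern), re.IGNORECASE)


def is_filtered_type(path):
    """True if the file extension is one the thread says Bouncer inspects."""
    return ntpath.splitext(path)[1].lower() in FILTERED_EXTENSIONS


def evaluate(path, patterns):
    """Return (verdict, matched_pattern); first matching blacklist entry wins."""
    if not is_filtered_type(path):
        return "ignored", None
    for pat in patterns:
        if compile_pattern(pat).match(path):
            return "blocked", pat
    return "allowed", None


if __name__ == "__main__":
    rules = parse_blacklist(SAMPLE_CONFIG)
    for p in (r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe",
              r"C:\Windows\System32\notepad.exe", r"C:\Users\me\Desktop\notes.txt"):
        print(p, "->", evaluate(p, rules))
```

Running the script prints one verdict per constructed path, which makes it easy to see why a broad rule such as a whole-drive `I:\*` would also catch every executable you intended to whitelist.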
  7. Dedal

    Dedal Registered Member

    Joined:
    May 24, 2015
    Posts:
    3
    Hi. I had the same bug in old version on Win 7 x64. New build is working fine for me so far.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome, my pleasure.

You're right, I agree with that. I will suggest to the developer to have available a list of the file extensions filtered by Bouncer. I'm sure that he will have no problem adding that to the F.A.Q. section of his site or something like that. Thanks for the suggestion. I will post here when a list of extensions has been made available.

    Thanks, those are great suggestions as well. I will add those executables to my own testing setup with Bouncer and test it out to see if there are any conflicts.
     
  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Hello

When I go to http://www.bitnuts.de/ it shows Exploitbuster. Is that the same as Bouncer?

    This was the link given on the first page of this thread.

    Thanks
     
  10. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
This is what I get when installed in Quitezone after restoring the deleted file from Norton.
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    The developer's research/development/malware blog is http://www.bitnuts.de/ which is where Bouncer was initially introduced. Bouncer was originally called Tuersteher Light (Tuersteher meaning Bouncer in German). Referring to a bouncer / door man in front of a club or bar.

    The official web site is www.excubits.com (Excubits is the name of the company/business that the developer has founded to encompass all of his drivers/software). English site: http://excubits.com/content/en/home.html

    I'm not entirely familiar with his Exploitbuster project. It is something completely different from Bouncer and has not been released to the public at this point. Just a private project, I assume.

    I apologize, but I am not familiar with Quitezone. I tried searching Google for Quitezone but couldn't come up with anything. What is it exactly?

I am assuming that Norton didn't allow the installation of Bouncer. Did you try disabling Norton's protection prior to installing Bouncer?

    Judging from the screenshot, it looks like the driver for Bouncer was intercepted and not allowed to start. I'm not entirely sure which component of Norton blocked it though, so please let me know if there are more details. The drivers and executables for Bouncer are all digitally signed and legitimate, so that should generally be a good thing as far as Norton is concerned. Unless a component of Norton is blocking based on how "well known" a software product / driver / digital signature is. It's an area that I am not very familiar with. But please feel free to provide more info if possible and I am happy to do what I can to help. Also, now that I think about it, Bouncer's new Installer is also digitally signed as well.

    Are there any other Norton users here who have used Bouncer together with Norton?
     
  12. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Thank you

The downloaded file was first detected and deleted by Norton; I then told Norton to whitelist it. The stop was, I am guessing, from Quietzone.

Returnil, who have a forum right here on Wilders, are the makers of Quietzone; just take a peek at their section.

    https://www.wilderssecurity.com/forums/returnil-releases.101/

    I don't want to turn off Quietzone to install it. That is why I use it.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
I just installed the latest Demo of Bouncer, and it is not blocking anything. It just keeps saying Bouncer has detected unknown code in...... The tray icon is red, but the driver status says running. I selected the box that says Lethal. I left logging checked. I'm not sure I'm understanding how Bouncer is supposed to work. Shouldn't Bouncer block anything not allowed by path or hash? I ran the Notepad++ installer from the desktop, and it allowed it to execute. I cancelled the installer because I was only using it to test that Bouncer was working. It only said it detected unknown code within the installer. It was a .dll file it detected. The desktop is within the user profile, and I don't have it whitelisted. Why did it allow the installer to execute? I also configured Bouncer to deny executions from an entire drive path (I:\*), and it is allowing executions from there as well. I'm using the settings in the image below. What am I doing wrong? The shield icon is red right now. I was thinking it should be green when protection is enabled.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think I discovered the problem. I did not reboot, but Bouncer did not ask me to either. Everything looked like it was up, and running so I started testing it.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
I did a short test on the desktop but probably did it wrong. White/blacklists seem to work well enough; however, this is what I did in order to run a (selected) single executable within a folder on the blacklist. I added that single exe to the whitelist both through the GUI and, trying again, via direct entry in the config ini, with the same result. The blacklisted folder overrides my single exe whitelist entry. Be advised I also turned off the Bouncer driver before attempting to make changes to the config, then restarted the driver, which initializes instantly of course. I read the manual but might be missing something on this. All in all, though, this is a very interesting work and I'm looking forward to it improving.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
If that's the case then that could pose a problem for me. I need to blacklist an entire drive, and then choose executables within folders on the drive to allow. I just looked at the config ini file, and I don't see any of the rules in it that I have added using the Admin Tool. I don't even see any of the rules in it that came by default. I'm wondering what the deal is with it scanning executables on the drive that are not attempting to execute, and notifying me that they contain unknown code. That is annoying. It is filling up my log file quickly. It makes it really hard to find the log entries I need to find to configure rules.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Bouncer keeps saying it has found unknown code in my notepad files. There is no executable code contained within them though. The only thing contained within the notepad files are reminder notes, or URL Links. It logs them too. Something really needs to be done to cut down on the logging so the user can find what they are looking for in the log file. It logged my entire software backup on my external drive saying each installer contained unknown executable code.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    My tray icon stays red most of the time. It appears that Bouncer counts my installers on my external drive as code attempting to execute when in fact the installers are not trying to execute at all.
     
  19. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    I haven't tried the latest version, but:

    @Cutting_Edgetech

    1. Re the Admin Tool - ini config issue, you have to "Load" configuration by browsing for the (\WINDOWS located) .ini file in order to be able to see your rules. Also, after adding/removing rules via Admin Tool, you have to "Save" your new configuration in the .ini file. (aka, Admin Tool does not automatically load/save configuration)

    2. Re the various log entries, are you using the latest version? (haven't tried it myself, though)

    @EASTER

    Strange. Have you tried to stop-start (not restart) the driver?
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
Yes, it was strange, but I'll tinker around with it some more. It just wasn't as cut and dried as I expected, but no real biggie right now while I try different sets of entry lines to manage the white/blacklists etc. I'll post back on the results (if any).
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm trying the latest version available to the public. Ok, I was looking at the wrong ini config file then. Easter said he stopped the driver before making the changes to the ini file, and then started the driver back again.
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The blacklist is overriding the whitelist on my machine also. I blacklisted an external drive which is I:\*, and whitelisted an executable on the drive. The executable gets blocked anyways.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
Well, guys, I'm beat. I'm retiring for the night. I have to get up early. I will send the developer some good feedback about the issues I'm experiencing.
     
  24. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
I noticed that he used the word "restarted", probably implying "started back", but since Bouncer is a little peculiar (in my experience) regarding its stop-start-restart driver operations, I thought to point that out just in case he was actually hitting the "restart" button.

Anyway, blacklist exceptions getting blocked sounds like a serious issue; it needs to be addressed.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
Ok. This is what worked for me (Windows 8.0 64 bit). I had a feeling my syntax was off balance, and it was ;)

Instead of adding the entire PATH to the whitelist in Bouncer **DEMO**, I just added the single exe that I want permission to execute, using the *wildcard method, directly into the config file. Bouncer's Admin Tool does allow you to browse and manually select an executable you want to run, and displays the entire PATH from C:\, which for some reason it wouldn't recognize at first, but it seems to work just fine now when adding with the Admin Tool. Also, I think a little confusion might have come in by having to start and stop the driver in order to make the changes to the config file (white/blacklists).

Like I said, no real biggie, and I am loving this driver coupled with NVT-ERP.
     