Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I have attached the icons that I use for Bouncer to this post. You have to rename the .png extension to .ico for the three attached icon files and copy them over the ones in your Bouncer directory and BouncerTray will use these now. The file names match the icons of the current Bouncer release.
     


  2. powerpack

    powerpack Registered Member

    Joined:
    Mar 23, 2010
    Posts:
    42
    Location:
    Now-here or NO-WHERE
    Thanks WildByDesign for your efforts and input on 'Bouncer'. Well, I previously used it when it was "Tuersteher Light" and I found it really complex compared to the other approach, i.e. Pretty Good Security and Software Policy.
    But now it's really simple to use (with only one limitation, the configuration file limit of 3 KB) on my Win 7 Home Premium 64-bit. I just load it with a simple config for now and will edit it in detail (as suggested by other members in the forums like MrBrian, Kees, etc.).
    I am just thinking about some additions/combinations:
    1. Bouncer + PGS : Want to use PGS just to configure the admin account as user account with 'Run As Admin' option available when needed.
    2. Bouncer + Secure Folder (https://www.wilderssecurity.com/threads/easy-security-for-anti-exploit-anti-ransomware.374923) : Secure folder for detail configuration scope without any limit for free.
    3. PGS + Secure Folder : same reason as above.

    I will play with the combinations to see how it goes, or might use just Bouncer :)
    Thank you,
    HDP
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome, my pleasure.
    I agree, initially as "Tuersteher Light" it was quite tricky to use and configure and now Bouncer has come a long way as far as ease of use and configuration. I have also followed the fabulous advice of MrBrian, Kees, etc. for quite some time as well.

    Regarding the 3KB config file limit. I have to be quite honest, for the free version of Bouncer it seems like a pretty decent and fair limit. For most basic setups and from much of my own testing of Bouncer for a few months now, my configs were always under 3KB anyway. I should also point out that, now with wildcard abilities, you can shrink your config down quite a bit more as well now. I purchased a lifetime licence anyway simply because I believe in the developer's vision and also to show my support. Yet, my config right now is still 2KB.

    From my understanding, the main purpose for the 3KB limit is because, in the right hands and with the right knowledge, someone could make a lot of money from Bouncer. The Bouncer driver is so powerful that you could literally create a completely locked down "Kiosk" type of system and that is where big money can be made. With the right knowledge, creativity, etc. there are almost endless possibilities, particularly now with the wildcards as well. The developer licences custom drivers based on Bouncer to large corporations for those purposes.

    Those are all good combinations. Although I suppose it depends on how far you want to take your security. You would be fine with any one of those security software tools even on their own with a well thought out and defined config/policy. It all comes down to security vs. usability and what suits your style the best. Trying out those different combinations for a few days is certainly a good idea. Feel free to share your findings and conclusions.
     
  4. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    For those using portable software from PortableApps.com, this wildcard Allow rule will help make Bouncer more quiet:
    Allow: C:\Users\xxxxx\AppData\Local\Temp\ns*.tmp\*.dll

    PortableApps's launcher on each execution makes temp folders containing DLLs. Unlike Software Policy (SSRP), Bouncer blocks DLLs by default. This means Bouncer had been notifying me of a block every time a portable app from that site was run. The format of the temp folder names is NSxxxx.tmp (e.g. nspD743.tmp, nsjEB7.tmp, nsj40BF.tmp, etc.) and the DLLs vary from app to app but generally include FindProcDLL.dll, System.dll, and newavsplash.dll.

    An alternative could be to use different lines for each expected .DLL file (e.g. Allow C:\Users\xxxxx\AppData\Local\Temp\ns*.tmp\System.dll, C:\Users\xxxxx\AppData\Local\Temp\ns*.tmp\FindProcDLL.dll, etc.) but that wouldn't really add much more security IMO and would bring the configuration file closer to 3 KB.
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Upcoming Bouncer bits:

    • A proper Installer to install the Bouncer driver, applications, setup to auto-start tray app with Windows, associate EventSource so that Bouncer logs events to Event Viewer, etc.
    • A more efficient and better method for notifications compared to the previous polling mechanism.
    • New icon set for Bouncer (also icons for other Excubits software such as MZWriteScanner)

    An updated version of Bouncer should be released (with the above features) within the next two weeks. I am still thoroughly testing the hash-based Bouncer Plus, which is fantastic so far and is undergoing some more internal changes before it gets released as well. The Plus version of the driver will also include all of the recent wildcard additions, just like the original Bouncer driver, which will be extremely beneficial. I will update this thread when it gets closer to release.
     


  6. powerpack

    powerpack Registered Member

    Joined:
    Mar 23, 2010
    Posts:
    42
    Location:
    Now-here or NO-WHERE
    [Attached images: temp folder.JPG, bouncer2.JPG]
    Thanks for your thoughts and I completely agree with it.
    I am testing Bouncer with Secure Folder as per "Safe Admin setup by Kees" and everything is smooth and silky! I do feel that Bouncer alone is capable of securing the PC, and the addition of Secure Folder seems OK as both programs complement each other very well.

    It seems I have got something weird here: Bouncer keeps blocking one file constantly (it constantly pops up on screen), "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL", and my D: and E: drives are populated with some temp folders, please check the image. There are no such folders on the C: drive though.

    Thank you
     
  7. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    For whatever reason, some programs install their registry entries using the short name (8.3) notation for the two folders for program files:

    "Progra~1" and "Progra~2" are just the short file name for "Program files" and "Program Files (x86)" respectively.

    You could put a wildcard exception for:
    c:\progra~1\*
    c:\progra~2\*

    Or I suppose you could mess around in the registry and convert each instance to a long filename notation. I think putting the Bouncer exceptions is the easier approach.

    Some more info and how to disable 8.3:
    https://support.microsoft.com/en-us/kb/121007
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    This is interesting because I had a similar thing going on with Microsoft Office, but in my case it was the 2010 Starter Edition (Click-to-Run). Whenever I clicked on the Click-to-Run Application Manager in Control Panel it would block something in C:\PROGRA~2\COMMON~1\MICROS~1\VIRTUA~1\*. It's funny to see that in both cases it is Microsoft software that's using old style 8.3.

    I'm going to talk to the developer and see. It should be possible, internally within the driver, to make it so that if a user whitelists C:\Program Files\*, for example, it automatically translates the 8.3 format as well. I didn't expect that there would be much need for it, but it seems that Microsoft themselves are using it within Office in a few cases. So that is something that should be able to be fixed internally. But for now, RJK3's suggestion is good and makes sense anyway since those directories are whitelisted generally.

    You could do like RJK3 suggested:

    Code:
    [WHITELIST]
    C:\PROGRA~1\*
    C:\PROGRA~2\*
    Or if you wanted to be more specific:

    Code:
    [WHITELIST]
    C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\*.DLL
    C:\PROGRA~2\COMMON~1\SONYSH~1\VAIOEN~1\VzCdb\*.DLL
    However, if you already have C:\Program Files\ and C:\Program Files (x86)\ whitelisted which is pretty typical, then I would recommend following RJK3's suggestion and go with the shorter code in the first code box.

    And I will talk with the developer regarding having this done internally within the driver because it should be possible.

    EDIT: I almost forgot. Regarding the populating of your D: and E: drives with temporary folders, I am not certain what that would be exactly. Does that happen normally on your system? Or is that related to the Bouncer blockages? Anyway, get the exceptions put into your whitelist from above, restart the Bouncer driver for it to take effect and see if it continues with those temp folders. You may have to restart your computer, depending on which program is creating those temp folders, when that program does that task, etc.
     
  9. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    Have you tried setting the registry entry which controls whether 8.3 are/can be used?

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation

    Specifies whether NTFS generates a short name in the 8.3 naming convention for long file names and for file names that contain characters from the extended character set. If the value of this entry is 0, then files can have two names: the name that the user specifies and the short name that NTFS generates. If the name that the user specifies conforms to the 8.3 naming convention, then NTFS does not generate a short name.

    Changing this value does not change the file, but it does change the way that NTFS displays and manages the file. Also, files are named according to whatever rule is specified by this entry at the time of their creation; changing this entry does not alter the names of existing files.
    -----------------------------------------------------
    Value and Meaning

    0 NTFS creates short file names. This setting enables applications that cannot process long file names and computers that use different code pages to find the files.

    1 NTFS does not create short file names. Although this setting increases file performance, applications that cannot process long file names, and computers that use different code pages, might not be able to find the files.

    2 NTFS sets the 8.3 naming convention creation on a per volume basis.

    3 NTFS disables 8dot3 name creation on all volumes except the system volume.
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Thank you for the detailed information on controlling whether or not 8.3 is used or not, jwcca. It's an area that I am not very familiar with. But I don't personally want to dig too far into it to make changes system wide although I am always happy to learn how different things work. By the way, it's good to see another Wilder's member from the same area. Cheers!
     
  11. powerpack

    powerpack Registered Member

    Joined:
    Mar 23, 2010
    Posts:
    42
    Location:
    Now-here or NO-WHERE
    Thank you RJK3 for the link and suggestion
    I will add those rules as they don't seem to be problematic and are pretty straightforward.
    I am really not sure what causes the temp folders in D:\ and E:\; I am sure it is either Bouncer or Secure Folder. So, let me first whitelist the two entries as per the suggestion and I will see if any temp folders are created.
    Thanks jwcca for your post. I did check the registry entry and the value is 1. Honestly, I am not an expert, so I am still trying to learn ;)
    But, I guess after whitelisting the two entries, I might not need to use/edit the registry entries.

    Thank you all!
    hdp
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Updated/Polished Bouncer Release:


    New Installer has Bouncer up and running in 10 seconds
    • All binaries/drivers are digitally signed including the installer file, bouncer_demo.exe
    • Proper Installer, default location (C:\Program Files (x86)\Excubits\Bouncer\) but you can change it
    • Automatically installs Bouncer tools and driver, starts BouncerTray and driver as well
    • Driver default config starts in non-LETHAL, meaning it is set to log but not block by default
    • EventSource association with Event Log is done automatically as well to register Bouncer events

    New Signalling/Notifications Mechanism
    • Previous BouncerTray would poll kernel driver every 5 seconds for notifications (although blocking was still instant)
    • Now those operating system notifications and tray icon changes are instantaneous
    • BouncerTray is now much more efficient

    New Icons
    • Updated icon set


    Some details: http://excubits.com/content/en/news.html
    Download: http://excubits.com/content/en/products_bouncer.html
    Updated Manual: http://excubits.com/content/files/bouncer_manual.pdf
    German: http://excubits.com/content/de/produkte_tuersteher.html


    In my opinion, this is the best and most polished Bouncer experience thus far. I have been following it for quite a while and watched it grow and evolve quite a bit. I'm excited to see where it's at now.


    NOTE: I would always recommend backing up your current bouncer.ini config file. Personally, I deleted/uninstalled previous Bouncer tools/driver prior to trying this new installer.

    Have fun with this. Cheers! :thumb:
     
    Last edited: May 11, 2015
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm not being given any option to download the Demo. After I read the license agreement there is no link to download the installer from.
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you! I will give Bouncer a try a little later tonight. I will have to take advantage of the lifetime license while it lasts.
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome. I agree, and that's why I took advantage of the lifetime licence now. Like a lot of other software, once they become well known and so on, you never really know if the price will go up or if lifetime licences stop being sold. I've missed out on some good lifetime licences in the past, but took advantage of Adguard and Bouncer. Dan is considering licencing the KMD and has been in contact with the developer as well. That would be incredible if that works out; that would be unstoppable and wickedly efficient.
     
  17. powerpack

    powerpack Registered Member

    Joined:
    Mar 23, 2010
    Posts:
    42
    Location:
    Now-here or NO-WHERE
    Awesome steps from Bouncer will give it try soon!
    Thanks WildByDesign for the update.
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome, powerpack.

    Updated whitelist for Mozilla Firefox and Thunderbird updates:

    Code:
    [WHITELIST]
    C:\Users\*\AppData\Local\Mozilla\updates\*
    C:\Users\*\AppData\Local\Temp\???????.tmp\*
    C:\Users\*\AppData\Local\Thunderbird\updates\*
    C:\Users\*\AppData\Local\Temp\MozUpdater\bgupdate\*
    C:\Windows\Temp\???????.tmp\*
    The latest addition there is
    Code:
    C:\Windows\Temp\???????.tmp\*
    which I noticed after updating to Firefox 38 yesterday. Although, I believe the reason that I had to add that one is because I have started blacklisting C:\Windows\Temp\* recently along with the other blacklisted directories from Kees' Safe_Admin suggestions from here: https://www.wilderssecurity.com/threads/safe_admin-finally-it-is-there.375433/#post-2483907

    Code:
    [BLACKLIST]
    C:\Windows\debug\WIA\*
    C:\Windows\Registration\CRMLog\*
    C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*
    C:\Windows\System32\com\dmp\*
    C:\Windows\System32\FxsTmp\*
    C:\Windows\System32\spool\drivers\color\*
    C:\Windows\System32\spool\PRINTERS\*
    C:\Windows\System32\Tasks\*
    C:\Windows\Tasks\*
    C:\Windows\Temp\*
    C:\Windows\tracing\*
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Now what I would like to discuss, together as a community, is the idea of further blocking within whitelisted system folders. By that, I mean locking things down even tighter.

    Generally, we whitelist system folders such as this:

    Code:
    C:\Windows\*
    C:\ProgramData\*
    C:\Program Files\*
    C:\Program Files (x86)\*
    Now that Bouncer allows wildcards, this makes it much easier. This is what I have so far:

    Code:
    [BLACKLIST]
    *powershell*.exe
    *regedit.exe
    *bcdedit.exe
    At the moment, do NOT attempt to block cmd.exe because Bouncer utilizes that. I will look into that more later. But for now, what I would like to try to figure out together is what other Windows executables should be blocked from these whitelisted directories. The idea here is to create some sort of Lockdown Mode during regular usage. Then, of course, for updates and things like that we would temporarily disable Bouncer as per normal.

    Is there any interest to work together on this?
     
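The wildcard rules traded in this thread (RJK3's ns*.tmp\*.dll allow rule, the PROGRA~1/PROGRA~2 exceptions for 8.3 short names, the Firefox/Thunderbird updater whitelist and the blacklist-inside-whitelisted-folders idea in the post above) all depend on two things: how the driver matches a path against a rule, and which list wins when a whitelist and a blacklist entry both match. The Python script below is an added example, not part of the original thread and not Excubits' code. It models a Bouncer-style [WHITELIST]/[BLACKLIST] config offline so a rule set can be reasoned about (and its size checked against the 3 KB demo limit) before it is loaded. Its wildcard semantics (case-insensitive, `*` spans backslashes, `?` is exactly one character, whole-path match), the two precedence policies and the sample config are assumptions; Bouncer's real precedence has to be confirmed in the manual linked above or by running the driver in its non-LETHAL (log-only) mode.

```python
"""Added example: a small evaluator for Bouncer-style path rules.

Assumed wildcard semantics (not taken from the Bouncer manual): matching is
case-insensitive, '*' matches any run of characters including backslashes,
'?' matches exactly one character, and a rule must match the whole path.
"""
import re

# Constructed config, modelled on the snippets posted in this thread.
SAMPLE_CONFIG = r"""
[WHITELIST]
C:\Windows\*
C:\Program Files\*
C:\Program Files (x86)\*
C:\PROGRA~1\*
C:\PROGRA~2\*
C:\Users\*\AppData\Local\Temp\ns*.tmp\*.dll
C:\Windows\Temp\???????.tmp\*
[BLACKLIST]
*powershell*.exe
*regedit.exe
*bcdedit.exe
C:\Windows\Temp\*
"""

FREE_LIMIT_BYTES = 3 * 1024  # the 3 KB demo limit discussed in the thread


def parse_config(text):
    """Split an INI-style config into {'WHITELIST': [...], 'BLACKLIST': [...]}."""
    rules = {"WHITELIST": [], "BLACKLIST": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            rules.setdefault(section, [])
        elif section is not None:
            rules[section].append(line)
    return rules


def rule_to_regex(rule):
    """Translate one wildcard rule into an anchored, case-insensitive regex."""
    pattern = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in rule
    )
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def matching_rules(path, rules):
    """Return every rule in `rules` that matches `path`."""
    return [r for r in rules if rule_to_regex(r).match(path)]


def decide(path, config, policy="blacklist-first"):
    """Return ('allow' | 'block', reason) for `path`.

    Precedence between a matching whitelist and blacklist rule is an
    assumption here; two policies are modelled so the difference is visible.
    Confirm the real behaviour in Bouncer's manual or in log-only mode.
    """
    black = matching_rules(path, config["BLACKLIST"])
    white = matching_rules(path, config["WHITELIST"])
    if policy == "blacklist-first":
        if black:
            return "block", "blacklist: " + black[0]
        if white:
            return "allow", "whitelist: " + white[0]
    elif policy == "longest-match":
        # Longest (most specific) rule wins, regardless of which list it is in.
        best_black = max(black, key=len, default="")
        best_white = max(white, key=len, default="")
        if len(best_black) > len(best_white):
            return "block", "blacklist: " + best_black
        if best_white:
            return "allow", "whitelist: " + best_white
    else:
        raise ValueError("unknown policy: " + policy)
    return "block", "no whitelist rule matched (default deny)"


def config_size_ok(text, limit=FREE_LIMIT_BYTES):
    """True if the config fits the demo's size limit (measured in bytes)."""
    return len(text.encode("utf-8")) <= limit


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("config within 3 KB:", config_size_ok(SAMPLE_CONFIG))
    for p in (
        r"C:\Users\bob\AppData\Local\Temp\nspD743.tmp\System.dll",
        r"C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Windows\Temp\abcdefg.tmp\updater.exe",
    ):
        for policy in ("blacklist-first", "longest-match"):
            print(policy, p, decide(p, cfg, policy))
```

Run as-is, the script decides each constructed path under both policies. The PROGRA~1 path is the case from post 6: a whitelist of C:\Program Files\* never matches the short-name form, so the explicit 8.3 exception is needed (on a live system, `dir /x` in a command prompt shows which short name belongs to which folder, since the ~1/~2 suffix depends on creation order). The C:\Windows\Temp case shows why the precedence matters: under a plain blacklist-first policy the C:\Windows\Temp\???????.tmp\* whitelist entry from post 18 would not override the C:\Windows\Temp\* blacklist entry, while the *powershell*.exe blacklist entry from the post above does override C:\Windows\*; whichever rule Bouncer actually applies, test it in log-only mode before switching to LETHAL.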
  20. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    I'm late to the party here. Is the demo the free, limited version of Bouncer?

    Thanks
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    That's correct. It's free for as long as you want to use it, with the only limitation being a maximum config file size of 3 KB which is quite decent. I've got a lifetime licence and a pretty solid config and mine is still right on 3 KB. It's similar to software restriction policies, except that Bouncer is kernel level.
     
  22. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    Thanks. I'll give it a try after some reading through this and Kees' thread.
     
  23. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Cheers for the updates as always. I'm still using Bouncer in logging mode for what it's worth, and still am finding new additions to allow.

    A separate, tickable "Lockdown Mode" (i.e. that loads an alternative, far more restrictive config) would be a useful idea.

    I'm in a particularly busy time so I won't have anything substantial to add.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yeah, that would be amazing if the KMD could be used in VS.
     
  25. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    I haven't tried the latest release, but I have the previous ones, including the very first version that MrBrian had linked, the one whose driver needed to be self/test-signed in order to be installable on a W8x64 system.

    1. Has the Logging been fixed? I had issues with it, even with the version prior to the last, as a) there were multiple log entries of the same blocked executable, even though I had only tried to run/test it no more than once, and b) there were log entries of irrelevant exe's, i.e. exe's which I had never run while testing Bouncer. I choose to believe that the buggy functionality is (was?) the Logging, not the Filtering.
    2. Has the "Browse for a file" (based on its file extension) Admin Tool functionality been fixed? I remember I couldn't whitelist the file path of an exe unless the "All files" option was selected in the dialog box.
    3. What other file types, besides exe, com, sys, dll, ocx, does it monitor? I'm asking because once I saw a log entry of a blocked .bin file.
    4. Even though I like the underlying simplicity of Bouncer, the 3 KB limit makes it a true demo (as it is officially stated). There is no way to properly close all WINDOWS loopholes and whitelist specific file paths from user-writable/default-denied locations without exceeding that limit. In addition to the Accesschk-ed WINDOWS locations, there are, depending on one's setup, exe's, dll's etc. that need to be whitelisted for having a functional system (Panda's URL Filtering, AVG LinkScanner and HitmanPro's Temp installer come first to my mind).
     