Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    No, I had to disable Quietzone to be able to make any changes to Bouncer because it kept discarding changes made while Quietzone was enabled, however that seems to be the intended behaviour of Quietzone so it worked as it was intended. Personally, I could never be bothered to use something like Quietzone or that TimeFreeze program. If a system has been secured adequately, there would be no purpose to those programs as there would be no malware damage or negative consequences to begin with. But I do respect that everyone has their own preferences, opinions, and their own techniques with regard to securing their systems. And of course it is always good to have choice as there is quite a variety of security software these days.
     
  2. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    First of all, my "busted" theory
    was based on the misobservation that Bouncer reports only exes that share the same folder location with its installer/inf. Well, fjwdcp6m.exe (GMER)

    blf.JPG

    proves me wrong (right in front of my eyes...) + i remembered that older versions were also reporting exes located in my DATA partition (on 2nd internal hard disk), where i usually don't run anything/currently it's SecureFolder-ed (Locked).

    What "blurred" my vision/perception was the fact that there are other Desktop folders containing exes that haven't been reported by Bouncer! Not to mention any other folder (containing exes) of my system partition.

    So...
    ...definetely YES!

    In regards to my security setup, even though i normally test new software
    right now i (additionally) have Panda Free AV+Panda URL Filtering, SecureFolders, EMET, MBAE Free (Browsers), Zemana Antilogger Free, MCShield, K9 Web Protection installed (testing a potential Friends and Family Setup). BUT, like i said, Bouncer exhibits the same behavior on my just-for-testing setup as well.

    Now, i think that maybe @WildByDesign is right about the conflicting co-existence of light-virtualization apps and Bouncer,

    minifilters.JPG

    but before i present my new "stange" theory ( :D - just trying to discover the pattern here, so please bear with me), @Cutting_Edgetech, i have to ask you if your Bouncer's "unjustified" alerts point ONLY to locations, either a) not protected by Shadow Defender, and/or b) excluded by Shadow Defender-ed partitions (via "Exclusions" and/or "Commit Now" - iirc), regardless of the mode (Shadow/Normal).

    In other news:

    It must have been the *.*.dll "include filter". Just renamed a dll file and now it is visible to the "Browse for a file" box.

    I believe that @WildByDesign has already established a trusted communication channel with the dev. In addition, i would like to believe that Florian is somehow monitoring this thread. If that's the case, (either of them) here is my 2 cents worth of suggestion/wish:

    Instead of "Status", "Start", "Stop", "Restart" buttons, a single "Start/Stop" button depending on the driver's status, i.e. if the driver is running, that single button will appear with a "Stop" label on it; if it's not, with a "Start" label -aka: a toggling ON/OFF button with a accordingly changeable text on it.
    So, in effect, there will be 2 rows of upper buttons:
    "Show Log" - "Clear Log"
    "Start (or Stop, depending on driver's status)" - "Pause"
     
    Last edited: May 30, 2015
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Bouncer mostly alerts to files on drive K:\, and a few files on drive I:\. Bouncer also alerts to one file for Microsoft Officer 2010 on drive C:\, but I can't remember which one. I think it was a filter.dll file. I just rolled my machine back, and it is not in the log now. I have not been running in Shadow Mode, but I only run C:\ in Shadow Mode when I do. DefenderDaemon.exe runs when Shadow Defender is not in Shadow Mode, but I can't remember what that process is responsible for.
     
  4. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    So to be clear, SD protects (when it does) only your C:\ (without any exclusions) and your only non-system disk/partitions are K:\ and I:\. Right?

    A couple of more questions:

    1. Do you remember if the Office dll file that gets reported by Bouncer is in the 8.3 format?

    2. Are the files that get unexpectedly reported by Bouncer located in the root or the upper directory level of your external disks? (X:\x.exe or X:\xfolder\x.exe)

    BTW, DefenderDaemon.exe is related with SD's UI, IIRC.

    PS @WildByDesign: When you tried to reproduce the issue did you use the DEMO version?
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    No. When I tried to reproduce the issue, I was using the lifetime version. But I don't believe that there are many differences other than the config size limit. However, it's certainly possible that a bug could slip through on one and not the other, you never know. If you want me to try something for testing purposes, I am happy to remove the lifetime version and try the demo version and see if there is something specific going on there. Just let me know.

    The thing that makes this issue so tricky is that it seems to be very limited which is frustrating. It's only been reported by you and CE at the moment.
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    From: http://excubits.com/content/en/news.html

    I have checked, and can confirm that the English, German, and paid versions are all updated on the server. I haven't tested yet though but I will be over the next few hours.

    I don't believe there are any updates to the driver. So in this case, I would just extract the executable with 7-Zip, close out of BouncerTray and Admin Tool (if open), and simply copy over those files and start them up again.
     
  7. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    If it's not so much trouble, could you please try the DEMO version alongside TimeFreeze? If you're up to it, exclude a (test) Desktop Folder from Time Freeze and put some random installers in it. (sequence: create folder->put some installers/exes in it->exclude the folder from TF->reboot->enable TF->toggle "Enable Folder Exclusion when TimeFreeze is ON" (check/uncheck) every (let's say) 10 minutes)

    There is another member who had experienced (not anymore) the same Bouncer's behavior -i think there is/was a 4th person, also.

    3 out of 8?, 10?, 12?, 15? (WS members who have actually tested Bouncer), is something to be taken under dev's consideration.
     
    Last edited: Jun 1, 2015
  8. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    Logical explanation, but what's the motive of "someone (a process)" to repeatedly try to execute Kaspersky Virus Removal Tool (or other installers, for that matter)?
    [​IMG]

    Anyway...
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I hope this works out well and many compliments to Florian for his timely responses to users questions and concerns to date. I been out the security apps loop awhile so you guys will overlook if i post a question only to discover the darn answer after repeating some steps several times. I'm usually fairly good at focusing in on my own oversights with new programs like this (and others) but sometimes make haste to put questions out there early before having full grasp of it's workings.

    I'm interested in the PAID version of this (PLUS) but first want to be certain that i'm not clashing apps with overlap so here is what's working presently and very stable on a Windows 8.0 64bit OEM. Secure Folders + MBAE + NVT-ERP.

    On-Demand is ShadowDefender + Sandboxie, expressly for entering foggy areas of the net where i do most of my malware hunting & captures.

    I'm open to suggestions as to which current app i should (if any) pull from the profile in order for Bouncer to operate at it's dead level best without issue.

    @WildByDesign Perhaps you have a better handle on the best default Whitelist/Blacklist rules you might could share that will offer the current best preventions offered by Bouncer.

    Regards, EASTER
     
  10. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    SecureFolders (blacklisting) - Bouncer (whitelisting(by default)/blacklisting) - ERP ("micro"-whitelisting/blacklisting (supports command line filtering)): triple driver-based anti-execution.

    I haven't tried that combo -only SF+B and SF+ERP. Assuming that SF is used as a file/folder locker, the question is B or ERP? ERP offers granular filtering + script's interpreters filtering, while B is capable of filtering drivers as well. I'd say, either ERP+DriverRadarPro or B+ERP (use ERP only to control system's and users' TEMP folders/threatgates (usability)).

    Anyway, both products have their (more) pros and (more) cons, but in the end it comes down to personal preference, security approach and probable buggy or conflicting (with other security apps) behavior.
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    For this point, I just wanted to add that internal testing versions of Bouncer have a kernel level filtering capability of command line filtering. I believe CE has a testing copy of this now. I have been testing it for a while as well. Initially the command line scanning was it's own kernel-mode driver for testing purposes, but it has now been added to original Bouncer driver within the same KMD. It will soon come out of internal testing and all users of Bouncer will have command line filtering as well.

    I agree with this 100%. Security often depends on how far users want to get into it, to what level, to what amount of time they want to put into it. Some users like to keep security easy and simple, while others likes to get their hands dirty. That's why it's great that we've got so many security tools to choose from these days and many different methods/techniques used by these programs as well.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Absolutely, I will give this a try today and will report back. That is interesting because when I did test it, I did not try the Exclusion feature at all, so you may be on to something here. I'll let you know how that goes.

    That's true, I respect that. Bouncer is a very niche security tool and hasn't had much exposure on a consumer level. For the most part, the underlying Bouncer driver gets licenced out to large companies/organizations and each one is typically a custom driver tailored to each particular business needs, based on whatever network infrastructure, software setup, etc. And from my understanding, the Bouncer devs support those companies directly. Therefore, I would assume that those companies wouldn't necessarily test the driver quite as thoroughly as members here at Wilders. Or I suppose another thought that just came to mind is that those companies likely wouldn't use a lot of the security tools that we are seeing conflicts with. That is just my assumption anyway.


    EDIT: Regarding testing of Toolwiz TimeFreeze with Bouncer

    Instead of creating another post I just decided to edit this post to add information of my testing of TimeFreeze and Bouncer.

    I followed your suggestions precisely and had a feeling that the Exclusions in TimeFreeze might be what makes the difference here. I also unchecked and checked every 10-15 minutes the button to turn off/on the exclusion functionality as suggested. I literally tried everything that I could think of along with your suggestions as well, but sadly no luck as I could not reproduce the issues with TimeFreeze and Bouncer. Now, during this testing I had Bouncer installed and configured and I was manually turning TF on in testing, and manually turning off TF which included having to restart. So I figured, OK, maybe I will try checking the button in TF to allow TF to start automatically with Windows instead of manually to see if that could make a difference. Bouncer was removed at this point entirely, to start fresh.

    This is where things went south fast. TimeFreeze, when auto-start with Windows was enabled, borked my system entirely. The TF tray app would not function as the process was always crashed/suspended. I checked for signs of Bouncer, in case TF brought it back, but it was still cleanly gone. Process Explorer, even started as Admin, or Task Manager, could not kill or restart the TF process. Any command prompt attempts to kill or remove TF was reversed upon restarting Windows. This was like a nasty virus that you could not get rid of at this point. Uninstalling TF failed because it says you need to turn TF protection Off, but I had no access to TF interface or tray app. Needless to say, TF blocked or reverted any changes made. The only thing that did work was using Windows advanced startup features and using Command Prompt mode only. I had to go DOS mode commando here to delete the individual TF kernel-mode drivers in the system folders, delete the TF executable, etc. I had to take it out like a dirty virus. So unfortunately, I was not able to reproduce the issues even when manually enabling TF mode, exclusions, etc.

    I would strongly caution the use of Toolwiz TimeFreeze with or without Bouncer.
     
    Last edited: Jun 1, 2015
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Absolutely, I am happy to help with this. I just wanted to let you know that I didn't miss or forget your question here, but I will have to wait until this afternoon or evening to get back to you on it. I think what I am going to try to do is put together several difference configs to share here in code boxes, maybe of different levels of protection, with some explanations so that users can hopefully understand it well and copy/paste whichever they think works best based on their system and their individual use case. I will also write later about program suggestions to hopefully prevent overlap or conflicts. For me personally, I'm always about keeping my security light, simple and efficient, yet thorough and tight.
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Some users seem to favor that program but i have always had my doubts although none realized but then again i have never tested it once nor entertained any idea to do so since i always found Shadow Defender quite adequate and stable.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm using Windows 7X64 Ultimate. Florian sent me a build of Bouncer with debug code. There is a little more involved with installing it though. The driver is failing to install to the SystemWOW64 driver folder. I copied the driver to the folder manually. Will it work like that? I did that since left clicking on the .inf, and choosing install would not install the driver. The driver installed fine to the System 32 driver folder. It only failed to install to the SystemWOW64 driver folder.
     
    Last edited: Jun 1, 2015
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yes, C:\ disk is the only disk I run in Shadow Mode, and I use no exclusions. I don't know what format the Office Filter file is in. I will let you know when I find out. The files reported by bouncer are in the root, and upper directory level. I was aware that DefenderDaemon.exe operated the UI, but thought maybe it was responsible for other operations as well. I will check with Tony if it turns out to be the problem, but I doubt it is.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm going to assume I can't install the driver by coping it to the driver folder. Bouncer's Log is full of entries of critical items being blocked. I will have to wait for Florian to return my email. I was just hoping to get this out of the way now so I can start reformatting my computer.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    It seems like maybe Bouncer is working fine after all. Maybe the driver can be copied to the driver folder instead of just using the .inf file. I guess all those entries in the log were just info Florian needs for debugging. I switched to lethal mode, and so far Bouncer is working fine. I think I will know what is triggering the alerts soon. I will keep you guys updated.
     
  19. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    @WildByDesign, i appreciate your efforts in reproducing THE issue and i feel bad for TF giving you a hard time. Truth be told, TF is not properly tested under 8.1/10 (personal conclusion). But on 7 it runs flawlessly in any mode (manual/auto). I've been using it regularly for the past 3+ years (from the old engine's days) and i've never noticed any conflict with other sec apps -0 issues, and please rest assured that i've tried a ton of them. I'm hearing any doubts and concerns about it, but the same goes for every software (and sudden re-appearances...). Please, don't jump into any conclusions, since i've purchased an SD license, after its re-emergence -still i prefer to use TF for its simplicity and snappiness.

    Anyway, maybe W10 isn't the proper environment for reproducing this issue, or maybe light virtualization apps aren't a "suspect" after all. Who really knows for sure?

    Thanks for confirming my guesses. We are experiencing the same Bouncer's + Light Virtualization "symptoms", here.

    So, maybe Bouncer keeps reporting/filtering (for some reason) files located in areas where SD/TF doesn't monitor for intercepting file operations and redirecting their outcome to its "container", i.e., 1. excluded folders of to-be-virtualized system partition + 2. root and/or upper levels of (non-to-be-virtualized) non-system partitions.

    Finally, my third and LAST personal guess (light-virtualization independent) is that Bouncer reports (for some reason) files from user-space locations (i.e., all but default whitelisted areas) where, at some point, a file (residing in that location) was tested against Bouncer's protection.

    [it's easily reproducible: place a test-exe inside a user-space folder (Desktop, Downloads, non-system partition, etc.)->try to execute it (obviously it shouldn't be path-whitelisted)->optionally cut/copy it to a different location->check Bouncer's Log for any alert pointing to the test-folder (or, optionally, to the copy of the test-exe)]


    BTW, I've forgotten to report another (minor) bug:

    I've been able to whitelist via Admin Tool ("Add Wildcard Rule") this

    C:\PROGRA~1\KEYCRY~1\KEYCRY~3.DLL

    but not an MCShield dll (i think MCDialogs.dll) using the same (8.3) format.
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I have been unable to reproduce the alerts that Bouncer gives for unknown executable code since yesterday. That's just my luck! I can't trigger the alerts anymore now that I have the debug code to diagnose the problem with. I will keep rolling my computer back, and reinstalling to see if I can trigger the alerts. I hate not being able to solve this issue.

    Has anyone else gotten an alert from Microsoft yet informing them they are eligible for a free upgrade to Windows 10? GWX.exe was a recent update for Windows that checks your eligibility for the upgrade, and i'm sure it also checks your computer for compatibility for Windows 10. It says i'm eligible for the upgrade. It makes me wonder if GWX.exe was triggering the alerts for Bouncer since it has finished checking my system eligibility, and compatibility for the upgrade. I don't want to upgrade this computer to Windows 10, but I will upgrade one of my other computers.
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Here you go, sir:
    Code:
    C:\PROGRA~2\MCShield\MC*.dll
    EDIT: Alternatively,
    Code:
    C:\PROGRA~2\MCShield\MCPROC~1.DLL
    C:\PROGRA~2\MCShield\MCDIAL~1.DLL
    I will have to answer remaining questions in the morning.
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Should Bouncer install it's mini KMD to SystemWOW64 driver folder, and System 32 driver folder? The prior version with the Admin Tool does, but the test version Florian gave me does not. The test version only installs it's driver to System 32 driver folder. I'm using Windows 7X64 Ultimate.
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    To be quite honest, I don't believe that the bouncer.sys in C:\Windows\SysWOW64\drivers is necessary or even utilized in any way. I just tested by installing latest stable/public release manually (by right-clicking INF) and it only copied to System32, not to SysWOW64. My assumption here is the shiny/new installer for Bouncer is copying bouncer.sys to both locations, when only System32 is necessary. Florian would be best to answer this and I think that either you or I should report it to him. Good catch, CE. I don't think it's harmful in any way. but at the same time, it doesn't need to be there.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I rolled my computer back 4 times today trying to reproduce the unknown code execution, but cannot reproduce the alert with this test build. The unknown code execution on drive K:\ actually stopped on Saturday so I don't know if the problem still exist. I think the GWX.exe utility that Windows uses to check to see if you are eligible for a free upgrade to Windows 10 could have been causing the problem, but that's just one of many things that could have caused it. I manually installed the driver in the SysWOW64 driver Folder, and Bouncer worked like that as well. I did that because the prior build of Bouncer I used installed to System 32 driver Folder, and also to the SysWOW64 driver folder. I will have to ask Florian which way is correct. I want to make sure I have Bouncer installed correctly, or there is no reason to try to reproduce the problem I was experiencing.
     
    Last edited: Jun 1, 2015
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The build I have with the debug code came with 2 folder; one called 32-bit, and the other called 64-bit. I guess he already knew which version of Windows I was using. I just don't know for sure if I'm suppose to install the driver from both the 32-bit folder, and the 64-bit folder. I tried installing both twice today, and the driver still only got installed to the System 32 driver folder so I copied it to the SysWOW64 driver folder manually. I'm waiting for Florian to respond to my email now. May you will want to report it as well. Sometimes I don't explain things in the easiest to understand way.
     

    Attached Files:

    Last edited: Jun 1, 2015
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.