Bouncer (previously Tuersteher Light)

I can confirm with 100% certainty that you only need to install the driver from the 64-bit folder if that is your architecture. His build system automatically compiles both, in those same directory structures. You just need to install the one that matches your system. If you were to extract the bouncer_demo.exe installer with 7-Zip, you will see similar directory structure, although in that case the installer determines system architecture automatically and installs appropriate driver.

I think what is confusing the situation is that the installer is mistakenly copying to SysWOW64 as well. I have tested a few dozen builds now and were all installed manually by INF, up until new installer. All of those previous (and current) builds have never copied to the SysWOW64 folder, with the exception of when using this installer. So it's a mistake in the installer. I'll talk to Florian in the morning as well and see what part of the installer caused it and it should be a very quick fix. Anyone running current build wont need to reinstall since the fix in this case would only be with the installer, not the contents. I would like to get confirmation from Florian first though before I recommend anyone to delete driver in SysWOW64.

 

Well, I have to consider that as a possibility also for the unknown executable code alerts from drive K:\. The installer I used when experiencing this issue copied the driver to the SysWOW64 driver folder also. I don't know if that was the cause, but I have to at least consider it. Bouncer blocked everything fine with the driver in both directories. Well, I emailed Florian to death today. I hope he is not too upset for sending him so many emails. Since the driver was only being copied to the System 32 driver folder it caused a great deal of confusion for me since the only other build of Bouncer I have used copied the driver to both the System 32 driver folder, SysWOW64 driver folders. I think after this is cleared up things will be much smoother for my testing. I have to reformat my computer tomorrow so I want be testing again for a couple of days. It takes that long for me to get my computer back to how I like it. I have not reformatted in over 2 years. I always keep regular full image backups with Shadow Protect so I don't have to reformat often. Man, get some rest. We can talk about this again another day. Thank you so much for your help!!

 

that is very good

 

I liked that as well. Initially, I suggested to Florian to have the driver automatically restart when the user presses the Save Config button. But I like this way much better and I think it's great that he made it as a prompt, since some users may want the driver restarted at that point but some may not. I think it's a nice improvement and again, this is something that has been made better thanks to user suggestions here at Wilders. So all of our suggestions have been helping to make it a better experience.

I've noticed another change as well in Admin Tool that I wasn't aware of:

- When you press the Status button, it also displays the version of the Bouncer.sys kernel-mode driver

 

I'm glad it seems to be working good for you now and hopefully those weird alerts are a thing of the past. I am not familiar with Bouncer debug mode so I wouldn't know exactly what to look for in debug messages in the logs.

It's unfortunate that you haven't been able to reproduce the issue thus far. But I have to admit, I respect very much the fact that you are very persistent and thorough with your testing. We are all thankful for your time and reporting of issues, some of which already led to fixes if I remember correctly.

That's any interesting point regarding GWX.exe from that Windows 10 free upgrade update that went out to Windows 7/8.x users, I believe. That update seems to be causing quite a bit of conversation across the Internet. You may very well be onto something there since the timing of it was around the same time. I just wish that we had a better understanding of what that GWX.exe process actually does under the hood. But naturally, Microsoft is not always forthcoming about that type of information.

I respect that, 100%. I thought that you were trying to having it installed as Bouncer is normally intended to be installed. But I understand now where you are coming from, you are trying to reproduce identically the exact situation as it was when you were experiencing the conflicts in an attempt to reproduce and find the source of conflict. I see what you mean now. You're welcome, of course, anytime.

Let us know if/when you get setup again and this Microsoft Office 2010 .dll alerts you again, as CGuard and myself are both familiar with this 8.3 filename stuff and either one of us can help you out with that.

You're welcome, my pleasure. I still believe as well that the conflicts are likely between Bouncer and Light Virtualization programs. I'm frustrated that I wasn't able to reproduce it though. I don't have any previous experience with light virtualization programs, so my testing recently was quite brief with them but I was still hoping to find a source of conflict. I think the only one that I haven't tested still is Shadow Defender. Do you think that might be causing issues with Bouncer?

No worries, no need to feel bad. I'm always up for a good challenge anyway and was able to resolve the problem, though it was rather tricky since TF blocks/reverses much of what I was trying to do to fix it. But it's all good in the end. You make a good point, as always, and I respect your point of view and therefore I take back what I said about not recommending TF (although I would only caution the combination of light virutualization + Bouncer in general at the moment). You are absolutely right, I can't really expect TF to work perfectly on Windows 10 since the builds (win10) are changing under the hood with each release and especially as you mention TF didn't necessarily have full testing under Windows 8.1 as well, so I respect where your coming from there. I really should get together another testing system for Windows 7 64-bit or at least a few more VM's for testing.

I agree, some of that stuff can be simplified. I will try to provide the developer with some mockup images for Admin Tool in the next few days of some simplified buttons or sliders.

Initially, Bouncer was all about the efficiency of the driver and was intended to be run from command line and also manually editing config file, so it's never been about a fancy GUI. So the idea is still to keep things absolutely simple and efficient. But I do see where your suggestions can still fit into the Admin Tool and yet still keep the simplistic approach. I'll let everyone here know when an update is coming that includes these suggestions. I may even post the mockup images here as well and let the community have input on what they think looks appropriate and makes the most sense.

I apologize that I wasn't able to share some configs yesterday as I told you I was going to. I could have half-assed it and shared some quick configs last night, but I don't like to cheat out on anything. Now that I have caught up on questions/comments in Bouncer thread, my goal now for today is to put together some configs with explanations to share because I enjoy messing with configs and trying different things out.

 

I'm going to share some different config options. For each example, the first code box will be the actual code to copy and paste. The second code box is the same but with some details/comments. Don't use the code box with details to copy and paste into your config because the details/comments could cause problems or at the very least would bloat your config file size.

Basic Bouncer Config with more control over Windows folder and Windows\Temp

Code:

[#LETHAL]
[LOGGING]
[WHITELIST]
C:\Program Files\*
C:\Program Files (x86)\*
C:\Windows\AppPatch\*
C:\Windows\assembly\*
C:\Windows\Branding\*
C:\Windows\ImmersiveControlPanel\*
C:\Windows\Microsoft.NET\*
C:\Windows\servicing\*
C:\Windows\SoftwareDistribution\*
C:\Windows\System32\*
C:\Windows\SystemApps\*
C:\Windows\SysWOW64\*
C:\Windows\WinStore\*
C:\Windows\WinSxS\*
C:\Windows\explorer.exe
C:\Windows\notepad.exe
C:\Windows\splwow64.exe
C:\Windows\Temp\MPGEAR.DLL
C:\Windows\Temp\MPENGINE.DLL
[BLACKLIST]
[EOF]

Code:

[#LETHAL]
[LOGGING]
[WHITELIST]
C:\Program Files\*
C:\Program Files (x86)\*
C:\Windows\AppPatch\*
C:\Windows\assembly\*
C:\Windows\Branding\*
C:\Windows\ImmersiveControlPanel\*    {Windows 8.x and Windows 10}
C:\Windows\Microsoft.NET\*
C:\Windows\servicing\*
C:\Windows\SoftwareDistribution\*
C:\Windows\System32\*
C:\Windows\SystemApps\*
C:\Windows\SysWOW64\*
C:\Windows\WinStore\*
C:\Windows\WinSxS\*
C:\Windows\explorer.exe
C:\Windows\notepad.exe
C:\Windows\splwow64.exe                {related to printing}
C:\Windows\Temp\MPGEAR.DLL             {Malicious Software Removal Tool}
C:\Windows\Temp\MPENGINE.DLL           {Malicious Software Removal Tool}
[BLACKLIST]
[EOF]

By default, this already blocks some of MrBrian's old blacklist.
https://www.wilderssecurity.com/threads/anyone-running-applocker.272761/#post-1679077
Although some can be added and I will edit this post accordingly later.

The idea here was to not simply allow anything and everything from Windows directory to run, but to allow only what needed to run based on my usage. This also has control over the Windows\Temp folder since it is blocked by default with this config, with the exception of what I have decided to allow from Temp. So this allows more control there.

What I did to get to this point was start with a basic config (below), have LETHAL mode not started, therefore no actual blocking yet, and allow logging. That way I could see over the course of several days what would need to be run for daily usage.

Code:

[#LETHAL]
[LOGGING]
[WHITELIST]
C:\Program Files\*
C:\Program Files (x86)\*
C:\Windows\ImmersiveControlPanel\*
C:\Windows\SoftwareDistribution\*
C:\Windows\System32\*
C:\Windows\SystemApps\*
C:\Windows\SysWOW64\*
C:\Windows\WinStore\*
C:\Windows\WinSxS\*
C:\Windows\explorer.exe
C:\Windows\notepad.exe
C:\Windows\Temp\MPGEAR.DLL
C:\Windows\Temp\MPENGINE.DLL
[BLACKLIST]
[EOF]

I started with the Windows directories and executables that were obvious to me, and than just continued for a few days (no blocking, but yes logging) and adding what was necessary within the Windows directory and Temp folder as well.

The same could be done to have more control within the Program Files directories and also the ProgramData folder. Those are projects that I will also venture into over the next few weeks and will be happy to share the results as well. Keep in mind, everyone's usage is different of course. I'm keeping all of my examples here with blocking (LETHAL mode) off and logging mode on, since other users systems and usage may need some tweaking as well.


Example of my current blacklist

For this, I would also like to expand upon this and will update accordingly. I want to add more based on MrBrian's old blacklist. But that will also depend on what the user has (or specifically doesn't have) in their whitelist since some of that would already be blocked.

Code:

[#LETHAL]
[LOGGING]
[WHITELIST]
[BLACKLIST]
*powershell*.exe
*regedit.exe
*iexplore.exe
*script.exe
*vbc.exe
*jsc.exe
*ilasm.exe
*csc.exe
*bitsadmin.exe
*hh.exe
*cipher.exe
*syskey.exe
*vssadmin.exe
*bcdedit.exe
[EOF]

Miscellaneous Windows and Microsoft Office related whitelist rules

Code:

[#LETHAL]
[LOGGING]
[WHITELIST]
Q:\140066.enu\*
C:\PROGRA~2\COMMON~1\MICROS~1\VIRTUA~1\*
C:\Users\*\AppData\Local\Packages\*
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\*
C:\Windows\Temp\????????-????-????-????-????????????\*
C:\Windows\Temp\MPGEAR.DLL
C:\Windows\Temp\MPENGINE.DLL
[BLACKLIST]
[EOF]

Code:

[#LETHAL]
[LOGGING]
[WHITELIST]
Q:\140066.enu\*                                                       {Office 2010 - Click-to-Run versions}
C:\PROGRA~2\COMMON~1\MICROS~1\VIRTUA~1\*                              {Office 2010 - Click-to-Run versions}
C:\Users\*\AppData\Local\Packages\*                                   {Windows 8.x and Windows 10}
C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\*  {DISM}
C:\Windows\Temp\????????-????-????-????-????????????\*                {DISM}
C:\Windows\Temp\MPGEAR.DLL                                            {Malicious Software Removal Tool}
C:\Windows\Temp\MPENGINE.DLL                                          {Malicious Software Removal Tool}
[BLACKLIST]
[EOF]

Popular Browser and Email Client Updater whitelist rules

Code:

[#LETHAL]
[LOGGING]
[WHITELIST]
C:\Users\*\AppData\Local\Temp\??_?????.tmp\setup.exe
C:\Users\*\AppData\Local\Mozilla\updates\*
C:\Users\*\AppData\Local\Thunderbird\updates\*
C:\Users\*\AppData\Local\Temp\???????.tmp\*
C:\Users\*\AppData\Local\Temp\MozUpdater\bgupdate\*
C:\Windows\Temp\???????.tmp\*
[BLACKLIST]
[EOF]

Code:

[#LETHAL]
[LOGGING]
[WHITELIST]
C:\Users\*\AppData\Local\Temp\??_?????.tmp\setup.exe  {Google Chrome Updates}
C:\Users\*\AppData\Local\Mozilla\updates\*            {Mozilla Firefox Updates}
C:\Users\*\AppData\Local\Thunderbird\updates\*        {Mozilla Thunderbird Updates}
C:\Users\*\AppData\Local\Temp\???????.tmp\*           {Mozilla Firefox and Thunderbird Updates}
C:\Users\*\AppData\Local\Temp\MozUpdater\bgupdate\*   {Mozilla Firefox and Thunderbird Updates}
C:\Windows\Temp\???????.tmp\*                         {Mozilla Firefox and Thunderbird Updates}
[BLACKLIST]
[EOF]

With regards to ProgramData folders

As I have learned recently, I would only allow what specifically needs to be run within ProgramData folders which is very little. Within my current setup, there was literally only one thing from within ProgramData that was necessary and it was related to my printer driver, and only when printing. So that was as simple as adding C:\ProgramData\CanonBJ\* to the whitelist in my case. I want to look into ProgramData more at a later time though.


Miscellaneous User shared rules

Code:

[#LETHAL]
[LOGGING]
[WHITELIST]
C:\PROGRA~2\MCShield\MCPROC~1.DLL
C:\PROGRA~2\MCShield\MCDIAL~1.DLL
[BLACKLIST]
[EOF]

I will have to tidy this up more later, it's been a long day.

 

In my signature is my security config. Do you think I should bear anything in mind before installing Bouncer to test it? This KMD anti-malware looks very promising.
TIA

 

Potential issues with ERP since they both have similar KMD intercepting similar calls in kernel, though some users have combined the two. Feel free to ask any questions or if you run into any config issues, myself and a few others here can help. I've heard of it working well with AG, should be fine with MBAE as well. Not sure if anyone has tested it with SBIE though. But if anything comes up, please feel free to share.

 

I am using Bouncer with Spyshelter, Sanboxie, MBAE and Secure Folders. From time to time I also use Try&Decide (kind of virtualization app) from Acronis True Image 2013. At this moment everything is working without problems. Before I had problem with Logging (the same as @Cutting_Edgetech and @CGuard) but after update around 2 weeks ago everything is ok.

 

Thank you for confirming. That's good seeing success with that combination.


@Cutting_Edgetech

I was able to get confirmation from Florian regarding that bug from the installer. The issue didn't affect 32-bit Windows as we had expected. It only happened on 64-bit Windows systems where the Bouncer.sys driver was copying to both System32 and SysWOW64 within the drivers folder.

So as I understand it, the driver in SysWOW64 is not intentional, not utilized, and not really an issue as it's just basically an extra file sitting there. I assume he ran into issues while coding the installer and decided to just release the installer as is with the extra file, as opposed to whatever errors he was seeing with another method. I would assume that it's on his To-Do list but there are likely other higher priority things to do first.

You can safely delete Bouncer.sys from SysWOW64 or you could very well leave it there just the same, either way will make no difference.

 

@WildByDesign
You're so kind! Thanks for your help.

 

@Mister X
Couldn't agree more

 

I've had some time this morning to make some very basic concepts / mockups for Bouncer GUI ideas. Keep in mind that the idea behind Bouncer has always been to keep things very simplistic and functional, not fancy. It has always been intended to be more of a niche security tool for hard core security enthusiasts. I've got 4 concept images to share at the moment.


Concept 01:

• Sliders in Configuration area, basic On/Off
• Added Restart button to top section since it didn't fit in with sliders
• Added vertical divider between rule types and allow or deny section to differentiate
• Added Type of Rule and Permission wording to rule section at bottom (wording can certainly be changed)
• All buttons and slider sections are centered more
• Lethal and Logging are also added as sliders in the top Configuration section

Concept 02:

• Same as Concept 01, except the vertical slider in rule section is changed to fine box lines
• Personally, I think I like the simple vertical line from Concept 01 better than this box line

Concept 03:

• Same as Concept 01 and 02, but with the simple vertical line divider in rule section
• Kept simple, without the wording Type of Rule and Permission in rule section

Concept 04:

• Similar button style as we have now, but combined the Start and Stop buttons into one
• Start/Stop button would be dependent on drivers current status
• Sliders for Lethal and Logging are in bottom section

Some Other Concept Ideas

Tool Tips:

• Some simple tool tips when users hover mouse over button/slider/text can keep things tidy and simple, yet answer a lot of basic user questions easily
• Maybe add those tiny question mark or info icons (small and faded so not distracting) so user knows to hover over it for more details
• Or just have tool tips show when user hovers over buttons, text, etc. (but I think there needs to be some sort of indicator)

Rule Creation Section at bottom:

• Instead of those current radio type of buttons, it is possible to use drop down menu instead
• Example, what type of rule do you want to create? Have a drop-down menu that includes Path, File, and Wildcard. Then a drop-down for Allow or Deny.

Clear Log button:

• As we know, for the Clear log button to work, we have to first stop the driver
• Maybe the Clear log button, when pressed, can auto-stop driver, clear log, then start driver back up without any extra steps from the user

Path- and Filename Rules section in middle of UI:

• Maybe this can eventually be tabbed section in middle
• In future particularly for Plus version, a tab for Hash rules
• As current, maybe a tab showing Path rules, a tab showing Filename rules, tab for wildcards
• This could be beneficial for larger configs

Anyway, I think that is all the creative thinking that my mind can do for one day. Time for another coffee.

 

Thanks guys, I appreciate that. I've got all the respect in the world for users here at Wilders. My account here is only a year or so old, but for many many years before that I used to come to Wilders without an account, but to follow so many different areas of security and had learned so much valuable information over the years. So now is my time to give back, that is why I've created an account. I try to help users with whatever I happen to have knowledge of, and try to share passion for whatever I am passionate about.

Anyway, I forgot one other thought to add to the ideas /concepts in my last post. Simple icons, likely open source icons that could be utilized. I wonder if using icons could be useful in the config section for Start, Stop, etc. Although I wouldn't want it to end up looking like some sort of music/media player. That thought reminds me of the old Avast days.

 

Does anyone have the link to the latest build of Bouncer?

 

Some really nice prospective GUI management arrangement concepts there. He likes it simple but if i had my way and it wouldn't decay the flow of operation it would be nice if it also had an option to have a taskbar alert toast box raise up on certain actions but then now that begins to take on the exhibitions of a HIPS etc.

 

http://excubits.com/content/files/bouncer_demo.exe

 

I figured it out, but thanks anyway -it was a typo. Good to know that you are also using MCShield, though. I have a couple of questions, which i intend to ask at the appropriate thread.

No. Don't put yourself to any more trouble. During the past couple of days, i tried many different system/software settings/configs without any success (also GWX.exe isn't the "answer", here). I have personally come to the conclusions that a) LV apps don't cause the issue, and b) the only consistent characteristic is that Bouncer is detecting/reporting, in a repetitive manner (=multiple Log entries), unknown code from files (not all of them) located in user-space. Here are the exes (only the ones in the red-outlined boxes!) that Bouncer has alerted me for (multiple times) during the past couple of days.




Both conclusions disprove all of my 3 "theories". I'm done trying to find the culprit and/or identifying a pattern. Taken into consideration Bouncer's inner works (from the latest manual),

Code:

The driver gets notified if any process tries to load executable code into memory, and this can be any type of file, including all extensions one can think of. Bouncer checks if the target memory was marked as executable, if this was the case, Bouncer's rules engine filters out the corresponding file.

and given that it's an issue confirmed by other users, i think that the developer should definitely give it a proper look. I've been following Bouncer's development from the 1st day that Mr. Brian brought it to our light (when it was completely free, that is), i learned how to self/test-sign drivers just to tested it on my wife's Win8.1, i really like the idea of spartan driver-based locked down system, but, right now, i will have to wait for a future issue-free release.

All of my GUI suggestions point to simplicity. For example: I bet that the "Restart" button is there because of the corresponding .cmd file, which, in turn, is there for convenience (i.e. not having to run 2 .cmd files). In the presence of a unified switch "Start/Stop", such a button ("Restart") is redundant. BTW, in terms of wording, "Pause" may need to be changed to "Suspend". The former is indirectly implying that a "Play/Stat" option is to be expected.

You have done a great job visualizing your concepts. If i may contribute to your cause, i think that an even more eye-friendly and intuitive GUI is needed IF the developer wants to broaden his customer target group. TimeFreeze's GUI could serve as a starting template...

PS1 @WildByDesign: Given that our security approaches/preferences partially match, i would strongly advise you to try/research light-virtualization -teaser: just think of all the malware that are waiting for a reboot...

PS2 @Dedal:

Did you, by any chance, make any significant change to you setup and/or uninstall any software, during the past 2 weeks?

 

I didnt make any changes to my security setup at that time. I am not sure about other software because recently I have been testing many programs.
Edit. To be clear. In last few weeks I have been testing many software but I haven't changed my security setup.

 

Thank You!

 

MZWriteScanner and CommandLineScanner kernel-mode drivers released:

http://excubits.com/content/en/products_mzwritescanner.html
http://excubits.com/content/en/products_commandlinescanner.html

 

@WildByDesign
Thank you!

 

@WildByDesign

Likewise. Big Thanks!

 

You're welcome. I haven't had a chance to play with these yet but I will dig in tomorrow. I can envision a really good combo with Bouncer and MZWriteScanner together.

Anyway, good news. One of the main scientists behind US-CERT is utilizing the related kernel-mode drivers Bouncer, MZWriteScanner, CommandLineScanner, RegistryScanner and NetworkDivert for some student project training classes and apparently plan on providing their outcome from training and feedback to Florian. I thought this was pretty interesting. After all, these drivers are really intended for forensics use and locking down POS and such. But, of course, us Wilder's members are pretty hardcore and we can spot the beauty in such tools.

 

It will be really nice once MZWriteScanner, and CommandLineScanner have matured and are integrated into Bouncer.