Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Thank you for your explanation.:thumb: When the "executions" are blocked by Bouncer, would the function of SuperFetch be influenced?
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I just thought of something. I just assumed all the entries I just posted were caused by Superfetch. Almost all the files Superfetch alerted to before came from an external drive. They were a bunch of installers, .txt, and jpeg files. Bouncer alerted to those files all day every day. Turning Superfetch off stopped all the alerts. I haven't really turned Superfetch off in a while. I don't think Bouncer started alerting to those files until Florian added the PARENTCHECK FEATURE. I know those files are not trying to execute, and I have C:\Windows\*>* whitelisted so there's no other reason for Bouncer to alert to those files that I'm aware of.

    edited 12/15 @ 2:35
     
    Last edited: Dec 15, 2015
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I honestly don't know if it influenced Superfetch because Superfetch is something that works in the background, and is supposed to speed up the user's computer. I don't know how my computer performs with it turned off because I have never left it off for very long. There are plenty of reports on the internet of Superfetch causing very high memory usage, high CPU usage, and slowing users' computers down. I would not leave it turned on if I did not have much memory installed. It requires considerably more memory than machines that don't have it turned on. That's because it opens up files in memory so it does not have to read them directly from the disk. That's how it speeds up Vista and later computers. The way Superfetch behaves on my systems is not normal by the definition of Superfetch according to Microsoft because it opens up all kinds of files in memory constantly that I rarely ever access. I kind of wonder if some of the Telemetry updates that Microsoft was secretly pushing out for a while are the reason Superfetch was basically inventorying all my drives.

    edited 12/15 @ 2:29
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Sorry, I probably didn't reply back about that. I can't remember for sure. I have had multiple BSODs (4-5 per day) every day, which just ended yesterday. That is with no real-time security software installed. I suspect they are being caused by my video card graphics drivers. I removed Catalyst Control Center, and things seem to have calmed down for now.
     
  5. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Depending on how much RAM you have, it might be worthwhile disabling Superfetch?
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Yes, if you are running a machine with the minimum requirement of RAM it may be better to turn it off. I would at least try it to see if you notice a performance improvement. If you notice a decrease in performance then just turn it back on. Make sure your machine does not have any dependencies on Superfetch. I don't think there are any that the OS has to have, but I'm no system expert.

    I've read several cases on the internet where the user ended up having to turn Superfetch off because it used all their memory, or caused high CPU usage. I have 8 GB of memory so I don't have to worry about my memory being maxed out, and I don't experience any high CPU usage. Bouncer and Superfetch just don't play well with one another on my machine. The real question is why Superfetch is opening up files I never access, or rarely access. Superfetch is only supposed to open up files in memory that are accessed often so they don't have to be read from the disk. That's how Superfetch works to speed up one's machine. Maybe it's one of those Telemetry updates from Microsoft doing it; who knows. I tried to make sure not to install any of the telemetry updates, but maybe I missed one.
     
  7. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Your above post mentioned something that reminded me of Superfetch's partner in crime...
    "The real question is why is Superfetch opening up files I never access, or rarely access."
    That sounds like something Prefetch does. There are 3 of them if memory serves me correctly; Superfetch, Prefetch and Write-Cache Buffer.

    For the sake of curiosity, can you load up regedit.exe and navigate to this directory, please...
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet[1 and 2 also exist]\Control\Session Manager\Memory Management\PrefetchParameters"
    Check the values for EnablePrefetcher and EnableSuperfetch

    The possible values for EnablePrefetcher are:
    • 0 – Disable Prefetcher
    • 1 – Application launch Prefetching enabled
    • 2 – Boot Prefetching enabled
    • 3 – Application launch and Boot Prefetching enabled
    The possible values for EnableSuperfetch are:
    • 0 – Disable Superfetch
    • 1 – Enable SuperFetch for boot files only
    • 2 – Enable SuperFetch for applications only
    • 3 – Enable SuperFetch for both boot files and applications
    One of the first things I disable if performing a fresh install is this Super/Prefetch stuff... it's usually a race between what gets trashed first; Superfetch or HomeGroup... lol
     
    Last edited: Dec 16, 2015
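As an added example (not from the thread, and not part of Bouncer), the following PowerShell reads the two values at the registry path quoted above and decodes them with the tables from that post, then shows the state of the Superfetch service. The service name SysMain is an assumption taken from standard Windows installs; the "value not present" branch covers systems where EnableSuperfetch does not exist.

```powershell
# Added example: decode the Prefetch/Superfetch registry settings discussed above.
# Run from an elevated PowerShell prompt; reading these values needs no changes.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'

# Value meanings as listed in the post above.
$PrefetcherMeanings = @{
    0 = 'Disable Prefetcher'
    1 = 'Application launch Prefetching enabled'
    2 = 'Boot Prefetching enabled'
    3 = 'Application launch and Boot Prefetching enabled'
}
$SuperfetchMeanings = @{
    0 = 'Disable Superfetch'
    1 = 'Enable SuperFetch for boot files only'
    2 = 'Enable SuperFetch for applications only'
    3 = 'Enable SuperFetch for both boot files and applications'
}

function Get-PrefetchSetting {
    param([string]$Name, [hashtable]$Meanings)
    # -ErrorAction SilentlyContinue turns a missing key or value into $null
    # instead of a terminating error (EnableSuperfetch may be absent on newer Windows).
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Setting = $Name; Value = $null; Meaning = 'value not present in registry' }
    }
    $v = [int]$item.$Name
    $meaning = if ($Meanings.ContainsKey($v)) { $Meanings[$v] } else { "undocumented value $v" }
    [pscustomobject]@{ Setting = $Name; Value = $v; Meaning = $meaning }
}

Get-PrefetchSetting -Name 'EnablePrefetcher' -Meanings $PrefetcherMeanings
Get-PrefetchSetting -Name 'EnableSuperfetch' -Meanings $SuperfetchMeanings

# The Superfetch service is registered as 'SysMain' (assumed from standard installs).
# Win32_Service is used rather than Get-Service so StartMode is available on the
# PowerShell 2.0 that ships with Windows 7.
Get-WmiObject -Class Win32_Service -Filter "Name='SysMain'" |
    Select-Object Name, DisplayName, State, StartMode
```

Comparing the decoded registry values with the service state tells you which of the two knobs (registry flags versus the service itself) is actually in effect on a given machine.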
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Thank you for the location of the settings in the registry. I had not looked at them. Prefetch and Superfetch are both set to the value 3. I could just try the value 1 for boot files only to see if that keeps Bouncer from constantly alerting to unknown code execution. I think I read in more than one article that Superfetch populates the files in Prefetch, so I'm not sure how they also work separately considering there is an option to control logging for both of them in the registry. Maybe Superfetch is a helper application for Prefetch, and they each populate files in the Prefetch cache. I think I should leave Write-Cache Buffer on. Do you leave it enabled on your machines? I can't check to see if that works tonight because I'm working with an image with ERP on it instead of Bouncer at the moment.
     
  9. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Thank you!

    Ever since I returned to a LUA, I have forgotten some tweaks I made on my previous install which always ran as Admin. One of those tweaks was to disable Prefetch and Superfetch. Yay! (one down, x amount to go...). The only negative I have experienced from disabling these two settings is encountered after a system clean provided by your favourite cleaner, whether it is Privazer or CCleaner, etc... The boot time is slightly (but noticeably) longer, and you can see that the machine is doing something (prefetching everything?) because the HDD light flickers on and off like an epileptic at a rave. After the first post-clean bootup, things return to normal.

    In regards to Write-Cache buffer, while I was rocking a traditional HDD, I kept this feature ticked. I must thank you once again, because this is another tweak that slipped my mind after jumping back into LUA mode. Now that I am running a SSD, to me it made sense to turn this feature off, because data r/w/x on an SSD is handled differently.

    I believe more research must be done on this, as we both know assumptions are the mother of all blunders. Although I have noticed my system is a tad more responsive, and feels more crisp, if that makes sense.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    You can make an exception in CCleaner so it does not erase anything from Prefetch, etc.. Just go to options, and exclude. That is if you have not already done that.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I found some more Telemetry updates installed that I removed. The next time I install Windows I will check every update to make sure I don't install any again. Maybe some of those updates are causing Superfetch to trigger all those unknown code alerts in Bouncer. I'm exploring all possibilities.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Cutting_Edgetech With this clash between Superfetch and Bouncer, is this happening on only one specific version of Windows? I am curious about that. The majority of my experience with Bouncer has been with Windows 8.x and 10, but I don't think I've used it with Windows 7 though.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I only use Windows 7X64 Ultimate. I have 3 machines that I have tried Bouncer on, and got the same result. I tried it on my test machine without any other Security Software installed, and still experienced it.
     
    Last edited: Dec 17, 2015
  14. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Some responses from Florian:

    1. Me: I hope that Pumpernickel could be integrated into Bouncer. But the execution white/black lists should be separated from the writing white/black lists.
    Florian:
    Code:
    Sure, we will first implement it and then see how it cooperates with Bouncer.
    If everything works fine we can integrate it (and yes, it will be separate from the other rules).
    Good News!:thumb:
    Note: I use the "CODE" label here because the content surrounded by the "Quote" label is not easy to read.

    2. Me: Please check why Bouncer would prevent data files from execution.
    Florian:
    Code:
    The issue you described is caused by Superfetch on Windows 7 only.
    It seems that Superfetch has a bug and loads all kinds of files (for caching) with executable privileges into memory.
    Thus my driver detects that something executable shall be loaded and triggers an alert.
    This was also discussed and described in the Wilders Forum.
    It is *NOT* a bug in Bouncer, it is a bug or misbehavior in Microsoft's Superfetch, thus there is little I can do.
    And I will not work around a bug made by others (here Microsoft) because this will lower the overall security of my product.
    Bouncer is not compatible with Windows 7's Superfetch. If you want to use Bouncer on Windows 7, please disable Superfetch or do not use Bouncer.
    In my experience and the experience of some users there is no performance loss on normal end-user machines with Superfetch disabled.
    Personally I really do not know what this Superfetch thing is good for, I never felt that Windows 7 is going to boot or act faster with Superfetch enabled.
    Starting with Windows 8++ there is no Superfetch and Windows 8, 8.1 and 10 are fast as hell without that crappy service.
    3. Me: Please consider adding a timestamp to each item in the event log. This could help the users figure out which event log entries have been read and which ones have not. It is significant when the log file is long and many events are added to the log file at a time.
    Florian:
    Code:
    It is on our to do list (road map). Since we do all and everything within the kernel it is not always simple to implement stuff that looks simple.
    There is no dedicated API in the kernel to format time stamps in an adequate way, this is why it currently was not implemented. But we try to do...
    (In another mail)
    Code:
    As I said, the time stamp is on our road map and I think that we will include such values soon in the log file.
    4. Me: Please consider allowing the users to write some comments in the rules file (Bouncer.ini). This would be helpful when we create some SHA256 rules.
    Florian:
    Code:
    You can already comment out a line by setting # or | at the beginning.
    Example: #C:\Users\Magnum\Temp*

    Note: When I asked Florian this question, I had not read the post of @WildByDesign on the same issue.
     
    Last edited: Dec 18, 2015
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Online_Sword Excellent news, thank you for sharing. Florian is always a great guy to have conversations with regarding security. As you can see, he never wants to make a compromise in security (cutting corners) ever and that is something that I respect a lot. Sure, we can always get better usability, but usability often comes with a sacrifice.

    @Cutting_Edgetech I decided to fire up some old Windows 7 virtual machines to look into this Superfetch thing a bit more out of curiosity and to see if I could figure anything useful out. I definitely see what you mean now, as I am also experiencing a lot of blockages on Windows 7 as well with Bouncer.

    I went ahead and disabled the Superfetch service and also followed the registry tweaks provided by @marzametal and rebooted several times. However, I am still experiencing these blockages on my Windows 7 virtual machines. I don't know if this might be specific to VMs or not.

    Those of you experiencing blockages on Windows 7, did those blockages disappear after disabling Superfetch and Prefetch?

    EDIT: Never mind, I was able to get hold of a physical Windows 7 laptop and was able to confirm that disabling the Superfetch service and the registry tweaks for Prefetch and Superfetch was successful against those blockages. It's good that we've got a workaround for the Windows 7 Superfetch issue. I've been using this old laptop with an old-style HDD for a few hours now and I cannot tell the difference between Superfetch on or off.
     
    Last edited: Dec 18, 2015
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    [QUOTE="WildByDesign"]@Cutting_Edgetech I decided to fire up some old Windows 7 virtual machines to look into this Superfetch thing a bit more out of curiosity and to see if I could figure anything useful out. I definitely see what you mean now, as I am also experiencing a lot of blockages on Windows 7 as well with Bouncer.[/QUOTE]
    Are most of the files triggering the unknown code execution alerts the same files over and over again? In the past the files that triggered almost all the unknown code execution alerts were files on my external drives. The files were installers, .txt, and .jpeg files. 90% of the time it would be the installers that gave the alerts. That has now changed with the last 2 builds. Most of the unknown code execution alerts now are for the files on my blacklist which are located on C:\. Bouncer alerts to the files on my blacklist over and over again.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Is anyone else blocking AxInstUI.exe? It is the installer service for ActiveX. It's in the System32 folder.
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Yes, pretty much same files over and over. For me, it was mostly installers from my Downloads folder plus some frequently used programs. I looked in the Prefetch folder and it corresponded with the executables that were being blocked in the log so it made sense that Superfetch/Prefetch was at the root of the issue. After disabling Superfetch/Prefetch the blockages in log have all gone away.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    It's strange that almost all the unknown code execution alerts are from files I never access. Most of them are on my blacklist. In the past all the alerts were from files on external drives that I rarely ever accessed also. It's strange how Superfetch keeps opening the same files in memory over, and over again. One would think that it would not need to check the file so often after reading the data in the file. The data in the file should tell Superfetch that it is rarely accessed. Maybe Microsoft has a bug in Superfetch that they don't know about.
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Very strange Superfetch bug, indeed. The odd thing is how it only seems to affect Superfetch on Windows 7, while Windows 8.x and 10 both still have a running Superfetch service yet seem unaffected. So Microsoft resolved the strange behaviour in 8.x/10 but did not backport the fix to 7 for some reason.
     
  21. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    I am glad that the bug has been flushed out of W7 Superfetch & Prefetch. I had no clue that S & P didn't exist in W8 - W10.

    More good news for the Bouncer crew!
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I have never used Windows 8-10, but I think they have Superfetch & Prefetch.

    Edited 12/18 @ 6:45
    Google search says Windows 8-10 has Superfetch, and Prefetch.
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Seems that Windows 10 is missing one of those registry entries. It has the Superfetch service and also the EnablePrefetcher registry key. But it does not seem to have the EnableSuperfetch key. I would assume Windows 8 would be similar.
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    I may start using Windows 7 with Superfetch turned off. I don't even know whether Superfetch helps performance on my system since I have never turned it off for a considerable amount of time. My machine is using 27% of the 8 GB of memory I have installed. I wonder how much memory it will free up by turning Superfetch off.
     
  25. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Hi, @WildByDesign .

    I have not tried to disable SuperFetch on my real machine, but I have disabled it on one virtual machine, whose OS is Win 7 Pro Edition x86.

    I only disabled the Superfetch service and set it to disabled startup; I did not modify the registry items.

    After several hours of testing, I find that the strange blockages no longer appear on my virtual machine.
     