Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    An updated version of the Pumpernickel project driver is available today with some important bug fixes, performance increases, and some significant Ransomware protection.

    Beta Camp (https://excubits.com/content/en/products_beta.html) unsigned driver. Hopefully another week or two of this driver proving its stability and reliability and it can be released signed and then eventually integrated into Bouncer if the demand and potential is there.

    From Florian:
    I added the underlining in the quote. Anyway, I have been testing this build of the Pumpernickel for about 2-3 hours so far, and approximately two weeks of testing the previous builds as well. So far this is really shaping up nicely.

    I realize that not as many users are testing the unsigned builds for obvious reasons, and I totally respect that. I will do my best to thoroughly test these builds and provide as much feedback as I can to Florian in hopes that these beta builds will end up stable and reliable. So far the few bugs that I have reported for Pumpernickel have been fixed promptly.
     
  2. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Thanks for the information. It works very well on my test machine (Win 8.1 64-bit). I start Windows with sig. check disabled, so the driver can be loaded.

    :) great idea. We just need good rules now... Maybe we should suggest to Florian to make a web site containing (best of) rules. It is sometimes difficult to configure the drivers.
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I hope that at some point Bouncer, MemProtect, Pumpernickel, and Command Line Scanner are all combined into one product. It would be one hell of a mitigation package. It's hard to imagine that anything could get through with the proper configuration. I know there's always a chance, but I have to say it would be very slim. It's all about one's ability to create smart rules. I do have a problem with MemProtect not being compatible with Eset, though, so I think it would be a good idea to leave it up to the user to decide whether to enable the feature in the .ini file.

    Edited 1/18 @ 6:16
     
  4. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    A question regarding Windows Updates:

    Hi, I would like to learn how to deal with Windows updates.

    In some cases, Windows update installers will release executable files to a "random" folder under the root of a random partition. The name of the folder seems to be the hash of the installer. The problem is that the folder name has no fixed form, not even a fixed length. This makes it difficult to whitelist these installation files.

    I do not know whether we could solve this problem by "stopping" the service of Bouncer, because the Bouncer service will be started again automatically during boot-up. It seems that Windows updates will perform some operations during boot-up. I am not sure whether these operations will be influenced by Bouncer.

    Currently, I solve this problem by turning off the LETHAL mode, since the LETHAL mode will not be automatically turned on. In that case, the updates will not be influenced. But this approach also has a problem. In Win 7, the updates will be carried out during shutdown. Generally, I will shut down the computer at night just before sleep. After one night, when I start the computer again, I often forget to turn on the LETHAL mode, due to the sleep:D.

    How could we solve the problem of windows updates efficiently and conveniently?
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    This is definitely an important topic to discuss, it's good that you've brought it up.
    With my Bouncer configuration on Windows 10, I don't have to disable Bouncer or even go into non-lethal mode anymore. But I have a feeling that this may be a difference between Windows 7 and 10. Windows 10 seems to install much of its updates from within C:\Windows\SoftwareDistribution and therefore is easier to control. I do recall as well, a few years back, that Windows 7 would temporarily create random folders for updates within the root of the drive and I can certainly see why this could cause complications with whitelisting.
    You are right, it is possible that Bouncer could interfere during system startup when these updates are finalizing whatever they need to be doing. I personally have not seen a Windows update cause problems during system startup, but I can see a possibility there. That is where I used to use non-LETHAL mode temporarily, as you have mentioned as well.
    I can definitely understand your point here, waking up in the morning and forgetting that it is not in lethal mode. So there are a few points to figure out here. One, is figuring out how to configure Bouncer to not potentially get in the way of updates. Two, would be the non-lethal mode. In the case of the second point, I think that there needs to be a warning of some sort. Similar to the warning that comes up when the Bouncer driver is stopped. I think that there should be a warning when in non-lethal mode, maybe every 15 minutes or something like that. Also, maybe when in non-lethal mode the tray icon could display another shade of colour (maybe yellow for caution). What do you think about that?

    Now as far as configuration goes, you said the problem "is that the folder name has no fixed form, even no fixed length" which is certainly complicated. It has been a while since I have used Windows 7 on a regular basis, sometimes I use 7 in a VM but I usually avoid updates lately for 7. But clearly security updates are necessary here.

    Are you able to share some examples/logs of these random folders that have been created and also the executables that are used?
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think I may have found a great console program for computing the Hash of any directory. It is called Directory Checksum Tool. It supports MD5, SHA-1, SHA-256, SHA-384, and SHA-512. This one was developed by the makers of VeraCrypt which is based off of TrueCrypt. I don't see a user-manual for it, but I doubt it could be too difficult to use. https://www.idrix.fr/Root/content/category/7/31/46/
     

  7. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    I am not sure. When I started to use Bouncer, I used the non-lethal mode as a "training mode". I used the non-lethal mode for about one week to ensure that every essential item is properly whitelisted. If Bouncer reminds me every 15 minutes that the lethal mode is not enabled, I am afraid that there will be too many alerts in one day. Your second idea, changing the appearance of the tray icon, is much more practical in my opinion, since there are many other security products using this approach.;)

    But there is still a problem: some users may not install the GUI. In such case, there would be no tray icon...

    Following is an example corresponding to the random folders. These log events were generated when I installed some windows updates yesterday.

    *** excubits.com demo ***: C:\Windows\System32\services.exe > C:\Windows\System32\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\System32\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\System32\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\SysWOW64\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\System32\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\SysWOW64\msiexec.exe
    *** excubits.com demo ***: C:\Windows\SoftwareDistribution\Download\Install\Silverlight_x64.exe > E:\82ed10e9a349c8aa83d6be\install.exe
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\sysfer.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\msimg32.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\apphelp.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\AppPatch\AppPatch64\AcGenral.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\sspicli.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\sfc.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\sfc_os.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\dwmapi.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\sechost.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\mpr.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\imm32.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\riched20.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_2b299db671e86e03\GdiPlus.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > E:\82ed10e9a349c8aa83d6be\install.res.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\msi.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\cryptbase.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\version.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\cryptsp.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\rsaenh.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\netapi32.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\netutils.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\srvcli.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\wkscli.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\RpcRtRemote.dll
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\SysWOW64\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\System32\msiexec.exe
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\ieframe.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Program Files\Microsoft Silverlight\xapauthenticodesip.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\propsys.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\ieframe.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\urlmon.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\secur32.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\rundll32.exe
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\ieframe.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll
    *** excubits.com demo ***: E:\82ed10e9a349c8aa83d6be\install.exe > C:\Windows\System32\rundll32.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\System32\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\SysWOW64\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\System32\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\SysWOW64\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\System32\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\SysWOW64\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\System32\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\System32\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\SysWOW64\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\System32\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\SysWOW64\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\System32\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\services.exe > C:\Windows\System32\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\System32\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\SysWOW64\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\System32\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\System32\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\System32\msiexec.exe
    *** excubits.com demo ***: C:\Windows\System32\msiexec.exe > C:\Windows\System32\msiexec.exe

    Please note that the reason why there are many events corresponding to msiexec.exe is because I blacklisted it according to Florian's Blog. This problem (I mean the problem of msiexec.exe) is not serious, and can be solved when we have the priority symbol.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Some seriously exciting news from Florian today. Florian has been successful in combining the Bouncer and CommandLineScanner (CLS) drivers into one driver. Some of his concerns over the past few weeks were that the CLS functionality came in at a later stage during Windows boot. Bouncer starts during Kernel-init. So his worry was that adding CLS to Bouncer would cause Bouncer to start much later than during Kernel-init. He was not willing to sacrifice Bouncer's super early start. So after those few weeks, today, he has finally figured out a way to have Bouncer start during Kernel-init still as always, but have CLS functionality come into play at the next appropriate stage during Windows boot, the stage in which that feature/functionality is supported. Keep in mind, this is still far before seeing the desktop. And the main Bouncer functions that we all know and love still start at Kernel-init.

    Some details:
    It just keeps getting better! :eek:
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Online_Sword As a temporary measure, at the least for the time being until priority symbols and other ideas are implemented in stable version, here is what I would do:
    Code:
    [WHITELIST]
    E:\??????????????????????\install.exe
    [PARENTWHITELIST]
    E:\??????????????????????\install.exe>C:\Windows\*
    E:\??????????????????????\install.exe>C:\Program Files\*
    [BLACKLIST]
    # *reg.exe
    # *msiexec.exe
    During Windows updates and other software updates, I have had issues with *reg.exe and also *msiexec.exe, so if and when you are expecting Windows updates or other software updates, I personally block those lines of code temporarily. This allows the updates to go through without issue. In future versions I am sure there will be better methods.

    For the installers, you could do something like:
    Code:
    E:\??????????????????????\install.exe
    or even like
    ?:\??????????????????????\install.exe
    But as you said, some don't follow specific patterns, so you may have to add more over time as you come across more examples. Anyway I will put some more thought into this later tonight.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    That's great news! Will this be included in the free version of Bouncer? The Command Line Scanner is currently a paid feature if the user is using a 64-bit OS.
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    That's a very good question. I haven't actually spoken to Florian about that aspect. This is just a guess, but I would assume that it would be included in the free/demo version, but it would continue as before with a limit to the config file size. Right now I believe the current builds of Bouncer have a 20KB limit to the config size which I think is pretty generous and fair and should allow for secure configurations, but I believe the only limitation there would be full system hashing or going to the extreme and locking down systems like kiosks, PoS systems, etc. So that is my guess. He's pretty fair. He doesn't believe in implementing a licence or activation type of system for Bouncer, so it will likely remain a config file size limit. If things pick up more and interest/demand continues to increase for Bouncer, he said he is going to consider hiring someone to make a nice GUI for Bouncer as well. I think he is trying to balance how much of his own money and time goes into Bouncer versus the possibility of being a bust. You never know, something could be a huge success or it could potentially fail. Personally, I think that with his various kernel drivers, he's got the underlying framework for something great. Hopefully he will sometime be able to work full time on Bouncer.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm looking forward to Pumpernickel being integrated into Bouncer. It should be the perfect combo.
     
  13. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    @WildByDesign

    When I first noticed this problem (the problem of random folders), I also considered solving it with the wildcard "?", but it may not be a good idea, because, as mentioned, the lengths of the folder names can vary significantly from case to case. Please check the following links:
    https://superuser.com/questions/130125/windows-updates-folders-with-strange-names-in-c-drive
    https://superuser.com/questions/692683/random-folder-keeps-appearing
    http://www.tomshardware.com/answers/id-1752853/folders-long-random-words-letters.html
    https://superuser.com/questions/719...ve-root-from-appearing-without-disabling-wind

    What do you think of the following rules?
    Code:
    [WHITELIST]
    ?:\*\install.exe
    [BLACKLIST]
    ?:\*\*\install.exe
    [PARENTWHITELIST]
    C:\Windows\SoftwareDistribution\Download\Install\*.exe>?:\*\install.exe
    ?:\*\install.exe>C:\Windows\System32\*.dll
    ?:\*\install.exe>C:\Windows\SysWOW64\*.dll
    ?:\*\install.exe>C:\Windows\winsxs\*.dll
    [PARENTBLACKLIST]
    C:\Windows\SoftwareDistribution\Download\Install\*.exe>?:\*\*\install.exe
    The problem is that I do not even know whether all the installers of Windows Updates will be "install.exe".:confused:
     
    Last edited: Jan 20, 2016
  14. @Online_Sword

    When you want to create a permanent whitelist try this:

    1. Most safe updates originate from safe locations (e.g. Windows and Program Files) which are UAC protected.
    2. Most updates are executed from the Temporary folder in the User profile

    Try to create a priority "parent" whitelist rule for
    a) Parents located in UAC protected locations
    b) only applicable for User Profile Temp folder and subfolders

    You could also add SmartObjectBlocker and allow only Executables/DLLs/Drivers in TEMP with safe SIGNERS, to make it watertight

    Regards Kees
     
  15. hjlbx

    hjlbx Guest

    Just not user-friendly...
     
  16. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    Yes, it is not difficult to handle such kinds of updates, since we can create relatively precise rules for these updates.
    The problem here is that it is difficult to create a precise rule for the installers in the random folder created by Windows updates. Please check the log I posted in https://www.wilderssecurity.com/thre...-tuersteher-light.359127/page-34#post-2557489 . Please also check the links I posted in https://www.wilderssecurity.com/thre...-tuersteher-light.359127/page-34#post-2557618 .

    I do not know whether all the Windows updates are digitally signed by Microsoft. It seems that Microsoft does not like to sign its files. In the Windows folder, a lot of executable files are not digitally signed.:confused:
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Those rules will work well for your current setup, absolutely. And you are right, it is quite possible that other Windows updates may have a different executable name other than install.exe, so that is something that can be adjusted as time goes on. That's one thing that I love about Bouncer, the detailed logging that lets us know exactly what is happening on our systems. Sometimes when I am expecting an update for Windows, Adguard, Chrome, etc. I will switch to non-lethal mode but keep logging enabled. Then I utilize the logging data to create rules and therefore, next update cycles, I can remain in lethal mode and the updates go through without issue.
     
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    It may seem so to some (it's a challenge to fine-fit every rule even for me) but I suggest letting it run its course in development and, as a reminder, it is still in development in a manner of speaking for all intents and purposes. I think @WildByDesign mentioned that if this program draws enough of an audience going forward, it's in the making to make it more user-friendly (GUI etc.) as expected.
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Some interesting and fun additions to my test machine configuration today:
    Code:
    [#LETHAL]
    [LOGGING]
    [#SHA256]
    [PARENTCHECK]
    [CMDCHECK]
    [WHITELIST]
    # PortableApps
    D:\PortableApps\*
    # Office 2010 Click-to-Run
    Q:\140066.enu\*
    C:\PROGRA~2\COMMON~1\MICROS~1\VIRTUA~1\*
    # Bouncer
    D:\Bouncer\*
    # Tools
    D:\Tools\*
    # Program Files and Program Files (x86)
    C:\Program Files\*
    C:\Program Files (x86)\*
    # ProgramData
    C:\ProgramData\CanonBJ\*
    C:\ProgramData\Leapfrog\*
    # Adguard For Windows
    C:\ProgramData\Adguard\Temp\*
    C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe
    !C:\Windows\Temp\{????????-????-????-????-????????????}\.ba1\mbahost.dll
    # User Directory
    C:\Users\*\AppData\Local\Packages\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\*
    # Process Explorer
    C:\Users\*\AppData\Local\Temp\procexp64.exe
    # iTunes
    C:\Users\*\AppData\Local\Apple\Apple Software Update\SetupAdmin.exe
    # Flash Player
    C:\Users\*\AppData\Local\Temp\{????????-????-????-????-????????????}\fpb.tmp
    C:\Users\*\AppData\Local\Google\Chrome\User Data\PepperFlash\??.?.?.???\pepflashplayer.dll
    # Adobe Reader DC
    C:\ProgramData\Adobe\ARM\?\?????\AdobeARMHelper.exe
    # Google Chrome / Chromium
    !C:\Windows\Temp\??_?????.tmp\setup.exe
    C:\Users\*\AppData\Local\Temp\??_?????.tmp\setup.exe
    C:\Users\*\AppData\Local\Google\Chrome\User Data\SwReporter\?.??.?\software_reporter_tool.exe
    # Mozilla Firefox and Mozilla Thunderbird
    !C:\Windows\Temp\???????.tmp\*.dll
    C:\Users\*\AppData\Local\Temp\???????.tmp\*.dll
    C:\Users\*\AppData\Local\Temp\MozUpdater\bgupdate\updater.exe
    C:\Users\*\AppData\Local\Mozilla\updates\????????????????\updates\0\*
    C:\Users\*\AppData\Local\Thunderbird\updates\????????????????\updates\0\*
    *\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbasecomps.dll
    # DISM
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\*.dll
    !C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe
    !C:\Windows\Temp\????????-????-????-????-????????????\*.dll
    # Intel Dynamic Platform and Thermal Framework
    !C:\Windows\Temp\DPTF\esif_assist_64.exe
    !C:\Windows\Temp\DPTF\dptf_*proxy.dll
    # Malicious Software Removal Tool
    !C:\Windows\Temp\MPGEAR.DLL
    !C:\Windows\Temp\MPENGINE.DLL
    # Windows Directory And Windows Temp
    C:\Windows\*
    C:\????????????????????\mrtstub.exe
    C:\Users\*\AppData\Local\Temp\HWiNFO64A.SYS
    [BLACKLIST]
    *iexplore.exe
    *regedit.exe
    *bitsadmin.exe
    *cipher.exe
    *syskey.exe
    *vssadmin.exe
    *regedit.exe
    *Regsvcs*
    *RegAsm*
    *wusa*
    ?:\$Recycle*
    # *reg.exe
    *vssadmin.exe
    *aspnet_compiler.exe
    *csc.exe
    *jsc.exe
    *vbc.exe
    *ilasm.exe
    *MSBuild.exe
    *script.exe
    *journal.exe
    # *msiexec.exe
    *bitsadmin*
    *iexpress.exe
    *mshta.exe
    *systemreset.exe
    *bcdedit.exe
    *mstsc.exe
    *powershell.exe
    *powershell_ise.exe
    *hh.exe
    *set.exe
    *setx.exe
    *InstallUtil.exe
    *IEExec.exe
    *DFsvc.exe
    *dfshim.dll
    *PresentationHost.exe
    C:\Windows\ADFS\*
    C:\Windows\Fonts\*
    C:\Windows\Minidump\*
    C:\Windows\Offline Web Pages\*
    C:\Windows\tracing\*
    C:\Windows\Tasks\*
    C:\Windows\Temp\*
    [PARENTWHITELIST]
    # Program Files and Program Files (x86)
    C:\Program Files\*>*
    C:\Program Files (x86)\*>*
    # ProgramData
    C:\ProgramData\Microsoft\*>*
    # Process Explorer
    C:\Users\*\AppData\Local\Temp\procexp64.exe>*
    # Adguard For Windows
    C:\ProgramData\Adguard\Temp\*>*
    C:\Program Files (x86)\Adguard\AdguardSvc.exe>C:\ProgramData\Adguard\Temp\*
    C:\ProgramData\Package Cache\{????????-????-????-????-????????????}\setup.exe>*
    # Tools
    D:\Tools\*>*
    # Office 2010 Click-to-Run
    Q:\140066.enu\*>*
    C:\PROGRA~2\COMMON~1\MICROS~1\VIRTUA~1\CVH.EXE>*
    # Flash Player - PPAPI Updater
    C:\Windows\SysWOW64\Macromed\Flash\FlashUtil*_??_?_?_???*.exe>C:\Users\*\AppData\Local\Temp\{????????-????-????-????-????????????}\fpb.tmp
    # Adobe Reader DC
    C:\ProgramData\Adobe\ARM\?\?????\AdobeARMHelper.exe>C:\Windows\*.d??
    C:\ProgramData\Adobe\ARM\?\?????\AdobeARMHelper.exe>*AdobeARM.exe
    # Google Chrome
    C:\Users\*\AppData\Local\Temp\??_?????.tmp\setup.exe>C:\Windows\*.dll
    C:\Users\*\AppData\Local\Google\Chrome\User Data\SwReporter\?.??.?\software_reporter_tool.exe>C:\Windows\*
    !C:\Windows\Temp\??_?????.tmp\setup.exe>C:\Windows\*.dll
    # iTunes
    C:\Users\*\AppData\Local\Apple\Apple Software Update\SetupAdmin.exe>C:\Windows\*.dll
    # Mozilla Thunderbird
    C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe>*\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbasecomps.dll
    # DISM
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\*.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\*.dll
    !C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\*.dll
    # Intel Dynamic Platform and Thermal Framework
    !C:\Windows\Temp\DPTF\esif_assist_64.exe>C:\Windows\*.dll
    # PortableApps
    D:\PortableApps\*>*
    # Malicious Software Removal Tool
    C:\????????????????????\mrtstub.exe>C:\Windows\System32\MRT.exe
    C:\????????????????????\mrtstub.exe>C:\Windows\System32\*.dll
    # Windows
    C:\Windows\*>*
    [PARENTBLACKLIST]
    # Blocking user space from accessing .NET
    C:\Users\*>C:\Windows\Microsoft.NET\Framework\*
    # Windows Temp
    C:\Windows\Temp\*>*
    [CMDWHITELIST]
    *cmd.exe>sc  query Bouncer
    *BouncerTray.exe>C:\Windows\system32\cmd.exe /c sc query Bouncer
    *cmd.exe>\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    *winlogon.exe>"LogonUI.exe" /flags:0x0 /state0:0xa3973855 /state1:0x41c64e6d
    *esif_uf.exe>"C:\Windows\TEMP\DPTF\esif_assist_64.exe"
    *services.exe>C:\Windows\System32\*
    *svchost.exe>C:\Windows\system32\*
    *smss.exe>\??\C:\Windows\system32\autochk.exe *
    *smss.exe>\SystemRoot\System32\smss.exe 000000a8 00000074
    *smss.exe>%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows*
    *smss.exe>wininit.exe
    *smss.exe>winlogon.exe
    *wininit.exe>C:\Windows\system32\*
    *services.exe>C:\Windows\SysWow64\*
    *BouncerTray.exe>C:\Windows\notepad.exe C:\Windows\bouncer.log
    *cmd.exe>net  stop bouncer
    *net.exe>C:\Windows\system32\net1  stop bouncer
    C:\Windows\*>*C:\Windows\*
    *BouncerTray.exe>*Admin Tool.exe*
    C:\Windows\*>*
    *Admin Tool.exe>*cmd.exe*
    *BouncerTray.exe>*Admin Tool.exe*
    *thunderbird.exe>*chrome.exe*
    *chrome.exe>*chrome.exe*
    *Admin Tool.exe>*cmd.exe*
    *firefox.exe>*plugin-container.exe*
    *plugin-container.exe>*\Flash\FlashPlayerPlugin_??_?_?_???.exe*
    [CMDBLACKLIST]
    *>rundll32*
    [EOF]
    
    [CMDCHECK], [CMDWHITELIST] and [CMDBLACKLIST] are coming for public beta release sooner than I was expecting. Running wickedly smooth already. Hopefully there will be a beta release within a week or two.
     
  20. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    @WildByDesign

    Thank you for sharing your rules. Could you briefly explain the meaning of your rules for command lines? It seems that there is no help document available yet.
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome. This was my first time using a Bouncer build combined with command line scanning functionality, so it has been a learning experience for me. Playing it safe, I started this in non-lethal mode with logging enabled. As you can see with my first bunch of lines under the [CMDWHITELIST] section, I simply copied and pasted from the log file exactly as is (although removing the space before/after the > symbol) and it worked great as I was learning how to create these rules. After I gained more understanding, I started to refine my rules further. The rules are similar to parent check rules, although command lines can sometimes be massively long. So that is where wildcards play a role in helping with the rules. One important thing you may notice is that on some lines I added a * wildcard at the end. The reason is that there is often more to that command line after that point, so I chopped it shorter with the wildcard. Some examples:
    Code:
    *cmd.exe>\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Code:
    *cmd.exe>*C:\Windows\system32\conhost.exe*
    Notice that I shortened that by replacing the \??\ with an *, and shortened the end as well. Only some command lines have the \??\ in the logging; most don't have that.

    Anyway, that is my understanding so far after some trial and error. That config is running smoothly on Win10 x64 without any further alerts or logging at the moment. I still have to clean up those rules a bit just to tidy up now that I understand it better.
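To make the parent>child wildcard matching described in this post concrete, here is an added Python example (not Bouncer's code) that parses a small constructed [CMDWHITELIST]/[CMDBLACKLIST] file and evaluates sample parent/command-line pairs against it. It assumes `*` matches any run of characters and `?` exactly one, that matching is case-insensitive, and that a blacklist hit takes precedence over the whitelist with anything unmatched denied.

```python
import re

# Constructed rule file in Bouncer's ini style, modelled on the rules quoted in this thread.
SAMPLE_INI = r"""
[CMDWHITELIST]
*cmd.exe>*C:\Windows\system32\conhost.exe*
*firefox.exe>*plugin-container.exe*
*plugin-container.exe>*\Flash\FlashPlayerPlugin_??_?_?_???.exe*
# *reg.exe>*reg.exe    (a '#' line is a comment and is skipped)
[CMDBLACKLIST]
*>*rundll32*
*>*cmd*/c*
[EOF]
"""

def parse_rules(text: str) -> dict[str, list[str]]:
    """Split an ini-style rule file into sections; '#' lines are comments, [EOF] ends parsing."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[EOF]":
            break
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def rule_to_regex(pattern: str) -> re.Pattern:
    """'*' matches any run of characters, '?' exactly one; anchored, case-insensitive (assumed)."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)

def matches(rule: str, parent: str, cmdline: str) -> bool:
    """A rule is 'parent>child': both halves must match their respective strings."""
    parent_pat, _, child_pat = rule.partition(">")
    return bool(rule_to_regex(parent_pat).match(parent)) and bool(rule_to_regex(child_pat).match(cmdline))

def decide(sections: dict[str, list[str]], parent: str, cmdline: str) -> str:
    """Blacklist first (assumed precedence), then whitelist; anything unmatched is denied."""
    for rule in sections.get("CMDBLACKLIST", []):
        if matches(rule, parent, cmdline):
            return "BLOCK:" + rule
    for rule in sections.get("CMDWHITELIST", []):
        if matches(rule, parent, cmdline):
            return "ALLOW:" + rule
    return "BLOCK:default-deny"
```

Feeding it the parent/command-line pairs copied from a non-lethal-mode log lets you check a rule set offline before switching the driver to lethal mode.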
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    From: https://excubits.com/content/en/news.html
    Updates in the Beta Camp
    2016/01/31 by Florian

    More details available on the News page (linked above) and also on the Beta Camp page: https://excubits.com/content/en/products_beta.html

    * Please keep in mind that these beta camp releases are still unsigned at the present time.
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    * Please keep in mind that these beta camp releases are still unsigned at the present time.

    Arggg!!!

    Oh well, by the time they're fully ready for prime time I can license a complete fully signed version with all the neat bells, whistles, and flaws corrected.
     
  24. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    I just don't know why you added "#" in red and left out "exe"?
    *Regsvcs* →*Regsvcs*.exe
    *RegAsm*→*RegAsm*.exe
    *wusa*→*wusa*.exe
    # *reg.exe→*reg.exe

    BTW, I added some processes to the cmd blacklist and PARENTBLACKLIST. Is it OK?
    *>*rundll32*
    *>*regsvr32*
    *>*script*
    *>*cmd*/c*
    [PARENTBLACKLIST]
    C:\Program Files (x86)\Internet Explorer\iexplore.exe>C:\Users\*\AppData\Local\Temp\Low\*.*
    C:\Program Files\Internet Explorer\iexplore.exe>C:\Users\*\AppData\Local\Temp\Low\*.*
    C:\Users\*\AppData\Local\Temp\Low\*.*>C:\Windows\*
    C:\Users\*\AppData\Local\Temp\Low\*.*>C:\Program Files\*
    C:\Users\*\AppData\Local\Temp\Low\*.*>C:\Program Files (x86)\*
    C:\Users\*\AppData\Local\Temp\Low\*.*>C:\ProgramData\Microsoft\*
    C:\Windows\SysWOW64\explorer.exe>C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\explorer.exe>C:\Users\*\Downloads\*.*

    And I'm confused by *cmd*/c*, I mean "/c*"!
     
    Last edited: Feb 2, 2016
  25. Online_Sword

    Online_Sword Registered Member

    Joined:
    Aug 21, 2015
    Posts:
    146
    As far as I know, .NET applications do not need an interpreter like java.exe as the entry point of execution. In that case, how could CommandLineScanner control the execution of .NET applications?

    @WildByDesign , could you test this feature with .NET applications (for example, with the C# program that I sent to you)? Currently, I cannot test it by myself, since I am at my hometown for holiday, and the computer in my hand is not good enough to run a virtual machine...

    @Tomin2009:
    A line starting with "#" would be omitted by Bouncer. You can use this symbol to add comments.

    You can use the arguments "/c" and "/d" to execute a command line with cmd.exe. To try it, first press WIN + R, then enter the following command:
    Code:
    cmd.exe /c pause
    You can replace "pause" here with any other command line that you want to execute. For example, when you execute the following command, you would shut down your computer:
     