Bouncer (previously Tuersteher Light)

Good news. Will Pumpernickel get an English name (e.g. like FileProtect)?

 

I asked Florian: It will be renamed. The English (international) name will be FIDES, it is acronym for something. The word fides itself is latin and stands for protection.

He also told me that Ev cert dongle arrived. Needs to be unlocked/registred or something than he can use cert to registr to Microsoft Driver Center (do not really understand what this is all about), then he will be able to sign drivers for Windows 10 AU.

 

No, they are different sections. You can only set priority rules for same section: [WHITELIST] and [BLACKLIST], they only affect each other in this section, not for the others. Doing this would otherwise end in chaos.

If you use priority rule in whitelist it can overwrite rules from blacklist. Beware: priority rule from blacklist will beat all priority rules in whitelist. Also ensure that priority rules always stay on top of each section. If you have

Code:

[WHITELIST]
C:\Windows\*
!C:\Windows\Temp\AvUpdater.exe
[BLACKLIST]
C:\Windows\Temp\*

Then the priority rule will no catch if you call AvUpdate.exe, because C:\Windows\* is valid rule and before the priority rule. You need to do

Code:

[WHITELIST]
!C:\Windows\Temp\AvUpdater.exe
C:\Windows\*
[BLACKLIST]
C:\Windows\Temp\*

This is important to understand - tricked me out at the beginning. So I like to share this, maybe others had same problems to understand...

 

Great thx

 

Thanks 4Shizzle for your detailed explanation. That's helped alot, as I am new to bouncer the priority rule has frustrated me a times.

Thanks once again for sharing.

 

Sorry, for the late reply. I have major Microsoft issues I have been trying to figure out. I have 8 Windows 7X64 Machines, and none of them are able to connect to Microsoft update server.

Yes, step b is blocked, and whitelisting the tray application does not fix the problem. AG thinks the write attempt to Bouncer's registry key is coming from the Guarded App instead of from Bouncer.

 

Sorry, for the late reply. I have major Microsoft issues I have been trying to figure out. I have 8 Windows 7X64 Machines, and none of them are able to connect to Microsoft update server.

Whitelisting the tray application does not fix the problem. AG thinks the write attempt to Bouncer's registry key is coming from the Guarded App instead of from Bouncer.

 

I attempted to test Memprotect blocking task manager from closing calculator, but all I see is the systemtray icon turning red and the following line appearing repeatedly for longer than a page:

*** excubits.com demo ***: 2016/07/23_23:11 > C:\Windows\System32\taskmgr.exe > C:\Windows\System32\calc.exe

OTOH Memprotect does block plugin-container if I don't whitelist it, so I at least know it's functioning.

Can someone let me know what I'm doing wrong? This is the config I've made, using the supplied blacklist entry for taskmgr:

Code:

[LETHAL]
[LOGGING]
[WHITELIST]
*>*
!palemoon.exe>*\Pale Moon\*
!palemoon.exe>*\C:\Program Files (x86)\Malwarebytes Anti-Exploit\*
!C:\Program Files (x86)\Malwarebytes Anti-Exploit\*>*
[BLACKLIST]
*taskmgr.exe>*calc.exe
palemoon.exe>*
[EOF]

 

@RJK3 This has got my curiosity. A little risky though, but that makes it more fun. I will give this a solid attempt over the next few hours in a VM and will get back to you later if I can figure out anything interesting or a specific config. By the way, which version of Windows are you running?

 

Code:

[BLACKLIST]
!*taskmgr.exe>*calc.exe

You were on the right track there. The only thing required in this config to protect calc.exe from being killed by task manager was a priority symbol (see above). The priority symbol was required to override the *>* from whitelist section.

 

Oh, that makes sense! Cheers Wild for checking that for me. I was using Windows 7 FWIW.

 

Just revisiting this, if whitelisted items have priority over blacklisted items, do I also need to use a priority symbol on palemoon.exe in the blacklisted section:

Code:

[LETHAL]
[LOGGING]
[WHITELIST]
*>*
!palemoon.exe>*\Pale Moon\*
!palemoon.exe>*\C:\Program Files (x86)\Malwarebytes Anti-Exploit\*
!C:\Program Files (x86)\Malwarebytes Anti-Exploit\*>*
[BLACKLIST]
!*taskmgr.exe>*calc.exe
!palemoon.exe>*
[EOF]

Does this mean that the priority from most important to least important is:
(1) !whitelist (2)!blacklist (2) whitelist (4) blacklist

Is there a way to switch the priority system around?

 

priority is !blacklist, !whitelist, blacklist, whitelist

 

If normal blacklist is priority over normal whitelist, wouldn't this work:

Code:

[WHITELIST]
*>*
[BLACKLIST]
*taskmgr.exe>*calc.exe

As WildByDesign suggested, the blacklisted code only took priority when I used the priority symbol.

 

How can that be Shouldn't be a "normal" blacklist-rule without priority enough to block it?

 

If anyone was interested in a different way to have an easy, unobtrusive shortcut to editing the .ini files for Excubit software. I've setup the right-click/context menu of the Power button in System tray to open an elevated notepad for memprotect.ini like this:

https://s32.postimg.org/7pvuee7w5/edit_memprotect.png
Instructions are for Windows 7. Since it uses changes to the registry, then as always this is at your own risk.

First step: Create a normal shortcut
(a) Nothing special in this step. Create a new shortcut with the Target "C:\Windows\notepad.exe C:\Windows\MemProtect.ini" and call it what you like, e.g. "edit.lnk".
(b) Set it to start as admin (right click, Properties, in 'Shortcut' tab click Advanced, 'Run as Administrator')
(c) Put the shortcut in whatever folder you want.

Second step: Edit the registry
Locate the following in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\ContextMenu\

There are numbered sub-folders 1-6 for 6 context items, each with blank Expandable String Values (REG_EXPAND_SZ) items, "Application", "ItemName" & "Parameters". Select one of these sub-folders.

Set "Application" to point to the shortcut itself, e.g. "c:\portable\memprotect\edit.lnk"
Set "ItemName" to whatever you want to describe it as, e.g. "Edit Memprotect.ini"
Leave Parameters blank.

Right click on the Power icon and look for the new option. To remove a context menu entry, then just set those REG_EXPAND_SZ items to blank again.

 

Digitally Signed Pumpernickel/FIDES is available now on the redesigned Beta Camp page (https://excubits.com/content/en/products_beta.html). This is the build which has more finely grained control over write access and read access.

 

Very nice.
Especially the "read access-protection" is interesting.

 

Can I just download and extract over the existing one? And will it preserve .ini settings?
Or do I have to stop the driver and redo the .ini?

 

Thank you so much. I've learn something totally new here, absolut great idea and hint!!!

Fully agree. It works mint on my Windows 8.1 and seems to be rock solid (like @WildByDesign already said). Will go deeper into configuration, seems now worth and it is great idea for additional protection.

No, you can re-use but you canot overwrite driver binary and using old/existing pumpernickel.ini. There are two new section, at least you can do:

[LETHAL]
[LOGGING]
[WHITELISTMODIFY]
<PUT YOUR OLD WHITELIST HERE>
[BLACKLISTMODIFY]
<PUT YOUR OLD BLACKLIST HERE>
[WHITELISTREAD]
*>*
[BLACKLISTREAD]
[EOF]

This should then work for you. But I recommend to you to also add some read-section rules...

Has anyone clue what FIDES stands for? It is acronym, but for what?

 

Fides = acronym for good faith, trust and reliability
I think this should be the correct meaning, because i couldn't find other definitions for it.

 

https://en.wikipedia.org/wiki/Fides_(deity)

the goddess of trust and bona fides (good faith)

 

i have bsod even in [#LETHAL] mode.conflict is with spyshelter firewall
anyone else have this problem?
i send email about it to Florian.

 

I think it's recommended to upgrade to the new version of Pumpernickel (FIDES), because it has additional protection (see at the end of this post)
But before upgrading some changes has to be made in the pumpernickel.ini
a) Rename [WHITELIST] to [WHITELISTMODIFY]
a) Rename [BLACKLIST] to [BLACKLISTMODIFY]
c) Then add (before [EOF]):

Code:

[WHITELISTREAD]
*>*
[BLACKLISTREAD]

I did a quick test of the new read-protection:

Code:

[WHITELISTREAD]
*>*
[BLACKLISTREAD]
*>e:\read1*
*>e:\read2\*

e:\read1*
If you want to enter the directory e:\read1 the access to it is blocked.
No files and folders within this directory can be seen.
e:\read1 = Access denied

e:\read2\*
you can enter this directory, but you are not able to read files/folders in it (and files/folders within all subfolders)
you can "see" folders in e:\read2\ but you can't enter these folders (=Access denied).
e:\read2 = Access allowed
e:\read2\folder1 = Access denied
e:\read2\file1.txt = Access denied

If you are a user of the program Everything you can "see" all files and folders (Filename/Path/Size/Date, ...) but the read-protection is still active
But the main job of Pumpernickel (now: FIDES) is not to hide files/folders, but to read and write-protect them.
And it is doing it as advertised

---------
With the previous version it was possible to modify file-attributes and ACL in blacklisted folders.
This new version now has additional protection.
Blacklisted files/folders:
Modifying file-attributes = Denied
Modifying ACL = Denied

 

thank you for detailed information
i used latest Pumpernickel and ini file.