Bouncer (previously Tuersteher Light)

Haven't tried silent rules yet. Just want your approval guys.

Code:

[BLACKLISTREAD]
$*explorer.exe>T:*
$*wininit.exe>T:*
$*svchost.exe>T:*
$*SearchIndexer.exe>T:*
$*360WangPan.exe>T:*
$*Cloud.exe>T:*
$*chrome.exe>T:*
$*HDSentinel.exe>T:*

Edit:
I've been testing above rules and they seem to work, yet a line still showing in the log file:

Code:

*** excubits.com beta ***: 2016/08/02_10:26 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
*** excubits.com beta ***: 2016/08/02_10:26 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
*** excubits.com beta ***: 2016/08/02_10:26 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
*** excubits.com beta ***: 2016/08/02_10:27 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
*** excubits.com beta ***: 2016/08/02_10:27 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
*** excubits.com beta ***: 2016/08/02_10:27 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
*** excubits.com beta ***: 2016/08/02_10:37 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
*** excubits.com beta ***: 2016/08/02_10:37 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
*** excubits.com beta ***: 2016/08/02_10:37 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
*** excubits.com beta ***: 2016/08/02_10:37 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
*** excubits.com beta ***: 2016/08/02_10:37 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
*** excubits.com beta ***: 2016/08/02_10:37 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information

 

Maybe SearchIndexer.exe is also tryin to do write operation. Try to add a Silent Rule for blacklist write operation.

 

Thank you very much, it worked.

 

You're welcome. I think logs should better show what was logged, write or read operation. It is difficult to distinguish difference here. Besinde that Pumpernickel works mint on my machine. Well, I think about a scenario where I just use Bitlocker and Pumpernickel, so I do not need TrueCrypt anymore. External backup drives could be made writeable only for my backup tool.

 

I thought about it yesterday too.
Maybe an added R or W for indication of Read / Write-attemps.
MZWriteScanner for example is adding an W: for writing of executables in the log:

Code:

*** excubits.com demo ***: 2016/08/02_04:12 > W:C:\Windows\System32\taskhost.exe > ...

It would be much clearer if Pumpernickel can add such an indication.

 

here my ruleset that i get from 700 mb log
but will not fit in demo version


post edited

 

@co22 Some of those can be condensed a bit as well as still being secure and strict. For example:

Code:

[WHITELISTMODIFY]
C:\Windows\explorer.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
C:\Windows\explorer.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
C:\Windows\explorer.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
C:\Windows\explorer.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db

Code:

[WHITELISTMODIFY]
C:\Windows\explorer.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_??*.db

Anyway, I am in a hurry at the moment so I just took a brief look at the top of your rules, but I am sure that there are other areas that can be condensed a bit more. I will have a more thorough look later in the day to find some more ways to help condense your rules with wildcards while still remaining strict and secure control over the system. Your rule set is fantastic, by the way.

 

thank you for looking in to it.also i think must of rule in whitelist need Priority rule
since i added *>* at the end of blacklist rule
myself tried to condensed it but it still need many more to fit in demo
thank you

edit:some other log that iforgot to add

Spoiler: other

C:\Windows\System32\svchost.exe > C:\PROGRA~1
C:\Windows\System32\svchost.exe > \\?\Volume*
C:\Windows\System32\svchost.exe > \Device\HarddiskVolumeShadowCopy*\
C:\Windows\System32\svchost.exe > C:\$Extend\$ObjId
C:\Windows\System32\svchost.exe > C:\System Volume Information\tracking.log
C:\Windows\System32\svchost.exe > C:\Windows\debug\WIA\wiatrace.log
C:\Windows\System32\svchost.exe > C:\Windows\inf\setupapi.ev1
C:\Windows\System32\svchost.exe > C:\Windows\inf\setupapi.ev2
C:\Windows\System32\svchost.exe > C:\Windows\inf\setupapi.ev3
C:\Windows\System32\svchost.exe > C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
C:\Windows\System32\svchost.exe > C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
C:\Windows\System32\svchost.exe > C:\Windows\servicing\Packages
C:\Windows\System32\svchost.exe > C:\Windows\setupact.log
C:\Windows\System32\svchost.exe > C:\Windows\setuperr.log

 

The blacklist has more priority than the whitelist.
If you blacklist all with *>* , your whitelist has no effect without priority rules.

 

I spoke too soon. Either one or the other won't work, FIDES keeps logging block events:

Pumpernickel.ini

Code:

[LETHAL]
[LOGGING]
[WHITELISTMODIFY]
!C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
!C:\Program Files\Jotta\jotta.exe>T:*
[BLACKLISTMODIFY]
*>T:*
$*SearchIndexer.exe>T:*
[WHITELISTREAD]
!C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
!C:\Program Files\Jotta\jotta.exe>T:*
!C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe>T:*
!C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe>T:*
[BLACKLISTREAD]
*>T:*
$*explorer.exe>T:*
$*wininit.exe>T:*
$*svchost.exe>T:*
$*SearchIndexer.exe>T:*
$*360WangPan.exe>T:*
$*Cloud.exe>T:*
$*chrome.exe>T:*
$*HDSentinel.exe>T:*
[EOF]

Code:

[LETHAL]
[LOGGING]
[WHITELISTMODIFY]
!C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
!C:\Program Files\Jotta\jotta.exe>T:*
[BLACKLISTMODIFY]
*>T:*
!$*SearchIndexer.exe>T:*
[WHITELISTREAD]
!C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
!C:\Program Files\Jotta\jotta.exe>T:*
!C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe>T:*
!C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe>T:*
[BLACKLISTREAD]
*>T:*
!$*explorer.exe>T:*
!$*wininit.exe>T:*
!$*svchost.exe>T:*
!$*SearchIndexer.exe>T:*
!$*360WangPan.exe>T:*
!$*Cloud.exe>T:*
!$*chrome.exe>T:*
!$*HDSentinel.exe>T:*
[EOF]

 

I asked Florian about. There is order, you must first set $, then !. So silent rule char $ must be before priority rule char !. Also the more general rules with *>* must be after the specific priority rules (from what I have understood from Tuersteher Manual). I think it should look like:

Code:

[LETHAL]
[LOGGING]
[WHITELISTMODIFY]
!C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
!C:\Program Files\Jotta\jotta.exe>T:*
[BLACKLISTMODIFY]
$!*SearchIndexer.exe>T:*
*>T:*
[WHITELISTREAD]
!C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
!C:\Program Files\Jotta\jotta.exe>T:*
!C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe>T:*
!C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe>T:*
*>T:*
[BLACKLISTREAD]
$!*explorer.exe>T:*
$!*wininit.exe>T:*
$!*svchost.exe>T:*
$!*SearchIndexer.exe>T:*
$!*360WangPan.exe>T:*
$!*Cloud.exe>T:*
$!*chrome.exe>T:*
$!*HDSentinel.exe>T:*
*>T:*
[EOF]

Dont have the time to fully test it. Will do more tests tomorrow...

Btw, what is "360WangPan.exe" ? All I can find on google is malware related, makes me curious....

 

You don't have to. I'm quite grateful with your kind help... That said I can run tests due it is my problem. Thank you very much.

 

If the silent rules are at the end, Pumpernickel never reaches them because of the previous block-rule *>T:*

 

Got it. Thanks once again.

 

Bouncer is officially (or at least internal build) future proof! Or I suppose I should say Anniversary Update compatible, etc. Bouncer with SHA-256 Microsoft Windows cert along with Silent Rules should be released as stable build within the next week or so as long as internal testing continues to be solid. I am able to successfully run Bouncer with Windows 10 Anniversary Update and keep Secure Boot on. This will likely land on the other drivers soon as well depending on whatever additional costs Microsoft adds, still a little bit murky there.

 

@WildByDesign

Thx, good news. Do you have any info when MemProtect and Pumpernickel will come out of Beta.

I have been running MemProtect since March this year without issues (I am playing with Pumpernickel my desktop occasionaly, because it is on a test image).

 

@Windows_Security You're welcome. That's a very good question and I actually spoke to Florian recently about that. I've been running MemProtect as well for many months and have experienced zero issues with it and it's proven itself to be very efficient and stable. Without a doubt, I would suggest that MemProtect moves forward as a stable build. Pumpernickel/FIDES has proven it's stability as well, although it's still in development with the addition of features here and there.

For whatever reason, Florian had suggested to me that MemProtect is complete as far as development goes and said that it is released "as is". In my opinion, I think that MemProtect deserves more attention. And I don't necessarily mean development attention specifically, but more like recognition that a stable/final release would signify. I just think that it has so much potential.

 

Oh I missed this one... It's a cloud service where I backup important files for me, you know software related only as I am a PC technician. That's the main exe and this is the website: yunpan.360.cn

 

Will MemProtect get support for silent rules?
I always get the same messages over and over again (sometimes 50 messages in a row), but with silent rules i could reduce it to a minimum.

 

I believe so, yes. But I will talk to Florian to confirm. Generally once he's developed something new with regard to kernel level filtering in one driver, it is relatively easy for him to make those same changes across his other kernel drivers since they follow a similar coding structure.

 

Pumpernickel: Indicator of Read/Write-Attemps in the logfile
I emailed them about it and this functionality will be added in a future version.
Because many users requested it and they (Excubits) find it useful.

Maybe this is old news :
As you already know, the beta-version of Bouncer is limited (even for those who paid for Bouncer)
But if the user requested an unlimited beta, he may get one.
Now, "unlimited beta's" are further restricted. They are time-limited, and after a few thousand events it is switching to [#LETHAL] and is not protecting anymore.
Edit: If the user has a licensed version of Bouncer, the user can get an unrestricted beta.

 

I can confirm, they also told me.

Have you paid for Bouncer? I always got unlimited beta version from Florian. No restriction for people who licensed.

From what I know this is true for version for people who do not paying for a full version, but want to test more details of drivers and need more space in ini-file. As said above: as far as I know: if you have licensed full version, Florian always provides great customer support. I thinking it is normal to support the people who paid for full license more, and those who just want free editions must live with restrictions, otherwise it would be not fair for the customers who paid.

 

I asked them explicitly about beta-versions for users who paid for Bouncer. Then they told me that the beta-version (for paid users) is restricted
"Yes, we offered unlimited beta's of Bouncer in the last time. But now if we create an unlimited beta (if the user wishes one), it is restricted"

Maybe they changed their mind and don't provide unlimited beta's (without any restriction) anymore
Edit: If the user has a licensed version of Bouncer, the user can get an unrestricted beta.

 

Would anyone be so kind to explain to me, what Bouncer, Pumpernickel and MemProtect can do for me?
Going through ~1400 posts is a bit heavy, for me....
What advantage would there be over HMP.A, if any?

 

Bouncer/Türsteher: is an lightwise anti exe supporting sha256 hashing, parent process checking (who want to start which exe), and command line filtering (for example you can limit wscript only executing scriptin files from locations you trusting).

Pumpernickel: is something like SecureFolders tool, you can protect files and folders from access from applications. For example you can tell Pumpernickel to allow only MS Word to open .doc/.docx files, no other application is able to open (read or write) doc anymore. So you can protect against spyware or trojan trying to access (and manipulate) your files, etc. Should also protect against pesky cryptolockers if you configurate the tool right.

MemProtect: secures memory access from and to processes. You can limit what web browser is allowed to access, so it is possible to block exploits to spread and inject code into other running processes.

For all of Excubit's solution: they are extremely small, fast and no Ads or spyware in there. on the other side (call it drawback) they are a bit raw in using. You need to be expert and know what you are doing, because this tools are configurated using simple .ini files. I thinks this can be drawback and closes out some users, who like to do all configuration using GUIs. Not the case with Excubit's Tools, but on the other side they are beautifully small, and fast as hell. And as they note on their web-page free of telemetry stuff (backlink to Excubits or other severs). If you a dataprotection lover, Excubits is the right company I guess

But as you are use HMP.A 3.5 build 548-beta, Sandboxie 5.12 I think you already have good protection barrier. Another additional tool may be too much (overkill) - my opinion if you ask.