Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I should be good then since I have the paid version. Disregard my previous post. I was just seeing if I got the same warning as Kid Shamrock did for testing purposes.
     
  2. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Same with my Chrome. Seems to be a false positive: the executable signature is valid, no changes in the binary. Also checked the content of the RARed file: it seems to be the same content as a demo version I downloaded some months ago.
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    It appears as though Florian has now compiled an updated build of the Bouncer Demo which was being falsely flagged by AV. According to the product page "Binaries last updated on 2017/07/01".

    Download: https://excubits.com/content/en/products_bouncer.html

    I can confirm that it is no longer blocked by Google's safe browsing mechanisms. :thumb:

    EDIT: Paid Bouncer build updated as well.

    EDIT2: It appears that Florian has had to rewrite the installer binary and the uninstaller binary that is included within the overall install package. I assume that is what was causing the AV false flags. So whatever the issue, it has been resolved.
     
    Last edited: Jul 3, 2017
  4. guest

    guest Guest

    There are far fewer detections with the new release. These files were changed (in comparison with the last release):
    Code:
    Install.exe
    License.html
    Manual.pdf
    Uninstall.exe
    Btw.: The manual is brand new - Version 2.5.0 (June 2017)
    :thumb:
     
  5. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
  6. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    Haven't really used Excubits products (currently use SpyShelter Firewall and NVT ERP), but am going to take a look. I understand what the various drivers do, but can't see the point of CommandLineScanner, given that Bouncer seems to do the same and more. Can someone list the differences between Bouncer and CommandLineScanner?

    Given that the drivers don't have an Allow/Deny alert dialog that pops up, is the best way to configure them to run in logging mode for a week or so, and then analyse the logs for rule creation?

    @WildByDesign - as you seem to be one of the original adopters and advocates of Excubits products, can I ask why you don't use Pumpernickel (FIDES)? I'm considering using Bouncer, MemProtect and FIDES.
     
    Last edited: Jul 8, 2017
  7. guest

    guest Guest

    CommandLineScanner is for people who only need the scanning of command-lines.
    Bouncer can achieve the same, but it has more features ("Bouncer seems to do the same and more.")
    So, if the user needs "more features", Bouncer can be installed. If only scanning of command-lines is needed, CommandLineScanner can be used (which also costs less).

    CommandLineScanner wasn't always a part of Bouncer. It has been integrated into Bouncer in Jan/Feb 2016
     
  8. guest

    guest Guest

    64-bit versions of the Tray and Admin Tool are available in the Beta Camp:
     
  9. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    This is great. Working well, like the other beta drivers.
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Blocking Windows 10 Fall Creators Update App Installations with Bouncer
    *referring to the junk such as Candy Crush, Facebook, Twitter, etc.

    With RS3, all of the previous tools such as Winaero Tweaker and OOShutUp10 no longer work to block the auto-installation of junk apps that come into your user account after installing Windows 10 Fall Creators Update. I've tried everything to block it, including registry tweaks and group policy changes. Nothing works. But thankfully, Bouncer has saved the day! :thumb:

    Code:
    [BLACKLIST]
    #   Content Delivery Manager
    C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\*
    [PARENTBLACKLIST]
    #   Content Delivery Manager
    $C:\Windows\System32\backgroundTaskHost.exe>C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\ContentDeliveryManager.Background.dll
    C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\*>*
    *>C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\*
    [CMDBLACKLIST]
    #   Content Delivery Manager
    *C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\*>*
    *>*C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\*
     
  11. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    64-bit versions of the Bouncer TrayApp and AdminApp are released fully signed and can be used along with the full version and the demo. Also an additional option in the tray menu, B->Bouncer->Stop-Click-Start, which can be used to stop & start Bouncer faster.
     
  12. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Is this junk automatically started on Win10? So, only way to block is to set on blacklist?
     
  13. guest

    guest Guest

    Regarding all Excubits tools and the Fall Creators Update, there are no issues to expect.
    But it is recommended to disable the drivers temporarily before the system is updated:

    Windows 10 Update
    Excubits Tools and the Windows 10 Fall Creators Update
     
  14. guest

    guest Guest

    64-bit Tray Apps for Bouncer, Türsteher, MZWriteScanner and CommandLineScanner
    https://excubits.com/content/en/news.html
     
  15. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    One recent technique which I have been doing differently with Bouncer compared to before is implementing Florian's Blacklist as [PARENTBLACKLIST] instead of [BLACKLIST]. This has allowed me to have a tidier overall configuration combined with much easier control for overriding blockages for specific programs. Previously, I had to comment out certain entries from the blacklist entirely.

    Code:
    [PARENTWHITELIST]
    #   Some example parentblacklist overrides below:
    #
    #   Override Blacklist - Hyper-V Switch
    !*\Hyper-V Switch\*>C:\Windows\System32\bcdedit.exe
    #   Override Blacklist
    !C:\Program Files\Microsoft VS Code*\Code*.exe>C:\Windows\SysWOW64\reg.exe
    !C:\Program Files\Microsoft VS Code*\Code*.exe>C:\Windows\System32\reg.exe
    !C:\Program Files (x86)\Stardock\Fences\Fences.exe>C:\Windows\System32\icacls.exe
    [PARENTBLACKLIST]
    # Excubits Blacklist - Source: https://excubits.com/content/files/blacklist.txt
    # Converted for use with [PARENTBLACKLIST] instead of [BLACKLIST] for granular override control
    # Last Updated: 2017/06/19
    #
    *>*\AppData\Local\Temp\*.bat
    *>*\AppData\Local\Temp\*.cmd
    *>*\AppData\Local\Temp\*.com
    *>*\AppData\Local\Temp\*.exe
    *>*\AppData\Local\Temp\*.scr
    *>*\AppData\Local\Temp\*.sys
    *>*\AppData\Roaming\*.bat
    *>*\AppData\Roaming\*.cmd
    *>*\AppData\Roaming\*.com
    *>*\AppData\Roaming\*.exe
    *>*\AppData\Roaming\*.scr
    *>*\AppData\Roaming\*.sys
    *>*\at.exe
    *>*\Temp\*.zip*\*.exe
    *>*\Temp\*7z*\*.exe
    *>*\Temp\*rar*\*.exe
    *>*\Temp\*sfx\*.exe
    *>*\Temp\*wz*\*.exe
    *>*aspnet_compiler.exe
    *>*attrib.exe
    *>*auditpol.exe
    *>*bash.exe
    *>*bcdboot.exe
    *>*bcdedit.exe
    *>*bitsadmin*
    *>*bootcfg.exe
    *>*bootim.exe
    *>*bootsect.exe
    *>*ByteCodeGenerator.exe
    *>*cacls.exe
    *>*cdb.exe
    *>*csc.exe
    *>*csi.exe
    *>*debug.exe
    *>*DFsvc.exe
    *>*diskpart.exe
    *>*dnx.exe
    *>*eventvwr.exe
    *>*fsi.exe
    *>*hh.exe
    *>*IEExec.exe
    *>*iexplore.exe
    *>*iexpress.exe
    *>*ilasm.exe
    *>*InstallUtil*
    *>*InstallUtil.exe
    *>*journal.exe
    *>*jsc.exe
    *>*kd.exe
    *>*lxssmanager.dll
    *>*mmc.exe
    *>*mrsa.exe
    *>*MSBuild.exe
    *>*mshta.exe
    *>*mstsc.exe
    *>*netsh.exe
    *>*netstat.exe
    *>*ntsd.exe
    *>*odbcconf.exe
    *>*powershell.exe
    *>*powershell_ise.exe
    *>*PresentationHost.exe
    *>*quser.exe
    *>*rcsi.exe
    *>*reg.exe
    *>*RegAsm*
    *>*regini.exe
    *>*Regsvcs*
    *>*regsvr32.exe
    *>*RunLegacyCPLElevated.exe
    *>*runonce.exe
    *>*scrcons.exe
    *>*script.exe
    *>*sdbinst.exe
    *>*set.exe
    *>*setx.exe
    *>*Stash*
    *>*syskey.exe
    *>*systemreset.exe
    *>*takeown.exe
    *>*taskkill.exe
    *>*UserAccountControlSettings.exe
    *>*utilman.exe
    *>*vbc.exe
    *>*vssadmin.exe
    *>*windbg.exe
    *>*wmic.exe
    *>*xcacls.exe
    *>?:\$Recycle.Bin\*
    *>C:\ProgramData\Microsoft\Windows Defender\Scans\FilesStash\*
    *>C:\Users\Public\*
    *>C:\Windows\ADFS\*
    *>C:\Windows\debug\WIA\*
    *>C:\Windows\Fonts\*
    *>C:\Windows\PLA\Reports\*
    *>C:\Windows\PLA\Reports\de-DE\*
    *>C:\Windows\PLA\Rules\*
    *>C:\Windows\PLA\Rules\de-DE\*
    *>C:\Windows\PLA\Templates\*
    *>C:\Windows\Registration\CRMLog\*
    *>C:\Windows\servicing\Packages\*
    *>C:\Windows\servicing\Sessions\*
    *>C:\Windows\System32\Com\dmp\*
    *>C:\Windows\System32\FxsTmp\*
    *>C:\Windows\System32\LogFiles\WMI\*
    *>C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\*
    *>C:\Windows\System32\spool\drivers\color\*
    *>C:\Windows\System32\spool\PRINTERS\*
    *>C:\Windows\System32\spool\SERVERS\*
    *>C:\Windows\System32\Tasks\*
    *>C:\Windows\System32\Tasks_Migrated\*
    *>C:\Windows\SysWOW64\Com\dmp\*
    *>C:\Windows\SysWOW64\FxsTmp\*
    *>C:\Windows\SysWOW64\Tasks\*
    *>C:\Windows\Tasks\*
    *>C:\Windows\Temp\*
    *>C:\Windows\tracing\*
    #    Additional Blacklisted Binaries
    *>*sdclt.exe
    *>*scrobj.dll
    *>*scrrun.dll

    Therefore, I no longer have Florian's Blacklist in my actual [BLACKLIST] section and therefore my main [WHITELIST] section is quite minimal. Although I've kept my "Base System Rules" for whitelist and parentwhitelist sections out of this example just to keep the example smaller.
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Interesting, this may make Bouncer more usable by a noob (like me). ;)

    It would still be interesting to see your now 'minimal' [WHITELIST] ...
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Much easier now, in general, to make any exceptions while still keeping security tight.

    This is just based on my recent testing, therefore not entirely set in stone yet.

    Code:
    [WHITELIST]
    #   Base System Rules
    C:\Program Files (x86)\*
    C:\Program Files\*
    C:\Windows\*
    #    Trusted Process - The Toolbox
    D:\Tools\*
    #    DISM
    !??*\Temp\????????-????-????-????-????????????\DismHost.exe
    !??*\Temp\????????-????-????-????-????????????\*.dll
    #   Google Chrome - updates
    !C:\Windows\Temp\CR_?????.tmp\setup.exe

    Code:
    [PARENTWHITELIST]
    #    Override Blacklist - Hyper-V Switch
    !*\Hyper-V Switch\*>C:\Windows\System32\bcdedit.exe
    #    Override Blacklist
    !C:\Program Files\Microsoft VS Code*\Code*.exe>C:\Windows\SysWOW64\reg.exe
    !C:\Program Files\Microsoft VS Code*\Code*.exe>C:\Windows\System32\reg.exe
    !C:\Program Files (x86)\Stardock\Fences\Fences.exe>C:\Windows\System32\icacls.exe
    #   VS Code
    C:\Program Files*\Microsoft VS Code*\*>C:\Users\*\AppData\Local\Temp\vscode-update-???\*
    C:\Users\*\AppData\Local\Temp\vscode-update-???\*>*
    C:\Users\*\AppData\Local\Temp\vscode-update-???\*>C:\Users\*\AppData\Local\Temp\??-?????.tmp\CodeSetup*.tmp
    C:\Users\*\AppData\Local\Temp\??-?????.tmp\CodeSetup*.tmp>C:\Windows\*
    C:\Users\*\AppData\Local\Temp\??-?????.tmp\CodeSetup*.tmp>C:\Program Files*\*
    #   Base System Rules
    C:\Program Files (x86)\*>C:\Program Files (x86)\*
    C:\Program Files\*>C:\Program Files\*
    C:\Program Files\*>C:\Program Files (x86)\*
    C:\Program Files (x86)\*>C:\Program Files\*
    C:\Windows\*>C:\Windows\*
    C:\Windows\*>C:\Program Files (x86)\*
    C:\Windows\*>C:\Program Files\*
    C:\Program Files (x86)\*>C:\Windows\*
    C:\Program Files\*>C:\Windows\*
    #    Trusted Process - The Toolbox
    D:\Tools\*>*
    C:\Windows\explorer.exe>D:\Tools\*
    C:\Windows\System32\*>D:\Tools\*
    #    DISM
    !??*\Temp\????????-????-????-????-????????????\DismHost.exe>??*\Temp\????????-????-????-????-????????????\*.dll
    !??*\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\*.dll
    !C:\Windows\System32\*>??*\Temp\????????-????-????-????-????????????\DismHost.exe
    #   Google Chrome
    !C:\Program Files (x86)\Google\*>C:\Windows\Temp\CR_?????.tmp\setup.exe
    !C:\Windows\Temp\CR_?????.tmp\setup.exe>C:\Windows\Temp\CR_?????.tmp\setup.exe

    Keep in mind that my blacklist has a rule to block C:\Windows\Temp\*, but the changes to my parent process control also allow me to easily create more granular parentwhitelist allow/exception rules and parentblacklist specific/targeted blockages.

    Basically, I had a super large, elaborate Bouncer.ini for quite some time and had no need to make any changes based on my usage. But recently, I decided to start my Bouncer.ini from scratch, keeping things more simple (hopefully) and then at some point when it's more complete I can share the ruleset with others once I do more testing. So I am still in the beginning stages and have more parentwhitelist rules to add.
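    The precedence these sections rely on (a blacklist hit beats a plain whitelist hit, a whitelist rule prefixed with `!` beats the blacklist, and the same logic applied to `parent>child` pairs in the [PARENT*] sections) can be modelled in a few lines to check a rule set before loading it into the driver. The script below is an added example written for this page, not Excubits' code and not from any post here; it covers the override pattern in this post and the previous one and would apply equally to the Content Delivery Manager rules in post 10. Its semantics are assumptions drawn from the quoted rules rather than a specification of Bouncer: `*` matches any run of characters, `?` exactly one, paths compare case-insensitively, every section is deny-by-default (which is why the Base System Rules pairs are needed), and `$`-prefixed lines and the [CMD*] sections are skipped. The rule set, the parent/child events and the log line it parses are constructed for the example; the log parser handles the `parent > child args` form quoted later in the thread.

```python
"""Added example (not Excubits' code): a model of the Bouncer-style rule
precedence used in this thread.  Assumed semantics: '*' = any run of characters,
'?' = one character, case-insensitive, deny-by-default per section, a blacklist
hit beats a plain whitelist hit, a '!' whitelist rule beats the blacklist.
'$'-prefixed lines and [CMD*] sections are skipped."""
import re
from dataclasses import dataclass


def _glob(pattern: str):
    """Translate a Bouncer-style path glob into an anchored, case-insensitive regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE)


@dataclass(frozen=True)
class Rule:
    text: str
    priority: bool   # leading '!': whitelist entry that overrides the blacklist
    parts: tuple     # one regex for image rules, (parent, child) for parent rules

    @classmethod
    def parse(cls, line: str) -> "Rule":
        priority = line.startswith("!")
        body = line[1:] if priority else line
        return cls(line, priority, tuple(_glob(p) for p in body.split(">", 1)))

    def matches(self, *values: str) -> bool:
        return len(values) == len(self.parts) and all(
            rx.match(v) for rx, v in zip(self.parts, values))


def parse_ini(text: str) -> dict:
    """Parse the [SECTION] / rule / '#' comment layout of a Bouncer.ini."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            sections.setdefault(current, [])
        elif current is not None and not line.startswith("$"):
            sections[current].append(Rule.parse(line))
    return sections


def _decide(whitelist: list, blacklist: list, *values: str) -> tuple:
    hits = [r for r in whitelist if r.matches(*values)]
    if any(r.priority for r in hits):
        return "allow", "priority whitelist"
    blocked = [r for r in blacklist if r.matches(*values)]
    if blocked:
        return "block", "blacklist " + blocked[0].text
    if hits:
        return "allow", "whitelist " + hits[0].text
    return "block", "not whitelisted"


def evaluate(rules: dict, parent: str, child: str) -> tuple:
    """Verdict for `parent` starting `child`: image rules first, then the parent pair."""
    verdict, why = _decide(rules.get("WHITELIST", []), rules.get("BLACKLIST", []), child)
    if verdict == "block":
        return verdict, "image: " + why
    verdict, why = _decide(rules.get("PARENTWHITELIST", []),
                           rules.get("PARENTBLACKLIST", []), parent, child)
    return verdict, "parent: " + why


_LOG = re.compile(r"^(?P<parent>.+?)\s*>\s*(?P<image>.+?\.exe)(?:\s+(?P<args>.*))?$",
                  re.IGNORECASE)


def parse_log_line(line: str) -> tuple:
    """Split a 'parent > child [args]' log line (heuristic: the child image ends at
    the first '.exe')."""
    m = _LOG.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m["parent"], m["image"], m["args"] or ""


# Constructed rule set, pared down from the sections quoted in this thread.
SAMPLE_INI = r"""
[WHITELIST]
C:\Program Files (x86)\*
C:\Program Files\*
C:\Windows\*
!C:\Windows\Temp\CR_?????.tmp\setup.exe
[BLACKLIST]
C:\Windows\Temp\*
[PARENTWHITELIST]
!C:\Program Files\Microsoft VS Code*\Code*.exe>C:\Windows\System32\reg.exe
!C:\Program Files (x86)\Google\*>C:\Windows\Temp\CR_?????.tmp\setup.exe
C:\Windows\*>C:\Windows\*
C:\Windows\*>C:\Program Files\*
C:\Program Files\*>C:\Windows\*
[PARENTBLACKLIST]
*>*reg.exe
*>*powershell.exe
*>*\AppData\Local\Temp\*.exe
$C:\Windows\System32\backgroundTaskHost.exe>C:\Windows\SystemApps\Example.dll
"""
RULES = parse_ini(SAMPLE_INI)

EVENTS = [  # constructed (parent, child) pairs; paths are illustrative
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\reg.exe"),
    (r"C:\Program Files\Microsoft VS Code\Code.exe", r"C:\Windows\System32\reg.exe"),
    (r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     r"C:\Windows\Temp\CR_A1B2C.tmp\setup.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\Temp\dropper.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Users\bob\AppData\Local\Temp\dropper.exe"),
]

if __name__ == "__main__":
    for parent, child in EVENTS:
        print(evaluate(RULES, parent, child), parent, "->", child)
```

    Run it directly to get one verdict per event. The property worth checking is that the VS Code override allows reg.exe only when Code.exe is the parent, while the same child under explorer.exe still hits `*>*reg.exe`, and that the `!` whitelist line for the Chrome updater punches through the `C:\Windows\Temp\*` blacklist only for that exact path shape.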
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @WildByDesign This is surely not entirely unrelated to what @Windows_Security (Kees) had in mind (discussed on MT), though I think he was thinking a common ruleset using several of Florian's drivers, not just Bouncer?
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @paulderdash Indeed, Kees was thinking about a common ruleset that would work across many users systems with three or four of the Excubits' drivers combined.
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
  22. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    New version work fine. Also the Stop-Click-Start button is nice feature and absolutely makes sense in some of my scenarios. Not a big feature, but nice.

    Btw: I currently encounter log entry for this often

    Code:
    C:\Windows\System32\CompatTelRunner.exe > C:\Windows\system32\rundll32.exe C:\Windows\system32\GeneralTel.dll,RunGeneralTelemetry 
    Does anyone know what this GeneralTel.dll,RunGeneralTelemetry is?
     
  23. guest

    guest Guest

    The DLL "GeneralTel.dll" has 8 exports, and one exported function is RunGeneralTelemetry; this function is executed.
    It is doing "telemetry related things" or something similar.

    CompatTelRunner.exe (File Desc.: Microsoft Compatibility Telemetry)
    GeneralTel.dll (File Desc.: General Telemetry)
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Updated blacklist for Bouncer (Last Updated: 2017/11/19)
    Code:
    https://excubits.com/content/en/files/blacklist.txt
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    :thumb:
     