Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Zorak

    Zorak Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    182
    Location:
    Australian Capital Territory
    Thanks for the reply. See my sig: 64-bit Win10 Pro, Win Defender, Pumpernickel - I like to keep things simple. The warnings occur in both standard user account and admin account. All other balloons and functions are operating as expected.

    I converted the new tray tools for use with Pumpernickel and the same behaviour occurred with it too. If I can't figure things out I'll send Florian an email and see what he says.
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I personally have not seen this or heard of it before.

    When you upgraded your tray tools, did you remove/delete all of the previous files of the older tray tool first? (Just ensuring you have a clean start with the new one).

    Aside from this incorrect state error, does the tray tool still function correctly to Start, Stop, Install Mode, etc.?

    One temporary solution, as long as everything else is working correctly, might be to use the "nopopups" (without quotes) command line argument in your startup shortcut or scheduled task (whichever you use to start the tray tool) for now until Florian gets back to you.
     
  3. Zorak

    Zorak Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    182
    Location:
    Australian Capital Territory
    I've uninstalled, re-booted, then re-installed and re-booted several times, using the provided uninstall utility as well as doing it manually. All other tray functions work correctly and Bouncer itself works correctly. No lives are being lost, it is just an annoyance to have this balloon pop-up every 30 minutes!

    Thanks for your suggestions, but I've gone back to the old tools for now and will contact Florian for further advice.
     
  4. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    There is a string in the locales file:
    Code:
    notifyNonLethalTitlePart1|Attention:
    notifyNonLethalTitlePart2|in simulation mode
    notifyNonLethalText|has been in simulation mode for some time. You are not protected!
     
  5. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe

    Have you reported it to Excubits? They have released a new version and mentioned your bug in their newsletter. :)
     
  6. guest

    guest Guest

    Updated installer and tray application
    New binaries for Bouncer and Türsteher
    https://excubits.com/content/en/news.html
     
  7. Zorak

    Zorak Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    182
    Location:
    Australian Capital Territory
    Woo-hoo! - I'm famous :D I reported it on the 16th, so for it to be fixed by the 21st is excellent. Thank you Florian if you are listening :thumb:
     
  8. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    My current Bouncer Demo config:

    [#INSTALLMODE]
    [LETHAL]
    [LOGGING]
    [#SHA256]
    [#CMDCHECK]
    [WHITELIST]
    !C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe>C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe
    !C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe>C:\Windows\System32\*.dll
    !C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe>C:\Windows\System32\*.drv
    !C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe>C:\Windows\WinSxS\amd64_microsoft.windows.comm*\comctl32.dll
    !C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe>C:\Windows\WinSxS\amd64_microsoft.vc90.crt*\msvcr90.dll
    !C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe>C:\Program Files\*\*.dll
    !C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe>C:\Program Files (x86)\*\*.dll
    !C:\Program Files (x86)\SpeedFan\speedfan.exe>C:\Users\User\AppData\Local\Temp\sfa*00001.dll
    !C:\Program Files (x86)\Skype\Phone\Skype.exe>C:\Program Files (x86)\Skype\Phone\Skype.exe
    C:\WINDOWS\*
    C:\Program Files (x86)\*
    C:\Program Files\*
    C:\Program Files (x86)\Excubits\Bouncer\*
    C:\Windows\explorer.exe>*\Start SpeedFan.bat
    [BLACKLIST]
    *chrome.exe>*
    *Mailbird.exe>*
    *Skype.exe>*
    *SkypeBrowserHost.exe>*
    !*.lib
    !*.lnk
    !*~*.*
    !C:\Program Files\UNP\Logs\*
    !C:\Program Files (x86)\Google\Chrom*\Application\SetupMetrics\*
    !*bitsadmin*
    !*Regsvcs*
    !*RegAsm*
    !*InstallUtil*
    !*lpkinstall*
    !*LxssManager.dll
    !*Stash*
    !*system.management.automation.dll
    !?:\$Recycle.Bin\*
    !C:\ProgramData\Microsoft\Windows Defender\Scans\FilesStash\*
    !C:\Users\Public\*
    !C:\Windows\$FORENSICS\*
    !C:\Windows\ADFS\*
    !C:\Windows\debug\WIA\*
    !C:\Windows\Fonts\*
    !C:\Windows\PLA\Reports\*
    !C:\Windows\PLA\Reports\de-DE\*
    !C:\Windows\PLA\Rules\*
    !C:\Windows\PLA\Rules\de-DE\*
    !C:\Windows\PLA\Templates\*
    !C:\Windows\Registration\CRMLog\*
    !C:\Windows\servicing\Packages\*
    !C:\Windows\servicing\Sessions\*
    !C:\Windows\System32\Com\dmp\*
    !C:\Windows\System32\FxsTmp\*
    !C:\Windows\System32\LogFiles\WMI\*
    !C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\*
    !C:\Windows\System32\spool\drivers\color\*
    !C:\Windows\System32\spool\PRINTERS\*
    !C:\Windows\System32\spool\SERVERS\*
    !C:\Windows\System32\Tasks\*
    !C:\Windows\System32\Tasks_Migrated\*
    !C:\Windows\SysWOW64\Com\dmp\*
    !C:\Windows\SysWOW64\FxsTmp\*
    !C:\Windows\SysWOW64\Tasks\*
    !C:\Windows\Tasks\*
    !C:\Windows\Temp\*
    !C:\Windows\tracing\*
    [CMDWHITELIST]
    [CMDBLACKLIST]
    [EOF]

    Details:

    File size is 5008 bytes, 5118 is max size for demo version

    I've removed all .exe blacklist rules since I also use NVT Exe Radar Pro, also all appdata blacklist folders since C:\Users\X\Appdata is not allowed by default

    C:\Program Files (x86)\Excubits\Bouncer\* can also be removed since C:\Program Files (x86)\* is already included, I've left it cuz it was included by default

    I use accesschk and I've added
    !C:\Program Files\UNP\Logs\*
    !C:\Program Files (x86)\Google\Chrom*\Application\SetupMetrics\*
    as writable folders, Chrom* works for both Chrome and Chrome Beta folders, as I use a standard user account for daily activities

    !C:\Windows\$FORENSICS\*
    !C:\Windows\ADFS\*
    !C:\Windows\debug\WIA\*
    !C:\Windows\PLA\Reports\*
    !C:\Windows\PLA\Reports\de-DE\*
    !C:\Windows\PLA\Rules\*
    !C:\Windows\PLA\Rules\de-DE\*
    !C:\Windows\PLA\Templates\*
    folders are not writable by Users | Everyone | Authenticated Users | INTERACTIVE, or my user account is not CREATOR OWNER, or don't exist on my pc so they'll be the first rules to get removed if I need space for something else

    If I had unlimited space, I'd add every single even-remotely-possible exploitable .exe (like chrome.exe and Skype.exe) and only let it access processes and drivers (.dll/.drv/.sys) that it needs. Even with chrome I haven't explicitly defined everything, for example chrome checks winspool.drv, wdmaud.drv and msacm32.drv in the system32 folder, but I've written the rule as c:\windows\system32\*.drv to conserve space

    !*.lib
    !*.lnk
    I don't use these file extensions often so I block them (my shortcuts on the desktop work fine) but I might need them so I've left them associated just in case, which brings me to my unassociated file extension list (assoc .xxx=)
    Files with these extensions are incapable of doing anything since they're unassociated

    A3X
    ACTION
    ADE
    ADP
    APK
    APP
    BAS
    BIN
    CHM
    COM
    COMMAND
    CSC
    CSH
    DP
    GADGET
    HLP
    HTA
    INS
    INX
    IPA
    ISU
    ISP
    JAR
    JOB
    JS
    JSE
    KSH
    MDB
    MDE
    MST
    OCX
    OTF
    OUT
    PAF
    PCD
    PIF
    PRG
    PS1
    PS1XML
    PSC1
    PS2
    PS2XML
    PSC2
    REG
    RGS
    RUN
    SCR
    SCT
    SHB
    SHS
    SO
    U3P
    URL
    VB
    VBA
    VBC
    VBE
    VBS
    VBSCRIPT
    WS
    WSC
    WSF
    WSH
    XPI

    And here's a list of dangerous file extensions that are still associated:
    .application | (rundll32.exe)
    .bat | (cmd.exe)
    .cmd | (cmd.exe)
    .dll | Bouncer
    .drv | Bouncer
    .exe | EXE Radar Pro
    .cpl | (control.exe) (rundll32.exe)
    .crt | (rundll32.exe)?
    .inf | (notepad++.exe)
    .lib | Bouncer
    .lnk | Bouncer
    .msc | (mmc.exe)
    .msi | (msiexec.exe)
    .msp | (msiexec.exe)
    .sys | Bouncer

    Bouncer stops .dll/.drv/.sys from being used outside of C:\Windows, C:\Program Files and C:\Program Files (x86), Bouncer blocks .lib and .lnk, while the other file extensions all need .exe to run which NVT Exe Radar Pro is monitoring

    The above 2 lists are my collection of dangerous file extensions for Windows, have I missed something?

    !C:\Program Files (x86)\SpeedFan\speedfan.exe>C:\Users\User\AppData\Local\Temp\sfa*00001.dll
    required for speedfan to work

    C:\Windows\explorer.exe>*\Start SpeedFan.bat
    Start SpeedFan.bat is a simple .bat file in C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup that starts SpeedFan on start up; explorer.exe needs to be able to access it in order for it to start. I use *\ instead of specifying the folder since if another Start SpeedFan.bat somewhere else tries to run, it will use cmd.exe and NVT Exe Radar Pro will alert me, so no security hole here and it saves space

    !*~*.*
    this rule blocks 8.3 file names, only Revo Uninstaller Pro uses that on my pc which I turn off Bouncer for anyway

    NVT Exe Radar Pro also monitors command lines which is why
    [CMDWHITELIST]
    [CMDBLACKLIST]
    are empty, also any .exe that is running on my system is whitelisted by hash (as well as other criteria) so no need to use SHA256 in Bouncer, if the file changes NVT Exe Radar Pro will alert me

    I use OSArmor with everything checked including Advanced options, except cmd.exe and .bat scripts execution, just in case I missed something in Bouncer and NVT Exe Radar Pro (I doubt but you never know)

    I may post my MemProtect and Pumpernickel configs at a later time, to provide TRUE Lockdown (good luck malware)
     
    Last edited: Aug 26, 2018
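The config above mixes plain rules, `!` rules and `parent>child` rules in both lists, and it is easy to lose track of which rule actually decides a given event. The following audit script is an added example, not Excubits code and not part of the original post: it parses a subset of the posted config in the `[WHITELIST]`/`[BLACKLIST]` syntax shown in the thread and explains, for a constructed `parent > child` event, which rules match and what the verdict would be. The precedence it applies is inferred from how the posted config is meant to behave (a `!` rule in either list overriding plain rules in the other list, plain blacklist over plain whitelist, nothing matching meaning deny) and is an assumption, not Excubits' documented algorithm; where a `!` whitelist rule and a `!` blacklist rule both match, the script reports a conflict instead of guessing.

```python
"""Audit helper for Bouncer/Tuersteher-style whitelist/blacklist rules.

Added example, not Excubits code. Parses the rule syntax seen in the thread:
optional leading '!', optional 'parent>child', '*' and '?' wildcards.

ASSUMED precedence (inferred from the posted config, not from documentation):
  '!' rules in one list beat plain rules in the other list,
  plain blacklist beats plain whitelist, and no match at all means deny.
A '!' whitelist rule and a '!' blacklist rule matching the same event is
reported as CONFLICT rather than decided.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    section: str           # "WHITELIST" or "BLACKLIST"
    priority: bool         # True when the rule line starts with '!'
    parent: Optional[str]  # glob for the requesting process; None = any parent
    child: str             # glob for the file being executed or loaded
    text: str              # original line, kept for reporting

    def matches(self, parent_path: str, child_path: str) -> bool:
        # Windows paths are case-insensitive, so compare lower-cased strings.
        # fnmatchcase keeps behaviour identical on every host OS.
        if self.parent is not None and not fnmatchcase(parent_path.lower(), self.parent.lower()):
            return False
        return fnmatchcase(child_path.lower(), self.child.lower())


def parse_rules(config_text: str) -> List[Rule]:
    """Collect rules from the [WHITELIST] and [BLACKLIST] sections only."""
    rules: List[Rule] = []
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name == "EOF":
                break
            # '[#NAME]' is a disabled section in the posted config: ignore it
            section = None if name.startswith("#") else name
            continue
        if section not in ("WHITELIST", "BLACKLIST"):
            continue
        priority = line.startswith("!")
        body = line[1:] if priority else line
        parent, sep, child = body.partition(">")
        rules.append(Rule(section, priority, parent if sep else None, child if sep else body, line))
    return rules


def evaluate(rules: List[Rule], parent_path: str, child_path: str) -> Tuple[str, List[str]]:
    """Return (verdict, deciding rule lines) for one parent > child event."""
    hits = [r for r in rules if r.matches(parent_path, child_path)]
    pri_bl = [r.text for r in hits if r.section == "BLACKLIST" and r.priority]
    pri_wl = [r.text for r in hits if r.section == "WHITELIST" and r.priority]
    plain_bl = [r.text for r in hits if r.section == "BLACKLIST" and not r.priority]
    plain_wl = [r.text for r in hits if r.section == "WHITELIST" and not r.priority]
    if pri_bl and pri_wl:
        return "CONFLICT", pri_bl + pri_wl   # page does not settle '!' vs '!'
    if pri_bl:
        return "DENY", pri_bl
    if pri_wl:
        return "ALLOW", pri_wl
    if plain_bl:
        return "DENY", plain_bl
    if plain_wl:
        return "ALLOW", plain_wl
    return "DENY", []                        # default deny: nothing whitelisted it


# Constructed subset of the config posted above (rules copied from the post).
SAMPLE_CONFIG = r"""
[#INSTALLMODE]
[LETHAL]
[LOGGING]
[WHITELIST]
!C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe>C:\Windows\System32\*.dll
!C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe>C:\Program Files\*\*.dll
C:\WINDOWS\*
C:\Program Files (x86)\*
C:\Program Files\*
C:\Windows\explorer.exe>*\Start SpeedFan.bat
[BLACKLIST]
*chrome.exe>*
!*.lib
!*~*.*
!C:\Windows\Temp\*
[CMDWHITELIST]
[CMDBLACKLIST]
[EOF]
"""

# Constructed events (hypothetical file names) chosen to hit each precedence case.
CHROME = r"C:\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    (CHROME, r"C:\Windows\System32\ntdll.dll"),              # '!' whitelist beats plain blacklist
    (CHROME, r"C:\Program Files\Foo\helper.exe"),            # only plain blacklist matches
    (EXPLORER, r"C:\Windows\Temp\update.dll"),               # '!' blacklist beats plain whitelist
    (EXPLORER, r"C:\Windows\System32\calc.exe"),             # plain whitelist
    (EXPLORER, r"C:\Users\User\AppData\Local\Temp\x.exe"),   # nothing matches: default deny
    (EXPLORER, r"C:\PROGRA~1\Foo\app.exe"),                  # 8.3 name caught by !*~*.*
]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONFIG)
    for parent, child in SAMPLE_EVENTS:
        verdict, why = evaluate(rules, parent, child)
        print(f"{verdict:8} {parent} > {child}")
        for line in why:
            print(f"           because: {line}")
```

Running the script prints one verdict per event with the rule lines that produced it, which is the check to do before switching a rule set from simulation to lethal mode: any event you expected to be allowed that comes back DENY with an empty "because" list is missing a whitelist rule, and any CONFLICT line marks a `!`/`!` overlap whose outcome should be confirmed against the product documentation rather than assumed.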
  9. Zorak

    Zorak Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    182
    Location:
    Australian Capital Territory
    Excubits have updated their blacklist:

     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Awesome. Thanks.

    Congrats on your security config combo too! Nice.
     
  11. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    I'm not sure what's the point of all the *xxx.* rules, is it to not trick a user to run something like InnocentSong.mp3.exe ? Or is there actually a security hole somehow? After all, Florian's explanation on the appdata blacklist rules, even though it isn't whitelisted by default, is essentially that his customers are monkeys (can also be interpreted as "not-so-knowledgeable people") who don't know anything about temp folders - https://www.wilderssecurity.com/thr...-tuersteher-light.359127/page-72#post-2727663
    so it makes sense he'd add more "monkey-protection" to the blacklist. But this doesn't make much sense cuz there's the *txt.* rule, so I'm really curious about it. Perhaps I'll email him again about this as well

    For now, I'll rename *System.Management.Automation*.dll (I had already changed this rule by adding a *) to *System.Management.Automation* , I'll add *jscript*.dll* to the blacklist as well. Tlb extension is unassociated for me. I'll add MSPUB.exe as a vulnerable process in NVT Exe Radar Pro, which it already was in a sense, since I hadn't explicitly allowed it in the whitelist, whether it's added as a vulnerable process or not (action = ask) it would still ask me to run since it's not in the whitelist

    Also here's a comparison of the two lists, left is old one:
    https://i.lensdump.com/i/AA6dsA.png
    https://i.lensdump.com/i/AA6quM.png
    https://i.lensdump.com/i/AA6pTx.png
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Zorak Excellent, thank you for sharing.

    Here are a couple that I added recently to the blacklist that don't seem to be on the list yet.

    Code:
    *certutil.exe
    *Microsoft.Workflow.Compiler.exe

    I haven't shared any of my configs for a few months now. But the reason for that and why I love Bouncer, MemProtect, etc. so much is that I rarely ever have to make changes to my configs. I make changes maybe every 5-6 months. I've found that my own personal productivity has gone up significantly since I haven't had to play around with different security software or configurations for a long time now. It can be a very quiet (and efficient) setup as well once you've got your rules done properly based on your own system usage.
     
  13. guest

    guest Guest

    Would be nice if the new ones were bolded, so I don't have to do a lengthy comparison...
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,794
    Location:
    .
  15. guest

    guest Guest

  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I don't even use this yet, but am making and taking notes for when it comes onboard. Oh it's been tinkered here and there with releases but am at complete liberty to slowly layout a pace/add each Excubits driver/program once all things else applied are rule set.
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    +1
     
  18. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    So, I asked Florian yesterday and he answered me today. I guess cuz it's Sunday he rushed the answer, which is why it was literally half-German half-English (which is interesting considering his other emails were in good English, not Google-translator-translated English or "I barely know" English but like "I can speak almost fluently" English), so it's quite hard to understand what he meant since I don't speak German and it was mixed with English, like 3 words English then 2 words German then another 3 English etc. But basically he confirmed that those new *xxx.* rules are made to protect the user against tricks, like the *txt.* rule would be against something like InnocentTextFile.txt.exe. He also mentioned something about YouTube (perhaps files downloaded from YouTube downloaders or something like that?) but I couldn't translate what he meant, neither could the translator, so I guess it must be that. The new file extension rules seem just like what you'd get from those downloader sites or "convert pdf to doc" sites etc. So as long as "Hide extensions for known file types" is unchecked in Folder Options, we should be good to go.

    Funnily enough, I thought bouncer was an advanced product. I'd expect such "monkey-protection" rules to be included in something like Voodoo Shield where the software is meant for all kinds of users, not in Bouncer. At the very least, if not the users, at least the person setting up the bouncer rules should have enough knowledge to configure the rules in such a way that those silly rules aren't needed, but I guess Florian's observations are different

    The new *System.Management.Automation* and *jscript*.dll* have blocked a few things for me in the logs, so I added/changed a few more rules here and there. I have to stop Bouncer now if I want to use mmc.exe for something like services.msc, otherwise I get C:\Windows\System32\mmc.exe > C:\Windows\System32\jscript.dll and C:\Windows\System32\mmc.exe > C:\Windows\System32\jscript9.dll in the logs, for example. Another example, when you go afk and the ngen things start working, I got a few logs from mscorsvw into C:\Windows\assembly\NativeImages_v4.0.30319_32, such as C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe > C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\77e6d3e88fdeab615e328e8d2d4e5b2d\System.Management.Automation.ni.dll
     
  19. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    The rule for *System.Management.Automation* will definitely produce blocks when Windows runs its regular scheduled maintenance tasks.
    And so it is with many other rules. Rules are meant to be complemented with exceptions, that's how it works.
    As for what you call "monkey protection", please keep in mind that the ideal use for advanced security products like this is setting up a policy that protects unskilled users.
    Imagine you are the IT guy in the company, and you want to set up a policy that will work for the secretaries.
    Alternatively, you are the computer guru in your family, and you want a policy that works for your children and your grandma. :)
     
  20. guest

    guest Guest

    Living Off The Land Binaries And Scripts
    System hardening by blocking LOLBins- and Scripts
    https://excubits.com/content/en/news.html
     
  21. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    I'm currently using these additional rules to block Macros in Word:

    Code:
    # MS Macros disabled
    *vba?.DLL
    *vbe?.dll
    *msvbvm*.dll
    *msword.olb
    *stdole2.tlb
    I know, disabling Macros in general is better and is what I already did. But these rules are just in case :) Maybe it is helpful for others.
     
  22. guest

    guest Guest

    The blacklist has been updated. Mentioned in a new blog entry (2018/11/16)
    https://excubits.com/content/files/blacklist2.1.txt
    New processes, nothing else has changed:
    Code:
    *Advpack.dll
    *Appvlp.exe
    *Atbroker.exe
    *Bitsadmin.exe
    *Certutil.exe
    *CL_Invocation.ps1*
    *CL_Mutexverifiers.ps1*
    *Cmdkey.exe
    *Cmstp.exe
    *Control.exe
    *Cscript.exe
    *Diskshadow.exe
    *Dnscmd.exe
    *Dxcap.exe
    *Esentutl.exe
    *Expand.exe
    *Extexport.exe
    *Extrac32.exe
    *Findstr.exe
    *Forfiles.exe
    *Gpscript.exe
    *Ie4unit.exe
    *Ieadvpack.dll
    *Ieaframe.dll
    *Makecab.exe
    *Manage-bde.wsf*
    *Mavinject.exe
    *Mftrace.exe
    *Microsoft.Workflow.r.exe
    *Msconfig.exe
    *Msdeploy.exe
    *Msdt.exe
    *Mshtml.dll
    *msxsl.exe
    *Pcalua.exe
    *Pcwrun.exe
    *Pcwutl.dll
    *Pester.bat
    *Print.exe
    *Pubprn.vbs*
    *Regasm.exe
    *Regedit.exe
    *Register-cimprovider.exe
    *Regsvcs.exe
    *Replace.exe
    *Rpcping.exe
    *Rundll32.exe
    *Sc.exe
    *Schtasks.exe
    *Scriptrunner.exe
    *Setupapi.dll
    *Shdocvw.dll
    *Shell32.dll
    *Slmgr.vbs*
    *Sqldumper.exe
    *Sqlps.exe
    *SQLToolsPS.exe
    *SyncAppvPublishingServer.exe
    *Syncappvpublishingserver.vbs*
    *Syssetup.dll
    *te.exe
    *Tracker.exe
    *Url.dll
    *vsjitdebugger.exe
    *Wab.exe
    *Wscript.exe
    *Xwizard.exe
    *Zipfldr.dll
    
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,794
    Location:
    .
    @mood
    Thank you so much for doing a differences list. It's very useful.
     
  24. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,296
    Location:
    Europe
    The new additions are all taken from https://lolbas-project.github.io and https://github.com/api0cradle/LOLBAS/blob/master/LOLBins.md

    Microsoft.Workflow.r.exe should be Microsoft.Workflow.Compiler.exe

    It's also missing explorer.exe, Nltest.exe, OpenWith.exe, Psr.exe, Robocopy.exe and Winword.exe from the 2nd link above, as well as a ton of other exes that I've gathered from various sources, just so I can add them to my collection of vulnerable exes list. Which I don't use cuz with ERP and my settings every non-allowed exe is required to be allowed explicitly before running, thus everything is "vulnerable" so to speak, but nonetheless I cherish my collection
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    New blog post regarding Bouncer (and potentially other drivers in future)
    Link: https://excubits.com/content/en/news.html

    So it looks like this feature will hit Beta Camp soon and is quite interesting. This should make configuration much easier as well. This is something that other users had suggested and not something that I had ever personally thought of. But I really like the idea and look forward to it.
     