Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    :) Nice.

    On another note, are both of those drivers signed and ready to install? I always have some difficulty with the workaround that has to do with PatchGuard on my Windows 8. Thanks
     
    Last edited: Jun 21, 2015
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I agree, it would be great to see the functionality combined into one driver, one config to keep things simple. I know for sure that the command line scanning functionality will be added to Bouncer and actually has been added to internal testing builds. But I'm not sure about MZWriteScanner. I'm sure that the functionality could be added to the Bouncer driver and be turned On/Off within the config file. I am actually testing MZWriteScanner right now and it's quite impressive. I will talk with Florian about that once I have tested this a bit more.

    MZWriteScanner is free for private use and the 32-bit and 64-bit drivers are both digitally signed and the tray icon tool is also signed. It is not a true installer like the one with Bouncer. It's more of a self extracting executable at the moment. The self extracting executables are also signed.
    • Run self extracting program
    • Copy mzwritescanner.log from mzwritescanner_demo folder to the Windows directory
    • Depending on system architecture, go to 32-bit or 64-bit folder
    • Right-click on MZWriteScanner.inf and select Install
    • Use the start driver script or use admin cmd prompt to start/stop driver
    • Run the registrySignalCheck.exe program, this is tray icon tool
    The developer has future plans to add blocking to stop executables from actually writing to disk, based on how you configure it, and also plans to add a whitelisting engine as well. So this has the potential to become extremely powerful.

    From my understanding, the CommandLineScanner, on the other hand, is also free for private use but only 32-bit. The 32-bit driver is digitally signed. I believe that he initially had plans to license it to 64-bit users for around a $10 lifetime licence. But this functionality is supposed to be coming to Bouncer as well, so we will have to see. CommandLineScanner is able to control interpreters like PowerShell, Python, Java, etc.

    Anyway, back to my MZWriteScanner testing. I am enjoying it so far. When I download an executable within Chrome, the tray icon for MZWriteScanner alerts me immediately. Or when I copy an executable (or .sys, .dll, etc.) from one drive to another. It's wickedly fast at alerting. I can see a lot of potential here, especially when the whitelisting engine gets added and the functionality for blocking executables from writing to disk in the first place. I assume MZWriteScanner is similar to that EXE Watch program that has a discussion thread here at Wilders as well. Although that program is not digitally signed and I have no idea if it utilizes user-mode hooks. So far I am really liking the combination of Bouncer and MZWriteScanner and I can imagine MZWriteScanner functionality making Bouncer even stronger as it develops.
     
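    The install steps listed above, scripted as an added example (this is not code from the forum post or from the MZWriteScanner author). It assumes a folder layout of mzwritescanner_demo\x86 and mzwritescanner_demo\x64, a driver service name of mzwritescanner for start/stop, an INF install section named DefaultInstall, and registrySignalCheck.exe sitting in the extracted root; none of those names are given on the page, so adjust them to the real package. The one step it adds beyond the list is an Authenticode check of the driver and tray tool before anything is loaded, which answers the "are the drivers signed?" question directly rather than by trusting the download.

```powershell
# Added example: scripted version of the manual MZWriteScanner install steps.
# Folder names, service name and INF section name are ASSUMPTIONS (see lead-in).
#Requires -RunAsAdministrator
param(
    [string]$ExtractDir  = "$PSScriptRoot\mzwritescanner_demo",   # assumption
    [string]$ServiceName = 'mzwritescanner'                        # assumption
)
$ErrorActionPreference = 'Stop'

# 1. Pick the driver folder for this OS architecture (folder names assumed).
$archDir   = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
$driverDir = Join-Path $ExtractDir $archDir
$inf       = Join-Path $driverDir 'MZWriteScanner.inf'
$sys       = Get-ChildItem -Path $driverDir -Filter '*.sys' | Select-Object -First 1
if (-not $sys) { throw "No .sys file found in $driverDir" }
$trayTool  = Join-Path $ExtractDir 'registrySignalCheck.exe'         # location assumed

# 2. Verify Authenticode signatures before loading anything into the kernel.
#    64-bit Windows would refuse an unsigned driver anyway, but checking here
#    gives a clear error instead of an opaque driver-load failure, and also
#    covers the user-mode tray tool, which Windows would happily run unsigned.
foreach ($f in @($sys.FullName, $trayTool)) {
    $sig = Get-AuthenticodeSignature -FilePath $f
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for ${f}: $($sig.Status)"
    }
    Write-Host ("OK  {0}  signed by {1}" -f (Split-Path $f -Leaf), $sig.SignerCertificate.Subject)
}

# 3. Seed the log file in the Windows directory (step 2 of the list).
Copy-Item -Path (Join-Path $ExtractDir 'mzwritescanner.log') `
          -Destination (Join-Path $env:windir 'mzwritescanner.log') -Force

# 4. Same action as right-click > Install on the INF.
#    132 = 128 (use the INF's own directory as the source) + 4 (prompt for reboot only if needed).
Start-Process -FilePath 'rundll32.exe' `
    -ArgumentList "setupapi.dll,InstallHinfSection DefaultInstall 132 $inf" `
    -Wait -NoNewWindow

# 5. Start the driver (what the start-driver script / 'net start' does) and show its state.
sc.exe start $ServiceName | Out-Null
sc.exe query $ServiceName

# 6. Launch the tray icon tool.
Start-Process -FilePath $trayTool
```

    Keep the extracted folder on a path without spaces; rundll32 passes the INF path through to setupapi as the tail of the argument string and quoting it is unreliable. If step 5 reports that the service does not exist, the INF's service name differs from the assumed one; `sc.exe query type= driver` lists the installed drivers.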
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    @WildByDesign
    Thank you for your efforts and interesting comments.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Interesting. So far, from my initial brief testing, the tray icon turns red when alerting on, say (in my case), creating/moving a .sys file into the drivers directory. It seems it turns back GREEN when you delete that same newly introduced (and alerted on) file. Same with any .exe's, so yes, it's somewhat similar to the EXE Watch program. In addition to Bouncer, I can see potential also should the developer decide to offer it separately too and add blocking of writing to disk with white/blacklist functionality, as well as a nicely designed popup taskbar toast notification (maybe with some useful details, origin path, etc.).

    UPDATE: Per the tray icon's current alert method, it turns GREEN after checking the SHOW LOG.

    Also, I discovered a BUG. My right-click Context Menu sports a MOVE TO.... / COPY TO... function. On COPY TO....., when using the copy function, mzwritescanner picks up on it and the alert goes red, of course. HOWEVER, using the MOVE TO.... action, mzwritescanner FAILS to alert or log on the new introduction into the DRIVERS folder, and the file easily lands without notice.

    This is on my Windows 8 OEM 64-bit. Can anyone else confirm? I use FileChangeAlarm and it picks up and alerts to ANY file being either copied or moved to system directories, and it is what I used to confirm the MOVE TO.... context function that mzwritescanner fell silent on.
     
    Last edited: Jun 22, 2015
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Just to confirm, do you mean that you are right-clicking on a driver file, and while holding the right-click down dragging the file to the Drivers folder, and when you let go of the right-click, the context menu that shows with Move To, Copy To?

    I tried my best to reproduce that but it keeps alerting me, whether I choose Move To or Copy To. I will try a few different methods and will update my post if I can reproduce.

    EDIT: It is alerting me immediately, even before the UAC prompt comes up to confirm the file move. I will try some more things.
     
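    The Copy To / Move To comparison from the two posts above, as an added reproduction script (not code from either poster or from the MZWriteScanner author). It separates three cases that Explorer's context menu blurs together: a copy, a move within the same volume, and a move from another volume. The reasoning behind that split is my own, not something the thread establishes: on NTFS a move inside one volume is a rename (the file's data is never rewritten), while a cross-volume move is a copy followed by a delete, so a driver that watches writes of executable content could plausibly see the last two cases differently. The test file is a constructed 64-byte stub with only an MZ signature, on the assumption that the driver keys on that header; it is never a loadable image.

```powershell
# Added example: reproduce Copy To vs Move To into the drivers folder in three
# controlled cases, then show the tail of mzwritescanner.log.
# ASSUMPTIONS: $env:TEMP is on the system volume; the driver keys on the 'MZ'
# header; the log lives at %windir%\mzwritescanner.log (as in the install steps).
#Requires -RunAsAdministrator
param(
    [string]$DriversDir     = (Join-Path $env:windir 'System32\drivers'),
    [string]$OtherVolumeDir = ''   # e.g. 'D:\temp'; leave empty to skip the cross-volume case
)
$ErrorActionPreference = 'Stop'

function New-MzStub {
    param([string]$Path)
    # 64 bytes: 'MZ' signature followed by zero padding. Enough to look like a
    # PE header to a signature check, never a runnable or loadable image.
    $bytes = New-Object byte[] 64
    $bytes[0] = 0x4D; $bytes[1] = 0x5A
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    return $Path
}

function Invoke-Case {
    param([string]$Name, [scriptblock]$Action, [string]$Target)
    Write-Host "`n=== $Name ==="
    Write-Host 'Watch the MZWriteScanner tray icon, then press Enter to run this case...'
    $null = Read-Host
    & $Action
    $present = Test-Path $Target
    Write-Host ("Stub present in drivers dir: {0}" -f $present)
    # Remove the stub so every case starts from the same state (and so nothing
    # named *.sys is left behind in the drivers folder).
    if ($present) { Remove-Item -Path $Target -Force }
    Write-Host 'Stub removed; note whether the icon went red and whether it returned to green.'
}

$stamp  = Get-Date -Format 'yyyyMMddHHmmss'
$target = Join-Path $DriversDir "mzws_test_$stamp.sys"

# Case 1: Copy To. A brand-new file is written in the drivers folder.
$src1 = New-MzStub (Join-Path $env:TEMP "mzws_copy_$stamp.sys")
Invoke-Case -Name 'Copy To (same volume)' -Target $target -Action { Copy-Item -Path $src1 -Destination $target }
Remove-Item -Path $src1 -Force

# Case 2: Move To on the same volume. NTFS renames the file; no data is written (assumption).
$src2 = New-MzStub (Join-Path $env:TEMP "mzws_move_$stamp.sys")
Invoke-Case -Name 'Move To (same volume)' -Target $target -Action { Move-Item -Path $src2 -Destination $target }

# Case 3: Move To from another volume. Under the hood this is copy + delete.
if ($OtherVolumeDir -and (Test-Path $OtherVolumeDir)) {
    $src3 = New-MzStub (Join-Path $OtherVolumeDir "mzws_xvol_$stamp.sys")
    Invoke-Case -Name 'Move To (cross volume)' -Target $target -Action { Move-Item -Path $src3 -Destination $target }
}

# What the driver logged during the run, if the log is where the install steps put it.
$log = Join-Path $env:windir 'mzwritescanner.log'
if (Test-Path $log) { Get-Content -Path $log -Tail 20 } else { Write-Host "No log at $log" }
```

    If only case 2 goes unreported, the gap is the rename path rather than a bug in write detection, and a whitelisting or blocking engine built on the same driver would need to watch rename/set-information operations as well as writes. FileChangeAlarm, mentioned above as alerting on both copies and moves, is the natural cross-check for each case.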
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Is Florian working on, or is there a 64bit version of Command Line Scanner? The only one contained in the download was for 32bit machines.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Does this mean he has already completed the CommandLineScanner for 64bit machines, or is he still working on it?
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I just sent a quick note to Florian to confirm. I will let you know.
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I got some more details from Florian.


    The first part, I was asking about when Command Line Scanner functionality will be added to Bouncer driver. So the good news is that is still the plan. But it may take some time.

    The second part, I was asking about pricing for the 64-bit Command Line Scanner driver only. So for consumer use, if a user wants to use Command Line Scanner on 64-bit systems right now, it's $15/€15, which would be a lifetime licence. This would be for more hardcore users. Alternatively, we can wait until the functionality makes its way to Bouncer.

    I have been talking with Florian recently about having some sort of "community" approach behind Bouncer to help take some of the weight off of his shoulders so that he can focus more on development, since documentation and other things take away quite a bit of time. I have always seen a tremendous amount of potential behind his various drivers. Especially with all of the crypto malware and things like that lately. I'm not sure if a Wiki or anything like that would be beneficial. I have some ideas anyway but I have to plan things out a bit more with more of a strategy before I put too much into it.
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    @WildByDesign
    Thank you once again for your support, this is great news sir.
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you for checking with Florian for me! Dan has the same problem with XP, he can't get the command lines for XP without having to use a work around that sometimes causes high resource usage. Maybe Florian, and Dan can work together to figure that one out.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I received a reply from Florian for the debug logs I sent him for the unknown executable code alerts. Below was his reply. For everyone's information the Drive Florian is talking about is not a network drive.

    Well, I installed Bouncer on another Windows 7 x64 machine, and I have the same problem on that machine as well. Many unknown executable code alerts for installers I have stored on an external hard drive. It has a different external hard drive connected to it, and this computer was recently reformatted. It could possibly be some firmware for my ASUS mobo. I don't know what else to think.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    If you stop Bouncer driver when the Shield is Green, and then clear the log then Bouncer Shield turns Red when you start Bouncer again. It does on my machine anyways. Maybe it's a small bug.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks for that confirmation, Cutting_Edgetech. Small bug, yes, rather insignificant at this stage of its development going forward.

    I almost can't wait for that new day when Bouncer incorporates all the extras that will most certainly refine and polish this piece of good work for windows security.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I hope Florian removes the restart button in the Admin Tool. I don't understand why it is needed. Start, and Stop should work fine. What is the difference in Start, and Restart?
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I went ahead, and reported the possible GUI bug with the shield turning red to Florian.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm confident I figured out the unknown executable code alerts I was getting also. It took many hours of research to figure it out. I thought I was going to become a Windows System Expert before I discovered the problem. If I still do not receive any more alerts by tomorrow, then I will let Florian and the community know what was causing the alerts. I don't want to say anything yet in case I'm wrong, but I'm confident I discovered the cause.
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Thank you for your findings CE.
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Good job. Thanks for sharing :thumb:
     
  22. ParaNodes

    ParaNodes Registered Member

    Joined:
    Jul 15, 2003
    Posts:
    70
    Probably not a bug; if you read the dialog it says "log out of sync". Right-click the shield, open the log, then close it, and the shield returns to green.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Maybe Florian can change this behavior. I think it's worth reporting anyways in case it is a bug.
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    The Restart is essentially the same as Stop and Start as far as command lines go under the hood.

    Code:
    Start is:
    net start bouncer
    
    Stop is:
    net stop bouncer
    
    Restart is:
    net stop bouncer
    net start bouncer
    The problem is, a lot of people were not happy with having to Stop and then Start. So Restart came in to please those users as one button that essentially just did both. I see the redundancy there as well. I recall one user who had a good idea as well to combine the Start and Stop into one button, which would act depending on the current status of the driver which seems like a good idea as well.
     
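    The single Start/Stop button idea mentioned above, as an added example script (this is not code from the Bouncer project or its Admin Tool). It runs the same `net start bouncer` / `net stop bouncer` commands quoted in the post, but decides which one to run from the driver's current state, and folds Restart in as a switch so the three buttons collapse into one action. Reading the state through Win32_SystemDriver is my choice: kernel and file-system drivers are not returned by Get-Service, which is the trap people hit when they try to script this.

```powershell
# Added example: one action that starts or stops the Bouncer driver depending
# on its current state, with -Restart for the stop-then-start sequence.
#Requires -RunAsAdministrator
param(
    [string]$DriverName = 'bouncer',   # service name used by the Admin Tool's net commands
    [switch]$Restart                   # force stop + start regardless of current state
)
$ErrorActionPreference = 'Stop'

function Get-DriverState {
    param([string]$Name)
    # Get-Service only lists Win32 services; drivers live in Win32_SystemDriver.
    $d = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$Name'"
    if (-not $d) { throw "Driver '$Name' is not installed (no Win32_SystemDriver entry)." }
    return $d.State     # 'Running' or 'Stopped'
}

function Invoke-Net {
    param([string]$Verb, [string]$Name)
    # Same commands the Admin Tool runs under the hood: net start / net stop.
    & net.exe $Verb $Name | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net $Verb $Name failed with exit code $LASTEXITCODE" }
}

$state = Get-DriverState -Name $DriverName
Write-Host "$DriverName is currently $state"

if ($Restart) {
    # Restart = stop (only if running) followed by start.
    if ($state -eq 'Running') { Invoke-Net -Verb 'stop' -Name $DriverName }
    Invoke-Net -Verb 'start' -Name $DriverName
}
elseif ($state -eq 'Running') {
    Invoke-Net -Verb 'stop' -Name $DriverName
}
else {
    Invoke-Net -Verb 'start' -Name $DriverName
}

Write-Host "$DriverName is now $(Get-DriverState -Name $DriverName)"
```

    Because the decision is made from the live state rather than from what the GUI last displayed, the button can never issue a `net start` against an already-running driver or a `net stop` against a stopped one, which is the failure the separate-button layout invites.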
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    True, maybe there is a way to delay the amount of time in which it reports this. Normally this "log out of sync" type of message is there in case the driver is installed without a log file or if, for example, someone or some program deletes the log file from within the Windows directory. So it alerts the user that there is a problem syncing to the log file. One program, CCleaner, occasionally deletes log files from within the Windows directory. But anyway, with regard to that error happening when you stop Bouncer, clear the log, and start the Bouncer driver again quickly, there may be something that can be done with the timing of how often the program checks in with the log file status, which might help alleviate this error under that particular circumstance.
     