Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    I may have missed something, but is there any reason to use PARENTCHECK if I already use MemProtect?

    If my apps already have a whitelist of where/what they can inject memory, I believe it would be redundant to use Bouncer with this setting, right?
     
  2. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    Please, somebody help me, because I can not make my rules work:

    Code:
    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [#SHA256]
    [PARENTCHECK]
    [#CMDCHECK]
    [WHITELIST]
    #    [Windows and Softwares - Base Rules]
    C:\Windows\*
    C:\Program Files (x86)\*
    C:\Program Files\*
    C:\ProgramData\Microsoft\*
    D:\Programas\*
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe
    C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    C:\ProgramData\MEGAsync\MEGAsync.exe
    [BLACKLIST]
    [PARENTWHITELIST]
    #    [Windows and Softwares - Base Rules]
    C:\Windows\*>*
    C:\Program Files (x86)\*>*
    C:\Program Files\*>*
    C:\ProgramData\Microsoft\*>*
    D:\Programas\*>*
    #    [AppData - Base Rules]
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Users\*\AppData\Local\Temp\*
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Users\*\AppData\Local\Temp\*\bin\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe>C:\Users\*\AppData\Local\Microsoft\OneDrive\*
    C:\ProgramData\MEGAsync\MEGAsync.exe>C:\ProgramData\MEGAsync\*
    C:\ProgramData\MEGAsync\MEGAsync.exe>C:\Windows\SysWOW64\*
    [PARENTBLACKLIST]
    [CMDWHITELIST]
    [CMDBLACKLIST]
    [EOF]
    

    When I test MEGAsync:

    Code:
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\libeay32.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\cares.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\libcurl.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\ssleay32.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\libsodium.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\Qt5Widgets.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\Qt5Gui.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\Qt5Core.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\Qt5Network.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\vcruntime140.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\msvcp140.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\vcruntime140.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\vcruntime140.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\msvcp140.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\platforms\qwindows.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qdds.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qgif.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qicns.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qico.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qjpeg.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qsvg.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\Qt5Svg.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qtga.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qtiff.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qwbmp.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qwebp.dll
    

    I have experience with MemProtect and Fides, but Bouncer is really annoying me.

    Is there any way to disable notifications? I much prefer the simplicity of the icon only changing color, as it does with MemProtect and Fides.

    Thanks!
     
  3. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    You have to allow all DLLs in the MEGAsync folder, like below, or one by one:
    C:\ProgramData\MEGAsync\*

    You only allowed C:\ProgramData\MEGAsync\MEGAsync.exe in [WHITELIST].
    To disable notifications, create a shortcut to BouncerTray.exe, then open the shortcut's properties and add the below to the target:
    Code:
    "C:\Program Files\Excubits\Bouncer_Demo\Tools\BouncerTray.exe" nopopups
    I prefer all drivers manageable by one tray tool.
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I will look into your rules and stuff in a couple of hours. But for now, there is a better flag that I use for starting the BouncerTray tool. So whether you have a startup via a shortcut, scheduled task or registry, you can make this same modification either way.

    Code:
    BouncerTray.exe nopopups
    So for example if you had a shortcut or registry startup entry, simply add the nopopups part at the end. That will essentially stop any operating system toasts or balloon tips from occurring.
     
  5. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    Thanks, man! This worked perfectly!

    How can I do this?

    Thanks, everything is working now!
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @ExtremeGamerBR You're welcome. I'm glad to hear that all is good now.
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Updated Blacklist:

     
  8. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I didn't find any new entries added via MS Device Guard Team list on my primary machine, maybe because I don't have Device Guard on my version of Win10?

    But thanks to Florian maintaining a consolidated list.
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Quite likely the base, yes. I believe that you have to enable (therefore install) Device Guard via "Turn Windows features on and off" and therefore the binaries likely would not be on your machine unless installed.
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    OK. Not available yet in Win 10 Pro x64 v1703 15063.413.
     
  11. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    Well, kind of answering my own question, if I copy my rules from MemProtect with [#DEFAULTALLOW] to Bouncer they do exactly the same thing.

    If I had known that, I would have bought just Bouncer. Now I will have to buy Bouncer and it appears to make no sense at all to keep MemProtect in my system. Maybe someone is seeing something that I'm not?
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Looks like another new topic for discussion on this will surface at some point.

    I happen to have that setting and have done some poking around (looks formidable enough) but I don't want to get too far ahead of things.

    There are still a few of these cool Excubits drivers to deal with also. Bouncer was the first one I tested and found to my liking when it was released as a beta.
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    The rules filtering engine between Bouncer and MemProtect is very similar (specifically just for parent process control). So the rules structure is the same. But Bouncer deals specifically with process execution, whereas MemProtect deals specifically with blocking process memory to process memory communications. So different levels. Bouncer blocks initial execution and parent process to child process execution control as well. Try to think of MemProtect as if the "sh!t has already hit the fan". Let's assume either no rules were in place to block execution (inadequate rules) or as if you had no application whitelisting / anti-exec software in place or if something like a browser became exploited.

    MemProtect can take an already pwned process, exploited or otherwise, and contain its memory. So they are quite different. Yet, any of the Excubits drivers in their own right could provide significant protection to a system on their own as long as good rules are set. Personally, I think that Bouncer and MemProtect complement each other very well. It's something like having app whitelisting / anti-exec combined with anti-exploit. MemProtect is more toward the anti-exploit spectrum but blocks memory access entirely.
     
  14. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    You are the man! This explains perfectly what I was not understanding.

    Thanks!
     
  15. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    Hi guys, I need a little help again.

    Code:
    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [#SHA256]
    [PARENTCHECK]
    [CMDCHECK]
    [WHITELIST]
    #    [Windows and Softwares - Base Rules]
    !C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe
    !C:\Users\*\AppData\Local\Temp\*\bin\*.dll
    !C:\Users\*\AppData\Local\Temp\*\lib\*.so
    !C:\Users\*\AppData\Local\Temp\*\src\*.so
    C:\Windows\*
    C:\Program Files (x86)\*
    C:\Program Files\*
    C:\ProgramData\Microsoft\*
    C:\ProgramData\MEGAsync\*
    D:\Programas\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\*
    [BLACKLIST]
    D:\Programas\Chromium\*\profile
    #
    # Last Updated: 2017/06/19
    #
    *\AppData\Local\Temp\*.bat
    *\AppData\Local\Temp\*.cmd
    *\AppData\Local\Temp\*.com
    *\AppData\Local\Temp\*.exe
    *\AppData\Local\Temp\*.scr
    *\AppData\Local\Temp\*.sys
    *\AppData\Roaming\*.bat
    *\AppData\Roaming\*.cmd
    *\AppData\Roaming\*.com
    *\AppData\Roaming\*.exe
    *\AppData\Roaming\*.scr
    *\AppData\Roaming\*.sys
    *\at.exe
    *\Temp\*.zip*\*.exe
    *\Temp\*7z*\*.exe
    *\Temp\*rar*\*.exe
    *\Temp\*sfx\*.exe
    *\Temp\*wz*\*.exe
    *aspnet_compiler.exe
    *attrib.exe
    *auditpol.exe
    *bash.exe
    *bcdboot.exe
    *bcdedit.exe
    *bitsadmin*
    *bootcfg.exe
    *bootim.exe
    *bootsect.exe
    *ByteCodeGenerator.exe
    *cacls.exe
    *cdb.exe
    *csi.exe
    *debug.exe
    *DFsvc.exe
    *diskpart.exe
    *dnx.exe
    *eventvwr.exe
    *fsi.exe
    *hh.exe
    *IEExec.exe
    *iexplore.exe
    *iexpress.exe
    *ilasm.exe
    *InstallUtil*
    *InstallUtil.exe
    *journal.exe
    *jsc.exe
    *kd.exe
    *lxssmanager.dll
    *mmc.exe
    *mrsa.exe
    *MSBuild.exe
    *mshta.exe
    *mstsc.exe
    *netstat.exe
    *ntsd.exe
    *odbcconf.exe
    *powershell.exe
    *powershell_ise.exe
    *PresentationHost.exe
    *quser.exe
    *rcsi.exe
    *RegAsm*
    *regini.exe
    *Regsvcs*
    *regsvr32.exe
    *RunLegacyCPLElevated.exe
    *runonce.exe
    *scrcons.exe
    *script.exe
    *sdbinst.exe
    *set.exe
    *setx.exe
    *Stash*
    *syskey.exe
    *systemreset.exe
    *takeown.exe
    *UserAccountControlSettings.exe
    *utilman.exe
    *vbc.exe
    *vssadmin.exe
    *windbg.exe
    *wmic.exe
    *xcacls.exe
    ?:\$Recycle.Bin\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\FilesStash\*
    C:\Users\Public\*
    C:\Windows\ADFS\*
    C:\Windows\debug\WIA\*
    C:\Windows\Fonts\*
    C:\Windows\PLA\Reports\*
    C:\Windows\PLA\Reports\de-DE\*
    C:\Windows\PLA\Rules\*
    C:\Windows\PLA\Rules\de-DE\*
    C:\Windows\PLA\Templates\*
    C:\Windows\Registration\CRMLog\*
    C:\Windows\servicing\Packages\*
    C:\Windows\servicing\Sessions\*
    C:\Windows\System32\Com\dmp\*
    C:\Windows\System32\FxsTmp\*
    C:\Windows\System32\LogFiles\WMI\*
    C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\*
    C:\Windows\System32\spool\drivers\color\*
    C:\Windows\System32\spool\PRINTERS\*
    C:\Windows\System32\spool\SERVERS\*
    C:\Windows\System32\Tasks\*
    C:\Windows\System32\Tasks_Migrated\*
    C:\Windows\SysWOW64\Com\dmp\*
    C:\Windows\SysWOW64\FxsTmp\*
    C:\Windows\SysWOW64\Tasks\*
    C:\Windows\Tasks\*
    C:\Windows\Temp\*
    C:\Windows\tracing\*
    [PARENTWHITELIST]
    #    [Softwares and Windows - Base Rules]
    !C:\Program Files\Cryptomator\Cryptomator.exe>C:\Windows\System32\reg.exe
    !C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Windows\SysWOW64\reg.exe
    !C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Windows\SysWOW64\taskkill.exe
    !C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Windows\SysWOW64\netsh.exe
    !D:\Programas\CUETools 2.1.5\CUETools.exe>C:\Windows\Microsoft.NET\Framework64\*\csc.exe
    !D:\Programas\foobar2000\foobar2000.exe>C:\Windows\SysWOW64\cscript.exe
    C:\Program Files\pia_manager\pia_manager.exe>C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Program Files\pia_manager\pia_manager.exe
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Program Files\pia_manager\pia_tray_bin\nw-win\pia_nw.exe
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Program Files\pia_manager\openvpn.exe
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Users\*\AppData\Local\Temp\*\bin\*
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Users\*\AppData\Local\Temp\*\lib\*
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Users\*\AppData\Local\Temp\*\src\*
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Windows\SysWOW64\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\*>C:\Users\*\AppData\Local\Microsoft\OneDrive\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\*>C:\Windows\SysWOW64\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe>C:\Windows\WinSxS\*\comctl32.dll
    C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe>C:\Windows\WinSxS\*\GdiPlus.dll
    C:\ProgramData\MEGAsync\MEGAsync.exe>C:\ProgramData\MEGAsync\*
    C:\ProgramData\MEGAsync\MEGAsync.exe>C:\Windows\SysWOW64\*
    C:\Windows\*>*
    C:\Program Files (x86)\*>*
    C:\Program Files\*>*
    C:\ProgramData\Microsoft\*>*
    D:\Programas\*>*
    [PARENTBLACKLIST]
    #    [Block Execution of Windows and Softwares - Base Rules]
    *>*reg.exe
    *>*taskkill.exe
    *>*netsh.exe
    *>*csc.exe

    And my log:

    Code:
    2017/06/26_13:24:55 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    2017/06/26_13:24:55 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    2017/06/26_13:24:55 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    2017/06/26_13:24:55 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    2017/06/26_13:24:56 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    2017/06/26_13:32:53 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    2017/06/26_13:32:53 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    In my WHITELIST, I have:

    D:\Programas\*

    In my PARENTWHITELIST, I have:

    !D:\Programas\foobar2000\foobar2000.exe>C:\Windows\SysWOW64\cscript.exe
    D:\Programas\*>*

    I think the first rule is redundant, since I don't have cscript.exe in my PARENTBLACKLIST or BLACKLIST, but anyway I still get that entry in my log.

    How is this possible?

    Thanks!
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @ExtremeGamerBR Does your main WHITELIST have a rule to allow execution within: C:\Windows\SysWOW64\*

    If you don't want to allow the entire SysWOW64 directory you could try:
    Code:
    [WHITELIST]
    C:\Windows\SysWOW64\cscript.exe
    Just to see what happens. Ensure that you restart the Bouncer driver after any config changes as well. Otherwise the rules look great, I don't see any specific issue.
     
  17. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    Thanks!

    But even when I added:

    C:\Windows\SysWOW64\cscript.exe

    in my WHITELIST, Bouncer is still blocking cscript.exe oO

    As I always exchange my config file (instead of editing the one in C:\Windows) it automatically restarts the driver.

    Maybe cscript.exe has other name that is inside my blacklist?

    EDIT: Well, I just solved the issue.

    This is the one that was causing the problem:

    BLACKLIST:
    *script.exe

    So I removed *script.exe from my BLACKLIST and then I added it to my PARENTBLACKLIST as:
    *>*script.exe

    Then added these lines to my PARENTWHITELIST:
    !D:\Programas\foobar2000\foobar2000.exe>C:\Windows\SysWOW64\script.exe
    !D:\Programas\foobar2000\foobar2000.exe>C:\Windows\SysWOW64\cscript.exe

    The funny thing is that if I allow only script.exe, Bouncer is still blocking cscript.exe and if I allow only cscript.exe, Bouncer still blocks cscript.exe.

    In other words, I have to let Foobar2000.exe execute both script.exe and cscript.exe, even if only script.exe is in my blacklist.

    Maybe a bug?
     
    Last edited: Jun 27, 2017
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @ExtremeGamerBR I have to read into this a bit more later. But you can try adding a \

    Code:
    *\script.exe
    Or
    Code:
    *>*\script.exe
    The * variable was accounting for cscript.exe and anything else that ends with script.exe

    So you can be as precise as you wish. Or for example:

    Code:
    *\?script.exe
    Or
    Code:
    *>*\?script.exe
    This would account for one character variable at the beginning, as opposed to * allowing any number of characters. I know this is not specifically what you were intending here, but I wanted to explain a bit about variables * or ? because there are lots of options.
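
Added example, not part of any post in this thread and not Excubits code: a small triage script that takes a Bouncer log line and reports which WHITELIST/BLACKLIST rules match the logged child path, covering both the MEGAsync DLL entries and the `*script.exe` versus `cscript.exe` case above. The wildcard semantics are assumptions based on the posts (`*` matches any run of characters including backslashes, `?` exactly one character, case-insensitive); `!` priority rules, parent rules and command-line rules are not modelled.

```python
import re


def rule_to_regex(rule):
    """Translate a rule using the thread's wildcards into a regex.

    Assumptions (not taken from Excubits documentation): '*' matches any
    run of characters including backslashes, '?' matches exactly one
    character, and the comparison is case-insensitive over the whole path.
    """
    out = []
    for ch in rule:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


def hits(rules, path):
    """Return every rule in `rules` that matches `path` in full."""
    return [r for r in rules if rule_to_regex(r).fullmatch(path)]


def parse_log_line(line):
    """Split '<timestamp> > LSTCHECK > <parent> > <child>' into its parts."""
    fields = [f.strip() for f in line.strip().split(" > ")]
    if len(fields) < 4:
        raise ValueError("not a Bouncer log line: %r" % line)
    check, parent, child = fields[-3:]
    return {"check": check, "parent": parent, "child": child}


def triage(line, whitelist, blacklist):
    """Explain one log entry by listing the rules that match its child path."""
    child = parse_log_line(line)["child"]
    black = hits(blacklist, child)
    white = hits(whitelist, child)
    if black:
        cause = "blacklist"            # e.g. '*script.exe' catching cscript.exe
    elif not white:
        cause = "not whitelisted"      # e.g. only MEGAsync.exe listed, DLL loaded
    else:
        cause = "check parent/cmd rules"
    return {"child": child, "cause": cause, "blacklist": black, "whitelist": white}


# Log lines and rules copied from the posts above.
LOG_CSCRIPT = (r"2017/06/26_13:24:55 > LSTCHECK > "
               r"D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe")
LOG_MEGA = (r"*** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > "
            r"C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qgif.dll")

if __name__ == "__main__":
    print(triage(LOG_CSCRIPT, [r"C:\Windows\*"], ["*script.exe"]))
    print(triage(LOG_CSCRIPT, [r"C:\Windows\*"], [r"*\script.exe"]))
    print(triage(LOG_MEGA, [r"C:\ProgramData\MEGAsync\MEGAsync.exe"], []))
    print(triage(LOG_MEGA, [r"C:\ProgramData\MEGAsync\*"], []))
```
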
     
  19. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    I think it's a little bit difficult for users to create command-line rules in Bouncer.

    Could someone show me more about it?

    Thanks
     
  20. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    Just tried downloading Bouncer demo from Excubits website, Chrome is flagging it as dangerous. I looked through my old downloads folder and found a copy of the demo I had downloaded probably a month ago. Hitman Pro is flagging it as infected with Trojan-Dropper.Win32.Dinwod.acsc. VT shows 14 detections as infected. Anyone else see this?

    Edit: I sent a message to Excubits asking them to check this as well.
     
    Last edited: Jun 28, 2017
  21. Zorak

    Zorak Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    182
    Location:
    Australian Capital Territory
    Yeah, when I downloaded it last week Chrome blocked it and there were 10 detections on VT. I assumed they were false positives and installed it anyway. No problems - so far ;)
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    The digital certificate (EV cert) seems to be OK based on dates and such. But I do recall Florian telling me the other day in an email that he needs to update his EV certificate and update all binaries. So I assume it has something to do with the EV cert. He wrote me yesterday telling me that he's been especially busy in the past few weeks but is hoping to update the EV cert and release updated binaries as soon as possible.

    EDIT: I just tested downloading the paid versions and they were not flagged. But it seems that the EV cert dates are newer on the paid versions. So it looks as though he does need to update the EV cert and release new binaries for the demo versions.
     
  23. guest

    guest Guest

    I have tried to download all available tools, but only Bouncer (bouncer_demo.exe) has been flagged by Chrome :cautious:
    All tools are signed with the same certificate (valid until 19 July 2017)
     
  24. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    Received a reply from Florian. He confirmed the Bouncer demo detection is a false positive. He's tried to contact the AV vendors to correct this but has had no response.
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Humm.. I tried downloading the Bouncer Demo, and Firefox also blocked the download saying it contains a virus. I took a screenshot of the warning prompt.
     
