Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yeah, I have the #lethal set so it should be in active

    I don't have an activity report as Appguard is not at all active

    Bottom line is I can't even boot to the desktop
     
  2. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    Peter, see post #1131 for detailed install instructions for MemProtect. Sounds like you didn't actually install the driver, same thing I had trouble with. I've been running MemProtect alongside AppGuard for the past three months with no issues. Don't know why you would be unable to boot your machineo_O
     
  3. hjlbx

    hjlbx Guest

    I observed a conflict between Bouncer and AppGuard - even with AppGuard completely disabled.

    It appears to be the same with MemProtect.
     
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,699
    What kind of conflict?
    I'm running several excubits-products and have no problems :cautious:
    If [#LETHAL] is set, the driver is not blocking and shouldn't cause any conflict.:doubt:
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well with Appguard disabled I was just seeing a hang at log on. Once I uninstalled Appguard completely, I got past log on, and was welcomed by a blue screen. Oh well enough of that.
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,699
    Ok, then MemProtect is definitely the culprit.
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Peter2150 Just out of curiosity, do you run any light virtualization software on your machine(s)?
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yep I have ShadowDefender on the system, although I wasn't trying to run it.
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Ok, thanks for letting me know. I can't say for certain, but I do recall some users having significant issues between light-virtualization software and Bouncer previously and so I assume that could be similar with MemProtect. Likely something to do with the way in which the underlying kernel-mode drivers are conflicting. I recall users mentioning issues with QuietZone and also ShadowDefender before. It's possible that, due to the way in which they all work, they may simply not be compatible due to conflict or it may also be possible to make exceptions on both sides to prevent conflict. But either way, it can be difficult to narrow down and troubleshoot when kernel drivers conflict so early after kernel initialization.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi WildbyDesign

    Thanks for the answer. It may just be my system is a bit much for Memprotect. Hopefully down the road. Anytime someone things it is worth a shot, I'll give it a try.

    Pete
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,653
    Location:
    USA
    I see discussion about using MemProtect, and Bouncer with AppGuard. I can not comment on MemProtect since I have not used it for a while, but there is an incompatibility between AppGuard, and Bouncer. AppGuard blocks Bouncer from writing to it's own registry key. This occurs when the user guards an application with AG, and also guards the same application with Bouncer using it's parent check feature. If Bouncer blocks the child process of an application guarded by AG using it's parent check feature then AG will block Bouncer from writing to it's own registry key which in turn prevents Bouncer from blinking it's tray icon, and changing from green to red. This also sometimes causes Bouncer's tray icon to be a little slow to respond when trying to access the log, and.ini file by the tray icon. I have used them together quite a lot, and that's the only issue I have had on my Windows 7x64 Ultimate machines.
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,699
    a) The driver MemProtect/Bouncer blocked something
    b) the driver then writes to the registry
    c) the tray-Icon is reading the registry and is now blinking
    But AppGuard blocks step b), right?
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Here is the latest vulnerable Microsoft built-in binary blacklist per Florian's latest research:
    (by the way, he will blog about this soon and explain in more detail)

    Code:
    *runonce.exe
    ?:\$Recycle.Bin\*
    *regsvr32.exe
    *InstallUtil*
    *Regsvcs*
    *RegAsm*
    C:\Windows\ADFS\*
    C:\Windows\Fonts\*
    C:\Windows\Minidump\*
    C:\Windows\Offline Web Pages\*
    C:\Windows\tracing\*
    C:\Windows\Tasks\*
    *InstallUtil.exe
    *IEExec.exe
    *DFsvc.exe
    *PresentationHost.exe
    *reg.exe
    *vssadmin.exe
    *aspnet_compiler.exe
    *csc.exe
    *ilasm.exe
    *jsc.exe
    *MSBuild.exe
    *vbc.exe
    *script.exe
    *iexplore.exe
    *journal.exe
    *bitsadmin*
    *iexpress.exe
    *mshta.exe
    *systemreset.exe
    *bcdedit.exe
    *mstsc.exe
    *powershell.exe
    *powershell_ise.exe
    *hh.exe
    *set.exe
    *setx.exe
    *\at.exe
    *mrsa.exe
    *bcdedit.exe
    *bcdboot.exe
    *bootcfg.exe
    *bootim.exe
    *bootsect.exe
    *ByteCodeGenerator.exe
    *debug.exe
    *diskpart.exe
    *regini.exe
    *regsvr32.exe
    *RunLegacyCPLElevated.exe
    *UserAccountControlSettings.exe
    C:\Users\Public\*
    *\Temp\rar*\*.exe
    *\Temp\7z*\*.exe
    *\Temp\wz*\*.exe
    *\Temp\*.zip\*.exe
    *\Temp\*sfx\*.exe
    *\AppData\Local\Temp\*.scr
    *\AppData\Local\Temp\*.com
    *\AppData\Local\Temp\*.bat
    *\AppData\Local\Temp\*.sys
    *\AppData\Roaming\*.exe
    *\AppData\Roaming\*.scr
    *\AppData\Roaming\*.com
    *\AppData\Roaming\*.bat
    *\AppData\Roaming\*.sys
     
  14. hjlbx

    hjlbx Guest

  15. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Yepp, this is what happens with AppGuard enabled. AppGuard should be whitelist tray application, so this can't happen.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I couldn't get memprotect to run even with Appguard totally disabled.
     
  17. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Thanks, that is mint!

    Hmmm, sounds strange. What is your configuration like: Windows version, type: 32bit? 64bit?, specila drivers installed, other 3rd party apps/protection drives that can cause the problem?
     
  18. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    By the way: It seems new version of Pumpernickel is out now :cool:
     
  19. hjlbx

    hjlbx Guest

    There is incompatibility between Bouncer\MemProtect and AppGuard on my stock W10 Home system. AppGuard causes both programs to mis-behave\quirky un-expected behaviors - even with both turned off.

    Any how... that's what I have observed.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    How did you turn Appguard off. I used autoruns and turned off the GUI,service and driver. Still no love
     
  21. hjlbx

    hjlbx Guest

    I just disabled it via the GUI.

    Things only worked after complete removal of AppGuard.
     
  22. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,699
    Yes, but it's only test-signed at the moment. :(
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,769
    Location:
    U.S.A. (South)
    :(
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @EASTER @mood The good news is that the HSM dongle has reached the border at Germany and therefore should be in Florian's hands during this week, I would assume. At that point, he will be able to digitally sign all of the current (and previous) binaries with SHA-256 and likely cross-signed per Microsoft's latest signing requirements. This will now make the drivers compatible with the upcoming Windows 10 Anniversary Update along with the changes to Windows 7/8.x in 2017 when Microsoft enforces the signing requirements there as well. So while this was an expensive investment on Florian's part, it should open up more potential for Bouncer/Excubits in general going forward. I'm hoping that we will see a re-signed stable build of Bouncer soon as well.
     
  25. Schorg

    Schorg Guest

    Hello all, new to bouncer is priority rule (!) global rule, can it override any rule entered into either the blacklist,parentblacklist,cmdblacklist rule or is it limited to where the rule is placed?

    For example if I place *regedit.exe into [BLACKLIST] can the priority rule placed in the [PARENTWHITELIST]
    !C:\users\*\appdata\local\privazer installation\privazer.exe>c:\windows \syswow64\regedit.exe

    Can the priority rule in [PARENTWHITELIST]
    override the [BLACKLIST] rule.

    Edit - I don't believe priority rule from [PARENTWHITELIST] can override a rule from [BLACKLIST], shame could be useful to allow some trusted apps to run vulnerable processes which are blacklisted.
     
    Last edited by a moderator: Jul 20, 2016
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.