Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
I wanted to follow up on this one. I tried this again just now and removed the ! priority symbol, and calc.exe was still protected from being killed by Task Manager. I'm not certain why it did work as expected for you initially. I'm wondering if maybe you had an older version of MemProtect, since your .ini example was missing the [#DEFAULTALLOW] switch, and if that switch was missing, it could potentially explain why it was not working as expected.

    EDIT: Although having *>* in your whitelist section would be almost identical to having [DEFAULTALLOW] enabled.
    You are correct, a normal blacklist rule is sufficient.
     
  2. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    My pleasure, glad to pass it on :)
     
  3. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Yes, it looks like the absence of the [DEFAULTALLOW] switch (whether commented out or not) was the issue. Thanks for clearing that up for me, much appreciated. :)

    I have the latest version (from April). I'd considered the DEFAULTALLOW switch optional as it wasn't in all the example configs I'd seen.
     
  4. Schorg

    Schorg Guest

    I have no issues with SpyShelter Firewall and Bouncer, but I would recommend disabling Action 53 - Execution of an application, to prevent conflicts.

    Sorry, @co22, you're using Pumpernickel. I am not familiar with Pumpernickel, so I don't know.
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,062
    Location:
    Mexico
    I need to block anything from reading/writing a USB stick: T:\
    Except two programs, which can have read/write access:
    1. C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe
    2. C:\Program Files\Jotta\jotta.exe

    Any help defining rules for the ini file, please?
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Mister X Try something like this:

    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    [BLACKLISTMODIFY]
    *>T:*
    [WHITELISTREAD]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    [BLACKLISTREAD]
    *>T:*
    [EOF]
    
    Go non-lethal for a while first to ensure that it's sufficient. It is quite possible that those apps could potentially use other helper .dlls or even built-in Windows components for part of their work; I just don't know for sure because I am not familiar with them. The best thing is to test like that for now and see what turns up in the logs. Switch to lethal once you feel it is sufficient.
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,062
    Location:
    Mexico
    @WildByDesign
    Thanks a lot for your help. Gonna try it right away!:thumb:

    How do I auto-start the driver and PumpernickelSignalCheck at boot time?
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,062
    Location:
    Mexico
    I got this when attempting to start the driver:
    Code:
    C:\Windows\system32>net start pumpernickel
    System error 87 has occurred.
    
    The parameter is incorrect.
    
    
    C:\Windows\system32>pause
    Press any key to continue . . .
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,437
    Location:
    Under a bushel ...
    Did you right-click the .inf and Install?

    I ask because that was my problem also. Forgot to RTFM :)
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,062
    Location:
    Mexico
    Yes I did.
    Now I have it in this path "C:\Windows\System32\drivers\Pumpernickel.sys"
     
  11. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    @Mister X ensure that the config file is correctly formatted. Also ensure that the last entry, [EOF], ends with a line feed, so that a blank line comes after [EOF].
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,062
    Location:
    Mexico
    Yessss. L0L
    That did the trick... Oh my... Thank you very much.
    I mean the blank line feed did the trick.
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,062
    Location:
    Mexico
    How do I handle these lines in the ini file:
    Code:
    *** excubits.com beta ***: 2016/07/26_12:56 > C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > T:\
    *** excubits.com beta ***: 2016/07/26_12:56 > C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe > T:\
    My ini file:
    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    [BLACKLISTMODIFY]
    *>T:*
    [WHITELISTREAD]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    [BLACKLISTREAD]
    *>T:*
    [EOF]
    I guess AppGuard only needs read access to accomplish its tasks or protection routines.
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Mister X Try this:
    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    !C:\Program Files (x86)\Blue Ridge Networks\AppGuard\*>T:*
    [BLACKLISTMODIFY]
    *>T:*
    [WHITELISTREAD]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    !C:\Program Files (x86)\Blue Ridge Networks\AppGuard\*>T:*
    [BLACKLISTREAD]
    *>T:*
    [EOF]
    
    It looks as though the AppGuard program needs access to the external drive, likely as a way of providing its own protection, etc. So that is necessary to allow it to do its job.

    EDIT: Corrected code to \AppGuard\* instead of specific executables to narrow down and allow AppGuard to do what it needs to do.
     
  15. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,062
    Location:
    Mexico
    Thanks. I guess AppGuard needs read permission only, right? I don't believe it needs write access, so I can add the line to [WHITELISTREAD] only.
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome. You are quite likely right, yes. Give that a try and see how it goes. You can always adjust if necessary now that you have a better understanding. Feel free to ask any questions, anytime, as always. Same likely goes for other security programs or antivirus.
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,062
    Location:
    Mexico
    From the FIDES log file:

    Code:
    *** excubits.com beta ***: 2016/07/26_20:58 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_20:58 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:02 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:02 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:02 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:02 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:02 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:02 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:02 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:02 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:04 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:04 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:05 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:05 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:05 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:05 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:05 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:05 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:05 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:05 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:07 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:07 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:07 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:07 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:08 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:08 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:08 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:08 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:38 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:38 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:38 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:38 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:38 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:38 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:39 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:39 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:39 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:39 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:41 > C:\Windows\System32\svchost.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:42 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/07/26_21:42 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/07/26_21:42 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/07/26_21:42 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/07/26_21:42 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/07/26_21:42 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/07/26_21:57 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:57 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:57 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:57 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:57 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:57 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:59 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:59 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:59 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_21:59 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/26_22:00 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_22:00 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_22:00 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_22:00 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_22:00 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_22:00 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_22:01 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_22:01 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_22:01 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_22:01 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_22:01 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_22:01 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_22:01 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_22:01 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_22:01 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_22:01 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/26_22:02 > C:\Windows\System32\wininit.exe > T:\
    *** excubits.com beta ***: 2016/07/26_22:02 > C:\Windows\System32\wininit.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:15 > C:\Windows\System32\svchost.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:16 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/07/27_08:16 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/07/27_08:16 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/07/27_08:16 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/07/27_08:16 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/07/27_08:16 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/07/27_08:16 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:16 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:16 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:16 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:16 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:16 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:16 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:16 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:17 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:17 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:17 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:17 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:44 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:44 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:44 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:44 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:44 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:44 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:44 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:44 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:44 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:44 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:44 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:44 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:44 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:44 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:46 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:46 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:46 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:46 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:46 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:46 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:48 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:48 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:49 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:49 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:53 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:53 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:53 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:53 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:54 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:54 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:57 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:57 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:58 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:58 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:58 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:58 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:59 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:59 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:59 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_08:59 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:01 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:01 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:01 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:01 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:02 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:02 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:02 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:02 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:02 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:02 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:02 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:02 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:03 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:03 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:27 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:27 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:27 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:27 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:27 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:27 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:29 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:53 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:53 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:55 > C:\Windows\explorer.exe > T:\
    *** excubits.com beta ***: 2016/07/27_09:55 > C:\Windows\explorer.exe > T:\
    
    Pumpernickel.ini:
    Code:
    [LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    [BLACKLISTMODIFY]
    *>T:*
    [WHITELISTREAD]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    !C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe>T:*
    !C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe>T:*
    [BLACKLISTREAD]
    *>T:*
    [EOF]
    
    Is there a way to stop logging those specific lines sans shutting down the full logging system? The problem is the tray icon turning red every time an attempt to access T:\ is made by those programs.
     
    Last edited: Jul 27, 2016
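To see at a glance which processes are responsible for a log like the one above, here is an added Python example (editor-added, not code from the thread or from Excubits) that parses lines in the format the FIDES/Pumpernickel log shows and counts blocked events per process and target. The sample lines are constructed to match that format; the parser assumes that a process path never contains the " > " separator the driver uses between fields.

```python
import re
from collections import Counter
from datetime import datetime

# Line layout as it appears in the FIDES/Pumpernickel log quoted in the thread:
#   *** excubits.com beta ***: YYYY/MM/DD_HH:MM > <process path> > <target path>
LINE_RE = re.compile(
    r"^\*\*\* (?P<tag>.+?) \*\*\*: "
    r"(?P<ts>\d{4}/\d{2}/\d{2}_\d{2}:\d{2}) > (?P<proc>.+?) > (?P<target>.*)$"
)

# Constructed sample in the thread's log format, plus one junk line to show skipping.
SAMPLE_LOG = r"""
*** excubits.com beta ***: 2016/07/26_21:39 > C:\Windows\explorer.exe > T:\
*** excubits.com beta ***: 2016/07/26_21:39 > C:\Windows\explorer.exe > T:\
*** excubits.com beta ***: 2016/07/26_21:41 > C:\Windows\System32\svchost.exe > T:\
*** excubits.com beta ***: 2016/07/26_21:42 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
*** excubits.com beta ***: 2016/07/26_21:42 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
*** excubits.com beta ***: 2016/07/26_21:57 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
*** excubits.com beta ***: 2016/07/26_21:59 > C:\Windows\explorer.exe > T:\
*** excubits.com beta ***: 2016/07/26_22:00 > C:\Program Files (x86)\Google\Chrome\Application\chrome.exe > T:\
this line is not a FIDES event
""".strip("\n").split("\n")


def parse_fides_line(line):
    """Return a dict for one blocked-event line, or None if the line is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "tag": m.group("tag"),
        "time": datetime.strptime(m.group("ts"), "%Y/%m/%d_%H:%M"),
        "process": m.group("proc"),
        "target": m.group("target"),
    }


def summarize(lines):
    """Count blocked events per (process, target) pair; non-empty unparseable lines are counted as skipped."""
    counts = Counter()
    skipped = 0
    for line in lines:
        event = parse_fides_line(line)
        if event is None:
            if line.strip():
                skipped += 1
            continue
        counts[(event["process"], event["target"])] += 1
    return counts, skipped


def by_process(counts):
    """Collapse the (process, target) counts to a per-process total."""
    totals = Counter()
    for (process, _target), n in counts.items():
        totals[process] += n
    return totals


def noisiest(counts, n=3):
    """The n (process, target) pairs that produced the most blocked events."""
    return counts.most_common(n)


if __name__ == "__main__":
    counts, skipped = summarize(SAMPLE_LOG)
    for (process, target), n in noisiest(counts):
        print(f"{n:4d}  {process}  ->  {target}")
    print(f"skipped {skipped} unparseable line(s)")
```

Run against a real log file (one line per entry), the per-process totals show directly which few processes are turning the tray icon red, which is the information needed to decide what to whitelist, narrow in the blacklist, or (with the silent-rule feature discussed later in the thread) keep out of the log.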
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,324
    a) Maybe delete *>T:* from [BLACKLISTREAD] and place only "private folders" in it, which should not be seen by applications.
    = General modifying of files is not allowed, but they can be read, except "private folders".
    => This should lead to fewer prompts from security apps, and fewer prompts from C:\Windows\ files (e.g. explorer.exe).
    b) What happens if you replace T:* with T:\* ? I think you'll get fewer prompts with that too.
     
  19. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    I talked with Florian: he is working on a new feature for all drivers. He calls it silent rules: you can set a special character before a rule and make it a silent rule. As far as I understand, those blacklist rules will still be blocking, but they will not be logged. In your example you can make C:\Windows\explorer.exe>T:* a silent rule and it will never show up in the log anymore. I do not understand exactly what he means by silent rule and whether it is really needed, but somehow it makes sense (with your example in my mind).
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @4Shizzle That is fantastic news and will be quite beneficial for some users who want and/or need to ignore certain specified rules that show up in their logs. This is what I love about community effort, participation, and when developers open their minds to useful user suggestions such as this. Florian has always been great at taking in user suggestions and following through with it with regards to development, particularly as long as it follows along with his principle design aspects and design goals for his security tools. Excellent! :thumb:
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,062
    Location:
    Mexico
    As @WildByDesign said, this is really fantastic. See my scenario: I'm working on my PC and suddenly the green icon turns red. I know it is most likely a line logged by the driver about a harmless program like explorer.exe or searchindexer.exe. Then I pretend to ignore the red alert, but curiosity is stronger L0L, then I go to open the log... Nothing harmful, as expected, but I get distracted from my work anyway.
    Thank you guys and Florian for making these changes possible.
     
  22. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,324
    Very good.
    If *>T:* is used in [BLACKLISTREAD], there can be a lot of messages from explorer.exe.
    But with this coming version it can be made quiet without turning logging completely off. :thumb:
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Internal testing builds of Bouncer, which I (and likely a few other users who had requested the feature) now have for testing, now have the Silent Rules feature, which is working great so far. As requested by some users, this feature allows you to add the $ character to the start of any rule which you don't want showing up in the logs. This allows you to silence specific blocked events from showing up in the log or changing the tray icon, and thus not alert the user. So far this is being added to Bouncer first, then Pumpernickel/Fides, etc.

    Example:
    Code:
    [BLACKLIST]
    $D:\TESTING\no_log\*
    
    So in that example, execution would be denied, and it would also remain silent to the user: no logs or alert.
     
    Last edited: Jul 31, 2016
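The rule syntax discussed in this thread (the ! priority prefix from the first post, the read/modify whitelist and blacklist sections in the configs posted above, the [EOF] line-feed requirement from post 11, and the $ silent prefix described here) can be tried out offline with the following added Python simulator. It is editor-added example code, not Excubits' driver or its parser. Its evaluation order (priority whitelist first, then the first matching blacklist entry, then a plain whitelist entry, then a default), its reading of a [#...] header as a disabled switch, and its default_allow fallback are assumptions made for illustration, not documented Pumpernickel behaviour. The sample ini is the configuration Mr.X posted, with one constructed silent rule for explorer.exe added in front of the catch-all blacklist entry.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    process: str    # wildcard pattern for the process doing the access
    target: str     # wildcard pattern for the path being accessed
    priority: bool  # '!' prefix: a whitelist hit overrides any blacklist hit (assumed)
    silent: bool    # '$' prefix: a blocked event is neither logged nor alerted
    raw: str


@dataclass
class Decision:
    allowed: bool
    rule: Optional[Rule]   # the entry that decided, None when the default applied
    logged: bool           # would this event appear in the log / turn the tray icon red


@dataclass
class Config:
    lethal: bool = True         # [LETHAL] enforces, [#LETHAL] only logs
    logging: bool = False       # [LOGGING] writes blocked events to the log
    default_allow: bool = True  # assumed fallback when no rule matches; [DEFAULTALLOW] sets it
    rules: dict = field(default_factory=dict)  # section name -> list[Rule]


SECTIONS = ("WHITELISTMODIFY", "BLACKLISTMODIFY", "WHITELISTREAD", "BLACKLISTREAD")

# Constructed sample: the thread's Pumpernickel.ini plus a '$' silent rule for explorer.exe.
SAMPLE_INI = r"""[LETHAL]
[LOGGING]
[WHITELISTMODIFY]
!C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
!C:\Program Files\Jotta\jotta.exe>T:*
[BLACKLISTMODIFY]
*>T:*
[WHITELISTREAD]
!C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
!C:\Program Files\Jotta\jotta.exe>T:*
!C:\Program Files (x86)\Blue Ridge Networks\AppGuard\*>T:*
[BLACKLISTREAD]
$C:\Windows\explorer.exe>T:*
*>T:*
[EOF]
"""


def _glob(pattern: str):
    # '*' matches anything, backslashes included, so 'T:*' covers 'T:\' and everything below it.
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")) + r"\Z", re.IGNORECASE)


def parse_rule(line: str) -> Rule:
    body = line.lstrip("!$")  # both prefixes may be combined (assumption)
    prefix = line[: len(line) - len(body)]
    proc, sep, target = body.partition(">")
    if not sep or not proc or not target:
        raise ValueError(f"malformed rule: {line!r}")
    return Rule(proc, target, "!" in prefix, "$" in prefix, line)


def check_eof(text: str) -> list:
    """Post 11's requirement: [EOF] must be the last entry and be followed by a line feed."""
    problems = []
    lines = text.split("\n")
    if "[EOF]" not in lines:
        return ["missing [EOF] marker"]
    if any(t.strip() for t in lines[lines.index("[EOF]") + 1:]):
        problems.append("entries after [EOF]")
    if not text.endswith("\n"):
        problems.append("[EOF] is not followed by a line feed")
    return problems


def parse_config(text: str) -> Config:
    cfg, section = Config(), None
    for line in text.split("\n"):
        line = line.rstrip()
        if not line:
            continue
        if line == "[EOF]":
            break
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            enabled = not name.startswith("#")   # '[#LETHAL]' is the switch, turned off
            name = name.lstrip("#")
            if name == "LETHAL":
                cfg.lethal = enabled
            elif name == "LOGGING":
                cfg.logging = enabled
            elif name == "DEFAULTALLOW":
                cfg.default_allow = enabled
            elif name in SECTIONS:
                section = name
            else:
                raise ValueError(f"unknown switch or section: {line}")
            continue
        if section is None:
            raise ValueError(f"rule outside a section: {line!r}")
        cfg.rules.setdefault(section, []).append(parse_rule(line))
    return cfg


def evaluate(cfg: Config, process: str, target: str, op: str) -> Decision:
    """op is 'read' or 'modify'. Assumed order: priority whitelist > blacklist > whitelist > default."""
    if op not in ("read", "modify"):
        raise ValueError("op must be 'read' or 'modify'")

    def hits(section):
        return [r for r in cfg.rules.get(section, [])
                if _glob(r.process).match(process) and _glob(r.target).match(target)]

    wl, bl = hits(f"WHITELIST{op.upper()}"), hits(f"BLACKLIST{op.upper()}")
    prio = [r for r in wl if r.priority]
    if prio:
        return Decision(True, prio[0], False)
    if bl:
        # First matching blacklist entry decides; '$' keeps it out of the log and off the tray icon.
        # In non-lethal mode the access goes through but is still logged.
        return Decision(not cfg.lethal, bl[0], cfg.logging and not bl[0].silent)
    if wl:
        return Decision(True, wl[0], False)
    return Decision(cfg.default_allow, None, False)


if __name__ == "__main__":
    print("config problems:", check_eof(SAMPLE_INI) or "none")
    cfg = parse_config(SAMPLE_INI)
    for proc, path, op in [
        (r"C:\Program Files\Jotta\jotta.exe", r"T:\backup\a.txt", "modify"),
        (r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe", "T:\\", "modify"),
        (r"C:\Windows\explorer.exe", "T:\\", "read"),
    ]:
        d = evaluate(cfg, proc, path, op)
        print(f"{op:6} {proc} -> {path}: allowed={d.allowed} logged={d.logged} rule={d.rule and d.rule.raw}")
```

Switching the sample's first line to [#LETHAL] is the "go non-lethal for a while first" advice from post 6: the same Chrome write is then allowed but still logged, so the log shows what the rule set would have blocked before enforcement is turned on.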
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Pumpernickel/Fides has Silent Rules feature now in Beta Camp.

    Link: https://excubits.com/content/en/news.html
    Download: beta.excubits.com

     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,062
    Location:
    Mexico