Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,053
    Location:
    Mexico
    Haven't tried silent rules yet. Just want your approval guys.

    Code:
    [BLACKLISTREAD]
    $*explorer.exe>T:*
    $*wininit.exe>T:*
    $*svchost.exe>T:*
    $*SearchIndexer.exe>T:*
    $*360WangPan.exe>T:*
    $*Cloud.exe>T:*
    $*chrome.exe>T:*
    $*HDSentinel.exe>T:*
    Edit:
    I've been testing above rules and they seem to work, yet a line still showing in the log file:

    Code:
    *** excubits.com beta ***: 2016/08/02_10:26 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/08/02_10:26 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/08/02_10:26 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/08/02_10:27 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/08/02_10:27 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/08/02_10:27 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/08/02_10:37 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/08/02_10:37 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/08/02_10:37 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/08/02_10:37 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/08/02_10:37 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    *** excubits.com beta ***: 2016/08/02_10:37 > C:\Windows\System32\SearchIndexer.exe > T:\System Volume Information
    
     
    Last edited: Aug 2, 2016
  2. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Maybe SearchIndexer.exe is also tryin to do write operation. Try to add a Silent Rule for blacklist write operation.
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,053
    Location:
    Mexico
    Thank you very much, it worked.
     
  4. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    You're welcome. I think logs should better show what was logged, write or read operation. It is difficult to distinguish difference here. Besinde that Pumpernickel works mint on my machine. Well, I think about a scenario where I just use Bitlocker and Pumpernickel, so I do not need TrueCrypt anymore. External backup drives could be made writeable only for my backup tool.
     
  5. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    I thought about it yesterday too.
    Maybe an added R or W for indication of Read / Write-attemps.
    MZWriteScanner for example is adding an W: for writing of executables in the log:
    Code:
    *** excubits.com demo ***: 2016/08/02_04:12 > W:C:\Windows\System32\taskhost.exe > ...
    It would be much clearer if Pumpernickel can add such an indication.
     
  6. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    405
    Location:
    router
    here my ruleset that i get from 700 mb logo_O:eek:
    but will not fit in demo version:(:thumbd:


    post edited
     

    Attached Files:

    Last edited: Aug 3, 2016
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @co22 Some of those can be condensed a bit as well as still being secure and strict. For example:
    Code:
    [WHITELISTMODIFY]
    C:\Windows\explorer.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
    C:\Windows\explorer.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
    C:\Windows\explorer.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    C:\Windows\explorer.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db
    Code:
    [WHITELISTMODIFY]
    C:\Windows\explorer.exe>C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_??*.db
    
    Anyway, I am in a hurry at the moment so I just took a brief look at the top of your rules, but I am sure that there are other areas that can be condensed a bit more. I will have a more thorough look later in the day to find some more ways to help condense your rules with wildcards while still remaining strict and secure control over the system. Your rule set is fantastic, by the way.
     
  8. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    405
    Location:
    router
    thank you for looking in to it.also i think must of rule in whitelist need Priority rule
    since i added *>* at the end of blacklist rule
    myself tried to condensed it but it still need many more to fit in demo
    thank you

    edit:some other log that iforgot to add
    C:\Windows\System32\svchost.exe > C:\PROGRA~1
    C:\Windows\System32\svchost.exe > \\?\Volume*
    C:\Windows\System32\svchost.exe > \Device\HarddiskVolumeShadowCopy*\
    C:\Windows\System32\svchost.exe > C:\$Extend\$ObjId
    C:\Windows\System32\svchost.exe > C:\System Volume Information\tracking.log
    C:\Windows\System32\svchost.exe > C:\Windows\debug\WIA\wiatrace.log
    C:\Windows\System32\svchost.exe > C:\Windows\inf\setupapi.ev1
    C:\Windows\System32\svchost.exe > C:\Windows\inf\setupapi.ev2
    C:\Windows\System32\svchost.exe > C:\Windows\inf\setupapi.ev3
    C:\Windows\System32\svchost.exe > C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    C:\Windows\System32\svchost.exe > C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    C:\Windows\System32\svchost.exe > C:\Windows\servicing\Packages
    C:\Windows\System32\svchost.exe > C:\Windows\setupact.log
    C:\Windows\System32\svchost.exe > C:\Windows\setuperr.log
     
    Last edited: Aug 3, 2016
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    The blacklist has more priority than the whitelist.
    If you blacklist all with *>* , your whitelist has no effect without priority rules.
    :eek:
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,053
    Location:
    Mexico
    I spoke too soon. Either one or the other won't work, FIDES keeps logging block events:

    Pumpernickel.ini
    Code:
    [LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    [BLACKLISTMODIFY]
    *>T:*
    $*SearchIndexer.exe>T:*
    [WHITELISTREAD]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    !C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe>T:*
    !C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe>T:*
    [BLACKLISTREAD]
    *>T:*
    $*explorer.exe>T:*
    $*wininit.exe>T:*
    $*svchost.exe>T:*
    $*SearchIndexer.exe>T:*
    $*360WangPan.exe>T:*
    $*Cloud.exe>T:*
    $*chrome.exe>T:*
    $*HDSentinel.exe>T:*
    [EOF]
    
    Code:
    [LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    [BLACKLISTMODIFY]
    *>T:*
    !$*SearchIndexer.exe>T:*
    [WHITELISTREAD]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    !C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe>T:*
    !C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe>T:*
    [BLACKLISTREAD]
    *>T:*
    !$*explorer.exe>T:*
    !$*wininit.exe>T:*
    !$*svchost.exe>T:*
    !$*SearchIndexer.exe>T:*
    !$*360WangPan.exe>T:*
    !$*Cloud.exe>T:*
    !$*chrome.exe>T:*
    !$*HDSentinel.exe>T:*
    [EOF]
    
     
  11. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    I asked Florian about. There is order, you must first set $, then !. So silent rule char $ must be before priority rule char !. Also the more general rules with *>* must be after the specific priority rules (from what I have understood from Tuersteher Manual). I think it should look like:

    Code:
    [LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    [BLACKLISTMODIFY]
    $!*SearchIndexer.exe>T:*
    *>T:*
    [WHITELISTREAD]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    !C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe>T:*
    !C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe>T:*
    *>T:*
    [BLACKLISTREAD]
    $!*explorer.exe>T:*
    $!*wininit.exe>T:*
    $!*svchost.exe>T:*
    $!*SearchIndexer.exe>T:*
    $!*360WangPan.exe>T:*
    $!*Cloud.exe>T:*
    $!*chrome.exe>T:*
    $!*HDSentinel.exe>T:*
    *>T:*
    [EOF]
    
    Dont have the time to fully test it. Will do more tests tomorrow...

    Btw, what is "360WangPan.exe" ? All I can find on google is malware related, makes me curious.... :)
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,053
    Location:
    Mexico
    You don't have to. I'm quite grateful with your kind help... That said I can run tests due it is my problem. Thank you very much.
     
  13. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    If the silent rules are at the end, Pumpernickel never reaches them because of the previous block-rule *>T:*
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,053
    Location:
    Mexico
    Got it. Thanks once again.
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Bouncer is officially (or at least internal build) future proof! Or I suppose I should say Anniversary Update compatible, etc. Bouncer with SHA-256 Microsoft Windows cert along with Silent Rules should be released as stable build within the next week or so as long as internal testing continues to be solid. I am able to successfully run Bouncer with Windows 10 Anniversary Update and keep Secure Boot on. This will likely land on the other drivers soon as well depending on whatever additional costs Microsoft adds, still a little bit murky there.

    Bouncer-Cert.png
     
  16. @WildByDesign

    Thx, good news. Do you have any info when MemProtect and Pumpernickel will come out of Beta.

    I have been running MemProtect since March this year without issues (I am playing with Pumpernickel my desktop occasionaly, because it is on a test image).
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Windows_Security You're welcome. That's a very good question and I actually spoke to Florian recently about that. I've been running MemProtect as well for many months and have experienced zero issues with it and it's proven itself to be very efficient and stable. Without a doubt, I would suggest that MemProtect moves forward as a stable build. Pumpernickel/FIDES has proven it's stability as well, although it's still in development with the addition of features here and there.

    For whatever reason, Florian had suggested to me that MemProtect is complete as far as development goes and said that it is released "as is". In my opinion, I think that MemProtect deserves more attention. And I don't necessarily mean development attention specifically, but more like recognition that a stable/final release would signify. I just think that it has so much potential.
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,053
    Location:
    Mexico
    Oh I missed this one... It's a cloud service where I backup important files for me, you know software related only as I am a PC technician. That's the main exe and this is the website: yunpan.360.cn
     
  19. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    Will MemProtect get support for silent rules?
    I always get the same messages over and over again (sometimes 50 messages in a row), but with silent rules i could reduce it to a minimum.
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I believe so, yes. But I will talk to Florian to confirm. Generally once he's developed something new with regard to kernel level filtering in one driver, it is relatively easy for him to make those same changes across his other kernel drivers since they follow a similar coding structure.
     
  21. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    Pumpernickel: Indicator of Read/Write-Attemps in the logfile
    I emailed them about it and this functionality will be added in a future version.
    Because many users requested it and they (Excubits) find it useful.

    Maybe this is old news :cautious::
    As you already know, the beta-version of Bouncer is limited (even for those who paid for Bouncer)
    But if the user requested an unlimited beta, he may get one.
    Now, "unlimited beta's" are further restricted. They are time-limited, and after a few thousand events it is switching to [#LETHAL] and is not protecting anymore.
    Edit: If the user has a licensed version of Bouncer, the user can get an unrestricted beta.
     
    Last edited: Aug 8, 2016
  22. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    :) I can confirm, they also told me.

    Have you paid for Bouncer? I always got unlimited beta version from Florian. No restriction for people who licensed.

    From what I know this is true for version for people who do not paying for a full version, but want to test more details of drivers and need more space in ini-file. As said above: as far as I know: if you have licensed full version, Florian always provides great customer support. I thinking it is normal to support the people who paid for full license more, and those who just want free editions must live with restrictions, otherwise it would be not fair for the customers who paid.
     
  23. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    I asked them explicitly about beta-versions for users who paid for Bouncer. Then they told me that the beta-version (for paid users) is restricted o_O
    "Yes, we offered unlimited beta's of Bouncer in the last time. But now if we create an unlimited beta (if the user wishes one), it is restricted"
    Maybe they changed their mind and don't provide unlimited beta's (without any restriction) anymore :doubt:
    Edit: If the user has a licensed version of Bouncer, the user can get an unrestricted beta.
     
    Last edited: Aug 8, 2016
  24. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,049
    Location:
    Baden Germany
    Would anyone be so kind to explain to me, what Bouncer, Pumpernickel and MemProtect can do for me?
    Going through ~1400 posts is a bit heavy, for me....
    What advantage would there be over HMP.A, if any?
     
  25. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Bouncer/Türsteher: is an lightwise anti exe supporting sha256 hashing, parent process checking (who want to start which exe), and command line filtering (for example you can limit wscript only executing scriptin files from locations you trusting).

    Pumpernickel: is something like SecureFolders tool, you can protect files and folders from access from applications. For example you can tell Pumpernickel to allow only MS Word to open .doc/.docx files, no other application is able to open (read or write) doc anymore. So you can protect against spyware or trojan trying to access (and manipulate) your files, etc. Should also protect against pesky cryptolockers if you configurate the tool right.

    MemProtect: secures memory access from and to processes. You can limit what web browser is allowed to access, so it is possible to block exploits to spread and inject code into other running processes.

    For all of Excubit's solution: they are extremely small, fast and no Ads or spyware in there. on the other side (call it drawback) they are a bit raw in using. You need to be expert and know what you are doing, because this tools are configurated using simple .ini files. I thinks this can be drawback and closes out some users, who like to do all configuration using GUIs. Not the case with Excubit's Tools, but on the other side they are beautifully small, and fast as hell. And as they note on their web-page free of telemetry stuff (backlink to Excubits or other severs). If you a dataprotection lover, Excubits is the right company I guess ;):cool:

    But as you are use HMP.A 3.5 build 548-beta, Sandboxie 5.12 I think you already have good protection barrier. Another additional tool may be too much (overkill) - my opinion if you ask.
     
    Last edited: Aug 8, 2016
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.