Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. themorpethian

    themorpethian Registered Member

    Joined:
    May 6, 2006
    Posts:
    35
    Received a reply from Conny of Excubits and can confirm FIDES and MemProtect are
    10 EUR each.
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    All drivers have left the beta stage and are released today (as some mentioned over in the MemProtect thread), and all are released with EV certs, SHA-256 signing for the executables as well, Install Mode, Silent Rules, quick Exchange Config File, etc., etc., etc. :thumb:

    Brief news link: https://excubits.com/content/en/news.html

    The goods:

    Bouncer: https://excubits.com/content/en/products_bouncer.html
    MZWriteScanner: https://excubits.com/content/en/products_mzwritescanner.html
    CommandLineScanner: https://excubits.com/content/en/products_commandlinescanner.html
    Pumpernickel (FIDES): https://excubits.com/content/en/products_pumpernickelfides.html
    MemProtect: https://excubits.com/content/en/products_memprotect.html (discuss MemProtect in other thread)
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I purchased FIDES (10 EUR) but the download is pumpernickel_demo.exe?

    Should I expect a proper download link and / or a license key?

    Also, I have an existing (old) beta version running ... how do I properly update to the new version? Do I need to save the existing .ini, stop the existing driver and then right-click install the new driver? Not being a techie, I would appreciate detailed instructions; I don't see a manual ...
     
  4. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    You will receive a download link to the full version. Normally it needs some time; Florian manages orders by hand, no auto-shop system. If you have concerns/questions, just e-mail him, he will answer.

    Just

    Code:
    net stop pumpernickel
    sc delete pumpernickel
    in an admin console. Keep the ini file in C:\Windows\pumpernickel.ini. Install the full version like this: right-click on the .inf file for your system (if you have Windows x86 then use the 32-bit version, if x64 then use the 64-bit version). Now just

    Code:
    net start pumpernickel
    in an admin console. This should work, I guess.

    There's a readme file. But basically it works like I described here. You simply copy the ini file to C:\Windows\, then install the driver with a right-click on the inf file, hit Install, then you can use the scripts provided or open a cmd.exe console and use net start, stop, etc. Or just ask Florian; normally he responds to questions and is very customer friendly, nothing to fear. Or ask in the Wilders Forum :) we are happy to help here, too. ;)
     
    Last edited: Nov 6, 2016
  5. guest

    guest Guest

    Just make sure that you stopped and deleted the service before you install the new driver.
    4 steps: stop service / delete service / install new driver / start service - and you're done
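The four steps above, as an added PowerShell script for an elevated console. This is not from the thread and is not Excubits' own tooling; it adds two things a practitioner would want before the plain stop/delete/install/start sequence: a dated backup of the rule file, and an Authenticode check of the new .sys before a kernel driver is loaded. It assumes (nothing in the thread says so) that the unpacked package has x86\ and x64\ folders holding pumpernickel.inf and pumpernickel.sys, and that the INF's [DefaultInstall] section is what Explorer's right-click "Install" runs; the download location is likewise assumed.

```powershell
#Requires -RunAsAdministrator
# Added example script, not from the thread and not Excubits' own tooling: the update
# procedure the two posts above give (stop service, delete service, keep the .ini,
# install the new INF, start service), with a backup of the rule file and an
# Authenticode check before the new kernel driver is loaded.
# Assumed, not stated in the thread: the unpacked package has x86\ and x64\ folders
# holding <ServiceName>.inf and <ServiceName>.sys, and the INF's [DefaultInstall]
# section is what Explorer's right-click "Install" runs. Adjust paths to your package.
param(
    [string]$ServiceName = 'pumpernickel',
    [string]$Ini         = 'C:\Windows\pumpernickel.ini',
    [string]$PackageDir  = "$env:USERPROFILE\Downloads\pumpernickel"   # assumed location
)
# sc.exe returns non-zero codes we inspect ourselves; keep PowerShell 7.4+ from
# turning those into errors (the variable is ignored by Windows PowerShell 5.1).
$PSNativeCommandUseErrorActionPreference = $false

# 1. Keep a dated copy of the rule file; the driver keeps reading it from C:\Windows.
if (Test-Path $Ini) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -Path $Ini -Destination "$Ini.$stamp.bak" -ErrorAction Stop
}

# 2. Pick the build matching the OS (post above: x86 -> 32-bit, x64 -> 64-bit driver).
$arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
$inf  = Join-Path $PackageDir "$arch\$ServiceName.inf"
$sys  = Join-Path $PackageDir "$arch\$ServiceName.sys"
foreach ($f in $inf, $sys) { if (-not (Test-Path $f)) { throw "Missing package file: $f" } }

# 3. Refuse to load a driver whose signature does not verify on this machine.
$sig = Get-AuthenticodeSignature -FilePath $sys
if ($sig.Status -ne 'Valid') { throw "Not installing ${sys}: signature status is $($sig.Status)" }
Write-Host "Driver signer: $($sig.SignerCertificate.Subject)"

# 4. Stop and remove the old service. sc.exe is used because Get-Service/Stop-Service
#    do not list kernel-driver services; a failure here just means it was not running.
& sc.exe stop   $ServiceName | Out-Null
& sc.exe delete $ServiceName | Out-Null
& sc.exe query  $ServiceName | Out-Null
if ($LASTEXITCODE -eq 0) {
    # Still registered: the SCM keeps it marked for deletion until the driver unloads.
    throw "Old '$ServiceName' service is still registered; reboot, then run this again"
}

# 5. Install the new driver: the same action as right-click "Install" on the INF.
Start-Process -FilePath 'rundll32.exe' -Wait -ArgumentList "setupapi.dll,InstallHinfSection DefaultInstall 132 $inf"

# 6. Start the driver and show its state.
& sc.exe start $ServiceName | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc start $ServiceName failed with code $LASTEXITCODE" }
& sc.exe query $ServiceName
```

Run it from an elevated PowerShell. If step 4 reports the old service as still registered, the driver could not be unloaded and the SCM is holding the name; reboot and run the script again rather than installing over it. Keep the package in a path without spaces, since the INF path is handed to rundll32 unquoted.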
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    Regarding FIDES, has anyone noticed that Admin Tool.exe does not work?
     
  7. guest

    guest Guest

    I noticed it too after I updated all the tools yesterday.
    "Admin Tool.exe" can be started, but right after that it quits.
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    I had to make use of PumpernickelSignalCheck.exe from the previous beta. It worked, but now it loads the new icons found in this release.
     
  9. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    If we have the below code in Bouncer
    Code:
    [WHITELIST]
    
    C:\Windows\System32\wbem\WMIADAP.exe
    
    [PARENTWHITELIST]
    C:\Windows\System32\wbem\WMIADAP.exe>C:\Windows\System32\loadperf.dll

    then the driver just generates this log
    Code:
    LSTCHECK > C:\Windows\System32\wbem\WMIADAP.exe > C:\Windows\System32\loadperf.dll
    It should log only
    Code:
    C:\Windows\System32\loadperf.dll
    for adding to the whitelist, as
    Code:
    C:\Windows\System32\wbem\WMIADAP.exe > C:\Windows\System32\loadperf.dll
    is already in PARENTWHITELIST
     
  10. guest

    guest Guest

    Isn't "Tray.exe" the same as "PumpernickelSignalCheck.exe", but as an enhanced version?
    You can open/exchange the config-file, start/stop/restart Pumpernickel and switch to Install Mode with Tray.exe. You have more options available.
     
  11. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    Yes, it is an enhanced version. The problem is I didn't realize that was an application. Thank you @mood
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I just wanted to clarify briefly regarding Admin Tool.exe, as I can understand why it would cause confusion. Admin Tool.exe used to be the basic GUI that Bouncer had previously. Now Admin Tool.exe has no UI functionality and therefore cannot be started on its own. The purpose of Admin Tool.exe now (for Bouncer and for all the other tools) is simply that of a background helper application. So what happens is BouncerTray.exe (or Tray.exe for the other tools) essentially passes some command lines back and forth to Admin Tool.exe in the background, which it uses to process some of the commands. So I suppose Admin Tool.exe would be seen as a child process of BouncerTray.exe (or Tray.exe). I'm not familiar with all of the command lines which the tray tool passes to it, but any of us could certainly run some logging quite easily to see every detail of the interactions between BouncerTray (or Tray.exe) and Admin Tool.exe.

    If Bouncer, MemProtect, etc. continue to grow, maybe Florian can consider hiring someone to design a GUI tool which could work for all of his drivers. Similar to how the Tray tool is now consistent across all drivers, I believe that a simple GUI tool could be possible and used with all drivers. I would definitely love to see that some day, for sure. Although I am very happy now with all of the functionality that the tray tool provides.
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    Yes it is. I noticed when NVT ERP notified me:
    Code:
    "C:\Program Files\FIDES\Admin Tool.exe" stop-driver
    "C:\Program Files\FIDES\Admin Tool.exe" start-driver
    "C:\Program Files\FIDES\Admin Tool.exe" restart-driver
    "C:\Program Files\FIDES\Admin Tool.exe" edit-inifile
    "C:\Program Files\FIDES\Admin Tool.exe" clear-log
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    Under FIDES protection, why can File Explorer still show the blue line showing used/free space on a drive?

    fides.png

    then I freed around 100 MB,

    fides2.png


    I recall that when using SecureFolders this didn't happen.

    Pumpernickel.ini
    Code:
    [LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    [BLACKLISTMODIFY]
    $!*SearchIndexer.exe>T:*
    *>T:*
    [WHITELISTREAD]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    !C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe>T:*
    !C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe>T:*
    *>T:*
    [BLACKLISTREAD]
    $!*explorer.exe>T:*
    $!*wininit.exe>T:*
    $!*svchost.exe>T:*
    $!*SearchIndexer.exe>T:*
    $!*360WangPan.exe>T:*
    $!*Cloud.exe>T:*
    $!*chrome.exe>T:*
    $!*HDSentinel.exe>T:*
    *>T:*
    [EOF]
    
     
  15. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Exactly. "Admin Tool.exe" is called by Tray.exe. You must start Tray.exe and use that. As far as I understand, "Admin Tool.exe" is responsible for the admin-request dialog.

    Why not? What is the security impact here? I don't understand what the problem is. Pumpernickel controls read/write/modify/rename of files and folders. Drive information is something different, I'm guessing, so it shows up. Again, what security impact would this have for the user? (I think none.) So the attacker knows you have 4.46 GB, then 4.56 ;) not much an attacker can do with this, honestly.

    OK, but Pumpernickel IS NOT SecureFolders, no one here said it is a SecureFolders clone. Pumpernickel is some other tool.
     
  16. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    If [PARENTCHECK] is enabled, the driver always logs the parent process trying to call the child. It has been discussed here some time ago: start with a simple configuration, do not enable [PARENTCHECK], [CMDCHECK], [SHA256] at the beginning; start with a simple [WHITELIST] and [BLACKLIST]. Practice with different drives and paths, try for example whitelisting an application from an external drive, etc. If you fully understand what is going on, move to [PARENTCHECK] and do the same. Don't mix up everything in the beginning, it makes it all too complicated. Also be careful with priority rules and generic rules like * or *>*; if such a rule is at the beginning of a section it beats all others, so beware. General rules * or *>* should be the last rule in a section.
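To make the two points above concrete (the [PARENTWHITELIST] question earlier in the thread, where the logged "LSTCHECK > parent > child" event is already covered by a rule, and the warning here that a generic * or *>* rule placed early in a section beats everything after it), here is an added PowerShell model of a Bouncer-style ini section. It is not Excubits code and not from any post; the driver's real matching is not documented in the thread, so the model assumes first-match-wins within a section, '*' as the only wildcard, case-insensitive paths, a leading '!' marking a priority rule evaluated first and a leading '$' marking a silent rule. The ini text and log line are constructed from the snippets quoted above; the function names are the example's own.

```powershell
# Added example, not Excubits code and not from any post: a small model of how a
# Bouncer-style ini section relates to a logged "parent > child" event, covering the
# [PARENTWHITELIST] question above and the advice about generic rules in this post.
# Assumed, not taken from the thread: within a section the first matching rule wins,
# '*' is the only wildcard, matching is case-insensitive, a leading '!' marks a
# priority rule evaluated before the others, and a leading '$' marks a silent rule.

# Constructed config mirroring the snippet quoted in the thread.
$SampleIni = @'
[WHITELIST]

C:\Windows\System32\wbem\WMIADAP.exe

[PARENTWHITELIST]
C:\Windows\System32\wbem\WMIADAP.exe>C:\Windows\System32\loadperf.dll
[EOF]
'@

# Constructed log line in the form quoted in the thread.
$SampleLog = 'LSTCHECK > C:\Windows\System32\wbem\WMIADAP.exe > C:\Windows\System32\loadperf.dll'

function ConvertFrom-RuleIni {
    # Section name -> list of its non-empty rule lines, in file order.
    param([string]$Text)
    $sections = [ordered]@{}
    $current = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1].ToUpperInvariant()
            if ($current -ne 'EOF' -and -not $sections.Contains($current)) {
                $sections[$current] = [System.Collections.Generic.List[string]]::new()
            }
            continue
        }
        if ($current -and $current -ne 'EOF') { $sections[$current].Add($line) }
    }
    return $sections
}

function Split-RuleFlags {
    # Strips the assumed '!' (priority) and '$' (silent) markers off a rule.
    param([string]$Rule)
    $priority = $false; $silent = $false
    while ($Rule -match '^([!$])') {
        if ($Matches[1] -eq '!') { $priority = $true } else { $silent = $true }
        $Rule = $Rule.Substring(1)
    }
    [pscustomobject]@{ Priority = $priority; Silent = $silent; Body = $Rule }
}

function Test-PathPattern {
    # '*' matches any run of characters; everything else is literal (case-insensitive).
    param([string]$Pattern, [string]$Value)
    $parts = @($Pattern -split '\*' | ForEach-Object { [regex]::Escape($_) })
    return $Value -match ('^' + ($parts -join '.*') + '$')
}

function Get-OrderedRules {
    # Priority rules first, then the rest, each group in file order.
    param([string[]]$Rules)
    $prio = @($Rules | Where-Object { (Split-RuleFlags $_).Priority })
    $rest = @($Rules | Where-Object { -not (Split-RuleFlags $_).Priority })
    return $prio + $rest
}

function ConvertFrom-LogLine {
    # 'LSTCHECK > parent > child' or 'parent > child' -> the two paths.
    param([string]$Line)
    $parts = @($Line -split ' > ' | ForEach-Object { $_.Trim() })
    if ($parts.Count -eq 3) { $parts = $parts[1..2] }   # drop a leading tag such as LSTCHECK
    if ($parts.Count -ne 2) { throw "Not a parent > child log line: $Line" }
    [pscustomobject]@{ Parent = $parts[0]; Child = $parts[1] }
}

function Find-CoveringRule {
    # First 'parent>child' rule that matches the logged event, or $null if none does.
    param([string[]]$Rules, [string]$Parent, [string]$Child)
    foreach ($rule in @(Get-OrderedRules $Rules)) {
        $body = (Split-RuleFlags $rule).Body
        if ($body -notmatch '>') { continue }
        $parentPat, $childPat = $body -split '>', 2
        if ((Test-PathPattern $parentPat $Parent) -and (Test-PathPattern $childPat $Child)) { return $rule }
    }
    return $null
}

function Get-MisplacedCatchAll {
    # Catch-all rules ('*' or '*>*') not in last place after priority ordering: under
    # first-match-wins they shadow every rule behind them, which is the warning above.
    param([string[]]$Rules)
    $seq = @(Get-OrderedRules $Rules)
    if ($seq.Count -lt 2) { return @() }
    return @($seq[0..($seq.Count - 2)] | Where-Object { (Split-RuleFlags $_).Body -in '*', '*>*' })
}

# The thread's case: the logged event is already covered, so no new [WHITELIST] entry is needed.
$ini    = ConvertFrom-RuleIni $SampleIni
$logged = ConvertFrom-LogLine $SampleLog
$hit    = Find-CoveringRule -Rules $ini['PARENTWHITELIST'] -Parent $logged.Parent -Child $logged.Child
if ($hit) { "Covered by [PARENTWHITELIST] rule: $hit" } else { "No rule covers: $SampleLog" }

# Ordering pitfall: a '*>*' ahead of a specific rule makes the specific rule unreachable.
Get-MisplacedCatchAll -Rules @('*>*', 'C:\Windows\System32\wbem\WMIADAP.exe>C:\Windows\System32\loadperf.dll')
```

Point Get-MisplacedCatchAll at each section of your own ini (ConvertFrom-RuleIni on the file's content gives you the sections by name) before enabling [PARENTCHECK]; a '!' on a catch-all moves it to the front of the section in this model, so a priority catch-all is flagged even when it is the last line in the file.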
     
  17. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Thanks 4Shizzle. If I already talked about this, sorry about that. Thanks for the help.
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    From a security perspective, there are no worries here. From a privacy perspective, very minimal issue if any. Any attackers would still not be able to see any files or folders on that drive. At the moment, FIDES does a solid job with regard to blocking read/write to protected files/folders. There is one step further, as I understand it, where SecureFolders had the ability to add some sort of "hidden" attribute as well. Blocking read/write as a priority is certainly the most important aspect. Hiding things would really be secondary, but I can understand some users' needs for this as well. I recall speaking with Florian about this hidden attribute and it is something that may be possible with future versions, and it is something that he has added to his To-Do list but with lesser priority. Now that he has reached some bigger milestones with the refactoring of all drivers and releasing them as stable, it could be possible to achieve some of these lesser-priority goals.

    Depending upon how many users would like to see this hidden file/folder attribute feature in FIDES, we could give Florian the momentum to move this feature priority up a bit.
     
  19. guest

    guest Guest

    Protecting the size of the volume is not under the control of FIDES.
    The job of FIDES is to protect the reading and modifying of files and folders, but programs are still able to retrieve information about the amount of space available on the protected volume (with functions like "GetDiskFreeSpaceEx" or similar functions).
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    Wow! You tried to make me look like I'm stupid or what? :argh: Your answer is pretty obvious, no?
    Of course I know FIDES is different, I just mentioned SecureFolders for the sake of comparison, that's it. I liked it and "felt" more secure when nothing could access the drive, not even drive information, like in SecureFolders.

    The security impact here is what I'm asking about, if it exists. That's the problem I want to understand, if it exists LOL
    I am no expert at all, and apparently you aren't either when you say "drive info is something different I am guessing". Well, I don't want to guess; perhaps someone could give accurate and certain info.
    Until we know certain answers we don't know for sure what impact a user could have.

    Above all, I'm certainly not the brightest mind in here, so I'd ask any time I am in doubt... :cool:
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    Now this is insightful and helpful from Mr. @WildByDesign
    This leaves me more convinced, it leaves me out of a limbo of doubts.
    Thanks @WildByDesign
     
  22. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    Now this is a more technical and accurate answer, which I appreciate a lot. I need to learn a lot as usual LOL
    According to @WildByDesign, this type of function should not negatively affect security whatsoever, but privacy. I don't care for the latter so much; still, it would be a good thing if Florian could address that hidden attribute @WildByDesign has been talking about.
    Thanks a lot @mood
     
  23. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    I'm sorry, it was not my intention. OK then, I'll compare and test it against SecureFolders.

    On the software level this seems difficult, because when a drive is plugged in, it is always visible somewhere due to the driver which manages communication from and to the drive. I don't think that you can make it totally invisible to others just using documented functions like the Excubits tools do. I'm guessing this is only possible using dirty API hooking, like: set an application on the blacklist and then it is hooked with some sandbox that filters the drive out, so for the application it is not there. Technically it's always there once the USBStorage.sys driver has started and detected a drive; from there on you cannot make it invisible.
     
    Last edited: Nov 7, 2016
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    Thanks a lot. Now this is the very helpful and technical answer that I was looking for.

    No problem at all, really. Thanks in advance for testing and comparing SecureFolders.
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks @4Shizzle
    There was a hiccup with my download link being caught by spam filters.
    But up to date now. Thanks for your help.
     