Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,710
    Thanks. I have never tried out Bouncer at least not yet, but want to look into it. Been on the hunt for testing security apps again. It has been a long while since doing so for me.
     
  2. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    AppGuard LLC, Virginia, U.S.
    The only objects on the list that some people will find on their system are:
    • bash.exe
    • lxssmanager.dll
    The others, like bginfo.exe, will not be found unless you have installed them. bginfo.exe, for example, is a SysInternals utility.

    Unless one is using Microsoft's Device Guard (Enterprise hardware-software feature), then I would not worry about creating policies.

    Here is some info on Device Guard:

    https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide
     
  3. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    140
    Location:
    Europe
    Thanks for sharing info here.

    The only?! I'm guessing that most people will also find cscript.exe, wscript.exe, csi.exe and some others.

    Building your own blacklist with this information and the blacklist from Excubits is an easy task. In Bouncer it is just a matter of max. 2-3 minutes. I gave a hint to Florian to update his blacklist soon with this information from @WildByDesign's post.
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,559
    Location:
    The etherlands
    I think @Lockdown meant the only new ones, not already on Florian's list.
     
  5. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    AppGuard LLC, Virginia, U.S.
    Precisely.

    There are various "vulnerable process" lists from Florian, Casey Smith, US CERT, Japan CERT, Microsoft, the NSA, and other agencies that have been floating around on the forums. Most people that are inclined to pay any attention to the vulnerable process lists already know full well that interpreters such as cscript, wscript, etc. are on most of the lists.
     
    Last edited: Jun 16, 2017
  6. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    I may have missed something, but is there any reason to use PARENTCHECK if I already use MemProtect?

    If my apps already have a whitelist of where/what they can inject memory I believe it would be redundant to use Bouncer with this setting, right?
     
  7. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    Please, somebody help me, because I cannot make my rules work:

    Code:
    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [#SHA256]
    [PARENTCHECK]
    [#CMDCHECK]
    [WHITELIST]
    #    [Windows and Softwares - Base Rules]
    C:\Windows\*
    C:\Program Files (x86)\*
    C:\Program Files\*
    C:\ProgramData\Microsoft\*
    D:\Programas\*
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe
    C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    C:\ProgramData\MEGAsync\MEGAsync.exe
    [BLACKLIST]
    [PARENTWHITELIST]
    #    [Windows and Softwares - Base Rules]
    C:\Windows\*>*
    C:\Program Files (x86)\*>*
    C:\Program Files\*>*
    C:\ProgramData\Microsoft\*>*
    D:\Programas\*>*
    #    [AppData - Base Rules]
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Users\*\AppData\Local\Temp\*
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Users\*\AppData\Local\Temp\*\bin\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe>C:\Users\*\AppData\Local\Microsoft\OneDrive\*
    C:\ProgramData\MEGAsync\MEGAsync.exe>C:\ProgramData\MEGAsync\*
    C:\ProgramData\MEGAsync\MEGAsync.exe>C:\Windows\SysWOW64\*
    [PARENTBLACKLIST]
    [CMDWHITELIST]
    [CMDBLACKLIST]
    [EOF]
    

    When I test MEGAsync:

    Code:
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\libeay32.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\cares.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\libcurl.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\ssleay32.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\libsodium.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\Qt5Widgets.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\Qt5Gui.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\Qt5Core.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\Qt5Network.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\vcruntime140.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\msvcp140.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\vcruntime140.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\vcruntime140.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\msvcp140.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\platforms\qwindows.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qdds.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qgif.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qicns.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qico.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qjpeg.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qsvg.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\Qt5Svg.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qtga.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qtiff.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qwbmp.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qwebp.dll
    

    I have experience with MemProtect and Fides, but Bouncer is really annoying me.

    Is there any way to disable notifications? I much prefer the simplicity of the icon only changing color, as it does with MemProtect and Fides.

    Thanks!
     
  8. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    305
    Location:
    router
    You have to allow all DLLs in the MEGAsync folder, either like below or one by one:
    C:\ProgramData\MEGAsync\*

    You only allowed C:\ProgramData\MEGAsync\MEGAsync.exe in [WHITELIST].
    To disable notifications, create a shortcut to BouncerTray.exe, then open the properties of the shortcut and add the below to the target:
    Code:
    "C:\Program Files\Excubits\Bouncer_Demo\Tools\BouncerTray.exe" nopopups
    I prefer all drivers to be manageable by one tray tool.
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    I will look into your rules and stuff in a couple of hours. But for now, there is a better flag that I use for starting the BouncerTray tool. So whether you have a startup via a shortcut, scheduled task or registry, you can make this same modification either way.

    Code:
    BouncerTray.exe nopopups
    So for example if you had a shortcut or registry startup entry, simply add the nopopups part at the end. That will essentially stop any operating system toasts or balloon tips from occurring.
     
  10. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    Thanks, man! This worked perfectly!

    How can I do this?

    Thanks, everything is working now!
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    @ExtremeGamerBR You're welcome. I'm glad to hear that all is good now.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    Updated Blacklist:

     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,559
    Location:
    The etherlands
    I didn't find any new entries added via MS Device Guard Team list on my primary machine, maybe because I don't have Device Guard on my version of Win10?

    But thanks to Florian maintaining a consolidated list.
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    Quite likely the base, yes. I believe that you have to enable (therefore install) Device Guard via "Turn Windows features on and off" and therefore the binaries likely would not be on your machine unless installed.
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,559
    Location:
    The etherlands
    OK. Not available yet in Win 10 Pro x64 v1703 15063.413.
     
  16. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    Well, kind of answering my own question, if I copy my rules from MemProtect with [#DEFAULTALLOW] to Bouncer they do exactly the same thing.

    If I had known that, I would have bought just Bouncer. Now I will have to buy Bouncer and it appears to make no sense at all to keep MemProtect on my system. Maybe someone is seeing something that I'm not?
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,528
    Location:
    U.S.A. (South)
    Looks like another new topic for discussion on this will surface at some point.

    I happen to have that setting and have done some poking around (looks formidable enough), but I don't want to get too far ahead of things.

    There are still a few of these cool Excubits drivers to deal with also. Bouncer was the first one I tested and found to my liking when it was released as a beta.
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    The rules filtering engine between Bouncer and MemProtect is very similar (specifically just for parent process control). So the rules structure is the same. But Bouncer deals specifically with process execution, whereas MemProtect deals specifically with blocking process memory to process memory communications. So different levels. Bouncer blocks initial execution and parent process to child process execution control as well. Try to think of MemProtect as if the "sh!t has already hit the fan". Let's assume either no rules were in place to block execution (inadequate rules) or as if you had no application whitelisting / anti-exec software in place or if something like a browser became exploited.

    MemProtect can take an already pwned process, exploited or otherwise, and contain its memory. So they are quite different. Yet, any of the Excubits drivers in their own right could provide significant protection to a system on their own as long as good rules are set. Personally, I think that Bouncer and MemProtect complement each other very well. It's something like having app whitelisting / anti-exec combined with anti-exploit. MemProtect is more toward the anti-exploit spectrum but blocks memory access entirely.
     
  19. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    You are the man! This explains perfectly what I was not understanding.

    Thanks!
     
  20. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    Hi guys, I need a little help again.

    Code:
    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [#SHA256]
    [PARENTCHECK]
    [CMDCHECK]
    [WHITELIST]
    #    [Windows and Softwares - Base Rules]
    !C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe
    !C:\Users\*\AppData\Local\Temp\*\bin\*.dll
    !C:\Users\*\AppData\Local\Temp\*\lib\*.so
    !C:\Users\*\AppData\Local\Temp\*\src\*.so
    C:\Windows\*
    C:\Program Files (x86)\*
    C:\Program Files\*
    C:\ProgramData\Microsoft\*
    C:\ProgramData\MEGAsync\*
    D:\Programas\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\*
    [BLACKLIST]
    D:\Programas\Chromium\*\profile
    #
    # Last Updated: 2017/06/19
    #
    *\AppData\Local\Temp\*.bat
    *\AppData\Local\Temp\*.cmd
    *\AppData\Local\Temp\*.com
    *\AppData\Local\Temp\*.exe
    *\AppData\Local\Temp\*.scr
    *\AppData\Local\Temp\*.sys
    *\AppData\Roaming\*.bat
    *\AppData\Roaming\*.cmd
    *\AppData\Roaming\*.com
    *\AppData\Roaming\*.exe
    *\AppData\Roaming\*.scr
    *\AppData\Roaming\*.sys
    *\at.exe
    *\Temp\*.zip*\*.exe
    *\Temp\*7z*\*.exe
    *\Temp\*rar*\*.exe
    *\Temp\*sfx\*.exe
    *\Temp\*wz*\*.exe
    *aspnet_compiler.exe
    *attrib.exe
    *auditpol.exe
    *bash.exe
    *bcdboot.exe
    *bcdedit.exe
    *bitsadmin*
    *bootcfg.exe
    *bootim.exe
    *bootsect.exe
    *ByteCodeGenerator.exe
    *cacls.exe
    *cdb.exe
    *csi.exe
    *debug.exe
    *DFsvc.exe
    *diskpart.exe
    *dnx.exe
    *eventvwr.exe
    *fsi.exe
    *hh.exe
    *IEExec.exe
    *iexplore.exe
    *iexpress.exe
    *ilasm.exe
    *InstallUtil*
    *InstallUtil.exe
    *journal.exe
    *jsc.exe
    *kd.exe
    *lxssmanager.dll
    *mmc.exe
    *mrsa.exe
    *MSBuild.exe
    *mshta.exe
    *mstsc.exe
    *netstat.exe
    *ntsd.exe
    *odbcconf.exe
    *powershell.exe
    *powershell_ise.exe
    *PresentationHost.exe
    *quser.exe
    *rcsi.exe
    *RegAsm*
    *regini.exe
    *Regsvcs*
    *regsvr32.exe
    *RunLegacyCPLElevated.exe
    *runonce.exe
    *scrcons.exe
    *script.exe
    *sdbinst.exe
    *set.exe
    *setx.exe
    *Stash*
    *syskey.exe
    *systemreset.exe
    *takeown.exe
    *UserAccountControlSettings.exe
    *utilman.exe
    *vbc.exe
    *vssadmin.exe
    *windbg.exe
    *wmic.exe
    *xcacls.exe
    ?:\$Recycle.Bin\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\FilesStash\*
    C:\Users\Public\*
    C:\Windows\ADFS\*
    C:\Windows\debug\WIA\*
    C:\Windows\Fonts\*
    C:\Windows\PLA\Reports\*
    C:\Windows\PLA\Reports\de-DE\*
    C:\Windows\PLA\Rules\*
    C:\Windows\PLA\Rules\de-DE\*
    C:\Windows\PLA\Templates\*
    C:\Windows\Registration\CRMLog\*
    C:\Windows\servicing\Packages\*
    C:\Windows\servicing\Sessions\*
    C:\Windows\System32\Com\dmp\*
    C:\Windows\System32\FxsTmp\*
    C:\Windows\System32\LogFiles\WMI\*
    C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\*
    C:\Windows\System32\spool\drivers\color\*
    C:\Windows\System32\spool\PRINTERS\*
    C:\Windows\System32\spool\SERVERS\*
    C:\Windows\System32\Tasks\*
    C:\Windows\System32\Tasks_Migrated\*
    C:\Windows\SysWOW64\Com\dmp\*
    C:\Windows\SysWOW64\FxsTmp\*
    C:\Windows\SysWOW64\Tasks\*
    C:\Windows\Tasks\*
    C:\Windows\Temp\*
    C:\Windows\tracing\*
    [PARENTWHITELIST]
    #    [Softwares and Windows - Base Rules]
    !C:\Program Files\Cryptomator\Cryptomator.exe>C:\Windows\System32\reg.exe
    !C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Windows\SysWOW64\reg.exe
    !C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Windows\SysWOW64\taskkill.exe
    !C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Windows\SysWOW64\netsh.exe
    !D:\Programas\CUETools 2.1.5\CUETools.exe>C:\Windows\Microsoft.NET\Framework64\*\csc.exe
    !D:\Programas\foobar2000\foobar2000.exe>C:\Windows\SysWOW64\cscript.exe
    C:\Program Files\pia_manager\pia_manager.exe>C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Program Files\pia_manager\pia_manager.exe
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Program Files\pia_manager\pia_tray_bin\nw-win\pia_nw.exe
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Program Files\pia_manager\openvpn.exe
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Users\*\AppData\Local\Temp\*\bin\*
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Users\*\AppData\Local\Temp\*\lib\*
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Users\*\AppData\Local\Temp\*\src\*
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Windows\SysWOW64\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\*>C:\Users\*\AppData\Local\Microsoft\OneDrive\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\*>C:\Windows\SysWOW64\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe>C:\Windows\WinSxS\*\comctl32.dll
    C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe>C:\Windows\WinSxS\*\GdiPlus.dll
    C:\ProgramData\MEGAsync\MEGAsync.exe>C:\ProgramData\MEGAsync\*
    C:\ProgramData\MEGAsync\MEGAsync.exe>C:\Windows\SysWOW64\*
    C:\Windows\*>*
    C:\Program Files (x86)\*>*
    C:\Program Files\*>*
    C:\ProgramData\Microsoft\*>*
    D:\Programas\*>*
    [PARENTBLACKLIST]
    #    [Block Execution of Windows and Softwares - Base Rules]
    *>*reg.exe
    *>*taskkill.exe
    *>*netsh.exe
    *>*csc.exe

    And my log:

    Code:
    2017/06/26_13:24:55 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    2017/06/26_13:24:55 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    2017/06/26_13:24:55 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    2017/06/26_13:24:55 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    2017/06/26_13:24:56 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    2017/06/26_13:32:53 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    2017/06/26_13:32:53 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    In my WHITELIST, I have:

    D:\Programas\*

    In my PARENTWHITELIST, I have:

    !D:\Programas\foobar2000\foobar2000.exe>C:\Windows\SysWOW64\cscript.exe
    D:\Programas\*>*

    I think the first rule is redundant, since I don't have cscript.exe in my PARENTBLACKLIST or BLACKLIST, but anyway I still get that entry in my log.

    How is this possible?

    Thanks!
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    @ExtremeGamerBR Does your main WHITELIST have a rule to allow execution within: C:\Windows\SysWOW64\*

    If you don't want to allow the entire SysWOW64 directory you could try:
    Code:
    [WHITELIST]
    C:\Windows\SysWOW64\cscript.exe
    Just to see what happens. Ensure that you restart the Bouncer driver after any config changes as well. Otherwise the rules look great, I don't see any specific issue.
     
  22. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    Thanks!

    But even when I added:

    C:\Windows\SysWOW64\cscript.exe

    in my WHITELIST, Bouncer is still blocking cscript.exe oO

    As I always exchange my config file (instead of editing the one in C:\Windows) it automatically restarts the driver.

    Maybe cscript.exe has another name that is inside my blacklist?

    EDIT: Well, I just solved the issue.

    This is the one that was causing the problem:

    BLACKLIST:
    *script.exe

    So I removed *script.exe from my BLACKLIST and then I added it to my PARENTBLACKLIST as:
    *>*script.exe

    Then added these lines to my PARENTWHITELIST:
    !D:\Programas\foobar2000\foobar2000.exe>C:\Windows\SysWOW64\script.exe
    !D:\Programas\foobar2000\foobar2000.exe>C:\Windows\SysWOW64\cscript.exe

    The funny thing is that if I allow only script.exe, Bouncer is still blocking cscript.exe, and if I allow only cscript.exe, Bouncer still blocks cscript.exe.

    In other words, I have to let foobar2000.exe execute both script.exe and cscript.exe, even if only script.exe is in my blacklist.

    Maybe a bug?
     
    Last edited: Jun 27, 2017
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    @ExtremeGamerBR I have to read into this a bit more later. But you can try adding a \

    Code:
    *\script.exe
    Or
    Code:
    *>*\script.exe
    The * variable was accounting for cscript.exe and anything else that ends with script.exe

    So you can be as precise as you wish. Or for example:

    Code:
    *\?script.exe
    Or
    Code:
    *>*\?script.exe
    This would account for one character variable at the beginning, as opposed to * allowing any number of characters. I know this is not specifically what you were intending here, but I wanted to explain a bit about variables * or ? because there are lots of options.
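As an added illustration of the `*` and `?` matching explained in this post, and of the blacklist precedence problem from the two earlier posts (a WHITELIST entry for cscript.exe was still blocked by `*script.exe` in BLACKLIST), here is a small Python model of the rule syntax. It is my own example, not Excubits' code: the assumption that a BLACKLIST hit overrides a WHITELIST entry is taken from what was observed in the thread, `!`-prefixed rules are not modelled because the thread does not explain them, and the paths are the ones quoted above.

```python
import re

def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Bouncer-style pattern into a compiled regex.

    Model used here (assumption based on the thread): '*' matches any run of
    characters, including backslashes, so '*script.exe' matches a whole path;
    '?' matches exactly one character; everything else is literal and the
    comparison is case-insensitive, as Windows paths are.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def matches(pattern: str, path: str) -> bool:
    """True if the rule pattern covers the given full path."""
    return wildcard_to_regex(pattern).match(path) is not None

def parent_rule_matches(rule: str, parent: str, child: str) -> bool:
    """A PARENTWHITELIST/PARENTBLACKLIST rule has the form parent>child."""
    parent_pat, child_pat = rule.split(">", 1)
    return matches(parent_pat, parent) and matches(child_pat, child)

def decide(whitelist: list, blacklist: list, path: str) -> str:
    """Simplified execution decision (assumption): any BLACKLIST hit blocks,
    even when a WHITELIST entry also covers the path; otherwise the path
    must be whitelisted to run."""
    if any(matches(p, path) for p in blacklist):
        return "BLOCK (blacklist)"
    if any(matches(p, path) for p in whitelist):
        return "ALLOW"
    return "BLOCK (not whitelisted)"

def report() -> dict:
    """Re-run the situations from the thread and return the outcomes."""
    cscript = r"C:\Windows\SysWOW64\cscript.exe"
    foobar = r"D:\Programas\foobar2000\foobar2000.exe"
    whitelist = [r"C:\Windows\*", cscript]          # cscript.exe explicitly allowed
    return {
        # Original problem: '*script.exe' also covers cscript.exe and wscript.exe
        "blacklist_wins": decide(whitelist, [r"*script.exe"], cscript),
        # Adding the backslash limits the rule to a file literally named script.exe
        "backslash_fix": decide(whitelist, [r"*\script.exe"], cscript),
        # '?' keeps the rule to exactly one leading character (cscript, wscript)
        "question_mark_hits_cscript": matches(r"*\?script.exe", cscript),
        "question_mark_skips_script": matches(r"*\?script.exe", r"C:\Windows\SysWOW64\script.exe"),
        # Parent rule from the thread, written with the narrower child pattern
        "parent_rule": parent_rule_matches(r"*>*\?script.exe", foobar, cscript),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The value of the model is the first two entries of `report()`: the same explicitly whitelisted cscript.exe is blocked under `*script.exe` and allowed under `*\script.exe`, which is exactly the difference the backslash makes. When a rule list is long, running each new blacklist pattern through `matches()` against the paths you expect to keep working is a cheap way to catch an over-broad wildcard before the driver does.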
     
  24. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    83
    I think it's a little bit difficult for users to create command line rules in Bouncer.

    Could someone show me more about it?

    Thanks
     
  25. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    Just tried downloading Bouncer demo from Excubits website, Chrome is flagging it as dangerous. I looked through my old downloads folder and found a copy of the demo I had downloaded probably a month ago. Hitman Pro is flagging it as infected with Trojan-Dropper.Win32.Dinwod.acsc. VT shows 14 detections as infected. Anyone else see this?

    Edit: I sent a message to Excubits asking them to check this as well.
     
    Last edited: Jun 28, 2017