Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,348
    I may have missed something, but is there any reason to use PARENTCHECK if I already use MemProtect?

    If my apps already have a whitelist of where/what they can inject memory I believe it would be redundant to use Bouncer with this setting, right?
     
  2. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,348
    Please, somebody help me, because I can not make my rules work:

    Code:
    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [#SHA256]
    [PARENTCHECK]
    [#CMDCHECK]
    [WHITELIST]
    #    [Windows and Softwares - Base Rules]
    C:\Windows\*
    C:\Program Files (x86)\*
    C:\Program Files\*
    C:\ProgramData\Microsoft\*
    D:\Programas\*
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe
    C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    C:\ProgramData\MEGAsync\MEGAsync.exe
    [BLACKLIST]
    [PARENTWHITELIST]
    #    [Windows and Softwares - Base Rules]
    C:\Windows\*>*
    C:\Program Files (x86)\*>*
    C:\Program Files\*>*
    C:\ProgramData\Microsoft\*>*
    D:\Programas\*>*
    #    [AppData - Base Rules]
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Users\*\AppData\Local\Temp\*
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Users\*\AppData\Local\Temp\*\bin\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe>C:\Users\*\AppData\Local\Microsoft\OneDrive\*
    C:\ProgramData\MEGAsync\MEGAsync.exe>C:\ProgramData\MEGAsync\*
    C:\ProgramData\MEGAsync\MEGAsync.exe>C:\Windows\SysWOW64\*
    [PARENTBLACKLIST]
    [CMDWHITELIST]
    [CMDBLACKLIST]
    [EOF]
    

    When I test MEGAsync:

    Code:
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\libeay32.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\cares.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\libcurl.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\ssleay32.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\libsodium.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\Qt5Widgets.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\Qt5Gui.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\Qt5Core.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\Qt5Network.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\vcruntime140.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\msvcp140.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\vcruntime140.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\vcruntime140.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\msvcp140.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\platforms\qwindows.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qdds.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qgif.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qicns.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qico.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qjpeg.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qsvg.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\Qt5Svg.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qtga.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qtiff.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qwbmp.dll
    *** excubits.com demo ***: 2017/06/20_16:32 > LSTCHECK > C:\ProgramData\MEGAsync\MEGAsync.exe > C:\ProgramData\MEGAsync\imageformats\qwebp.dll
    

    I have experience with MemProtect and Fides, but Bouncer is really annoying me.

    Is there any way to disable notifications? I much prefer the simplicity of the icon only change color, as it does with MemProtect and Fides.

    Thanks!
     
  3. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    379
    Location:
    router
    you have allow all dll in MEGAsync folder like bellow or one by one
    C:\ProgramData\MEGAsync\*

    you only allowed C:\ProgramData\MEGAsync\MEGAsync.exe in [WHITELIST]
    for disable notifications create shortcut from BouncerTray.exe then get properties of file and add bellow to target
    Code:
    "C:\Program Files\Excubits\Bouncer_Demo\Tools\BouncerTray.exe" nopopups
    i prefer all driver manageable by one Tray tool
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I will look into your rules and stuff in a couple of hours. But for now, there is a better flag that I use for starting BouncerTray tool. So whether you have a startup via a shortcut or schedule task or registry, you can make this same modification either way.

    Code:
    BouncerTray.exe nopopups
    So for example if you had a shortcut or registry startup entry, simply add the nopopups part at the end. That will essentially stop any operating system toasts or balloon tips from occurring.
     
  5. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,348
    Thanks, man! This worked perfectly!

    How can I do this?

    Thanks, everything is working now!
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @ExtremeGamerBR You're welcome. i'm glad to hear that all is good now.
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Updated Blacklist:

     
  8. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,977
    Location:
    Under a bushel ...
    I didn't find any new entries added via MS Device Guard Team list on my primary machine, maybe because I don't have Device Guard on my version of Win10?

    But thanks to Florian maintaining a consolidated list.
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Quite likely the base, yes. I believe that you have to enable (therefore install) Device Guard via "Turn Windows features on and off" and therefore the binaries likely would not be on your machine unless installed.
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,977
    Location:
    Under a bushel ...
    OK. Not available yet in Win 10 Pro x64 v1703 15063.413.
     
  11. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,348
    Well, kind of answering my own question, if I copy my rules from MemProtect with [#DEFAULTALLOW] to Bouncer they do exactly the same thing.

    If I knew that, I would have bought just Bouncer. Now I will have to buy Bouncer and appears to make no sense at all to keep MemProtect in my system. Maybe someone is seeing something that I'm not?
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,528
    Location:
    U.S.A. (South)
    Looks like another new topic for discussion on this will surface at some point.

    I happen to have that setting and done some poking around (looks formidable enough) but I don't want to get too ahead of things.

    There are still a few of these cool Excubits drivers to deal with also. Bouncer was the first one I tested and found to liking when it was released beta.
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    The rules filtering engine between Bouncer and MemProtect is very similar (specifically just for parent process control). So the rules structure is the same. But Bouncer deals specifically with process execution, whereas MemProtect deals specifically with blocking process memory to process memory communications. So different levels. Bouncer blocks initial execution and parent process to child process execution control as well. Try to think of MemProtect as if the "sh!t has already hit the fan". Let's assume either no rules were in place to block execution (inadequate rules) or as if you had no application whitelisting / anti-exec software in place or if something like a browser became exploited.

    MemProtect can take an already pawned process, exploited or otherwise, and contain it's memory. So they are quite different. Yet, any of the Excubits drivers on their own right could provide significant protection to a system on their own as long as good rules are set. Personally, I think that Bouncer and MemProtect compliment eachother very well. It's something like having app whitelisting /anti-exec combined with anti-exploit. MemProtect is more toward the anti-exploit spectrum but blocks memory access entirely.
     
  14. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,348
    You are the man! This explains perfectly what I was not understanding.

    Thanks!
     
  15. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,348
    Hi guys, I need a little help again.

    Code:
    [#INSTALLMODE]
    [#LETHAL]
    [LOGGING]
    [#SHA256]
    [PARENTCHECK]
    [CMDCHECK]
    [WHITELIST]
    #    [Windows and Softwares - Base Rules]
    !C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe
    !C:\Users\*\AppData\Local\Temp\*\bin\*.dll
    !C:\Users\*\AppData\Local\Temp\*\lib\*.so
    !C:\Users\*\AppData\Local\Temp\*\src\*.so
    C:\Windows\*
    C:\Program Files (x86)\*
    C:\Program Files\*
    C:\ProgramData\Microsoft\*
    C:\ProgramData\MEGAsync\*
    D:\Programas\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\*
    [BLACKLIST]
    D:\Programas\Chromium\*\profile
    #
    # Last Updated: 2017/06/19
    #
    *\AppData\Local\Temp\*.bat
    *\AppData\Local\Temp\*.cmd
    *\AppData\Local\Temp\*.com
    *\AppData\Local\Temp\*.exe
    *\AppData\Local\Temp\*.scr
    *\AppData\Local\Temp\*.sys
    *\AppData\Roaming\*.bat
    *\AppData\Roaming\*.cmd
    *\AppData\Roaming\*.com
    *\AppData\Roaming\*.exe
    *\AppData\Roaming\*.scr
    *\AppData\Roaming\*.sys
    *\at.exe
    *\Temp\*.zip*\*.exe
    *\Temp\*7z*\*.exe
    *\Temp\*rar*\*.exe
    *\Temp\*sfx\*.exe
    *\Temp\*wz*\*.exe
    *aspnet_compiler.exe
    *attrib.exe
    *auditpol.exe
    *bash.exe
    *bcdboot.exe
    *bcdedit.exe
    *bitsadmin*
    *bootcfg.exe
    *bootim.exe
    *bootsect.exe
    *ByteCodeGenerator.exe
    *cacls.exe
    *cdb.exe
    *csi.exe
    *debug.exe
    *DFsvc.exe
    *diskpart.exe
    *dnx.exe
    *eventvwr.exe
    *fsi.exe
    *hh.exe
    *IEExec.exe
    *iexplore.exe
    *iexpress.exe
    *ilasm.exe
    *InstallUtil*
    *InstallUtil.exe
    *journal.exe
    *jsc.exe
    *kd.exe
    *lxssmanager.dll
    *mmc.exe
    *mrsa.exe
    *MSBuild.exe
    *mshta.exe
    *mstsc.exe
    *netstat.exe
    *ntsd.exe
    *odbcconf.exe
    *powershell.exe
    *powershell_ise.exe
    *PresentationHost.exe
    *quser.exe
    *rcsi.exe
    *RegAsm*
    *regini.exe
    *Regsvcs*
    *regsvr32.exe
    *RunLegacyCPLElevated.exe
    *runonce.exe
    *scrcons.exe
    *script.exe
    *sdbinst.exe
    *set.exe
    *setx.exe
    *Stash*
    *syskey.exe
    *systemreset.exe
    *takeown.exe
    *UserAccountControlSettings.exe
    *utilman.exe
    *vbc.exe
    *vssadmin.exe
    *windbg.exe
    *wmic.exe
    *xcacls.exe
    ?:\$Recycle.Bin\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\FilesStash\*
    C:\Users\Public\*
    C:\Windows\ADFS\*
    C:\Windows\debug\WIA\*
    C:\Windows\Fonts\*
    C:\Windows\PLA\Reports\*
    C:\Windows\PLA\Reports\de-DE\*
    C:\Windows\PLA\Rules\*
    C:\Windows\PLA\Rules\de-DE\*
    C:\Windows\PLA\Templates\*
    C:\Windows\Registration\CRMLog\*
    C:\Windows\servicing\Packages\*
    C:\Windows\servicing\Sessions\*
    C:\Windows\System32\Com\dmp\*
    C:\Windows\System32\FxsTmp\*
    C:\Windows\System32\LogFiles\WMI\*
    C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\*
    C:\Windows\System32\spool\drivers\color\*
    C:\Windows\System32\spool\PRINTERS\*
    C:\Windows\System32\spool\SERVERS\*
    C:\Windows\System32\Tasks\*
    C:\Windows\System32\Tasks_Migrated\*
    C:\Windows\SysWOW64\Com\dmp\*
    C:\Windows\SysWOW64\FxsTmp\*
    C:\Windows\SysWOW64\Tasks\*
    C:\Windows\Tasks\*
    C:\Windows\Temp\*
    C:\Windows\tracing\*
    [PARENTWHITELIST]
    #    [Softwares and Windows - Base Rules]
    !C:\Program Files\Cryptomator\Cryptomator.exe>C:\Windows\System32\reg.exe
    !C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Windows\SysWOW64\reg.exe
    !C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Windows\SysWOW64\taskkill.exe
    !C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Windows\SysWOW64\netsh.exe
    !D:\Programas\CUETools 2.1.5\CUETools.exe>C:\Windows\Microsoft.NET\Framework64\*\csc.exe
    !D:\Programas\foobar2000\foobar2000.exe>C:\Windows\SysWOW64\cscript.exe
    C:\Program Files\pia_manager\pia_manager.exe>C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Program Files\pia_manager\pia_manager.exe
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Program Files\pia_manager\pia_tray_bin\nw-win\pia_nw.exe
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Program Files\pia_manager\openvpn.exe
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Users\*\AppData\Local\Temp\*\bin\*
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Users\*\AppData\Local\Temp\*\lib\*
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Users\*\AppData\Local\Temp\*\src\*
    C:\Users\*\AppData\Local\Temp\*\bin\rubyw.exe>C:\Windows\SysWOW64\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\*>C:\Users\*\AppData\Local\Microsoft\OneDrive\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\*>C:\Windows\SysWOW64\*
    C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe>C:\Windows\WinSxS\*\comctl32.dll
    C:\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe>C:\Windows\WinSxS\*\GdiPlus.dll
    C:\ProgramData\MEGAsync\MEGAsync.exe>C:\ProgramData\MEGAsync\*
    C:\ProgramData\MEGAsync\MEGAsync.exe>C:\Windows\SysWOW64\*
    C:\Windows\*>*
    C:\Program Files (x86)\*>*
    C:\Program Files\*>*
    C:\ProgramData\Microsoft\*>*
    D:\Programas\*>*
    [PARENTBLACKLIST]
    #    [Block Execution of Windows and Softwares - Base Rules]
    *>*reg.exe
    *>*taskkill.exe
    *>*netsh.exe
    *>*csc.exe

    And my log:

    Code:
    2017/06/26_13:24:55 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    2017/06/26_13:24:55 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    2017/06/26_13:24:55 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    2017/06/26_13:24:55 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    2017/06/26_13:24:56 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    2017/06/26_13:32:53 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    2017/06/26_13:32:53 > LSTCHECK > D:\Programas\foobar2000\foobar2000.exe > C:\Windows\SysWOW64\cscript.exe
    In my WHITELIST, I have:

    D:\Programas\*

    In my PARENTWHITELIST, I have:

    !D:\Programas\foobar2000\foobar2000.exe>C:\Windows\SysWOW64\cscript.exe
    D:\Programas\*>*

    I think the first rule is redundant, since I don't have cscript.exe in my PARENTBLACKLIST or BLACKLIST, but anyway I still get that entry in my log.

    How this is possible?

    Thanks!
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @ExtremeGamerBR Does your main WHITELIST have a rule to allow execution within: C:\Windows\SysWOW64\*

    If you don't want to allow the entire SysWOW64 directory you could try:
    Code:
    [WHITELIST]
    C:\Windows\SysWOW64\cscript.exe
    Just to see what happens. Ensure that you restart the Bouncer driver after any config changes as well. Otherwise the rules look great, I don't see any specific issue.
     
  17. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,348
    Thanks!

    But even when I added:

    C:\Windows\SysWOW64\cscript.exe

    in my WHITELIST Bouncer still blocking cscript.exe oO

    As I always exchange my config file (instead of editing the one in C:\Windows) it automatically restarts the driver.

    Maybe cscript.exe has other name that is inside my blacklist?

    EDIT: Well, I just solved the issue.

    This is the one that was causing the problem:

    BLACKLIST:
    *script.exe

    So I removed *script.exe from my BLACKLIST and then I added it to my PARENTBLACKLIST as:
    *>*script.exe

    Then added these lines to my PARENTWHITELIST:
    !D:\Programas\foobar2000\foobar2000.exe>C:\Windows\SysWOW64\script.exe
    !D:\Programas\foobar2000\foobar2000.exe>C:\Windows\SysWOW64\cscript.exe

    The funny thing is that if I allow only script.exe, Bouncer still blocking cscript.exe and if I allow only cscript.exe, Bouncer still block cscript.exe.

    In another words, I have to let Foobar2000.exe execute both script.exe and cscript.exe, even if only script.exe is in my blacklist.

    Maybe a bug?
     
    Last edited: Jun 27, 2017
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @ExtremeGamerBR I have to read into this a bit more later. But you can try adding a \

    Code:
    *\script.exe
    Or
    Code:
    *>*\script.exe
    The * variable was accounting for cscript.exe and anything else that ends with script.exe

    So you can be as precise as you wish. Or for example:

    Code:
    *\?script.exe
    Or
    Code:
    *>*\?script.exe
    This would account for one character variable at the beginning, as opposed to * allowing any number of characters. I know this is not specifically what you were intending here, but I wanted to explain a bit about variables * or ? because there are lots of options.
     
  19. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    I think It's a little bit difficult to create commandline rules in Bouncer for users.

    Could someone show me more about it?

    Thanks
     
  20. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    Just tried downloading Bouncer demo from Excubits website, Chrome is flagging it as dangerous. I looked through my old downloads folder and found a copy of the demo I had downloaded probably a month ago. Hitman Pro is flagging it as infected with Trojan-Dropper.Win32.Dinwod.acsc. VT shows 14 detections as infected. Anyone else see this?

    Edit: I sent a message to Excubits asking them to check this as well.
     
    Last edited: Jun 28, 2017
  21. Zorak

    Zorak Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    181
    Location:
    Australian Capital Territory
    Yeah, when I downloaded it last week Chrome blocked it and there were 10 detections on VT. I assumed they were false positives and installed it anyway. No problems - so far ;)
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    The digital certificate (EV cert) seems to be OK based on dates and such. But I do recall Florian telling me the other day in an email that he needs to update his EV certificate and update all binaries. So I assume it has something to do with the EV cert. He wrote me yesterday telling me that he's been especially busy in the past few weeks but is hoping to update the EV cert and release updated binaries as soon as possible.

    EDIT: I just tested downloading the paid versions and they were not flagged. But it seems that the EV cert dates are newer on the paid versions. So it looks as though he does need to update the EV cert and release new binaries for the demo versions.
     
  23. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    29,336
    I have tried to download all available tools, but only Bouncer (bouncer_demo.exe) has been flagged by Chrome :cautious:
    All tools are signed with the same certificate (valid until 19 July 2017)
     
  24. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    Received a reply from Florian. He confirmed the Bouncer demo detection is a false positive. He's tried to contact the AV vendors to correct this but has had no response.
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    Humm.. I tried downloading the Bouncer Demo, and Firefox also blocked the download saying it contains a Virus. I took a screenshot of warning prompt.
     

    Attached Files:

Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.