Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Zorak

    Zorak Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    170
    Location:
    Australian Capital Territory
    Yeah, when I downloaded it last week Chrome blocked it and there were 10 detections on VT. I assumed they were false positives and installed it anyway. No problems - so far ;)
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    The digital certificate (EV cert) seems to be OK based on dates and such. But I do recall Florian telling me the other day in an email that he needs to update his EV certificate and update all binaries. So I assume it has something to do with the EV cert. He wrote me yesterday telling me that he's been especially busy in the past few weeks but is hoping to update the EV cert and release updated binaries as soon as possible.

    EDIT: I just tested downloading the paid versions and they were not flagged. But it seems that the EV cert dates are newer on the paid versions. So it looks as though he does need to update the EV cert and release new binaries for the demo versions.
     
  3. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,102
    I have tried to download all available tools, but only Bouncer (bouncer_demo.exe) has been flagged by Chrome :cautious:
    All tools are signed with the same certificate (valid until 19 July 2017)
     
  4. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    229
    Received a reply from Florian. He confirmed the Bouncer demo detection is a false positive. He's tried to contact the AV vendors to correct this but has had no response.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,238
    Location:
    USA
    Hmm.. I tried downloading the Bouncer Demo, and Firefox also blocked the download saying it contains a virus. I took a screenshot of the warning prompt.
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,238
    Location:
    USA
    I should be good then since I have the paid version. Disregard my previous post. I was just seeing if I got the same warning as Kid Shamrock did for testing purposes.
     
  7. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    140
    Location:
    Europe
    Same with my Chrome. Seems to be a false positive; the executable signature is valid, no changes in the binary. Also checked the content of the RARed file: it seems to be the same content as a demo version I downloaded some months ago.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    It appears as though Florian has now compiled an updated build of the Bouncer Demo which was being falsely flagged by AV. According to the product page "Binaries last updated on 2017/07/01".

    Download: https://excubits.com/content/en/products_bouncer.html

    I can confirm that it is no longer blocked by Google's safe browsing mechanisms. :thumb:

    EDIT: Paid Bouncer build updated as well.

    EDIT2: It appears that Florian has had to rewrite the installer binary and the uninstaller binary that is included within the overall install package. I assume that is what was causing the AV false flags. So whatever the issue, it has been resolved.
     
    Last edited: Jul 3, 2017
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,102
    There are far fewer detections with the new release. These files were changed (in comparison with the last release):
    Code:
    Install.exe
    License.html
    Manual.pdf
    Uninstall.exe
    Btw.: The manual is brand new - Version 2.5.0 (June 2017)
    :thumb:
     
  10. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
  11. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,091
    Haven't really used Excubits products (currently use SpyShelter Firewall and NVT ERP), but am going to take a look. I understand what the various drivers do, but can't see the point of CommandLineScanner, given that Bouncer seems to do the same and more. Can someone list the differences between Bouncer and CommandLineScanner?

    Given that the drivers don't have an Allow/Deny alert dialog that pops up, is the best way to configure them to run in logging mode for a week or so, and then analyse the logs for rule creation?

    @WildByDesign - as you seem to be one of the original adopters and advocates of Excubits products, can I ask why you don't use Pumpernickel (FIDES)? I'm considering using Bouncer, MemProtect and FIDES.
     
    Last edited: Jul 8, 2017
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,102
    CommandLineScanner is for people who only need the scanning of command-lines.
    Bouncer can achieve the same, but it has more features ("Bouncer seems to do the same and more.").
    So, if the user needs "more features", Bouncer can be installed. If only scanning of command-lines is needed, CommandLineScanner can be used (which also costs less).

    CommandLineScanner wasn't always a part of Bouncer. It has been integrated into Bouncer in Jan/Feb 2016.
     
  13. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,102
    64-bit versions of the Tray and Admin Tool are available in the Beta Camp:
     
  14. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    This is great. Working well, like the other beta drivers.
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    Blocking Windows 10 Fall Creators Update App Installations with Bouncer
    *referring to the junk such as Candy Crush, Facebook, Twitter, etc.

    With RS3, all of the previous tools such as Winaero Tweaker and OOShutUp10 no longer work to block the auto-installation of junk apps that come into your user account after installing Windows 10 Fall Creators Update. I've tried everything to block it, including registry tweaks and group policy changes. Nothing works. But thankfully, Bouncer has saved the day! :thumb:

    Code:
    [BLACKLIST]
    #   Content Delivery Manager
    C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\*
    [PARENTBLACKLIST]
    #   Content Delivery Manager
    $C:\Windows\System32\backgroundTaskHost.exe>C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\ContentDeliveryManager.Background.dll
    C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\*>*
    *>C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\*
    [CMDBLACKLIST]
    #   Content Delivery Manager
    *C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\*>*
    *>*C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\*
     
  16. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    140
    Location:
    Europe
    64-bit versions of Bouncer TrayApp and AdminApp are released fully signed and can be used along with the full version and demo. Also an additional option in the tray menu, B->Bouncer->Stop-Click-Start, which can be used to stop & start Bouncer faster.
     
  17. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    140
    Location:
    Europe
    Is this junk automatically started on Win10? So, the only way to block it is to put it on the blacklist?
     
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,102
    Regarding all Excubits tools and the Fall Creators Update, no issues are to be expected.
    But it is recommended to disable the drivers temporarily before the system is updated:

    Windows 10 Update
    Excubits Tools and the Windows 10 Fall Creators Update
     
  19. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,102
    64-bit Tray Apps for Bouncer, Türsteher, MZWriteScanner and CommandLineScanner
    https://excubits.com/content/en/news.html
     
  20. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    140
    Location:
    Europe
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    One recent technique which I have been doing differently with Bouncer compared to before is implementing Florian's Blacklist as [PARENTBLACKLIST] instead of [BLACKLIST]. This has allowed me to have a tidier overall configuration combined with much easier control for overriding blockages for specific programs. Previously, I had to comment out certain entries from the blacklist entirely.

    Code:
    [PARENTWHITELIST]
    #   Some example parentblacklist overrides below:
    #
    #   Override Blacklist - Hyper-V Switch
    !*\Hyper-V Switch\*>C:\Windows\System32\bcdedit.exe
    #   Override Blacklist
    !C:\Program Files\Microsoft VS Code*\Code*.exe>C:\Windows\SysWOW64\reg.exe
    !C:\Program Files\Microsoft VS Code*\Code*.exe>C:\Windows\System32\reg.exe
    !C:\Program Files (x86)\Stardock\Fences\Fences.exe>C:\Windows\System32\icacls.exe
    [PARENTBLACKLIST]
    # Excubits Blacklist - Source: https://excubits.com/content/files/blacklist.txt
    # Converted for use with [PARENTBLACKLIST] instead of [BLACKLIST] for granular override control
    # Last Updated: 2017/06/19
    #
    *>*\AppData\Local\Temp\*.bat
    *>*\AppData\Local\Temp\*.cmd
    *>*\AppData\Local\Temp\*.com
    *>*\AppData\Local\Temp\*.exe
    *>*\AppData\Local\Temp\*.scr
    *>*\AppData\Local\Temp\*.sys
    *>*\AppData\Roaming\*.bat
    *>*\AppData\Roaming\*.cmd
    *>*\AppData\Roaming\*.com
    *>*\AppData\Roaming\*.exe
    *>*\AppData\Roaming\*.scr
    *>*\AppData\Roaming\*.sys
    *>*\at.exe
    *>*\Temp\*.zip*\*.exe
    *>*\Temp\*7z*\*.exe
    *>*\Temp\*rar*\*.exe
    *>*\Temp\*sfx\*.exe
    *>*\Temp\*wz*\*.exe
    *>*aspnet_compiler.exe
    *>*attrib.exe
    *>*auditpol.exe
    *>*bash.exe
    *>*bcdboot.exe
    *>*bcdedit.exe
    *>*bitsadmin*
    *>*bootcfg.exe
    *>*bootim.exe
    *>*bootsect.exe
    *>*ByteCodeGenerator.exe
    *>*cacls.exe
    *>*cdb.exe
    *>*csc.exe
    *>*csi.exe
    *>*debug.exe
    *>*DFsvc.exe
    *>*diskpart.exe
    *>*dnx.exe
    *>*eventvwr.exe
    *>*fsi.exe
    *>*hh.exe
    *>*IEExec.exe
    *>*iexplore.exe
    *>*iexpress.exe
    *>*ilasm.exe
    *>*InstallUtil*
    *>*InstallUtil.exe
    *>*journal.exe
    *>*jsc.exe
    *>*kd.exe
    *>*lxssmanager.dll
    *>*mmc.exe
    *>*mrsa.exe
    *>*MSBuild.exe
    *>*mshta.exe
    *>*mstsc.exe
    *>*netsh.exe
    *>*netstat.exe
    *>*ntsd.exe
    *>*odbcconf.exe
    *>*powershell.exe
    *>*powershell_ise.exe
    *>*PresentationHost.exe
    *>*quser.exe
    *>*rcsi.exe
    *>*reg.exe
    *>*RegAsm*
    *>*regini.exe
    *>*Regsvcs*
    *>*regsvr32.exe
    *>*RunLegacyCPLElevated.exe
    *>*runonce.exe
    *>*scrcons.exe
    *>*script.exe
    *>*sdbinst.exe
    *>*set.exe
    *>*setx.exe
    *>*Stash*
    *>*syskey.exe
    *>*systemreset.exe
    *>*takeown.exe
    *>*taskkill.exe
    *>*UserAccountControlSettings.exe
    *>*utilman.exe
    *>*vbc.exe
    *>*vssadmin.exe
    *>*windbg.exe
    *>*wmic.exe
    *>*xcacls.exe
    *>?:\$Recycle.Bin\*
    *>C:\ProgramData\Microsoft\Windows Defender\Scans\FilesStash\*
    *>C:\Users\Public\*
    *>C:\Windows\ADFS\*
    *>C:\Windows\debug\WIA\*
    *>C:\Windows\Fonts\*
    *>C:\Windows\PLA\Reports\*
    *>C:\Windows\PLA\Reports\de-DE\*
    *>C:\Windows\PLA\Rules\*
    *>C:\Windows\PLA\Rules\de-DE\*
    *>C:\Windows\PLA\Templates\*
    *>C:\Windows\Registration\CRMLog\*
    *>C:\Windows\servicing\Packages\*
    *>C:\Windows\servicing\Sessions\*
    *>C:\Windows\System32\Com\dmp\*
    *>C:\Windows\System32\FxsTmp\*
    *>C:\Windows\System32\LogFiles\WMI\*
    *>C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\*
    *>C:\Windows\System32\spool\drivers\color\*
    *>C:\Windows\System32\spool\PRINTERS\*
    *>C:\Windows\System32\spool\SERVERS\*
    *>C:\Windows\System32\Tasks\*
    *>C:\Windows\System32\Tasks_Migrated\*
    *>C:\Windows\SysWOW64\Com\dmp\*
    *>C:\Windows\SysWOW64\FxsTmp\*
    *>C:\Windows\SysWOW64\Tasks\*
    *>C:\Windows\Tasks\*
    *>C:\Windows\Temp\*
    *>C:\Windows\tracing\*
    #    Additional Blacklisted Binaries
    *>*sdclt.exe
    *>*scrobj.dll
    *>*scrrun.dll

    Therefore, I no longer have Florian's Blacklist in my actual [BLACKLIST] section, and so my main [WHITELIST] section is quite minimal. I've kept my "Base System Rules" for the whitelist and parentwhitelist sections out of this example, though, just to keep the example smaller.
     
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,575
    Location:
    The etherlands
    Interesting, this may make Bouncer more usable by a noob (like me). ;)

    It would still be interesting to see your now 'minimal' [WHITELIST] ...
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    Much easier now, in general, to make any exceptions while still keeping security tight.

    This is just based on my recent testing, therefore not entirely set in stone yet.

    Code:
    [WHITELIST]
    #   Base System Rules
    C:\Program Files (x86)\*
    C:\Program Files\*
    C:\Windows\*
    #    Trusted Process - The Toolbox
    D:\Tools\*
    #    DISM
    !??*\Temp\????????-????-????-????-????????????\DismHost.exe
    !??*\Temp\????????-????-????-????-????????????\*.dll
    #   Google Chrome - updates
    !C:\Windows\Temp\CR_?????.tmp\setup.exe

    Code:
    [PARENTWHITELIST]
    #    Override Blacklist - Hyper-V Switch
    !*\Hyper-V Switch\*>C:\Windows\System32\bcdedit.exe
    #    Override Blacklist
    !C:\Program Files\Microsoft VS Code*\Code*.exe>C:\Windows\SysWOW64\reg.exe
    !C:\Program Files\Microsoft VS Code*\Code*.exe>C:\Windows\System32\reg.exe
    !C:\Program Files (x86)\Stardock\Fences\Fences.exe>C:\Windows\System32\icacls.exe
    #   VS Code
    C:\Program Files*\Microsoft VS Code*\*>C:\Users\*\AppData\Local\Temp\vscode-update-???\*
    C:\Users\*\AppData\Local\Temp\vscode-update-???\*>*
    C:\Users\*\AppData\Local\Temp\vscode-update-???\*>C:\Users\*\AppData\Local\Temp\??-?????.tmp\CodeSetup*.tmp
    C:\Users\*\AppData\Local\Temp\??-?????.tmp\CodeSetup*.tmp>C:\Windows\*
    C:\Users\*\AppData\Local\Temp\??-?????.tmp\CodeSetup*.tmp>C:\Program Files*\*
    #   Base System Rules
    C:\Program Files (x86)\*>C:\Program Files (x86)\*
    C:\Program Files\*>C:\Program Files\*
    C:\Program Files\*>C:\Program Files (x86)\*
    C:\Program Files (x86)\*>C:\Program Files\*
    C:\Windows\*>C:\Windows\*
    C:\Windows\*>C:\Program Files (x86)\*
    C:\Windows\*>C:\Program Files\*
    C:\Program Files (x86)\*>C:\Windows\*
    C:\Program Files\*>C:\Windows\*
    #    Trusted Process - The Toolbox
    D:\Tools\*>*
    C:\Windows\explorer.exe>D:\Tools\*
    C:\Windows\System32\*>D:\Tools\*
    #    DISM
    !??*\Temp\????????-????-????-????-????????????\DismHost.exe>??*\Temp\????????-????-????-????-????????????\*.dll
    !??*\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\*.dll
    !C:\Windows\System32\*>??*\Temp\????????-????-????-????-????????????\DismHost.exe
    #   Google Chrome
    !C:\Program Files (x86)\Google\*>C:\Windows\Temp\CR_?????.tmp\setup.exe
    !C:\Windows\Temp\CR_?????.tmp\setup.exe>C:\Windows\Temp\CR_?????.tmp\setup.exe

    Keep in mind that my blacklist has a rule to block C:\Windows\Temp\*, but the changes to my parent process control also allow me to easily create more granular parentwhitelist allow/exception rules and parentblacklist specific/targeted blockages.

    Basically, I had a super large, elaborate Bouncer.ini for quite some time and had no need to make any changes based on my usage. But recently, I decided to start my Bouncer.ini from scratch, keeping things more simple (hopefully) and then at some point when it's more complete I can share the ruleset with others once I do more testing. So I am still in the beginning stages and have more parentwhitelist rules to add.
     
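    To make the parent>child rule mechanics shown in posts 15, 21 and 23 concrete, here is an added Python example (not Bouncer's own code and not posted by anyone in the thread) that parses a Bouncer.ini-style excerpt and evaluates process launches against its [PARENTWHITELIST] and [PARENTBLACKLIST] sections. The precedence order ("!" whitelist override first, then blacklist, then plain whitelist, then default deny) and the wildcard semantics are assumptions modelled on how the posts use these sections, not Bouncer's documented engine; use it to sanity-check which overrides shadow which blacklist entries before deploying a ruleset.

```python
import re
# Constructed excerpt in the Bouncer.ini layout used in the posts above
# (a handful of rules only, not the thread's full ruleset).
SAMPLE_INI = r"""
[PARENTWHITELIST]
#   Override Blacklist - priority rule, marked with a leading "!"
!C:\Program Files\Microsoft VS Code*\Code*.exe>C:\Windows\System32\reg.exe
#   Base System Rules
C:\Windows\*>C:\Windows\*
[PARENTBLACKLIST]
*>*reg.exe
*>*powershell.exe
*>C:\Windows\Temp\*
"""

def glob_to_regex(pattern):
    """Bouncer-style wildcards: '*' is any run, '?' one char; Windows paths compare case-insensitively."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def parse_rules(text):
    """Return {SECTION: [(is_priority, parent_re, child_re, raw_line), ...]}."""
    rules, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                          # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()      # section header such as [PARENTBLACKLIST]
            rules.setdefault(section, [])
            continue
        if section is None:
            continue                          # rule outside any section: ignore
        prio = line.startswith("!")           # "!" marks a priority (override) rule
        parent, _, child = line.lstrip("!").partition(">")
        rules[section].append((prio, glob_to_regex(parent), glob_to_regex(child), line))
    return rules

def evaluate_launch(rules, parent, child):
    """Decide allow/block for one parent>child launch. The order below is an ASSUMPTION
    modelled on how the posts use '!' overrides, not Bouncer's documented engine:
    '!' parentwhitelist wins, then parentblacklist blocks, then plain parentwhitelist
    allows, otherwise default deny."""
    def first_hit(section, want_prio):
        for prio, p_re, c_re, raw in rules.get(section, []):
            if want_prio in (None, prio) and p_re.match(parent) and c_re.match(child):
                return raw
        return None
    hit = first_hit("PARENTWHITELIST", True)
    if hit: return ("allow", hit)
    hit = first_hit("PARENTBLACKLIST", None)
    if hit: return ("block", hit)
    hit = first_hit("PARENTWHITELIST", False)
    if hit: return ("allow", hit)
    return ("block", "default deny: no parentwhitelist match")
```

    Feed it your own Bouncer.ini text instead of SAMPLE_INI and a list of (parent, child) pairs taken from Bouncer's log to see which rule each launch would hit.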
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,575
    Location:
    The etherlands
    @WildByDesign This is surely not entirely unrelated to what @Windows_Security (Kees) had in mind (discussed on MT), though I think he was thinking of a common ruleset using several of Florian's drivers, not just Bouncer?
     
  25. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    @paulderdash Indeed, Kees was thinking about a common ruleset that would work across many users' systems with three or four of the Excubits drivers combined.