Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Updated blacklist:

     
  2. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Exclusions in Bouncer are about to get a lot easier. Overall configurations will also get slightly easier and more compact as well. These new developments are already available in the latest Beta build.

    Link: https://excubits.com/content/en/products_beta.html

    The main difference here is that the [PARENTWHITELIST] and [PARENTBLACKLIST] sections will be entirely removed. Parent and Child rules can both be used and combined in any way that you like and both will be placed in the regular [WHITELIST] and [BLACKLIST] sections. The Bouncer rules engine will know what to do with all of the rules and in my testing everything has worked too perfectly.


    From the Excubits blog just prior to the new year.
    Link: https://excubits.com/content/en/news_006.html

    What really got me interested here was the fact that I could use entirely ALL parent rules. You could use all child rules, all parent rules, or any combination in between. But I really wanted to use ALL parent rules to have good granular control and make it easy to override blockages.

    There was one thing that caught my eye during testing though. With an ALL parent rules config, everything worked wonderfully with the exception of "NULL > smss.exe" blockages and all NULL > any kernel drivers (.sys) blockages.

    So I was able to use an ALL parent rules config, with the exception of smss.exe and kernel drivers (.sys). Florian explained this to me and it was simply because smss.exe and all kernel drivers are all initiated from within the kernel. Therefore, that explained the NULL entry as the parent process. So that is something to keep in mind. I will show an example config.

    Code:
    [#INSTALLMODE]
    [LETHAL]
    [LOGGING]
    [#SHA256]
    [PARENTCHECK]
    [CMDCHECK]
    [WHITELIST]
    #   Drivers (.sys) and smss.exe are started in kernel-mode; therefore no parent process
    C:\Windows\System32\smss.exe
    C:\Windows\System32\*.sys
    !C:\Users\*\AppData\Local\Temp\ALSysIO64.sys
    *\Process Hacker\*kprocesshacker.sys
    #    Trusted Process - The Toolbox
    !D:\Tools\*>*
    !*>D:\Tools\*
    #   Canon Printer
    !C:\ProgramData\CanonBJ\*
    #   Blacklist Override
    !*\Hyper-V Switch\HyperVSwitch.exe>C:\Windows\System32\bcdedit.exe
    !C:\Program Files\Microsoft VS Code\Code.exe>C:\Windows\System32\reg.exe
    !C:\Program Files (x86)\Microsoft Visual Studio\2017\*>*
    #    Blacklist Override - Hyper-V Manager, Event Viewer, etc.
    !C:\Windows\explorer.exe>C:\Windows\System32\mmc.exe
    !C:\Windows\System32\svchost.exe>C:\Windows\System32\mmc.exe
    !C:\Windows\System32\control.exe>C:\Windows\System32\mmc.exe
    #    Blacklist Override - DISM
    !??*\Temp\????????-????-????-????-????????????\DismHost.exe>??*\Temp\????????-????-????-????-????????????\*.dll
    !??*\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\*.dll
    !C:\Windows\System32\*>??*\Temp\????????-????-????-????-????????????\DismHost.exe
    #   Base System Rules
    C:\Program Files (x86)\*>C:\Program Files (x86)\*
    C:\Program Files\*>C:\Program Files\*
    C:\Program Files\*>C:\Program Files (x86)\*
    C:\Program Files (x86)\*>C:\Program Files\*
    C:\Windows\*>C:\Windows\*
    C:\Windows\*>C:\Program Files (x86)\*
    C:\Windows\*>C:\Program Files\*
    C:\Program Files (x86)\*>C:\Windows\*
    C:\Program Files\*>C:\Windows\*
    [BLACKLIST]
    #   Excubits Blacklist - Source: https://excubits.com/content/files/blacklist.txt
    #   Last Updated: 2018/02/03
    #
    *\AppData\Local\Temp\*.bat
    *\AppData\Local\Temp\*.cmd
    *\AppData\Local\Temp\*.com
    *\AppData\Local\Temp\*.exe
    *\AppData\Local\Temp\*.scr
    *\AppData\Local\Temp\*.sys
    *\AppData\Roaming\*.bat
    *\AppData\Roaming\*.cmd
    *\AppData\Roaming\*.com
    *\AppData\Roaming\*.exe
    *\AppData\Roaming\*.scr
    *\AppData\Roaming\*.sys
    *\at.exe
    *\Temp\*.zip\*.exe
    *\Temp\*7z*\*.exe
    *\Temp\*rar*\*.exe
    *\Temp\*sfx\*.exe
    *\Temp\*wz*\*.exe
    *\Temp\*zip*\*.exe
    *\Temp\7z*\*.exe
    *\Temp\rar*\*.exe
    *\Temp\wz*\*.exe
    *aspnet_compiler.exe
    *attrib.exe
    *auditpol.exe
    *bash.exe
    *bcdboot.exe
    *bcdedit.exe
    *bginfo.exe
    *bitsadmin*
    *bootcfg.exe
    *bootim.exe
    *bootsect.exe
    *ByteCodeGenerator.exe
    *cacls.exe
    *cdb.exe
    *csc.exe
    *csi.exe
    *dbghost.exe
    *dbgsvc.exe
    *debug.exe
    *DFsvc.exe
    *diskpart.exe
    *dnx.exe
    *eventvwr.exe
    *fsi.exe
    *fsiAnyCpu.exe
    *hh.exe
    *IEExec.exe
    *iexplore.exe
    *iexpress.exe
    *ilasm.exe
    *infdefaultinstall.exe
    *InstallUtil*
    *InstallUtil.exe
    *journal.exe
    *jsc.exe
    *kd.exe
    *lpkinstall*
    *LxssManager.dll
    *mmc.exe
    *msra.exe
    *MSBuild.exe
    *mshta.exe
    *msiexec.exe
    *mstsc.exe
    *netsh.exe
    *netstat.exe
    *ntkd.exe
    *ntsd.exe
    *odbcconf.exe
    *powershell.exe
    *powershell_ise.exe
    *PresentationHost.exe
    *quser.exe
    *rcsi.exe
    *reg.exe
    *RegAsm*
    *regini.exe
    *Regsvcs*
    *regsvr32.exe
    *RunLegacyCPLElevated.exe
    *runonce.exe
    *runscripthelper.exe
    *schtasks.exe
    *scrcons.exe
    *script.exe
    *sdbinst.exe
    *sdclt.exe
    *set.exe
    *setx.exe
    *Stash*
    *syskey.exe
    *system.management.automation.dll
    *systemreset.exe
    *takeown.exe
    *taskkill.exe
    *UserAccountControlSettings.exe
    *utilman.exe
    *vbc.exe
    *visualuiaverifynative.exe
    *vssadmin.exe
    *wbemtest.exe
    *windbg.exe
    *wmic.exe
    *xcacls.exe
    ?:\$Recycle.Bin\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\FilesStash\*
    C:\Users\Public\*
    C:\Windows\$FORENSICS\*
    C:\Windows\ADFS\*
    C:\Windows\debug\WIA\*
    C:\Windows\Fonts\*
    C:\Windows\PLA\Reports\*
    C:\Windows\PLA\Reports\de-DE\*
    C:\Windows\PLA\Rules\*
    C:\Windows\PLA\Rules\de-DE\*
    C:\Windows\PLA\Templates\*
    C:\Windows\Registration\CRMLog\*
    C:\Windows\servicing\Packages\*
    C:\Windows\servicing\Sessions\*
    C:\Windows\System32\Com\dmp\*
    C:\Windows\System32\FxsTmp\*
    C:\Windows\System32\LogFiles\WMI\*
    C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\*
    C:\Windows\System32\spool\drivers\color\*
    C:\Windows\System32\spool\PRINTERS\*
    C:\Windows\System32\spool\SERVERS\*
    C:\Windows\System32\Tasks\*
    C:\Windows\System32\Tasks_Migrated\*
    C:\Windows\SysWOW64\Com\dmp\*
    C:\Windows\SysWOW64\FxsTmp\*
    C:\Windows\SysWOW64\Tasks\*
    C:\Windows\Tasks\*
    C:\Windows\Temp\*
    C:\Windows\tracing\*
    [CMDWHITELIST]
    #   Default Allow
    *>*
    [CMDBLACKLIST]
    [EOF]
    


    Anyway, so this is just a basic example showing mostly parent rules with the exception of the smss.exe and drivers. I was able to copy in Florian's Blacklist.txt blacklist rules as-is. I used to have to convert them to parent rules for this to work correctly. But with Bouncer beta, I can copy as-is and then use whitelist rules to write parent exclusions that will override the Blacklist.txt child entries.
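The parent/child rules and `!` overrides described in this post, as an added example that is not from the thread or from Excubits: a small Python evaluator run over a constructed, cut-down config in the same syntax. It assumes my reading of the precedence (a `!` whitelist hit beats the blacklist, which beats a plain whitelist hit, with default deny) and that kernel-started (NULL-parent) processes can only be matched by child-only rules, which is the behaviour the post observed for smss.exe and .sys drivers.

```python
import re
# Constructed, trimmed-down Bouncer-style config; the precedence modelled below
# is my reading of the thread, not Excubits' actual rules engine.
CONFIG = r"""
[WHITELIST]
C:\Windows\System32\smss.exe
C:\Windows\System32\*.sys
!C:\Windows\explorer.exe>C:\Windows\System32\mmc.exe
C:\Windows\*>C:\Windows\*
[BLACKLIST]
*mmc.exe
*\AppData\Local\Temp\*.exe
[EOF]
"""

def parse(text):
    # Collect the rule lines of the [WHITELIST] and [BLACKLIST] sections.
    sections, current = {"WHITELIST": [], "BLACKLIST": []}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current in sections:
            sections[current].append(line)
    return sections

def glob_to_re(pattern):
    # '*' matches any run of characters, '?' exactly one; Windows paths are case-insensitive.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(body + r"\Z", re.IGNORECASE)

def rule_matches(rule, parent, child):
    rule = rule.lstrip("!")
    if ">" not in rule:                      # child-only rule: parent is irrelevant
        return bool(glob_to_re(rule).match(child))
    if parent is None:                       # kernel-started (NULL parent): no parent rule applies
        return False
    p, c = rule.split(">", 1)
    return bool(glob_to_re(p).match(parent) and glob_to_re(c).match(child))

def decide(sections, parent, child):
    # ALLOW or BLOCK one process start; '!' whitelist entries beat the blacklist.
    white, black = sections["WHITELIST"], sections["BLACKLIST"]
    if any(r.startswith("!") and rule_matches(r, parent, child) for r in white):
        return "ALLOW"
    if any(rule_matches(r, parent, child) for r in black):
        return "BLOCK"
    if any(rule_matches(r, parent, child) for r in white):
        return "ALLOW"
    return "BLOCK"                           # default-deny: nothing matched
```

With this model, `C:\Windows\*>C:\Windows\*` alone never lets smss.exe or a driver start (parent is NULL), which is why the post keeps those two as child-only rules.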
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    My goal is to block system.management.automation.dll and related processes.
    Did I do this right?

    Code:
    [LETHAL]
    [LOGGING]
    [#SHA256]
    [#PARENTCHECK]
    [#CMDCHECK]
    [WHITELIST]
    ?:\*
    [BLACKLIST]
    [PARENTWHITELIST]
    ?:\*system.management.automation*
    [PARENTBLACKLIST]
    [CMDWHITELIST]
    [CMDBLACKLIST]
    [EOF]
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    These newest (and much more useful IMO) developments in Bouncer have reignited my attention to it.

    Thanks all above for the latest.
     
  7. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    My super-short config here is for the stable version. It is basically a one-trick pony.
    I would appreciate if someone could tell me if I am doing this right...
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    No, it was wrong. The entry to be blocked should be under [BLACKLIST] and above [PARENTWHITELIST]
     
  9. guest

    guest Guest

    An updated build (beta) of Bouncer/Tuersteher is available ("compiler-stamp: Wed Apr 04 16:47:03 2018")
    Download (BetaCamp)
    or: https://excubits.com/content/files/bncr_trsthr.7z
     
  10. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    1. Has anyone compiled a whitelist for Windows 10, to allow standard Windows processes and command lines?

    2. It seems that rundll32 is not on the blacklist.txt, I assume because it would cause too much blocking?

    3. Is there anything else notable that is absent from blacklist.txt?
     
  11. guest

    guest Guest

    A new blog-entry has been published:
    Newsblog: Demo and Beta Updates (2018/04/08)

    Excerpt (Bouncer related info):
     
  12. 142395

    142395 Guest

    1. Just allow the Program Files and Windows folders, except those places in them that are writable by users other than admin, and you rarely need a whitelist, but there are some exceptions. If you use Windows Defender, you need to allow some exes and dlls in ProgramData. I also whitelist these, as I blacklisted the Temp folder:

    C:\Windows\Temp\mpam-*.exe
    C:\Windows\Temp\*\MPSigStub.exe
    C:\Windows\Temp\CR_*.tmp\setup.exe

    The first 2 seem to be related to WD; the last is needed to update Chrome. If you use other programs you may need to allow more.

    2. Yes, blocking rundll32 will most likely cause problems. Also depending on what program you use, others listed on the list can make trouble.

    3. Maybe these recently added in NVT-Syshardener?
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Particularly of note:
    Just playing around with the new tray tool right now and I like the ability to change localization details and the blue icon color for non-lethal mode.

    Link: https://excubits.com/content/en/news.html
    Beta: https://excubits.com/content/en/products_beta.html
     
  14. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    New version of Bouncer/Türsteher is available :) Full versions and the beta version are available. Beta is gone from beta-camp.

    Funny sidenote: following the blog post, you can change the filename of the tray app and it will work with other drivers from excubits, too. cool :cool: You can also use your own icons, and more important (for me): change the localization of all text values for your own language. That is a huge improvement.
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    This latest version of Bouncer is working incredibly and the customization of the tray tool is great plus the minor functionality changes of the tray tool are nice too (not as many prompts and such). I've re-done the tray tool so that it works now for Bouncer, MemProtect, Pumpernickel/FIDES and MZWriteScanner (separately, though). I'm really pleased with this release. Also the parent control of kernel (NULL) over drivers is nice too.
     
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    How to do that?
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    The binaries have to be renamed (example):
    Code:
    BouncerTray.exe
    BouncerTrayHelper.exe
    to
    MemProtectTray.exe
    MemProtectTrayHelper.exe
    * for each driver accordingly, MZWriteScanner, etc.

    Also the localization files too (example):
    Code:
    bouncer.EN.locales
    bouncer.locales
    to
    memprotect.EN.locales
    memprotect.locales
    * same for other drivers accordingly

    Also within each (all of them) of the localization files you need to use a text editor such as Visual Studio Code or Notepad++ and do a quick "search and replace" to automatically replace all instances of the word "Bouncer" with "MemProtect" or similar with other drivers.

    It does take a bit of time to do this. I have already done this for Bouncer, MemProtect, MZWriteScanner, and Pumpernickel/FIDES for all 64-bit binaries. I did not do the 32-bit binaries since I don't use them. Maybe if this is useful and others may find it beneficial, I could upload the completed and working updated tray tools for Bouncer, MemProtect, MZWriteScanner, and Pumpernickel/FIDES. Please let me know if anyone needs this.
     
  18. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I, for one, would be happy to get them. :)
    What path to put them in?
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Sure thing, no problem.
    Personally, I run them from D:\Tools\Excubits\ and within their own folders there. But you can extract and run from anywhere.

    I use Task Scheduler to create scheduled tasks to run each of them (only the ones I use) at Windows logon. Personally, I add the "nopopups" command line argument to each of those scheduled tasks to ensure that the tray tools are quiet with no toasts/balloon popups, just simple color changes to indicate a problem. You can also choose if you want the scheduled task to "Run with Highest Privilege" to skip the UAC popups, but that is up to you.


    Remember, no 32-bit binaries included here. Just the 64-bit binaries renamed accordingly.

    Cheers! :thumb:

    EDIT: Feel free to share the link with the folks over at MT forum as well if anyone there needs it.
     
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Thanks, @WildByDesign
    Currently, I get the trays for memprotect and FIDES to autostart by putting a shortcut to them in the Startup folder.
    Will that work with these new tray files?
     
  21. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Yup, it works.
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @shmu26 You're welcome. Glad you've got them working. :thumb:
     
  23. Zorak

    Zorak Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    182
    Location:
    Australian Capital Territory
    I'm experiencing a minor bug with the new tray tool. I keep getting warnings that Bouncer has been in simulation mode for some time and that I'm not protected. However Bouncer isn't in simulation mode and the tray icon is green.

    Anyone else seeing this? If so, any ideas how to stop it, or is it actually a bug?
     
  24. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    No, I did explicitly test this during the last 2h with balloon notify enabled, nothing weird happens here. Seems to work as intended.

    What OS do you use? 32/64 bit edition?

    Do you have other security tools installed? Does the TrayApplication have access to the .ini file and .log file?
     
  25. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Does anyone here have other icons? I mean more beautiful looking icons for the tray. I do not want to disrespect excubits, but their icons could be better.
     