Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,352
    Thanks. The "set" command returns:
    HOMEDRIVE=C:
    That sounds right.

    @paulderdash: Not sure if it is image guardian or CBT. All I know is that it gave me a lot of grief with MZWriteScanner until I figured out the conflict.
     
  2. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,352
    UPDATE: Macrium Reflect was not the culprit.
    I still get a corrupted initial config upon installation, which is weird, but after it is corrected, Bouncer seems to be working right. :)
    Although I mistakenly reported otherwise, this was because of truncated log entries. There were temp binaries with a path including PROGRA~ and apparently this is referring to Programdata.
     
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,352
    I want to monitor rundll32.
    On CMDBLACKLIST I have: *>*rundll32.exe*
    On CMDWHITELIST I have: !*svchost.exe>*rundll32.exe*C:\Windows\*

    Any comments? Is this a wise way to whitelist Windows command lines, or not really?
    I am on Windows 10 x64
    AdminByPass is enabled.
     
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,352
    My whitelist rule is not working for some reason, because I am getting blocks such as this:
    Code:
    C:\Windows\System32\svchost.exe    C:\Windows\system32\rundll32.exe Startupscan.dll,SusRunTask
     
  5. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    173
    Location:
    Europe
    My command line blacklist is

    Code:
    [CMDBLACKLIST]
    *>*rundll32*cmd*/c*
    *>*rundll32*
    *>*cmd*/c*
    *>*cmd*/v*
    *>*powershell*
Ensure you have your priority rule before the final *>*. I have my rules like

    Code:
    [CMDWHITELIST]
    !C:\Windows\*svchost.exe>C:\Windows\*rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {*} -Embedding
    !C:\Windows\*svchost.exe>C:\*rundll32.exe C:\Windows\system32\invagent.dll,RunUpdate
    !C:\Windows\*svchost.exe>C:\*rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState
    ...
    *>*
    [CMDBLACKLIST]
    ...
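An added example, not Bouncer's own code or anything posted in the thread: a small Python model of how parent>child rules with * and ? wildcards match, run over the svchost/rundll32 log entry quoted above, with shmu26's posted rules, the same rules in the order 4Shizzle recommends, and the DLL-load rules with truncated paths. The evaluation order (the first whitelist hit decides whether the event counts as a "!" priority hit that beats the blacklist or a plain hit the blacklist overrides) is an assumption chosen to reflect the advice about keeping priority rules before the final *>*, not Excubits' documented algorithm.

```python
import re


def glob_to_regex(pattern: str):
    """Bouncer-style wildcards: '*' matches any run of characters (backslashes
    included), '?' exactly one character. Windows paths are case-insensitive,
    so the match is too."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def rule_matches(rule: str, parent: str, child: str) -> bool:
    """A command-line or load rule is 'parent-pattern>child-pattern'.
    The leading '!' marks a priority rule; it is not part of the pattern."""
    body = rule[1:] if rule.startswith("!") else rule
    parent_pat, sep, child_pat = body.partition(">")
    if not sep:
        return False  # no '>' means this is not a parent>child rule
    return (glob_to_regex(parent_pat).fullmatch(parent) is not None
            and glob_to_regex(child_pat).fullmatch(child) is not None)


def first_match(rules, parent, child):
    """Rules are tried top to bottom; the first one that matches wins."""
    for rule in rules:
        if rule_matches(rule, parent, child):
            return rule
    return None


def decide(whitelist, blacklist, parent, child) -> str:
    """Simplified decision model (an assumption for this example, not Excubits'
    documented algorithm): the first whitelist hit decides whether the event is
    a priority hit ('!' rule, beats the blacklist) or a plain hit (overridden by
    any blacklist hit); with no whitelist hit at all the event is blocked."""
    w_hit = first_match(whitelist, parent, child)
    b_hit = first_match(blacklist, parent, child)
    if w_hit is None:
        return "BLOCK: no whitelist rule matched"
    if w_hit.startswith("!"):
        return f"ALLOW: priority rule {w_hit}"
    if b_hit is not None:
        return f"BLOCK: blacklist rule {b_hit}"
    return f"ALLOW: whitelist rule {w_hit}"


def parse_log_line(line: str):
    """The quoted log entry separates parent and child by a run of spaces."""
    parent, child = re.split(r" {2,}", line.strip(), maxsplit=1)
    return parent, child


# The log entry quoted in the thread.
LOG_LINE = (r"C:\Windows\System32\svchost.exe    "
            r"C:\Windows\system32\rundll32.exe Startupscan.dll,SusRunTask")

# Rules as posted: the whitelist rule expects 'C:\Windows\' somewhere AFTER
# rundll32.exe, but the DLL is passed by bare name, so the priority rule never
# matches and the blacklist wins.
POSTED_WHITELIST = [r"!*svchost.exe>*rundll32.exe*C:\Windows\*"]
POSTED_BLACKLIST = [r"*>*rundll32.exe*"]

# A rule written against the exact command line, placed before the catch-all.
ORDERED_WHITELIST = [
    r"!C:\Windows\*svchost.exe>*rundll32.exe Startupscan.dll,SusRunTask",
    r"*>*",
]
# Same rules with the catch-all first: it is the first hit, it is not a
# priority rule, so the blacklist overrides it.
MISORDERED_WHITELIST = list(reversed(ORDERED_WHITELIST))
CMD_BLACKLIST = [r"*>*rundll32*", r"*>*cmd*/c*", r"*>*cmd*/v*", r"*>*powershell*"]


def evaluate_posted():
    return decide(POSTED_WHITELIST, POSTED_BLACKLIST, *parse_log_line(LOG_LINE))


def evaluate_ordered():
    return decide(ORDERED_WHITELIST, CMD_BLACKLIST, *parse_log_line(LOG_LINE))


def evaluate_misordered():
    return decide(MISORDERED_WHITELIST, CMD_BLACKLIST, *parse_log_line(LOG_LINE))


def evaluate_dll_load():
    """The same matcher on a DLL-load event with a truncated-path rule."""
    return rule_matches(r"!*explorer.exe>*shdocvw.dll",
                        r"C:\Windows\explorer.exe",
                        r"C:\Windows\System32\shdocvw.dll")


if __name__ == "__main__":
    for name, fn in [("posted", evaluate_posted), ("ordered", evaluate_ordered),
                     ("misordered", evaluate_misordered)]:
        print(f"{name:10s} -> {fn()}")
    print("dll load   ->", evaluate_dll_load())
```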
    
     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,352
    Thanks.
    Since you have a general block rule for rundll32, why did you add
    *>*rundll32*cmd*/c*
     
  7. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    173
    Location:
    Europe
Oh thanks. You are right, I guess it is an artefact from an older config. I should delete it, it doesn't make sense here. :) Thanks.
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,352
    The real thanks goes to you for all your help.
    Are you running it on Windows 10?
    I am having a general problem with dlls -- they don't seem to respect their proper paths. In order to get a whitelist rule to work for dlls, I need to make the path very general.
     
  9. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    173
    Location:
    Europe
No, Win10 is not my daily driver. I have a Win10 machine, but don't use it often and have very generic rules for this machine, so I think I'm not good to give advice for Win10 configuration at the moment. My plan is to switch to Win10 soon, so I have to re-do my rules then :)
     
  10. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    173
    Location:
    Europe
I moved to Win10 last weekend and just copied my existing türsteher.ini (should be equal to bouncer) to this blank Win10 machine. I just have to modify some little rules, but it looks good until now. I will do some more tests, then I can share my ini file - maybe it helps you and gives you a hint. Currently my system is very clean: just Win10, needed drivers for printer and scanner, Google Chrome, LibreOffice and 7-zip. I have tools from PortableApps and it all looks good until now, but I will test a little bit more.
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,352
    Thanks.
    The trick I found to make dll rules work was to truncate the path. For instance, here are some of my whitelist rules:
    !*explorer.exe>*shdocvw.dll
    !*SettingSyncHost.exe>*shdocvw.dll
    !*googledrivesync.exe>*.dll
     
  12. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    173
    Location:
    Europe
Some time ago I switched to Windows 10 and re-wrote my rules from scratch. Currently I'm on Windows 10 10.0.18362.175 and here is my plain Bouncer/Türsteher configuration. Change <YOUR_USERNAME_HERE> to your user name. I'm happy with this configuration; it works very well on my Windows 10 systems now (2 of them). Any hint/suggestion is welcome.

    Code:
    [#INSTALLMODE]
    [LETHAL]
    [LOGGING]
    [#SHA256]
    [CMDCHECK]
    [#ADMINBYPASS]
    [GUIDLOGGING]
    [WHITELIST]
    !C:\Windows\System32\Windows.Data.Pdf.dll
    !C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\*
    !C:\Windows\Temp\CR_?????.tmp\*
    !C:\Windows\Temp\????????-????-????-????-????????????\MPGEAR.DLL
    !C:\Windows\Temp\????????-????-????-????-????????????\MPENGINE.DLL
    !C:\Windows\Temp\????????-????-????-????-????????????\Dism*
    !C:\Windows\Temp\????????-????-????-????-????????????\Dism*
    !C:\Windows\Temp\????????-????-????-????-????????????\OSProvider.dll
    !C:\Windows\Temp\????????-????-????-????-????????????\LogProvider.dll
    !C:\Windows\Temp\????????-????-????-????-????????????\CbsProvider.dll
    !C:\Windows\Temp\????????-????-????-????-????????????\DmiProvider.dll
    !C:\Users\*\AppData\Local\Temp\mpam-*.exe
    !C:\Users\*\AppData\Local\Temp\{????????-????-????-????-????????????}\MPSigStub.exe
    !C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\MpSigStub.exe
    !C:\Windows\*services.exe>C:\Windows\*msiexec.exe
    # Default configuration
    C:\Windows\*
    C:\Program Files (x86)\*
    C:\Program Files\*
    C:\ProgramData\Microsoft\*
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Google\Chrome*flash*
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Google\Chrome\User Data\SwReporter\*.*.*\software_reporter_tool.exe
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Google\Chrome\User Data\SwReporter\*.*.*\edls_64.dll
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Google\Chrome\User Data\SwReporter\*.*.*\edls_32.dll
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Google\Chrome\User Data\SwReporter\*.*.*\em*_*.dll
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Temp\ns????.tmp\*
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Temp\ns?????.tmp\*
    D:\Downloads\Notepad++\*
    D:\Downloads\InkscapePortable\*
    D:\Downloads\VeraCrypt\*
    D:\Downloads\IrfanViewPortable\*
    D:\Downloads\inkscape\*
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Temp\????????-????-????-????-????????????\Dism*
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Temp\????????-????-????-????-????????????\OSProvider.dll
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Temp\????????-????-????-????-????????????\LogProvider.dll
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Temp\????????-????-????-????-????????????\CbsProvider.dll
    #DISM GET_BEGIN
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Temp\????????-????-????-????-????????????\MsiProvider.dll
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Temp\????????-????-????-????-????????????\IntlProvider.dll
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Temp\????????-????-????-????-????????????\IBSProvider.dll
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Temp\????????-????-????-????-????????????\DmiProvider.dll
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Temp\????????-????-????-????-????????????\UnattendProvider.dll
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Temp\????????-????-????-????-????????????\Wow64Provider.dll
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Temp\????????-????-????-????-????????????\SmiProvider.dll
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Temp\????????-????-????-????-????????????\AppxProvider.dll
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Temp\????????-????-????-????-????????????\AssocProvider.dll
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Temp\????????-????-????-????-????????????\GenericProvider.dll
    C:\Users\<YOUR_USERNAME_HERE>\AppData\Local\Temp\????????-????-????-????-????????????\TransmogProvider.dll
    #DISM GET_END
    [BLACKLIST]
    $*chrome.exe>*mshtml.dll
    $*wordpad.exe>*mshtml.dll
    $*SearchFilterHost.exe>*html.dll
    $*SearchFilterHost.exe>*script.dll
    # MS Office Macros disabled
    *vba?.dll
    *vbe?.dll
    *msvbvm*.dll
    *msword.olb
    *stdole2.tlb
    # Blocking the regsvr32 application whitelisting bypass techniques
    *regsvr32.exe>*scrobj.dll
    *regsvr32.exe>*scrrun.dll
    *regsvr32.exe>*mshtml.dll
    *regsvr32.exe>*jscript*.dll
    # Blocking the rundll32 application whitelisting bypass techniques
    *rundll32.exe>*scrobj.dll
    *rundll32.exe>*scrrun.dll
    *rundll32.exe>*mshtml.dll
    *rundll32.exe>*jscript*.dll
    # Blocking rundll32 from loading PowerShell
    *rundll32.exe>*System.Management.Automation*.dll
    # https://github.com/Microsoft/windows-itpro-docs/blob/master/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
    #
    # Excubits Backlist - Last Updated: 2018/08/16
    #
    *\at.exe
    *\Temp\*7z*\*
    *\Temp\*rar*\*
    *\Temp\*sfx\*
    *\Temp\*wz*\*
    *\Temp\*zip*\*
    *aac.*
    *aspnet_compiler.exe
    *attrib.exe
    *auditpol.exe
    *avi.*
    *bash.exe
    *bcdboot.exe
    *bcdedit.exe
    *bginfo.exe
    *bitsadmin*
    *bootcfg.exe
    *bootim.exe
    *bootsect.exe
    *ByteCodeGenerator.exe
    *cacls.exe
    *cdb.exe
    *csc.exe
    *csi.exe
    *csv.*
    *cvtres.exe
    *dbghost.exe
    *dbgsvc.exe
    *debug.exe
    *DFsvc.exe
    *dif.*
    *diskpart.exe
    *divx.*
    *dnx.exe
    *doc.*
    *docm.*
    *docx.*
    *dotm.*
    *dotx.*
    *eventvwr.exe
    *fsi.exe
    *fsiAnyCpu.exe
    *hh.exe
    *IEExec.exe
    *iexplore.exe
    *iexpress.exe
    *ilasm.exe
    *infdefaultinstall.exe
    *InstallUtil*
    *InstallUtil.exe
    *journal.exe
    *js.bat
    *js.cmd
    *js.com
    *js.exe
    *jsc.exe
    *kd.exe
    *lpkinstall*
    *LxssManager.dll
    *mmc.exe
    *mp3.*
    *mp4.*
    *MSBuild.exe
    *mshta.exe
    *msiexec.exe
    *MSPUB.EXE
    *msra.exe
    *mstsc.exe
    *netsh.exe
    *netstat.exe
    *ntkd.exe
    *ntsd.exe
    *odbcconf.exe
    *ods.*
    *odt.*
    *pdf.*
    *potm.*
    *potx.*
    *powershell.exe
    *powershell_ise.exe
    *ppam.*
    *ppsm.*
    *ppsx.*
    *pptm.*
    *pptx.*
    *PresentationHost.exe
    *quser.exe
    *.rar.*
    *rcsi.exe
    *reg.exe
    *RegAsm*
    *regini.exe
    *Regsvcs*
    *regsvr32.exe
    *RunLegacyCPLElevated.exe
    *runonce.exe
    *runscripthelper.exe
    *scrcons.exe
    *script.exe
    *sdbinst.exe
    *sdclt.exe
    *set.exe
    *setx.exe
    *slk.*
    *Stash*
    *syskey.exe
    *systemreset.exe
    *takeown.exe
    *taskkill.exe
    *thmx.*
    *txt.*
    *UserAccountControlSettings.exe
    *utilman.exe
    *vba.*
    *vbc.exe
    *vbs.*
    *visualuiaverifynative.exe
    *vssadmin.exe
    *wbemtest.exe
    *windbg.exe
    *wma.*
    *wmic.exe
    *xcacls.exe
    *xlam.*
    *xls.*
    *xlsb.*
    *xlsm.*
    *xlsx.*
    *xlt.*
    *xltm.*
    *xltx.*
    *xps.*
    *xvid.*
    *zip.exe
    *zip.com
    *zip.cmd
    *zip.bat
    ?:\$Recycle.Bin\*
    C:\ProgramData\Microsoft\Windows Defender\Scans\FilesStash\*
    C:\Users\Public\*
    C:\Windows\$FORENSICS\*
    C:\Windows\ADFS\*
    C:\Windows\debug\WIA\*
    C:\Windows\Fonts\*
    C:\Windows\PLA\Reports\*
    C:\Windows\PLA\Reports\de-DE\*
    C:\Windows\PLA\Rules\*
    C:\Windows\PLA\Rules\de-DE\*
    C:\Windows\PLA\Templates\*
    C:\Windows\Registration\CRMLog\*
    C:\Windows\servicing\Packages\*
    C:\Windows\servicing\Sessions\*
    C:\Windows\System32\Com\dmp\*
    C:\Windows\System32\FxsTmp\*
    C:\Windows\System32\LogFiles\WMI\*
    C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\*
    C:\Windows\System32\spool\drivers\color\*
    C:\Windows\System32\spool\PRINTERS\*
    C:\Windows\System32\spool\SERVERS\*
    C:\Windows\System32\Tasks\*
    C:\Windows\System32\Tasks_Migrated\*
    C:\Windows\SysWOW64\Com\dmp\*
    C:\Windows\SysWOW64\FxsTmp\*
    C:\Windows\SysWOW64\Tasks\*
    C:\Windows\Tasks\*
    C:\Windows\Temp\*
    C:\Windows\tracing\*
    [CMDWHITELIST]
    !C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe*
    !C:\Windows\System32\wininit.exe>C:\Windows\System32\bootim.exe
    !C:\Windows\*svchost.exe>C:\Windows\*rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {*} -Embedding
    !C:\Windows\*svchost.exe>C:\Windows\*rundll32.exe shell32.dll,SHCreateLocalServerRunDll {*} -Embedding
    !C:\Windows\*svchost.exe>C:\*rundll32.exe C:\Windows\system32\invagent.dll,RunUpdate
    !C:\Windows\*svchost.exe>C:\*rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState
    !C:\Windows\*svchost.exe>*rundll32.exe WSClient.dll,WSpTLR licensing
    !C:\Windows\*wermgr.exe>"*runDll32.exe" "C:\Windows\system32\WerConCpl.dll", LaunchErcApp -responsepester
    !C:\Windows\*svchost.exe>*rundll32.exe /d acproxy.dll,PerformAutochkOperations
    !C:\Windows\*CompatTelRunner.exe>*rundll32.exe C:\Windows\system32\GeneralTel.dll,RunGeneralTelemetry  -OutputFile "C:\Windows\appcompat\appraiser\Telemetry\Appraiser_GenTelOutput.xml"  -cV * -SendFullTelemetry -ThrottleUtc
    !C:\Windows\*CompatTelRunner.exe>*rundll32.exe C:\Windows\system32\GeneralTel.dll,RunGeneralTelemetry  -cV * -SendFullTelemetry -ThrottleUtc
    !C:\Windows\*CompatTelRunner.exe>*rundll32.exe C:\Windows\system32\GeneralTel.dll,RunGeneralTelemetry  -cV * -ThrottleUtc -OnesettingsNotAllowed
    !C:\Windows\*CompatTelRunner.exe>*rundll32.exe*GeneralTel.dll,RunGeneralTelemetry * -cV * -SendFullTelemetry -ThrottleUtc -OnesettingsNotAllowed
    !C:\Windows\*svchost.exe>*rundll32.exe WSClient.dll,RefreshBannedAppsList
    !C:\Windows\*rundll32.exe>*rundll32* C:\Windows\system32\GeneralTel.dll,RunInUserCxt * IsAdmin*
    !C:\Windows\*svchost.exe>*rundll32.exe Startupscan.dll,SusRunTask
    !C:\Windows\*svchost.exe>*rundll32* AppXDeploymentExtensions.dll,ShellRefresh
    !C:\Windows\explorer.exe>"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER *
    !C:\Windows\explorer.exe>"C:\Windows\System32\RunDll32.exe" C:\Windows\system32\hotplug.dll,HotPlugSafeRemovalDriveNotification *
    !C:\Windows\*wermgr.exe>"C:\Windows\*runDll32.exe" "C:\Windows\system32\WerConCpl.dll", LaunchErcApp -queuereporting
    !C:\Windows\*svchost.exe>C:\Windows\system32\rundll32.exe sysmain.dll,PfSvWsSwapAssessmentTask
    !C:\Windows\explorer.exe>"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl,ScreenSaver,@ScreenSaver
    !C:\Windows\System32\wermgr.exe>"C:\Windows\system32\RunDll32.exe" "C:\Windows\system32\WerConCpl.dll", LaunchErcApp -queuereportingconsentedonly
    !C:\Windows\System32\svchost.exe>rundll32.exe aeinv.dll,UpdateSoftwareInventory
    !C:\Windows\System32\svchost.exe>C:\Windows\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART
    !C:\Windows\System32\LogonUI.exe>"C:\Windows\system32\rundll32.exe" -localserver *-*-*-*-*
    !C:\Windows\explorer.exe>"C:\Windows\System32\rundll32.exe" C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess*
    !C:\Windows\System32\CompatTelRunner.exe>rundll32 C:\Windows\system32\generaltel.dll,RunInUserCxt*Census
    !C:\Windows\System32\svchost.exe>C:\Windows\system32\rundll32.exe C:\Windows\system32\AppxDeploymentClient.dll,AppxPreStageCleanupRunTask
    !C:\Windows\System32\svchost.exe>C:\Windows\system32\rundll32.exe C:\Windows\system32\Windows.StateRepositoryClient.dll,StateRepositoryDoMaintenanceTasks
    !C:\Windows\System32\svchost.exe>rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh
    *>*
    [CMDBLACKLIST]
    *>*rundll32*cmd*/c*
    *>*rundll32*
    *>*cmd*/c*
    *>*cmd*/v*
    *>*powershell*
    [EOF]
    
     
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,352
    Thanks for sharing
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,349
    Location:
    U.S.A. (South)
Yes, thanks for sharing. I ceased any and all Windows 10 operations until such time as they come out with Windows 11, but this may come in handy if the lone Win 10 sitting in my HDD storage closet ever sees the light of day again.

Bouncer is awesome and it helps seal up Windows 8.1 like a padlock.
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,352
    Question about these:
    Code:
    !C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\*
    !C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe*!C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\*
    
    Does the version change?
    Another question: are you using OneDrive at all?
     
  16. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    173
    Location:
    Europe
I think it can change. Until now I didn't change it.
No, I have uninstalled OneDrive. It was annoying because of auto starts and executables running.
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,352
    Thanks for the answers, now another question. I see MZWriteScanner on your signature. I understand that Bouncer can detect and block DLLs with false extensions that make them look like non-binaries. Can MZW do that?
     
  18. Zorak

    Zorak Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    181
    Location:
    Australian Capital Territory
    Thanks from me too for sharing your Bouncer rules. In that same spirit of sharing here are my rules for Windows 10 1903. I have only recently updated to the November 2018 Excubits Blacklist, so there may still be some unwanted surprises lurking. I think the November Blacklist is quite restrictive and I haven't had time to troubleshoot all the blockages, therefore I've disabled some of them for now.

    Code:
    [#INSTALLMODE]
    [LETHAL]
    [LOGGING]
    [#SHA256]
    [#CMDCHECK]
    [WHITELIST]
    #    Google Chrome - Updates
    !C:\Windows\Temp\????????.tmp\setup.exe
    !C:\Windows\Temp\??????.tmp
    #    Malicious Software Removal Tool
    !C:\Windows\Temp\????????-????-????-????-????????????\MPGEAR.DLL
    !C:\Windows\Temp\????????-????-????-????-????????????\MPENGINE.DLL
    #    Windows Defender Program Update
    !C:\Windows\SoftwareDistribution\Download\Install\UpdatePlatform.exe>C:\Windows\Temp\????????-????-????-????-????????????\MpSigStub.exe
    !C:\ProgramData\Microsoft\Windows Defender\*>C:\Windows\Temp\????????-????-????-????-????????????\MpUpdate.dll
    #    Karaoke Builder
    !C:\Program Files (x86)\Karaoke Builder Audio Toolkit\AudioToolkit.exe>C:\Users\*\AppData\Local\Microsoft\MmsEngines\*.dll
    !C:\Program Files (x86)\Karaoke Builder Studio 5.0\kbplayer.exe>C:\Users\*\AppData\Local\Microsoft\MmsEngines\*.dll
    !C:\Program Files (x86)\Karaoke Builder Studio 5.0\kbpro.exe>C:\Users\*\AppData\Local\Microsoft\MmsEngines\*.dll
    #    ATBROKER  (Excubits Blacklist Override)
    !C:\Windows\System32\winlogon.exe>C:\Windows\System32\AtBroker.exe
    #    BOOTIM (Excubits Blacklist Override)
    !C:\Windows\System32\winlogon.exe>C:\Windows\System32\bootim.exe
    #    BYTECODEGENERATOR (Excubits Blacklist Override)
    !C:\Windows\System32\svchost.exe>C:\Windows\System32\ByteCodeGenerator.exe
    !C:\Windows\System32\svchost.exe>C:\Windows\SysWOW64\ByteCodeGenerator.exe
    #    CONTROL (Excubits Blacklist Override)
    !C:\Windows\explorer.exe>C:\Windows\System32\control.exe
    #    EVENTVWR (Excubits Blacklist Override)
    !C:\Windows\explorer.exe>C:\Windows\System32\eventvwr.exe
    !C:\Windows\System32\svchost.exe>C:\Windows\System32\eventvwr.exe
    #    HH (Excubits Blacklist Override)
    !C:\Program Files (x86)\Karaoke Builder Studio 5.0\kbpro.exe>C:\Windows\hh.exe
    #    *JSCRIPT*.DLL* (Excubits Blacklist Override)
    !C:\Program Files\CCleaner\CCleaner64.exe>C:\Windows\System32\jscript9.dll
    !C:\Program Files\Macrium\Reflect\reflectbin.exe>C:\Windows\System32\jscript9.dll
    !C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE>C:\Windows\System32\jscript9.dll
    !C:\Program Files\Microsoft Office\Office14\CLVIEW.EXE>C:\Windows\System32\jscript9.dll
    !C:\Program Files (x86)\Sysinternals\ProcessExplorer\procexp64.exe>C:\Windows\System32\jscript9.dll
    !C:\Program Files (x86)\TeamViewer\TeamViewer.exe>C:\Windows\SysWOW64\jscript9.dll
    !C:\Program Files (x86)\PatchMyPC\PatchMyPC.exe>C:\Windows\System32\jscript9.dll
    !C:\Windows\hh.exe>C:\Windows\System32\jscript9.dll
    !C:\Windows\System32\mmc.exe>C:\Windows\System32\jscript9.dll
    !C:\Windows\System32\mmc.exe>C:\Windows\System32\jscript.dll
    !C:\Windows\System32\spoolsv.exe>C:\Windows\System32\jscript.dll
    !C:\Windows\System32\wbem\WmiPrvSE.exe>C:\Windows\System32\jscript.dll
    #    MAKECAB  (Excubits Blacklist Override)
    !C:\Windows\WinSxS\*\TiWorker.exe>C:\Windows\System32\makecab.exe
    #    MMC (Excubits Blacklist Override)
    !C:\Windows\explorer.exe>C:\Windows\System32\mmc.exe
    !C:\Windows\System32\svchost.exe>C:\Windows\System32\mmc.exe
    !C:\Windows\System32\control.exe>C:\Windows\System32\mmc.exe
    !C:\Windows\System32\eventvwr.exe>C:\Windows\System32\mmc.exe
    !C:\Windows\System32\RuntimeBroker.exe>C:\Windows\System32\mmc.exe
    !C:\Windows\System32\Taskmgr.exe>C:\Windows\System32\mmc.exe
    #    MSHTML  (Excubits Blacklist Override)
    !C:\Program Files\Macrium\Reflect\reflectbin.exe>C:\Windows\System32\mshtml.dll
    !C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE>C:\Windows\System32\mshtml.dll
    !C:\Program Files\Microsoft Office\Office14\WINWORD.EXE>C:\Windows\System32\mshtml.dll
    !C:\Windows\explorer.exe>C:\Windows\System32\mshtml.dll
    !C:\Windows\System32\mmc.exe>C:\Windows\System32\mshtml.dll
    !C:\Windows\System32\taskhostw.exe>C:\Windows\System32\mshtml.dll
    #    MSIEXEC (Excubits Blacklist Override)
    !C:\Windows\System32\services.exe>C:\Windows\System32\msiexec.exe
    !C:\Windows\System32\msiexec.exe>C:\Windows\System32\msiexec.exe
    !C:\Windows\System32\msiexec.exe>C:\Windows\SysWOW64\msiexec.exe
    !C:\Windows\System32\msiexec.exe>C:\Windows\SysWOW64\reg.exe
    !C:\Windows\System32\msiexec.exe>C:\Windows\Temp\*
    !C:\Windows\System32\msiexec.exe>C:\Windows\Installer\*
    #    REGEDIT  (Excubits Blacklist Override)
    !C:\Windows\explorer.exe>C:\Windows\regedit.exe
    !C:\Windows\System32\svchost.exe>C:\Windows\regedit.exe
    #    REGSVR32 (Excubits Blacklist Override)
    !C:\Program Files (x86)\Karaoke Builder Studio 5.0\kbplayer.exe>C:\Windows\SysWOW64\regsvr32.exe
    !C:\Windows\System32\spoolsv.exe>C:\Windows\System32\regsvr32.exe
    #    SC  (Excubits Blacklist Override)
    !C:\Windows\System32\svchost.exe>C:\Windows\System32\sc.exe
    #    SHDOCVW  (Excubits Blacklist Override)
    !C:\Program Files (x86)\Google\Chrome\Application\chrome.exe>C:\Windows\System32\shdocvw.dll
    !C:\Windows\explorer.exe>C:\Windows\System32\shdocvw.dll
    !C:\Windows\System32\dllhost.exe>C:\Windows\System32\shdocvw.dll
    !C:\Windows\System32\OpenWith.exe>C:\Windows\System32\shdocvw.dll
    !C:\Windows\System32\SearchProtocolHost.exe>C:\Windows\System32\shdocvw.dll
    #    SYSTEM.MANAGEMENT.AUTOMATION (Excubits Blacklist Override)
    !C:\Windows\System32\mmc.exe>*System.Management.Automation*
    !C:\Windows\System32\sdiagnhost.exe>*System.Management.Automation*
    !C:\Windows\Microsoft.NET\Framework64\*\mscorsvw.exe>*System.Management.Automation*
    #    ZIPFLDR  (Excubits Blacklist Override)
    !C:\Program Files (x86)\Exact Audio Copy\EAC.exe>C:\Windows\SysWOW64\zipfldr.dll
    !C:\Program Files (x86)\Google\Chrome\Application\chrome.exe>C:\Windows\System32\zipfldr.dll
    !C:\Windows\explorer.exe>C:\Windows\System32\zipfldr.dll
    !C:\Windows\System32\dllhost.exe>C:\Windows\System32\zipfldr.dll
    !C:\Windows\System32\RuntimeBroker.exe>C:\Windows\System32\zipfldr.dll
    !C:\Windows\System32\sihost.exe>C:\Windows\System32\zipfldr.dll
    #    *PDF.* (Excubits Blacklist Override)
    !C:\Windows\System32\SearchFilterHost.exe>C:\Windows\System32\Windows.Data.Pdf.dll
    !C:\Windows\System32\MicrosoftEdgeCP.exe>C:\Windows\System32\Windows.Data.Pdf.dll
    !C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftPdfReader.exe>C:\Windows\System32\Windows.Data.Pdf.dll
    !C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe>C:\Windows\System32\Windows.Data.Pdf.dll
    #    *RAR.* (Excubits Blacklist Override)
    !C:\Windows\System32\svchost.exe>C:\Windows\System32\audioresourceregistrar.dll
    #    DISM
    !C:\ProgramData\Microsoft\Windows Defender\*>C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe
    !C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\Temp\????????-????-????-????-????????????\*.dll
    !C:\Windows\System32\*>C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe
    C:\Windows\System32\*>C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\*.dll
    #    Google Chrome - Flash Player
    C:\Users\*\AppData\Local\Google\Chrome\User Data\PepperFlash\??.?.?.???\pepflashplayer.dll
    #    Google Chrome - Software Reporter Tool
    C:\Users\*\AppData\Local\Google\Chrome\User Data\SwReporter\*\software_reporter_tool.exe
    C:\Users\*\AppData\Local\Google\Chrome\User Data\SwReporter\*\software_reporter_tool.exe>C:\Users\*\AppData\Local\Google\Chrome\User Data\SwReporter\*.dll
    #    HitmanPro - Updates
    C:\Program Files\HitmanPro\HitmanPro.exe>C:\Users\PCAdmin\AppData\Local\Temp\HitmanPro.exe
    #    OneDrive
    C:\Users\*\AppData\Local\Microsoft\OneDrive\*
    #    Process Monitor
    C:\Users\*\AppData\Local\Temp\Procmon64.exe
    #    Taskhostw
    C:\Windows\System32\taskhostw.exe>C:\Windows.old\$WINDOWS.~BT\Sources\setupplatform.dll
    #    Windows Defender
    C:\ProgramData\Microsoft\Windows Defender\*
    #    WinX HD Video Converter
    C:\Program Files (x86)\Digiarty\WinX_HD_Video_Converter_Deluxe\WinX_HD_Video_Converter_Deluxe.exe>C:\Users\*\AppData\Roaming\Digiarty\WinX HD Video Converter Deluxe\package\ytb.exe
    C:\Users\*\AppData\Roaming\Digiarty\WinX HD Video Converter Deluxe\package\ytb.exe>C:\Users\*\AppData\Roaming\Digiarty\WinX HD Video Converter Deluxe\package\*
    #    Basic System Rules
    C:\WINDOWS\*
    C:\Program Files (x86)\*
    C:\Program Files\*
    C:\PROGRA~1\*
    C:\PROGRA~2\*
    C:\Program Files\Excubits\Bouncer\*
    #    Thumbdrive Portable Apps
    ?:\My Portable Apps\*
    [BLACKLIST]
    #    Excubits Blacklist
    *\at.exe
    *\Temp\*7z*\*
    *\Temp\*rar*\*
    *\Temp\*sfx\*
    *\Temp\*wz*\*
    *\Temp\*zip*\*
    *aac.*
    *Advpack.dll
    *Appvlp.exe
    *aspnet_compiler.exe
    *Atbroker.exe
    *attrib.exe
    *auditpol.exe
    *avi.*
    *bash.exe
    *bcdboot.exe
    *bcdedit.exe
    *bginfo.exe
    *bitsadmin*
    *bootcfg.exe
    *bootim.exe
    *bootsect.exe
    *ByteCodeGenerator.exe
    *cacls.exe
    *cdb.exe
    *Certutil.exe
    *CL_Invocation.ps1*
    *CL_Mutexverifiers.ps1*
    *Cmdkey.exe
    *Cmstp.exe
    *Control.exe
    *csc.exe
    *Cscript.exe
    *csi.exe
    *csv.*
    *cvtres.exe
    *dbghost.exe
    *dbgsvc.exe
    *debug.exe
    *DFsvc.exe
    *dif.*
    *diskpart.exe
    *Diskshadow.exe
    *divx.*
    *Dnscmd.exe
    *dnx.exe
    *doc.*
    *docm.*
    *docx.*
    *dotm.*
    *dotx.*
    *Dxcap.exe
    *Esentutl.exe
    *eventvwr.exe
    *Expand.exe
    *Extexport.exe
    *Extrac32.exe
    *Findstr.exe
    *Forfiles.exe
    *fsi.exe
    *fsiAnyCpu.exe
    *Gpscript.exe
    *hh.exe
    *Ie4unit.exe
    *Ieadvpack.dll
    *Ieaframe.dll
    *IEExec.exe
    *iexplore.exe
    *iexpress.exe
    *ilasm.exe
    *infdefaultinstall.exe
    *InstallUtil*
    *InstallUtil.exe
    *journal.exe
    *js.bat
    *js.cmd
    *js.com
    *js.exe
    *jsc.exe
    *jscript*.dll*
    *jscript*.tlb*
    *kd.exe
    *lpkinstall*
    *LxssManager.dll
    *Makecab.exe
    *Manage-bde.wsf*
    *Mavinject.exe
    *Mftrace.exe
    *Microsoft.Workflow.Compiler.exe
    *mmc.exe
    *mp3.*
    *mp4.*
    *MSBuild.exe
    *Msconfig.exe
    *Msdeploy.exe
    *Msdt.exe
    *mshta.exe
    *Mshtml.dll
    *msiexec.exe
    *MSPUB.EXE
    *msra.exe
    *mstsc.exe
    *msxsl.exe
    *netsh.exe
    *netstat.exe
    *ntkd.exe
    *ntsd.exe
    *odbcconf.exe
    *ods.*
    *odt.*
    *Pcalua.exe
    *Pcwrun.exe
    *Pcwutl.dll
    *pdf.*
    *Pester.bat
    *potm.*
    *potx.*
    *powershell.exe
    *powershell_ise.exe
    *ppam.*
    *ppsm.*
    *ppsx.*
    *pptm.*
    *pptx.*
    *PresentationHost.exe
    *Print.exe
    *Pubprn.vbs*
    *quser.exe
    *rar.*
    *rcsi.exe
    *reg.exe
    *RegAsm*
    *Regedit.exe
    *regini.exe
    *Register-cimprovider.exe
    *Regsvcs*
    *regsvr32.exe
    *Replace.exe
    *Rpcping.exe
    #*Rundll32.exe
    *RunLegacyCPLElevated.exe
    *runonce.exe
    *runscripthelper.exe
    *Sc.exe
    *Schtasks.exe
    *scrcons.exe
    *script.exe
    *Scriptrunner.exe
    *sdbinst.exe
    *sdclt.exe
    *set.exe
    #*Setupapi.dll
    *setx.exe
    *Shdocvw.dll
    #*Shell32.dll
    *slk.*
    *Slmgr.vbs*
    *Sqldumper.exe
    *Sqlps.exe
    *SQLToolsPS.exe
    *Stash*
    *SyncAppvPublishingServer.exe
    *Syncappvpublishingserver.vbs*
    *syskey.exe
    *Syssetup.dll
    *System.Management.Automation*
    *systemreset.exe
    *takeown.exe
    *taskkill.exe
    #*te.exe
    *thmx.*
    *Tracker.exe
    *txt.*
    *Url.dll
    *UserAccountControlSettings.exe
    *Utilman.exe
    *vba.*
    *vbc.exe
    *vbs.*
    *visualuiaverifynative.exe
    *vsjitdebugger.exe
    *vssadmin.exe
    *Wab.exe
    *wbemtest.exe
    *windbg.exe
    *wma.*
    *wmic.exe
    *Wscript.exe
    *xcacls.exe
    *xlam.*
    *xls.*
    *xlsb.*
    *xlsm.*
    *xlsx.*
    *xlt.*
    *xltm.*
    *xltx.*
    *xps.*
    *xvid.*
    *Xwizard.exe
    *zip.exe
    *zip.com
    *zip.cmd
    *zip.bat
    *Zipfldr.dll
    ?:\$Recycle.Bin\*
    C:\Users\Public\*
    C:\Windows\debug\WIA\*
    C:\Windows\Fonts\*
    C:\Windows\PLA\Reports\*
    C:\Windows\PLA\Rules\*
    C:\Windows\PLA\Templates\*
    C:\Windows\Registration\CRMLog\*
    C:\Windows\servicing\Packages\*
    C:\Windows\servicing\Sessions\*
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\*
    C:\Windows\System32\Com\dmp\*
    C:\Windows\System32\LogFiles\WMI\*
    C:\Windows\System32\spool\drivers\color\*
    C:\Windows\System32\spool\PRINTERS\*
    C:\Windows\System32\spool\SERVERS\*
    C:\Windows\System32\Tasks\*
    C:\Windows\System32\Tasks_Migrated\*
    C:\Windows\SysWOW64\Com\dmp\*
    C:\Windows\SysWOW64\FxsTmp\*
    C:\Windows\SysWOW64\Tasks\*
    C:\Windows\Tasks\*
    C:\Windows\Temp\*
    C:\Windows\tracing\*
    #    Block Specified Apps From Launching CMD
    *excel.exe>*cmd.exe
    *outlook.exe>*cmd.exe
    *powerpnt.exe>*cmd.exe
    *winword.exe>*cmd.exe
    C:\Program Files (x86)\Google\*>*cmd.exe
    [CMDWHITELIST]
    [CMDBLACKLIST]
    [EOF]
    
     
  19. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    19,011
    No matter what file extension. As long as the MZ-header is at the beginning of a file, MZWritescanner will detect and block the file accordingly.
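An added example, not MZWriteScanner's or Bouncer's code: a small Python scanner applying the check mood describes (MZ bytes at offset 0, extension ignored) and a stricter PE-signature check, run over constructed sample files written to a temporary directory. The set of extensions under which a PE image is "expected" is an assumption for labelling only.

```python
import os
import struct
import tempfile

# Extensions under which a PE image is expected (assumed set); anything else
# carrying an MZ header is the "false extension" case asked about above.
EXPECTED_PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl",
                          ".drv", ".efi", ".mui"}


def has_mz_header(head: bytes) -> bool:
    """The test mood describes: the file starts with the 'MZ' DOS header."""
    return head[:2] == b"MZ"


def has_pe_signature(head: bytes) -> bool:
    """Stricter follow-up check: e_lfanew at offset 0x3C must point at 'PE\\0\\0'.
    Out-of-range offsets are treated as 'no signature', never trusted."""
    if len(head) < 0x40 or not has_mz_header(head):
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    return e_lfanew + 4 <= len(head) and head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(path: str) -> str:
    """Label a file by content, not by name. Only the first 4 KiB is read;
    both headers live at the front, so the whole file is never loaded."""
    with open(path, "rb") as f:
        head = f.read(4096)
    if not has_mz_header(head):
        return "not-binary"
    if not has_pe_signature(head):
        return "mz-without-pe"  # MZWriteScanner would still block on the MZ bytes alone
    ext = os.path.splitext(path)[1].lower()
    return "binary" if ext in EXPECTED_PE_EXTENSIONS else "disguised-binary"


def scan(directory: str) -> dict:
    """Map file name -> label for every file under directory."""
    results = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            results[name] = classify(os.path.join(root, name))
    return results


def build_sample_dir() -> str:
    """Constructed samples (not real binaries): a minimal MZ+PE stub saved under
    a misleading .txt name, the same stub as .dll, a plain text file, and a
    text file that merely starts with the letters MZ."""
    d = tempfile.mkdtemp(prefix="mzscan-")
    stub = bytearray(b"MZ" + b"\0" * 0x3E)       # 0x40-byte DOS header
    struct.pack_into("<I", stub, 0x3C, 0x40)    # e_lfanew -> right after the DOS header
    stub += b"PE\0\0" + b"\0" * 20              # PE signature + zeroed COFF header
    samples = {
        "invoice.txt": bytes(stub),
        "helper.dll": bytes(stub),
        "readme.txt": b"plain notes, nothing executable here\n",
        "notes.txt": b"MZ is also how some notes begin, without a PE signature\n",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    for name, label in sorted(scan(build_sample_dir()).items()):
        print(f"{name:12s} {label}")
```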
     