Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,348
    Location:
    U.S.A. (South)
    Try this: *executable's name.exe in your Whitelist. That was the solution when the Blacklist rules had that same folder protected. However this is on a single drive so I can't comment the same on Bouncer's behavior with external drive letters.
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    That's correct, although just restarting the driver is fine as well. If you make a change to the Lethal status, rules, etc., just use the Admin Tool to restart the driver. Or reboot as well but that takes longer.

    I'm going to reply to all of these comments later in the day when I have more time and will reply with more detail.

    But in short, blacklist takes priority over whitelist.

    You don't need to make a rule to blacklist I:\* because technically it would already be blocked by default. Bouncer, by default, blocks anything that is not specifically whitelisted. The blacklist is more to refine blocking within a directory that has been whitelisted, for the most part. For your I: drive, you would just need to whitelist either individual executables that are safe, or individual folders. In my case, I use my D: drive for a lot of extra backup, etc. But I only whitelist D:\Tools\* to allow certain portable executables to run. Anything else on D: is blocked by default since it is not on whitelist.

    I'll go over your other comments in a few hours with more detail. But in short, Bouncer doesn't scan individual text files and also should not log executables that are not actually attempting to execute. So I am not 100% sure what was going on earlier for you. But I would be more than happy to look at your bouncer.ini and bouncer.log files from C:\Windows\ if you would like. That would give me a much better understanding of what might be happening. Feel free to PM me if you would like.
     
    Last edited: May 26, 2015
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Thanks. Now I have a better idea on what Quietzone does, or at least a basic idea. So it essentially wipes out the entire session so that no changes are made. I can see now why that would affect Bouncer. I can only assume that, in that case, Bouncer would likely have to be installed prior to installing/configuring Quietzone. But I've never used Quietzone before, just read about it briefly now.
     
  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Yup it does wipe out the entire session of all drives and partitions including any USB sticks you have in your machine. I knew Bouncer would be gone after reboot but the error occurs before rebooting. There is one other program talked about here on Wilders that I can not install in Quietzone but can't remember it right now. And of course any program that requires a reboot to load a driver or work doesn't work for me. Oh well, right?
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    True enough, I respect that.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,348
    Location:
    U.S.A. (South)
    What is it that distinguishes Bouncer from, say, Secure Folders? The same somewhat similar manner of protection? I understand that Secure Folders is already a finished work whereas Bouncer is in some development currently. In my simple testings yesterday of Bouncer **DEMO** it was effective, yes, but I did find it a bit clumsy in having to STOP (add/remove rule) START again etc. Also even after I performed STOP the Bouncer driver AND after a full reboot this morning, I encountered an issue where the protection didn't release (maybe a DLL locking issue?) (BouncerLogEvent.DLL?) so I had to completely uninstall and remove references to recover the %UserProfile% areas via Admin again. I will want to repeat yesterday's steps again to make certain no other app was interfering. Secure Folders was disengaged and off while testing Bouncer so I don't really know what exactly caused the issue of it not releasing fully even after shutting off the driver AND a reboot. However the lil issue with Blacklist overriding the Whitelist was solved (in my case) by first entering the syntax wildcard character *name.exe in the Whitelist. I'm determined to realize the full benefits of this **DEMO** so as to find enough interest to go for the PLUS version when ready.
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    The combination of pairing Bouncer together with Secure Folders was an idea and suggestion of Kees which turned out to be a pretty good combination. Kees would be able to answer better than myself on this. But I believe there is more history to Kees' Safe_Admin concept, although I haven't been at Wilders as long and don't recall the history of it. Secure Folders and Bouncer share the anti-exec functionality. But I believe what Secure Folders adds well to the combination is utilizing ACL (Access Control Lists) in an easy to manage way along with some anti-ransomware functionality by allowing certain directories to be read-only. And I'm sure that there are more functions of Secure Folders as well that I am not familiar with.

    The honest answer is, you would be perfectly fine with just Secure Folders, just as you would be perfectly fine with just Bouncer. Or, of course, any combination of a layered setup is always good as well. For somebody that is new to both Secure Folders and Bouncer, I would probably recommend to become familiar with them separately (individually) first for some time before combining. That way the user would have a very good understanding of what is going on behind the scenes with both and also be able to understand where there might be some overlap or conflict.

    I just wanted to confirm that you can modify the bouncer.ini config file while the driver is still running, you don't have to stop Bouncer while modifying rules. But you do have to restart the driver after rule changes. You can use the Restart button within Admin Tool to have that done within one button click. Or alternatively, you can also use the following command lines with administrative CMD:
    Code:
    net stop bouncer
    net start bouncer
    sc query bouncer
    Personally, I like to use Notepad++ to edit my Bouncer rules. Since the bouncer.ini config is within the Windows directory, you need administrative privileges. You have to right-click on Notepad++ and choose Run as Administrator. That way, you can modify/edit/save Bouncer rules while the driver is still running. After making all of your rule changes, either use Admin Tool to Restart the driver or do it with the command prompt. Also, it's always a good idea to keep a copy of the bouncer.ini config rules elsewhere on your drive so that you have a backup of your favourite config(s).

    Can you explain this part more clearly? I apologize, but I'm just trying to get an understanding of what you mean here.

    Do you mean that you stopped the Bouncer driver, restarted Windows, and Bouncer was still blocking executables from running even after a reboot? If that is what you mean, that is on purpose. Bouncer driver always starts up again when Windows is restarted (like after installing Windows Updates, for example). If you want to disable protection of Bouncer to persist through several restarts, for example, the best option would be to remove the LETHAL mode checkbox. That way it will continue to log what executables would normally be blocked based on your config, but they would still be allowed to execute. Then when you are wanting to enable protection again, enable LETHAL mode again.

    The only purpose for BouncerLogEvent.DLL is to deal with logging Bouncer events (blocked executable attempts) to Event Viewer.

    I hope that covered your question appropriately. But if I have completely misunderstood that part of your question, I apologize. Feel free to explain a bit more and feel free to ask whatever questions you would like.

    I was initially concerned about how the blacklist was taking priority over the whitelist about a week ago when I ran into my first conflict in my config. I spoke with the developer about it and the blacklist taking priority is the purpose/intended behaviour and the way that he explained it to me made good sense. Personally, I'm not always good at explaining things. But anyway, I made appropriate changes to my config and everything is working great and I love it. I'm exploring deeper now into Windows directory and also ProgramData to have more control over things individually. I will share my config later as I test it some more. As always, please feel free to ask any questions here and I am always happy to help answer. Or you can always email the developer as well and he's a good person to have a conversation with regarding security in general.
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,348
    Location:
    U.S.A. (South)
    Wow WildByDesign. Do allow me some time to digest all of this.

    Fantastic answers! And thanks for your timely and concise response.

    And it most definitely addresses my earlier experience why it was persisting through restarts = Design Feature! Nice.

    I'll make a special note of #Lethal next time :thumb:
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,348
    Location:
    U.S.A. (South)
    (1) You most certainly have and i thank you for that.

    (2) Seems I'm right back to experiencing the same concern as you mentioned in your own experience beforehand and also CuttingEdge most recently when it comes to individually trying to whitelist programs whilst the directory is under Blacklist control. I had thought that I had that solved with the wildcard syntax but the blacklist continues (at least for a while anyway) to override the Whitelist. I suspect it just needs some fine tuning and I look forward to seeing how the developer updates to the next release.
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome, anytime.

    That's what I mean by Blacklist taking priority over Whitelist.

    The idea is to simply just whitelist what you would like to allow. Anything that is not whitelisted will automatically be blocked, without even needing to add a blacklist rule.

    Blacklist rule is mostly for blacklisting certain folders within an area that has been whitelisted. If you want specific help with your bouncer.ini file, feel free to PM me or let me know the specifics of what you are trying to achieve, like the folder/directory structure, etc.
     
  11. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    173
    Location:
    Europe
    Thanks to @MrBrian and @WildByDesign for introducing and sharing all the information on Türsteher/Bouncer. Since I have learned much from here, it is time to give something back. Let me contribute to this discussion.

    My system: Windows 7 and 8.1 (32/64-bit) works very well here (I am using the German version - Türsteher). I don't have issues with stopping and starting the driver. Sometimes Türsteher blocks updates of applications, but this is okay for me. Then I stop Türsteher, install the update(s) and then start Türsteher again. I have everything right in place, my rules seem to be complete and there is little I have to adjust now. I like Türsteher's speed and simple design. It also changed my behavior on just clicking and installing stuff etc. It was also very helpful for USB sticks plugged into my machines at conferences. It was worth dealing with this tool and its installation. Sometimes I think Türsteher is like a teacher or the bad conscience that catches you ;-) I use it together with MS Defender.

    Specifying and applying new rules:

    As far as I understood the German manual (maybe the English differs) on the rules: You can edit them directly in the .ini or you use the Admin Tool. Changes are not applied until you *restarted* the driver (in other words: use stop, then start button or hit the restart-button). In short: (1) specify/change rules, (2) then stop the driver, then (3) start the driver. Done. I had the feeling that some users think they have to restart the computer if they apply new rules: No, you don't. Just stop and start the driver, this is what is meant by restart.

    I tested it quite a lot and it always worked for me. Tried it just a few minutes ago with a black- and whitelist rule, worked out great, also with the restart button. Let us know your configuration if you have any problems, so we can try to find the issue with the stop/start or restart.

    The black- and whitelist:

    I ran into the same misunderstanding and contacted the developer. Well, the "solution" seems to be simple: By default Bouncer/Türsteher blocks everything, this also includes external drives. Hence if you have a drive "I:" it is already blacklisted by default. There is nothing to do, no extra blacklist rule for "I:". Hence you can simply add a whitelist rule for your applications on I:. Let's assume it was I:\MyGames\ABCSchool.exe, then you add a whitelist rule: I:\MyGames\ABCSchool.exe. You don't have to add a blacklist rule for I:\*. Having I:\MyGames\ABCSchool.exe in the whitelist only allows this application, everything else is still blocked by the driver. For example, I:\autostart.exe or I:\CuteCatsPicture.jpg.exe will be blocked by default, too. Nothing to worry about here. Just whitelist the application on your drive, no additional rule to add.

    Blacklist overrules Whitelist:

    As far as I understood the developer, a blacklist rule *will always* overrule a whitelist rule. For example, if you have whitelisted X:\Temp\Tools\npp.exe, but you have also blacklisted X:\Temp\*, this blacklist rule will overrule the whitelist rule.

    From a logical aspect this makes sense. If you blacklist X:\Temp\* you cannot allow X:\Temp\Tools\npp.exe. Doing so would break the rules, especially in a kind of binary logic as far as I understand those things. The developer told me that exceptions to this logic could lead to flaws, because how should you tell the driver what to accept and what to block? For us "humans" this is easy to see, but a machine only understands sound logical statements. For me, it makes sense (somehow). I had difficulties with the rules in the beginning, too.

    My next steps:

    Using it together with EMET. Has anyone experience with this combo (MS Defender, Türsteher/Bouncer and MS EMET)? Would be great to hear from you.

    Many greetings.
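    The rule semantics laid out in this post and in WildByDesign's earlier replies (default deny, whitelist what you need, blacklist always wins, '*' as a wildcard) can be modelled in a few lines. The following is an added simulation written for this thread, not Bouncer's own code, and its [WHITELIST]/[BLACKLIST] section names, the constructed rule set and the sample paths are assumptions for the model rather than the real bouncer.ini layout:

```python
"""Model of the Bouncer/Tuersteher rule semantics described in the thread.

Assumed semantics (from the posts, not from the product's source):
  * default deny: a path matched by no whitelist rule is blocked
  * a blacklist match always overrides a whitelist match
  * '*' may span directory separators, so X:\\Temp\\* covers a whole subtree
  * matching is case-insensitive, as Windows paths are
The section names below are an assumption for this model only.
"""
import fnmatch
from typing import Dict, List, Tuple

# Constructed rule set built from the examples quoted in the thread.
SAMPLE_RULES = r"""
[WHITELIST]
C:\Windows\*
C:\Program Files\*
D:\Tools\*
I:\MyGames\ABCSchool.exe
X:\Temp\Tools\npp.exe
[BLACKLIST]
X:\Temp\*
C:\Windows\Temp\*
"""


def parse_rules(text: str) -> Dict[str, List[str]]:
    """Split the ini-style text into whitelist and blacklist patterns."""
    rules: Dict[str, List[str]] = {"whitelist": [], "blacklist": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.upper() == "[WHITELIST]":
            section = "whitelist"
        elif line.upper() == "[BLACKLIST]":
            section = "blacklist"
        elif section is not None:
            rules[section].append(line)
    return rules


def _matches(pattern: str, path: str) -> bool:
    # Lower-case both sides so the result does not depend on the host OS;
    # fnmatchcase lets '*' cross backslashes, which X:\Temp\* relies on.
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def decide(rules: Dict[str, List[str]], path: str, lethal: bool = True) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'ALLOW' or 'BLOCK'.

    lethal=False mirrors the unchecked LETHAL box from the thread: the
    decision is still computed (and would be logged) but nothing is blocked.
    """
    verdict, reason = "BLOCK", "no whitelist rule matched (default deny)"
    for pat in rules["whitelist"]:
        if _matches(pat, path):
            verdict, reason = "ALLOW", f"whitelist rule {pat}"
            break
    for pat in rules["blacklist"]:          # checked last so it always wins
        if _matches(pat, path):
            verdict, reason = "BLOCK", f"blacklist rule {pat} overrides whitelist"
            break
    if verdict == "BLOCK" and not lethal:
        return "ALLOW", f"LETHAL off, would block: {reason}"
    return verdict, reason


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for p in [r"I:\MyGames\ABCSchool.exe", r"I:\autostart.exe",
              r"X:\Temp\Tools\npp.exe", r"D:\Tools\putty.exe",
              r"D:\backup\setup.exe", r"C:\Windows\Temp\installer.exe",
              r"I:\MyGames\ABCSchool.exe\payload.exe"]:
        print(f"{p:45} -> {decide(rules, p)}")
```

    The last sample path is the file-versus-folder case CGuard raises later in the thread: an exact whitelist entry without a wildcard does not cover anything beneath a folder of the same name, which is the property a defender should verify on the real product.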
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    The dropdown box does not show .dll files unless it is switched to all. Is this a Windows OS bug, or a Bouncer bug? I was thinking Microsoft would not have let something like this go unnoticed for this long.
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Good catch, CE. I will bring that up with the developer, unless you have reported it. I'm not sure if it's a Windows bug or Bouncer bug, but the developer will know for sure. Thanks.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    I'm going to report that with some of the other issues I have encountered. I already sent the developer a message about one of the issues I have encountered, but I won't be able to send him the info he needs until I get an email address from him.
     
  15. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Excellent, thank you for reporting those issues to the developer. That will be beneficial for all of us in the long run.

    I was thinking about the stuff that came up the last few days regarding making rule changes and having to Restart the driver. Do you think that the driver should automatically be restarted when the user presses the Save Config button? I think that probably makes sense and is certainly possible to do.
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome. I love Bouncer for the simplicity and efficiency as well. Thank you for contributing to the discussion as well.

    Also, I wanted to say that everything you wrote regarding Specifying and applying new rules, The black- and whitelist, and Blacklist overrules Whitelist are 100% correct. As a matter of fact, you have explained it in such a way that makes it much easier to understand and I think that will be very beneficial for users to better understand how Bouncer rules work.

    Regarding using EMET together with Bouncer, absolutely. I don't use Windows Defender though. But I do always recommend users to combine Bouncer with an anti-exploit like EMET. Malwarebytes Anti-Exploit or HitmanPro.Alert would likely be fine as well, although I haven't tested HitmanPro.Alert together with Bouncer so I don't know if there would be any conflicts. Malwarebytes Anti-Exploit works great with Bouncer from my testing. But primarily, the majority of my testing is Bouncer together with EMET. They complement each other very well and provide two completely different layers in a layered setup. It's a very efficient and solid combination.
     
  17. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    1.
    2.
    So, neither of these has been fixed in the latest version...

    Re the 2nd issue, check out the file-type-filtering. Bouncer is searching for *.*.dll files.

    Re the 1st issue, I consider it a serious one. I hope it will finally get fixed in the next version.
     
  18. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    BTW, if anyone is in the mood (currently, I haven't got Bouncer installed), can he/she check if the no-differentiation-between-files-and-folders SRP bypass (=whitelisting an example.exe allows execution from the \example.exe\ folder) applies to Bouncer as well?

    It shouldn't, since Bouncer is checking for executable code, but still...

    EDIT

    It also shouldn't because of its syntax, but still, if anyone is in the mood...
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    What other security programs do you have running? I'm curious, since you and CE both experienced the same type of issue.
    By chance, do you have AppGuard and/or VoodooShield running?

    I would certainly like to help track down the source of conflict and see if we can narrow this down.
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I have got an answer back from the developer for you on this question. It will be added to the F.A.Q. section of the developer's web site in a few days as well. This answer has to do with file types filtered by Bouncer.

    I wrote:
    Developer's response:
     
    Last edited: May 28, 2015
  21. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    As I mentioned in my previous post, currently I haven't got Bouncer on my system, but I have tried different older versions of it, including the previous one.

    In all other instances, I tried Bouncer on a dedicated, fully patched, slightly hardened, pure Win7 Ultimate 32-bit, just restored system image, with nothing 3rd-party installed but Process Hacker (for educational reasons), Toolwiz Time Freeze (for convenience) and Chrome. (<-same procedure/environment for every new tested security app)

    BTW, are you (or anyone else, for that matter) able to whitelist .dll files using the Admin Tool? I'm curious as I thought that the *.*.dll bug would be something everyone had experienced.

    Anyway, thanks for your help.

    PS. Long shot, but both English and German versions are identical, right?
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    I don't think so, but I just started using Bouncer. I would leave it the way it is for now.
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I can't say for sure, but if I had to guess I would say the conflict is probably between Bouncer and Toolwiz Time Freeze. There was another user mentioning an issue between Bouncer and Quietzone, a program similar to Toolwiz Time Freeze. I will let the developer know and see if he can test several of these types of programs and see if there is a way to fix it. Or at least know for certain so that users can be warned of the conflict.

    I have this bug as well using the English version. I believe another user has just recently reported this to the developer in the last day or two. I will check with the developer as well to see what can be done.

    The English and German versions should be identical.
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,348
    Location:
    U.S.A. (South)
    Refreshing and interesting developer's perspective. With every new Microsoft O/S release it's like having to reinvent the wheel all over again. Once upon an XP time there were several pretty nice script blockers that (good for the geeks anyway) exhibited a pop up alert with details similar to classical HIPS operations. All you needed to do was enter your extensions into a WATCH-LIST *.vbs, *.reg etc. and the end user could let it auto-deflect on-the-fly launches of potential issue-laden script files.

    I especially like Bouncer's developer's view on this:

    Bouncer does not scan for file extensions. The driver is able to catch memory calls that are subject to be called if someone (or the OS itself) tries to load executable code into memory. Meaning: a process tries to allocate memory marked as executable for a specific file. This is where the driver gets notified and rings an alert if something is wrong. Indeed someone can also call image files or text files with the executable flag. At the end this will also result in an alert.

    I think that i'm seriously warming up to this particular technique of Bouncer utilizing a kernel driver to better ensure sound results as intended for security. It looks like this app could become fertile ground going forward for even more additions as they become identified as worthwhile.
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    I just tried using Bouncer with VoodooShield, and they are incompatible on my machine. Bouncer is always alerting me saying most of the files I have stored on my external drive contain unknown executable code (even without VoodooShield installed). The files are installers, .txt files (containing notes and URLs), and jpg files. Each time Bouncer detects unknown executable code VoodooShield blocks CMD.exe which disables Bouncer, turning its tray icon gray. Someone else just informed me they tried ERP with Bouncer, and they said they are not compatible either. I have not tried them together myself though. Is Bouncer informing anyone else that the files they have stored on an external drive contain unknown executable code? I'm using Windows 7 x64 Ultimate. The developer said he thinks something else is accessing those files. It sounds like what Easter posted above in red.

    Edited 5/27/15 @10:00: VoodooShield blacklists CMD.exe by default. I could allow CMD.exe in the settings, but it would lower the level of security that VS provides.
     