Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,361
    Location:
    U.S.A. (South)
I've been testing running Bouncer with NVT-ERP, and it also alerts to cmd.exe (although I could make an ALLOW rule); I just allow it for each separate instance because it's good to know when and why the command prompt is making a move on my PC. I'm using Windows 8.0 64-bit. So far, for me, the pair runs just fine together. It's Secure Folders that I think has some issues, but I'm not quite sure yet, since ERP plus Bouncer seem OK for the time being.

    I sure hope the Bouncer developer releases another new one soon.

I have seen the Bouncer driver behave rather haphazardly at times. It probably just needs some rewriting/testing etc. to get it more stable.
     
    Last edited: May 27, 2015
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
It's just not possible for me to allow each separate instance of CMD.exe with VoodooShield, because Bouncer sometimes alerts me to unknown code execution several times a minute. It would drive me insane. I sure hope Florian can figure out a way to record what is triggering this on my machine. I uninstalled AppGuard, and that did not have any effect. I will uninstall Eset Smart Security next and see if that helps.
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
Personally, I am thankful and appreciative that you are taking your time to remove certain programs one at a time to narrow down where the conflicts may be. It's one of those things where testing can and will take time out of your day, but in the long run it should be worthwhile and beneficial to any user interested in Bouncer going forward. It can be very tricky when it comes to security software, since the majority of them use multiple kernel-mode drivers at their core, and conflict is unfortunately going to happen. But if we can collectively figure out where these conflicts are, we can at least warn users for the time being, find temporary workarounds, and also hopefully provide details to the developer to see if anything can be done under the hood. So I just wanted to say that your time is very much appreciated, CE. Thank you.
     
  4. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    Testing the latest version:

    Turns out, it doesn't.

    Also:

[attached screenshot: upload_2015-5-28_15-53-12.png]

That's 10 minutes right after I installed Bouncer, without trying to execute any of these files. There are other files in that folder that haven't been filtered/logged yet (30 minutes post-installation). TF is off.

PS @Cutting_Edgetech: Are you, by any chance, using a light virtualization program + Chrome? (Just to narrow it down.)
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I see what you mean now, CGuard. I apologize if I had misunderstood initially. That is definitely strange and unexpected behaviour. I'm going to try a few of these different programs today as well that users have mentioned to see if I can reproduce the same results. Hopefully we can narrow this down and report it accordingly.


@Cutting_Edgetech: I recall that you mentioned having issues between VoodooShield and Bouncer, and I was thinking about that earlier today. I remember testing VS together with Bouncer quite thoroughly a while back. I don't remember the exact version of VS, but I do remember that the testing went very well with no issues. That was when VS was very stable and before it went through a number of beta versions to do with the Parent Process feature and also the Anti-Exploit type of feature that VS added as well. So those two features were not present at the time that I was testing the two programs together. I have a feeling that the conflict between VS and Bouncer that you were talking about likely has some relation to one of those new features. And to be quite honest, I'm not entirely sure how the Parent Process or Anti-Exploit features in VS work behind the scenes. I understand roughly what they do, but not so much the behind-the-scenes mechanics of it. I'm going to try to test that later today as well, and if I come up with anything interesting, I'll let you know.
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
I don't think that using two anti-executable/app whitelisting programs is a good idea, similar to using two anti-virus programs at the same time. There would be quite a bit of overlap in functionality, so the benefit of running two wouldn't be very significant. But more specifically, you have to think about what they would both be doing within the kernel. ERP uses kernel-mode drivers as well. Both programs follow documented Windows API techniques that deal with intercepting specific calls that are made within the kernel. So that is almost guaranteed to cause conflicts and unpredictable behaviour. And who knows, it's hard to say if using two programs with similar kernel-mode operations could potentially cause problems or even make overall security less than what it might be if you were only running one.

I don't know as much about Secure Folders. But I do know that some users are using Bouncer together with Secure Folders and that it's working well for them. So it may just come down to the specific configuration of each program that determines whether or not the two programs would step on each other's toes, so to speak, or get along smoothly.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
I use Shadow Defender, but I'm not running in Shadow Mode when the problem occurs. I don't use Chrome. My log file is many pages long of unknown executable code detections. Florian said he is working on a build that will not alert the user to non-executable code.
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    I will respond to the other post, and pm's that I got later this evening. I have to take my car to the garage before they close.
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I spent a good portion of the day today trying to use Bouncer alongside some of the other programs that were thought to be causing conflicts with Bouncer.

    Returnil Quietzone (latest version from official site)

I could not reproduce any significant issues or weirdness between this program and Bouncer. I tried numerous reboots, restarting after any changes in Bouncer and/or this program. Everything worked as expected, with no weirdness in Bouncer logs/blocks.

    Toolwiz TimeFreeze (latest version from official site)

    Same as above with Quietzone, I was not able to reproduce any issues with TimeFreeze either. Again, numerous reboots, lots of changes between this program and also Bouncer, restarting after different changes, etc. No weirdness with this one either.

    VoodooShield (latest beta 2.71 from VS thread on Wilders)

    I was not able to reproduce any significant issues with VoodooShield either, no strange logs or strange blocking from Bouncer. Nothing got through to VoodooShield though because Bouncer intercepted and blocked first, so no blockages from VS.


    I was actually a bit disappointed that I couldn't find any issues or reproduce any of the mentioned conflicts. I put quite a bit of effort and time into making changes, restarting dozens of times, etc. And I really was hoping to narrow this down. Now, after the fact, I'm wondering if it would have made any difference if I had these other programs installed first, and installed Bouncer afterward. In my case, Bouncer was already installed and configured. Or, I also wonder if it may come down to specific configuration, since mine is already quite fine tuned. I really don't know. But hopefully the developer will figure something out and determine where this is coming from. From what I can tell, the issue has nothing to do with Bouncer, but has to do with a combination of another kernel level program together with Bouncer. I just hope that the root cause can be determined. I'll try again another day when I have some more time.
     
  10. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
I have an idea. It's a long shot; I'm trying to recognize a pattern here.

    @WildByDesign, can you please place, either the Bouncer setup file or an older version's extracted folder, at your Desktop (or, even better, inside a test folder like C:\Users\WildbyDesign\Desktop\Test) -> reboot -> give it 15+ minutes -> see if there is any strange log entry?

Rationale: IIRC, regardless of Bouncer's version, the only executables that get erroneously "detected" were/are the ones that are located inside the same folder/directory/level where Bouncer's extracted folder/setup file (new version) resides. Not sure about it, but worth the try, IMO.

    PS. Please, no need for apologies. Thank you for your interest and invested time.
     
  11. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    Thanks for replying.

Neither do I. Actually, it occurs regardless of TF's mode.

I see you are facing an additional problem (non-executable code). Mind if I ask what Florian's explanation of that is?
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome. And sure, absolutely I am happy to give it a try and see if that makes a difference.

    Just to clarify though, do you want me to also have the tray app (bouncertray.exe) and Admin Tool executable also running from this Test directory on the Desktop? Or just extracted folder/installer, but not actually running?

    I just wanted to get an idea of that first before I test it. And I will give it a try later today and report back.
     
  13. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    Just place either the Bouncer_Demo.exe or an extracted folder of a pre-installer version to a Desktop folder. Nothing else.

Come to think of it, it probably won't work. Do you remember where you launched Bouncer_Demo.exe from (or right-clicked its .inf file, if you are, by any chance, using a previous version)?

    My soon-to-be-busted theory ( :D ) is that Bouncer, for some reason, keeps filtering exes located in the directory where its installer/inf file got launched/installed. I know... Strange theory (caused by Bouncer's strange behavior).
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
What OS did you try to reproduce the conflict with? I used a build of VoodooShield that has not been released on Wilders yet. The build I used is supposed to fix a bug in the blacklist feature for CMD.exe. VoodooShield blacklists CMD.exe by default, and that is what is causing the conflict. It's possible that the bug in the build of VS you used prevented the conflict from occurring, since VS was allowing CMD.exe in that build when it was supposed to be blocking it.
     
    Last edited: May 28, 2015
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
I did install Bouncer from my external drive, which is K:\, and that is where most of the unknown executable code alerts are coming from. I have another external drive, which is I:\, on the same computer though, and I am getting a few alerts from it as well. I will test your theory though, and install Bouncer from the C drive next time instead of my external drive.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
Yes, I am facing the same problem. If you have time, please report it to Florian, because he thinks there is something odd happening on my machine. He is still trying to make sense of it, but he said he is making a build that will check the MZ header, which will filter out alerts for code that is not executable. I'm trying to find the email from him now that explained one of his theories. If more people report it, then there will be a greater chance of him locating what is causing the issue. He thinks it's a rare case, since no one else is reporting it, and he cannot reproduce it.
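The post above mentions a planned build that checks the MZ header so that alerts for files that are not executable can be filtered out. As an added illustration that is not Bouncer's code and not from the developer, the C routine below performs that kind of check on a file's leading bytes in user mode: it requires the DOS "MZ" signature, reads e_lfanew at offset 0x3C, and verifies that a "PE\0\0" signature sits at that offset inside the buffer. The sample inputs (a minimal PE header, an "MZ" file whose e_lfanew points outside the buffer, a text file, a JPEG header) are constructed here, and the names classify_image, build_pe_sample and build_mz_only_sample are assumptions. A kernel driver would read the image through the file object and would normally go further (optional header, machine type, section table) before treating a file as a loadable image.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts for a buffer holding the first bytes of a file (added example, not Bouncer's code). */
enum pe_verdict { NOT_EXECUTABLE = 0, MZ_ONLY = 1, PE_IMAGE = 2 };

/* Read a 32-bit little-endian value without relying on host endianness or alignment. */
static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify buf[0..len): NOT_EXECUTABLE (no usable DOS header), MZ_ONLY (DOS header but no
 * valid PE signature, e.g. a DOS program or a corrupt file), or PE_IMAGE. */
int classify_image(const unsigned char *buf, size_t len)
{
    /* IMAGE_DOS_HEADER is 0x40 bytes; anything shorter cannot be a loadable image. */
    if (buf == NULL || len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return NOT_EXECUTABLE;
    uint32_t e_lfanew = rd32le(buf + 0x3C);
    /* Only a bounds check: Windows tolerates an e_lfanew that overlaps the DOS header
     * (the "tiny PE" trick), so a lower limit would reject real images. len >= 0x40 here,
     * so len - 4 cannot underflow. */
    if (e_lfanew > len - 4)
        return MZ_ONLY;
    if (memcmp(buf + e_lfanew, "PE\0\0", 4) != 0)
        return MZ_ONLY;
    return PE_IMAGE;
}

/* Constructed, non-executable samples: plain text and the start of a JPEG stream. */
const unsigned char TXT_SAMPLE[] = "Just a text file, not code.\n";
const unsigned char JPEG_SAMPLE[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00 };

/* Constructed minimal PE: DOS header, "PE\0\0" at 0x40, and a 20-byte COFF header (x64). */
size_t build_pe_sample(unsigned char *out, size_t cap)
{
    const size_t total = 0x40 + 4 + 20;
    if (cap < total)
        return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = 0x40;                    /* e_lfanew = 0x00000040, little-endian */
    memcpy(out + 0x40, "PE\0\0", 4);
    out[0x44] = 0x64; out[0x45] = 0x86;  /* Machine = IMAGE_FILE_MACHINE_AMD64 (0x8664) */
    return total;
}

/* Constructed "MZ" file whose e_lfanew points far outside the buffer (corrupt or DOS-only). */
size_t build_mz_only_sample(unsigned char *out, size_t cap)
{
    const size_t total = 0x40;
    if (cap < total)
        return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    memset(out + 0x3C, 0xFF, 4);         /* e_lfanew = 0xFFFFFFFF */
    return total;
}

int main(void)
{
    static const char *names[] = { "not executable", "MZ only", "PE image" };
    unsigned char buf[128];
    size_t n;

    n = build_pe_sample(buf, sizeof buf);
    printf("pe sample:      %s\n", names[classify_image(buf, n)]);
    n = build_mz_only_sample(buf, sizeof buf);
    printf("mz-only sample: %s\n", names[classify_image(buf, n)]);
    printf("text sample:    %s\n", names[classify_image(TXT_SAMPLE, sizeof TXT_SAMPLE - 1)]);
    printf("jpeg sample:    %s\n", names[classify_image(JPEG_SAMPLE, sizeof JPEG_SAMPLE)]);
    return 0;
}
```

The check looks at content, not at the file extension, which is the point of the filter described in the post: an installer renamed to .txt still classifies as a PE image, while a .txt or .jpg whose bytes are not a DOS/PE header does not.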
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    Florian confirmed the bug with the Admin Tool not showing .dll files when it should be. He said he has already fixed it in an internal build.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
I rolled my computer back to an image from before I ever installed Bouncer. Then I installed Bouncer from my desktop instead of my external drive. Bouncer immediately started logging unknown code executions for my files on my external drive. I guess we can exclude your theory as a possible cause. Are you using Eset Smart Security or NOD32, by any chance?
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,361
    Location:
    U.S.A. (South)
Good deal, and nice catch on that, as well as alerting the dev. I like his response, and it's a pretty good bet he likes any potential issues being brought up so he can correct them.

    I may wait until the next version to test again since As-Is it does seem to run stable enough so any bug fixes etc will be welcome. I want to get enough of Secure Folders out of my system in the interim.
     
  20. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Thank you to those who found the .dll issue in the Admin Tool file selector and for reporting. As already mentioned, it is fixed in internal builds and there will be an updated release this weekend. The release will fix the .dll selector issue in Admin Tool and also the Admin Tool selector will have the ability to select multiple folders or multiple files at a time as well which will be quite handy.

I will take responsibility for the .dll issue in Admin Tool's file selector slipping through during testing. I thought that I had tested it from every angle possible for months. I had tested Admin Tool many times for adding executables and folders as well, yet somehow did not test adding individual .dll files. I have still always preferred editing my config with Notepad++, and that is what I used most often, so that is likely why I let this one slip through.

    The good thing is that with more users running Bouncer now, more bugs can be found and Florian is pretty quick to fix things and this will be good for everyone.
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
I've got some details from the developer regarding CE's issue, and as I understand it, CE has also been communicating with Florian as well. So CE probably has similar detail from him. The interesting thing is, although CE's issue seems to be related to .txt and .jpg files, there may be a similar connection to your problem as well, although yours is affecting .exe files, even though those executables are not even being run. I'm assuming there may be some similarities here.

    Anyway, from the developer (specific to CE's problem, but may relate to you):

    Florian understands things from a kernel perspective and he's always been a brutally honest person. I personally don't understand how things work specifically within the kernel, so I can only assume. But this looks like a scary thought, which other kernel level program would be putting these files up for execution, and why. And whichever program that is doing that, I'm wondering if that is expected behaviour for that particular program or if maybe that is a bug that is potentially putting users at risk.

    Regardless, I am still hoping that we can narrow this down and figure out the source(s) of conflict.
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
Most of the files that Bouncer is alerting me to for unknown code execution are .exe files that are installers located on my external drive. I have pages of alerts in the log files for my .exe installers on my external drive. It has literally inventoried about half the files on my drive. I'm also getting unknown code execution alerts for .txt and .jpg files as well. Florian seemed more puzzled about why this would occur. I have not uninstalled Eset Smart Security yet. I will try that next. The only other thing I know to do is reformat completely, and it takes forever to get one's machine back the way they like it after reformatting. Downloading all the updates alone takes considerable time with my slow internet connection.

    It might help me narrow down the problem if Florian makes Bouncer log the time, and date for each log entry. I could run a few monitoring tools, and see if I can capture anything matching up with the times the events occurred.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
    I just sent Florian an email recommending that Bouncer log the date, and time in the log for each event. I think it would be very helpful when troubleshooting.
     
  24. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Wild

    So you were able to install bouncer with Quietzone enabled? With no driver error?
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
I don't think Bouncer has alerted me to any unknown executable code since I turned my computer on about 30 minutes ago. I would normally already have received 60-100 events in the log by now. The only thing I did was unplug my drives' USB cords from my computer while it was shut down overnight, and boot my computer without them plugged in. I plugged them back in about 5 minutes after the desktop loaded. I did one reboot, and no alerts so far. I will report back when/if the alerts begin to flood me again.
     