Bouncer - Discussion & Support Thread

vertigo

Level 2
Verified
Mar 18, 2018
75
As far as the random detections go, I made the mistake of testing out the VIPRE Rescue Tool (I won't ever use anything from that company after that except as a last resort), which quarantined many files while leaving other, similar ones alone. For example, I had a bunch of Android .apk files from old backups, and it would say one version of an app was infected while another version or two it would ignore. I thought that was quite strange.

And I'm in agreement with Opcode: it wouldn't surprise me if some of the AV companies are intentionally flagging it for competitive reasons, but I doubt that's the case for most of them. I doubt this program is a big enough presence for them to care about at all, especially the bigger companies. I could be entirely incorrect, but I suspect it has to do with their software thinking Bouncer is malware based on what it does and how it does it, not taking into consideration the reasoning for it. In fact, Bouncer being such a low-profile program probably not only means it doesn't get attention from the big players for competitive reasons, but also that it most likely doesn't get attention for making sure it's white-listed to prevent being flagged for what would be suspicious coding and behavior if not for its purpose. Similarly, I suspect the reason many/most AV programs aren't flagged by most of the others, despite their nature, is white-listing. And Bouncer probably just didn't make the list.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Bouncer came out with a new version a short while ago; it has a new feature called AdminByPass. When enabled, the rules will not apply to processes running at admin or system privileges (similar to SRP). So you don't have to worry that you are messing up Windows processes and updates etc.

The free demo version allows up to 5 KB of text in the config file, as usual. That's a lot, if you know how to cut out the fat.


I had a weird issue that the automatically installed config was mysteriously missing C: at the beginning of the path, in a couple places, but it was easy to see and easy to fix. After that, it worked right.

For those unfamiliar with Bouncer, it is a powerful anti-exe program that runs totally as a kernel driver. It doesn't run exe files or services, other than the optional system tray icon. If you want it to do more than the default config, which is kinda minimal, you just write whatever rules you want, in the config file.
Bouncer controls not just exe files but also dlls and drivers. That's unique.
You can add any number of LOL bins. You can use the famous Excubits list.
This program has a learning curve. It needs patience to set it up and get the hang of it. It's not for people who want to click a few buttons and say goodbye.
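A small linter for a Bouncer-style text config, added here as an example and not Excubits' code; it checks the two things the post above mentions, the demo's 5 KB limit and path rules that have lost their `C:` prefix. The section header names, the sample rules and the `DEMO_CAP_BYTES` constant are assumptions or constructed values, not taken from Bouncer's documentation.

```python
import re

DEMO_CAP_BYTES = 5 * 1024  # free demo limit quoted in the thread

# Constructed sample config; section names are assumed, not from Excubits docs.
# One WHITELIST rule has lost its "C:" prefix, the symptom described above.
SAMPLE_CONFIG = r"""
[WHITELIST]
*>*
C:\Windows\*
\Users\alice\AppData\Local\Programs\Brave\brave.exe
[BLACKLIST]
*\temp\*.dll
[CMDBLACKLIST]
*rundll32.exe*
[EOF]
""".strip() + "\n"
SECTION_RE = re.compile(r"^\[#?([A-Z0-9]+)\]$")
# A path rule is rooted if it starts with a drive letter, a wildcard, or a UNC prefix.
PATH_OK_RE = re.compile(r"^(?:[A-Za-z]:|\*|\?|\\\\)")


def parse_config(text):
    """Return {section: [rule, ...]} in file order, ignoring blank lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"rule before any section header: {line!r}")
        sections[current].append(line)
    return sections


def lint(text, path_sections=("WHITELIST", "BLACKLIST")):
    """Return findings: config over the demo cap, and path rules without a root."""
    findings = []
    size = len(text.encode("utf-8"))
    if size > DEMO_CAP_BYTES:
        findings.append(f"config is {size} bytes, over the {DEMO_CAP_BYTES}-byte demo cap")
    for section, rules in parse_config(text).items():
        if section in path_sections:
            for rule in rules:
                if not PATH_OK_RE.match(rule):
                    findings.append(f"[{section}] rule has no drive or wildcard prefix: {rule}")
    return findings
```

Run `lint(open("bouncer.ini").read())` against your own config before loading it into the driver; a rooted-path finding is exactly the missing-`C:` case, and a size finding means the demo will not accept the file.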
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Anyone have rundll32 on the CMDBLACKLIST ?
If so, what rule do you use, and how do you whitelist Windows command lines?
 

Deckard

Level 1
Verified
Feb 20, 2019
41
Anyone have rundll32 on the CMDBLACKLIST ?
If so, what rule do you use, and how do you whitelist Windows command lines?
I can't help.
I don't use CMDCHECK. It decreases responsiveness on my PC and adds latency when launching applications. Not dramatically, but still. So I did not even try to work with it. Without it (and without SHA256), Bouncer has virtually no impact.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I can't help.
I don't use CMDCHECK. It decreases responsiveness on my PC and adds latency when launching applications. Not dramatically, but still. So I did not even try to work with it. Without it (and without SHA256), Bouncer has virtually no impact.
Thanks for the info, I didn't realize it has that kind of impact.
I was using Bouncer last week, and in fact, I did feel a performance penalty.
This week I ran it with
Code:
*>*
in the whitelist and nothing in the blacklist, because I am using Hard_Configurator (SRP). But I had entries in the cmdblacklist.
This week, it felt lighter than last week.
Perhaps the combination of the two types of protection is the problem?
 

Deckard

Level 1
Verified
Feb 20, 2019
41
...
Perhaps the combination of the two types of protection is the problem?
Maybe you know AppTimer?
If you don't know this app, I recommend you test with several very different applications to get a good overview of the performance. For example, an image viewer, a PDF editor and a video viewer, or other apps matching your most common and significant use.
AppTimer will save the data to a log file and you will be able to compare.
Today, I bought AppGuard Solo. I had not used AppGuard for years. The app has become very expensive but it's a good app (some think that ALL apps suck but it does not matter :D ).
Like Bouncer in some conditions (heavy config file, with SHA256 and CmdLineCheck), AppGuard is very light in memory and CPU but can bring latency (measured with AppTimer), sometimes more than many antivirus products; however, these latencies occur only when launching apps, and for the rest of the time, the OS is like a feather.

E.g., for PDF-XChange Editor, on my i7 with a Samsung 950 Pro NVMe drive:

With Cylance, around 0.4840 second
With DrWeb, around 0.5305 second
With AppGuard Solo, around 0.5610 second
BUT, with Sophos Home Premium, around 0.5805 second

Not a big deal, yes, but if we speak in percentages and not in seconds, well, we see that nearly any security application brings its own overhead.
For Bouncer, it varies according to the configuration file.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I think that the dll monitoring is what makes Bouncer slow sometimes. If you monitor exe files, and whitelist the other file types, it seems to perform much better.
 

Glashouse

Level 4
Verified
Well-known
Jun 4, 2017
174
I think that the dll monitoring is what makes Bouncer slow sometimes. If you monitor exe files, and whitelist the other file types, it seems to perform much better
I can just second this, it really depends on your config. Using the full version and having a big config file with parent checking and all the other stuff active adds delay to every app start.
In the past, I played with Bouncer + MemProtect + Pumpernickel and the delay was pretty heavy (measured with AppTimer).
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Right now, I am running Bouncer with all modules enabled, but I am blocking dlls only in temp folders
*\temp\*.dll
I don't have a noticeable delay when launching apps.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I have most of the paid excubits apps and like them but currently, I am using H_C and it works quite well, so I don't see the need for bouncer now.
Yes, H_C does it. Great tool. I am using H_C also. I use Bouncer just to satisfy my paranoid side, so I can block a few LOL bins that H_C doesn't cover, and also to monitor rundll32. I can't say I truly need it, but it makes me happy. :)
 

Glashouse

Level 4
Verified
Well-known
Jun 4, 2017
174
I don't have a noticeable delay when launching apps.
I just tried it on my main system, which is a fast i7...
For me it adds 0.5 seconds to the start of Brave Browser, which is a lot.
Active are commandline checks and everything is whitelisted except a bunch of LOLs...

Strange that you are not noticing delays....
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I just tried it on my main system, which is a fast i7...
For me it adds 0.5 seconds to the start of Brave Browser, which is a lot.
Active are commandline checks and everything is whitelisted except a bunch of LOLs...

Strange that you are not noticing delays....
If half a second is a lot to you, then that's the answer. My system is not as fast as yours in the first place, so I don't count split seconds.
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
People don't want to use SRP, let alone type the rules in a txt file without a GUI. This tool is not for 99.99% (a lot more 9s, I didn't want to type them) of home users. People wouldn't use it even if it was free, but at €39 for a year of updates it sounds like a joke to even debate it.
 

Glashouse

Level 4
Verified
Well-known
Jun 4, 2017
174
It is always up to you to decide if 39€ is worth it or not; I would never debate this :)
On MT there are lots of people very happy with free AVs and other free tools. Myself, I don't hesitate to pay for software that fits my needs!
 
