- Dec 29, 2014
On the advice of hjlbx I installed the trial version of Bouncer by Excubits. It's a limited trial that the developer says limits only the size of the configuration file. However, I can't seem to save the configuration, so it seems maybe that is a limitation, too, but I am not sure.
On the program, I like what I see in that there is the potential for 100% custom behavior control. This opens a new door for me, but I have some questions about what Bouncer is reporting in the log. Here are some entries that I couldn't explain. These are parent>child blocks:
Code:
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > H:\Configs\PortableApps\PortableApps.com\PortableAppsUpdater.exe
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Users\########\Downloads\privatefirewall.exe
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Users\########\AppData\Local\id Software\quakelive\quakelive.exe
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Users\########\Downloads\LibreOfficePortable\App\libreoffice\program\soffice.bin
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Users\########\Downloads\LibreOfficePortable\App\libreoffice\program\soffice.exe
In the downloads folder I am keeping a number of installers for various reasons, but none of them are dangerous. The question is: why is svchost.exe seeking to access these files? Does this have some remote connection to the a-v making use of svchost somehow? I use 360 TS, and there are a number of associated services. I was curious if this was an attempted scan by the a-v.
Whatever it is, I like what I am seeing in concept from Bouncer. If a program uses Windows somehow to accomplish things, there is the opportunity to see firsthand what is actually happening... or at least enough so to preempt a problem.
There are issues, since by default Bouncer allows Windows to do anything with any other component of Windows. Also, programs are allowed to do anything with Windows. This can be tailored with blacklisting of behaviors, but that means knowing the potential dangers in advance. If all of the program files areas are pre-allowed to use Windows processes at will, there isn't any reason to believe that Bouncer will catch much of anything in its default state.
Wildcards are the ace in the hole, and I will be studying hard to see how I can use them to blacklist behaviors that occur between programs and Windows processes.
Not sure, but I think Bouncer opens a Pandora's box of security issues. The example I can think of is that of a process that opens a process without intervention from Bouncer, and then the second process by some design opens a third process that is somehow configured in Bouncer to be blocked. Well, then Bouncer reports only the activity of the 2nd process (or does it skip everything in between?). The actual initiator of the "string" of activity is never revealed, because the log will only show the activity of the 2nd process. The biggest problem with this is that Bouncer's testing mode would not be as revealing as it could otherwise be. Running Bouncer only to report in the log without taking any action wouldn't actually reveal the real nature of an issue. So if I want to block everything in a folder somewhere in a program files area and then I test to see what will happen, I'm not sure I will even be able to see 100% accurately what is happening. That could mean that I am not able to make firm deny commitments without risk of breaking programs and maybe even Windows functionality with Bouncer in normal protection mode.
I still think this could be very useful. Thanks for the information, and I will be working with it at least for a week or two. I'm kind of addicted already.
BTW, for anyone using the program, this is not easy to learn to work with, and there seem to be very inconvenient aspects to the DEMO. That said, I am sticking to Allow rules until I understand more about how Bouncer works. The blacklist (Deny) rules override all Allow rules, so they are super powerful. Gonna try to soak it all in...
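Added example (not from the post and not Bouncer's own code): a Python script that parses parent > child lines in the demo's log format, applies a simplified wildcard rule model in which Deny overrides Allow and anything unmatched is denied (an assumption, not Bouncer's real rule syntax), and walks the recorded parents back to the initiator, which is exactly what the chain concern above needs in order to see who started a blocked launch. The log lines, the username and the rule sets are constructed, and the script assumes the log records every spawn event, not only the denied one.

```python
import fnmatch
import re

# Constructed sample in the demo's "parent > child" log format (the username
# and the last three lines are made up so that a chain reaches a denied target).
LOG = r"""
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Users\user\Downloads\privatefirewall.exe
*** excubits.com demo ***: C:\Windows\System32\services.exe > C:\Windows\System32\svchost.exe
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Program Files\Tool\updater.exe
*** excubits.com demo ***: C:\Program Files\Tool\updater.exe > C:\Users\user\Downloads\setup.exe
"""

# Simplified rule model (an assumption, not Bouncer's own config syntax):
# '*' wildcards, Deny beats Allow, and a path matching neither list is denied.
ALLOW = [r"C:\Windows\*", r"C:\Program Files\*"]
DENY = [r"C:\Users\*\Downloads\*"]

LINE = re.compile(r"^\*\*\* .*? \*\*\*: (.+?) > (.+)$")

def parse_log(text):
    """Return (parent, child) pairs from demo-style log lines; other lines are skipped."""
    return [m.groups() for m in map(LINE.match, text.splitlines()) if m]

def decide(path, allow=ALLOW, deny=DENY):
    """Deny rules override Allow rules; no match at all also means deny."""
    p = path.lower()
    if any(fnmatch.fnmatchcase(p, d.lower()) for d in deny):
        return "deny"
    if any(fnmatch.fnmatchcase(p, a.lower()) for a in allow):
        return "allow"
    return "deny"

def blocked_chains(edges, allow=ALLOW, deny=DENY):
    """For every denied spawn, walk the recorded parents back to the initiator."""
    parent_of = {child: parent for parent, child in edges}
    chains = []
    for parent, child in edges:
        if decide(child, allow, deny) != "deny":
            continue
        chain = [child, parent]
        # Follow parent links until the root; the cycle guard stops on repeats.
        while parent in parent_of and parent_of[parent] not in chain:
            parent = parent_of[parent]
            chain.append(parent)
        chains.append(list(reversed(chain)))
    return chains

if __name__ == "__main__":
    for chain in blocked_chains(parse_log(LOG)):
        print(" > ".join(chain))
```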