Advice Request Excubits Bouncer Questions/Comments


AtlBo

Level 28
Thread author
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
On the advice of hjlbx I installed the trial version of Bouncer by Excubits. It's a limited trial that the developer says limits only the size of the configuration file. However, I can't seem to save the configuration, so it seems maybe that is a limitation, too, but I am not sure.

On the program, I like what I see in that there is the potential for 100% custom behavior control. This opens a new door for me, but I have some questions about what Bouncer is reporting in the log. Here are some entries that I couldn't explain. These are parent>child blocks:

Code:
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > H:\Configs\PortableApps\PortableApps.com\PortableAppsUpdater.exe
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Users\########\Downloads\privatefirewall.exe
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Users\########\AppData\Local\id Software\quakelive\quakelive.exe
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Users\########\Downloads\LibreOfficePortable\App\libreoffice\program\soffice.bin
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Users\########\Downloads\LibreOfficePortable\App\libreoffice\program\soffice.exe

In the downloads folder I am keeping a number of installers for various reasons, but none of them are dangerous. The question is why is svchost.exe seeking to access these files? Does this have some remote connection to the a-v making use of svchost somehow? I use 360 TS, and there are a number of associated services. I was curious if this was an attempted scan by the a-v.

Whatever it is, I like what I am seeing in concept from Bouncer. If a program uses Windows somehow to accomplish things, there is the opportunity to see first hand what is actually happening...or at least enough so to preempt a problem.

There are issues, since by default Bouncer allows Windows to do anything with any other component of Windows. Also, programs are allowed to do anything with Windows. This can be tailored with blacklisting of behaviors, but that means knowing the potential dangers in advance. If all of the program files areas are pre-allowed to use Windows processes at will, there isn't any reason to believe that Bouncer will catch much of anything in its default state.

Wildcards are the ace in the hole, and I will be studying hard to see how I can use them to blacklist behaviors that occur between programs and Windows processes.

Not sure, but I think Bouncer opens a Pandora's box of security issues. The example I can think of is that of a process that opens a process without intervention from Bouncer, and then the second process by some design opens a third process that is somehow configured in Bouncer to be blocked. Well, then Bouncer reports only the activity of the 2nd process (or does it skip everything in between?). The actual initiator of the "string" of activity is never revealed, because the log will only show the activity of the 2nd process. The biggest problem with this is that Bouncer's testing mode would not be as revealing as it could otherwise be. Running Bouncer only to report in the log without taking any action wouldn't actually reveal the real nature of an issue. So if I want to block everything in a folder somewhere in a program files area and then I test to see what will happen, I'm not sure I will even be able to see 100% accurately what is happening. That could mean that I am not able to make firm deny commitments without risk of breaking programs and maybe even Windows functionality with Bouncer in normal protection mode.

I still think this could be very useful. Thanks for the information, and I will be working with it at least for a week or two. I'm kind of addicted already.

BTW, for anyone using the program, this is not easy to learn to work with, and there seem to be very inconvenient aspects to the DEMO. That said, I am sticking to Allow rules until I understand more about how Bouncer works. The blacklist (Deny) rules override all Allow rules, so they are super powerful. Gonna try to soak it all in...
 
  • Like
Reactions: bribon77

hjlbx

@AtlBo

Bouncer is restriction policy-based security soft.

The demo's only limitation is the number of rules you can create. I believe it is 10.

You have to create the rules yourself.

You have to experiment with it. You must be patient and stick with it for longer than a week or two.

You will see what I mean...
 
  • Applause
Reactions: Handsome Recluse

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
In the more recent versions, there is no limit on the number of rules, but there is a size limit of 5 kb on the config file. That can contain a lot of rules, if you write them concisely. It comes with a default set of rules to get you started out.
 

dinosaur07

Level 12
Verified
Top Poster
Well-known
Aug 5, 2012
572
This software caught my attention some time ago but the lack of a GUI made me postpone an analysis of it. I find it interesting but I am curious to know how much time and patience one needs to configure it well. :)
 
  • Like
Reactions: bribon77 and shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
This software caught my attention some time ago but the lack of a GUI made me postpone an analysis of it. I find it interesting but I am curious to know how much time and patience one needs to configure it well. :)
If you have never actually used an Excubits product before, you will need to read the manual and get the basic concepts under your belt. You can't just jump in and start swimming.
It is kind of painstaking, and you might even say frustrating, to configure it properly. There are certain details that you need to do exactly right, or they won't work at all. But once you understand it, you will love it.
 

bribon77

Level 35
Verified
Top Poster
Well-known
Jul 6, 2017
2,392
I have read something about this program but I do not understand it. Has someone done a good tutorial? :giggle:
 
  • Like
Reactions: Nevi

Deckard

Level 1
Verified
Feb 20, 2019
41
I have read something about this program but I do not understand it. Has someone done a good tutorial? :giggle:
I don't know if there is a tutorial on it.
There is a thread on another forum, with 75 pages on the subject.
The whole thing is to go through it step by step, with patience. Do not activate Lethal mode as long as you have alerts and therefore lines in the log file. Once things stabilize, let's say 3 days without an alert, you can consider activating Lethal mode.
Each time you have a new line in the log file, you must search for why, which, and what modification/addition should be made in the configuration file.
DismHost.exe is annoying but once this is settled, the rest is rather amusing and informative. You can have fun customizing your rules according to your desires, to be more or less restrictive, more or less optimized. As often, a simple and not too heavy configuration file is the best solution imo.

I fully agree with shmu26. Read the manual and re-read it during your configuration work, as the things indicated will seem clearer to you.
 

Deckard

Level 1
Verified
Feb 20, 2019
41
...
Here are some entries that I couldn't explain. These are parent>child blocks:

Code:
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > H:\Configs\PortableApps\PortableApps.com\PortableAppsUpdater.exe
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Users\########\Downloads\privatefirewall.exe
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Users\########\AppData\Local\id Software\quakelive\quakelive.exe
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Users\########\Downloads\LibreOfficePortable\App\libreoffice\program\soffice.bin
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Users\########\Downloads\LibreOfficePortable\App\libreoffice\program\soffice.exe

In the downloads folder I am keeping a number of installers for various reasons, but none of them are dangerous. The question is why is svchost.exe seeking to access these files? Does this have some remote connection to the a-v making use of svchost somehow? I use 360 TS, and there are a number of associated services. I was curious if this was an attempted scan by the a-v.

...
Maybe yes. Maybe you have an app which uses svchost.exe and this app accesses other apps.
svchost is like a spider in Windows.
If you have in your [WHITELIST]
C:\Windows\*
H:\Configs\PortableApps\*
(or H:\Configs\PortableApps\PortableApps.com\PortableAppsUpdater.exe)

Your first line is solved and you can tackle the next one :)
Good luck.
 
  • Like
Reactions: shmu26 and bribon77
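As an added illustration of the rule-checking idea in the reply above (this is neither Bouncer's own matching engine nor the poster's code), the Python helper below parses log lines in the format quoted in this thread and reports which parent > child pairs would be covered by candidate allow/deny wildcard patterns. It assumes a simplified matcher: `*` matches any characters including path separators, comparison is case-insensitive, both parent and child must be allowed, and deny patterns win over allow patterns, as stated earlier in the thread.

```python
import fnmatch
import re

# Constructed sample lines in the format quoted in this thread (user directory anonymised).
SAMPLE_LOG = r"""
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > H:\Configs\PortableApps\PortableApps.com\PortableAppsUpdater.exe
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Users\########\Downloads\privatefirewall.exe
*** excubits.com demo ***: C:\Windows\System32\svchost.exe > C:\Users\########\AppData\Local\id Software\quakelive\quakelive.exe
"""

# "*** <banner> ***: <parent> > <child>"; parent is matched lazily so the first " > " splits the pair.
LINE_RE = re.compile(r"^\*\*\* .*? \*\*\*: (?P<parent>.+?) > (?P<child>.+)$")


def parse_log(text):
    """Return (parent, child) pairs from demo-style log lines; non-matching lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((m.group("parent"), m.group("child")))
    return pairs


def _matches(path, patterns):
    # Assumed semantics: case-insensitive glob, '*' may span directory separators.
    return any(fnmatch.fnmatch(path.lower(), p.lower()) for p in patterns)


def classify(parent, child, allow, deny):
    """Deny patterns override allow patterns; a pair is allowed only if both sides are allowed."""
    if _matches(parent, deny) or _matches(child, deny):
        return "DENY"
    if _matches(parent, allow) and _matches(child, allow):
        return "ALLOW"
    return "UNEXPLAINED"  # would still show up in the log under these candidate rules


def audit(log_text, allow, deny):
    """Map every logged parent > child pair to its verdict under the candidate rules."""
    return [(p, c, classify(p, c, allow, deny)) for p, c in parse_log(log_text)]


if __name__ == "__main__":
    # The two whitelist entries suggested in the reply resolve the first line only.
    for parent, child, verdict in audit(SAMPLE_LOG, [r"C:\Windows\*", r"H:\Configs\PortableApps\*"], []):
        print(f"{verdict:12} {parent} > {child}")
```

Lines still reported as UNEXPLAINED are the ones to research next, one at a time, before considering Lethal mode.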

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
If you enable AdminByPass (new feature!) you don't need to run it for 3 days in non-lethal mode. Just do a couple restarts and run your basic software, and if the log is empty, go lethal. The rest of the stuff you can deal with as you go along.
With AdminByPass it is unlikely that critical processes will break.
 

Deckard

Level 1
Verified
Feb 20, 2019
41
If you enable AdminByPass (new feature!) you don't need to run it for 3 days in non-lethal mode. Just do a couple restarts and run your basic software, and if the log is empty, go lethal. The rest of the stuff you can deal with as you go along.
With AdminByPass it is unlikely that critical processes will break.
Thank you for the information. I had read a few lines on the subject but without dwelling on it. It is indeed interesting!
Even with the latest version, in the original configuration file, [ADMINBYPASS] is not visible and we have to add it manually, apparently. Is it the same for you? (paid version, with the Bouncer driver signed on March 10, 2019).
 
  • Like
Reactions: shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Thank you for the information. I had read a few lines on the subject but without dwelling on it. It is indeed interesting!
Even with the latest version, in the original configuration file, [ADMINBYPASS] is not visible and we have to add it manually, apparently. Is it the same for you? (paid version, with the Bouncer driver signed on March 10, 2019).
Right. I downloaded the newest version of the free demo, and I did not find it in the config file, but it was mentioned in the manual.
 
  • Thanks
Reactions: Deckard

yarr

Level 2
Verified
Jul 5, 2018
52
I have a friend that somehow always messes up one of our guest PCs. Can Bouncer be used in a sense like kiosk mode? I'd like to blacklist everything but games and OS/game/security updates. Basically turn those PCs into gaming consoles lol
 