Auto protect applications
Rasheed187
October 2nd, 2005, 10:09 AM
Hi,
Is it possible to make PG scan all of the running processes at startup and then notify you that some applications/services are not yet protected? Because I totally forgot to add protection for two apps that I'm running all the time.
So that means that a trojan could modify the two apps that weren't protected yet, and all of my defence is kind of useless, right? I mean, now you have to keep track of all the apps that need protection yourself. ::)
WSFuser
October 2nd, 2005, 12:12 PM
PG will not scan for anything, tho it does have a default list of protected apps. u can run learning mode and if it needs permission like global hooks it will be added to the protected list. otherwise ull just have to add the apps manually.
Gavin - DiamondCS
October 3rd, 2005, 03:01 AM
Learning Mode should pick these programs up during a reboot. If not, the next new version might do better at detecting them anyway, even without additions to Learning Mode.
We are planning on including a slight addition to Learning Mode for the new version, it will check all current processes and add them too I believe. We are still making sure it's designed right and working right before including it in this upcoming version.
A few extra Windows services are also being added to the default list.
Rasheed187
October 11th, 2005, 06:02 PM
I never used the learning mode, I didn't know it added basic protection to each application you run. And I assume "basic protection" means protection from modification, right? Because now that I think of it, my request in the first post wasn't that smart, it's not just about processes that you run on startup, but also about new applications that you start, they need protection too.
But shouldn't PG just protect all processes from suspicious/malicious behaviour, without you having to add certain rules? And if PG gives protection to a malicious process it isn't a problem, right? Because all of your anti-malware tools should of course have the option to modify/terminate/read other processes, am I correct? ???
WSFuser
October 11th, 2005, 07:30 PM
like i said, PG's learning mode will first add processes to the security list and then if the process needs hooks or other permissions, it will also be added to the protection list. PG would first block processes from modifying another unless it has permission to modify apps, so it's not terribly crucial to have every executable protected. also if PG protected malware then ur security software should remove it (it may need permissions from PG to terminate apps) and then PG will remove the nonexistent (malware) file from its list.
Rasheed187
November 2nd, 2005, 11:35 AM
OK so let me get this straight, even if a process has no specific protection rule, it is still being protected by PG?
For me it seems logical that only certain services/apps that need to be able to do stuff, need certain privileges. And all other processes must not be allowed to do stuff of course.
So what I basically don't understand is why I need to protect for example IE.exe from modification, I mean it should have been protected anyway, right? ???
Gavin - DiamondCS
November 3rd, 2005, 11:56 PM
Nothing is protected unless it is in the list. This is why PG starts in learning mode and adds protection for Windows services and the programs you use.
Nothing OUTSIDE the list can interfere with PROTECTED programs. Only something on the list with ALLOW modify or ALLOW terminate for instance.
Something TRUSTED however, could still need to modify a protected program, hence the ALLOW options. Iexplore.exe might need to install a global hook, SMSS.EXE will need to modify another process.. sometimes these things happen.
Just a little additional info - the default list in the next version is a bit bigger, but most importantly we've verified all the places where REMOVING allow access for a critical process could cause a problem. PG now doesn't allow the removing of certain volatile ALLOW options for some Windows services, meaning no chance of blocking something Windows needs to start or for the user to login.
Gavin - DiamondCS
November 3rd, 2005, 11:58 PM
Oh.. and the one which might catch you out:
ANY PROCESS can modify any OTHER process, if neither are on the list. Put simply, ALLOW access is only needed if something wants to modify a PROTECTED process. As I said, something needs to be on the list to be protected.. otherwise anything can modify it for example.
It's all logical, right? :)
Rasheed187
November 4th, 2005, 12:19 PM
Well, it's a bit confusing. ::)
Shouldn't all processes be protected even though they are not on the protection list? Check out this scenario: I have 30 processes running, now I open fileBX.exe, this app isn't being protected. And let's say I get malware on my system, it keeps trying to inject code into other processes, finally it manages to do so in fileBX.exe, so now I'm compromised.
It seems logical to me that only your anti-malware tools and some Windows Services should be allowed to modify/terminate other processes (protected or not). Any other process should not be able to modify/terminate stuff, even if that stuff is not protected. So basically, I'm not seeing the point of the "protected from" column. Or am I missing something? :lurking:
SpikeyB
November 4th, 2005, 02:17 PM
-{ Quote: "I'm not seeing the point of the "protected from" column." }-
This is the way I understand it.
The protection list should contain important windows files which need to be protected from termination so malware can't mess with them and lock up your system. These files also need special privileges which allow them to access physical memory and install global hooks etc, so they also need to be protected from modification.
Then you have security applications protected so malware can't terminate them and stop them from doing their job. These programmes also have special privileges like the ability to terminate processes and so they also need to be protected from modification.
Next on my list come applications which need special privileges in order to operate properly e.g. web browsers seem to need to install global hooks.
Rightly or wrongly (I don't know which), I then add applications which have access to the internet. I protect these so malware can't mess with them.
It's a bit of a read but it's all explained much better by Andreas (see this thread: http://www.wilderssecurity.com/showthread.php?t=56848).
FirePost
November 4th, 2005, 03:20 PM
-{ Quote: "ANY PROCESS can modify any OTHER process, if neither are on the list. ... needs to be on the list to be protected.. otherwise anything can modify it for example. It's all logical, right? :)" }-
One can grasp the logic of the process easily enough. It is the reasoning behind it that eludes. How can this possibly be a good idea? Allowed free modification rights by default, malware is allowed full access to any inadvertently unlisted program. This limits the protection provided by PG to only listed programs.
-{ Quote: "As I said, something needs to be on the list to be protected.. otherwise anything can modify it for example." }-
This change in method forces an attempt to put EVERYTHING on the list to achieve the level of control currently provided. Is that not so? ???
It is more desirable that a process get permission to modify others and yet another to modify protected. THAT would be an improvement rather than a step back.
Modify processes -
Modify protected -
It is pouring rain and one is safely dry beneath an umbrella (currently). Now you come along and take the umbrella and hand over gloves (allow unless on list). You say, "At least your hands are still dry. And if you want your head dry put a hat on!"(add another to the list) ;)
SpikeyB
November 5th, 2005, 05:46 AM
You do not need to put all your processes on the protection tab.
If you tick all the Global Protection Options on the Main tab then no process can access physical memory or create global hooks etc.
The primary reason you add a process to the Protection tab is because it needs extra privileges to override the Global Protection Options. For example, the process may need to access physical memory in order to run correctly. To allow it to access physical memory, you add it to the Protection tab and give it permission to access physical memory.
This process now has extra privileges which allow it to do things on your system that other processes can't. If this process becomes modified by malware, then the malware also gains these extra privileges.
That is the reason why you need to protect your process from modification. So that the malware cannot modify it and gain the extra privileges.
justpassingthru
November 5th, 2005, 06:09 AM
Spikey, don't be mistaken: the ability to access physical memory does not map exactly to the ability to modify processes (such as DLL injection) or to terminate them.
-{ Quote: "The primary reason you add a process to the Protection tab is because it needs extra privileges to override the Global Protection Options. For example, the process may need to access physical memory in order to run correctly. To allow it to access physical memory, you add it to the Protection tab and give it permission to access physical memory.
This process now has extra privileges which allow it to do things on your system that other processes can't. If this process becomes modified by malware, then the malware also gains these extra privileges." }-
Yet, processes don't need "extra privileges" as defined by you to terminate processes or to modify them. Hence if you are worried about any/all processes from being terminated or otherwise modified, you will need to put them all in.
SpikeyB
November 5th, 2005, 06:49 AM
justpassingthru
I agree with you. If I don't put, for example notepad.exe on my protection list, then it can be terminated or modified. I don't see that as a problem though because I can't see how anything particularly bad can come from that.
However, I would put my antivirus on the protection list because it could be bad if it was terminated or modified.
I was just trying to explain why you would put applications on the Protection tab and why you don't need to put all your applications on it.
~~~~
November 5th, 2005, 07:18 AM
-{ Quote: "justpassingthru
I agree with you. If I don't put, for example notepad.exe on my protection list, then it can be terminated or modified. I don't see that as a problem though because I can't see how anything particularly bad can come from that.
However, I would put my antivirus on the protection list because it could be bad if it was terminated or modified.
I was just trying to explain why you would put applications on the Protection tab and why you don't need to put all your applications on it." }-
I disagree. As we all know, default deny is definitely safer than default allow. To expect people to know which apps to protect and to take time to do it is not a very good idea.
At the very least, I think any program that has wide unrestricted default allow rules in the personal firewall should be protected by PG. That can be a pretty long list.
SpikeyB
November 5th, 2005, 08:13 AM
I'm glad we are in agreement.
-{ Quote: "Rightly or wrongly (I don't know which), I then add applications which have access to the internet. I protect these so malware can't mess with them." }-
-{ Quote: "At the very least, I think any program that has wide unrestricted default allow rules in the personal firewall should be protected by PG. That can be a pretty long list." }-
FirePost
November 5th, 2005, 05:47 PM
-{ Quote: "You do not need to put all your processes on the protection tab." }-
-{ Quote: "As I said, something needs to be on the list to be protected.. otherwise anything can modify it for example." }-
If one wishes to prevent modification of processes (it is PROCESS guard) they MUST be placed on the list. There is no desire to reinstall or restore programs modified simply because they needed no "special" permissions.
SpikeyB
November 6th, 2005, 03:33 AM
-{ Quote: "If one wishes to prevent modification of processes (it is PROCESS guard) they MUST be placed on the list. There is no desire to reinstall or restore programs modified simply because they needed no "special" permissions." }-
It doesn't matter whether the process is on the Protection list or not. The file itself can still be modified on the hard drive. Although PG will alert you to the fact it has changed, you will still need to reinstall or restore.
I'm happy to concede the point on whether or not it's best to add all your programmes to the Protection tab but I'm not yet convinced of my error.
WSFuser
November 6th, 2005, 10:11 AM
-{ Quote: "Oh.. and the one which might catch you out:
ANY PROCESS can modify any OTHER process, if neither are on the list. Put simply, ALLOW access is only needed if something wants to modify a PROTECTED process. As I said, something needs to be on the list to be protected.. otherwise anything can modify it for example.
It's all logical, right? :)" }-
i thought pg would block any process from modifying another unless u gave it permission?
FirePost
November 6th, 2005, 08:32 PM
-{ Quote: "i thought pg would block any process from modifying another unless u gave it permission?" }-
You see the point I was making.
-{ Quote: "Although PG will alert you to the fact it has changed," }-
No. Actually it will not unless it is on the list. We are talking about the NEW version which changed things. Read what Gavin is saying again.
-{ Quote: "I'm happy to concede the point on whether or not it's best to add all your programmes to the Protection tab but I'm not yet convinced of my error." }-
Do not concede. ;) I agree that putting all the programs on the list is ridiculous. Your error is arguing the wrong point perhaps. To get the same level of protection as now, you HAVE to put everything in the list with the change Gavin mentioned.
Okay... I was arguing the wrong point. Thank you for the clarification ;)
Gavin - DiamondCS
November 6th, 2005, 11:07 PM
There is no change, this is how it has always been ???
You only really need to protect applications which can be terminated, or might be modified in order to cause harm (like injection into a process to bypass your firewall)
Notepad.exe is the classic example. There is no reason to protect it at all. It won't have internet access, terminating it in memory will have no effect on your machine except notepad closes.
This is about security - stopping injection trojans, rootkits, and other malware which is far too easily modified or privately built to avoid detection by antivirus/antitrojan scanners.
Follow the step by step setup guide in the help file, you should then have all running processes protected, all Windows services, your firewall and antivirus, other security programs.
An OUTSIDE influence is the risk - some unknown, untrusted program. It cannot mess with your security programs, it cannot inject into your browser. Protecting this UNKNOWN file is the OPPOSITE of what you want!
Rasheed187
November 9th, 2005, 04:38 PM
OK, so you don't need to protect all running processes from modification? I understand that termination of certain processes isn't a big deal but I thought that malware could still do damage by injecting code into other processes. But only apps with access to the internet should be protected from modification, I assume.
And while we're at it, can someone perhaps explain to me what "process modification" exactly means? Because it seems that I don't quite understand the concept of it. I assume that trojans will not try to hide in just any process, but only in processes where they can achieve something, like hiding from the firewall to gain Internet access? ???
And about: "An OUTSIDE influence is the risk - some unknown, untrusted program. It cannot mess with your security programs, it cannot inject into your browser. Protecting this UNKNOWN file is the OPPOSITE of what you want!"
I thought that this wouldn't be a big deal since your anti-malware tools should be able to terminate/modify/read all other processes, right?
Gavin - DiamondCS
November 9th, 2005, 10:49 PM
Which is why you wouldn't want to protect "every" program..
Modification means use of certain functionality to change a process in memory. Changing one byte can mean the program behaves differently, this is modification. Injecting a whole new thread (program) into the space of another and then starting it, is also modification.
You can protect more if you like, but trojans don't inject into notepad (for example). For that matter, if someone had notepad ALLOWED to access the internet.. then they have more problems than understanding PG, they need to secure other areas of their machine first.
~~~~~
November 10th, 2005, 05:19 AM
-{ Quote: "There is no change, this is how it has always been ???" }-
Indeed.
-{ Quote: "You only really need to protect applications which can be terminated, or might be modified in order to cause harm (like injection into a process to bypass your firewall)" }-
True, but this relies on the user being aware of what types of applications require protection. For example, anything that can connect outwards through the firewall certainly needs to be protected. This means anything from browsers to instant messengers to email clients. Security-type programs too.
It seems to me that for the novice, protecting all applications is easier.
-{ Quote: "An OUTSIDE influence is the risk - some unknown, untrusted program. It cannot mess with your security programs, it cannot inject into your browser. Protecting this UNKNOWN file is the OPPOSITE of what you want!" }-
I think protecting these unknown files so that they are protected from modification or termination is harmless, as long as your security programs have the correct privileges to terminate/modify them.
NoHolyGrail
November 15th, 2005, 04:14 PM
By using the block new processes option, it would essentially also remind you to choose protection (and/or permissions) for every process you forgot about.
Or am I mistaken? The block new processes option intrigues me. (Aren't almost all attacks process-based anyway? Even if you get a virus or something, this would protect you until you can disinfect with an antivirus.)
Disciple
November 15th, 2005, 04:50 PM
-{ Quote: "By using the block new processes option, it would essentially also remind you to choose protection (and/or permissions) for every process you forgot about.
Or am I mistaken? The block new processes option intrigues me. (Aren't almost all attacks process-based anyway? Even if you get a virus or something, this would protect you until you can disinfect with an antivirus.)" }-
From the PG help file, section Features Overview > Protections Settings:
3. Block new and changed applications
Any application which you haven't allowed to always start will be blocked from running without a user confirmation when this option is enabled. (Some emphasis added by me)
This is useful on a system:
that NEVER changes
in a controlled environment where administration is not in the user's control (corporate)
the user has a thorough understanding of what this feature will do (i.e. block without a warning)
If I could ever learn to quit tweaking my systems :o , I would probably enable this setting.
Rasheed187
November 18th, 2005, 06:40 PM
So the best way to set up PG is:
1. Allow only certain processes (Windows OS services and anti-malware) to modify/terminate/read protected apps and (if necessary) allow them to install global hooks, services/drivers (+ access physical RAM).
2. Protect important apps (Internet apps + services/anti-malware) from termination/modification.
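To make the rules argued over in this thread concrete (Gavin's "nothing outside the list can interfere with PROTECTED programs", the Global Protection Options SpikeyB describes, and the setup summarised just above), here is a small policy model written for this page; it is not ProcessGuard's own code, and every process and privilege name in it is constructed. The `default_deny` switch goes beyond PG as described and models FirePost's proposal of a separate "modify processes" right.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Actions against another process: an ALLOW flag is needed only against a PROTECTED target
PROCESS_ACTIONS = ("modify", "terminate")
# Actions governed by the Global Protection Options on the Main tab
GLOBAL_ACTIONS = ("global_hook", "physical_memory")
# Volatile ALLOW options PG refuses to remove from some Windows services (constructed set)
LOCKED = {"smss.exe": {"modify_protected"}}


@dataclass
class Policy:
    # Protection tab: process name -> set of ALLOW privileges (privilege names are mine)
    protected: dict[str, set[str]] = field(default_factory=dict)
    # Ticked Global Protection Options; a ticked option means only a listed process
    # holding the matching privilege may perform that action
    global_options: set[str] = field(default_factory=lambda: set(GLOBAL_ACTIONS))
    # False: PG as Gavin describes it (unlisted targets may be touched by anyone).
    # True: FirePost's proposal, where "<action>_any" is a separate privilege.
    default_deny: bool = False

    def _has(self, actor: str, priv: str) -> bool:
        return priv in self.protected.get(actor, set())

    def allowed(self, actor: str, action: str, target: str | None = None) -> bool:
        """Decide whether `actor` may perform `action` (on `target`, if any)."""
        if action in GLOBAL_ACTIONS:
            if action not in self.global_options:
                return True                      # option not ticked: nothing is checked
            return self._has(actor, action)
        if action not in PROCESS_ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if target in self.protected:             # only listed actors with ALLOW may touch
            return self._has(actor, f"{action}_protected")  # a PROTECTED process
        if self.default_deny:
            return self._has(actor, f"{action}_any")
        return True      # "ANY PROCESS can modify any OTHER process, if neither are on the list"

    def revoke(self, process: str, priv: str) -> bool:
        """Remove an ALLOW option; refused for the locked Windows-service options."""
        if priv in LOCKED.get(process, set()):
            return False
        self.protected.get(process, set()).discard(priv)
        return True


def thread_policy(default_deny: bool = False) -> Policy:
    """The setup Rasheed187 summarises: OS services and anti-malware may act on protected
    apps; internet-facing apps and security tools are protected. Names are constructed."""
    return Policy(protected={
        "smss.exe": {"modify_protected"},
        "antivirus.exe": {"modify_protected", "terminate_protected",
                          "modify_any", "terminate_any"},
        "firewall.exe": set(),                   # protected, no extra rights
        "iexplore.exe": {"global_hook"},         # protected; needs its global hook
    }, default_deny=default_deny)


def scenario(default_deny: bool = False) -> dict[str, bool]:
    """The cases argued in the thread; malware.exe and fileBX.exe are not on the list."""
    p = thread_policy(default_deny)
    return {
        "malware injects into iexplore": p.allowed("malware.exe", "modify", "iexplore.exe"),
        "malware injects into fileBX": p.allowed("malware.exe", "modify", "fileBX.exe"),
        "malware kills antivirus": p.allowed("malware.exe", "terminate", "antivirus.exe"),
        "antivirus kills malware": p.allowed("antivirus.exe", "terminate", "malware.exe"),
        "malware sets global hook": p.allowed("malware.exe", "global_hook"),
        "iexplore sets global hook": p.allowed("iexplore.exe", "global_hook"),
        "iexplore modifies firewall": p.allowed("iexplore.exe", "modify", "firewall.exe"),
        "smss loses modify right": p.revoke("smss.exe", "modify_protected"),
    }
```

With `default_deny=False` the fileBX.exe case from Rasheed187's scenario comes out as allowed, which is exactly the gap the thread is about; with `default_deny=True` it is refused while the anti-malware tool keeps its terminate right.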
Rasheed187
November 18th, 2005, 06:44 PM
Btw, personally I would never use the "execution protection" feature because I don't want to be bothered with a lot of popups. ;)
And isn't this correct? I would like to get a reaction from the developers, TIA :):
"I think protecting these unknown files so that they are protected from modification or termination is harmless, as long as your security programs have the correct privileges to terminate/modify them."
SpikeyB
November 19th, 2005, 03:50 AM
-{ Quote: "I think protecting these unknown files so that they are protected from modification or termination is harmless, as long as your security programs have the correct privileges to terminate/modify them." }-
Sorry, I'm not a developer.
The fact that you have an unknown file on your protection list means that it must also be unknown to your security apps (otherwise they would have alerted you to its presence already). So the debate over which files have which permissions is irrelevant. Your security apps (whatever their permissions) will not do anything to the unknown file (whatever its permissions) because your security apps don't know what it is.
The problem becomes is this unknown file legitimate or not? If not, then it shouldn't be on your computer, let alone in your protection list. If it is legitimate, then you can decide if it should be on the protection list and what permissions to give it.
~~~~
November 19th, 2005, 07:32 AM
Spikeyb. It's easy to think that all apps come in 2 versions, obviously bad, obviously good, but in reality things are not so clear. Also it's not clear cut that your antivirus will immediately detect something as being bad. For example you could have a browser that is initially clean but will try to download a virus say on your 40th execution of it.
In any case, any app that is classed as probably good with a small chance of being evil does not gain anything from being protected from modification/termination if it does turn out to be evil later, if all other "good" software that might have handled it is given the permission to modify/terminate it.
You do not however want to give them other privileges such as access to physical memory, or rights to modify or terminate other protected apps.
SpikeyB
November 19th, 2005, 11:19 AM
Hi ~~~~
I think you are probably right with a small chance of being wrong :) .
~~~~~
November 19th, 2005, 12:29 PM
Well if you look at appdefend, it is exactly based on that model.
All applications are "protected", or rather, other applications need the rights before they can terminate any other program.