AppDefend Misses Changes to Online-Armor
siliconman01
December 7th, 2005, 09:29 AM
I am running Online-Armor V1.1.0.542 as part of my security protection. When an upgrade to OA is released, OA downloads and installs the update. Then it requires a reboot to bring in the new software update. AppDefend does not detect the change on the reboot and any subsequent reboot. If I manually shutdown OA totally and then restart it, AppDefend issues its MD5 change alert at that point.
This seems to me to be a substantial security hole in AppDefend.
alley
December 7th, 2005, 10:34 AM
hi siliconman01,
Could this be the same issue Disciple posted in this thread:
http://www.wilderssecurity.com/showpost.php?p=612570&postcount=2
I have exactly the same issue as Disciple, i.e. several of my startup apps are not detected by AppDefend. Hope Jason will fix this issue.
Pilli
December 7th, 2005, 11:06 AM
Hi, I'm sure that Jason will get around to addressing these points in a later beta. Though Jason will be able to give you a more definitive answer, I am sure :)
BTW Siliconman, AD uses SHA256, not MD5. I am sure that was just a typo on your part ;)
Pilli
Jason_R0
December 7th, 2005, 11:35 AM
-{ Quote: "I am running Online-Armor V1.1.0.542 as part of my security protection. When an upgrade to OA is released, OA downloads and installs the update. Then it requires a reboot to bring in the new software update. AppDefend does not detect the change on the reboot and any subsequent reboot. If I manually shutdown OA totally and then restart it, AppDefend issues its MD5 change alert at that point.
This seems to me to be a substantial security hole in AppDefend." }-
The reason it "gets past" AppDefend is due to the .Default rule which has "Ask User / Allow" for executions. When the hash changes, AppDefend uses the .Default rule to make a decision on what to do, and since the GUI wasn't available to ask the user, it then allowed it. In the log it will be changed to make this clear that a hash has changed (at the moment it isn't obvious at all).
If the default rule had "Ask User / Block" then Online Armour would have been stopped from executing.
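The behaviour Jason describes above is a fail-open fallback: the executable's hash no longer matches, the rule says "ask the user", but no GUI is available at boot, so the rule's second verdict decides. The following is an added illustration written for this thread, not AppDefend's code; the rule structure, the `.Default` lookup, the file path and the executable contents are all constructed assumptions. It models the same decision path with SHA-256 and shows how "Ask User / Allow" and "Ask User / Block" differ when the prompt channel is missing.

```python
"""Toy model of a hash-based execution policy with per-program rules and a
.Default fallback. Added example for the discussion above; names, rule
semantics and sample data are assumptions, not AppDefend internals."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Rule:
    """'Ask User / Allow' -> ask_user=True, fallback_allow=True;
    'Ask User / Block' -> ask_user=True, fallback_allow=False."""
    ask_user: bool
    fallback_allow: bool


@dataclass
class Policy:
    known_hashes: Dict[str, str]             # path -> SHA-256 hex recorded when first trusted
    rules: Dict[str, Rule]                   # path -> rule; ".Default" is used when no match
    prompt: Optional[Callable[[str], bool]]  # None while the GUI is not up (e.g. early boot)
    log: List[str] = field(default_factory=list)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide(policy: Policy, path: str, image: bytes) -> bool:
    """Return True if execution of `image` at `path` is allowed."""
    digest = sha256_of(image)
    known = policy.known_hashes.get(path)
    if known == digest:
        policy.log.append(f"ALLOW {path}: hash unchanged")
        return True

    # Hash changed or program unknown: use the program's own rule, else .Default.
    rule = policy.rules.get(path) or policy.rules[".Default"]
    reason = "hash changed" if known else "unknown program"

    if rule.ask_user and policy.prompt is not None:
        verdict = policy.prompt(f"{path}: {reason}, new SHA-256 {digest[:12]}...")
        policy.log.append(f"{'ALLOW' if verdict else 'BLOCK'} {path}: {reason}, user decided")
        return verdict

    # No prompt channel: the rule's fallback verdict decides. This is the
    # fail-open path when fallback_allow is True.
    verdict = rule.fallback_allow
    policy.log.append(
        f"{'ALLOW' if verdict else 'BLOCK'} {path}: {reason}, no prompt available, fallback used"
    )
    return verdict


def boot_scenario(fallback_allow: bool, gui_up: bool) -> Tuple[bool, str]:
    """Constructed scenario: a monitored binary was replaced by an update before
    reboot. Returns (allowed, last log line)."""
    old_image = b"oa-build-542"   # constructed stand-ins for executable contents
    new_image = b"oa-build-600"
    path = r"C:\Program Files\OA\oa.exe"   # assumed path
    policy = Policy(
        known_hashes={path: sha256_of(old_image)},
        rules={".Default": Rule(ask_user=True, fallback_allow=fallback_allow)},
        # When the GUI is up, model a user who declines the changed binary.
        prompt=(lambda msg: False) if gui_up else None,
    )
    allowed = decide(policy, path, new_image)
    return allowed, policy.log[-1]


if __name__ == "__main__":
    for fb, gui in [(True, False), (False, False), (True, True)]:
        allowed, line = boot_scenario(fb, gui)
        print(f"fallback_allow={fb} gui_up={gui} -> allowed={allowed}: {line}")
```

With the GUI absent, `Rule(ask_user=True, fallback_allow=True)` lets the changed binary run and only the log records why, which matches the thread's description; flipping `fallback_allow` to `False` makes the same boot fail closed.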
tlu
December 7th, 2005, 12:02 PM
-{ Quote: "The reason it "gets past" AppDefend is due to the .Default rule which has "Ask User / Allow" for executions. When the hash changes, AppDefend uses the .Default rule to make a decision on what to do, and since the GUI wasn't available to ask the user, it then allowed it. In the log it will be changed to make this clear that a hash has changed (at the moment it isn't obvious at all).
If the default rule had "Ask User / Block" then Online Armour would have been stopped from executing." }-
Thanks, Jason, you confirmed my assumption. But wouldn't it make sense, then, to change the .Default rule for Rootkit Drivers to "Ask User/Block" since the installation of "normal" drivers is covered by RegDefend as pointed out by you some time ago?
Jason_R0
December 7th, 2005, 12:09 PM
-{ Quote: "Thanks, Jason, you confirmed my assumption. But wouldn't it make sense, then, to change the .Default rule for Rootkit Drivers to "Ask User/Block" since the installation of "normal" drivers is covered by RegDefend as pointed out by you some time ago?" }-
Hi tlu,
Yes, you are correct, such alterations in how the .Default rules work will be tweaked before the final release. At this moment in time the .Defaults are lax just to ensure compatibility and allow beta testers to tweak how they want.
siliconman01
December 7th, 2005, 01:25 PM
Is there a mechanism that can load AppDefend/RegDefend/GSS at the "top of the heap" on system boot? This would permit a user alert to be issued when a valid "changed" service/program/registry entry is detected.
On my system when I boot up, Ewido's icon is the first icon to show up in the systray. Then others straggle in. GSS shows up after Spy Sweeper and a few others pop in. It doesn't seem practical to me to set "ask user/block" for such programs as Online-Armor and Spy Sweeper which have their realtime monitors established as services. These programs would not start up at boot time with this option selected in AppDefend for them. However, with the "ask user/allow" option selected and the inability for AppDefend/GSS to alert until long after these services have loaded and are executing, such programs as OA and SS seem quite vulnerable to malicious changes potentially getting through.
At least that's the way it seems to me....
Jason_R0
December 7th, 2005, 01:54 PM
-{ Quote: "Is there a mechanism that can load AppDefend/RegDefend/GSS at the "top of the heap" on system boot? This would permit a user alert to be issued when a valid "changed" service/program/registry entry is detected.
On my system when I boot up, Ewido's icon is the first icon to show up in the systray. Then others straggle in. GSS shows up after Spy Sweeper and a few others pop in. It doesn't seem practical to me to set "ask user/block" for such programs as Online-Armor and Spy Sweeper which have their realtime monitors established as services. These programs would not start up at boot time with this option selected in AppDefend for them. However, with the "ask user/allow" option selected and the inability for AppDefend/GSS to alert until long after these services have loaded and are executing, such programs as OA and SS seem quite vulnerable to malicious changes potentially getting through.
At least that's the way it seems to me...." }-
Hi Siliconman,
I will be working on improving the way AppDefend works with Windows to ensure it is #1, not only driver based but also GUI based. It will most likely have to wait as a point release after the final, but research has been underway for a while.
siliconman01
December 8th, 2005, 12:35 AM
Thanks Jason for the feedback. Sounds great to me. Plus it sounds like it will be a significant competitive advantage once implemented.
Copyright ©2002 - 2012, Wilders Security Forums