Protecting AV/hips-processes


ako
January 8th, 2007, 02:49 PM
Hi!

Is there any sense in protecting my F-secure, Prevx1 and Winpatrol Plus with
Processguard free? (What other tools are there for this?)
Or is such an action pure paranoia? :)

ako

Atomas31
January 8th, 2007, 02:55 PM
I don't know if it is pure paranoia but, for one, I am protecting my resident protection from being terminated by nasties...
Other than Process Guard, there is Prosecurity and, if I am not mistaken, the next version (2.0) of Online Armor.

farmerlee
January 8th, 2007, 02:57 PM
SSM free can protect apps against termination.

MaB69
January 8th, 2007, 04:03 PM
-{ Quote: " if I am not mistaken, the next version (2.0) of Online armor." }-

No Atomas, you are not mistaken :P

If they can protect themselves, it's better to protect them from nasty things trying to kill them and then opening the door wide for their bad friends.

MaB

ako
January 8th, 2007, 04:20 PM
-{ Quote: "SSM free can protect apps against termination." }-

Does it do it better than PG (PG fails Darkspy)? What about Online armour?

MaB69
January 8th, 2007, 05:21 PM
-{ Quote: "What about Online armour?" }-

Soon, OA will protect progs from termination, but not in the current beta build.

MaB

Atomas31
January 8th, 2007, 05:42 PM
-{ Quote: "Does it do it better than PG (PG fails Darkspy)? What about Online armour?" }-

Hi ako,

What is Darkspy? Is it a spy software or something like that?

As for Online Armour, version 2.0, which has the function you are looking for ("process guard"), is still in beta...

But why not give Prosecurity and SSM a spin to see which you like best and which works best on your system, and then give us your impression?

Personally, I have chosen to replace my Process Guard with Prosecurity :)

Best regards,
Atomas31

MaB69
January 8th, 2007, 05:48 PM
-{ Quote: "

What is Darkspy? Is it a spy software or something like that?

" }-

An antirootkit

More information here (http://www.fyyre.net/~cardmagic/index_en.html)

Regards,

MaB

Atomas31
January 8th, 2007, 05:56 PM
So, if Darkspy is an Anti-Rootkit (which means a security program), when Ako says that PG fails Darkspy, what does that mean???

Best regards,
Atomas31

herbalist
January 8th, 2007, 08:09 PM
Protecting the processes for firewalls, AVs, etc. makes good sense. SSM for example can "keep a process in memory", restarting an app if it's terminated as well as requiring other apps to ask permission to terminate a process. Many of the better HIPS apps can defend themselves against most process termination methods. It's true that the most advanced process termination apps can be used to eventually kill or disable many HIPS or firewall suites. What gets overlooked here is that the user had to give that process killer permission to run in the first place, and often had to respond to other prompts for that app as well. While this is fine for testing, it doesn't reflect normal usage. In a real life situation, where would these advanced termination commands come from? How did the app responsible for them get onto the PC and get permission to run? To even get to this situation, the rest of the security-ware and the user's judgement would have needed to fail. The AV has to miss it. Either the user chose to download it, the browser was exploited, or the firewall failed to control traffic. When the HIPS alerted to the new process, the user had to permit it. If enough of this can happen for a user to end up in that position, they have far more serious problems to address than adding additional protection for the HIPS process.
Adding another application to monitor or defend the HIPS process is overkill. Little would be gained, and if this application is another HIPS or process control application, it could create the potential for software conflicts that could kill the apps for you.
Rick

EASTER.2010
January 8th, 2007, 11:32 PM
-{ Quote: "Protecting the processes for firewalls, AVs, etc makes good sense. SSM for example can "keep a process in memory", restarting an app if it's terminated as well as requiring other apps to ask permission to terminate a process." }-

Indeed! Compliments for this interesting topic and posts. Even though more & more security apps (HIPS) and AVs are exercising new methods for protecting themselves from terminations, adding to SSM's "keep a process in memory", for instance as herbalist mentioned, in my case would be the vital processes of AntiVir AV and the Firewall, along with other choice selections. For any end user concerned about keeping their system's SECURITY up and ACTIVE, that adds even another layer of protection and thus confidence.

It's a highly welcome & favored feature of SSM and i expect more safety apps would follow similar techniques as they can.

-{ Quote: "Is there any sense to protect my F-secure, Prevx1 and Winpatrol Plus with
Processguard free? (What other tools there are for this?)
Or is such an action pure paranoia?" }-

SSM will protect them "ALL", in fact "ANY" process; if it gets hit by some stretch of the imagination or a determined malware purveyor, it will "Restart" the app as aforementioned "immediately" and continue as often as it gets terminated, if they are so inclined.

Everyone of course keeps to their own preferences, what they will live with when it comes to PC "FULL" Protection, so my answer to that would be "no paranoia", just good prudent sense.

ako
January 9th, 2007, 02:47 AM
-{ Quote: "So, if Darkspy is an Anti-Rootkit (which means a security program), when Ako says that PG fails Darkspy, what does that mean???

Best regards,
Atomas31" }-

PG can be killed by darkspy easily.

EP_X0FF
January 9th, 2007, 03:23 AM
Any process can be easily destroyed from kernel mode. Nothing will help in this case.

dah145
January 9th, 2007, 03:30 AM
-{ Quote: "Any process can be easily destroyed from kernel mode. Nothing will help in this case." }-

Unless your HIPS blocks the service installation. ;)
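
The point of the last two posts, from a defender's side, as an added example that is not from the thread or any of the products named in it: getting code into kernel mode on Windows normally means registering a driver service, and on Vista/2008 and later the Service Control Manager logs that as Event ID 7045 in the System log. The script below parses such events and flags the kernel-mode-driver ones; the sample events are constructed and their service names and paths are made up.

```powershell
# Added example, not from the thread: parse Service Control Manager
# "service installed" events (System log, Event ID 7045) and flag the ones
# whose service type is a kernel-mode driver. Event ID 7045 exists on
# Vista/Server 2008 and later; the XP-era machines in this thread lack it.

# Turn one 7045 event (its XML, as returned by EventRecord.ToXml()) into a
# record. The Data field names are the ones the SCM writes into EventData.
function ConvertFrom-ServiceInstallEvent {
    param([Parameter(Mandatory)][string]$EventXml)
    $xml = [xml]$EventXml
    $id = $xml.Event.System.EventID
    # EventID carries a Qualifiers attribute, so it comes back as an element.
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }
    if ([int]$id -ne 7045) { return $null }

    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = [string]$d.'#text' }

    [pscustomobject]@{
        Time           = $xml.Event.System.TimeCreated.SystemTime
        ServiceName    = $data['ServiceName']
        ImagePath      = $data['ImagePath']
        ServiceType    = $data['ServiceType']   # "user mode service" or "kernel mode driver"
        StartType      = $data['StartType']
        Account        = $data['AccountName']   # empty for drivers
        IsKernelDriver = ($data['ServiceType'] -match 'kernel')
    }
}

# Constructed sample events for an offline run; names and paths are made up.
$sampleService = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager"/>
    <EventID Qualifiers="16384">7045</EventID>
    <TimeCreated SystemTime="2007-01-09T03:30:00.000Z"/>
  </System>
  <EventData>
    <Data Name="ServiceName">ExampleUpdater</Data>
    <Data Name="ImagePath">C:\Program Files\Example\updater.exe</Data>
    <Data Name="ServiceType">user mode service</Data>
    <Data Name="StartType">auto start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>
'@
$sampleDriver = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager"/>
    <EventID Qualifiers="16384">7045</EventID>
    <TimeCreated SystemTime="2007-01-09T03:31:00.000Z"/>
  </System>
  <EventData>
    <Data Name="ServiceName">exampledrv</Data>
    <Data Name="ImagePath">C:\Users\Public\exampledrv.sys</Data>
    <Data Name="ServiceType">kernel mode driver</Data>
    <Data Name="StartType">demand start</Data>
    <Data Name="AccountName"/>
  </EventData>
</Event>
'@

$records = @($sampleService, $sampleDriver) | ForEach-Object { ConvertFrom-ServiceInstallEvent $_ }

# Only the driver entry is reported. A driver image living outside
# %SystemRoot%\System32\drivers is a further hint that deserves a closer look.
$records | Where-Object IsKernelDriver | Format-Table Time, ServiceName, ImagePath, StartType -AutoSize

# Live use against the real System log (Vista and later, elevated shell):
# Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='Service Control Manager'; Id=7045 } |
#     ForEach-Object { ConvertFrom-ServiceInstallEvent $_.ToXml() } |
#     Where-Object IsKernelDriver
```

Installing a service in the first place requires administrative rights, which is why the restricted-account advice later in this thread matters as much as any HIPS prompt.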

ako
January 9th, 2007, 03:34 AM
-{ Quote: "Unless your HIPS blocks the service installation. ;)" }-

My F-secure IS 2007 stopped Darkspy killing processes (forced kill) by its new HIPS called Deepguard. ;D

But PG failed. :(

dah145
January 9th, 2007, 03:41 AM
-{ Quote: "My F-secure IS 2007 stopped Darkspy killing processes (forced kill) by its new HIPS called Deepguard. ;D

But PG failed. :(" }-

Can you please post a screenshot of Deepguard stopping the attack?

ako
January 9th, 2007, 03:48 AM
-{ Quote: "Can you please post a screenshot of Deepguard stopping the attack?" }-

There was nothing special in the dialog. DG just warned that darkspy was trying to kill the process in a fancy way. :D

Mrkvonic
January 9th, 2007, 04:30 AM
Hello,

I see no point in this. It means baddies are running on your machine already, which means you have executed something. Horrible. And now you want to protect the AV? How about protecting the documents? If they get irrecoverably deleted? What is more important? You can always re-download the AV, what about your private stuff?

Protecting processes means you don't trust yourself. If that's the case, switch to Linux.

Mrk

lodore
January 9th, 2007, 04:51 AM
The way I see it is this:
if a malware maker makes something that disables your AV and then sends any malware to your PC, then you're infected.
An AV with the latest defs is useless if someone sends something that can disable the AV.
If AVs haven't got self-protection, it's in production.
If you make a program that detects what AV they've got, then disables it, then sends an old RAT, then the malware writer wins and has full control.
lodore

Mrkvonic
January 9th, 2007, 04:54 AM
-{ Quote: "...
if a malware maker makes something that disables your AV and then sends any malware to your PC, then you're infected...
" }-

Hello,
No, it goes like this: if YOU download malware and YOU execute it THEN you're infected. Things don't happen by themselves, the user actually has to do something - except IE, but even then you must visit a 'special' website.
Mrk

lodore
January 9th, 2007, 05:10 AM
True, but as you say, with ActiveX you just need to visit one dodgy website and bam, you're infected.
Self-protection is mainly intended for people who don't have a clue and don't care where they visit on the web, and stops their AV from being terminated during the dangerous surfing that the user doesn't know is dangerous.
Microsoft should stop using ActiveX; then there would be fewer infections.
Sure, the people on this forum know the facts about not just clicking random links from MSN or email etc.
Secure IE
or use Firefox/Opera.
But most users just install Norton Internet Security, which either came with the PC or was recommended by PC World, and expect it to block all the dangerous stuff, when we know that a 100 percent detection rate with no false positives is impossible.
I know this because I used to believe this myself until I got the PC I'm currently using and my dad's friends introduced us to Spysweeper 3.0,
which was the version at the time.
I ran it on the old PC and found over 200 infections and was like whoa, that's a lot, no wonder scandisk never got going =D
Plus the AVs I installed on that PC found like 20-30 trojans.
So mainly protection for the user that doesn't know what's what with security or doesn't give a damn about it.
And the so-called special websites are not rare and are easy to come across with common searches for warez and cracks, which quite a lot of home users search for to avoid paying, say, £60 for Nero etc.
I have learned my lesson and am now a very safe surfer, but there are still tons of high-risk surfers out there.
What I fear is a teenager using a PC to download warez getting a RAT or a password-stealing trojan that nicks money out of their parents' account when they do online banking.
Not all parents know what their kids do on the PC.
lodore

ako
January 9th, 2007, 06:04 AM
The approach of SSM sounds interesting. However, it might be risky business to try it with FS 2007 and prevx1.

PG has worked nicely with them. No conflicts.

Mrkvonic
January 9th, 2007, 06:19 AM
Hello,
lodore, if you use IE and set unsigned ActiveX to prompt, they will not download. The problem is with active scripting and high inherent insecurity of the IE.
Mrk

lodore
January 9th, 2007, 07:51 AM
Microsoft should have made the defaults even safer than they did with IE7, since it still has tons of ways of exploiting it on those settings.
It's not like it's hard to send out Windows updates with high default settings.
lodore

herbalist
January 9th, 2007, 08:03 PM
-{ Quote: "True, but as you say, with ActiveX you just need to visit one dodgy website and bam, you're infected." }-
If you run IE6 on its default settings, a malicious site can easily exploit it. As installed, its security settings are horrible. Fortunately, its settings can be tightened a lot. Start with disabling ActiveX for the internet zone and putting the sites used for Windows Update into the trusted zone, assuming they can be called trusted after the WGA fiasco. If you really want to protect Internet Explorer, run it through Proxomitron and filter out the exploitable content, and the banner ads, popups, etc., including scripts.
-{ Quote: "if a malware maker makes something that disables your AV and then sends any malware to your PC, then you're infected.
An AV with the latest defs is useless if someone sends something that can disable the AV.
If AVs haven't got self-protection, it's in production." }-
Malware doesn't just appear on your PC. Malware writers don't just send it out and make it enter your system. The vast majority of the time, the user chose to download or open the infected material. Yes, malicious sites can exploit a browser with a specially made page, usually until the exploit used gets patched. Sometimes a malicious individual can get past a firewall, more often the fault of the firewall rules than the firewall itself. When compared to the number of malicious files users chose to download or infected e-mails they chose to open, exploited browsers and firewalls represent a small percentage of the problem. Users are exploited more than all software combined, including Windows and IE6. Browser settings can be tightened. Internet content can be filtered. Firewall rules can be tightened enough to stop most any malware from slipping in.
Most of the AV killer malware I've seen were e-mail attachments. FYI, an AV with up-to-date defs will detect and stop most of the AV-killing malware. This kind of malware can be nasty when first released, but once the AVs recognize it, it's mainly a problem for those who run outdated AVs. They're not a magic bullet that kills AVs by their presence. They're running processes like any other software, and like any other running process, HIPS can prevent them from running, unless the user allows it to run.
Process protection for AVs has to be treated a bit differently than it would be for a firewall or HIPS. AVs often need to be shut down during updating. Using a separate app to protect against shutdown or auto-restarting an AV can interfere with updating it unless the user is going to be updating it manually. Trying to make an AV that can't be shut down by anything except its own updater would open up a big can of worms, starting with malware that attacks the updaters. Process protection is better reserved for firewalls, which don't need to be shut down. Even this is not that critical if you've taken the time to close the open ports on your system.
Trying to use one HIPS to protect another or using HIPS to protect a firewall suite with a HIPS component gains little and can cause conflicts and configuration headaches. Running 2 process controlling programs only shows that the user doesn't trust either one to do the job. Process killers, whether they're legitimate apps or security app killing malware are processes themselves, which any decent HIPS will prevent from running. If one is running, the user allowed it. A second process control app would only mean the user had to allow it twice.
-{ Quote: "Self-protection is mainly intended for people who don't have a clue and don't care where they visit on the web, and stops their AV from being terminated during the dangerous surfing that the user doesn't know is dangerous." }-
No amount of software is going to protect a clueless or typical user if it's being configured by that same user. Someone else has to secure that PC if it's going to see any real security. It either needs to be done by a person or the user needs to turn control over to an application that can make the decisions for them. Conventional HIPS and firewalls mix with typical users about as well as oil and water mix. I've pretty much concluded that educating the typical user is an exercise in futility. This might have been an option when an AV was all that was necessary and a firewall could be treated as an option, but not anymore. It might be possible to teach some users safe behavior, but when you get to the average teenage user, there's no substitute for good security-ware, configured by someone who can do it properly, and that isn't the average parent.
Rick

pilotart
January 10th, 2007, 12:08 AM
I have an ancient Excite.com service that will only function on IE with the privacy settings at the lowest level :(

I use Firefox for 99.9% but keep Internet Explorer inside a BufferZone (http://www.trustware.com/) for the few times that it is needed.

When I used Sandboxie (after about the fifth page on excite.com), I saw the AntiVir Umbrella close and the Guard Service shut down,
so I just did a hard shutdown and used GoBack on the next boot to restore to a prior point in time, and that was the end of that.

Looking in Control Panel > Administrative Tools > Component Services, I noticed the AntiVir PersonalEdition Classic Service (the Guard)
Properties setting for "Select the computer's response if this service fails:"

First failure: [was Take No Action] changed to [Restart the Service]

Second failure: (same default, also changed to restart...)

Subsequent failures: [was Take No Action] changed to [Restart the Computer]

Reset fail count after: [1] days?/?

Restart service after: [was 1] reset to [0] minutes
_______________________________________________________________

The above action first brought up a permission box from ZoneAlarm to allow Microsoft Management and this was followed by a Windows Security asking the same.

Would like the EXPERTS' opinions on the above settings???
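
The same recovery settings applied from the command line, as an added example that is not from the thread or from the AntiVir product: the Services console's Recovery tab writes exactly what sc.exe failure sets, so this is a repeatable way to apply and then read back the configuration. The service name is a placeholder.

```powershell
# Added example, not from the thread: set the failure actions pilotart chose
# in the Services console with sc.exe, then read them back with sc qfailure.
# Run from an elevated (administrator) shell. The service name below is a
# PLACEHOLDER; use the short name shown by `sc query` for your real service.
$ServiceName = 'ExampleGuardService'

# "Restart service after: 0 minutes" -> delay per action in milliseconds.
$RestartDelayMs = 0

# "Reset fail count after: 1 day" -> sc.exe takes the reset period in seconds.
$ResetSeconds = 24 * 60 * 60

# First failure: Restart the Service; second failure: Restart the Service;
# subsequent failures: Restart the Computer. sc.exe expresses the three
# Services-console slots as a slash-separated action/delay list.
# Caution (my note, not pilotart's): a reboot action on a service that fails
# at every boot produces a reboot loop; a third "restart" is the safer choice.
$Actions = "restart/$RestartDelayMs/restart/$RestartDelayMs/reboot/$RestartDelayMs"

# Note the space after each '=': sc.exe requires 'reset= <n>' and 'actions= <list>'.
& sc.exe failure $ServiceName reset= $ResetSeconds actions= $Actions
if ($LASTEXITCODE -ne 0) { throw "sc failure failed with exit code $LASTEXITCODE" }

# Read the configuration back: RESET_PERIOD and the FAILURE_ACTIONS list.
& sc.exe qfailure $ServiceName
```

The Service Control Manager runs these actions only when the service process dies without reporting that it stopped (a crash or an outside kill); a clean stop through the SCM, such as an updater performs, does not count as a failure and triggers no restart.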

tlu
January 10th, 2007, 09:56 AM
-{ Quote: "
Protecting processes means you don't trust yourself. If that's the case, switch to Linux.
" }- That's too simplistic. I am also using Linux and considering switching completely to this OS - but:
Even Linux can be compromised by installing software from untrustworthy sources.
Windows can be made considerably more secure by using a restricted user account - that's a basic cornerstone of Linux security. AFAIR from other threads here, you're one of those users who don't follow this important principle in Windows although it also works here - that's inconsistent, sorry. (Vista might offer an improvement in that area for those users accustomed to restricted accounts in 2000/XP. However, many users who are only used to working as admin will probably disable this feature in Vista, thus undermining an important part of its improved security concept.) Other measures are the replacement of IE and OE, as already mentioned in this thread.

Mrkvonic
January 10th, 2007, 12:35 PM
Hello,

Don't let them blind you with propaganda. Linux can be compromised. Maybe. The likelihood? Very, very tiny. And if you can follow 5 simple principles, you're set - strong password for root, firewall, no ssh, download from trusted sources, update regularly, there's nothing to worry about.

I have yet to read about a Linux user getting hijacked. All Linux advisories are PoC code by geeks at universities who use their discoveries to get extra scholarships.

Windows LUA is a joke. It does not work. It restricts not only privileges but usage also. Unlike Linux, which actually works.

Vista = improvement in security? More propaganda. All about money. Don't listen.

Mrk

tlu
January 10th, 2007, 01:27 PM
-{ Quote: "Hello,

Don't let them blind you with propaganda. Linux can be compromised. Maybe. The likelihood? Very, very tiny. And if you can follow 5 simple principles, you're set - strong password for root, firewall, no ssh, download from trusted sources, update regularly, there's nothing to worry about." }- Mrk, I like Linux and I'm convinced that it's pretty safe. But in the end, it's the user sitting in front of the computer who matters. Imagine, you miss a special codec not contained in the official repositories. So you add an unofficial repository like PLF as everyone does. Do you know the people running them? Are you sure that they look into the source code of every software they put in (provided they have the knowledge to do this)? I agree that the risk is probably low right now, but I'm afraid that with Linux becoming more popular these unofficial repositories will more and more become a target for malware writers. That's no problem for you if you are disciplined enough to only stay with the official repositories - but will you?

-{ Quote: " I have yet to read about a Linux user getting hijacked. All Linux advisories are PoC code by geeks at universities who use their discoveries to get extra scholarships." }- Again agreed. On the other hand, SELinux or AppArmor aren't developed by the Linux community just for fun. There seem to be at least potential weaknesses, otherwise they wouldn't do it.

-{ Quote: " Windows LUA is a joke. It does not work. It restricts not only privileges but usage also. " }- It has worked for me for many years. Granted - I'm not a player. And Linux has the better approach. But it works in Windows, even for my children.

-{ Quote: " Vista = improvement in security? More propaganda. All about money. Don't listen.
" }- I disagree. From what I've read in my favourite magazine c't (which is rather Microsoft-critical, by the way) there are some remarkable improvements (like User Account Control (UAC), Windows Resource Protection (WRP), Address Space Randomization) that make it very difficult for malware to compromise Vista. And regarding LUA, c't writes that UAC is a remarkable easement for all users who have already used restricted accounts in the past.

Mrkvonic
January 10th, 2007, 03:03 PM
Hello,

Sticking to tested / verified / official sources is part of the game - no different than downloading a trojan and executing it.

SELinux and AppArmor are mainly for enterprise and not home user.

Windows LUA, from the perspective of a gamer with lots of p2p, sharing, testing etc., is completely unusable. For browsing the net? You don't need more than a live CD like Puppy. Windows LUA works, just not enough.

I have tried Vista. Its security concept is mainly two more clicks for everything you do, compared to XP. Nothing special about it - nothing that a user won't defeat by just a few more clicks.

But security aside, the major problems with Vista are moral.

Mrk

herbalist
January 10th, 2007, 08:42 PM
-{ Quote: "But security aside, the major problems with Vista are moral." }-
That's one way to describe it. IMO, DRM+"locked" kernel=spyware. Propaganda fits as well, especially when the topic is security. I'm actually glad that they don't support my "insecure" OS anymore. I don't have to worry about something like WGA being disguised as a critical update.
-{ Quote: "Protecting processes means you don't trust yourself. If that's the case, switch to Linux." }-
I can't agree with your reasoning. I trust my judgement, but I still protect my firewall executable with SSM. It's Windows I don't trust. Microsoft has never been very open in regards to vulnerabilities, especially ones that aren't fixed. How do we know that there aren't more undiscovered vulnerabilities in the OS itself that allow for the injection of system commands?
All software is vulnerable in some way. Protecting the firewall executable is recognizing that fact and doing what you can to offset such a vulnerability should one be found. On mine, SSM defends and if necessary restarts Kerio, so Kerio can keep attacks from the web off of SSM. Protecting security-ware processes like the firewall is completely in line with layered security. No matter how good an app's self-protection may be, if it stands alone, it can probably be taken down, but when several are interlocked and defending each other, they're much harder to attack. This is the same tactic used by some of the nastiest malware. App "A" defends and restarts app "B", which defends and restarts app "A". Ask an experienced malware fighter how tough some of the malware that does this can be.
Rick

cprtech
January 10th, 2007, 09:58 PM
-{ Quote: "
Protecting processes means you don't trust yourself. If that's the case, switch to Linux.
" }-

You must have expected a volley of criticism with that statement?

Mrkvonic
January 10th, 2007, 11:37 PM
Hello,

herbalist, all of the attacks you mention happen AFTER you execute something on your PC. External vectors are through firewall, browser etc. As long as you keep bad stuff on thither side, it can do nothing at all. You're talking about protecting the system once it gets infected. That's like a divorce settlement - who gets more - but in the end, you have still lost.

cprtech, no. The only thing worth protecting is personal stuff. Making sure some trojan does not wreak havoc on your AV? Why? Simply unplug the line and reformat / reimage. Of course, it's best not to get yourself infected in the first place. But if you don't trust yourself, Linux is definitely the answer. Or no Internet. If someone needed a special appliance to monitor one's driving, because one's not sure what one's doing, would you still recommend that person drive - or take a bus?

Mrk

cprtech
January 11th, 2007, 09:54 AM
No, I use a HIPS for pretty much the same reasons Herbalist explains in his last post.

-{ Quote: "Simply unplug the line and reformat / reimage. " }-

My goodness, you know how drastic reformatting is for many? For myself and many others, I'm sure, in this forum, it is not such a traumatic step because I have all my valuable data backed up (usually twice a month), with one copy securely stored off-site, and I use Acronis TI so I can re-image as well, if need be. Unfortunately, many beginners and inexperienced users have not learned how crucial it is to back up their treasured data, so that in case of a reformat, it is a disheartening experience for them, not to mention the required drivers for some hardware, all the programs to be re-installed, email configuration, personal account settings. No, I'm not shedding tears for them, but reformatting is usually a last resort for those who have not yet learned the concept of regular backups.

The layered approach to security, including the use of HIPS to support other security apps, is one that I fully embrace. It does not mean I don't trust myself. Nor does it mean I stop learning as much as I can about Windoze, networking, and Windoze/networking security :)

Mrkvonic
January 11th, 2007, 11:32 AM
Hello,

I'm not many - I'm me. For me, reformat is nothing more than a fun afternoon. And if people actually bothered to learn how to format instead of uselessly intercept system calls with messages like 'gtrs.exe is trying to modify lsass.exe', then perhaps they would feel better about their computer usage.

If you use the 'many' as standard, then we should all run NIS 2012 and use IE, right? But we are not mainstream. And therefore, we all have our little dogmas.

Mine is one of user = everything. Format = good. Trying to remove malware once infected is:

Trying to out-trick the OS into committing seppuku.
Trying to patch a wound with toilet paper.
Never being sure if your cleaning really worked 100%.
Avoiding admitting the failure, as a user, of getting infected.

Got infected? Tough. Now you pay the price of reformat. That simple.

Reformat is not the last resort and should not be the last resort. The fact most people have a hard time switching their computers on does not really make me consider my own doctrine as 'overkill.'

I see it this way - if you wish to control the OS for these reasons:

You don't trust it.
You wish to contain malware when it happens.

It means you are missing the real fun of the Internet usage.

Malware should not happen.
You should use an operating system that you trust.

Mrk

cprtech
January 11th, 2007, 12:08 PM
-{ Quote: "You wish to contain malware when it happens.
" }-

Actually, before it happens ;)

In a perfect, anal-retentive computing world we would never make the mistake of allowing malware onto our machines. After all, we are human; we fatigue, stress out, forget, overlook details, get distracted. The security package is simply there as some added insurance to help prevent the possibility of malware invasions. Besides, I also like the HIPS as a learning tool. It nicely reveals in its alerts and logs just how much influence common Micro$oft processes have on the system.

BTW, I do agree with formatting or re-imaging to eradicate malware, but it is a difficult step for "many". Just take a look at the number of victims in the Castlecops forum on the long waiting list to have their machines disinfected by the malware experts... because formatting is, regrettably, a last resort for them. It's kinda' disturbing :)

lodore
January 11th, 2007, 02:22 PM
I hate formatting my own PC.
Sure, it means the PC is faster, but it's a pain in the ass for me.
I just want to get home after a long day at college and the long bus journey and use the PC.
I don't wanna have to reformat tons.
I could reformat and get all the drivers and make sure it's all backed up.
The only thing I fear is having to re-import all the ATRAC3 music for SonicStage.
lodore