wishlist for 1.200 (?)


Andreas1
December 11th, 2003, 11:13 AM
Hi all,
Like with a similar thread over at the CryptoSuite forum, I thought it would maybe be a good idea to start collecting ideas on how to further postpone TDS4 ...errrr, to further enhance PG I mean ;D

Officially on the list is, AFAIU:
- SetWindowHook(Ex) support
- Monitor installation of other drivers

Here's what I have in my notes:
- Import and Export lists of protected applications and their settings (also import a plaintext listing of files/paths with default flags)
- Fix removal of all entries when none is selected and the user presses "remove" (I haven't confirmed this myself, but it has been reported in one thread over here)
- hash exes that have allowances on them (even the MS File-Integrity-protected ones; I don't trust it as much as I would trust PG ;D).
- also hash and keep track of dlls that are being loaded into processes with allowances. Prompt for dlls being loaded for the first time or with a different checksum
(- allow for a more differentiated tweaking of how and which windows messages are handled by CMH ::) )

Possibly some of the items (the hashing and DLL monitoring) would introduce quite some resource strain, what do you think? Worth it? How much of it?

CU,
Andreas

Pilli
December 11th, 2003, 11:45 AM
Some nice suggestions there Andreas ;D

gkweb
December 11th, 2003, 01:16 PM
For DLL injection monitoring, it would conflict with any Application Monitoring software, and with firewalls too; I don't think it's the purpose of PG.
PG currently prevents DLL injection and code injection into protected processes, as well as termination. You want, in addition, that it checks which DLLs protected processes with allowed privileges load? Why?
If a trojan wants to inject a malicious DLL into a protected process, it can't, so I see no need for such a feature.

But checking processes by a hash sounds OK to me; a simple MD5 would be enough.

Andreas1
December 11th, 2003, 06:14 PM
Hi gkweb,

gkweb wrote:
> For DLL injection monitoring, it would conflict with any Application Monitoring software, and with firewalls too; I don't think it's the purpose of PG.
> PG currently prevents DLL injection and code injection into protected processes, as well as termination. You want, in addition, that it checks which DLLs protected processes with allowed privileges load? Why?
> If a trojan wants to inject a malicious DLL into a protected process, it can't, so I see no need for such a feature.
>
> But checking processes by a hash sounds OK to me; a simple MD5 would be enough.

The reason I'm asking for this is the following: In PG - and IMHO quite reasonably so - the allowances take precedence over the blocking flags. Thus, if you allow write/termination/SetInfo or Suspend access to any application, this application has a PC at its disposal that is almost (except for general protection options) bare of PG's protection. Okay, provided you have protected that application in turn, then there's no way that some malevolent code can sneak into that process, hijack it and exploit the allowances granted to it.

But, what if the so-privileged application isn't running at all? As long as the exe is just idling on the hard disk, any other process can come along and plant its own code into it. Thus, when the privileged application is then launched, it goes through PG like through butter, but has changed functionality in a way which probably isn't to our liking. That's why I was asking to hash-verify exes with allowances only.

But the problem doesn't stop there. Suppose one of your privileged applications is known to load a certain DLL. Then the malware can change that DLL file while the privileged app isn't loaded, and when it's launched, the modified DLL gets loaded and can execute with the privileges of the privileged app, again bypassing much of PG's protection. That's not DLL injection, because the privileged application itself is requesting the DLL to be loaded, only it has a different content by now. So you have to monitor and hash DLLs that get loaded into privileged applications as well - a bit more complicated since this is often flexibly done at runtime...


In short: the allow flags introduce a window of exposure (namely modification of the files that make up the running process associated with the flag while this process isn't running at all (yet)), and this should be countered with a hash-verification that the allowed exe is still what we meant to be allowed and that it only loads what was meant to be loaded. It's actually the inverse of the advantage that you don't have to protect DLLs from being terminated/unloaded or modified because they "inherit" the protection from the process that loads them.


Also, I would think these hashes could be a bit stronger than MD5.


Finally, I for one do think this feature fits better to an application like PG than to a firewall. IMHO, it's not a firewall's task to check if my TaskManager has been modified or not. One can certainly debate whether this should be PG's task instead (or maybe even better that of some file-integrity-checker, they specialize in this after all)... and probably one can even contest that it's not a firewall's task.
I'd simply like to hear some feedback by PG users and by DCS about what aspects should be considered with this...

gkweb
December 11th, 2003, 07:16 PM
For hashing executables, I totally agree.

But, even if I understood your point about DLLs, aren't the possibilities to hijack a trusted process in this kind of way never-ending?

Let me explain: OK, you hash all DLLs used by PG-trusted processes, but a DLL can load another DLL, which in its turn can also call another one.
So you have to hash all dependencies when a trusted process starts (to ensure its integrity), which could result, in my opinion, in a huge number of files (all the system DLLs can be involved).
If you do that, you must also check all dependencies, even drivers.
If I am not really right on this point and an executable only loads a "few" DLLs, I will just say that with "TaskInfo 2003" I can see that "explorer.exe" loads 90+ DLLs. I don't say it's the case for every executable, but imagine 50 protected processes each loading a high number of DLLs (I counted 79 DLLs loaded by "ccapp.exe" from NAV, and 54 by my browser).

So it's not that I really disagree with the need for this feature, since the risk is real, but I doubt it would be doable (not sure of this word), ensuring 100% integrity (I mean all the ways covered) without eating a lot of resources.

In fact, I agree with the idea, but not in this way and not by PG.
I should cross-post the following to the "CryptoSuite feature request thread".
If in the future CS can add a "tripwire like" feature, which means having a database of vital files or any chosen files with their fingerprints, you can be warned when a file is modified.
A better feature would be to have, in addition to the "on demand scanner", a real-time scanner which would run with the lowest process priority to permanently be checking system files.

As you said, the possibility to hijack trusted PG processes exists, but which way is the better one to handle that, I don't know.
If what you suggested is possible in a proper way, then I second your wish :)
But if so, you would in fact have to check even other trusted processes without allowances, since they can be shut down via a modified DLL.
Indeed, as you noticed, PG protects against injecting DLLs but can't do anything if the process isn't started.

In the end, we could "maybe" suppose that commonly used DLLs are also used by many other processes, so even if our particular trusted process isn't running, chances are that its DLLs are nevertheless in use.

EDIT: another feature request would be a check box enabling us, if checked, to have a popup when an entry is added in the log window.

EDIT2: I had to edit my post I don't remember how many times to correct English errors (don't laugh at seeing the thousand I missed...)
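An added example (written for this thread; not ProcessGuard code and not from any poster) of the check Andreas1 and gkweb are discussing: baseline the privileged exe and the transitive set of DLLs it loads with SHA-256, then re-verify before launch, so a DLL altered or removed while the process was not running is caught even though the exe's own hash is intact. The module names and dependency map are constructed stand-ins for what a real tool would read from each module's import table.

```python
"""Integrity baseline for a privileged exe and every DLL it pulls in.
Added example for this thread, not ProcessGuard code. The dependency
map is constructed; a real checker would read each module's import table."""
import hashlib
import os
import tempfile

# Constructed map: module -> modules it loads (DLLs load further DLLs).
DEPS = {
    "taskmgr.exe": ["kernel32.dll", "user32.dll", "comctl32.dll"],
    "user32.dll": ["gdi32.dll", "kernel32.dll"],
    "comctl32.dll": ["user32.dll"],
    "kernel32.dll": ["ntdll.dll"],
    "gdi32.dll": ["kernel32.dll"],
}

def sha256_file(path):
    """SHA-256 of a file in chunks (stronger than the MD5 suggested above)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def closure(root, deps):
    """Every module reachable from root, following DLL-to-DLL dependencies."""
    seen, stack = set(), [root]
    while stack:
        mod = stack.pop()
        if mod in seen:
            continue
        seen.add(mod)
        stack.extend(deps.get(mod, ()))
    return seen

def baseline(root, deps, directory):
    """Known-good digest of root and everything it will load, by module name."""
    return {m: sha256_file(os.path.join(directory, m))
            for m in sorted(closure(root, deps))}

def verify(base, directory):
    """Re-check before launch; return (module, reason) for each mismatch."""
    problems = []
    for mod, digest in base.items():
        path = os.path.join(directory, mod)
        if not os.path.exists(path):
            problems.append((mod, "missing"))
        elif sha256_file(path) != digest:
            problems.append((mod, "modified"))
    return problems

def demo():
    """Build a constructed module tree, baseline it, tamper, and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        for name in closure("taskmgr.exe", DEPS):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"constructed contents of " + name.encode())
        base = baseline("taskmgr.exe", DEPS, d)
        clean = verify(base, d)  # nothing changed yet -> []
        # Alter a DLL the exe loads only indirectly and remove another; the
        # exe's own hash is unchanged, so an exe-only check would miss both.
        with open(os.path.join(d, "gdi32.dll"), "ab") as f:
            f.write(b" tampered")
        os.remove(os.path.join(d, "ntdll.dll"))
        return len(base), clean, verify(base, d)
```

The size of the closure (six modules here, 90+ for explorer.exe per the post above) is what drives the cost gkweb is worried about; the check itself is one digest per file.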

Andreas1
December 11th, 2003, 09:09 PM
Hi again,
gkweb wrote:
> But if so, you would in fact have to check even other trusted processes without allowances, since they can be shut down via a modified DLL.

Good point. I didn't think of that.
Also I get the impression that this sort of check is better handled by another service after all. A pity. Well, maybe one day we can have an ss3 script that will be run from TDS4 and coordinate CSE and PG so as to achieve this functionality. ;)

CU,
Andreas

gkweb
December 12th, 2003, 08:19 AM
Yes, maybe :)

It's up to DCS to play now ;)

DolfTraanberg
December 12th, 2003, 02:02 PM
Look at this another way: if you have a list of approved and guarded applications and PG checks every process before it is executed, you don't have to have an AT, FW, AV or any security program loaded anymore, because any unapproved executable will not be able to load.
By then it would be a must to integrate PG as a part of Windows. Goodbye, black/white hats, no more work left.
DCS sells PG to Microsoft and they will be able to spend their lifetime on producing nice games, freeware utilities, and enhancing CS. ;D
Dolf

gkweb
December 12th, 2003, 02:07 PM
But PG isn't a "System Safety Monitor" or an "Abstrusion Protector", it is just meant to prevent chosen processes from being attacked, I think :)

Pilli
December 12th, 2003, 02:15 PM
gkweb, You have to get used to Dolf's rather good "droll" humour

Droll : Amusing in a facetious sort of way

DolfTraanberg
December 12th, 2003, 02:31 PM
Pilli wrote:
> gkweb, You have to get used to Dolf's rather good "droll" humour
I was serious :'(
Because this is about a wishlist, I mentioned those possibilities. Adding SSM-like features, you're not only having active processes guarded but also preventing unauthorized executables from being executed, so no trojan, virus or worm will have any chance to do any damage, because they are not listed in the "approved list".
Dolf

Pilli
December 12th, 2003, 02:46 PM
In that case I am sorry. :) Wayne has often said his fight is mainly against Trojans.
If this new technology can be harnessed using your possibilities (wishlist) it would be rather interesting to see the reactions of the big AV players, let alone MS. Let's just hope that any DCS copyright on this technology is watertight!

gkweb
December 12th, 2003, 02:48 PM
Thanks for the explanation, Pilli ;D

@Dollefie

For the following, "Application Monitoring" means software like SSM or AP.

Application Monitoring and Process Protection _should_ be two different features in my opinion.
Indeed, you seem to believe that allowing only trusted executables to launch is 100% secure, but in fact it is only if you never make mistakes :)
The example I always give is that you could mistakenly allow something to load believing it's a screen saver or a game, and then this malicious program, which is in fact a trojan (let's say "the beast"), will inject itself into your processes.
Another example: even when running an application monitoring software, spyware or malicious scripts which are triggered from your browser itself (which is trusted) can attempt, why not, to access your processes too (I think it's possible with so many browser vulnerabilities, whether it's IE or another one).

This is why having two layers of security is better than just one: application monitoring software does its job, PG does its own ;)

Just my point of view on the subject.

DolfTraanberg
December 12th, 2003, 03:00 PM
gkweb you are right, human error causes most security to fail. Sure, a lot of things have to be resolved, but I think it must be possible.
Why not use a global "approved application database", for example.
I know, this is only a thought and I'm sure there are better ways. Just start thinking this way.... ;)
Dolf

gkweb
December 12th, 2003, 05:09 PM
DolfTraanberg wrote:
> Why not use a global "approved application database", for example.

This is what "Pest Patrol" does, but it sounds insufficient alone to my developer's ears :)
Indeed, each day I have different executables on my hard drive that can't be in any database.
Moreover, do you really think that a database could have all executables that you can download on the Internet?
What if I download the latest driver for my network card or the latest Matrix screen saver? :)

This is why I always end at the same fact: good security is multi-layered security; one software alone will never be able to ensure your computer's security 100% by handling _alone_ all possible ways that can be used to damage your computer.

I know this kind of "super mega security software" would be a dream, but I don't think it's possible.

BTW, I think by using DCS products plus a few others like application monitoring
(which TDS or WormGuard do in a kind of way) and a firewall you can reach the security of your dreams; it is just less easy to configure than a single product :)

DolfTraanberg wrote:
> I know, this is only a thought and I'm sure there are better ways. Just start thinking this way....

Keep going, who knows, maybe you'll have the idea of the century ^^

DolfTraanberg
December 12th, 2003, 05:22 PM
gkweb wrote:
> Indeed, each day I have different executables on my hard drive that can't be in any database.
What about a (guarded) developers' area without restrictions?
gkweb wrote:
> Moreover, do you really think that a database could have all executables that you can download on the Internet?
Everyone who makes a program available can send a copy to the "database maintainers" for evaluation. More developers use certificates these days.
gkweb wrote:
> I know this kind of "super mega security software" would be a dream, but I don't think it's possible.
hmmm ::)

gkweb
December 12th, 2003, 05:47 PM
lol

You remind me of a movie where two persons disagree about a subject, and where the discussion is:

- I said No
- No it's Yes
- No
- Yes
- No !
- Yes !!!
- Nooooooo
- Yessssss

etc... ;D

DolfTraanberg
December 12th, 2003, 06:01 PM
;D
I make the presumption that PG is already a part of Windows and that the "database maintainers" will be a trusted company where a couple of hundred Gavins are working.
What about the cost? Not important. Think about the savings!
I'm sure a lot of major companies will sponsor this thing
Still dreaming on.... ;D

Gavin - DiamondCS
December 13th, 2003, 02:18 AM
gkweb wrote:
> DolfTraanberg wrote:
> > Why not use a global "approved application database", for example.
>
> This is what "Pest Patrol" does, but it sounds insufficient alone to my developer's ears :)
> Indeed, each day I have different executables on my hard drive that can't be in any database.
> Moreover, do you really think that a database could have all executables that you can download on the Internet?
> What if I download the latest driver for my network card or the latest Matrix screen saver? :)
>
> This is why I always end at the same fact: good security is multi-layered security; one software alone will never be able to ensure your computer's security 100% by handling _alone_ all possible ways that can be used to damage your computer.
>
> I know this kind of "super mega security software" would be a dream, but I don't think it's possible.
>
> BTW, I think by using DCS products plus a few others like application monitoring
> (which TDS or WormGuard do in a kind of way) and a firewall you can reach the security of your dreams; it is just less easy to configure than a single product :)
>
> DolfTraanberg wrote:
> > I know, this is only a thought and I'm sure there are better ways. Just start thinking this way....
>
> Keep going, who knows, maybe you'll have the idea of the century ^^

I like the way you think sir ! ;D ;D

gkweb
December 13th, 2003, 07:29 AM
Are you laughing at me? :'(

Or do you really like it? :D

Gavin - DiamondCS
December 15th, 2003, 12:03 AM
I like ! :) Just noticed your webpage too from another thread, very good work !

gkweb
December 15th, 2003, 01:25 PM
Thank you Gavin ;)

@DolleFie
DolfTraanberg wrote:
> I make the presumption that PG is already a part of Windows and that the "database maintainers" will be a trusted company where a couple of hundred Gavins are working.

I think the cost to "clone" Gavin would be too expensive and, in addition, cloning humans is prohibited :-\
Besides that it's a good idea ;)

Disciple
December 15th, 2003, 03:33 PM
Would it be possible to add the date to the window and the PGlog.log file? I don't open these frequently, since I can rely on DiamondCS software to perform as expected, but it would help to see when an event entry was made.

Congratulations on another very fine product.

Andreas1
December 15th, 2003, 05:16 PM
another thing:

whatcha think of this: once the computer is set up fine, remove PG.exe. Then nothing and no one can mess with pguard.dat - only you won't get logs (how about adding eventlog support to PG?).
If you keep it on a floppy, you can bring it back when you really want to change something. (Now it's getting even more crazy: if pg.sys and pg.exe would share some authentication secret, only your personal copy of pg.exe would have access to the configuration. Right now you have the keyfile, but if you take that away, pg.sys won't work either...)

Maybe just for the paranoid. After all, the most essential options in PG are protected - but that protection only verifies that it's a human and not a program that makes changes, not if that human should be allowed to do so, and changing options of programs in the list of protected programs - or even removing them completely - isn't protected this way.

Anyway: whatcha think?

Andreas

Pilli
December 15th, 2003, 05:54 PM
Andreas1 wrote:
> but that protection only verifies that it's a human and not a program that makes changes, not if that human should be allowed to do so,

Password protect the HIDs? No, no it's driving me crazy! ;D

gkweb
December 15th, 2003, 06:05 PM
don't forget to set a human verification to the password of human verification to check it isn't a program which is entering a password !

In fact, I vote to add "eye optical nerve recognition" to add a true human verification, so that only _you_ can disable PG ;D

Jason_DiamondCS
December 16th, 2003, 04:56 AM
The driver doesn't actually check/read the keyfile. So the keyfile doesn't need to be present for the driver to work.

Some interesting ideas here, to say the least! :)

-Jason-

redwolfe_98
December 23rd, 2003, 12:33 AM
My wish list is, for one thing, that the PG systray icon would function in a more typical fashion, where you could right-click the icon to bring up a menu with options to open PG, exit PG, and an option to "disable (or enable) protection". Also, when Procguard.exe is set to autostart, the PG screen pops up for an instant and then minimizes.. I wish that it would not "flash" like that. If possible, I would also like to see the settings in PG simplified.. if all of the protected processes are to use the first four black flags, just have that for the default setting without the options. And with the white flags, if it doesn't make any difference if all of the protected processes have all of the white flags checked, then that could be a default setting without the options. Also, the little "control panel" that pops up when you highlight a process could be continuously displayed. I think the help files are good, but I would like it stated in them whether processes like AVs and ATs, their active scanners, should have all of the "white flags" checked.. :)

redwolfe_98
December 26th, 2003, 01:58 PM
I would like it if PG could be engineered to not have the "close message handling" authentication box activated by splash screens (if you can understand what I am saying) (I know, there shouldn't be splash screens with eTrust EZ AV and Kerio 2.15). I have a similar issue with SSM's windows opening and shutting, when SSM asks to allow or block processes..

DolfTraanberg
December 26th, 2003, 02:02 PM
I don't think PG "knows" which box wants to be closed
Dolf

Gavin - DiamondCS
December 30th, 2003, 08:39 AM
Analysing all the layers of windows that can occur could take a mini calculator working overtime :) Not sure if it's viable yet, we don't really want to go that far. The fact that PG CAN protect any window from being shut down should at least deter attackers from bothering to try. Here's to hoping none ever bother to attack our PG protected machines :)

gkweb
January 5th, 2004, 08:23 PM
Maybe a date for the 1.200 version? ::)

Jason_DiamondCS
January 5th, 2004, 11:56 PM
No date for 1.200 yet, still need to iron out SetWindowsHook protection and other niggly things.

The problem with detecting "splash screens" and other windows like them is that you then have the issue of a trojan making a normal window look like a splash screen and closing it. The window protection needs to be very, very generic to even work at all; the reason for this is the way Windows is coded and how all the programs written for it work.

-Jason-

DolfTraanberg
January 20th, 2004, 12:05 PM
OK, here's another one:
Will it be possible to have a learning mode in PG, e.g. when PG logs another block, a pop-up will show asking to permit this action, avoiding the need to manually change the configuration?
Dolf