Can malware get past ProcessGuard and RegDefend?
richrf
April 23rd, 2005, 07:40 PM
Hi all,
A general "architectural" question:
Suppose I install ProcessGuard and RegDefend on a clean machine and thereafter always deny permission to all programs that PG and RegDefend alert on (this is theoretical of course). Is it possible for trojans, spyware, keyloggers, rootkits, etc. to ever be installed on my machine?
What I am trying to understand are all of the known ways for malware to install (infest) a machine, and what guards are needed. Thanks for any insights.
Rich
BlueZannetti
April 23rd, 2005, 10:28 PM
As I understand things, since virtually any installation would have to originate at a user mode level, and you have said that you would deny them at kernel mode, I would say no. Attempts to get around this (call from a numerically higher to a lower ring level, e.g. 3 -> 0), should generate a CPU based protection fault.
I'm of the never say never school, but let's label this one as an unlikely scenario at present. Virtually every scenario that I can build a concept around should generate a flag that you've already posited as denied from the outset.
Blue
richrf
April 23rd, 2005, 11:41 PM
Thanks Blue.
I am positing this theoretical scenario in order to better understand the type of threats that I might face and whether my security theoretically takes care of everything. I realize that I might always make a mistake, which is why I continue a layered defense, a la KAV, but it appears that PG + RegDefend is an extremely strong defense - which has been my experience to date.
I would welcome any additional comments. Thanks, as always, for your very helpful replies.
Regards,
Rich
BlueZannetti
April 23rd, 2005, 11:56 PM
Rich,
At least right now I would view the likelihood of erroneously answering one of the PG/RD pop-ups as much greater than either of these applications failing in a way to yield a vulnerability (as opposed to a simple protection fault restart). If a measure of protection could be added in this regard - and I'm not sure precisely what I mean here - maybe some indication beyond a simple statement of "this application is attempting to do whatever" to include some type of "seriousness factor" (now there's a technical term if I ever met one), I think that would help. However, I can see the pragmatic issues this would involve and it is likely beyond the scope of commercial product development.
Also, for both products some level of recovery is possible except for an embedded compromise of the kernel mode layer. But that's true of all scenarios since the only solution there is nuke and pave.
Blue
ring0
April 24th, 2005, 04:23 AM
I'll just say that there are individuals working very hard right now on ways to defeat these programs. Whether they have been successful or not, you may never know, because not all who work on ways to defeat these programs will ever make it publicly known. These are the real serious threats, the ones who hide in the shadows, the ones who could have compromised your machine already, and you don't even know about it. Just be aware that it can be done and may have already been done to you. No security program, or combination thereof, is immune from compromise by ring0. ;)
spy1
April 24th, 2005, 11:29 AM
-{ Quote: "I'll just say that there are individuals working very hard right now on ways to defeat these programs. Whether they have been successful or not, you may never know, because not all who work on ways to defeat these programs will ever make it publicly known. These are the real serious threats, the ones who hide in the shadows, the ones who could have compromised your machine already, and you don't even know about it. Just be aware that it can be done and may have already been done to you. No security program, or combination thereof, is immune from compromise by ring0. ;)" }-
How incredibly lame. Okay, "ring0", I'm sitting here at snip~~~snip . All you have to do is get past everything I've got on here and I'll believe you. Not some lame-ass DoS, but something concrete (open and close my CD tray; put me a message up on my screen: "Pete's 0wn3d" ) - IOW, DO something I can see so that I'll know beyond a doubt that I've been breached and that all of these defensive programs don't work.
THEN I'll believe you. Pete
BlueZannetti
April 24th, 2005, 11:37 AM
-{ Quote: "THEN I'll believe you. Pete" }-
Pete,
While you're waiting, have a quick read (http://www.broadbandreports.com/forum/remark,13247346), the link in post #1 obviously.
Blue
spy1
April 24th, 2005, 11:54 AM
lol! Yes, that was good alright! I'm not implying the same level of stupidity to "ring0" (whoever or whatever that is) - I simply believe that this particular statement - "No security program, or combination thereof, is immune from compromise by ring0." is a crock of (fill-in-the-blank).
I'm quite willing to change my tune should I be proven wrong - but not until then. His whole post sounded like some drama queen 16-year-old who still lives at home with Mommy trying to intimidate people.
All I'm saying is - bring it on. Pete
AND I WANT MY IP ADDRESS PUT BACK IN TO THAT FIRST POST, PLEASE
NICK ADSL UK
April 24th, 2005, 12:02 PM
Thank you all!!!
If we can stick to the topic in question without going off in various directions like the posting of IP addresses and using phrases like "bring it on", it would be much appreciated, I'm sure, by all.
It is an interesting topic, so please let's keep it this way as I have no wish to lock it.
Thank you
gottadoit
April 24th, 2005, 12:25 PM
I think that the issues of getting past security products, and these 2 security products in particular, center around the safety and reliability of software that you install on your computer.
Let's just say that some malware targets a broad spectrum of products and these 2 are included (as part of a shotgun effect); there are what seem to be fairly obvious ways of engaging in the startup race to have a chance of stripping the layers of protection out.
Thankfully, due to the differences in people's protection setups, it would take someone(s) very dedicated with a high level of skill to have analyzed many different security programs and come up with ways to subvert all of them.
The likelihood is that something would be missed somewhere and the malware would be submitted for analysis, and then it's game over for the "clever" hacker.
Pilli
April 24th, 2005, 12:44 PM
In addition to gottadoit's arguments, I would also add that such a hacker tool would be a little larger than your average virus or worm, it would have to be run (allowed) and it would have to run perfectly at the kernel level, i.e. set to install its driver/service very early in the boot process. This in itself would be an onerous task because of the driver race, making it highly improbable that the malware would win every time, so the first time it fails it will be caught and then be identified and its abilities known.
Agreed, there is no such thing as 100% security and there never will be, but by making your PC a hard target to crack it is far easier for the hackers to target the vast majority of insecure machines.
Pilli :)
spy1
April 24th, 2005, 01:25 PM
Note to "ring0" - Since they're not going to allow me to post my IP, you can simply do a "Search" through all my posts if you want it - I've posted it a bunch of times before and it wasn't a problem. Later. Pete
Pilli
April 24th, 2005, 01:34 PM
Hi Pete, Can you try and stay on topic re. the initial post.
If you wish to, please post your challenge elsewhere but Wilders is not the place to do it.
Thank you. Pilli
spy1
April 24th, 2005, 01:46 PM
You're quite welcome! ;D Pete
McCartn3y
April 24th, 2005, 03:03 PM
maybe Mr Rovermatic Internalized Nerve Ganglia knows people who reverse engineer security apps? Maybe malware has been embedded into "full.version" ProcessGuard?? Imagine, someone downloads a really sweet security program from unofficial source and BANG! they get rooted and never know it. LOL
Anyway, in PG forum there are unanswered reports of apps executing without permission. Make of it what you will....
BlueZannetti
April 24th, 2005, 03:43 PM
McCartn3y,
I think the general consensus is that if you actively allow malware to install, you'll have a problem. The outcome of someone downloading a piece of malware masquerading as PG, not having the savvy to know the difference, and having that piece of malware control the system is completely different from the scenario that is the subject of this thread.
With respect to PG allowing apps to execute without permission, in at least the most recent example that I can see there, the information is so vague that I have absolutely no idea what did and did not occur. Some additional, detailed, and more objective information would certainly help determine whether the initial interpretation provided is correct or not.
Blue
richrf
April 24th, 2005, 04:32 PM
Hi everyone,
Thanks for the replies so far.
The "strawman" that I set up was:
1) ProcessGuard and RegDefend are installed on a clean machine. Let's say installed when the system is first put together by the manufacturer.
2) That no other programs are installed after that. I realize that this is theoretical, but I am pushing the case just to see if there are "holes" in such a defense. Clearly, this can be relaxed a bit by installing only programs from trusted sources, and so on.
Given this, it would appear that a "race" would never occur. I understand that the malware would always have to win the race, in the case where it did somehow get on the system. But, if programs are either never installed or only installed from trusted sources, then it would seem that the malware would never have a chance to even get into a race. Please correct me if I am wrong.
Windows is a complicated piece of software to protect. So, I am suggesting tactics that may greatly limit the perimeter of defense, and have two good programs (as an example) guarding this limited perimeter. I think this might be handy for people who have just purchased a new system and are looking for a way to provide themselves with the maximum amount of protection, e.g.
1) One top rated AV/AT/AS
2) ProcessGuard
3) RegDefend
This is just a strawman, but since I am relatively uninformed about the nature of malware, I thought that this type of defense might be an excellent place to start.
Thanks again for all of the comments.
Rich
richrf
April 24th, 2005, 05:11 PM
Hi,
As an addendum, there is the issue of giving rundll.exe "permit once" or "permit always", which is amply covered here. Certainly, something that has to be addressed in some way by new PG users.
http://www.wilderssecurity.com/showthread.php?t=59185&highlight=rundll+processguard
It would seem that a layered defense, as in my strawman, which includes a top-rated AV/AT/AS along with PG and RegDefend (which is watching the registry over and above PG's mechanisms) somewhat mitigates the rundll "always issue", especially if rundll is not given extra privileges.
Rich
Rmus
April 24th, 2005, 06:08 PM
-{ Quote: "...Given this, it would appear that a "race" would never occur. I understand that the malware would always have to win the race, in the case where it did some how get on the system. But, if programs are either never installed or only installed from trusted sources, then it would seem that the malware would never have a chance to even get into a race. Please correct me if I am wrong.
Windows is a complicated piece of software to protect. So, I am suggesting tactics that may greatly limit the perimeter of defense, and have two good progams (as an example) guarding this limited perimeter..." }-
If your last line of defense is a lock-down program such as ShadowUser or Deep Freeze, a reboot will remove any malware, so you can just enjoy your computing and not waste time worrying about it.
Regards,
---
Rmus
richrf
April 24th, 2005, 06:12 PM
Hi Rmus,
I have considered DeepFreeze and Shadow-user lock-down defenses, but it would seem that they are most appropriate for systems that are relatively static. Of course, your point is well taken. If one is not allowing programs to download, then this would infer a relatively static system, in which case these lock-down defenses make all of the sense in the world. A top-rated AV (and possibly PG and RegDefend) would provide necessary intra-day protection.
Thanks for the additional idea. I certainly will keep it in mind.
Rich
Blackspear
April 24th, 2005, 07:17 PM
-{ Quote: "While you're waiting, have a quick read (http://www.broadbandreports.com/forum/remark,13247346), the link in post #1 obviously." }-
ROFLMAO here Blue, what a classic ;D
;D ;D ;D
spy1
April 25th, 2005, 01:19 AM
-{ Quote: "With respect to PG allowing apps to execute without permission, in at least the most recent example that I can see there, the information is so vague that I have absolutely no idea what did and did not occur. Some additional, detailed, and more objective information would certainly help detemine whether the initial interpretation provided is correct or not.
Blue" }-
I totally concur with that, Blue.
-{ Quote: "I have considered DeepFreeze and Shadow-user lock-down defenses, but it would seem that they are most appropriate for systems that are relatively static." }-
It depends on how you use ShadowUser (in my case, anyway). This system is anything but "static" - but in my case, all my defensive programs are still running within ShadowMode because everything I've got is on my "C" drive. This eliminates the threat of being unaware of becoming "infected" by something during a Shadow-session (with the subsequent possible loss of data, passwords, etc., etc.) while you're still within that session (which is the only true, current vulnerability of programs such as ShadowUser or DeepFreeze).
Even when I'm not in ShadowMode, I still have PG set to "Block new and changed applications" and locked - and I'll trust that condition every day of the week to keep my computer secure.
IOW, the only time that PG isn't "cocked and locked" is when I'm installing new software or updating (even while in ShadowMode). Pete
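The two policy questions raised above, Rich's rundll "permit always" concern and Pete's locked "Block new and changed applications" mode, come down to how an execution allowlist keys its rules. The Python below is an added illustration, not code from this thread or from the ProcessGuard vendor; the ExecGuard class, the paths and the file contents are constructed stand-ins, and the rule design is an assumption about how such a guard could work, not ProcessGuard's actual implementation.

```python
import hashlib

# Constructed stand-ins for executables on disk (path -> file bytes); not real binaries.
BASELINE = {
    r"C:\Windows\system32\rundll32.exe": b"rundll32 build 1 (constructed)",
    r"C:\Program Files\Editor\editor.exe": b"editor build 1 (constructed)",
}

def fingerprint(data: bytes) -> str:
    """An executable's identity is its content hash, not its path or file name."""
    return hashlib.sha256(data).hexdigest()

class ExecGuard:
    """Simplified model (an assumption for illustration, not ProcessGuard's design)
    of a default-deny execution guard with permit once/always and a locked mode."""
    def __init__(self, baseline, locked=False, rule_includes_args=False):
        self.known = {path: fingerprint(data) for path, data in baseline.items()}
        self.locked = locked                      # locked: never prompt for new/changed
        self.rule_includes_args = rule_includes_args
        self.always = set()                       # permanent "permit always" rules
        self.prompts = []                         # questions the user would be asked

    def _rule_key(self, digest, args):
        # Weak rule: keyed on the host executable alone, so one "always" for rundll32
        # covers every DLL it is ever asked to load. Strict rule: the command line counts.
        return (digest, args) if self.rule_includes_args else (digest,)

    def decide(self, path, data, args="", answer=None):
        """Verdict for one execution attempt; answer is None, 'once' or 'always'."""
        digest = fingerprint(data)
        if path not in self.known:
            status = "new"
        elif self.known[path] != digest:
            status = "changed"                    # same path, different bytes
        else:
            status = "known"
        if status != "known" and self.locked:
            return "BLOCK:" + status
        key = self._rule_key(digest, args)
        if key in self.always:
            return "PERMIT:rule"                  # no prompt: earlier "always" decides
        self.prompts.append((path, args))
        if answer == "always":
            self.always.add(key)
        return "PERMIT:user" if answer in ("once", "always") else "BLOCK:denied"

def demo():
    rundll = r"C:\Windows\system32\rundll32.exe"
    first = "shell32.dll,Control_RunDLL"          # a routine, legitimate use
    later = r"C:\Temp\unknown.dll,Entry"          # a DLL the user never vetted
    weak = ExecGuard(BASELINE)
    weak.decide(rundll, BASELINE[rundll], first, answer="always")
    weak_later = weak.decide(rundll, BASELINE[rundll], later)        # waved through
    strict = ExecGuard(BASELINE, rule_includes_args=True)
    strict.decide(rundll, BASELINE[rundll], first, answer="always")
    strict_later = strict.decide(rundll, BASELINE[rundll], later)    # prompts again
    locked = ExecGuard(BASELINE, locked=True)
    editor = r"C:\Program Files\Editor\editor.exe"
    changed = locked.decide(editor, b"editor build 2 (constructed)")  # modified on disk
    new = locked.decide(r"C:\Temp\setup.exe", b"never seen (constructed)")
    return weak_later, strict_later, changed, new
```

The weak guard silently permits the second rundll32 invocation because its rule never looked at which DLL was requested, while the locked guard blocks both the altered editor and the unseen binary without asking.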
cluessnewbie
April 25th, 2005, 09:50 AM
-{ Quote: "Hi Pete, Can you try and stay on topic re. the initial post.
If you wish to, please post your challenge elsewhere but Wilders is not the place to do it.
Thank you. Pilli" }-
You see, Pete only loves to post such challenges in places like this, which, to put it frankly, is merely a wading pool for beginners to intermediates; the chances of someone who is truly skilled coming across this are slim to zero.
In any case, even if Pete issued his challenge in the right place (eg usenet), the truly skilled will be unlikely to be willing to tip their hand just to put a foolish user like Spy1 (who has way too much faith in software despite having no clue at all about how it works) in his place, when they have much juicier targets.
As we all know, unreleased usable windows exploits are worth at least 5 figures, and are meant to be sold to the highest bidder; to waste it on Spy1 would be crazy. (Though whether Pete would be smart enough to figure out how he got hacked is doubtful)
Still it would be fun to see what happens, if Pete issues his challenge on usenet. I could be wrong of course.
spy1
April 25th, 2005, 10:32 AM
lol! Another cowardly un-registered user heard from.
Interesting opinion of this site and the people who work here you have: "which to put it frankly is merely a wading pool for beginners to intermediate, the chances of someone who is truly skilled coming across this is slim to zero."
Have a nice day. Pete
cluessnewbie
April 25th, 2005, 10:43 AM
Would registering the alias 'cluessnewbie' suddenly endow my posts with more truth?
Your failure to address my points speaks volumes, registered or not.
Good day.
Infinity
April 25th, 2005, 10:43 AM
@ clueless... you must be the smartest and the coolest guy alive, eh??
being unregistered and commenting on people and doubting the skills....rock on clueless, you're my idol!
p.s. no matter if you register or not: the admins/mods/... do have all the IPs anyway lol... talking about being clueless :)
spy1
April 25th, 2005, 10:46 AM
<g> No, it wouldn't (in your case anyway).
Look, since you're obviously not a hacker yourself (a 'wannabe' or a "groupie" at best), why don't you simply go crying to them yourself and point them at this thread? Or, would you simply like to keep attempting to take this thread off-track - something I was trying not to do after being warned about it? Pete
*Mods - If I'm attacked, I'm going to respond, okay? That's just the way I am and always have been. These last posts are exactly the reason I brought up the un-registered posters issue again.
richrf
April 25th, 2005, 10:56 AM
Hi clueless,
I think your primary point is that valuable exploits cannot be wasted on a single person. I think this is a point well taken, that truly valuable information will be kept hidden in order to realize its full value.
However, five figures is not valuable. Something has to be in at least the six and possibly seven figures to be truly considered valuable. A person can make five figures by flipping burgers - and on top of that have better Karma to boot!
There are probably some valuable exploits out there, but I think the primary problem nowadays remains the well-known exploits that are not being contained because most users still do not have good protection.
What I am getting out of this discussion is that KAV (or any other top AV/AT/AS) + ProcessGuard + RegDefend is very powerful against known exploits, and possibly the vendors of these products need to do a better job at:
1) Marketing
2) User friendliness (particularly in their interfaces and help documentation)
in order to have a deeper penetration of the market. Much wider usage would certainly help the PC community at large.
Rich
BlueZannetti
April 25th, 2005, 11:09 AM
As has been already noted above, the throw down and pickup of challenges will be left to other sites, not Wilders.
@ cluessnewbie:
While Wilders certainly has a diverse member base, referring to it as a wading pool of beginning to intermediate users does miss a lot. Many beginners visit, there are a fair number of intermediate users, and there are a much smaller number of extremely capable individuals. I'd say that's true of virtually any general site such as this.
As for your other comments, applications such as PG and RD have a role in the spectrum of protective software. There are lots of persistent bits of junk more irritating than benign adware, but less critical than the directed use of a previously unknown exploit, that many of us can stumble upon. These types of programs deal with that intermediate range of problem cases. If one feels the need for more comprehensive coverage, there are plenty of options for someone willing to spend the money.
Now, let's everyone keep the discussion on topic and off personal comments. Thanks.
Blue
NICK ADSL UK
April 25th, 2005, 11:12 AM
Yes indeed, one more personal comment or going off topic and I will close this thread. I am not in the habit of repeating myself.
Thank you
cluessnewbie
April 25th, 2005, 11:12 AM
-{ Quote: "@ clueless... you must be the smartest and the coolest guy alive he??
being unregistered and commenting on people and doubting the skills....rock on clueless, you're my idol!" }-
Infinity, believe it or not I know spy1 pretty well. Heck I know most of the regulars here pretty well.
-{ Quote: "
p.s. no matter if you register or not: the admins/mods/... do have all the ip's anyway lol... talking about being clueless :)" }-
I hope you don't think this is something surprising to me, much less to 95% of the people on the internet. And of course, I won't insult your intelligence by implying you don't know how to use proxies to circumvent that.
But to forestall any questions, no I don't usually bother with such tricks.
Infinity
April 25th, 2005, 11:18 AM
;) no prbs Clueless, have a nice day
Inf.
NICK ADSL UK
April 25th, 2005, 11:28 AM
Well, the debate on this topic looks over and the question by the thread starter answered, so I will now close this thread.
Copyright ©2002 - 2012, Wilders Security Forums