Process Guard vs Zero Day bugs
Rasheed187
July 6th, 2005, 02:21 PM
Hi,
I just wonder, is PG able to stop Zero day bugs like in IE for example? At the moment I've configured IE in a way that it isn't allowed to terminate, modify, or read other protected applications. Itself is protected against modification, should I also protect it from "Reading"?
Btw, I installed SSM and I liked the option to deny IE from loading other programs. That's not possible with PG. I also noticed some other options see the pic. Does PG also offer this and will it protect IE in any way?
James Taylor
July 6th, 2005, 02:56 PM
-{ Quote: "Hi,
-{ Quote: "
I just wonder, is PG able to stop Zero day bugs like in IE for example?
" }-
Depends on the type of zero day exploit of course.
-{ Quote: "
At the moment I've configured IE in a way that it isn't allowed to start, terminate, modify, or read other protected applications. Itself is protected against modification, should I also protect it from "Reading"?" }-
?? What do you mean IE isn't allowed to start? If it isn't allowed to start the rest of the permissions is mostly moot.
Unless you mean IE isn't allowed to "start other applications" which makes no sense. Since PG can't do that.
-{ Quote: "
Btw, I installed SSM and I liked the option to deny IE from loading other programs.
" }-
no, not possible, SSM gives greater control in that area.
-{ Quote: "
That's not possible with PG. I also noticed some other options see the pic.
" }-
SSM just puts start in technical terms. The first one is actually equal to "Allow global hooks". The next 3 allows a process to do all sorts of stuff simplified as "modify,terminate process" in PG.
-{ Quote: "
Does PG also offer this and will it protect IE in any way?
" }-
PG handles IE just like any other process. No special treatment. Just follow the defaults for IE given. (Allow global hooks)
I don't think you run IE though. You run Maxthon, same difference, just treat it like IE.
You want more IE protection, use PrevX, SafenSec, Winpatrol etc.
Rasheed187
July 7th, 2005, 05:34 PM
Yes my mistake (about the starting), I have edited my first post. And yes I use Maxthon but say IE to simplify things. ;)
But what I'm trying to figure out is how to lock down IE as much as possible, it seems to me that an app like PG can help a lot.
Let's say there is a highly critical zero day bug (remote system access risk), if a hacker tries to install malware on your system, then a good AV-AT-AS system will probably be able to prevent that.
But what if a hacker will try to take over your machine and has access to your file system? Shouldn't PG be able to prevent that too, so that IE doesn't have the right to do that. ???
richrf
July 7th, 2005, 06:00 PM
Hi Rasheed,
There are many approaches to what you are trying to accomplish in defending yourself against zero day bugs. Here is my approach:
1) I do not use IE, I use Firefox.
2) As you suggested, I use high detection rate anti-malware tools - in my case Kaspersky and Ewido.
3) I use ProcessGuard to defend against dll injections, rootkit and keylogger installation and installation against unauthorized services/drivers (real nasties all). These are some of the Zero Day bugs that you are referring to.
4) I use WormGuard to defend against unauthorized scripts (there are other similar tools).
5) For further defense, I use RegDefend to defend against unauthorized registry updates, since most malware try to update the registry in order to instantiate themselves in the operating system.
6) For further protection, some members use a product called Prevx (there are free and licensed versions) to guard their file system (and registry). I do not use this product for several reasons and there are threads that discuss this.
As you suggest, it would be nice to "close down" entry points into your machine that would protect against malware that somehow gets through your anti-malware tools. ProcessGuard closes some of these points but not all. Different forum members use different strategies. I think that if you investigate more, you will find the strategy that best fits your needs. I hope the description of my strategy helps you with some ideas.
Rich
James Taylor
July 7th, 2005, 11:29 PM
-{ Quote: "Yes my mistake (about the starting), I have edited my first post. And yes I use Maxthon but say IE to simplify things. ;)
But what I'm trying to figure out is how to lock down IE as much as possible, it seems to me that an app like PG can help a lot.
" }-
Why? It's called PROCESSguard not IEguard. :P
IE is so dangerous, you need a specific app to guard it, not something as generic as Processguard.
-{ Quote: "
Let's say there is a highly critical zero day bug (remote system access risk), if a hacker tries to install malware on your system, then a good AV-AT-AS system will probably be able to prevent that.
But what if a hacker will try to take over your machine and has access to your file system? Shouldn't PG be able to prevent that too, so that IE doesn't have the right to do that. ???" }-
By default if you run as admin, all programs have the right to access any file.
What you are looking for is a way to 'sandbox' IE, to run it in a restricted environment to limit the damage it can do.
So you can either run as a non-admin, or use drop my rights http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure11152004.asp
to run IE as a non-admin.
That restricts the damage IE can do if it's somehow compromised since it can't affect system files for example though it can still do quite a bit of damage to the user account it's running on.
This is one way of "sandboxing" IE.
Or you could use a third party software to do it http://www.sandboxie.com/
-{ Quote: "On the other hand, you may want to run your Web browser inside the sandbox most of the time. This way any incoming, unsolicited software (spyware, malware and the like) that you download, is trapped in the sandbox. Changes made to your list of Favorites or Bookmarks, hijacking of your preferred start page, new and unwanted icons on your desktop -- all these, and more, are trapped in and bound to the sandbox.
You could also try a new toolbar add-on, browser extension or just about any kind of software. If you don't like it, you throw away the sandbox, and start again with a fresh sandbox. On the other hand, if you do like the new piece of software, you can re-install it outside the sandbox so it becomes a permanent part of your system.
Sandboxie intercepts changes to both your files and registry settings, making it virtually impossible for any software to reach outside the sandbox.
Sandboxie traps cached browser items into the sandbox as a by-product of normal operation, so when you throw away the sandbox, all the history records and other side-effects of your browsing disappear as well. " }-
None of these methods are perfect, since there are exploits capable of privilege elevation, or the sandboxing program might not catch everything the sandboxed program does...
Eg the app above, allows total READ access, it just accepts writes...
This is getting way off topic, could a moderator move this out to another forum?
Gavin - DiamondCS
July 8th, 2005, 10:05 AM
Even just disabling "3rd party browser plugins" in Advanced IE options is enough for IE ;)
Free and easy, and works fine if you want to install some first
Stopping processes running stops an attacker from doing much at all, especially without being detected :)
kareldjag
July 8th, 2005, 01:09 PM
Hi,
As far as I know, ProcessGuard and System Safety Monitor are not a NIPS/NIDS (Network Intrusion Prevention/Detection System) and have not the ability to prevent 0day attacks.
SSM rules will not be very helpful against zero days: if the browser is launched by an unknown application, then it means that the intruder is in your host and in this case, it's often too late.
Even by running legitimately IE with the explorer, it can be a communication vector for a stealth backdoor.
But both PG and SSM have an MD5 integrity protection and can detect a major change in IE.
There are specific paid and free solutions to protect IE: here are some free ones:
-a specific integrity protection with AFICK (like Tripwire): http://afick.sourceforge.net/
But when the change is detected is also often too late.
-IE monitoring: there's some free tools which can monitor the browser behaviour (FileChecker in this javacool forum for instance).
NB: SandBoxie will not protect against zero days but will just prevent some aggressive scripts, spywares during a surf (like SurfingGuard from Finjan).
In any case, it's technically very hard to prevent all 0 days, perhaps impossible: even specialised products can be defeated by a 0 day attack:
http://secunia.com/advisories/15961/
For a short info about the subject, here's an article from EEYE:
http://www.infosecurity-magazine.com/comment/050613_eeye.htm
Against zero days attacks, prevention measures are more recommended than expensive over-protections:
-as it was said, never run as an admin during a surf: Aaron Margosis explains how we can limit the impact of zero days by this manner:
http://blogs.msdn.com/aaron_margosis/archive/2004/06/25/166039.aspx
-stay aware about Windows/browsers (IE or Mozilla)/softwares latest vulnerabilities (http://secunia.com/advisories/ for instance).
And then patch anyone of them.
In all cases, zero day attacks/exploits are not common on home users systems.
Regards
Peter2150
July 8th, 2005, 01:13 PM
I run IE and I only use medium security setting for the most part. I even have to run with admin privileges, as some of my mission critical software requires it. But with ProcessGuard, Regdefend, Prevx, and PopupCop, I never have had a problem. I have even explored a few so called high risk sites, with no problem. These programs have consistently caught attempts to play with IE.
Pete
James Taylor
July 8th, 2005, 01:48 PM
-{ Quote: "Hi,
As far as I know, ProcessGuard and System Safety Monitor are not a NIPS/NIDS (Network Intrusion Prevention/Detection System) and have not the ability to prevent 0day attacks.
" }-
Not that these work either....
-{ Quote: "
But both PG and SSM have an MD5 integrity protection and can detect a major change in IE.
" }-
A zero day attack doesn't always involve a "major change to IE", in fact some of the most well known involving buffer overflows, cross-site scripting attacks wouldn't be detected.
-{ Quote: "
NB: SandBoxie will not protect against zero days but will just prevent some aggressive scripts, spywares during a surf (like SurfingGuard from Finjan).
" }-
Given that the unknown nature of zero day attacks and that zero day attacks can involve a wide range of vulnerabilities and exploits it's a bit hasty I think to claim that only a certain measure (integrity tools for example) will help against zero days, while running IE in a restricted environment wouldn't.
In the context of home users, some of the "very aggressive scripts" are in fact or could be the most likely source of zero day attacks. On servers this would not be so important I agree.
Peter2150
July 8th, 2005, 02:07 PM
One other thing I do I forgot to mention. Like the other day I wanted to download some new jpg files for desktop wallpaper, and I do consider some of those sites high risk. Sooo.... I boot into my secondary snapshot (First Defense ISR of course), and have at all my surfing and downloading. Then when done, I thoroughly scan the jpg files, and if okay set them aside and reboot back to my primary snapshot. That way even if something infected me from one of the websites, it doesn't matter. The FD-ISR copy will get rid of them.
Pete
kareldjag
July 8th, 2005, 03:22 PM
Hi,
James Taylor: my English is not perfect, but your post means the same conclusion as my previous one: it's impossible to prevent all 0days, even with specialized products like NIPS/NIDS/HIPS which can themselves be victims of a zero day!
Consequently, all mentioned solutions are not perfect: not running as an admin, hardening the host, Sandboxie (or web filtering), integrity checking, browser monitoring, web application attacks countermeasures (http://www.imperva.com/application_defense_center/glossary/), NIPS and reverse proxy (web servers) and so on.
Therefore, any solution publisher/vendor who claims to prevent unknown malwares and attacks (then 0days) can only be considered as pretentious arguments and untrue advertising: there's no 100% security system.
Even when we "shutdown" our computer, it's still vulnerable to Tempest during a few minutes...
ProcessGuard prevents Malwares (from the basic trojan/keylogger to the stealth rootkit) and not Attacks (and Diamondcs never claims anything else).
And sure, as Peter2150, we can surf for years without being victims of a zero day attack.
There's a difference between decent and logical security and paranoiac one.
regards
Rasheed187
July 8th, 2005, 04:16 PM
Well, I'm no expert, but from what I understand is that IE is in fact the "entrypoint" for a hacker, that means if you go to malicious site and a hacker attacks IE (zero day bug), he will only have as much rights as IE has. That's why I'm already running in "non-admin" mode, because it will make it a lot harder to install malware this way.
Let's look at what the risk of a remote code execution vulnerability exactly is:
"If a user is logged on with administrative privileges, an attacker who successfully exploited a vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges."
But it seems logical to me that if you restrict IE even more (process launching, file access) there isn't a whole lot that a hacker can do, am I correct? :)
Rasheed187
July 8th, 2005, 04:22 PM
@ James Taylor
About SandBoxIE, it looks like an interesting app, only problem is that it will cripple your normal browsing too much, and as said before I don't think it's the number one solution against zero day bugs. ;)
@ Gavin
I'm not sure what you meant, but isn't that a too simplistic approach? I'm not worried about BHO's etc. since Maxthon doesn't even support them (or at least you turn them off). And with all these advanced anti malware tools (AV-AT-AS-IPS), I'm not that worried about other malware too.
What I'm basically worried about (and maybe I'm missing the point) is that a hacker could view, change, or delete data, because even non admins can do this. Or can a hacker only do this by installing malware (trojans, RAT's) first? ???
I mean how exactly can a hacker do all this stuff (remote code execution), I assume he will have to use some kind of tool, and have to be able to run stuff (executable files and scripts) on your system?
James Taylor
July 9th, 2005, 05:45 AM
kareldjag
Yes, your English is not perfect. The way I read your post, you were saying that integrity check tools and Netbased intrusion detection tools were much better than sandboxing tools (which merely stop aggressive tools according to you) for detecting and stopping zero day attacks.
In fact, you know and I know that all these tools are hardly perfect.
And I don't appreciate being called paranoid.
-{ Quote: "Well, I'm no expert, but from what I understand is that IE is in fact the "entrypoint" for a hacker, that means if you go to malicious site and a hacker attacks IE (zero day bug), he will only have as much rights as IE has.
" }-
Every program you run has the same rights as IE except for network outbound access. Every network enabled program has the same rights as IE.
So what? If you are so scared of using Maxthon, just drop it and be done with it.
-{ Quote: "
That's why I'm already running in "non-admin" mode, because it will make it a lot harder to install malware this way.
But it seems logical to me that if you restrict IE even more (process launching, file access) there isn't a whole lot that a hacker can do, am I correct? :)" }-
The point is a "zero day exploit" is something 'magical', by definition it allows you to break the rules. So even with all these tools , it's still possible for a zero day exploit or a combination of to hurt you.
You want to use IE, you take the risk, even if you ask these questions in a million security forums, no one can teach you a method to gain 100% assurance against zero day exploits.
But yes, if you restrict the files IE can access, restrict the processes it can spawn, carry out integrity checks to ensure IE and its related dlls aren't compromised, then you should be fairly safe.
kareldjag will tell you about NIDS but most of them are meant for servers.
James Taylor
July 9th, 2005, 06:08 AM
-{ Quote: "@ James Taylor
What I'm basically worried about (and maybe I'm missing the point) is that a hacker could view, change, or delete data, because even non admins can do this. Or can a hacker only do this by installing malware (trojans, RAT's) first? ???
" }-
Sure and, a skilled hacker can read your mind by snapping his fingers. LOL.
-{ Quote: "
I mean how exactly can a hacker do all this stuff (remote code execution), I assume he will have to use some kind of tool, and have to be able to run stuff (executable files and scripts) on your system?" }-
Without getting into details, essentially correct. How else would an attacker hurt you, by sheer willpower? Either he has managed to modify/compromise an existing process on your computer, or he managed to "inject" one of his own.
In the context of getting "hacked" by visiting web pages, if you turn off all the active content (Scripts,Java,ActiveX), it gets harder to damage you.
Of course, even then you can be hurt, by other ways, such as flaws in the rendering Trident engine... But this is much rarer.
There is where your other safe guards come into play, integrity checking tools, restricting IE's access to files, preventing it from spawning other processes, restricting its ability to modify processes in memory, hooks etc.
But the magical genius hacker who is out to get Rasheed, would probably research and come up with zero day attacks that could overcome these methods too, so you are dead anyway :)
Rasheed187
July 9th, 2005, 02:08 PM
First of all, I'm not scared to surf the web with IE, if I was I would have already switched to Opera or Mozilla. I'm just trying to figure out how to make IE as safe as possible. I already run it in non admin mode, have closed the known attack vectors (with tools like Samurai, Secure-It) and use anti malware tools (AV-AT-AS-IPS and firewall). I'm also aware of the fact that zero day exploits are not that common.
And I know that PG already is a powerful tool against malware with its ability to block services/drivers, global hooks, process modification/termination etc. but I think it should also be able to restrict process spawning and file access. However, I don't know if it will make PG more difficult to use/configure, I'm hearing a lot of bad stuff about Tiny Firewall which in fact is a full blown IPS.
Rasheed187
July 9th, 2005, 02:11 PM
About zero day bugs, I understand that they might still hurt you even with anti malware tools installed, because 100% security doesn't exist. However, as said before, it will be a lot harder for a hacker to do any damage, if faced with all kind of restrictions on a system.
And about my (perhaps silly) question, I understand that if a RAT is installed, hackers are in control, but if I read the security bulletins, they in fact imply that a hacker can take control by just hacking IE. So without even installing RAT's he can perform certain actions (remotely) via IE's process. I'm clearly no hacker, so I have a bit difficulty visualizing this.
Processguard
July 9th, 2005, 11:00 PM
-{ Quote: "First of all, I'm not scared to surf the web with IE, if I was I would have already switched to Opera or Mozilla. I'm just trying to figure out how to make IE as safe as possible. I already run it in non admin mode, have closed the known attack vectors (with tools like Samurai, Secure-It) and use anti malware tools (AV-AT-AS-IPS and firewall). I'm also aware of the fact that zero day exploits are not that common. " }-
Well , it seems to me that every post you make is about IE this, IE that, sure sounds scared to me.
-{ Quote: "
And I know that PG already is a powerful tool against malware with its ability to block services/drivers, global hooks, process modification/termination etc. but I think it should also be able to restrict process spawning and file access. However, I don't know if it will make PG more difficult to use/configure, I'm hearing a lot of bad stuff about Tiny Firewall which in fact is a full blown IPS." }-
PG cares only about processes starting, while something like Tiny allows you to restrict processes access to files and folders, that is a much higher level of complexity.
Also PG doesn't keep track of dlls so that's yet another level of complexity removed.
Even so, a lot of people find this white listing of processes confusing.
-{ Quote: "And about my (perhaps silly) question, I understand that if a RAT is installed, hackers are in control, but if I read the security bulletins, they in fact imply that a hacker can take control by just hacking IE. So without even installing RAT's he can perform certain actions (remotely) via IE's process. I'm clearly no hacker, so I have a bit difficulty visualizing this." }-
You clearly are confused, an exploit generally allows the hacker to run any piece of code they want, and it's generally assumed that once this is done you are finished.
Running as a non-admin minimises the damage, because at best the attacker will gain the same level of privileges as you, unless he applies another elevation of privilege exploit.
Rasheed187
July 10th, 2005, 12:41 PM
Well I might sound scared, but then why haven't I switched to another browser yet? Because I don't think the chance of being hacked via IE is big enough. But I obviously care about security.
About my request, if it will make PG too complex to use or configure (and if it's hard to program), maybe it's not such a good idea. But I just thought that it would be a nice addition to PG.
And yes it's a bit confusing, I never really understood the whole concept of remote code execution. This is the way I saw it:
Most of the time, hackers will just try to install malware on your system via (known or unknown) holes. But anti malware should be able to stop malware from installing (or prevent changes to your system), so in fact they can protect against zero day exploits.
But that's not the case according to you, so you can't do anything against zero day exploits? I wonder why tools like Prevx claim that they actually can protect you against them then. ???
richrf
July 10th, 2005, 01:05 PM
Hi Rasheed,
In a very affirmative way, behavioral monitors such as ProcessGuard, RegDefend, Prevx, Safe N' Secure, all help to defend against zero day exploits since they are attempting to prevent malicious software from accessing operating system resources, and instantiating themselves as an "infection". A malicious program that cannot complete its intended work (e.g. access install its files, drivers, services, registry updates, access protected memory, update or terminate other programs, etc.) can not infect your system (at least not in the way the malicious program intended). So I am entirely in your camp.
The reason IE is a target, is because malicious programs usually need some "target" program that they know will exist on a target computer in order to "jump start" its own code. IE is a nice place for malicious programs to begin because it is so ubiquitous, so vulnerable and has so many nice and powerful features that can be exploited by malicious programs (e.g. ActiveX). Changing to a different browser removes this nice launch pad for malware.
Rich
James Taylor
July 11th, 2005, 04:20 AM
-{ Quote: "Well I might sound scared, but then why haven't I switched to another browser yet? Because I don't think the chance of being hacked via IE is big enough. But I obviously care about security. " }-
You know yourself best anyway. But clearly you love Maxthon too much to switch, and yet you 'care about security' (but not enough to switch).
-{ Quote: "
And yes it's a bit confusing, I never really understood the whole concept of remote code execution. This is the way I saw it:
Most of the time, hackers will just try to install malware on your system via (known or unknown) holes. But anti malware should be able to stop malware from installing (or prevent changes to your system), so in fact they can protect against zero day exploits.
But that's not the case according to you, so you can't do anything against zero day exploits? I wonder why tools like Prevx claim that they actually can protect you against them then. ???" }-
First thing, you seem to think that exploits exist only for IE, but not for security software. Take Prevx, one of its functions is to detect modifications of sys files in c:\windows\sys32.
However did you know that by using symbolic links you can bypass this protection? Not to mention other methods?
Second thing , Prevx and other security software try to prevent zero day exploits in IE by observing the behaviour of worms and exploits.
Eg A lot of exploits in the past were able to automatically download and then execute all by themselves. What technical flaw it uses doesn't matter. When such a thing happens, it will generally run in the temp internet folders. This is a very common class of exploits, each exploit achieves this via a different method, but the end result is the same.
Prevx tries to prevent this class of exploits by warning you when a file runs from the temp folders. It doesn't matter what technical method it uses as long as it runs from the temp folders.
In that sense, Prevx protects you from "zero day exploits" that do this. But you are very naive if you think this is the only way zero day exploits can work.
However, if someone was out to get you, and knew that you used Prevx, he would clearly work out an exploit that worked differently, or one that exploited prevx's vulnerabilities (see above).
That is why there is no 100% protection from zero day exploits.
Reading secunia to bash other browsers besides IE is fine, but it's much better to understand what is going on.
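The behaviour rule described in the post above (alert on anything that executes from the temporary internet folders, whatever flaw delivered it), combined with the restriction on a browser starting other programs discussed earlier in the thread, as an added example; this is not Prevx, SSM or ProcessGuard code, and the log format, folder list and allowlist are assumptions.

```python
import ntpath
from dataclasses import dataclass, field

# Folder fragments treated as browser cache/temp locations (assumed list).
TEMP_MARKERS = (
    "\\temporary internet files\\",
    "\\local settings\\temp\\",
)
# Browser images named in the thread, and the children they may start
# (assumed allowlist; a real one is tuned per machine).
BROWSERS = {"iexplore.exe", "maxthon.exe"}
ALLOWED_CHILDREN = {"iexplore.exe", "maxthon.exe"}

# Constructed process-creation records: time|parent image|new image
SAMPLE_LOG = r"""
2005-07-11 10:01:02|C:\WINDOWS\explorer.exe|C:\Program Files\Internet Explorer\iexplore.exe
2005-07-11 10:03:40|C:\Program Files\Internet Explorer\iexplore.exe|C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\AB12CD34\update[1].exe
2005-07-11 10:05:13|C:\Program Files\Internet Explorer\IEXPLORE.EXE|C:\WINDOWS\system32\cmd.exe
2005-07-11 10:07:55|C:\WINDOWS\explorer.exe|C:/Documents and Settings/user/Local Settings/Temp/../Temp/setup.exe
garbage line without separators
"""


@dataclass
class Alert:
    time: str
    image: str
    reasons: list = field(default_factory=list)


def normalise(path):
    """Lower-case a Windows path and collapse '/', '.' and '..' parts so
    spelling variants of one location compare equal."""
    return ntpath.normpath(path.strip()).lower()


def check_event(parent, image):
    """Return the rule names a single process creation trips."""
    reasons = []
    parent_n, image_n = normalise(parent), normalise(image)
    # Rule 1: the new image lives in a cache/temp folder. The delivery
    # method is irrelevant; only where the file runs from matters.
    if any(marker in image_n for marker in TEMP_MARKERS):
        reasons.append("runs-from-temp")
    # Rule 2: a browser started something outside its allowlist.
    if (ntpath.basename(parent_n) in BROWSERS
            and ntpath.basename(image_n) not in ALLOWED_CHILDREN):
        reasons.append("browser-spawned-child")
    return reasons


def scan(log_text):
    """Apply both rules to every well-formed record in the log."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split("|")
        if len(fields) != 3:
            continue  # blank or malformed record
        time, parent, image = (f.strip() for f in fields)
        reasons = check_event(parent, image)
        if reasons:
            alerts.append(Alert(time, normalise(image), reasons))
    return alerts


# Limit raised in the thread: both rules only see new processes. Code
# that runs entirely inside the browser process never produces a record.
if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert.time, ", ".join(alert.reasons), alert.image)
```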
Rasheed187
July 11th, 2005, 10:25 AM
@ richrf
Yes, I mean that's what proactive defense is all about, if you monitor a lot of important stuff (Process, Service/Driver, Global Hook, Physical RAM, File System, Registry, LSP) and use an executable/script file sandbox (I've disabled Windows Script Host), it's a lot harder for a hacker to do any damage, zero day bug or not.
Also, if you run in non-admin mode and have locked down IE/Windows (Samurai/Secure-It/Safe XP + Popup-Script-ActiveX-Java blocker) I don't think the threat is that big. In addition, if I'm correct, anti malware tools are also capable of catching malware that tries to install via the web, through zero day bugs or not.
Rasheed187
July 11th, 2005, 10:25 AM
@ James Taylor,
I think the conclusion is that there is no 100% protection against zero day exploits, but that doesn't mean that IPS systems can't stop them at all. I mean an exploit will let attackers run arbitrary code, but if the attacked application isn't allowed to do a whole lot on your system, that must surely decrease the chance of a successful hack attempt.
James Taylor
July 12th, 2005, 03:49 AM
-{ Quote: "@ richrf
Yes, I mean that's what proactive defense is all about, if you monitor a lot of important stuff (Process, Service/Driver, Global Hook, Physical RAM, File System, Registry, LSP) and use an executable/script file sandbox (I've disabled Windows Script Host), it's a lot harder for a hacker to do any damage, zero day bug or not.
Also, if you run in non-admin mode and have locked down IE/Windows (Samurai/Secure-It/Safe XP + Popup-Script-ActiveX-Java blocker) I don't think the threat is that big. In addition, if I'm correct, anti malware tools are also capable of catching malware that tries to install via the web, through zero day bugs or not." }-
Who are you trying to convince? Yourself?
All this would sound a lot more convincing if you didn't keep asking for apps to secure IE in every other post :P
James Taylor
July 12th, 2005, 03:52 AM
-{ Quote: "@ James Taylor,
I think the conclusion is that there is no 100% protection against zero day exploits, but that doesn't mean that IPS systems can't stop them at all." }-
LOL. If any system can "stop them all", it sure sounds like 100% protection. Care to clarify again?
Rasheed187
July 12th, 2005, 12:02 PM
Well I was trying to make my point, and trying to put things in perspective. Let's face it, with a certain security setup (combined with common sense) the chance of being compromised isn't that big. ;)
Rasheed187
July 12th, 2005, 12:03 PM
-{ Quote: "LOL. If any system can "stop them all", it sure sounds like 100% protection. Care to clarify again?" }-
You should read better, and don't get so emotional LOL.
richrf
July 12th, 2005, 01:05 PM
lol. "Criticism of others is like writing your own autobiography". (paraphrasing)
When someone keeps telling others that they need to learn how to read ....
Cya Rasheed,
Rich
James Taylor
July 12th, 2005, 01:45 PM
-{ Quote: "lol. "Criticism of others is like writing your own autobiography". (paraphrasing)
Cya Rasheed,
Rich" }-
When someone keeps criticising, someone for criticising ..... :P
Honestly, I really can't see how someone can quote such a statement without indicting oneself of the very "crime".
Bubba
July 12th, 2005, 02:12 PM
Ladies, Gentlemen, Boys and Girls....let's Please simply stick to the thread title for discussion....Process Guard vs Zero Day bugs .
Pilli
July 12th, 2005, 02:13 PM
WARNING!
If this thread goes off of topic by those making personal remarks or innuendo this thread will be closed.
Infinity
July 12th, 2005, 05:42 PM
-{ Quote: "Well I was trying to make my point, and trying to put things in perspective. Let's face it, with a certain security setup (combined with common sense) the chance of being compromised isn't that big. ;)" }-
very true Rasheed, the chance that 50% of Wilders members get infected by clicking on link on Warez site is not that big either 8)
Starrob
July 13th, 2005, 07:20 AM
Can processguard block malware that accesses the Kernel directly without the benefit of a driver? That is a theoretical zero day attack.
Starrob
Blackspear
July 13th, 2005, 08:12 AM
Removed Off Topic post.
Blackspear.
Rasheed187
July 25th, 2005, 03:18 PM
Btw, to get back to my question in the first post, it seems like some apps like CurrPorts won't work if IE is protected against reading. :)
And a bit off topic: I don't know why but it seems like PG solved a problem on one of my machines, it wasn't able to shut down normally, explorer.exe would crash all the time, but when I protected IE.exe from modification the problem disappeared. :o