Safe Admin & Chrome

Discussion in 'other anti-malware software' started by Kees1958, Apr 3, 2011.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Could you try to perform the steps mentioned here -http://www.wilderssecurity.com/showthread.php?t=288332 and see if you can also reproduce it?
     
  2. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i tried and could not reproduce it.

    however, in about 20% of tries, when opening chrome, i have one of the 2 sub-processes at Medium.
    this is a little worrying. :doubt:

    in over 20 tries IE8 did not show this behaviour.

    please m00nbl00d, keep us posted.
    i'm very interested in finding about your results.

    here's a pic of what it looks like on my machine:
    -http://img39.imageshack.us/i/image1eu.jpg/-
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Perhaps you could perform a test? Start chrome, get the PID, and for every tab you open write down the site and pid. Then when one finally opens at the different IL, maybe you could try to write or execute something in a directory that should be off limits, because you know the pid of each window, you can see which one is not at the correct IL. Now maybe this won't work, as the parent chrome process is the handler, I don't know.

    Perhaps I will see about pulling the integrity out of a process as a query, I found the code to do it at one point. Might be nice just to enter in a pid or handle and get the IL back.

    Sul.
     
  4. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i hope you're not talking to me. ;)
    this is way beyond my level of "expertise".
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I tried a similar approach. I took note of the PIDs where chrome.exe (children) was assigned a medium level, and then I thought of something we never thought of - Close and reopen Process Explorer.

    All chrome.exe processes (children) that were running with medium IL, according to Process Explorer, now run with a low integrity level.

    Now, I don't know if this means anything or not...

    But, what started to raise my suspicion at Google's way of handling this, was telling to Kees1958 that it was a problem with Process Explorer, but not replying when he asked for some other tool he could use, or even to suggest to close and reopen Process Explorer and see if there would be any difference.

    Nonetheless, I'll be waiting for what Google developers have to say. I find it confusing that Process Explorer has no problems whatsoever with IE8/IE9 and Adobe Reader X.

    Could it also be that, for brief seconds, chrome.exe children processes may, in fact, inherit a medium integrity level, and then go back to a low integrity level? Hence the reason, when reopening Process Explorer, everything returns to normality?

    -edit-

    Closing and reopening Chromium, and then opening and closing tabs, will result in Process Explorer showing some of the children processes with a medium level. By right-clicking that process and checking its Properties > Security, you'll see it's assigned a low integrity level.

    Hopefully, that's all it is - a glitch in Process Explorer, that for some reason cannot show the real ILs for Chromium/Chrome children processes, and an awkward way Google developers have towards people seeking for answers. :ouch:

    But, all the ingredients did seem to point to a bug... Anyway, this quest did reveal something - don't fully trust anything, do your own findings. :p *puppy*

    -edit 2-

    Perhaps, you could still try to code something that could reveal the real ILs? Who knows what's truly happening. Because, even if for a brief second Chromium's children processes may inherit a medium level and then go back to low integrity level, it must be fixed (if it's what's happening!).
     
  6. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    same thing happens here with Process Hacker.

    so either it is just a bug, or like you say, maybe Chrome opens with Medium sub-processes for a micro second.

    either way i don't think it is something to worry about.

    i hope... ;)
     
    Last edited: Apr 17, 2011
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I still haven't checked with Chromium latest builds, but this noon while using a relative's computer running latest Google Chrome, out of curiosity I downloaded Process Explorer and checked Google Chrome integrity levels.

    The parent process was running with a medium IL (as expected), and some child processes running either with low or medium integrity levels.

    I checked the Security tab for each of the chrome.exe child processes with medium integrity level, and some had a low integrity level (as it used to happen before), but some had a medium integrity level.

    So... Is anyone up to monitor their Google Chrome/Chromium for a few days... open tabs, access websites, close a tab or two, open more tabs and access websites. Keep an eye on the integrity levels, and for any child processes running with a medium check its Properties > Security tab, and look for the mandatory label.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Newest process explorer has increased interval checking and it still shows medium level.
    On the benefit of when I exit process explorer those tabs run with low level.
    Chrome sets a low rights token, assigns a job object and an alternative desktop. With fewer extensions running the medium level error happens less often.
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Examine the command line using PE. The medium level threads are due to the gpu rendering, which must be at medium. I cannot recall now, but there might be an extension or other feature of the browser that also runs at medium integrity, although all actual tabs are supposed to be at low. You can use the chrome task manager I think to view which process is associated with what.

    Sul.
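    Sully's suggestion above (read the IL back per PID and check the command line for the process role) as an added example; this is not code from the thread, it queries each chrome.exe token's mandatory label directly through a small P/Invoke helper, so it does not depend on what Process Explorer displays. The helper and function names (TokenIL, Get-ChromeIntegrity, ConvertTo-IntegrityName) are mine.

```powershell
# Added example (not from the thread): list every chrome.exe with its role and integrity level.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenIL {
  [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr p, uint access, out IntPtr tok);
  [DllImport("advapi32.dll", SetLastError = true)] static extern bool GetTokenInformation(IntPtr tok, int cls, IntPtr info, int len, out int needed);
  [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
  [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
  [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
  const uint TOKEN_QUERY = 0x0008;
  const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS
  // RID of the token's mandatory label SID S-1-16-<rid>: 0x1000 Low, 0x2000 Medium, 0x3000 High.
  public static uint GetRid(IntPtr proc) {
    IntPtr token;
    if (!OpenProcessToken(proc, TOKEN_QUERY, out token)) throw new System.ComponentModel.Win32Exception();
    try {
      int len;
      GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out len);   // size query
      IntPtr buf = Marshal.AllocHGlobal(len);
      try {
        if (!GetTokenInformation(token, TokenIntegrityLevel, buf, len, out len)) throw new System.ComponentModel.Win32Exception();
        IntPtr sid = Marshal.ReadIntPtr(buf);                 // TOKEN_MANDATORY_LABEL.Label.Sid
        byte n = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
        return (uint)Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(n - 1)));   // last sub-authority
      } finally { Marshal.FreeHGlobal(buf); }
    } finally { CloseHandle(token); }
  }
}
'@

function ConvertTo-IntegrityName([uint32]$rid) {
  if ($rid -lt 0x1000) { return 'Untrusted' }
  if ($rid -lt 0x2000) { return 'Low' }
  if ($rid -lt 0x3000) { return 'Medium' }
  if ($rid -lt 0x4000) { return 'High' }
  return 'System'
}

function Get-ChromeIntegrity {
  # The command line tells which role a chrome.exe plays (--type=renderer, gpu-process, ...);
  # the browser (parent) process has no --type switch.
  $cmd = @{}
  Get-CimInstance Win32_Process -Filter "Name='chrome.exe'" | ForEach-Object { $cmd[[int]$_.ProcessId] = $_.CommandLine }
  foreach ($p in Get-Process chrome -ErrorAction SilentlyContinue) {
    $role = if ($cmd[$p.Id] -match '--type=(\S+)') { $Matches[1] } else { 'browser (parent)' }
    try { $level = ConvertTo-IntegrityName ([TokenIL]::GetRid($p.Handle)) } catch { $level = 'n/a (cannot open process)' }
    [pscustomobject]@{ PID = $p.Id; Role = $role; IntegrityLevel = $level }
  }
}

Get-ChromeIntegrity | Sort-Object Role | Format-Table -AutoSize
```

    Run it from the same user account that started Chrome; a process whose token cannot be opened is reported as "n/a" rather than guessed.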
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    If it hasn't been said yet, this is no longer supported and will do nothing.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You're right. I never associated it with extensions/plugins. --safe-plugins no longer works, as user Hungry Man mentioned. The medium integrity level belongs to AVG LinkScanner extension plugin.

    Since in the past --safe-plugins was being used, I never spotted this behavior.
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Update (on request)

    Deny elevation of unsigned programs
    I have set UAC to automatically elevate (no prompt). To compensate for this protection, I allow only signed programs to elevate (Deny Elevation of unsigned) and hardened UAC (no installer detection, also built-in admin under UAC).

    Use Chromium because it is a non-signed program
    Chromium comes as a win-zip file, just extract it to Program Files and no Medium rights programs can change it (Chrome itself neither), and because Chromium is unsigned it will never get Admin rights (elevate to HIGH integrity level)

    Added 1806 drive by protection
    Added 1806 trick to registry. This option prevents downloads of executables under IE. Allows download of executables under Chrome/Chromium, but prevents executing them through explorer (unless block is removed).

    On demand blacklist check HITMANPRO
    Before executing a downloaded file, scan it with HitmanPro (my only on-demand check); when safe, I will remove the block (see pic: three steps to remove block)

    Last picture lists the warnings you will get when enabling 1806 and UAC deny unsigned
     

    Last edited: Nov 10, 2011
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Pimped Chromium
    Installed Avast and removed it afterwards, just to throw the AswWebRepChrome.crx file on the extensions tab (adding it to Chromium). Using only Avast WebRep, Chrome Phishing filter (enabled by default), Norton DNS (via router) and McAfee SiteAdvisor to stay out of dodgy websites. Installed Chrome and removed it to copy the Google plug-ins for PDF and Flash (copy them to Chromium directory C:\Program Files\Chrome), see pic. Sandbox of Chrome is very safe and strong in Vista and Windows 7.

    So I do not have adobe Flash nor PDF reader installed on my PC, as PDF reader for downloaded files I use Foxit.
     

    Last edited: Nov 10, 2011
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Windows FireWall: also outbound protection
    I have set it manually, but there are lots of freebies (http://wokhan.online.fr/progs.php?sec=WFN)

    UAC: ValidateAdminCodeSignatures
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System set this to 1 (meaning deny elevation to ADMIN of unsigned programs)
    with REGEDIT (Home and Premium versions) or use Group Policy (see http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx)

    Internet Zone: 1806 drive by protection
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1806 set to 3. Added 1806 trick to registry. This option prevents downloads of executables under IE. Allows download of executables under Chrome/Chromium, but prevents executing them through explorer (unless block is removed, through right click properties). See http://blogs.msdn.com/b/askie/archi...ng-applications-and-unsafe-files-setting.aspx

    Block users from installing unsigned drivers
    Also disabled the user to install unsigned drivers (set to 2) through registry editor HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Driver Signing

    Windows hardening through EMET
    EMET 2.1 pdf, email, mediaplayer, browser. All overflow protections enabled to max.

    Use Chromium because it is a non-signed program
    Chromium comes as a win-zip file, just extract it to Program Files and no Medium rights programs can change it (Chrome itself neither), and because Chromium is unsigned it will never get Admin rights (elevate to HIGH integrity level). The good thing of Chromium is its LOW RIGHTS internal sandbox. I run Chromium with Bitdefender's Traffic Light and Chrome block and have Norton DNS enabled through router plus using Chrome's anti-phishing protection.

    On demand blacklist check HITMANPRO and MBAM
    Before executing a downloaded file, scan it with HitmanPro and MBAM free (my only on-demand check); when it is safe, I will remove the block (see pic: three steps to remove block). When it is unsigned it will not install.

    Performance versus security
    By staying away from nasty places the chances of being the first victim of an exploit are rather small. Patch/update your system every day. By only installing signed programs and blocking execution of downloaded executables (so you install intentionally), you will reduce infection risk by 99,99%. Screening them with HMP / MBAM is your best bet to close the gap as far as possible.

    Three years ago I updated CPU + HD + GPU, Samsung 1 GB disk (Spinpoint) and a three year old low end dual core (E5200 @ 2,5 GHz) with only 2 MB RAM (266 Hz) on a stripped down Windows 7 gives a less than 30 second boot time (see pic). The joy of using only internal protection (of the OS and your browser).
     

    Last edited: Nov 30, 2011
  15. Cvette

    Cvette Registered Member

    Joined:
    Apr 16, 2010
    Posts:
    373
    Location:
    South Carolina, USA
    Out of curiosity, are you using the installed version of Traffic Light, or the Chrome extension?
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Installer gave mixed readouts on network speed. It was twice as fast as previous installer versions though, so they will probably fix the delays further.
    Therefore using the faster Chrome extension. Latest Chrome plug-in extension version does not slow down on my PC (tested).
     
  17. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    I have been running safe-admin also and like it very much. The only difference is not allowing unsigned drivers (will add that) and MSE for AV. Used to monitor incoming files only but beta 4 of MSE doesn't allow that exception.

    Do you think that running Chrome instead of Chromium would be much less protection?
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Chrome and Chromium offer similar protection except that Chrome sandboxes Flash.
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    That is why I download the Chrome off-line installer from time to time to get the pdf.dll (sandboxed PDF) and gcswf32.dll (sandboxed Flash) and copy them into the directory in which ChromIUM runs (although the directory says Chrome) :D

    I also unzip Chromium updates to C:\Program Files, so medium rights level processes are not allowed to change it.

    See pic
     

  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Chrome offers better protection, because you can de-install Adobe flash and Adobe reader and use chrome's own. Chromium comes without those sandboxed plug-ins. Chrome is more secure (that is why I copy the sandboxed versions from Chrome into Chromium and do all this hassle once a month).

    I have Foxit Reader as PDF reader to display downloaded/created PDF's. So I am not using Adobe plug-ins.

    Only advantage of Chromium above Chrome is that it is unsigned. I have elevation allowed silently. With Chrome I would not use this setting (so you can manually check whether signed programs try to elevate). I would keep UAC on default value with Chrome.
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Windows FireWall: also outbound protection
    I have set it manually, but there are lots of freebies (http://wokhan.online.fr/progs.php?sec=WFN)

    UAC: ValidateAdminCodeSignatures
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System set this to 1 (meaning deny elevation to ADMIN of unsigned programs)
    with REGEDIT (Home and Premium versions) or use Group Policy (see http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx)

    Internet Zone: 1806 drive by protection
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1806 set to 3. Added 1806 trick to registry. This option prevents downloads of executables under IE. Allows download of executables under Chrome/Chromium, but prevents executing them through explorer (unless block is removed, through right click properties). See http://blogs.msdn.com/b/askie/archi...ng-applications-and-unsafe-files-setting.aspx

    Block users from installing unsigned drivers
    Also disabled the user to install unsigned drivers (set to 2) through registry editor HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Driver Signing

    Deny execute of USB drives
    I have set it through GPO, but freebie of PGS of Sully will do the job for free on Home versions also (Sully's site is down, so download pgs from a source I could not check http://www.downloadplex.com/Windows...Download-pgs-pretty-good-security_399216.html ) or hack the registry by hand as Lucy explained https://www.wilderssecurity.com/showthread.php?t=232857

    Windows hardening through EMET
    EMET 2.1 pdf, email, mediaplayer, browser. All overflow protections enabled to max.

    Use Chromium because it is a non-signed program
    Chromium comes as a win-zip file, just extract it to Program Files and no Medium rights programs can change it (Chrome itself neither), and because Chromium is unsigned it will never get Admin rights (elevate to HIGH integrity level). The good thing of Chromium is its LOW RIGHTS internal sandbox. I run Chromium with Bitdefender's Traffic Light and have Norton DNS enabled through router plus using Chrome's anti-phishing protection. Also using Ghostery for blocking tracking, and block 3rd party cookies and allow cookies to be set only for current session in Chrome.

    On demand blacklist check HITMANPRO
    Before executing a downloaded file, scan it with HitmanPro; when it is safe, I will remove the block (see pic: three steps to remove block). When it is unsigned it will not install. When it is signed it will install, but Comodo Program Manager will do a cloud check also.

    Comodo Program Manager
    It works on my rig, it also does a cloud lookup (Comodo AntiVirus) before installation of any program.

    Image and data backup
    Any will do, currently using Windows7 and SyncToy Tool of Microsoft
     
    Last edited: Jan 7, 2012
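    The registry hardening listed in Kees1958's two checklists above (ValidateAdminCodeSignatures, Internet zone 1806, Driver Signing) as an added read-only audit with an optional write switch; this is my example, not code from the thread. Two value names the posts do not spell out (ConsentPromptBehaviorAdmin for the silent-elevation setting, BehaviorOnFailedVerify under Driver Signing) are taken from the corresponding policy names and marked as assumptions in the code.

```powershell
# Added example (not from the thread): audit the registry values the posts above describe.
# Value names the posts do not spell out are marked ASSUMED.
$Checks = @(
    @{ Label = 'UAC: deny elevation of unsigned programs'
       Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       ValueName = 'ValidateAdminCodeSignatures'; Expected = 1 },
    @{ Label = 'UAC: elevate silently, no prompt (ASSUMED value name)'
       Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       ValueName = 'ConsentPromptBehaviorAdmin'; Expected = 0 },
    @{ Label = 'IE Internet zone 1806: downloaded executables blocked from launching'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
       ValueName = '1806'; Expected = 3 },
    @{ Label = 'Block installing unsigned drivers (ASSUMED value name)'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows NT\Driver Signing'
       ValueName = 'BehaviorOnFailedVerify'; Expected = 2 }
)

function Get-SafeAdminAudit {
    # Without -Apply this only reads. -Apply writes the expected DWORDs; the HKLM
    # entries need an elevated shell, the HKCU entries apply to the current user only.
    param([switch]$Apply)
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path $c.Path) {
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.ValueName -ErrorAction SilentlyContinue).($c.ValueName)
        }
        $ok = ($null -ne $actual) -and ($actual -eq $c.Expected)
        if (-not $ok -and $Apply) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.ValueName -Value $c.Expected -Type DWord
            $actual = $c.Expected; $ok = $true
        }
        [pscustomobject]@{ Check = $c.Label; Key = "$($c.Path)\$($c.ValueName)"; Expected = $c.Expected; Actual = $actual; Ok = $ok }
    }
}

Get-SafeAdminAudit | Format-Table -AutoSize
```

    A missing value shows as Actual = (empty) and Ok = False, which is the Windows default state for all four settings.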
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    How's the safe-admin project going? Any news, Sully? :D
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I am afraid Sully is too busy.
     
  25. wat0114

    wat0114 Guest

    Why so many processes opened with Chrome? I've got it opened to one tab only (Google.ca) and installed in Program files (x86) directory.

    Does the ss imply two broker processes @Medium IL?
     
