Application to prevent process termination

[n8chavez]

Okay, I nearly have my security setup complete. I'm relying heavily on Sandboxie, as I am now going with a scannerless setup. But I'm not that worried about it. SBIE has always been great. But I am a little weary of its process being terminated, thus my security compromised. I'm looking for an app that can prevent process termination without having to use a classical (rule based) HIPS. Is there such a thing?

I've heard of taskcatcher but was never able to install it; whenever I tried the installer would launch yet nothing would happen.

Any ideas?

[EASTER]

Hello there n8chavez

I sympatize with your interest in something like that. TaskCatcher just doesn't cut it with me either, but i'm trying my darnest to see if i can make a HIPS protect apps from termination because i don't know of a single app thats been given attention to keeping programs from termination short of the way System Safety Monitor is been able to do, but i since moved away from it for EQS.

Very good question n8chavez and a very valid topic and i'm also curious just what if anything might be suggested that can help make that possibility finally a reality without having to add a whole security program.

A nice standalone would be great.

EASTER

[n8chavez]

I'm tempted to go with EQSecure again and I know that would solve my issue. But I don't like the idea that woth classical HIPS you need to set rules for everything. It's very hard to remember everything that you might eventually need to do so the rule(s) can be created before I make an image. Also, at least this is the case with EQS 4b2, I've never been able to get the sandbox to work right. But that's why I have SBIE.

[EASTER]

Quote:

Originally Posted by n8chavez

I'm tempted to go with EQSecure again and I know that would solve my issue. But I don't like the idea that woth classical HIPS you need to set rules for everything. It's very hard to remember everything that you might eventually need to do so the rule(s) can be created before I make an image. Also, at least this is the case with EQS 4b2, I've never been able to get the sandbox to work right. But that's why I have SBIE.

Hi n8chavez

You're not missing what your discovering with EQS Sandbox, it's not complete even though it is a nice feature IF they repair it's issues and finally have it perform as we expect it to. I don't use it although i have tried it and it shows promise!

Thats why i'm very impatient and anxious for EQS 4.0 final because if they fix that sandbox and it works to everyone's satisfaction, that will change everything. I still want them (if they will) to use like SSM's "keep this process in memory" so we can LOCK apps from being terminated.

EQS representative posted tonight but on ProSec, but i sent a PM and a post asking when we might expect to finally experience EQS at it's best.

[ErikAlbert]

Is this software terminated ? Is it still good enough ?
http://www.diamondcs.com.au/advancedseries/apt.php

Quote:

Advanced Process Termination

This program is FREEWARE.

Are your security applications vulnerable to termination attacks? Security programs are useless if they aren't running, yet it's so easy for malicious software to terminate them unless they're protected by a kernel-level process protection system like ProcessGuard.

[Huupi]

Quote:

Originally Posted by n8chavez

But I am a little weary of its process being terminated, thus my security compromised.

Any ideas?

Ask Tsuk !

[Peter2150]

Advanced Process Termination(APT) from DCS, doesn't prevent termination, but it does test whether a process can be terminated.

I just tested it using Sandboxie. Ran APT sandboxed. ALL of APT's kill and crash tests failed.

Also you can configure Sandboxie to nothing but your browser can run in the sandbox.

So unless you are worried about something coming from somewhere other than a browser you are covered.

Pete

[ErikAlbert]

Quote:

Originally Posted by Peter2150

Advanced Process Termination(APT) from DCS, doesn't prevent termination, but it does test whether a process can be terminated.

I just tested it using Sandboxie. Ran APT sandboxed. ALL of APT's kill and crash tests failed.

Also you can configure Sandboxie to nothing but your browser can run in the sandbox.

So unless you are worried about something coming from somewhere other than a browser you are covered.

Pete

OK. Thanks for the explanation.

[n8chavez]

I guess I'm worried for no reason. But there have been a couple of times when I noticed that Opera wasn't sandboxed and it was supposed to be. I have it set up so that it is forced, so that means that the process wasn't running. At least I think that's what it means. That's my worry. Is SBIE is in any way bypassed then I'm completely vunerable.

I am trying out AnVir's Security Suite. I like it, it's a good replacement task manager. I was on their forum the other day and suggested to them that they implement process protection into their application. They responded by saying that it was a good idea and that they'll discuss it, whatever that means.

[Threedog]

You can use Processguard from Diamond CS and add different process to the list to protect against termination. You will be stuck using the free version as you can't get a license for the full version any more.

[alex_s]

Quote:

Originally Posted by Peter2150

Advanced Process Termination(APT) from DCS, doesn't prevent termination, but it does test whether a process can be terminated.

I just tested it using Sandboxie. Ran APT sandboxed. ALL of APT's kill and crash tests failed.

Also you can configure Sandboxie to nothing but your browser can run in the sandbox.

So unless you are worried about something coming from somewhere other than a browser you are covered.

Pete

It is interesting, if you run Apt not sanboxed, will SBIE prevent sanboxed browser from termination by Apt ?

[LoneWolf]

Quote:

Originally Posted by n8chavez

I've heard of taskcatcher but was never able to install it; whenever I tried the installer would launch yet nothing would happen.

Any ideas?

You could always e-mail Bill at support@WinPatrol .com (with out the space of course)
I know it says WinPatrol but its the same Bill.
I'm sure he would be happy to help.
Myself i've never have any problems with either WinPatrol or TashCatcher, ever.

[MrBrian]

Have you considered using a HIPS with monitoring turned off for all item types you don't care to monitor?

Comodo Firewall 3 could achieve such a setup, I believe. Turn off monitoring of all items except process termination. Specify those programs you wish to protect from process termination. Also, in Computer Security for item 'All Files' (or 'All Applications' or something similar), allow all process terminations, and make sure this entry is moved to the beginning of the list. This setup, I believe, will protect only those programs you specified from termination, without other alerts.

[Peter2150]

Quote:

Originally Posted by alex_s

It is interesting, if you run Apt not sanboxed, will SBIE prevent sanboxed browser from termination by Apt ?

Don't know. I don't see, at least for me, a plausible scenario. The whole point is something coming down the pike while browsing, so how does it get on the system to do what you are asking?

Pete

[n8chavez]

Quote:

Originally Posted by alex_s

It is interesting, if you run Apt not sanboxed, will SBIE prevent sanboxed browser from termination by Apt ?

No, if i understand you correctly, SBIE can prevent process termination only from sandboxed applications. Of course the application you want to protect have to be listed as protected. Please see below for further explaination.

[Peter2150]

Quote:

Originally Posted by n8chavez

Of course the application you want to protect have to be listed as protected.

Not really. I just ran APT sandboxed, and picked a process at random. Didn't add it to any settings. Sandboxie prevented all termination attempts.

[EASTER]

The only security program that i've had plenty of positive experience with in protecting full closure of running processes is been System Safety Monitor. If for what ever reason any app you set it to "keep process in memory" happens to either crash or is forced closed, SSM immediately restarts it again and again to infinitety.

I don't know of any standalone app that can do that, and all other HIPS to my knowledge don't bother to impliment this protective procedure except SSM, and of course it's a HIPS.

EASTER

[Peter2150]

Quote:

Originally Posted by EASTER

The only security program that i've had plenty of positive experience with in protecting full closure of running processes is been System Safety Monitor. If for what ever reason any app you set it to "keep process in memory" happens to either crash or is forced closed, SSM immediately restarts it again and again to infinitety.

I don't know of any standalone app that can do that, and all other HIPS to my knowledge don't bother to impliment this protective procedure except SSM, and of course it's a HIPS.

EASTER

You are right about SSM. But Prosecurity also protects against termination. But all HIPS programs require the user to do the right thing with the pop up.

Sandboxie doesn't require user intervention. No Pop up's. If a program is running sandboxed it can't terminate another process period. That's a big advantage.

[n8chavez]

Quote:

Originally Posted by Peter2150

You are right about SSM. But Prosecurity also protects against termination. But all HIPS programs require the user to do the right thing with the pop up.

Sandboxie doesn't require user intervention. No Pop up's. If a program is running sandboxed it can't terminate another process period. That's a big advantage.

You are correct Peter. However, if you are using SBIE as your main security application, especially to protect against process termination, then you have essentially made the SBIE process(es) extremely valuable and vunerable, as there is nothing in place to prevent them from being terminated. That's where I am, and why I'm looking for help in addition to SBIE.

Let me just expand on a few things:

Quote:

Originally Posted by Easter

I don't know of any standalone app that can do that, and all other HIPS to my knowledge don't bother to impliment this protective procedure except SSM, and of course it's a HIPS.

That is a very good idea. I admit I like SSM better than any other HIPS both because it was the first one I used and because it has an option to restart terminated processes. That sounds like exactly what I'm looking for, right? Well, it is. Except that there seems to be some sort of compatability issue between SBIE and SSM; progras that are lauched as sandboxed take about ten minutes to load, if they ever do. I've tried installing SSM five time, each with the same result. If it comes down to SBIE or SSM I'll choose SBIE every time.

Quote:

Originally Posted by Peter2150

Not really. I just ran APT sandboxed, and picked a process at random. Didn't add it to any settings. Sandboxie prevented all termination attempts.

Correct. Let me clarify what I meant. One of two things has to be in place; either the program doing the terminating must be sandboxed or the programs you want to prevent from being terminated must be protected via SBIE's settings.

[Peter2150]

Exactly on several points. I run Sanboxie, and OA paid. I also run SSM as a sort of backup. Thats it. The three play fine for me on 4 machines.

[n8chavez]

Quote:

Originally Posted by Peter2150

I run Sanboxie, and OA paid. I also run SSM as a sort of backup. Thats it. The three play fine for me on 4 machines.

That's weird. I wonder why it doesn't function correct;y on my system. Do you have the paid version? Are all the modules enabled?

[Peter2150]

Quote:

Originally Posted by n8chavez

That's weird. I wonder why it doesn't function correct;y on my system. Do you have the paid version? Are all the modules enabled?

I have paid versions of all 3. They all work fine for me.

Pete

PS. I don't have any type of scanners on board.

[trjam]

Hey Peter, I know Mike wont mind but from the OA home page,
"Online Armor also provides powerful protection against keystroke records and even filters your email messages to weed out banking scams. While you're surfing the web, Online Armor filters web pages that you visit to remove potentially dangerous content."

Now that sure as heck is close to "scanning" as you can get in my view point. Just having some fun my friend. I figure as long as Avira is not set to do a pre-scheduled scan, then I dont use a scanner either.

[Peter2150]

Quote:

Originally Posted by trjam

Hey Peter, I know Mike wont mind but from the OA home page,
"Online Armor also provides powerful protection against keystroke records and even filters your email messages to weed out banking scams. While you're surfing the web, Online Armor filters web pages that you visit to remove potentially dangerous content."

Now that sure as heck is close to "scanning" as you can get in my view point. Just having some fun my friend. I figure as long as Avira is not set to do a pre-scheduled scan, then I dont use a scanner either.

Okay, not scanning in the sense of AV's and AS's.

[trjam]

cant argue with a honest man.