PGS - Pretty Good Security

[Sully]

EDIT: Final release version 1 is now available - July 28th
(time restraint removed)

http://mrwoojoo.com/PGS/PGS_index.htm

Anyone who has been here for awhile knows I like SRP. Tlu started it with his awesome information located here
http://www.wilderssecurity.com/showthread.php?t=200772

This went beyond what little use I ever had for SRP. I played with it for awhile, but I don't use LUA for the most part. It wasn't until I found out about the 'Basic User' option that SRP really started to catch my interest in a big way.

Still, I did not really like the interface with secpol or gpedit. I knew of the registry portion of it, and even messed with this a little. It wasn't until Lucy's very fine thread on Vista and SRP that I started really contemplating it's use. That thead is located here
http://www.wilderssecurity.com/showthread.php?t=232857

Over the next few months I developed a number of different schemes for utilizing SRP. I still have a few more up my sleeve to pull out at some point, but my job is currently taking what was my 'free' time.

Anyway, a few months ago I posted that perhaps this whole SRP registry bit needed a GUI. Lucy was on-board and we started collaborating. Soon Zopzop started giving input as well. Not too long after that, I had a rough shell. Those two performed initial testing. Tlu was next to start giving input. Many more versions were compiled and tested. And recently Kees1958 joined the fray with his input as well.

I have ran the program, called PGS, a thousand times, in as many different scenarios as I can think of. It has changed beyond what I initially set out to create, but for the good.

I cannot state enough how much I appreciate all of the testers input and experience. The more viewpoints the better I say.

I used to have a website to house some small programs I shared with some friends. I still have the domain name, so I decided to open a small free website account again and place the beta version there.

lol, I dislike html, so it is as bare as it gets. Nothing fancy, just text and pictures.

Any feedback is appreciated.

Sul.

[Rmus]

Hi Sul,

Congratulations on all the work you and the others put into this!

When it's out of beta and ready to be released, I want to notify several people who will be interested.

----
rich

[Sully]

Thanks.

I think I will put the beta up by Monday at the latest if all goes well.

I know there will be nuances that need to be corrected, but it is fairly quick to do those things. Final release I don't know, whenever the nuances are sorted.

Probably one of the greatest features of PGS will be it's ability to manipulate the registry easily for those who have XP Home or lower end Vista versions. Since the process to invoke SRP is built into those OS's, and only the registry values are really required for functionality, this let's those people use SRP without having to muck around with .reg files or try to install Group Policy stuff, while protecting the default rules or providing them if they don't exist.

Hopefully it will be useful.

Sul.

[Meriadoc]

Thanks Sul, sounds good - really interested in having a look.

[Joeythedude]

Sounds really good. Looking forward to trying this out.

Like the page too ( Looks like my 1st attempt at a web page )

[Sully]

Quote:

Originally Posted by Joeythedude

Like the page too ( Looks like my 1st attempt at a web page )

lol, while not my first attempt it sure does look like it. I discovered a number of years ago that I would rather use a script other than anything to do with the web. Probably should have invested more time, but I prefer applications that don't involve a browser.

Sul.

[Sully]

See first post for update. Beta version is available now.

Sul.

[soccerfan]

Quote:

Originally Posted by Sully

Probably one of the greatest features of PGS will be it's ability to manipulate the registry easily for those who have XP Home or lower end Vista versions.

Many thanks May I assume that all this can be done without a reboot (as I recall from your previous posts).
If true, it would make it easy to try out if one uses returnil, for example.

[Sully]

Quote:

Originally Posted by soccerfan

Many thanks May I assume that all this can be done without a reboot (as I recall from your previous posts).
If true, it would make it easy to try out if one uses returnil, for example.

Yes, no reboot required. Logoff or a restart of shell will do usually. There is a menu item for those with taskkill.exe (running under admin, not user) to restart the shell for you.

It is interesting that because these values are saved to registry, they often are not immediately effective. So a logoff or shell restart 'reloads' the hive and then they are effective. I have noted, that if lets say you make a new path rule, like block notepad.exe. It is not immediately effective. But also say that you are using the option to 'include dll's', if you use PGS to change this to 'exclude dll's'. Apply the change, then go right back to 'include dll's' and apply the change. Very often, this seems to trigger something, and no reloading of registry hive is needed. Not sure why, as I have not studied it in detail yet, just something I noticed along the way.

Sul.

[m00nbl00d]

Hello Sully,

Nice to see you developing a tool to make things easier for those users not having other way than hacking registry for SRP.

I still haven't tried it! But I will! But, meanwhile, I'd like to ask if it would be possible to add exclusions in what comes to logging. (For what I can remember of the screenshots, I haven't see it.)

I mean, for example, whenever I turn logs on, to check what is possibly being blocked by SRP, it's almost an impossible task to read, for example, *.txt files in usb drives. It simply crawls. Even having the logging disabled, at the registry, doesn't cut it. I have to delete the entries, otherwise the crawl will still be there.

So, a nice feature would be to allow users to exclude SRP to log to USB drives.

I don't know if would be something easy to implement, but, well, here you got my first suggestion.


Thank you

[Sully]

That is an interesting idea. I have not seen over at MSDN anything related to effecting what SRP logs. But then I have not looked. If they expose a method it might be possible. I am assuming you are saying that using PGS to set the LogFileName registry value to a filename and not any error logging that PGS does on failed functions. And I assume you know that by removing the LogFileName registry value that a log is not created, although I don't know if that actually turns logging off or just does not write it to a file.

Sul.

[MrBrian]

Quote:

Originally Posted by m00nbl00d

I still haven't tried it! But I will! But, meanwhile, I'd like to ask if it would be possible to add exclusions in what comes to logging. (For what I can remember of the screenshots, I haven't see it.)

The free program Mandiant Highlighter may be useful in filtering items from log files.

[Sully]

I have looked quite a bit for anything related to turning off SRP logging. The only thing I can find related is the registry value we are already using (LogFileName). I have not found information of whether SRP actually generates the log data even if it does not write it to a file, nor any information at all on SRP logging in general. So at this point unless I stumble across it somewhere, there is not much to be done other than that registry value.

BTW, new beta compiled on June 8th, v1102. A few small fixes.

Sul.

[soccerfan]

Can the PGS tool be used to block execution of autorun.inf? Any instructions appreciated. Thanks.

[zopzop]

Congrats Sully and crew! This program is great, I've messed around with an earlier beta of it and it didn't mess up my machines or anything.

[Sully]

Quote:

Originally Posted by soccerfan

Can the PGS tool be used to block execution of autorun.inf? Any instructions appreciated. Thanks.

Yes and no. Here are 2 threads devoted to just that topic
http://www.wilderssecurity.com/showthread.php?t=240319
http://www.wilderssecurity.com/showthread.php?t=240474

Last time I played with it, SRP can only stop autorun.inf if you Deny the entire drive. I have yet to find a way to get SRP to stop autorun.inf itself while leaving the drive letter open for other executables.

So you can add a path rule like g:\ and it will stop everything. The easiest way I have found is to create a DIRECTORY on the USB drive called Autorun.inf. If something tries to place a FILE autorun.inf on that drive it will fail because a DIRECTORY of that name already exists. That is, until the script kiddies figure out how to circumvent it.

Sul.

[soccerfan]

Quote:

Originally Posted by Sully

Last time I played with it, SRP can only stop autorun.inf if you Deny the entire drive. I have yet to find a way to get SRP to stop autorun.inf itself while leaving the drive letter open for other executables.
So you can add a path rule like g:\ and it will stop everything.

Thanks. This should work and, I suppose, be easy to add as a path rule in PGS (as per your instructions).
I suppose adding path rules for several drive letters (g:\, h:\ etc) should prove a good preventative?

Quote:

Originally Posted by Sully

The easiest way I have found is to create a DIRECTORY on the USB drive called Autorun.inf. If something tries to place a FILE autorun.inf on that drive it will fail because a DIRECTORY of that name already exists.

This is what I have done for my own USB drives,
but I was more concerned with the scenario of using an unknown flash drive on my PC.

[Pedro]

Hey Sully,
just wanted to congratulate you on your new tool. Will try it out when i can.

Wait, what's this, no spam filter, no file backup?

[ParadigmShift]

Has your tool been tried on Windows 2000?

[Sully]

@Pedro

Thanks. I was thinking of a command line option that allows you to have a hotkey to open the coffee cup holder when needed. Would that make it a suite then?

@Paradigm

Windows 2000 AFAIK has no SAFER functionality. I have not tried as I read at MSDN it started with XP and up.

Sul.

[ParadigmShift]

Quote:

Windows 2000 AFAIK has no SAFER functionality.

Ah, yes, I know.
Just wondered if you've tested your tool with that O/S.

[Pedro]

Quote:

Originally Posted by Sully

@Pedro

Thanks. I was thinking of a command line option that allows you to have a hotkey to open the coffee cup holder when needed. Would that make it a suite then?

It would make it a jolly good program

[Sully]

@paradigm, I will try it at work and see, on both 2k sp4 and 2kAdvServer.

@Pedro
I will make in the next version, any time you press the 'Any' key, the coffee cup holder open

Sul.

[Warklen]

Very nice tool indeed...Congrats and thanks

[Sully]

Thank you.

Any comments/bugs?

Sul.