comparison of anti-trojan programs and intrusion protection systems when dealing with

Discussion in 'other anti-malware software' started by Wai_Wai, Aug 21, 2005.

Thread Status:
Not open for further replies.
  1. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Oh I see!
    Simply put, it looks like the localization of behaviour blocking and heuristics etc.
    Sounds interesting, although it's probably for advanced users only.
     
  2. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing


    Yeah, I dislike the term expert but I do listen to everyone's posts. However, some people's posts carry a greater weight than others.

    There are maybe like 5 to 10 people on Wilders that at some point in time that I have talked to that are really knowledgeable. Most of them don't make comments very often in public. Most probably read these public posts and chuckle. Actually, the more I learn the more I laugh at some things that are said. I just am trying better not to offend others these days because it is all a learning experience. Even learning not to offend others while at the same time trying to share knowledge is a learning experience.

    One of the people here on Wilders that I pay the most attention to rarely enters public "debates". If I want to know something I usually just ask this one specific person and generally I can find the right direction.

    There is only one vendor that I have found that will go pretty far in answering questions but you have to know the right questions to ask. Generally if you ask the right questions you can get some answers from one particular vendor.

    Please don't ask me who I go to discover things. Anyone that wants to learn just has to be observant. The ones that do know things become apparent over time.....then you just have to ask the right questions and sometimes this must be done in private.

    Also, I know that some people discount the things Pollmaster says but he has many valid points....you just got to listen and learn.

    Some people like RMUS would really like to discuss security on this forum but sadly the discussions many times center around who has the best detection rate or what program are we playing with today o_O



    Starrob
     
  3. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780

    You're right. I myself found lots of posts very knowledgeable.
     
  4. Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    It's true. But not really surprising if you think about it for a moment. I'm sure, Starrob, you are smart enough to figure out why, I have confidence in you, or you could just ask one of your secret vendor sources :)
     
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    If I recall, when I installed RegDefend, it asked me if I wanted to allow RegDefend to run, and to do any modifications to the operating system that it wanted to do. I responded Yes. I do this only for trusted security applications. I do not do this with other programs that I may intentionally try to launch, or that try to launch themselves. (This approach has already stopped one security breach.) That is why I have PG. If I responded No, then RegDefend can do nothing. It is as simple as that. No rocket science to speak of.
     
  6. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Nope, it is not surprising....lol and I don't really have to ask anyone why....lol
     
  7. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing


    No...it is not rocket science but I doubt if most people can explain to me how it is done. If you poke around a bit you might find there are possible ways one might go around PG.

    Also, it is relatively easy to go out and post an application up somewhere that looks like a legitimate security product or a legitimate application.

    I am aware of one website that posts a "must have" codec that is advertised as improving the viewing in Windows Media but instead loads all types of malware on the computer when clicked. I am surprised that the website has never been taken down frankly but that is neither here nor there.

    Let's just say, it might be theoretically possible to create malware where you would not get the alert that a driver or service is being installed and yet PG would be bypassed and all sorts of things could be then installed. That is as far as I'll go. You might have to do a bit of research to figure out how that might possibly be done.

    The average malware coder probably might not be able to do it but maybe people who work for certain government agencies know how to do it......





    Starrob
     
    Last edited: Aug 25, 2005
  8. Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    I'm not sure if you are missing the point, or perhaps you are not being very clear here. What does 'Do any modifications to the operating system' mean?

    To be clear, we are not talking about the effectiveness of execution protection. You might agree to install a program, but decide not to give it the right to terminate other processes.

    PG claims to protect processes from being terminated by other running processes, unless they are given permission. This is independent of whether it warns you that Regdefend is running or being installed.

    Starrob seems to be saying (or he is just giving an example, I don't know how to interpret Starrob 'cos he acts all mysterious about what he knows and doesn't) that Regdefend being able to kill processes even without being given termination rights is something worth investigating.

    It isn't.

    The key is that Regdefend claims to be kernel based, and once given that, it can override any other kernel based program including PG.
    Is that what you mean?


    In addition, we are talking about Jason here, who worked on PG before....


    Well, we never know with you, since you admit to acting clueless and expert depending on your mood. It's hard to take you seriously :)
     
  9. Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Yes, I can confirm it can be done. Script kiddie tool being developed to do this in fact. No I won't tell you where to get it.
     
  10. Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Hey starrob I really enjoy the way you hint about all sorts of forbidden knowledge that you have but you can't share. I also found this new place with such forbidden knowledge and I have my own personal guru too :)


    What do you mean by discuss security?

    If it's

    A) Talking about *concrete* ways to modify viruses to evade antivirus, ways to exploit vulnerabilities, then it would be over the heads of the non-programmer crowd. And the moderators will shut it down anyway to "avoid giving ideas".

    ~snipped personal attack directed toward member....Bubba~
    So what's left? :)
     
    Last edited by a moderator: Aug 25, 2005
  11. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing


    Yes, being kernel based it can override any other kernel based program. That is probably the method he used to bypass PG.

    It also might be possible to bypass PG without the use of a driver/service too but I am not sure that Regdefend uses that "theoretical" method.


    Starrob
     
  12. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    RegDefend doesn't interact with other kernel based protection schemes in any targeted manner. Rather, the method used to kill processes is similar to the self termination the application itself does on exit. ProcessGuard currently doesn't protect against self termination (and I'm not necessarily saying that it needs to).

    The same self termination code could be run from usermode (not kernelmode) through a DLL or other piece of code running within the process and ProcessGuard would not alert on the termination. This is why you don't get ProcessGuard alerts when a process terminates itself when you close it manually.

    However, since ProcessGuard protects against most injection vectors with regard to getting foreign code to run in another process, the likelihood of a non-kernel-mode program "bypassing" it would be quite low.
     
  13. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing


    The knowledge I hint at is not forbidden. If it was "forbidden" then I would not find it. Actually, almost everything I know can be pieced together just by searching past posts here on Wilders.

    Most of it has already been shared. Most of the reason I don't state things explicitly is because then people will get more into personal attacks rather than discussing issues.

    A wealth of information can be gained between here, DSLreports, ROKOP, nautilus's website, black hat boards and a few other places. A snippet here, a snippet there and a lot of things can be pieced together over time.

    I don't think there are very many real secrets but people have to piece information together for themselves. If I come out and state things directly then I am subject to attack and many endless non-profitable arguments ensue. On the other hand, if people search out the information for themselves....they will find it and won't engage in endless arguments.....unless of course they like arguing with themselves.

    Most of what people would like to know is written in black & white. It just takes a little reading.


    Starrob
     
  14. Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    If that is the case, shouldn't Secure message handling handle it?
     
  15. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Last posts including personal attacks removed as per our TOS. Let's stay on topic from here on out!
     
    Last edited: Aug 26, 2005
  16. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    In my opinion, the biggest downside to intrusion prevention products is that they are relatively new products and it might take some time to work the kinks out of many of the products.

    How effective these new behavioral products are will become apparent over time.

    AV's and AT's have downsides too. Namely that it is increasingly hard to keep adding detection signatures for all the new malware that is coming out every single day.

    I believe education is probably the most important tool in computer security.





    Starrob
     
  17. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    hmmm....PG does say that if another application gets to kernel level that it may not be able to stop it doing its intended function.

    If I remember right, for WormGuard they say 'give it permissions to make life easier, but it's not absolutely necessary to do so' or words to that effect.
     
  18. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Totally. Once a user gives another program kernel level access, then all bets are off. In this regard, I believe that alert messages as well as help boxes of messages can be more descriptive of the nature of what the program is attempting to do - beyond just stating that it is attempting to install a driver/service.

    In any case, it is for this reason, I only allow "trusted applications", (i.e. applications from known trusted sources), to install services/drivers. For example, all the security programs I install have to come from trusted sources, and not simply something coming from Download.com. This cautious approach has already saved me once.

    Rich
     
  19. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    In this regard, I think it is far more helpful to users of behavioral monitoring software, to assist them in learning how to use the products more effectively, instead of telling them not to use them at all.
     
  20. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing


    I never said not to use it at all. That is up to the individual user. I do feel, though, that education is more important than any application.

    There are some that have educated themselves to such levels that they run virtually no security software at all and they don't get infected......then there are others that load their computer up with security applications and still get infected.

    Some people use security apps for convenience's sake, others have no need. It is an individual decision.



    Starrob
     
  21. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    heheh, got time for one more post before I go to work.

    I have a friend who's an MS Certified Engineer, Programmer in a number of languages, Computer Technician, Network administrator etc etc etc etc (from the old school before people started specialising).

    He only runs a firewall, AV, and firefox. Says he hasn't been infected for years, and I know he surfs ...err...dubious sites.
     
  22. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    I used to do the same thing, when my profession was learning about computers. In other words, I was paid to spend time learning about operating systems - and each new version of operating systems, etc. If a person is getting paid to do this work (and then leverage the time for one's own personal use), it is much easier to justify the cost in time that is being expended.

    If a person has other responsibilities in life, or just doesn't want to spend his/her life learning about operating systems, then there are other methods to approximate the same level of security with far less expenditure of time. I guess it is all about how one wants to spend his/her time. I'm going out to get a latte. :)

    Rich
     
  23. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    I don't think one needs to educate themselves to know all of the ins and outs of an operating system to remain safe on the internet.

    I do think, however, that people can educate themselves to remain relatively safe on the internet. Some educate themselves in the use of different pieces of software to remain safe. Others educate themselves on the best habits to use to remain relatively safe. A majority of people do both.

    There are a lot of factors to consider when setting up security for a computer and it is different for each person. Among the reasons why people disagree so much on Wilders is that each person has different needs and a blueprint for one person might not necessarily work for another.

    For just about any pros people mention, there is a con, and people weigh the different pros and cons differently. It does not necessarily mean one person is right and the other is wrong....it simply means people weigh things differently.


    Starrob
     
  24. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    I'm not sure if Regdefend can defeat PG or not.

    Anyway, the problem of PG is that it is subject to registry-related attacks. It cannot protect itself from being disabled by editing the registry. If you think this is serious, you need to find another IPS which will protect the registry as well, or use supplementary products to help PG (eg Regdefend, RegRun).

    On one hand, PG can protect AV/AT/AS from intrusion/termination. But on the other hand, it cannot protect itself from intrusion in some other ways :p
    Now we need registry protection like RegDefend / RegRun. Later we can expect to hear how hackers can intrude on them by some other methods. :doubt:

    So the best is to implement multi-layered protection, in which each security product can protect the others and cover each other's vulnerabilities/loopholes. :)
     
  25. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Re: comparison of anti-trojan programs and intrusion protection systems when dealing

    Very true.
    The first fact is different people have different value judgements. For the same threat, some people may think it is dangerous. Others may think it doesn't really matter.

    It depends on whether you are risk-averse or risk-taking.

    The second fact is different people place different trust in their own perception.

    Some people may place a high value on their personal judgement and perception. Some others may wish to make their judgement based on magazine reviews or others' advice. Some others may wish to get answers from some independent tests/reports. Some people may think that everything is not really accurate or reliable or representative, and decide to disregard them altogether.

    The third fact is different people have different judgements on security.

    Some people may only think they are safe since their computer works fine, or they don't see that they are infected by any malware. (It may be false security nevertheless, since some malware is used in ways that do not reveal its existence.)

    Some people may take potential threats into account. The security risks are there. It's up to you to block them with different means. Remember the threats are potential, and you may be lucky enough that no one exploits that threat on your computer.

    No one can get absolutely safe unless you are going to shut down your computer. Everyone can be relatively safe depending on how you decide which level is considered safe. Is leaving 100 threats regarded as safe, or 1000?

    We all need to take a point somewhere between totally risk-averse and risk-taking. :-*
     