Ok, I'm hooked....

Discussion in 'other security issues & news' started by Starrob, Jun 27, 2005.

Thread Status:
Not open for further replies.
  1. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    lol :) (I meant checksum tools) + RegDefend can be made in such a way that whenever there's a difference in the tables (possibility of rootkit) it would notify you with the result of what the differences are (like Rootkit Revealer), and I think it would be better anyway cause RegDefend is kernel driven and can inform us in real time while RootkitRevealer is on demand.

    I lost myself too :) and I'm at work at the moment ... so I am switching between numbers (accountant) and rootkits :p
     
  2. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Pollmaster,
    In your scenario the act of not passing something down the chain means that the event will not actually happen because the code that actually performs the real action is never reached.

    However the first function that is encountered could accept the request and pretend to have completed and return false results and none of the security apps would see the request (seeing as it didn't really happen)

    If the first application in the chain was trying to skip the others and still do something it would have to not follow the chain and somehow jump to the original address for that function (sdtrestore shows that the original address can be found)

    The point is that once you allow something to install a driver you are stating that you trust it as you have no easy way of knowing what the driver is doing once it is running

    Regards
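    To make the chain semantics above concrete, here is a small Python model added to this thread (constructed for illustration, not code from any product mentioned; `Table`, `Hook`, `scenario` and the `NtCreateFile` entry are invented stand-ins). It shows gottadoit's three cases for the first hook encountered (pass the request down, swallow it with a fake result, or jump straight to the original address) and the table comparison Infinity describes, which flags any entry that no longer points at the shipped routine.

```python
# Constructed in-process model of a syscall dispatch table (the SDT discussed
# above). "original" holds the shipped entries; each hook overwrites "current".

def real_create_file(path: str) -> str:
    """The genuine routine: the only place the action really happens."""
    return f"created {path}"

class Hook:
    def __init__(self, name: str) -> None:
        self.name = name
        self.seen = []                    # requests this hook observed

class Table:
    def __init__(self) -> None:
        self.original = {"NtCreateFile": real_create_file}
        self.current = dict(self.original)

    def install_hook(self, service: str, hook: Hook, mode: str = "pass_down",
                     fake_result: str = "") -> None:
        prev, orig = self.current[service], self.original[service]
        def handler(path: str) -> str:
            hook.seen.append(path)
            if mode == "pass_down":      # next entry in the chain sees the request
                return prev(path)
            if mode == "jump_original":  # real action happens, chain below is skipped
                return orig(path)
            return fake_result           # "swallow": nothing below ever runs
        self.current[service] = handler  # latest hook is the first one encountered

    def call(self, service: str, path: str) -> str:
        return self.current[service](path)

def diff_table(table: Table) -> list:
    """sdtrestore/RootkitRevealer-style check: entries no longer pointing at the
    shipped routine. Legitimate monitors show up too, so a known-good baseline
    is needed before a difference becomes an alert."""
    return [s for s, h in table.current.items() if h is not table.original[s]]

def scenario(mode: str):
    """Two well-behaved monitors hook first; a rogue driver hooks last (so it is
    at the head of the chain) using `mode`. Returns (result, hooks that saw
    the request, table entries flagged by diff_table)."""
    t = Table()
    monitor_a, monitor_b, rogue = Hook("monitor_a"), Hook("monitor_b"), Hook("rogue")
    t.install_hook("NtCreateFile", monitor_a)
    t.install_hook("NtCreateFile", monitor_b)
    t.install_hook("NtCreateFile", rogue, mode=mode, fake_result="created x.sys (fake)")
    result = t.call("NtCreateFile", "x.sys")
    return result, [h.name for h in (monitor_a, monitor_b, rogue) if h.seen], diff_table(t)
```

    In the "swallow" and "jump_original" cases the two monitors never see the request, yet the table diff flags the entry in all three cases, which is why the on-disk/in-memory comparison still catches what hook-based monitoring cannot.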
     
  3. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Starrob,

    In some manner, it probably is. The problem is that complex code like Windows XP does not necessarily behave as "documented". So, whereas we can look at documentation and try to understand what is supposed to happen, the documentation does not tell the whole story. Developers, in their labs, learn things (possibly undocumented events, or "bugs" in the code) that totally change the way XP actually runs as opposed to how it is "supposed to run" (this happens all the time).

    For example, in the ProcessGuard forum, Wayne recently put a message up suggesting that Install Drivers/Services permission be removed from services.exe in order to "close a hole" in the rootkit installation protection. Another "entry way" was discovered. There are probably more. So given that all of the "facts" are not known or clear, the subject is very hazy and difficult to explain "accurately". If a developer from one of these companies actually tried to get involved and explain all of the nuances "correctly" (as best as they understand it at this time), it would probably take an enormous amount of time and possibly even reveal information that a security company may not want to reveal if they intended to provide entirely accurate information.

    It was great of Jason to take some time out, but I think we have to cut developers some slack. It is a difficult and time-consuming subject. However, I do think all of the companies in this area can do much, much better in creating a user manual which at least gives the gist of what they are trying to accomplish and possible areas that users should be more aware of. I think the user documentation for the most part is really poor and is probably undermining more widespread adoption. Better to do it once, and well, in documentation, than constantly answering questions on a forum.

    Rich
     
    Last edited: Jun 30, 2005
  4. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493


    That is why I am sort of putting a halt to purchasing any more security related software. The only ones I will really consider are ones that explain themselves a little better.

    While the Windows operating system might be difficult, it is no more difficult than subjects such as quantum mechanics, which deals in multiple probability factors. As difficult as quantum mechanics is, it can be explained in plain English.....a number of people do it, such as Stephen Hawking http://www.pbs.org/wnet/hawking/html/home.html

    I just believe that if software is advertised to have certain features then those features should be documented a little further than they currently are right now and not leave as much guesswork in the hands of the user that wants to know why things are a certain way.

    Don't advertise the headline if you can't put the meat into the story. I read the Wall Street Journal, not the National Enquirer. Now......software developers need not go overboard and explain too many technical details, but they need better explanations of what their software is doing. They could even make two parts to the documentation. One a very easy read for computer novices and part II for more technical explanation that maybe the new user might not understand but some of the ones that want more substance will.

    Remember that Burger King commercial?

    "Where is the Beef?"




    Starrob
     
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Only problem is that could potentially scare away the less knowledgeable users. Having it available on request might be another thing, though. The creator of Anti-Hook did have quite a bit to say about hooking, too.. take a look at the "Publications at..." link on the left here: http://www.infoprocess.biz/Links.aspx
     
  6. Arup

    Arup Guest

    Speaking of Antihook, it has been updated to version 2.5 and works nicely on my PCs.
     
  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Starrob,

    I certainly agree that many developers of security products need to explain their products much better. But, I guess, historically that is not what developers like to do - or know how to do. Sometimes they have to go outside of their group to find a person that knows how to explain products to end-user customers. I personally think it is well worth the time and effort since it inevitably leads to a better informed and happier customer base. This was my experience when I used to develop software. At least 15% of the budget went to end-user documentation and training.

    Rich
     
  8. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Rich,
    The PG issue was simply a minor bug in a value added feature; it turns out that there were some extra cases that the code didn't handle. It's not another "entry way" as such, it was just that not all of the cases were observed and handled when the routine was coded. Such is the way of working with undocumented features: they can change and break without notice (and things can be missed).

    As far as I understand it, the result was that PG thought that services.exe was installing a driver when it was actually a 3rd party program and because of that no alert prompt was issued. The workaround given simply ensures that a dialog box will be displayed whenever services.exe does something like that (effectively bypassing the feature for now)

    If you were also running RegDefend then it wouldn't have been a totally silent event, you would have seen an alert because the monitoring overlaps in that area due to these RD rules
    One thing to be aware of is that installing the recommended way and putting PG into learning mode could result in services.exe obtaining driver/service permissions again, something to check after the install if the standard instructions are followed.
     
    Last edited: Jul 1, 2005
  9. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi gottadoit,

    Thanks for the clarification. I think your explanation underscores the overall complexity in defining a "secure environment". There are lots of things to consider so it is difficult to provide a definitive statement that, for example, software X "secures against all such possibilities". New things are constantly being discovered and things evolve.

    A good example is the very fine work that Kent and Tony Klein have done in extending RegDefend's defensive capabilities and it is a credit to RegDefend that it was designed with this flexibility in mind. In the same way, ProcessGuard is "open" and it is possible to give and remove permissions. In the case of services.exe, I have removed Install Driver/Services Permission as Wayne suggests, but I do give the permission back when I turn off and turn on System Restore. Without this user defined capability, I would be locked into one mode or another. Added complexity, but it is necessary in order to handle cases as they currently exist and adjusting to new discoveries - as you described.

    Thanks again for clarifying the issue.

    Rich
     
    Last edited: Jul 1, 2005
  10. Pollmaster

    Pollmaster Guest

    Where? I don't see it on the website
     
  11. Pollmaster

    Pollmaster Guest

    Starrob, it's clear that you are one of those geniuses/talented intellectual people that can understand quantum mechanics and whatnot, but you can be sure most people can't, or even if they could, wouldn't have the time. :)
     
  12. Arup

    Arup Guest

    Wow, looks good.

    Looks like ProcessGuard has a strong competitor now.

    It even looks at dlls starting with programs, something PG doesn't.
     
  14. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    I have been wondering how these two compare. At first glance it appears to have all the features of PG with the addition of looking at DLLs. Interesting.....



    Starrob
     
  15. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Feature wise they look comparable. Apparently anti-hook is free for home users. It should be interesting to read reports on this package as they become available.

    Rich
     
  16. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    This might be extremely competitive with PG, especially if it is free. Security software is an interesting field. I found it interesting business-wise how all these security software companies position themselves to out-maneuver the other.

    It will be interesting to see the eventual response from DiamondCS to this product.



    Starrob
     
  17. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Starrob,

    Looks like it is primarily a consulting company that is targeting the corporate market.

    http://www.infoprocess.com.au/about.php

    I'll be awaiting the reports from the experts as to its reliability, stability and support. It would be nice to see some screenshots (I am not about ready to experiment with it just yet. :) )

    Cya,
    Rich
     
  18. Arup

    Arup Guest

    Have been running Antihook alongside Jammer and CHX; this combo complements each other quite well. CHX does total stealth inbound, Jammer catches everything outbound and also monitors the registry, Antihook does the rest like preventing DLL injection etc. Best part of Antihook is that it lets you write your own rules with its built-in rule maker.
     
  19. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    There's lots of reports on Anti-Hook HERE.
     
  20. toadbee

    toadbee Registered Member

    Joined:
    Nov 10, 2003
    Posts:
    123
    Um, have you all tried A-squared? It's a lot like these programs, only - what you run has to pass thru 155,000+ sigs first, then thru behavior analysis, and THEN it barks if something is still smelling fishy. It takes much of the guesswork out, much of the danger of allowing something to run - ie. you are truly making an educated guess. Meaning "The program just jumped through hoops, and I intended to download and run it, and I hear it's a good program, so I guess I'll let it run."

    I wonder if with some of these security ProGrams you might be better off with an Apple computer?

    Runs fine with that funky "Samurai" program too - which knocks Rootkits on their butt :)
     
  21. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks Arup and Notok for the links. It appears most of the experiences were with the previous release and the consensus seemed to be that the previous release had some weaknesses and was not up to speed with PG. Still, for free, it seems like a good solution. It should be interesting to see how the latest release pans out.

    Thanks again for the info.

    Rich
     
  22. Pollmaster

    Pollmaster Guest

    I hear it works great against lots of spyware type programs, that use similar methods.

    Antihook 2.5 rulez though.
     