Problem: Windows Explorer > right-mouse-click > not responding > hard reset

Discussion in 'ProcessGuard' started by newbornii, Dec 5, 2004.

Thread Status:
Not open for further replies.
  1. newbornii
    newbornii Guest

    Hi Pilli, thanks. I will keep an eye on this if it ever happens again on my box. Probably I will try setting SMH again on the PG GUI and switch back and forth between an adm_acct and a limit_acct and see whether there is a hint to reproduce it.
    Today, my box gets back a problem with Windows Explorer and right-mouse click (shortcut menu). Now, opening Windows Explorer and doing a right-mouse click on a filename (no problem with folders), WE goes to "not responding" and I need to end it either with its shortcut menu (using right-mouse click on its display on the taskbar) or do a hard reset. It persists right now in either adm/limit accounts. I don't know whether PG has something to do with it.
    I have read something about WE trying to reach the internet every time you do such an RMC on a file; is that correct? If no internet connection is ready, the system stalls? Can anyone jump on this for help? The problem really bothers me.

    Thanks all.
  2. bloodscourge
    bloodscourge Registered Member

    Hi,

    Got a similar problem with the Windows Explorer right-click menu, but I think (pretty sure) it's related to TDS3. I've encountered it since its install. Here are the symptoms: opening a movie by double-clicking the file works quite well, but opening the same movie with right-click -> open with -> player (same issue with both Media Player Classic and Windows Media Player) shows strange behaviour: the TDS3 process suddenly takes a lot of memory (up to 700 Mo!!! PC instability & crash guaranteed!!! :D). TDS3 doesn't even release the memory after the player's exit, but only if I launch another application. Surely a problem related to scanning/unpacking(?)...

    Don't know if this issue is already known or if it's related to yours... :doubt:
    Thought it was a "no-luck" problem :rolleyes:

    PS 1: the same thing happens with Winamp but it's more subtle (memory charge).
    PS 2: it seems to be format-independent (at least for movies).
    Last edited: Dec 6, 2004
  3. newborni
    newborni Guest

    Thanks for your info. Has that problem been fixed on yours?

    The problem on my box was with any files (not folders). Right now it has gone away; I don't know whether it relates to some changes done to PG security settings for winlogon.exe & smss.exe, and a reboot. Should I try to remove such changes to those and see whether the problem reappears?

    thx all.
  4. bloodscourge
    bloodscourge Registered Member

    I'm happy you managed to fix your problem! Mine? Not FIXED yet :D

    It would be nice if someone else made some tests as detailed in my posts, 'cause I don't think it comes from my configuration (or maybe from my RAM modules... but I've done some tests with memtest86+ and nothin') ;)

    PS: FYI, here are the settings I have for your processes (from learning mode):
    - smss.exe: termination+modification; terminate+modify+read; install drivers+access physical memory
    - winlogon.exe: termination+modification; terminate+modify+read; access physical memory
    Last edited: Dec 6, 2004
  5. newborni
    newborni Guest

    Thx for the info on the process settings. On my box, I have the same settings for those, but the "APM" right.
    In fact, I don't believe that I managed to fix it although it is gone. I doubt that my box has been compromised even having PG/PrevX/ZAP in place for defence. Do you know whether attackers can elevate system/adm rights through hacking the Windows OS to bypass all security software? My box is WinXP Prof SP2. Please help if you/someone else knows. Otherwise, I believe my box has been keylogged so any pw is being exposed to the attackers o_O Or that my defence programs have already been backdoored? (mostly, should be not)
    Right now, there is another thing: every time I log in (adm/limit), Windows Explorer starts up and shows its window anyway. I took a look at the option "Restore Previous Window at logon" - unchecked; I checked startup points (msconfig.exe/HijackThis/regedit), there is nothing related that I know of yet. Can one help me out?
    Appreciate much any help.
    Thx all
  6. Pilli
    Pilli Registered Member

    If ProcessGuard is installed on a clean system then nothing can get below it. Administrators do not have kernel mode privileges, so with ProcessGuard's kernel driver in place nothing can kill it or the processes it protects except by the direct actions of the operator.
    Obviously if your machine had an unknown RAT or keylogger in place before installing ProcessGuard then you may well be still compromised.
    If you are not sure whether your machine has been compromised or not then please send your HijackThis report and/or AutoStart Viewer log for analysis with your license details to support@diamondcs.com.au .
    AutoStart Viewer is available from here:
    http://www.diamondcs.com.au/index.php?page=asviewer
    When creating the AS Viewer log please select all three menu items.

    HTH Pilli
  7. bloodscourge
    bloodscourge Registered Member

    And my problem Pilli? :D

    Did you ever hear of this kind of memory leak (cf. my first post) or is it a "normal" behaviour of TDS3? :eek:

    Thanks,
  8. earth1
    earth1 Registered Member

    Hi newborni,

    One thing that comes to mind is password policies. The older MS implementation of password authentication actually weakened passwords very severely. If Windows stores the old style hash codes and/or passes them across a network, your system could be extremely vulnerable. Microsoft has tended to favor the weak policy by default to ensure backward compatibility, but I'm not sure about XP-sp2. There is a program being sold for $50 that requires only seconds to break those weakened hash codes for alpha-only and 99% of alphanumeric passwords. Obviously, if your admin password is cracked, someone else owns your system.

    I'm probably not your best source, so I'll just point you to some relevant information. There is a thorough explanation on this page
    For more information, try googling the phrase:
    "Send LM & NTLM" +crack

    I've seen ambiguous/conflicting opinions about what is safe. If you're not networked with older systems, NTLMv2 is much better than anything before it. Everyone agrees that "LM" is horrible. I'm not sure who's right about NTLM. There are many helpful people here who can better clarify matters if you think you have a problem.

    To see your current setting (Win2000, not sure about XP) go to:
    Control Panel -> Administrative Tools -> Local Security Policy.
    Under Security Settings -> Local Policies -> Security Options you will find an entry for "LAN Manager Authentication Level".
    Last edited: Dec 7, 2004
  9. Pilli
    Pilli Registered Member

    Hi bloodscourge
    There is a known problem with TDS3 and large compressed files, 500MB+, especially if they are in large .rar format or spanned zip files. I am not sure if this can be worked around, but I do know that TDS4 will not suffer the same problems.

    HTH Pilli
  10. Starrob
    Starrob Registered Member

    It might be possible but it is probably unlikely. It would take someone with a little bit of knowledge to pull it off. Unless you pissed off someone with really good hacking skills, it is unlikely that someone can bypass PG.

    Is it possible? Well, I am hoping that a solution can be found to close one potential way that for example may allow you to replace the original winsock dll by a trojanized version.

    Nothing is foolproof because Windows is just full of holes and has a lousy design. I do believe, however, that Jason is doing an excellent job plugging as many as he can find.


    Starrob
  11. Starrob
    Starrob Registered Member

    Last edited: Dec 9, 2004
  12. Pilli
    Pilli Registered Member

    Hi Starrob, I cannot answer these questions but hopefully DCS will drop by in the morning (Perth time).

    Pilli
  13. newbornii
    newbornii Guest

    My box is connected to a router (home version) and the router is hooked to a cable modem; it works like a stand-alone box and no Active Directory; so do the MS weak auth. protocols affect the box? Anyway, the box already has these entries set:
    "Network Security: LAN Manager Auth. Level" = "Send NTLMv2 response only/refuse LM & NTLM"
    "Network Security: Don't store LAN Manager hash value on next pw change" = [enabled]

    What did you really mean, that one with a little bit of knowledge can hack a patched Windows box? Really? That's scary. Can you please specify in detail how to do that so I can try to see how my box is full of holes?
    Did you mean that PG can be bypassed by ones with good hacking skills? That makes me frustrated.
    I also put in PrevX to monitor/protect system files (.exe, .dll, ...). Is this not enough to defend against deleting/modifying dll files by malicious programs (attackers)? Can we trust PrevX?

    Thanks all and looking forward to all instructions/info/xp.
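A defender's check for the two Local Security Policy entries discussed in earth1's post and listed by newbornii above, as an added example that is not from any post in this thread. It reads the registry values behind those policies (LmCompatibilityLevel and NoLMHash under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) and reports whether they match the hardened configuration newbornii describes; the function and object names are this example's own.

```powershell
# Added example (not from any post in this thread): audit the LM/NTLM policy
# settings discussed above by reading the registry values behind them.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Policy text for each LmCompatibilityLevel value, as shown in Local Security
# Policy under "Network security: LAN Manager authentication level".
$levelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmAuthAudit {
    $props = Get-ItemProperty -Path $lsaKey
    # A missing value means the OS default applies. On Windows 2000/XP that is
    # level 0 and NoLMHash 0: LM responses are sent and LM hashes are stored.
    $level    = if ($null -ne $props.LmCompatibilityLevel) { [int]$props.LmCompatibilityLevel } else { 0 }
    $noLmHash = if ($null -ne $props.NoLMHash) { [int]$props.NoLMHash } else { 0 }

    $findings = @()
    if ($level -lt 3) { $findings += "This box still sends LM/NTLMv1 responses (level $level)" }
    if ($level -lt 5) { $findings += "This box still accepts LM and/or NTLMv1 from clients (level $level)" }
    if ($noLmHash -ne 1) {
        # NoLMHash only stops the LM hash being written at the NEXT password
        # change; accounts must change passwords after enabling it.
        $findings += 'LM hashes of local passwords are still stored in the SAM'
    }

    [pscustomobject]@{
        LmCompatibilityLevel = $level
        LevelName            = $levelNames[$level]
        NoLMHash             = $noLmHash
        # True when both entries match what newbornii reports: level 5, NoLMHash on.
        MatchesThreadConfig  = (($level -eq 5) -and ($noLmHash -eq 1))
        Findings             = $findings
    }
}

Get-LmAuthAudit | Format-List
```

Run it from an elevated PowerShell prompt; both values are readable by standard users, but changing them requires administrator rights and is best done through Local Security Policy so the change survives policy refresh.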
  14. Starrob
    Starrob Registered Member

    There are three different ways that I have recently seen that might get around PG. I will tell you that they involve disabling Windows File Protection.

    There is an actual virus that was built in 2003 that disables WFP, which is why I consider this issue important. The threat is not just theoretical.


    Starrob


    Last edited: Dec 9, 2004
  15. Pilli
    Pilli Registered Member

    Hi Starrob, I am sure that Jason has stated that ProcessGuard does protect against disabling Windows File Protection, unfortunately I cannot find the link ATM :)

    I'm in a bit of a rush this evening so have not got the time to do the searches.

    Hopefully Jason will clarify this in the morning.

    Cheers. Pilli
  16. wayne_b
    wayne_b Registered Member

    I am unable to duplicate any right-click issues in Windows Explorer, including any .rar archive over 1 gig including media files, with PG and TDS-3.

    Right-clicking any media files then selecting 'open with' -> 'Windows Media Player' - TDS-3 memory bounces up slightly, CPU briefly bounces up to 2% then back to zero, the same for Process Guard.

    I also did right-clicking media files then selecting 'open with' -> 'Windows Media Player' in quick succession with no adverse effects.

    -wayne
  17. earth1
    earth1 Registered Member

    I probably mentioned this because I have more questions than answers and a fear of ineffective passwords. Just wanted to make sure, if you have been bitten, that it wasn't from this gaping security hole. AFAIK, so long as you only send/accept NTLMv2, a strong password is not weakened. Obviously, there are other helpful policies too, but you can find much better advice than mine. It seems to me that MS should have a policy that limits network login to a specified IP range/mask, but I don't think that exists.

    Good luck,
    Mike
  18. Bowserman
    Bowserman Infrequent Poster


    From the Help File:


    Regards,
    Jade.
  19. earth1
    earth1 Registered Member

    I think Pilli must have meant this thread. It links to a screenshot of PG 1.100 blocking wfpdisable.exe

    I'm not sure, Starrob, but the attack that Wayne describes in that thread sounds different from the attack described in your link. Instead of injecting a thread into an existing process that has access to sfc_os.dll, this virus modifies .SYS files so that, when the driver is started, it loads its own copy of sfc_os.dll. I'm anxious to hear more about this threat.
  20. Jason_DiamondCS
    Jason_DiamondCS Former DCS Moderator

    The newest method to disable WFP is not protected against by ProcessGuard at the moment. As regards that virus, it depends how the initial infection starts: if it needs to load a driver then yes. If, however, it disables WFP, patches a driver it knows will be loaded next boot, and then reboots, then no. Of course you would get the actual execution attempt of the virus trying to work, which you could deny, but I am talking about if you allow it to run.

    I think this particular virus will still be blocked by ProcessGuard since it loads the driver initially which ProcessGuard would block.
    Last edited: Dec 9, 2004
  21. Starrob
    Starrob Registered Member

    What about the method that WfpAdmin uses?

    According to the author of that program:

    "Therefore, I researched and developed the WfpAdmin tool. It programmatically disables Windows File Protection on selected folders for the current session. The secret? Well, that's a secret ;)."

    Jeremy Collake
    Software Engineer


    Can this method be used to get around PG? If it can then does anyone know of any programs that can block this?


    Starrob
  22. Pilli
    Pilli Registered Member

    Hi Starrob,
    ProcessGuard should stop this in possibly two ways.
    1. Execution protection, as normally a .exe would need to run.
    2. If the program needs to install a service or driver to accomplish the disablement at the kernel level then PG would alert you.

    Another point to remember is that there are no known "in the wild" exploits ATM. Such an exploit would probably entail MS issuing a critical update, and AT & AV companies would be very quick to catch such a beast.

    When we secure our PCs we should not rely on just one program or even expect one program to protect us; that is why we use layered defences.

    Pilli
  23. Starrob
    Starrob Registered Member

    The reason why I asked the question about WfpAdmin is because there has been no definite answer from DCS about whether it blocks the technique used by WfpAdmin or not.

    The last comment about WfpAdmin was made by Wayne on February 3, 2004 as follows:

    "As Jason just mentioned, I tried WFPAdmin v2 (I hadn't tried this new version before), and it doesn't appear to use the same trick anymore, although it does have several options so maybe one of those options still does the same trick (the winlogon.exe-based method).

    However, it hosed the test machine i tried it on (XP SP1) and I am currently in the process of rebuilding it. To give you an idea of how hosed the machine was, we couldn't even boot into Safe Mode, and then when trying a Repair installation the actual setup.exe program crashed, basically leaving us with little option but to rebuild the machine - we've got backup images so it won't take too long, but it's a hassle we weren't anticipating from something as 'simple' as disabling WFP.

    In other words, if you use WFPAdmin, you do so at your own risk, and be prepared to possibly have to rebuild your machine afterwards.

    Exactly what trick it uses I'm not sure - I won't have any time for analysis until after I get this test machine back on its feet, but unlike the relatively 'safe' winlogon.exe-based method, this method seems very dangerous - use with extreme caution.

    I'll email Jeremy about it later this evening, I need a newer copy of PECompact anyway.

    Cheers,
    Wayne"

    I would like to know the final analysis of this and whether PG actually blocks this or not.


    As for the difference between actual threats and theoretical threats I quote Sun Tzu:

    The Art of War teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.


    -The Art of War - Sun Tzu


    I am looking for a program that can block this technique that is being used by WfpAdmin. That is the only reason why I am asking this question.


    Starrob
  24. Pilli
    Pilli Registered Member

    This is exactly why ProcessGuard was developed; no other software comes anywhere near PG's capability, as you know. Any possible holes found are plugged ASAP. If this is a PG vulnerability it will be plugged, as have previous possible vulnerabilities in previous versions.


    Cheers. Pilli
  25. Jason_DiamondCS
    Jason_DiamondCS Former DCS Moderator

    OK, it does seem ProcessGuard indirectly protects against this WFPadmin (and rootkit.com method) if you do enable READ access protection on winlogon.exe. I'll need to do a little more research later to see if all variations of this method can be stopped, but for the time being it does seem to block both available methods.