Process Guard Rootkit prevention - in need of an update?

Discussion in 'other anti-malware software' started by nicM, May 8, 2007.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    OK, I'll drop that question.

    OK, then had you made that clear in the title of your thread, those of the Prevention=Blocking persuasion probably wouldn't have posted :)

    Because they wouldn't be interested in that feature of PG anyway.

    And for those who are, it should certainly be conceded that continuing to use a product which is no longer being updated is not wise security practice.

    For that, you do them a service by pointing out the weaknesses!

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Most users seem to know how to reboot their computer, while freeze sounds like you can't do anything anymore. Of course most users don't have a reboot-to-restore like me, but that's not my worry. Let's hope these users have at least an Image Backup software, which I also have. :)
     
  3. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    But who said the opposite point of view is detection, and not prevention? Unless I didn't understand everything in your post, I've the feeling that you take driver blocking for rootkit detection : It's pure rootkit prevention indeed.

    Upon that, PG was never meant to be a rootkit detector, just a rootkit prevention tool. Exactly the way I test it ;) .

    Anyway I think we'll never agree, since you consider the only way to prevent malware is to prevent it from running. I can't agree, because there are other ways to prevent it once it has been allowed to run - which is not an option with a program like Anti-Executable, I agree; in fact, I think this is the crux of the problem, since your opinion is based on your use of this program.

    Let's have a look at policy restriction sandboxes, for example: do you think they need to prevent file execution to protect the user? No, of course not. It would be useless. They prevent changes on the system instead. Exactly like the hypothesis we're discussing here, about rootkits and driver loading.

    Cheers,

    nicM
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    With that, I agree!

    regards,

    -rich
     
  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I tend to agree with nicM. PG and the like will do what you say (execution prevention), and monitor installations, monitor executables' actions etc.

    Why? Not everyone has your pattern of pc usage, or mine etc.
    If one has a stable system and will not need to do anything specially new, AE will do. But when installing anything, AE is a no go.

    If this or that program is useful/useless to you, that doesn't mean it's the same for others. And this particular feature is critical when running unknown processes, untrusted processes. Saying not to run untrusted processes is way too general. I could be suspicious of Yahoo Messenger for some reason, or some Sony CD...

    I do get your point Rich, i think, but try to understand mine, which is: perspectives.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello Pedro,

    I do understand your perspectives. My point is -- I'll describe it in a different way -- that PG prevents rootkits both at the outer perimeter (execution protection) and inner perimeter (blocks drivers/hooks etc).

    By outer perimeter, I include any point of surreptitious entry, either by exploiting a firewall vulnerability, a browser vulnerability, attempting to sneak in by means of an autorun.inf file on a CD or USB drive, etc.

    The first post states,

    This clearly refers to blocking at the inner perimeter, that is, after the bad file runs. I caused some confusion by using the word "detection" so I will modify: "blocking the driver install" is clearly a type of prevention, as is "execution protection."

    Now, the title of the thread suggests that PG may be in need of an update in order to prevent Rootkit infection, which is misleading, since the outer perimeter prevention works quite well, thank you very much, and needs no update.

    Others before me, starting with fcukdat, pointed this out, and I joined in.

    That's why I suggested that the title of the thread could have made this distinction so as not to be misleading.

    For those using PG for preventing driver/hook stuff, it may indeed need to be updated.

    That's it!

    regards,

    -rich
     
    Last edited: May 21, 2007
  7. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    L*o*L, I think sophisticated rootkits bypass anything.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi nicM, did you try these two rootkits with other HIPS like SSM, PS etc?
    Just interested to know if you compared PG with any others in this regard.
     
  9. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi aigle,

    Yes, in fact I was asked to test it with ProSecurity and EqSecure.

    I tried the test with ProSecurity last night (alfa1 asked for it), but I think something didn't work during the ProSecurity install; it hasn't detected services at all since it was installed. Will retry later, with a new install.


    EqSecure (as requested by Kees1958), although used with adapted settings, didn't block it (double-checked):

    http://img471.imageshack.us/img471/7584/20070521200525vj7.png

    (we can see driver hooks working in the screenshot). It only detected process execution:

    http://img518.imageshack.us/img518/5378/20070521193942nb6.png



    I've tested it with Sandboxie too; here the test is passed:

    The rootkit is successfully blocked: files are in the sandboxed zone only, no service/driver loaded.

    http://img515.imageshack.us/img515/6903/20070521185428hj5.png

    Svchost is not blocked from starting (new instance, connecting to a nasty site), but it is not hidden, of course - and it is running in the sandbox. That's quality system changes protection :D , even if the file was allowed to run - wink.



    Without revealing too much, DSA does block it successfully (file access/creation, then driver loading):

    http://img48.imageshack.us/img48/7559/20070521014518pb2.png

    http://img255.imageshack.us/img255/6262/20070521014529xh5.png


    Edit: For those who do not see what I'm talking about (the hidden svchost, the syssrv.sys driver, etc.), please see the video in post 46.
     
    Last edited: May 21, 2007
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Great nicM :thumb:
    Could you test it against GeSWall?
     
  11. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    dang you beat me to it lucas :) i was just about to ask him that :)
     
  12. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    We're on the same page. :)
    Of course! :D
    Thanks :thumb:

    Nice, i hope they continue DSA. I'll revisit DSA, maybe with new version.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi, just my opinion, it might be difficult to fulfill all such requests.
    Why not test yourself.
     
  14. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    No problem, I was sure someone would ask about GeSWall :p

    ProSecurity: Test passed, and very well too

    http://img519.imageshack.us/img519/4120/20070521230451rs3.png

    http://img519.imageshack.us/img519/4152/20070521230502su6.png


    And GeSWall, then :D: Passed too

    Code:
    2007.05.21 23:42:30 ntupdsrv.exe ISOLATE on start from explorer.exe
    2007.05.21 23:42:31 ntupdsrv.exe READONLY access to \Device\NamedPipe\lsass (File)
    2007.05.21 23:42:31 ntupdsrv.exe READONLY access to SC_MANAGER OBJECT\ServicesActive (SystemObject)
    2007.05.21 23:42:31 ntupdsrv.exe ISOLATE on start from ntupdsrv.exe
    2007.05.21 23:42:33 svchost.exe ISOLATE on start from ntupdsrv.exe
    2007.05.21 23:42:36 svchost.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate (Registry)
    2007.05.21 23:42:36 svchost.exe READONLY access to C:\Documents and Settings\nicM\Mes documents\ntupdsrv\ntupdsrv.exe (File)
    2007.05.21 23:42:36 svchost.exe REDIRECT access to C:\Documents and Settings\nicM\Local Settings\Temporary Internet Files\Content.IE5\index.dat (File)
    2007.05.21 23:42:36 svchost.exe REDIRECT access to C:\Documents and Settings\nicM\Local Settings\Historique\History.IE5\index.dat (File)
    2007.05.21 23:42:36 svchost.exe REDIRECT access to HKU\S-1-5-21-584451878-47113535-2509599342-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (Registry)
    2007.05.21 23:42:36 svchost.exe REDIRECT access to HKU\S-1-5-21-584451878-47113535-2509599342-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride (Registry)
    2007.05.21 23:42:36 svchost.exe REDIRECT access to HKU\S-1-5-21-584451878-47113535-2509599342-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL (Registry)
    2007.05.21 23:42:36 svchost.exe REDIRECT access to HKU\S-1-5-21-584451878-47113535-2509599342-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings (Registry)
    2007.05.21 23:42:36 svchost.exe READONLY access to \Device\NamedPipe\lsass (File)
    As with Sandboxie, svchost just tried to connect to the server, but wasn't hidden. One leftover file in System32 (the copy of the exe file) is the only trace left.


    I will probably try one or two more programs tomorrow, but it's clear that I will not try each and every HIPS and sandbox around :eek: .

    Cheers,

    nicM
     
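    The GeSWall log above is readable by eye, but a defender who collects such logs from several machines wants the containment verdict extracted automatically. The following is an added example, not code from the thread or from GeSWall's authors: a small Python parser for the log format nicM posted (timestamp, process, verdict, then either "on start from <parent>" or "access to <target> (<kind>)"). It is fed a constructed subset of those exact lines and reports three things the thread cares about: which processes were isolated (and that isolation is inherited by children, since svchost.exe started from the isolated ntupdsrv.exe is itself isolated), whether the HKLM ...\Run autostart write was redirected rather than applied, and whether the access to the service control manager stayed read-only, which is the log's evidence that no service or driver could be registered. Reading REDIRECT and READONLY as "contained" is my interpretation of the verdict words as they appear in the log, not a statement of GeSWall's documented semantics.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the GeSWall log lines quoted in the post above,
# embedded here so the script runs offline without a real log file.
SAMPLE_LOG = r"""
2007.05.21 23:42:30 ntupdsrv.exe ISOLATE on start from explorer.exe
2007.05.21 23:42:31 ntupdsrv.exe READONLY access to \Device\NamedPipe\lsass (File)
2007.05.21 23:42:31 ntupdsrv.exe READONLY access to SC_MANAGER OBJECT\ServicesActive (SystemObject)
2007.05.21 23:42:31 ntupdsrv.exe ISOLATE on start from ntupdsrv.exe
2007.05.21 23:42:33 svchost.exe ISOLATE on start from ntupdsrv.exe
2007.05.21 23:42:36 svchost.exe REDIRECT access to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate (Registry)
2007.05.21 23:42:36 svchost.exe READONLY access to C:\Documents and Settings\nicM\Mes documents\ntupdsrv\ntupdsrv.exe (File)
2007.05.21 23:42:36 svchost.exe READONLY access to \Device\NamedPipe\lsass (File)
"""

# One regex for both line shapes seen in the log: "on start from <parent>" and
# "access to <target> (<kind>)". The target may contain spaces, so it is matched
# greedily and the trailing "(<kind>)" is anchored to the end of the line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>\S+) (?P<verdict>ISOLATE|REDIRECT|READONLY) "
    r"(?:on start from (?P<parent>\S+)|access to (?P<target>.+) \((?P<kind>\w+)\))$"
)


@dataclass
class Event:
    ts: str
    proc: str
    verdict: str
    parent: Optional[str] = None   # set for "on start from" lines
    target: Optional[str] = None   # set for "access to" lines
    kind: Optional[str] = None     # File / Registry / SystemObject


def parse_log(text: str) -> List[Event]:
    """Parse every non-blank line; an unrecognised line is an error, not silently dropped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised GeSWall line: {line!r}")
        events.append(Event(**m.groupdict()))
    return events


def verdict_counts(events: List[Event]) -> Counter:
    return Counter(e.verdict for e in events)


def spawn_chain(events: List[Event]) -> List[Tuple[str, str]]:
    """(parent, child) pairs for each isolated process start, in log order."""
    return [(e.parent, e.proc) for e in events if e.verdict == "ISOLATE" and e.parent]


def isolated_processes(events: List[Event]) -> set:
    return {e.proc for e in events if e.verdict == "ISOLATE"}


def persistence_attempts(events: List[Event]) -> List[Event]:
    """Registry accesses under a ...\CurrentVersion\Run key are autostart persistence."""
    return [e for e in events
            if e.kind == "Registry" and "\\CurrentVersion\\Run\\" in e.target]


def service_manager_accesses(events: List[Event]) -> List[Event]:
    """Accesses to the service control manager: the step a service/driver install needs."""
    return [e for e in events
            if e.kind == "SystemObject" and e.target.startswith("SC_MANAGER")]


def assess(events: List[Event]) -> Dict[str, object]:
    """Summarise containment: persistence is 'blocked' only if every Run-key access was
    REDIRECTed, and service install is 'blocked' only if every SCM access stayed READONLY."""
    persist = persistence_attempts(events)
    scm = service_manager_accesses(events)
    return {
        "isolated_processes": isolated_processes(events),
        "spawn_chain": spawn_chain(events),
        "persistence_blocked": bool(persist) and all(e.verdict == "REDIRECT" for e in persist),
        "service_install_blocked": bool(scm) and all(e.verdict == "READONLY" for e in scm),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("verdicts:", dict(verdict_counts(evs)))
    for key, value in assess(evs).items():
        print(f"{key}: {value}")
```

    Run as-is it prints the verdict counts and a short report on the constructed sample; pointed at a full GeSWall log it would raise on any line shape the parser has not seen, which is the safer failure for a tool meant to decide whether a sample was contained.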
  15. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
  16. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I'm surprised no one has replied :D
    Sandboxes are coming on top here.

    Edit: Of course, one has to consider in what conditions this rootkit is to be installed. Drive-by or installation. Installing an application would be without the sandbox protection. If we are to execute something, sandbox would win, but if it's a silent execution (drive by), it's the same. Advantage is slight for SandboxIE, because of no prompts, unless SSM is used with UI disconnected.

    So, the verdict is... lol
     
    Last edited: May 22, 2007
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi nicM, thanks for testing SSM.

    I am really surprised that even the pro version of SSM failed here. I think they must be informed, but I see their forum response is too slow nowadays.
     
  18. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    With all this, I revisited SSM. This time I analysed the install with ZSoft, so I won't get errors after uninstall.
    I'm looking for an anti-executable, with password protection, freeware. Re-found it.
    Besides these benefits, there's: cool GUI, nice icon, pop-up entertainment when necessary etc. Seriously, now I can control again when IE opens, and how (sandboxed). I'll be keeping it, knowing that I don't expect too much from the rest of the features. They will serve me to learn a bit more, monitor, and control legit applications if necessary.

    180° turn regarding SSM. :D
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    And latest Kaspersky Antivirus 7 PDMs too.:p
     
  20. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    KAV PDM you said? Wait until Friday then ;) ...
     
  21. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    thank you very much nicM for taking the time out to perform these tests. you rock!:thumb:
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Oh, thanks really!:D
    And NG beta 2 if possible and I will not request any more.
    If I had the rootkit, I would have never requested!

    Thanks
     
  23. alfa1

    alfa1 Registered Member

    Joined:
    May 3, 2006
    Posts:
    61
    thank you very much and sorry I haven't replied earlier ... :)
     
  24. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    No problem alfa1 :) .

    Just a detail: the ProSecurity version which can block this threat is the Full one, not the free one; I just checked it.
     
  25. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I just wasted a lot of time reading this entire stupid thread. PG prevents this. End of story. I don't see the point in this thread.
     