ProcessGuard v3.xxx Suggestions / Wishlist

Discussion in 'ProcessGuard' started by Jason_DiamondCS, Nov 3, 2004.

  1. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    Hi,
The improvements made to PG3's driver install protection are great, i.e. services.exe can now be allowed with no loss of protection. However, I have a couple of apps which use RunDll32.exe to install a driver or service and require access to physical memory (notably the ATI control panel). Could the same approach be used to lock down this application? See this thread for background info.
    Thanks
    Tom
     
  2. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    I'll add my vote to get the rundll32 issue sorted out ...

    Now that it's been discussed openly it's an Achilles heel; even if it was considered to be an obscure issue, it has now been highlighted as an opportunity to bypass an otherwise good security tool.

    FWIW ".msi" installer scripts also tend to make calls to rundll32
    A couple more examples of what rundll32 can do can be seen at http://groups.msn.com/windowsscript/rundll.msnw

    Until this issue was discussed, I was fairly happy that nothing could set a global hook without explicit permission. If I have an NVIDIA graphics card then that isn't quite true....

    Of course the more paranoid (that still want to be able to run programs) possibly also run System Safety Monitor as well, just to have 2 products doing a similar thing in case one of them allows something unexpected...

    Someone from DCS, how about some feedback on the issues that have been raised in this thread so far
    I'm not asking for commitments that any changes will (or won't) be made or for timeframes, just your thoughts on what has been raised so far

    Thanks

    [Edit: Added link for SSM, it's possibly worth a look - personally I'd trust PG more, being a patriotic Aussie]
     
    Last edited: Dec 6, 2004
  3. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    (Addendum to gottadoit's post above)
    From the little I gleaned looking at this page you may not need a malicious EXE, just some script in an INF file.
    . Example =>> cmd /c rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 ScriptName.INF
    I need cmd.exe on "Permit Always" or certain batch file idioms are intolerable. If I also wanted "Permit Always" for rundll32, I'd get no warning at all.

    An hour of searching left Rundll32 looking like one of those dodgy MS issues where the more prevalent, dangerous and ill-conceived a mechanism is, the more unfindable, unreadable and unusable its documentation will be.
     
  4. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    earth1,
    It's hard to know how much detail to go into when discussing issues like this. I don't want to assist people attempting to get past PG, but equally I want to make sure that it is fairly obvious that it is an issue (for people that don't have time to burn digging around looking at these things).

    I also looked at the same site when I did my looking around and I didn't explicitly mention INF files because they are effectively similar to an MSI file
    There is also WMI and the possibility that rundll32 could get executed via that

    You may have seen the semi-recent post about WMI being used to disable Norton AV script protection and uninstall it...
    If not then have a look here, it was mentioned on the langalist today but the information has been kicking around for a little while now
    If you want to have a look at what WMI can offer M$oft have a little app to make it easy called scriptomatic (see scriptomatic download )
    DX21 also has some information on WMI and a link to scriptomatic as well, not to mention an example of WMI in the NAV vbs exploit ...

    What can I say other than it's an interesting and varied learning experience. I had no idea that Windows security was really this bad; I've been making fun of it for years with some substantiated evidence (and it's expected when you are a Unix admin), but delving a little into some of the details over the past year or so has been a bit of an eye opener.

    As far as protection goes, I used to download programs I was interested in and leave them in a holding directory for a month (or so), and I thought that if they did contain viruses or trojans someone else would get it and report it and I'd hopefully have the signature in my AV by the time I went to test it out :) [nb: I'm not talking about cracks or pirated s/w, just freeware/shareware/trialware downloads from websites]
     
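The rundll32 problem worked through in the posts above (an INF section install via setupapi, .msi installers and WMI as launchers, a "Permit Always" rundll32 entry becoming a blind spot) is really a question about the command line and the parent process, not about the rundll32.exe image itself. As an added example that is not part of the original thread or of ProcessGuard, the Python below triages process-creation events of the form (parent image, image, command line) and flags the patterns named above. The sample events are constructed; the list of installer/script hosts, the set of INF-installing entry points, and the "anything outside C:\Windows\ is untrusted" rule are assumptions of the example (a bare DLL name such as `setupapi` is resolved through the normal DLL search order and is treated as a system module here, which is a simplification).

```python
"""Triage rundll32.exe process-creation events for the abuse patterns discussed in the
thread: INF-driven driver/service installs, launches from installer or script hosts
(cmd, msiexec, WMI), DLLs loaded from outside the Windows directory, and rundll32
started with no DLL at all. Added example; the sample data below is constructed."""
import re
from typing import List, Tuple

# Constructed sample events (parent image, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl'),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Temp\ScriptName.INF'),
    (r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe "C:\Users\tom\Local Settings\Temp\MSI1234.tmp",_EntryPoint@16'),
    (r"C:\Windows\System32\wbem\wmiprvse.exe", r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe C:\ProgramData\x.dll,Run'),
    (r"C:\Temp\setup.exe", r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe advpack.dll,LaunchINFSection C:\Temp\driver.inf,DefaultInstall,1'),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe'),
]

# (module name without .dll, entry point) pairs that run an INF section; assumption of
# the example, drawn from the thread's setupapi example plus advpack's equivalent.
INF_ENTRYPOINTS = {
    ("setupapi", "installhinfsection"),
    ("advpack", "launchinfsection"),
    ("ieadvpack", "launchinfsection"),
}
# Parents that are script/installer hosts rather than an interactive user (assumption).
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "msiexec.exe", "wmiprvse.exe"}
SYSTEM_ROOT = "c:\\windows\\"


def split_cmdline(cmdline: str) -> List[str]:
    """Tokenise on whitespace while keeping double-quoted spans inside one token
    (simplified CommandLineToArgvW), then drop the quote characters themselves."""
    return [t.replace('"', "") for t in re.findall(r'(?:"[^"]*"|\S)+', cmdline)]


def parse_target(cmdline: str) -> Tuple[str, str, List[str]]:
    """Return (dll, entry_point, remaining_args) from 'rundll32 <dll>,<entry> args'."""
    tokens = split_cmdline(cmdline)
    if len(tokens) < 2:
        return "", "", []
    dll, _, entry = tokens[1].partition(",")
    return dll, entry, tokens[2:]


def dll_module_name(dll: str) -> str:
    """Strip any directory and a trailing .dll so that a bare 'setupapi' and a full path
    to setupapi.dll both give 'setupapi'."""
    base = dll.rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".dll") else base


def analyse(parent_image: str, image: str, cmdline: str) -> List[Tuple[str, str]]:
    """Return (severity, reason) findings for one process-creation event."""
    findings: List[Tuple[str, str]] = []
    if image.rsplit("\\", 1)[-1].lower() != "rundll32.exe":
        return findings
    dll, entry, args = parse_target(cmdline)
    parent = parent_image.rsplit("\\", 1)[-1].lower()

    if not dll:
        findings.append(("medium", "rundll32 started with no DLL argument"))
        return findings

    if (dll_module_name(dll), entry.lower()) in INF_ENTRYPOINTS:
        inf = next((a for a in args if ".inf" in a.lower()), "<unknown .inf>")
        findings.append(("high", f"INF section install via {dll},{entry}: {inf} "
                                 "(an INF can register a driver or service)"))

    if "\\" in dll and not dll.lower().startswith(SYSTEM_ROOT):
        findings.append(("high", f"DLL loaded from outside the Windows directory: {dll}"))

    basename = dll.rsplit("\\", 1)[-1]
    ext = basename.rsplit(".", 1)[-1].lower() if "." in basename else ""
    if ext and ext not in ("dll", "cpl"):
        findings.append(("medium", f"rundll32 target has non-DLL extension .{ext}"))

    if parent in SCRIPT_HOSTS:
        findings.append(("medium", f"launched by installer/script host {parent}"))
    return findings


def triage(events) -> List[Tuple[int, str, str]]:
    """Run analyse() over (parent, image, cmdline) tuples; return [(index, severity, reason)]."""
    return [(i, sev, why) for i, ev in enumerate(events) for sev, why in analyse(*ev)]


if __name__ == "__main__":
    for i, sev, why in triage(SAMPLE_EVENTS):
        print(f"event {i}: [{sev}] {why}")
```

The benign Control Panel launch (event 0) produces no finding, while the INF install from cmd.exe is flagged twice, once for the setupapi entry point and once for the parent, which is exactly the case earth1 describes where a "Permit Always" on both cmd.exe and rundll32.exe would otherwise produce no warning at all.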
  5. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Well, all I can say is nobody said properly securing Windows was going to be easy :D . ProcessGuard provides the ability for you to secure your PC; issues like "ease of use" with security are things we are always looking to improve. Whilst some things can be annoying, like this RUNDLL issue, there's not much which can be done unless you don't want to be secure against it. That is UNTIL we find a better way, if there is one.

    In regards to video card software requiring privileges, can you not disable the executables from running? On my ATI card at home I disable all services and don't get one issue with them. On my other machine with a NVIDIA card I have had no issues doing the same. What happens if you block the NVIDIA software from getting a global hook?
     
  6. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    I would like to see each list box, Alerts, Protection, and Security, have/take focus (become active or what ever you call it) when the cursor is over the list. Thus enabling the user to scroll the list without having to click an entry in the list.

    While this is not a critical feature it is something I feel should be included, to make this great product even more user friendly.
     
  7. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Just to finish off my virtual "day"....

    It would be good to have the PG permit/deny box show extra information if there is an entry in the Security list already

    ie: if there is a permit once or a deny once it should show that and also show the "Last Run" date using a suitable layout so that the information stands out and the box looks a little different to the norm

    See here for where I got to thinking about it
     
    Last edited: Dec 9, 2004
  8. SteveICS

    SteveICS Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    2
    .exe allowed to run, because it could not ask the user!!! wtf o_O ProcessGuard would be better if it blocked it from running at all instead of allowing the executable to run once... :mad:
     
  9. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    If we did this the system would be unable to start. You can still control those items execution by changing the Last Action, however you won't receive any "live requests". All it means is ProcessGuard could not ask the user for whatever reason (ie. A window could not be shown to ask the user), but you can deny it retroactively.
     
  10. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Jason,
    Call it a request for another tickable option in the "advanced mode"
    It makes a sensible default in learning mode but is it something that an advanced user would actually want once they "block execution of new and changed programs" ?

    If you wanted to get fancy, you could poll the key every now and again and give the user a HID prompt as to whether they wanted to allow that specific entry to run on the next reboot... an "Allow Once" in advance seeing as it is a known event that is likely to happen

    [EDIT: I was assuming that "wtf" means "want this feature" ]
     
    Last edited: Dec 10, 2004
  11. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Perhaps even delaying a forced decision for a reasonable amount of time. I'm guessing this is usually an unapproved program starting before pgaccount.exe is ready, yes? Temporarily leave the program in limbo while PG tries every 10 seconds to see if user communication has become possible. If the situation is unresolved after a couple of minutes, then force the decision. Just an idea.
     
  12. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Dunno if this has already been requested:

    Ability to drag 'n' drop an entire folder onto the PG screen and have PG automatically checksum everything in it and add them to the protection list. This would be great for folders with large amounts of .exe files and such. Also the ability to ignore entire folders all together would be nice.
     
  13. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    The drag-n-drop part has been asked for here, and you can do it yourself although it would be interesting to see what sort of performance hit you would take by stuffing the lists full of things that are not going to be run very often....

    I'm sure that the exclude directory part has been requested and I think it was going to be considered...
     
  14. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    If PG could checksum entire directories like the Program Files or Windows directory that would be great. Then you could drag the folder into PG and go watch a movie or something. That way you could create a baseline similar to how BlackICE works (if you wanted to); this would be great for newly installed copies of Windows and it would save you time answering yes/no later on.
     
  15. kareldjag1

    kareldjag1 Guest

    Hello

    More algorithms for the integrity checker would be more efficient.
    MD5 is too usual, and SHA-1 or 5 would surely procure more security to recognise changed files.

    I don't think that PG could stop all rootkits because it doesn't check all binary files (exe, dll, sys is not sufficient at all against those malwares).

    Like TDS, an ability to check ADS streams would be a great thing too.

    And so on, maybe for the next time.

    But it's impossible for one piece of software to protect against all insecurity issues.
    That's a newbie's phantasmagoria!

    Regards
     
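AJohn's request (checksum a whole directory tree once, as a baseline) and kareldjag1's point about the choice of hash algorithm fit together in one small tool. The Python below is an added example built on hashlib, not ProcessGuard code or anything from the thread: it walks a directory, records a content digest for every executable-type file, and on a second run reports what is new, changed or removed. The algorithm is a parameter, so the same baseline can be produced with MD5, SHA-1 or SHA-256 for comparison; the set of "executable" extensions, the chunk size, and the constructed directory in `demo()` are assumptions of the example.

```python
"""Baseline a directory tree of executables by content hash and report new, changed
and removed files on a later run. Added example built on hashlib; not ProcessGuard
code. The directory layout and file contents in demo() are constructed in a temp dir."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# File types worth baselining (assumption of the example; PG's own list is not known here).
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".cpl", ".ocx", ".drv"}


def file_digest(path: Path, algorithm: str = "sha256") -> str:
    """Hash a file in 64 KiB chunks so large binaries never need to fit in memory.
    `algorithm` is any name hashlib.new() accepts, e.g. 'md5', 'sha1', 'sha256'."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path, algorithm: str = "sha256") -> Dict[str, str]:
    """Map each executable-type file under root (path relative to root) to its digest."""
    result: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            result[p.relative_to(root).as_posix()] = file_digest(p, algorithm)
    return result


def diff_baselines(old: Dict[str, str], new: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, changed, removed) relative paths between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return added, changed, removed


def demo(algorithm: str = "sha256"):
    """Build a constructed tree, baseline it, tamper with it, and re-baseline.
    Returns (before, after, (added, changed, removed))."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "System32").mkdir()
        (root / "System32" / "rundll32.exe").write_bytes(b"MZ original rundll32")
        (root / "System32" / "setupapi.dll").write_bytes(b"MZ setupapi")
        (root / "readme.txt").write_text("not an executable, so not baselined")
        before = baseline(root, algorithm)

        # Tamper: overwrite one binary with a same-length file (size checks would miss
        # this; the digest does not) and drop a new driver into a new subdirectory.
        (root / "System32" / "rundll32.exe").write_bytes(b"MZ original rundlL32")
        (root / "System32" / "drivers").mkdir()
        (root / "System32" / "drivers" / "evil.sys").write_bytes(b"MZ sys")
        after = baseline(root, algorithm)
        return before, after, diff_baselines(before, after)


if __name__ == "__main__":
    _, _, (added, changed, removed) = demo()
    print("added:", added)
    print("changed:", changed)
    print("removed:", removed)
```

Running `demo("md5")` and `demo("sha256")` produces identical add/change/remove results on this tree; the difference between the algorithms is in how hard it is for an attacker to craft a replacement file that keeps the recorded digest, not in whether ordinary modifications are noticed.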
  16. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    ProcessGuard prevents .dll injection, also a rootkit would need to install a driver or service which PG also prevents. As far as I know there are no current rootkits that can bypass PG :)

    Jason has already stated that the hashing will change if the need arises.

    Absolutely correct, that is why Wilders always recommends a layered defence.

    Cheers. Pilli
     
  17. newbornee

    newbornee Guest

    Re: Presets for Basic Windows Universal Processes

    Most users would much appreciate this effort to help PG users in particular. If possible it would be even better if it came with different configurations like: [more compatible] | [safer] | [safest]. Hope I am not wrong about this.
    Thanks
    :eek:)
     
  18. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Re: Presets for Basic Windows Universal Processes

    It is already underway, but I am not sure yet when it will be made available to the public.
     
  19. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Re: Presets for Basic Windows Universal Processes

    Some features that Tiny Firewall's Windows Security has that I would appreciate in Process Guard are:

    Ability to run programs in Track mode and then view All changes made by the program and select what you want to undo.

    Ability to decide how a program is verified (Checksum, Path, Name, maybe even multiple checksums)

    Read, Write, Create, Delete access per program per file/folder and registry keys.

    System privileges, what can shut down the computer, pre-defined groups, etc.
     
  20. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    It would be nice to be able to specify an arbitrary number of extra files and their corresponding in-memory code sections (if they are dll/sys and already loaded) to be checksummed and verified each time that an executable is run

    The reason to specify the files manually would be so that the overhead of checking would be minimised to things that are really of concern

    Of particular interest is to be able to verify any .SYS file that is loaded when we allow programs to load drivers

    Of secondary interest is to be able to monitor at least some of the key dll's for selected programs and by being selective that allows us to choose what level of overhead we create for ourselves

    To go with this it would be nice to have a little point and drool tool that showed what DLL's were associated with the executable, just so that it is a little bit user friendly....
     
  21. war59312

    war59312 Registered Member

    Joined:
    Nov 30, 2002
    Posts:
    72
    Location:
    U.S.A
    A complete lockdown mode would be nice. Not just don't run new and changed programs, but also an option to stop all programs from running besides the ones currently running.

    Also pw protection so you can shutdown ProcessGuard would be nice. And maybe protect from task manager as well. ;)
     
  22. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi war59312, Both of those options are already available in the full version. :)

    "Block new and changed". - Any application which you haven't allowed to always start will be blocked from running without a user confirmation when this option is enabled.

    "Lock". - Displays another window which allows you to lock the ProcessGuard interface with a password. Without the password no-one can change any settings

    Cheers. Pilli
     
  23. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Pilli,
    I read what war59312 said again and noticed that he was talking about "processes currently running", which is not at all what you responded to....

    DCS,
    A not so complete lockdown mode would be very useful

    I would have thought "Block new and changed" would just perform the obvious english meaning of the words, but it does more
    [Edit: I just read the dialog box that comes up when you enable the block new and changed and it does explicitly say that it will only allow permit always programs to be run... I had been lazy and not read that dialog box before... too many little things to read]

    There have been several other threads where the merits of Permit Once have been put forward and the arguments are quite reasonable so I have been doing it that way (for a reference to one of them see rundll32)

    However, now that I am fairly confident that the bulk of the programs that I will be using have been executed at least once, I would like to "lock down" the executable to the Permit Once and Permit Always list and still be prompted on my Permit Once items

    This request becomes more meaningful when you consider that I allow things like Internet Explorer and Outlook Express on my Permit Once list because they get executed on occasion, but I don't want them available for malware (or poorly written software that doesn't check my default browser) to launch without intervention.

    rundll32 is in the same category of being a Permit Once item and that is required for many things from control panel applets to registering removable harddrives when they are inserted

    Without multiple profiles (see earlier request which I haven't complained about for a good while now...) it is somewhere between hard and annoying to do it myself to have an "install" set of privs that asks lots of questions and a "secure running" set of privs that doesn't

    All I can say is roll on TDS-4 so that attention can come back to the next point release of PG...
     
    Last edited: Jan 7, 2005
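The discussion from post 8 onward turns on how four list entries (Permit Always, Permit Once, Deny Always, Deny Once) interact with the "block new and changed programs" option and with the case where no prompt can be shown. The Python below is an added illustration of those semantics as described in the posts (it is a model, not ProcessGuard's code): executables are identified by a recorded content hash, so a "changed" program is one whose hash no longer matches its entry; with block-new-and-changed on, only Permit Always entries run (gottadoit's reading of the dialog in post 23); when the user cannot be asked, the program runs and is logged (Jason's explanation in post 9); and the extra `enforce_only` flag models the mode gottadoit requests, where Permit Once items still prompt but nothing new or changed runs and prompts cannot alter the lists. The entry names, hashes and the way answers are recorded are assumptions of the example.

```python
"""Model of the execution-control decisions discussed in the thread. Added
illustration of the semantics as the posts describe them, not ProcessGuard's code."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class Rule(Enum):
    PERMIT_ALWAYS = "Permit Always"
    PERMIT_ONCE = "Permit Once"
    DENY_ALWAYS = "Deny Always"
    DENY_ONCE = "Deny Once"


@dataclass
class Entry:
    path: str
    digest: str   # content hash recorded when the entry was created
    rule: Rule


@dataclass
class Policy:
    entries: Dict[str, Entry] = field(default_factory=dict)  # keyed by path
    block_new_and_changed: bool = False   # existing option: only Permit Always runs
    enforce_only: bool = False            # requested mode: prompts cannot alter the lists
    log: List[str] = field(default_factory=list)

    def decide(self, path: str, digest: str, ask: Optional[Callable[[str], Rule]]) -> bool:
        """Return True if execution is allowed. `ask` is None when no prompt can be shown
        (e.g. during boot before the user interface is available)."""
        entry = self.entries.get(path)
        if entry is None or entry.digest != digest:
            status = "new" if entry is None else "changed"
            if self.block_new_and_changed or self.enforce_only:
                self.log.append(f"deny {status} {path}")
                return False
            return self._prompt(path, digest, status, ask)
        if entry.rule is Rule.PERMIT_ALWAYS:
            return True
        if entry.rule is Rule.DENY_ALWAYS:
            return False
        if self.block_new_and_changed:
            # The option's dialog says only Permit Always programs run in this mode,
            # so Permit Once / Deny Once entries are refused without a prompt.
            self.log.append(f"deny {path}: not Permit Always while blocking new/changed")
            return False
        return self._prompt(path, digest, entry.rule.value, ask)

    def _prompt(self, path: str, digest: str, status: str, ask) -> bool:
        if ask is None:
            # Post 9: when PG cannot ask, the program runs and the event is recorded so
            # the user can change its Last Action afterwards (fail-open by design).
            self.log.append(f"allow {path} ({status}): could not ask the user")
            return True
        answer = ask(f"{path} [{status}]")
        if not self.enforce_only:
            # Normal behaviour: the answer becomes (or replaces) the list entry.
            self.entries[path] = Entry(path, digest, answer)
        return answer in (Rule.PERMIT_ALWAYS, Rule.PERMIT_ONCE)


def demo():
    """Walk the scenarios from the thread with constructed entries and hashes."""
    pol = Policy(entries={
        "rundll32.exe": Entry("rundll32.exe", "h-rundll32", Rule.PERMIT_ONCE),
        "iexplore.exe": Entry("iexplore.exe", "h-ie", Rule.PERMIT_ONCE),
        "services.exe": Entry("services.exe", "h-services", Rule.PERMIT_ALWAYS),
    })
    answer_once = lambda prompt: Rule.PERMIT_ONCE
    promote = lambda prompt: Rule.PERMIT_ALWAYS
    r = {}
    # Normal mode, user present: a Permit Once item prompts and runs for this session.
    r["ie_prompted"] = pol.decide("iexplore.exe", "h-ie", answer_once)
    # Normal mode, no UI available: an unknown program runs and is logged.
    r["unknown_no_ui"] = pol.decide("new.exe", "h-new", None)
    # Block new and changed: Permit Once is refused silently, Permit Always still runs.
    pol.block_new_and_changed = True
    r["ie_blocked_mode"] = pol.decide("iexplore.exe", "h-ie", answer_once)
    r["services_blocked_mode"] = pol.decide("services.exe", "h-services", None)
    # Requested enforce-only mode: Permit Once prompts but cannot be promoted,
    # and a changed binary (hash mismatch) is refused outright.
    pol.block_new_and_changed = False
    pol.enforce_only = True
    r["ie_enforce"] = pol.decide("iexplore.exe", "h-ie", promote)
    r["ie_rule_unchanged"] = pol.entries["iexplore.exe"].rule is Rule.PERMIT_ONCE
    r["changed_enforce"] = pol.decide("rundll32.exe", "h-tampered", promote)
    return pol, r


if __name__ == "__main__":
    policy, results = demo()
    for k, v in results.items():
        print(f"{k}: {v}")
    print("\n".join(policy.log))
```

The two lines worth attention are the fail-open in `_prompt` when `ask` is None, which is the behaviour SteveICS objected to and Jason explained, and the `block_new_and_changed` branch that refuses a matching Permit Once entry without asking, which is why that option is not the "keep prompting me for my Permit Once items" lockdown gottadoit is after.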
  24. kareldjag1

    kareldjag1 Guest

    Hello,

    I was using the old version of PG; consequently my brain was not on the right page to understand some posts!
    In the 3.100 version there isn't the "once" button.
    Perhaps the DCS team would like PG to be easier for newbies.
    But advanced users could be quite disappointed.

    A much less powerful firewall application than PG (Safe'n'Sec) that I've tested recently offers choices like:

    *permit/deny in this session
    *permit/deny now/always
    *only this action.

    For Gottadoit: perhaps a complete lockdown mode is useful when our family members or friends are using our PC.

    There's another wish for PG: a free tool like Winsonar2004 has the ability to kill any unknown process during an internet connection.
    It's a powerful function (no leaktest can bypass it) which could be great to integrate in PG.
    For more information: http://digilander.libero.it/zancart/winsonar/odyframe.htm

    But advanced users could use free utilities with PG:

    *Sysinternals tools,

    *APIMonitor: http://www.rohitab.com/apimonitor/

    *APIS32: http://www.matcode.com/apis32.htm

    *Trust-no-exe (executable filter):
    http://www.beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm

    But a multi-layered defense based on PG is very sufficient for most users!

    Happy new year, especially for the suffering people of Asia.

    Regards
     
  25. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Possible PG 3.100 bug in Lock mode - settings can be changed

    To perhaps clarify my request for different lockdown modes and report what looks a little like a bug ...
    I don't have an issue with the "complete" lockdown mode that is there (via block new/changed programs), it just hasn't been named in an intuitive way
    It also isn't useful to me (and possibly others) the way my use of PG has evolved, I can see its purpose and it has its place in the scheme of things - its just not useful to me unless I can swap between different profiles...

    I would like to see an additional mode (for trusted family and friends)

    #1 Enforce currently defined security rules and allow no changes via dialog box prompts or via the GUI
    • prompt before allowing execution of any existing permit once executables (as usual)
    • don't allow any changes to the security or protection lists in this mode (via on screen dialog boxes or the PG GUI) just enforce what is there
      ie: don't allow any new or changed applications to be executed; don't allow permit once to be changed to permit always, don't allow changes to privileges
    And that leads me to the behaviour I uncovered while investigating this. I'm wondering if this a bug or if I am misunderstanding the intent of the "Lock" functionality in the GUI

    The "Lock" function on the Main tab describes itself as
    I did a little bit of testing to see exactly what Lock did (thinking that PG might already do what I wanted) and this is what I found...

    When the PG interface is "locked" entries in the "Security" tab can be changed even though the "Security" tab has been hidden from view
    Specifically once PG presents its allow/deny dialog box it becomes possible for
    • existing Permit Once entries can be changed to Permit Always or Deny [Once|Always]
    • New entries for executables can be added, either as "Permit Always" or "Permit Once"

    It is understandable why new/changed apps can still run seeing as there is a specific setting to control this, it might be worthwhile updating the description to point that out for people like me that just read descriptions and take them at face value...

    If "Lock" actually did what the text box description implies then it would have implemented what I am asking for....
     