PROCESSGUARD V3

Discussion in 'ProcessGuard' started by Infinity, Sep 10, 2004.

Thread Status:
Not open for further replies.
  1. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    There have been several reports of this behaviour and Jason is aware of it.
    You may find that on the next reboot it works fine; obviously some minor contention that needs addressing.

    Thanks for your report. Pilli
     
  2. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    Am I the only one where PG3 crashes if you open and close it 3 times?

    How can I get a report of ProcessGuard crashing to submit?

    Any monitoring software I can use on PG3?
     
  3. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,720
    Location:
    USA
    Maybe this has been asked... no time to read all of the thread now... will my old key file work on this beta, or must I use the other? For some reason I am having a problem with copy/paste.

    TIA
     
  4. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Rainwalker. :)

    Short answer: NO. :(

    No such thing as a Keyfile now. You have to copy/paste the unlock Code on your members area at DCS to get it to work.

    Cheers, TAS

    edit: Just a thought, you don't have trouble highlighting the code, do you? If not, highlight and then right click and 'Copy' that way, instead of going Ctrl/C if that's the problem, then in the reg box, right click and Paste. See if that works.
    :)
     
  5. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    I had the exact same problem as you describe. I have just done a bit of investigating and found a cure on my machine.

    What I did was to remove the 'Install Global Hooks' option for the CTFMON.EXE process.

    Then reboot.

    This is an extract from the log


    Give this a try and see if it sorts the problem. If it does, then post here and one of us can inform DCS.

    Hope this helps
    Tom
     
    Last edited: Sep 21, 2004
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Good work Frogfoot. This has been reported to DCS directly for Jason to assess.

    Cheers. Pilli
     
  7. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,720
    Location:
    USA
    Hey Tas :) ... thanks for the response :'(
    No, highlights fine, just won't copy/paste... my puter for sure... I'll mess with it later. Have a great day!
     
  8. cjtc

    cjtc Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    22
    Location:
    Swindon, UK
    I know it's a bell (or maybe a whistle?), but could you please enable mouse wheel scrolling in your tables for FCS.
     
  9. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    PG3 already supports this! :)
    Simply click on the list/table you want to scroll first to set focus on it, then go crazy with your mouse wheel.
     
  10. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Does PG3 still use MD5 for checksumming? If so, are there any plans to upgrade that now that they are talking about being able to defeat it?
     
  11. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    There is no need for what ProcessGuard uses it for. To try and get around the MD5 protection , something would need to modify one of the EXE files on disk. The method to cause a collision in MD5 would most likely corrupt the EXE file, making it unable to load in the first place.

    IF more vulnerabilities are found with MD5 we will have to look at each of them and determine if they do compromise ProcessGuard's security. But at this stage the current ones don't.
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    PG3 does seem a notable improvement over PG2, both in interface and in resource (CPU) utilisation.

    On the user interface side, there are 2 improvements I would suggest. On the Protection screen, there should be Confirm and Cancel buttons for any changes to application privileges - as it stands, it is too easy to inadvertently alter them for an application just by clicking within the window. This is exacerbated by having too large a click region (e.g. if you click just within the right-hand border at the same height as one of the options, you change that option's settings) - this should be restricted to the checkboxes only.

    Another interface improvement would be to have the option to use flags (T, M, R, etc) in place of words (Termination, Modify, Read) in the Protection list. Currently, you need to stretch the window quite a bit to see all the permissions if the full set is enabled for an application.

    One problem I have encountered with ProcGuard is that if it is not run with an Administrator user (I tried with a power user), it shows Status: Initializing for a minute then Status: Error. Failed to initialize. Check dscuserprot.exe. If it does need Admin access, could a more descriptive error message be given?

    A better option would be to be able to run ProcGuard without Admin access to remove the chance of an escalation of privilege exploit. It is easy to get a command prompt window with Admin user privileges via ProcGuard and possibly attempt a buffer overflow using the techniques documented in Next-Generation Win32 exploits: fundamental API flaws (these seem to work even if ProcGuard is protected from Reading), so requiring Administrator access does pose a risk on shared machines.
     
  13. quaduong

    quaduong Guest

    No one has jumped in yet, so let me give some input.
    Anyway, this is a Windows design problem, and to have it exploited, users must let shatter.exe run successfully.
     
  14. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Well since any other limited user account is run in another session, it isn't possible for them to attack the ProcessGuard GUI with a shatter attack. It is possible if a SERVICE creates windows (like ProcessGuard v2.0 does), however v3.000 doesn't so shatter attacks and things like that aren't of concern.
     
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I was able to use shatter to modify the File Open dialog (via Protection/Add Application) to paste the shell code in (lacking a debugger I didn't take things any further). I can also get a command-line prompt with Admin access (this can be fixed by disabling the right click menu in the File Open dialog). Either option could be used for an escalation of privilege - though XP SP2's Data Execution Protection should prevent exploit code from being run in the first case.
     
  16. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Could you give the exact details of what you are doing here?

    As far as I am aware, if you are running as a Guest or Limited User you won't be able to enumerate the Windows on an admin desktop. So I'm not sure how you are using Shatter to exploit the ProcessGuard GUI unless you are also running Shatter on the administrators desktop?

    The only program which runs in every account started on the system is pgaccount.exe which runs with the user supplied privileges, the same as any program already running or about to be run in that session. So there is no point for a program to try and attack pgaccount.exe since it has as many privileges as the attacking program already does.
     
  17. quantam

    quantam Guest

    Originally, PG was designed to protect users' boxes from harmful or malicious code even if they accidentally/unknowingly let it run on theirs. PG should protect important system processes already in place, assuming all are good ones (not bad ones that replaced the legitimate ones). Is that wrong?
    Now with "Shatter", if you let it run, and with the security flaws of Windows, as "Paranoid" said, can shatter attack successfully even with PG2/3 in place?

    Thanks for helping.
     
  18. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    I'll have to take a look at preventing this, but it might be possible.
     
  19. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I was logged in as a Power User using the Run As option to run Procguard with administrator access. Hope that helps.

    Another thing I have noticed is that PG3 does not appear to block all programs from installing drivers (I have all 4 Global Protection options checked). It did block PageDefrag (from SysInternals) from loading its PAGEDFRG driver but did not stop Drive Snapshot (trial download available) from loading its SNAPSHOD driver (this was blocked by PG2 Free and prompted for by SSM 1.9.5 - snapshot.exe had no entry in PG3's Protection list).
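The scenario in the post above (a GUI program started with Run As under an Administrator account on a Power User's desktop) can be checked for directly. The script below is an added example, not code from the thread or from ProcessGuard: it lists every process that owns a top-level window in the current logon session but runs under a different account than the interactive user. It assumes a Windows host with PowerShell 3 or later and uses only the standard Get-Process and Win32_Process WMI interfaces.

```powershell
# Added example, not from the thread or from ProcessGuard: list GUI processes
# in the current logon session that run under a different account than the
# interactive user. A window like that shares the desktop with your own,
# lower-privileged processes and is what a window-message ("shatter") attack
# targets. Run this from the ordinary (Power User) account, not from the
# elevated Run As window.

$me        = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name  # DOMAIN\user
$mySession = (Get-Process -Id $PID).SessionId

# Only processes that own a top-level window in our session matter here.
$gui = Get-Process | Where-Object { $_.SessionId -eq $mySession -and $_.MainWindowHandle -ne 0 }

$findings = foreach ($p in $gui) {
    $cim = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.Id)"
    if (-not $cim) { continue }                      # process exited meanwhile
    $owner = Invoke-CimMethod -InputObject $cim -MethodName GetOwner
    if ($owner.ReturnValue -eq 0) {
        $account = "$($owner.Domain)\$($owner.User)"
    } else {
        # Not being allowed to read the owner from this account is itself a
        # sign the process runs as someone else, so report it rather than skip it.
        $account = "(owner not readable, rc=$($owner.ReturnValue))"
    }
    if ($account -ne $me) {
        [pscustomobject]@{
            Pid   = $p.Id
            Name  = $p.ProcessName
            Owner = $account
            Title = $p.MainWindowTitle
            Path  = $cim.ExecutablePath
        }
    }
}

if ($findings) {
    "Top-level windows in session $mySession owned by another account (shatter candidates):"
    $findings | Format-Table Pid, Name, Owner, Title -AutoSize
} else {
    "No windows owned by another account found in session $mySession."
}
```

Anything the script reports was started in your session but holds another account's token, which is exactly what Run As produces. On Windows 2000/XP, the platforms this thread is about, such a window receives messages from any process on the same desktop; later Windows versions added User Interface Privilege Isolation, which blocks most messages sent from lower- to higher-integrity windows, but listing what runs on a shared desktop under a different account remains a sensible check.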
     
  20. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Blocked fine for me. However, services.exe is the one which installs the driver for snapshot; you most likely have services.exe with Allow Drivers.

    This is an issue with services.exe that I hope to fix in later versions of ProcessGuard, there isn't an easy solution to this problem.
     
  21. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks for that Jason. Looking at my protection list, I do not have Allow services / driver install for services.exe and have not had any alerts that indicate that it is required by anything. The same applies to my laptop and to Windows 2003 server machines.
    So I assume it is normally best not to give services.exe the Allow services / driver flag? Or maybe only allow it for a particular trusted program?

    Pilli
     
  22. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Services.exe did have the Install Drivers option but removing this made no difference - Snapshot still ran (I do have to use "Run As" to give it administrator rights when logged in as a power user). However thanks for the update. :)
     
  23. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    It runs fine here too; just when you click backup drive, or one of the options which makes it drop and install its driver, it will fail.
     
  24. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    I myself would only add that privilege to services.exe temporarily to solve any issues an application was having. I know some people with AOL and various other things like it have to pretty much always allow services.exe to install drivers because they continually install a driver on every bootup.
     
  25. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    No failure here, even when I start a backup. o_O The only entry in the PG log was:

    Thu 30 - 07:02:43 [EXECUTION] "d:\program files\drivesnapshot\snapshot.exe" was allowed to run
    [EXECUTION] Started by "c:\winnt\system32\services.exe" [268]
    [EXECUTION] Commandline - [ "d:\program files\drivesnapshot\snapshot.exe" ]
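The log excerpt above is the only record the user sees of snapshot.exe being launched by services.exe, and Jason's point earlier in the thread is that driver loads requested through the Service Control Manager are attributed to services.exe rather than to the program that asked for them. The script below is an added example, not code from the thread or from ProcessGuard: it parses three-line [EXECUTION] entries in the format shown above into objects and picks out the executions whose parent is services.exe, so that a driver-install event charged to services.exe can be correlated with what services.exe had just started. The first entry in the sample log is the one quoted in the post; the second is constructed for illustration, and the wording "was allowed to run" is the only verdict text that appears on this page, so the verdict field is parsed as a single word without assuming what a denial looks like.

```powershell
# Added example, not from the thread or from ProcessGuard: parse ProcessGuard-style
# [EXECUTION] log entries and flag executions whose parent is services.exe.

# Sample log. The first entry is quoted from the thread; the second is
# constructed to give the filter something to leave out.
$log = @'
Thu 30 - 07:02:43 [EXECUTION] "d:\program files\drivesnapshot\snapshot.exe" was allowed to run
[EXECUTION] Started by "c:\winnt\system32\services.exe" [268]
[EXECUTION] Commandline - [ "d:\program files\drivesnapshot\snapshot.exe" ]
Thu 30 - 07:05:10 [EXECUTION] "c:\winnt\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\winnt\explorer.exe" [912]
[EXECUTION] Commandline - [ "c:\winnt\system32\notepad.exe" ]
'@

function ConvertFrom-PgLog {
    # Turn the three-line entries into one object per execution. Lines that do
    # not match any of the three shapes are ignored rather than aborting the parse.
    param([string[]]$Lines)
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^(?<ts>\w{3} \d+ - \d\d:\d\d:\d\d) \[EXECUTION\] "(?<image>[^"]+)" was (?<verdict>\w+) to run') {
            if ($entry) { $entry }           # emit the previous entry
            $entry = [pscustomobject]@{
                Time        = $Matches.ts
                Image       = $Matches.image
                Verdict     = $Matches.verdict
                Parent      = $null
                ParentPid   = $null
                CommandLine = $null
            }
        }
        elseif ($entry -and $line -match '^\[EXECUTION\] Started by "(?<parent>[^"]+)" \[(?<pid>\d+)\]') {
            $entry.Parent    = $Matches.parent
            $entry.ParentPid = [int]$Matches.pid
        }
        elseif ($entry -and $line -match '^\[EXECUTION\] Commandline - \[ (?<cmd>.*) \]$') {
            $entry.CommandLine = $Matches.cmd
        }
    }
    if ($entry) { $entry }                   # emit the last entry
}

$entries = ConvertFrom-PgLog -Lines ($log -split "`r?`n")

# services.exe is the process that actually loads drivers via the SCM, so
# anything it spawned is worth a second look when a driver-install event
# shows up attributed to services.exe.
$fromScm = $entries | Where-Object { $_.Parent -match '\\services\.exe$' }

"Executions started by services.exe:"
$fromScm | Format-Table Time, Image, ParentPid, CommandLine -AutoSize
```

Pointing the script at a real log is a matter of replacing the here-string with Get-Content on the log file; the parser keeps partial entries (a Started by line without a Commandline line, or vice versa) rather than dropping them, since a missing field is itself worth noticing when reviewing what ran.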
     