ProSecurity v1.21 [HIPS software]

Discussion in 'other anti-malware software' started by PSDeveloper, Oct 28, 2006.

Thread Status:
Not open for further replies.
  1. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Thanks Stem but I meant how did SSM behave with the SSM tests?
     
  2. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Just to confirm that PS was running alone. SSM had been uninstalled.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Anyone tried SPT from syssafety here.
     
  4. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046
    I have a test snapshot setup in FD with PG, SSM beta, PS, App/reg Defend to have a play


    So far I've tried the APT, Keyhooker, physmem and a couple of leaktests. It does seem pretty good.


    The registry protection does not appear to be as full as regdefend. Not looked at it fully or how keys etc can be added. I have Tony's ruleset in Regdefend.

    I do not like the tick greyed out - for ask user - not very clear at a glance


    I find the hooks tab confusing - SSM and Icesword list other items that might be expected in this tab? Outpost hooks for example - should it be shown or is this because it is not originating in user mode
     
    Last edited: Oct 31, 2006
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Well,.. as the SSM tests are built around the SSM protection,.. it will protect you against these (They are not going to put out tests that their own app fails on)
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have just finished fully running APT, I will move on to SPT. (but I may need to move to XP,.. these tests were a little problematic under W2K, but will try on this O.S. first)
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks for that.
     
  8. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    True, but not all computers work the same as has been shown with other producers.
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have run SPT against Prosecurity, and all 16 kill methods are intercepted. (SPT does run correctly on W2K now,... so the tests were made on W2K)
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This then would infer that there is no point to my testing / posting results for you,.. as the results would be different on your system.
     
  11. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I don't see it that way. With your testing we have a good base to work from. You are providing a consistent resource and I for one appreciate all the work you put in here. Let's just forget my comments as it is not serving any useful purpose - no offence.

    With SPT, what is meant to happen as nothing appeared on my machine and I wonder if BOClean might have been intercepting it.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks. That looks great.
    BTW can u post ur test settings in brief.
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    First, place the SPT.exe file onto your c:\ drive (or main drive), so you can find it easier.
    You need to run SPT from the command line. Go to "start menu / run"; in the run window that appears, type cmd. This will bring up the command window. At the prompt, type cd\ ; this will then default to the main drive. Type SPT; this will show all options for SPT.

    SPT option:-
     

    Attached file: spt.JPG
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I used the default settings in both SPT and Prosecurity
     
  15. PSDeveloper

    PSDeveloper Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    93
    Thank you very much for your testing!
    ProSecurity's hook tab is not a list of the hooks currently in the system; it is a rule list only. ProSecurity will automatically add hook modules which contain a global hook or which were installed into another process. But if a process installs a hook into itself, this type of hook poses no threat, so that module will not be listed.

    Another thing is that Windows\system32\browseui.dll is ignored automatically. This file is a system file which contains a hook that is installed when the user opens an "open file" dialog. It is safe, and this was designed in the early versions to avoid showing a warning box for any process which shows an open file dialog. I will remove this design in the next version. Except for this dll, all dlls which contain a Windows hook will be listed in the hook page.

    As you said, there may be a few kernel-level hooks not listed in this tab; I will check on this.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I mean how did u run the test.
    In my case I will usually protect an application, say IE, from termination via security software and then I will try to kill IE with SPT and I will allow SPT to execute. If u just stop its execution, then of course any simple HIPS can stop SPT.
     
  17. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046

    Thanks I like this product - fairly simple to use like PG but with a much fuller feature set.... yet granular control.

    I will continue playing when I have some more time ...
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    O.K.,.. I left Prosecurity at default settings,... I then ran each "kill test". I allowed the kill test to execute and to memory access "csrss.exe", I then watched the popups from Prosecurity to see if the actual "kill" was intercepted. What I mean by this is:- example: SPT test 3 is for killing by "remote thread". On running the test I allowed all other actions, such as "read process virtual memory" / "write process virtual memory",.. the test then attempted "inject remote thread", which is the actual test,... as Prosecurity intercepted this, and blocked when I selected to block, the test failed to kill the process, and Prosecurity passed the test.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks, much more informative now.
     
    Last edited: Oct 31, 2006
  20. Wake2

    Wake2 Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    205
    I had never heard of this program until seeing the posts
    about it here on Wilders, looks really interesting so will
    have to take it for a test drive, and thanks Stem for
    posting your test results.

    Regards,

    Wake
     
  21. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Thanks Stem

    Did not realise it was a command line program. However it still does not run here. I get the following pop up. It was run from the root of C drive.
     

    Attached file: SPT.jpg
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Have you downloaded the latest release. There was this problem with W2K and earlier releases.
     
  23. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Yes you are right, I had an earlier one.

    I think earlier we were at cross purposes. If you thought I asked how well SSM protected itself against its own suite of terminators then I can understand your attitude.

    What I meant and probably did not express at all well is how effective it is at protecting other programs, in my case the f/w Kerio 2.1.5.

    I cannot see in PS how to set the protection and cannot find any method to actually protect Kerio. In PG you could set a program to be protected, although there are now some methods to bypass that protection. PS does give warnings and maybe I am expecting it to protect in spite of allowing.
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    On my testing, all "kill" attempts were made directly against my firewall.
    All programs are protected from termination by default. (All termination attempts against any application will be intercepted), unless the application making the termination is allowed (by rule) to perform this. (default rules are "ask"). So in your case, Kerio would be protected by a default installation of Prosecurity.

    You need to approach this program differently than you do with PG. In PG, as you mention, you set a program to be protected; in PS, this protection is there by default. You must change the application rules for the program that you want to "allow" to terminate another program.
     
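As an added illustration (not code from ProSecurity, SPT or anyone in the thread), the following toy model captures two points made above: Stem's pass criterion in post 18 (preliminary steps may be allowed; the test is only passed if the decisive step, here "inject remote thread", is intercepted and blocked) and the default-"ask" rule model from post 24, where a kill is only uncaught when the calling application has an explicit allow rule. The step names and the application name "spt.exe" are constructed labels, not SPT's real output.

```python
from dataclasses import dataclass, field

ASK, ALLOW, BLOCK = "ask", "allow", "block"


@dataclass
class Hips:
    """Per-application overrides {app: {action: verdict}}.
    Anything not listed falls back to 'ask', as post 24 describes."""
    rules: dict = field(default_factory=dict)

    def verdict(self, app: str, action: str) -> str:
        return self.rules.get(app, {}).get(action, ASK)


# Constructed model of SPT kill test 3 (remote thread), per Stem's description.
KILL_TESTS = {
    3: {
        "decisive": "inject remote thread",
        "steps": ["open process", "read process virtual memory",
                  "write process virtual memory", "inject remote thread"],
    },
}


def run_kill_test(hips: Hips, attacker: str, test_no: int, answers: dict):
    """Replay one test; `answers` maps an 'ask' prompt to the user's choice.
    Returns (outcome, decisions) where outcome is:
      'pass'         - the decisive step was intercepted and blocked
      'fail'         - every step went through, the target was killed
      'inconclusive' - blocked at a preliminary step (aigle's objection:
                       stopping the tool early proves nothing)"""
    test = KILL_TESTS[test_no]
    decisions = []
    for step in test["steps"]:
        v = hips.verdict(attacker, step)
        if v == ASK:                       # popup: default to block if unanswered
            v = answers.get(step, BLOCK)
        decisions.append((step, v))
        if v == BLOCK:
            outcome = "pass" if step == test["decisive"] else "inconclusive"
            return outcome, decisions
    return "fail", decisions
```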
  25. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Yes I see that now but I am sure I am doing something wrong because I am getting odd results.

    I tried SSM kill 1 to 8 against Kerio and it stopped all of them even though I clicked Allow. 9 and 10 failed and have not gone further. I then tried changing the settings which is when I began to realise it might have protection by default. Now setting the Kerio settings back to default it is failing to protect on the lower kill numbers it previously passed on. Any ideas?
     