ProSecurity v1.21 [HIPS software]

Discussion in 'other anti-malware software' started by PSDeveloper, Oct 28, 2006.

Thread Status:
Not open for further replies.
  1. TECHWG

    TECHWG Guest

    So with SSM you allowed termination and it still blocked it? Sounds like a malfunction of SSM. You should report it to them if it's blocking after you allow.
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I can see where the confusion is here,....

    With SSM, the default is to allow any application to terminate another. To change this, you set an application to be protected from termination. Once this is set, that app is protected from termination against any app (there is no rule to allow an app to terminate another).

    PS has a different approach (as I tried to explain in an earlier post), where all applications are protected from termination by default, and you give rules to applications to allow them to terminate another.

    Maybe there should be a way to change the rules for new applications, and what they are allowed to do in ref to being allowed to terminate/inject etc. Maybe the addition of "Applications NOT in the rule list are allowed to" terminate / inject / read process memory / write process memory could be included, so that when a new app is added to the list, it would not default to ask for these privileges.
     
    Last edited: Nov 1, 2006
  3. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Let us suppose this exploit is buried in a program that someone wants to run and in order to do so it needs this to be allowed. I think it is quite well documented that people are happy to click through things rather than reading them. I wanted to know what will happen. With SSM I can add protection to still protect the program. I think that is a reasonable test. I am not trying to denigrate PS and will install it again as you suggest and see what happens.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes, I think there may be a need to be able to change the default global rules for a new application, so that it is blocked from being able to terminate/inject (rather than asking the user). The user would then need to change the rules for that app to perform such actions.

    djg05,..... Do you think that would be better?
     
  5. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Yes Stem that does seem to be better. Thought I was flying in the wind here, but I am glad you can see what I am trying to say. I think because people here have a degree of knowledge the attitude seems to be why do such a stupid thing as allowing malware on, but I think it must be seen from the point of view of the "innocent", for the want of a better word, and to prevent them getting into trouble.
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I realised what you were doing from your earlier post,... and I can fully understand your point on this.
    Fully agree

    I have made a post at the PS forum, maybe you would like to add to my post there?
    http://www.proactive-hips.com/forum/ under feature request.
     
  7. Kenjin

    Kenjin Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    63
    Not quite, at least when we talk about the same version. In my SSM 2.2.0.591 the default is to ask the user when a process tries to terminate other processes. All processes are automatically protected, as an "attacking" process would need explicit allowance for that in any case.
    If I remember correctly, this is how it works in SSM up to (and including) all latest release versions (i.e. 2.1.x) and is basically the same as what PS does.

    The additional process protection options which you can find in recent SSM 2.2 betas are indeed nice to have, but only function as an override to still prevent a termination even though the "attacking" process has explicit allowance for that in general.
     
  8. TECHWG

    TECHWG Guest

    SSM seems to be dialing home :cautious: . . . . I wonder why it would hide the fact by being "unknown", rootkit techno?


    [01/11/2006 05:00:52]

    Direction: outgoing
    Local Point: 10.10.10.10, port 1043
    Adapter: Local Area Connection
    Remote Point: 68.178.147.80, port https [443]
    Protocol: TCP

    Application path: Unknown
    Description: unknown
    File version:
    Created: N/A
    Modified: N/A
    Accessed: N/A
     

    Attached Files:

    • ssm.JPG (87.6 KB)
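The security point in the entry above is not the destination but the missing owner: an outbound TLS connection whose "Application path" is Unknown gives the user nothing to verify. Below is an added example (not code from SSM, PS or any firewall product) that parses entries in the layout TECHWG quoted and applies a simple defender's triage to them. The second entry is constructed for contrast; the first is copied from the post. The key names, the "block/review/allow" verdicts and the parsing helpers are all assumptions of this example.

```python
"""Added example: triage of firewall log entries in the quoted layout.

Parses the "[timestamp]" + "Key: value" blocks and flags entries that cannot
be tied to an executable on disk. Not taken from any product's code.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: entry 1 is the one quoted in the thread, entry 2 is a
# made-up benign entry (identified updater talking to a LAN host) for contrast.
SAMPLE_LOG = """\
[01/11/2006 05:00:52]

Direction: outgoing
Local Point: 10.10.10.10, port 1043
Adapter: Local Area Connection
Remote Point: 68.178.147.80, port https [443]
Protocol: TCP

Application path: Unknown
Description: unknown
File version:
Created: N/A
Modified: N/A
Accessed: N/A

[01/11/2006 05:02:10]

Direction: outgoing
Local Point: 10.10.10.10, port 1044
Adapter: Local Area Connection
Remote Point: 10.10.10.1, port http [80]
Protocol: TCP

Application path: C:\\Program Files\\Example\\updater.exe
Description: Example Updater
File version: 1.0.0.0
Created: 01/10/2006 12:00:00
Modified: 01/10/2006 12:00:00
Accessed: 01/11/2006 05:02:00
"""

ENTRY_HEADER = re.compile(r"^\[(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\]$")
# "68.178.147.80, port https [443]" or "10.10.10.10, port 1043"
POINT = re.compile(r"^(?P<ip>[\d.]+), port (?:(?P<name>[a-z]+) )?\[?(?P<port>\d+)\]?$")


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Split the log into one dict per "[timestamp]" block."""
    entries: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = ENTRY_HEADER.match(line)
        if header:
            current = {"timestamp": header.group(1)}
            entries.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")  # first colon only: keeps "C:\..." intact
        current[key.strip()] = value.strip()
    return entries


def triage(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an entry deserves attention (empty list = nothing odd)."""
    reasons = []
    if entry.get("Application path", "").lower() in ("", "unknown"):
        reasons.append("no application path: owning executable could not be identified")
    if entry.get("Description", "").lower() in ("", "unknown"):
        reasons.append("no file description")
    if all(entry.get(k, "N/A") == "N/A" for k in ("Created", "Modified", "Accessed")):
        reasons.append("no file timestamps: no on-disk image to inspect")
    remote = POINT.match(entry.get("Remote Point", ""))
    if remote and entry.get("Direction") == "outgoing" \
            and ipaddress.ip_address(remote.group("ip")).is_global:
        reasons.append(f"outbound to public host {remote.group('ip')}:{remote.group('port')}")
    return reasons


def verdict(entry: Dict[str, str]) -> Tuple[str, List[str]]:
    """Default-deny stance: an unidentifiable process is blocked, anything else
    with findings is reviewed, and a clean entry is allowed."""
    reasons = triage(entry)
    if entry.get("Application path", "").lower() in ("", "unknown"):
        return "block", reasons
    return ("review" if reasons else "allow"), reasons


if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        v, why = verdict(e)
        print(e["timestamp"], v, "; ".join(why))
```

The verdict deliberately does not try to decide whether 68.178.147.80 is a legitimate update server; without an application path there is no file to hash or inspect, so the entry is blocked until the owning process can be identified.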
  9. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Thanks - wasn't sure before.

    I have added to your post at PS
     
  10. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Is it checking for updates? That is set as a default
     
  11. TECHWG

    TECHWG Guest

    Perhaps, but if you're not inclined to do in-depth checks on the IP like I did, you see Unknown trying to access a server and either you block it, which you should, or allow it because you don't care. Point is this could have been something bad and it's got no name on it to identify the exe.
     
  12. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    As has been suggested, I cleaned out my registry and as far as I could see there were no remnants of HIPS programs. I then installed PS. Left it in learning mode, ran a few programs, rebooted and turned learning mode off. Then ran SPT and allowed everything on the pop ups but not remembering. On kill 2 it successfully defended that attack. Did the same with kill 10 and it failed. Tried kill 2 again and it failed this time. This is the same result I was getting yesterday.

    On the cosmetic front the window does not expand/contract smoothly when widened. The column markers when moved give a series of lines until the mouse button is released.
     
  13. TECHWG

    TECHWG Guest

    OK, you said you allowed everything but not remember. What are you hoping to achieve? It's like saying OK, I've got this bulletproof vest, let me take it off and shoot myself and see how well it performed? I truly don't understand your logic.
     
  14. TECHWG

    TECHWG Guest

    How can you expect anything to protect when you accept all the popups o_Oo_Oo_O?
     
  15. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Obviously you don't get the point - I'll leave it at that
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I'm pretty sure it's just a one-time test.:D:D:D:blink:
     
  17. TECHWG

    TECHWG Guest

    Maybe I just woke up on the stupid side of the bed this morning, but you're trying to find its protection level and test it by allowing termination? If I am missing something here please enlighten me lol because you confused the braincell out of me!
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    What "djg05" is looking for, and expecting, is the same type of protection against termination given by SSM. This being, that an application will be protected from termination regardless of user input to prompts. SSM has this option,... which is an over-ride, and blocks termination of selected apps (option to block termination), even if user allows another program to attempt this.
     
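Stem's two descriptions (the SSM/PS defaults in his earlier post and the override summary above) describe three distinct policy designs: per-application allow rules that a click-through user can defeat, a target-side override that ignores prompt answers, and a proposed default of deny rather than ask for applications not yet in the rule list. The toy rule engine below is an added illustration of those designs, written for this thread and not taken from SSM or PS; the class, its field names and the process names are hypothetical, and it reproduces djg05's test (answer Allow to every prompt without ticking Remember) against each design.

```python
"""Added illustration (not SSM's or ProSecurity's code): a toy model of the
termination-protection designs discussed in this thread.

Assumed model: a request is "may <actor> terminate <target>?"; the user
answers prompts through a callable, and may ask for the answer to be
remembered as a per-actor rule.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

PromptHandler = Callable[[str, str], bool]  # (actor, target) -> user allows?


@dataclass
class TerminationPolicy:
    """Hypothetical rule engine.

    rules:           remembered per-actor decisions ("allow" / "deny")
    unknown_default: what to do for an actor with no rule: "ask" (prompt the
                     user, the PS behaviour described) or "deny" (Stem's
                     proposed default for applications not in the list)
    protected:       targets that can never be terminated, whatever the rules
                     or prompt answers say (the SSM-style override)
    """
    rules: Dict[str, str] = field(default_factory=dict)
    unknown_default: str = "ask"
    protected: Set[str] = field(default_factory=set)

    def may_terminate(self, actor: str, target: str, prompt: PromptHandler,
                      remember: bool = False) -> Tuple[bool, str]:
        # 1. Override: a protected target is never consulted with the user.
        if target in self.protected:
            return False, "blocked: target is protected (override)"
        # 2. Remembered rule for this actor wins over any prompt.
        decision = self.rules.get(actor)
        if decision is not None:
            return decision == "allow", f"remembered rule: {decision}"
        # 3. No rule: either deny outright or ask the user.
        if self.unknown_default == "deny":
            return False, "blocked: no rule and unknown apps default to deny"
        allowed = prompt(actor, target)
        if remember:
            self.rules[actor] = "allow" if allowed else "deny"
        return allowed, "user answered prompt"


def run_click_through_test() -> Dict[str, Tuple[bool, int]]:
    """Replay djg05's test against each design.

    Returns {scenario: (was the target terminated?, number of prompts shown)}.
    """
    actor, target = "spt_kill.exe", "victim.exe"   # constructed process names

    def scenario(policy: TerminationPolicy, answer: bool,
                 remember: bool = False, attempts: int = 1) -> Tuple[bool, int]:
        prompts = 0

        def prompt(a: str, t: str) -> bool:
            nonlocal prompts
            prompts += 1
            return answer          # the click-through user always gives `answer`

        result = False
        for _ in range(attempts):
            result, _reason = policy.may_terminate(actor, target, prompt, remember)
        return result, prompts

    return {
        # PS as described: ask, user clicks Allow, termination goes through.
        "ps_today": scenario(TerminationPolicy(), answer=True),
        # SSM-style override: protected target, Allow is never even offered.
        "ssm_override": scenario(TerminationPolicy(protected={target}), answer=True),
        # Stem's proposal: unknown apps are denied instead of prompting.
        "proposed_default_deny": scenario(
            TerminationPolicy(unknown_default="deny"), answer=True),
        # A remembered Deny stops the second attempt without a second prompt.
        "remembered_deny": scenario(TerminationPolicy(), answer=False,
                                    remember=True, attempts=2),
    }


if __name__ == "__main__":
    for name, (terminated, prompts) in run_click_through_test().items():
        print(f"{name:22s} terminated={terminated} prompts={prompts}")
```

The model makes the disagreement in the thread concrete: with only per-actor allow rules, any design that asks the user is exactly as strong as the user's answers, whereas a target-side override (or a deny default for unlisted applications) holds regardless of what is clicked.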
  19. TECHWG

    TECHWG Guest

    Ohh I understand now . . . weird!

    Sounds to me they should fix how it works since that doesn't sound right somehow . . Hey, anyone tried Parallels? VM techno like VMware. Fast as hell but lacking remote start/stop of machines and stuff. Fast as hell. I think if I can get the networking working 100% I will use it for my tests since it's so damn fast.

    No joke, if I maximise, I cannot tell it's not my host PC.
     
  20. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    I did think I had explained my reasoning and I see Stem has just put forward my view.

    From your and my point of view, who have some knowledge to a greater or lesser extent, to keep pressing Allow is stupid.

    Now let's look at the naive user who downloads a program which, unknown to him, has malware buried in it. He wants to run it so just keeps clicking through the warnings. I just want to see how strong these HIPS programs are at resisting and protecting certain programs.

    You could say that such a person would never bother with HIPS but it could be my machine which is sometimes used by another and I want to be certain it will remain protected.

    I am not trying to run down PS but just seeing which I am most happy with. Hopefully PS will consider this is an area worth covering.

    One thing I have not noticed yet, and Stem may be able to answer it, and that is whether either can be locked down to prevent other programs loading. There is a lock on PS but that seems to be just the interface. New programs can still be loaded.
     
  21. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046
    I have been playing with note tab light as a simple dumb app - seeing how PS protects it or allows or denies resources to it.

    Network access - I like to deny network access.
    If I choose check for update - prompt - it loads a DLL - network access - allow - Outpost prompts - if Outpost blocks once, the NoteTab app remains responsive and says cannot see server.
    If I deny access to nw with PS - app freezes and must be terminated to unfreeze.

    Hooks
    I had a similar problem blocking a global hook launched from Acrobat - PG blocks and Acrobat remains responsive - PS blocks, app remains frozen until reboot.

    What is going on?
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Open PS, "Privilege" tab,... change the "Block from running new applications" from "ask"(tick with grey background) to "allow"(tick with clear background). This will then block any program (not already in the application rules) from starting.
     
  23. TECHWG

    TECHWG Guest

    I am back running PS now I am done giving SSM a test. My host PC has PS, Antivir, Sunbelt Kerio and Sandboxie. I also use virtualisation such as VMware and Parallels.
     
  24. TECHWG

    TECHWG Guest

    Hey Jie, when will you release yet another version :D I am interested in the new GUI or temporary new GUI you may have.
     
  25. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,565
    Thanks Stem
     