Protecting AV/hips-processes

Hi!

Is there any sense to protect my F-secure, Prevx1 and Winpatrol Plus with
Processguard free? (What other tools there are for this?)
Or is such an action pure paranoia?

ako

 

I don't know if it is pure paranoia but, for one, I am protecting my resident protection to be terminate from nasties...
Other than Process Guard, there is Prosecurity and, if I am not mistaken, the next version (2.0) of Online armor.

 

SSM free can protect apps against termination.

 

No Atomas, you are not mistaken

If they can protect themself, it's better to protect them from nasty things trying to kill them and then open widely the door for their bad friends.

MaB

 

Does it do it better than PG (PG fails Darkspy)? What about Online armour?

 

Soon, OA will protect progs from termination but not in the current beta build

MaB

 

Hi ako,

What is Darkspy? Is it a spy software or something like that?

As for Online Armour, version 2.0 who got the function you are looking for ("process guard") still in beta...

But why not give a spin to Prosecurity and SSM to see wich you like the best and work the best on your system and than give us your impression?

Personnally, I have chosen to replace my Process Guard with Prosecurity

Best regards,
Atomas31

 

An antirootkit

More information here

Regards,

MaB

 

So, if Darkspy is an Anti-Rookit (wich mean a security program) when Ako say that PG fails Darkspy what does that mean

Best regards,
Atomas31

 

Protecting the processes for firewalls, AVs, etc makes good sense. SSM for example can "keep a process in memory", restarting an app if it's terminated as well as requiring other apps to ask permission to terminate a process. Many of the better HIPS apps can defend themselves against most process termination methods. It's true that the most advanced process termination apps can be used to eventually kill or disable many HIPS or firewall suites. What gets overlooked here is that the user had to give that process killer permission to run in the first place, and often had to respond to other prompts for that app as well. While this is fine for testing, it doesn't reflect normal usage. In a real life situation, where would these advanced termination commands come from? How did the app responsible for them get onto the PC and get permission to run? To even get to this situation, the rest of the security-ware and the users judgement would have needed to fail. The AV has to miss it. Either the user chose to download it, the browser was exploited, or the firewall failed to control traffic. When the HIPS alerted to the new process, the user had to permit it. If enough if this can happen for a user to end up in that position, they have far more serious problems to address than adding additional protection for the HIPS process.
Adding another application to monitor or defend the HIPS process is an overkill. Little would be gained, and if this appliaction is another HIPS or process control application, it could create the potential for software conflicts that could kill the apps for you.
Rick

 

Indeed! Compliments for this interesting topic and posts. Even though more & more security apps (HIPS) and AV's are exercising new methods for protecting themselves from terminations, adding to SSM's "keep a process in memory", for instance as herbalist mentioned, in my case would be the vital processes of AntiVir AV and the Firewall, along with other choice selections. For any end user concerned about keeping their system's SECURITY up and ACTIVE, that adds even another layer of protection and thus confidence.

It's a highly welcome & favored feature of SSM and i expect more safety apps would follow similar techniques as they can.

SSM will protect them "ALL", in fact "ANY" process, if it gets hit by some stretch of the imagination or a determined malware prevayer, it will "Restart" the app as aforementioned "immediately" and continue as often as it gets terminated, if they are so inclined.

Everyone of course keeps to their own preferences, what they will live with when it comes to PC "FULL" Protection, so my answer to that would be "no paranoia", just good prudent sense.

 

PG can be killed by darkspy easilly.

 

Any process can be easilly destroyed from kernel mode. Nobody will not help in this case.

 

Unless your HIPS blocks the service installation.

 

My F-secure IS 2007 stopped Darkspy killing processes (forced kill) by its new HIPS called Deepguard.

But PG failed.

 

Can you please post a screenshot of Deepguard stopping the attack?

 

There was nothing special in the dialog. DG just warned that darkspy was trying to kill the process by a fancy way.

 

Hello,

I see no point in this. It means baddies are running on your machine already, which means you have executed something. Horrible. And now you want to protect the AV? How about protecting the documents? If they get irrecoverably deleted? What is more important? You can always re-download the AV, what about your private stuff?

Protecting processes means you don't trust yourself. If that's the case, switch to Linux.

Mrk

 

the way I see it is this,
if a malware maker makes something that disables your av and then sends any malware to your pc then your infected.
an av with the lastest defs is useless if someone sends something that can disable the av.
if av's havent got self protection its in production.
if you make a program that detects what av they got then disables it then send an old RAT then the malware writer wins and has full control
lodore

 

Hello,
No, it goes like this: if YOU download malware and YOU execute it THEN you're infected. Things don't happen by themselves, the user actually has to do something - except IE, but even then you must visit a 'special' website.
Mrk

 

true but as you say with ActiveX you just need to visit one dodgy website and bam yoru infected.
self protection is mainly intended for people who dont have a clue and dont care where they visit on the web and stops there av from being terminated during the dangerous surfing that the user doesnt know is dangerous.
microsoft should stop using activez then there would be less infections.
sure the people on this forum know the facts about you dont just click random links from msn or email etc.
secure IE
or use firefox/opera
but most users just install norton internet security eiether came with the pc or reccomended by pc world and expect it to block all the dangerous stuff which we know that 100percent detection rate with no false possitives is impossible.
I know this because I used to belive this myself intill i got the pc im currently using and my das friends introduced us to spysweeper 3.0
which was the version at the time.
i ran it on the old poc and found over 200 infections and was like whoa thats alot no wonder scandisk never got going=D
plus the av's I installed on that pc found like 20-30 trojans.
so mainly protection from the user that doesnt have know whats what with secuirty or dont give a damn about it.
and the so called special websites are not rare and easy to come across with comman searchs for warez and cracks which quite alot of home users search for to avoid paying say £60 for nero etc.
i have learned my lesson and now a very safe surfer but there is still tons of high risk surfers out there.
what i fear is a teenager using a pc to download warez gets a RAT or a password stealing trojan that nicks money out of there parents account when they do online banking.
not all parents know what there kids do on the pc.
lodore

 

The approach of SSM sounds interesting. However, it might be risky business to try it with FS 2007 and prevx1.

PG has worked nicely with them. No conflicts.

 

Hello,
lodore, if you use IE and set unsigned ActiveX to prompt, they will not download. The problem is with active scripting and high inherent insecurity of the IE.
Mrk

 

microsoft should made the defaults even safe than they did with ie7 since it still has tons of ways of exploiting it on those settings.
its not like its hard to send out windows updates with high default setttings.
lodore

 

If you run IE6 on its default settings, a malicious site can easily exploit it. As installed, it's security settings are horrible. Fortunately, its settings can be tightened a lot. Start with disabling activeX for the internet zone and putting the sites used for windows update into the trusted zone, assuming they can be called trusted after the WGA fiasco. If you really want to protect Internet Explorer, run it thru Proxomitron and filter out the exploitable content, and the banner ads, popups, etc, including scripts.

Malware doesn't just appear on your PC. Malware writers don't just send it out and make it enter your system. The vast majority of the time, the user chose to download or open the infected material. Yes, malicious sites can exploit a browser with a specially made page, usually until the exploit used gets patched. Sometimes a malicious individual can get past a firewall, more often the fault of the firewall rules than the firewall itself. When compared to number of malicious files users chose to download or infected e-mails they chose to open, exploited browsers and firewalls represent small percentage of the problem. Users are exploited more than all software combined, including windows and IE6. Browser settings can be tightened. Internet content can be filtered. Firewall rules can be tightened enough to stop most any malware from slipping in.
Most of the AV killer malware I've seen were e-mail attachments. FYI, an AV with up to date defs will detect and stop most of the AV killing malware. This kind of malware can be nasty when first released, but once the AVs recognize it, it mainly a problem for those who run outdated AVs. They're no a magic bullet that kills AVs by their presence. They're running processes like any other software, and like any other running process, HIPS can prevent them from running, unless the user allows it to run.
Process protection for AVs has to be treated a bit differently than it would be for a firewall or HIPS. AVs often need to be shut down during updating. Using a separate app to protect against shutdown or auto-restarting an AV can interfere with updating it unless the user is going to be updating it manually. Trying to make an AV that can't be shut down by anything except its own updater would open up a big can of worms, starting with malware that attacks the updaters. Process protection is better reserved for firewalls, which don't need to be shut down. Even this is not that critical if you've taken the time to close the open ports on your system.
Trying to use one HIPS to protect another or using HIPS to protect a firewall suite with a HIPS component gains little and can cause conflicts and configuration headaches. Running 2 process controlling programs only shows that the user doesn't trust either one to do the job. Process killers, whether they're legitimate apps or security app killing malware are processes themselves, which any decent HIPS will prevent from running. If one is running, the user allowed it. A second process control app would only mean the user had to allow it twice.

No amount of software is going to protect a clueless or typical user if it's being configured by that same user. Someone else has to secure that PC if it's going to see any real security. It either needs to be done by a person or the user needs to turn control over to an application that can make the decisions for them. Conventional HIPS and firewalls mix with typical users about as well as oil and water mix. I've pretty much concluded that educating the typical user is an excercise in futility. This might have been an option when an AV was all that was necessary and a firewall could be treated as an option, but not anymore. It might be possible to teach some users safe behavior, but when you get to the average teenage user, there's no substitute for good security-ware, configured by someone who can do it properly, and that isn't the average parent.
Rick