Standard Windows dialog installs global mouse hooks

Discussion in 'ProcessGuard' started by earth1, Nov 16, 2004.

Thread Status:
Not open for further replies.
  1. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    While disabling the AutoComplete does seem to address part of the issue, you can still see this problem manifest itself by right-clicking on your desktop and selecting "New --> Shortcut" and then in the subsequent dialog box, begin typing. If there are any previous history entries in there, you will get a dropdown and at that point an alert from PG saying that rundll32.exe tried to install a global hook. :'( So even with AutoComplete disabled this still rears its head in various places.

    Still waiting for Jason's thoughts on the latest postings in this thread since his Nov 16th reply. :rolleyes:
     
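The workaround mentioned above (disabling AutoComplete so the dialog never loads the history dropdown) is a per-user registry change. The script below is an added example, not something posted in the thread or shipped by DiamondCS; it assumes the standard Explorer\AutoComplete values "AutoSuggest" and "Append Completion" (REG_SZ, "yes"/"no") and must run as the user whose dialogs are affected.

```powershell
# Added example (not from the original thread): disable Explorer/common-dialog
# AutoComplete for the current user so the Open/Save and New->Shortcut dialogs
# stop loading the history dropdown that triggers the rundll32 hook alert.
# Assumption: the documented HKCU Explorer\AutoComplete values "AutoSuggest"
# (the dropdown list) and "Append Completion" (inline completion), both REG_SZ.

$AutoCompleteKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete'

function Get-AutoCompleteState {
    # Report the current values; a missing key or value means the Windows default (on).
    if (-not (Test-Path $AutoCompleteKey)) {
        return [pscustomobject]@{ AutoSuggest = '(default: yes)'; AppendCompletion = '(default: yes)' }
    }
    $p = Get-ItemProperty -Path $AutoCompleteKey
    [pscustomobject]@{
        AutoSuggest      = if ($null -ne $p.AutoSuggest) { $p.AutoSuggest } else { '(default: yes)' }
        AppendCompletion = if ($null -ne $p.'Append Completion') { $p.'Append Completion' } else { '(default: yes)' }
    }
}

function Set-AutoComplete {
    # 'no' turns both the dropdown and inline completion off; 'yes' restores them.
    param([ValidateSet('yes', 'no')][string]$Enabled)
    if (-not (Test-Path $AutoCompleteKey)) { New-Item -Path $AutoCompleteKey -Force | Out-Null }
    Set-ItemProperty -Path $AutoCompleteKey -Name 'AutoSuggest'       -Value $Enabled -Type String
    Set-ItemProperty -Path $AutoCompleteKey -Name 'Append Completion' -Value $Enabled -Type String
}

'Before:'; Get-AutoCompleteState
Set-AutoComplete -Enabled 'no'
'After:';  Get-AutoCompleteState
```

Dialogs opened after the change pick up the new values; already-open windows keep their current behaviour. This only removes one trigger for the hook request, it does not change what ProcessGuard allows or blocks, and as the post notes the New -> Shortcut dialog may still raise the alert.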
  2. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Allowing *ANY* hook by "default" will allow malware authors to inject their code on the system, so it isn't something you really want to be doing for untrusted programs. In a way I can see the usefulness of having options for the allow hooks for a program, so for the next version I will see if it is feasible to add it without adding a whole lot of complexity to the program.

    However I wouldn't feel like ProcessGuard is useless in its current state against Global Hooks even if every legit application did them, it protects you fully from any possible attacks. For instance if you have global hook protection disabled and something runs it can inject into nearly every process on the system, hence nullifying all the other protection in place. I don't see why you would want this even if all your legit applications did have "allow global hook", the above attack would be blocked (if you have BLOCK GLOBAL HOOKS enabled as well). In regards to the standard open/save as dialog, you can ignore the request without any ill effects, or even disable auto complete as some people have suggested.
     
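The point Jason makes above is that a global hook gets its code into nearly every process: a global SetWindowsHookEx hook works by loading the hook DLL into each process that receives the hooked events. One practical check, as an added example that is not from the thread or from DiamondCS, is to list which processes currently have a given module mapped; the module name below is a placeholder assumption, to be replaced with the DLL named in the alert.

```powershell
# Added example (not from the original thread): show the footprint of a hook DLL
# by listing every process that has it loaded. A global hook DLL turning up in
# many unrelated processes is exactly the injection the post describes.
# Assumption: 'hook.dll' is a placeholder module name. Run elevated to see
# processes belonging to other users.

param([string]$ModuleName = 'hook.dll')

function Get-ProcessesHostingModule {
    param([string]$Name)
    foreach ($proc in Get-Process) {
        try {
            $mods = $proc.Modules
        } catch {
            # Access denied or 32/64-bit mismatch: cannot enumerate this process, skip it.
            continue
        }
        foreach ($m in $mods) {
            if ($m.ModuleName -ieq $Name) {
                [pscustomobject]@{ Pid = $proc.Id; Process = $proc.ProcessName; Path = $m.FileName }
                break
            }
        }
    }
}

$hosts = @(Get-ProcessesHostingModule -Name $ModuleName)
"$($hosts.Count) process(es) have $ModuleName loaded"
$hosts | Format-Table -AutoSize
```

A legitimate application's hook DLL normally shows up only in a handful of processes that exchange events with it; the same module sitting in browsers, the shell and every other GUI process is the pattern worth treating as hostile until explained.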
  3. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Hi Jason, thanks for poking your head in :) The problem is not that PG is ineffective in its current state. I think what earth1, rick and others (including myself) are saying is that the way it is set up, it is either very tedious to set up properly (i.e., having to add "allow global hooks" to every program on your protection list -- which causes the protection list to be immense and unnecessarily long, or perhaps forces you to give hooks to a program that you really don't want to) or encourages the user to disable features that might leave their system in an unprotected state (i.e., disabling block global hooks or suppressing the balloon alerts etc.). Yes, I can enable learning mode and then proceed to launch each and every program on my hard drive and then attempt to get that program to pop up an open/save dialog, and then PG will learn, but in the end that would take days or weeks of time and would leave a huge mess in the PG config GUI. And yes, AutoComplete can be disabled, but as I mentioned two posts up that does not solve the problem in all cases...

    I understand that adding features is annoying and hard work -- I am a db programmer myself and I hate when users ask for stupid features that I don't see the value of. But in the end I have to remember that when programming I am trying to find that "middle ground" that keeps users happy but also keeps my software from becoming overly bloated and too specialized for specific groups of users. Sometimes we don't see eye to eye, but in the end they are using the software more than I do, so usually after going through some revisions the final result is a better piece of software -- even if initially I thought it was a bad idea. So I understand if you feel this feature would not be useful to you, but I believe that it would benefit your users, as evidenced by others' comments and other threads in the PG forum.

    So anyway, I guess enough has been said about this, but I sincerely hope that this granular control or some other solution makes it into the next major revision, as I believe it would be a huge improvement.
     
  4. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    That's very good information to know. My mental image of injection was more related to memory/code modification.

    Thank you for agreeing to the attempt, Jason, that's wonderful to hear. I hope it may also seem useful and feasible enough to evaluate a "Local Learning Mode" property for each program.

    Far from it, Jason, ProcessGuard is the most essential security program I own. My primary concern over hooks is to optimize security. I'm feeling pretty good about the standard dialog glitch since Nick helped me disable auto-completion. Many thanks to everyone at DCS for what ProcessGuard is already, and for earnestly considering what others think it might become.

    Mike
     
  5. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    I tend to agree with Jason in some respects. Some things like this are very easy to simply ignore.

    Even with turning off global hooks in IE, it took me a week to notice that the only ill effect I found was that menus didn't open when sliding over the menu sideways; they all had to be individually clicked open to drop down. So I turned on global hooks for IE to eliminate that annoyance, but I would definitely prefer to limit IE to mouse hooks only.

    Allowing global hooks can create some pretty dangerous scenarios. Anything that communicates out my LAN to the Net needs "global hook shackles" in my opinion, or at least needs to be scrutinized as a security risk until proven innocent, with IE being a real "if" in my book these days. I've simply caught too many trustworthy apps doing things out my LAN without asking, or even in defiance of privacy or communications settings, or encountered strange goings-on at "iffy" websites. It's just too easy to Google a hostile website on a legitimate search.

    Of course I have since switched to Firefox. Security is a multilayered thing after all, but I would like to have a little more versatility in global hook control... if possible.
     