PC AUDIT

Discussion in 'other firewalls' started by MickeyTheMan, Aug 2, 2002.

Thread Status:
Not open for further replies.
  1. snowy

    snowy Guest

    Jack

    The details you provided.........is that regarding an OS ALREADY INFECTED?? On a NON-INFECTED OS how would those results be possible? Once Explorer's files have been placed in protection.....that exploit just isn't going to be able to use it.
    If what you are saying is true.......then file protection programs are useless........
    Naturally on an already infected OS it would be a waste of time to place any program into file protection...........
    snowman
     
  2. snowy

    snowy Guest

    Pete

    Yes, I certainly agree with you......the time spent changing info, etc. would not make it a logical choice.

    To tell you the truth, Pete.....since the past couple of days I really don't think it's worth the effort anymore.
    ......if anything the situation has grown considerably worse with the passage of time...........
    The few that can or would make the changes to plug privacy leaks are just a mere drop of water in a vast sea.

    snowman
     
  3. snowy

    snowy Guest

    JACK

    I have been trying to understand the contents of your post........bear with me if you will please

    OK......as I understand this exploit.....it's nothing more than a "piggy-back".......and for it to function it has to alter a DLL in Explorer.....
    Now..if Explorer is placed in full protection.....which prevents any and all changes of any kind being made to the Explorer DLLs..............then how is the exploit going to misuse Explorer...and attach itself to it o_O
    Jack, I am speaking here of protecting Explorer PRIOR to any infection.

    Thanks
    snowman
     
  4. Pretender

    Pretender Registered Member

    Joined:
    Apr 23, 2002
    Posts:
    670
    Location:
    Virtual Paradise
    I feel extremely humble after reading this thread. I'm more computer illiterate than I ever imagined. I assume that no one here has any problems with the Naviscope software? Will Naviscope conflict with ZoneAlarm? I'm using both at the moment and the jury is still out. MSIE 6 doesn't like to load with both running and some minor glitches with other web page loading. Would appreciate some of you dropping down to my level for a moment and providing me with some insight on Naviscope and ZoneAlarm (free version). Opinions, good or bad or indifferent would be appreciated.
     
  5. snowy

    snowy Guest

    Pretender

    Hey, my friend, don't ever....not ever feel left out........I have got to be the most computer-dumb person on earth.....heck, I can't turn the darn thing off....

    You should not experience any problems using Naviscope and ZoneAlarm.....never heard of anyone having any. Naviscope will need to be configured......be sure to look at the "readme" instructions. I don't personally use Naviscope......I did give it a brief try a few years ago....

    snowman
     
  6. snowy

    snowy Guest

    Pretender

    I don't use IE 6, so I can't comment there..sorry.

    snowman
     
  7. FanJ

    FanJ Guest

    I would like to quote (and I hope that I’m allowed and that he doesn’t mind me doing so) a part of an old posting from Joseph V. Morris at:

    https://grc.com/x/news.exe?cmd=article&group=grc.security.software&item=33708&utag=


    grc.security.software “Subject: Re: o_Oo_Oo_O??”


    ---begin quote---

    All of the application control firewalls (with or without file authentication) currently on the market do _not_ authenticate in any manner the DLLs, SYSs, OCXs, VXDs, etc., that may be critical to the actual functioning of the application. Given the physical implementation of MSIE (in particular), authenticating the iexplore.exe executable (and only that executable) does very little -- it's little more than a stub program that calls enabling DLLs.

    ---end quote---



    Please remember, this was an old posting!
    In the meantime some firewalls have improved.

    Now what I’m wondering myself is this:
    I thought that, for example, ZAPro has improved in this way: that it also in some way checks not only the exe file that wants access but also the other files, like the dll files, that that exe file calls.
    Am I right here?
    Has anyone tried it with ZAPro?
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Mickey

    ..and the statement from JacK (in essence the same) is IMHO the essence here. PCAudit has used a concept which can be circumvented, as Mickey pointed out: let's call it a "coincidence". The principle matters.

    ZAPro will fail the test - provided one runs the test while online.

    regards.

    paul
     
  9. FanJ

    FanJ Guest



    Let's assume that you have a firewall that is capable of not only "checking" the exe file (by using for example MD5 checksums), but also all the dll, vxd etc. files that it possibly could call.
    Then first of all that firewall has to make a database of all those exe, dll, vxd etc. files.
    Now PC Audit, or any malware that works that way, injects its code in a dll file.
    Now that exe file wants for some reason access to the outside world; then that firewall checks that exe file and all of the dll files that it calls. If that firewall is doing its job, it should warn you: hey, one of the dll files has changed, what do you want: give it permission or not?

    So what is the point? Where is it going wrong?
    Is it the fact that that dll file is already in RAM? (and Joseph already pointed at that too in that GRC thread).
     
  10. snowy

    snowy Guest

    Paul

    What I am at odds of understanding...is how any program DLL can be exploited once it's been protected?
    I understand that some firewalls are blocking this exploit by preventing the DLL from being exploited........and if that's the case......it only verifies that file protection will work (open to correction on this). Once the program...any program....is fully protected.......and afterwards an exploit of this nature enters an OS....unless the file protection fails, how can the program files\DLLs be changed? Honestly asking for prevention purposes.
    I completely fail to see how anything could be injected into a file\DLL in such circumstances.

    Once again I must state that I don't see this as a firewall issue. Sure, a firewall may alert a user of the existence of the exploit.....and a firewall may prevent the exploit from accessing the internet......but a firewall won't clean the exploit...it remains on the system.

    Putting perfume on a smelly person may stop the odor, but only a bath will remove the dirt.

    Naviscope is a proxy...that's its intended purpose.....it can "strip the headers" but it won't clean the exploit......and the machine remains infected. Someone else in the household comes along.....and does not enable Naviscope..and the exploit works.

    For further consideration......a simple script detector could alert and allow the user to abort the exe......but the exploit would still remain on the OS.

    This is not a new issue....Windows from day one has had this.........and until now no one did what PCAudit did...it always could have been done...
    A person wanting to use Naviscope for its intended purpose as a proxy...hey, fine.....but a person using Naviscope believing it will somehow "clean" the exploit is just wasting their time and computer resources.......

    My concern is that an impression will be given that a firewall is "the holy grail", which it is not.....a virus\trojan\worm needs to be cleaned from a system.....no firewall can yet accomplish that task.

    respectfully

    snowman
     
  11. snowy

    snowy Guest

    ---begin quote---

    All of the application control firewalls (with or without file authentication) currently on the market do _not_ authenticate in any manner the DLLs, SYSs, OCXs, VXDs, etc., that may be critical to the actual functioning of the application. Given the physical implementation of MSIE (in particular), authenticating the iexplore.exe executable (and only that executable) does very little -- it's little more than a stub program that calls enabling DLLs.

    ---end quote---



    FanJ

    That comment by Joe M is just where I am going in my responses........PREVENTION BEFORE-THE-FACT.
    If altering was prevented in the first place there would be no real need for such double checking.
    Believe me, I am very open to learning on this issue.

    snowman
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Jan,

    The O/S design from W9x, and:

    ..here - as a derivative. As of now, there is no firewall able to "check" all dll, vxd etc.

    snowman,


    Protected in what way? Any running client will do. Are you referring to sandboxing, Tiny Trojan Trap?

    I agree it's an O/S issue first. That being said, it's in essence quite easy to implement for example a dll "like" the one in use by the pcaudit test (but not an innocent one like this one) in virtually any executable - say software. It would be undetected.

    True: a firewall is by no means a holy grail. Nevertheless, if O/S design demands protection, it would be nice if an app - like a firewall - would alert before executing.

    Have a go at the pcaudit test ;); it's rather fun: using Kerio FW and IE 5x, all kinds of running apps will pop up - asking "is it OK to update" etc.

    regards.

    paul
     
  13. FanJ

    FanJ Guest

    So, this is where a utility like FileChangeAlarm (brother of NISFileCheck) could prove its value.
    Why? You can tell it to warn you in real time for any change in whatever exe, dll, vxd, ocx, sys, etc. file.
    Alas, I run W98SE and you can only use it on W2000/NT/XP.....
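    The procedure FanJ sketches in post 9 (first build a database of checksums for every exe, dll, vxd etc., then, when an application asks for network access, re-check the exe and every module it has loaded) and the real-time change alarm mentioned here come down to the same on-disk integrity check. The Python below is an added example written for this page; it is not code from any of the firewalls discussed or from FileChangeAlarm/NISFileCheck. It assumes SHA-256 in place of the MD5 checksums named in the thread, and the file names and contents are constructed samples. It shows why authenticating only the exe misses a changed DLL, and its comments mark the gap the post asks about: a module altered only in RAM still hashes clean on disk, so this kind of check alone cannot see it.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: SHA-256 is used here instead of the MD5 checksums the thread
# mentions; the procedure is identical, the digest is just stronger.
HASH_ALGO = "sha256"
MODULE_SUFFIXES = (".exe", ".dll", ".vxd", ".ocx", ".sys")


def file_digest(path):
    """Hex digest of a file's on-disk bytes, read in chunks."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Step 1 of the post: record a digest for every module file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in MODULE_SUFFIXES
    }


def check_modules(root, baseline, loaded_modules):
    """Step 3: when an application asks for network access, compare every
    module it has loaded against the baseline.  Only on-disk bytes are
    compared, so a module patched purely in memory still reports 'ok'."""
    root = Path(root)
    report = {}
    for rel in loaded_modules:
        path = root / rel
        if rel not in baseline:
            report[rel] = "unknown"      # never seen when the baseline was taken
        elif not path.exists():
            report[rel] = "missing"
        elif file_digest(path) != baseline[rel]:
            report[rel] = "changed"      # on-disk bytes differ from the baseline
        else:
            report[rel] = "ok"
    return report


def demo():
    """Constructed scenario: a stub exe plus two helper DLLs.  One DLL is
    overwritten on disk after the baseline is taken, and one module that was
    never baselined appears in the loaded-module list."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # constructed sample files; the names do not belong to any real product
        (root / "stub.exe").write_bytes(b"stub that only calls its dlls")
        (root / "helper_a.dll").write_bytes(b"helper a, unchanged")
        (root / "helper_b.dll").write_bytes(b"helper b, original")
        baseline = build_baseline(root)

        # simulate an on-disk modification of one dll after the baseline
        (root / "helper_b.dll").write_bytes(b"helper b, with extra code appended")

        # what an "exe only" check sees versus an "exe plus loaded dlls" check
        exe_only = check_modules(root, baseline, ["stub.exe"])
        exe_and_dlls = check_modules(
            root, baseline,
            ["stub.exe", "helper_a.dll", "helper_b.dll", "extra.dll"],
        )
        return {"exe_only": exe_only, "exe_and_dlls": exe_and_dlls}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name)
        for module, status in result.items():
            print(f"  {module:14} {status}")
```

    The "exe only" report passes even though a DLL the stub depends on was rewritten, which is Joseph Morris's point about iexplore.exe being a stub. The fuller check flags the changed DLL and the never-baselined one, but it is still only a disk check: the question raised in post 9, whether the code is placed into a module already loaded in RAM, is exactly the case neither report can reflect.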
     
  14. snowy

    snowy Guest

    BY FANJ :

    "So, this is where a utility like FileChangeAlarm (brother of NISFileCheck) could prove its value."


    John, that's just my point.



    PAUL

    To name one program that we both know...."File Protector" by PEPI.


    Paul, I very much appreciate your reply....truly I do.
    At this point I just have to ask myself why....if a firewall can verify checksums.....why aren't the virus scanners and trojan scanners doing this same job? Are people just throwing away their money purchasing these products....it certainly appears this way.......if the virus\trojan scanners can't do what the firewall is being expected to do. My point is very simple..... what if a firewall detects the changes....that of itself won't remove the exploit. If the anti-virus\anti-trojan scanners were doing a good job the exploit never would have executed on the machine...or at the very least a user would have been alerted by the scanners and allowed to clean the exploit.

    If a firewall vendor can make a firewall perform this function.....why aren't the vendors of anti-virus\trojan products doing the same?? This subject has been kicked around and around for years without a response from vendors of virus\trojan scanners.........to implement the kind of protection we are discussing.......therein lies my main concern. The buck is being passed...to the firewall.

    And point of fact...the exploit is never cleaned\removed.

    respectfully

    snowman
     
  15. snowy

    snowy Guest

    BY PAUL:

    "in essence quite easy to implement for example a dll "like" the one in use by the pcaudit test (but not an innocent one like this one) in virtually any executable - say software. It would be undetected"
    ****************

    PAUL

    I could not agree more....in fact that's what's giving me the shivers..........and why I so strongly believe that the anti-virus\anti-trojan vendors need to address this issue immediately. This time the exploit was innocent.....but sooner or later it won't be. A means of immediate detection\cleaning needs to be provided before such an exploit is exploited for evil.
    Certainly I don't mean to sound pushy on this issue....I am truly concerned here.............my apology to one and all if I come off sounding like I'm on a soap box.....far be that from the truth...........this is obviously a preventable exploit....so why isn't it being prevented o_Oo_O??

    respectfully

    snowman
     
  16. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    By design AVs and ATs are for one purpose only: detecting and handling malware - database-based and/or using heuristics. In case of a database "fingerprint" including malware characteristics (a dll could be part of that) it will be flagged.
    Thus, something "nasty" has to be detected, triggering the AV or AT. In principle, a dll as such is not malware. In short: IMHO this isn't an issue for AVs nor ATs. Only in case, for example, a dll is part of a virus/worm/backdoor/trojan should AVs/ATs be able to handle it. As far as I see it, this isn't the case here.

    One could only ask AV/AT vendors to include pcaudit in their databases - but since it's harmless, there's no use in doing so.

    regards.

    paul
     
  17. snowy

    snowy Guest

    Paul

    Again I thank you for replying. Hope you are having a pleasant day......always wishing you well.


    snowman
     
  18. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Enjoy your day as well, snowman (nearly 8:00 in the morning over here..).

    regards.

    paul
     
  19. snowman

    snowman Guest

    darn if I didn't just delete my reply!! I must need a rest break.....LOL
     
  20. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,017
    Putting PcAudit in a database would serve no useful purpose as it only represents a symptom of what can be done.
    True, with vigilance, it's possible to intercept it, but those mostly at risk are those not usually following these forums and would be caught red-handed.
    Heck, in one of the tests I did, I closed LNS and tried Sygate, to verify its dll authentication.
    Well, the darn thing used the LNS driver in trying to access.
    Now you tell me. Who would usually think of blocking anything from its favourite firewall!
     
  21. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    LOL! You must admit, although a serious matter, it's kinda funny as well :D

    regards.

    paul
     
  22. Pretender

    Pretender Registered Member

    Joined:
    Apr 23, 2002
    Posts:
    670
    Location:
    Virtual Paradise
    I'm not sure about all of this stuff and how important it is in life. I've been sick for the last few days and am about to go out of my mind with pain from a botched surgery back in 97. Don't mean to complain, as all of this information keeps my brain working a bit. Just tired, I think. Gotta regroup and maybe I can catch up with all of you later.
     
  23. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Take care, Pretender ;)

    regards.

    paul
     
  24. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi snowman,

    PC Audit does not alter the files and does not "infect" them: if you allow Explorer to access the W3, by the way, you allow PCAudit too.
    If your FW does not allow Explorer to access the Web, PC Audit cannot use it to access the Web; it shall try to access the W3 using another valid application.

    Rgds,

    JacK
     
  25. FanJ

    FanJ Guest

    Hi JacK,

    I hope you don't mind, but I have a couple of questions:

    1.
    That would mean that a utility like FileChangeAlarm (checking exe, dll, etc. files in real time) would not help you here, is that right?

    2.
    I thought it was described that PC Audit "injects" its code in a dll file.
    So does it change a dll file or not?

    3.
    Or is something going on like "injecting its code in such a dll file when that dll file is loaded in RAM"?


    PS: to Pretender:
    I wish you all the best, and I really hope you will feel better soon!!! Take care, Jan.
     