Set to Permit Once

noob question about the "set to permit once" setting in the security tab. is this only once ever? or is it once a day?

 

oh yea, and which type of programs should be set to "install drivers/services"? i did read andreas' page, but still a littlke fuzzy.

 

Hi INTOXSICKATED,

"Permit Once" stays in effect until the next time the file is executed and then you will prompted to allow/deny, etc. No time frame involved.

Nick

 

That would be "once" period. You'll will always get a PG Pop up asking you to "Allow" every time you run this entry.

You can set it to always "Allow" by either right clicking that entry in the security tab and changing/setting it to always "allow". -or- click the always "allow" option box on the pop up the next time you run that program.

It's fine to leave it at "once" and is recommend in some cases.

Steve

 

Check your logs ... to see what apps, are requesting this ... if the app is "Trusted" allow it for that app. Or ask away here.

IE. Sysinternals "Process Explorer" - procexp.exe = will try and install a driver, it needs this driver to retrieve various OS information .etc, and needs to be allowed for Process Explorer to run correctly.

Steve

 

iiiiiiiiiiiiiiiii see. thank you both.

 

After leaving Learning Mode, you will be prompted when an executable attempts to install drivers/services (if you have that protection enabled). If you trust the executable, you can add it to the Protection list with a permission to install drivers/services. If you don't trust the executable, then you need to do some research. As the ProcessGuard Application Database grows, it will become easier to identify trusted processes/executables that require permission to install drivers/services.

Nick

 

There is one caveat to the advice given so far, and that is if the program is executed during startup prior to when the ProcessGuard GUI has started it can be executed without asking

In that case it is allowed to execute on the basis that it cannot interact with you to ask you the yes/no question so it just allows the program to run

This won't happen initially because learning mode will cover all the programs you are using when you set up PG

You will see entries like this in the Security tab with a Last Action of "Permit Once (Unable to ask user)"
The "unable to ask" information isn't recorded in the logfile so you have to look at the GUI to see it

NB: Yes I do think its a flaw that could be used by a very specific trojan that wanted to target PG, but as many ppl will point out you need to execute a program before startup registry entries could be changed and then a swift reboot performed to run another unauthorised executable that could race and try to take PG out of the registry before it starts up...

 

i see what ur saying, so processguard would be better if it was able to freeze all traffic until it has started? or else something could slip by during boot-up.

 

Gottadoit is correct that if you did allow such a .exe to run then it may be possible to get malware to stop PG but there is more to it than that. When windows boots there is a sort of race for drivers and services to install so any such malware still might not function if PG loaded before it. I do not know what the probabilities are and I imagine it would be hard to test. This would cause a real headache for the malware writer and as PG is such a small target then I doubt it would be worthwhile except as a proof of concept.

Pilli

 

Maybe silly followup Q: but isn't there some way to control the ORDER in which things startup, at least to some extent?

Or even if one was doing a fresh install of the OS (mine is Win2K), maybe would there be an order of installing things that might be more beneficial?

That would be great info to have, if any of the great forum community here has an of the skinny on it. With ZoneAlarm, AdAware, PG, TDS, and PortExplore, maybe there would be a "best" way to do it all?

 

Thanks for bringing this up. As an users, I feel not liking to have exe one(s) run once (& not be able to ask) implemented in the current PG3x releases. Yet DCS concerns for some situation (new installation, updating os,..) might be problem if not letting that happen once since PG-Users forget to update new/modified exe md5 signatures to PG's MD5 protection list.
Wow! how about to be better than ever?

 

I am not a coder so Jason will have to answer this properly but I do know that XP's startup is dynamic i.e. self adjusting at a very low level so creating a solution to set the start up might be a very hard nut to crack which may cause instabilities in other areas.

Pilli

 

Thanks Pilli! I don't know if that's even possible, but I just always wondered if it was possible that by proper order of things while building/installing a system that one could maybe have things be more optimal!

 

Pilli,
It seems that there is malware that makes use of the race condition... so as expected its not just as easy as brushing off the attack vector as "a proof of concept" exploit

Take a look at https://www.wilderssecurity.com/showthread.php?p=368727#post368463
lynchknot experienced a java exploit that disabled ProcessGuard on reboot

 

Hi gottadoit, Interesting post by lynchknot:

It would be interesting to know what version of ProcessGuard, his settings and the same would apply to his other security software. However, browser exploits are dangerous and not what ProcessGuard's protection is for.
There certainly is no easy answer that's for sure.

Cheers. Pilli

 

Here's the thread: https://www.wilderssecurity.com/showthread.php?t=58274&highlight=virus firefox

Yep, i'm infected I think. So far:

C:\WINDOWS\system32\APIHookDll.dll - PWS:Win32/Hooker.P -> Infected

All security apps failed. I should have been using "Winrollback" I would not be having trouble right now this is a true "drive by" infection that Firefox has no protection from - other than turning off Java.

Most all my startups are missing. Does anyone know what I should do?
http://img9.exs.cx/img9/8352/startups9lo.jpg[/QUOTE]

 

Hi Lynchnot, You can use DelLater from here: http://www.diamondcs.com.au/index.php?page=products This will work providing that you know the filen name.
ProcessGuard full would stop .dll injection unless you gave firefox or another app to enable modification, it will also stop the installation of services and drivers, an executable would have had to run before reboot for it to be able to do as you have described.

HTH Pilli

 

Pilli,
By your response I don't suppose you read the thread that lynchknot posted or looked at the dates of the posts, before offering to help him solve a problem that is long gone.... ;-)

However lynchknot still didn't say which version of processguard he was using and whether it was the free version or the full version, that would be good to know

 

I have an app called GiPo@MoveOnBoot that, I think, does the same thing. However, I did not realize I was infected until I performed a reboot.

**edit - i'm not sure which version of PG I was using either. If PG1.0 was available at that date then I was using the full version.**edit - In fact, I'm pretty sure I was using the full version of PG.

All this virus(?) did was shut down/delete all my startups (but one)

 

I did read it hence my question about the version of PG in use and what was allowed
It is sometimes very difficult to analyse such a problem after the fact, especially for a non techie like me.

Cheers. Pilli

 

Around dec must have been version 1.0. I just use PG as it comes as I have not learned how to program it.I usually set everything but "block new and changed"

I suppose I should study this as I have no idea whether or not these settings are corrrect:

http://img210.exs.cx/img210/9825/correct2od.jpg

 

Ok,
Given that lynchknot was most probably running the full version, then it seems likely that the exploit was written in Java and hence didn't require another executable to be run (other than java which would already have been allowed)

I've read about the fact that some java vulnerabilities existed by I updated when secunia reported it and haven't looked at the details (if anybody else has feel free to correct me) but it sounds like bytecode was allowed to run outside of the java sandbox and have access to any system resources (ie: mess with the registry and filesystem)

Given that this probably isn't the last java vulnerability we will see I wonder if the time has come to put the java executable onto permit once and do a few experiments to see what happens after it has already been loaded (for a legitimate site)

Some days...

NB: Offtopic, but have a look at the IDN vulnerability reported on by the Reg (and probably elsewhere as well)

 

You do know that I was using the beta version of Java 5.0, correct? This may have been fixed. At any rate, what I was hit with seems very rare. I now disable Java in Firefox.

 

A little OT for a sec. would this be something to allow?

http://img183.exs.cx/img183/254/hook3wb.png