ProcessGuard v3.xxx Suggestions / Wishlist

Discussion in 'ProcessGuard' started by Jason_DiamondCS, Nov 3, 2004.

  1. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Because this method was requested by users, your firewall & AV almost certainly do it the same way. It is added security unless you specifically want to close the GUI - This occurs quite often in service type programs.
    KAV, NOD32, Tiny, Kerio, SpyWareGuard, Giant(MS) to name a few :D
     
  2. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    I'm not suggesting they change what happens when the X is clicked (ie. it should still minimize to tray icon), just that they should also save the window size and position when the X is clicked. Surely there is no security risk in doing this ?!
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Jason explained this somewhere else, it is the way that windows works and cannot be easily accomplished. It is either or so to speak :)
     
  4. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Maybe it's just me, but ....

    • a window resize is an event that is handled by the application
    • waiting for the program to exit (or the x to be clicked) before saving this particular bit of state information seems somewhat of a sub-optimal way to do it given that the program cannot trap all exit points
    Just another one of those situations where the problem is hard to solve unless you have a clear problem definition, which in turn generally leads to changing the way the solution is considered.
    In this case you don't even need to know anything about Windows programming to reason out the solution...
     
    Last edited: Feb 5, 2005
  5. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    It certainly is possible. As gottadoit states, a window resize is simply an event sent to the application. The same is also true when the X is clicked.

    I would not save the window state on a window resize because that would mean the state was saved too often and become inefficient.

    However, saving the state when the X is clicked would be easy to achieve and still be efficient. All they have to do is add the required code (which they have already coded) to save the window state when this event/message is received.

    It would be a 5 minute job to do.
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    In that case I stand corrected and we shall have to await Jason's response :D
     
  7. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Might be a long wait, statistics aren't on your side here looking at the number of responses from Jason in this thread so far

    NB: I'm sure he reads the thread... ;-)
     
  8. war59312

    war59312 Registered Member

    Joined:
    Nov 30, 2002
    Posts:
    72
    Location:
    U.S.A
    oh ok...

    still think it should be added ;)
     
  9. Wijly

    Wijly Guest

    ATTENTION EXTREMELY IMPORTANT:

    Please can you implement the following idea(s) into Process Guard ASAP...

    1. The ability to see in real time what is global hooking and give option to stop (even if on a reboot to complete)

    2. Protection for the registry / service information of Process Guard itself and optionally maybe other services from being altered, e.g. a program changes the registry in system and currentcontrolset and services and changes the file name of important files / drivers / exe's for itself (process guard)

    Please email me at as_crucker8 at yahoo dot com with your thoughts / plans

    Wijly

    ~email address modified....Bubba~
     
    Last edited by a moderator: Feb 11, 2005
  10. PG#1

    PG#1 Guest

    It seems that dcsmutex.exe is pretty changed/updated after TDS3 updating db; under PG protection, blocking new/changed exe enabled, tds startup scan shows mutex found in memory for the changed dcsmutex.exe is blocked from running. Is it safe to implement another option "frequently change" into PG?
    thx.
     
  11. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Re: ATTENTION EXTREMELY IMPORTANT:

    Already both the files and registry entries of Process Guard have very strong protections against alterations. But I agree that it would be an interesting new feature to extend this protection to registry entries and files of your other protected applications. Especially knowing that the engine is already there in Process Guard.

    -hojtsy-
     
  12. Yo . . .

    Yo . . . Guest

    Actually I test software, and get my friend to buy software for me to test ;) (nice to have rich friends!) and I wrote a small site with instructions for the most complete security I can find at this time. The link is http://www.chums-of-kandi.netfirms.com/security But I must stress that in order to actually "do it" you will have to either try it with any demo releases or buy the software. ALSO I did this for some friends for info. In Process Guard I PERSONALLY tick all the advanced options (memory, root kit etc). Please check the pages out and let me know what you think about it. I provide this info for INFORMATION SAKE and if you decide to actually implement it I take no responsibility for any damage. It's JUST INFO on what I found and how I did it.

    Please email me at computersoftitian@yahoo.co.uk with your thoughts.
     
  13. Khaine

    Khaine Registered Member

    Joined:
    Oct 2, 2002
    Posts:
    127
    With SHA-1 being broken, can we see Process Guard migrate to another hashing function, maybe Whirlpool? or SHA-256/512 (may have similar flaws as SHA-1)
     
  14. war59312

    war59312 Registered Member

    Joined:
    Nov 30, 2002
    Posts:
    72
    Location:
    U.S.A
    How about a button to get rid of old applications that are still listed in both the Protection and Security lists that have since been deleted.

    Or even better make it automatically. Of course an option to disable and enable. ;)

    Thanks,
    Will
     
  15. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    ProcessGuard uses MD5 and is still fine for doing executables as far as I am aware. :)
     
  16. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    I replied in another thread about this, but seeing as a fair chunk of the post was something that could be done with PG, I thought I'd put the request in here as well

    How about PG protecting against potential hash collision threats by adding a twist (or two), it doesn't sound very complicated but may add some value ....

    #1: When computing the hash for an executable add the license key to the start of the data stream
    • this would effectively randomise the first block of data making precomputed checksums non-generic
    • it would also need some extra code to manage the transition between the existing licensed PG and free PG (which wouldn't have this) and the newer licensed PG which would generate different checksums. So ideally this would be optionally switched on and at the point of enabling the feature all the binaries could be re-checked and a new checksum computed (if they were still the same)

    #2: Compute more than one hash value for a file
    • If the hash computation is done for the full file and also against different chunks of a file then precomputing things becomes much harder
    • If the size of each chunk is varied in some way between different installations, then it would be more computationally expensive to attack PG by precomputing a hash (seeing as it would need to be done at least twice)
    • Once again by different installations using varying sized "chunks", the malware needs to somehow make sure it fits inside the first "chunk" in order to avoid detection and seeing as the chunk size is hard to determine it makes the attack harder
    • If the license key is used to vary the chunksize then the hash computations will still be the same for a home user with a right to use license for all their home PC's and presumably for a business user that is purchasing multiple user licenses
    • In terms of cost of computation of this suggestion it could all be done in one pass of the file

    By varying the chunksize by installation and adding a non-generic element at the start of the stream, it stops a generic precomputed hash being generated, users would have to be targeted individually

    Seeing as it's a potential threat atm, doing this would be more of a future-proofing and peace of mind enhancement so that next time a security researcher finds a way to bypass a hashing algorithm, there won't be a generic zero day exploit for PG
     
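    An added illustration of gottadoit's two proposals (#1 license key prefixed to the hashed stream, #2 per-chunk digests with an installation-specific chunk size) and of Paranoid2000's point that the resulting signatures become licence-specific. This is example code, not DiamondCS's implementation; the chunk-size derivation, the 4096-byte base, the sample file bytes and the license keys are constructed assumptions, and MD5 is the default only because Pilli states that is what PG uses.

    ```python
    import hashlib
    import itertools

    # Constructed sample "executable" (10240 bytes) and two hypothetical license keys.
    SAMPLE = bytes(range(256)) * 40
    KEY_A = b"PG-LICENSE-AAAA-1111"
    KEY_B = b"PG-LICENSE-BBBB-2222"


    def derive_chunk_size(license_key: bytes, base: int = 4096, spread: int = 16) -> int:
        """Installation-specific chunk size: base plus a key-chosen multiple of 256 bytes.
        Assumption for the example; an attacker who does not know the key cannot tell
        where the chunk boundaries fall."""
        n = int.from_bytes(hashlib.sha256(b"chunk:" + license_key).digest()[:2], "big")
        return base + 256 * (n % spread)


    def sign_image(data: bytes, license_key: bytes, algo: str = "md5") -> dict:
        """One pass over the file: a full-file digest seeded with the license key,
        plus one keyed digest per chunk (gottadoit's #1 and #2 together)."""
        chunk_size = derive_chunk_size(license_key)
        full = hashlib.new(algo)
        full.update(license_key)  # non-generic prefix: a precomputed bare-MD5 collision no longer applies
        chunk_hashes = []
        for off in range(0, len(data), chunk_size):
            part = data[off:off + chunk_size]
            full.update(part)
            chunk_hashes.append(hashlib.new(algo, license_key + part).hexdigest())
        return {"algo": algo, "chunk_size": chunk_size,
                "full": full.hexdigest(), "chunks": chunk_hashes}


    def verify_image(data: bytes, license_key: bytes, record: dict) -> bool:
        """Recompute and compare the whole record (production code would use
        hmac.compare_digest on the digests rather than plain ==)."""
        return sign_image(data, license_key, record["algo"]) == record


    def changed_chunks(data: bytes, license_key: bytes, record: dict) -> list:
        """Indices of chunks whose digest differs from the stored record: a modified
        region must sit entirely inside one chunk to disturb only one digest."""
        fresh = sign_image(data, license_key, record["algo"])
        pairs = itertools.zip_longest(fresh["chunks"], record["chunks"])
        return [i for i, (a, b) in enumerate(pairs) if a != b]


    if __name__ == "__main__":
        rec_a, rec_b = sign_image(SAMPLE, KEY_A), sign_image(SAMPLE, KEY_B)
        print("same file, two licences, different full digests:", rec_a["full"] != rec_b["full"])
        tampered = bytearray(SAMPLE)
        tampered[5000] ^= 0xFF
        print("tampered file verifies:", verify_image(bytes(tampered), KEY_A, rec_a))
        print("chunks that changed:", changed_chunks(bytes(tampered), KEY_A, rec_a))
    ```

    The caveat Paranoid2000 raises holds: a record signed under KEY_A cannot be verified under KEY_B, so a shared "standard" configuration or a licence upgrade would need the signatures regenerated, and the scheme adds nothing against someone who already knows the licence key.
    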
  17. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    This would make the pguard.dat and pghash.dat files user/licence-specific which could be a problem for companies trying to distribute a "standard" Process Guard configuration and would also prevent using these files for a licence upgrade (from single to unlimited use for example). Given these possible downsides, this addition should be made optional.
    This could be worthwhile if different algorithms were used but would impose a performance penalty - for this reason I would suggest making this optional also.
    The weaknesses uncovered in SHA and MD5 do not provide for any zero-day exploits as such. What they do mean is that an attacker who knows your existing signatures may (with a great deal of effort) be able to craft a file that matches one of them.

    For this to be a realistic exploit on PG-users, attackers would have to select a file known to be used by a large number of people (e.g. a Windows system file like userinit) but since different versions exist (due to the version of Windows installed and patches subsequently applied), at best only a small section of the PG-using community could be affected by a single signature collision. However "individualising" signatures by including the licence could tighten things up further and could be a useful option for the full version of PG (since the free one would have no licence).

    So while this is a potential issue, the work involved and the limited scope does suggest that this is never going to be a universal compromise and other means of attack are far more likely to be used (e.g. an attacker integrating a trojan with a legitimate software install which you then choose to allow with PG).
     
  18. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    I did suggest that it would need to be optional for those very reasons

    I don't agree with you on the limited scope aspect of your argument, mainly because a decent segment of the population will be able to be targeted using either a totally unpatched version of the O/S or one on the latest patchset
    There are a lot of ppl in between but Microsoft will get the message out sooner or later that people need to patch and those that don't understand have probably never patched

    To be fair the actual work involved in having an extra few variables to run several hash computations at once is not particularly mind blowing, there would be a bit of messing around in the GUI and a bit of documentation, but hardly an earth shattering effort
     
  19. Yleas

    Yleas Guest

    I would like to see Process Guards execution protection monitor what programs try to individually run since this is the only reason I also use System Safety Monitor at the moment.

    For example, if my email program (Outlook Express) decides to execute or spawn Internet Explorer or cmd.exe, I have System Safety monitor set to alert me allowing me to permit or deny.

    Sometimes I don't want programs, for example Yahoo Messenger to be able to run anything else but I want to allow other programs to execute something. For example I would like to see Process Guard's execution protection allow me to prevent Yahoo Messenger from spawning Internet Explorer individually while still permitting me to run it directly.

    Securitywise it would be good because you could prevent programs from executing cmd.exe or automatically spawning Internet Explorer to do a malicious act etc etc.
     
  20. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I agree with Ylease. It would be nice as long as it was an optional feature that could be turned on/off, because it would overlap features a lot of firewalls have (even if the firewalls only triggered the GUI to ask user to allow/disallow network access).
     
  21. I just bought process guard and am really enjoying using it ...

    But i was wondering, since processes can consist of quite a few components or modules - wouldn't it be a more accurate program if it was a component guard versus a process guard?

    Or is Process Guard indeed checking individual Processes components?


    thanks as usual.
     
  22. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Just a reminder to remove the erroneous warnings of: "pgaccount.exe is not running...". It occurs whenever I log into a restricted account in every version of PG from v3.0 to v3.150. Not only does it misinform new users, but experienced users have grown accustomed to clicking "OK", "CANCEL", "CANCEL" and assuming it's the same old false alarm they get every day. If it really does fail to start, I probably won't notice.

    It would also be nice to add a section to the help file for users who want access to PG's GUI from a restricted account. I have seen that question answered as, "You don't need the GUI to be protected." That's good to know, but it's not the point. When I need to change a setting in PG, I don't want to close ten programs and log on as Admin to change the setting, then log back in as User (re-enter my Admin password 2 times for "runas" ) and, finally, try to get back to where I started from. I think DCS will benefit from showing their users that it needn't be difficult to practice safe computing and use ProcessGuard. :)

    EDIT: Yes, Jimmytop, I think you have the "real" version of the problem. The GUI issue has a much better fix that's been described by several people, but it is still undocumented. See this post
     
    Last edited: Mar 7, 2005
  23. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    I'm getting this error message AND the pgaccount.exe is NOT running. In other words, the error is true for me. I open the gui and it also notes in status that the pgaccount.exe is running. This happens when I switch from a limited user account to an admin account, even if I log out of the limited account. I posted it here and also emailed support. I'll let you know what I hear. But in my case, this does not appear to be a false warning.

    Use "Fast User Switching" (if you're running XP). You don't have to shut anything down in the limited account to switch to the admin account.

    EDIT: fixed the quoting that I messed up originally :rolleyes:
     
    Last edited: Mar 8, 2005
  24. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I'd second this - I actually had a real problem due to installing an upgrade to a differently named folder (resulting in PG not running properly) but discounted this warning message initially since it was such an everyday event.
    I would strongly agree with having the option to run the GUI from a limited account. While using "Run As" to give it Admin access does work (with the spurious error message), it also leaves your system open to an escalation of privilege attack (any malware you mistakenly allow to run can use the PG UI to gain Admin access) though this could likely be addressed separately by having ProcGuard call the help file viewer externally as detailed in Bugtraq: HTML Help API - Privilege Escalation.

    Also the GUI is not really optional - you do not receive popup alerts without it so have no other way of being alerted when activity is blocked.
    This still leaves the escalation of privilege vulnerability, plus the requirement of having to switch back to the admin account periodically to see any alerts.
     
  25. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    I'm not sure I really understand this account privilege problem.
    It's not a PG weakness but a question of "hardening Windows".

    There are other ways than DropMyRights or RunAs to limit privileges and rights on Windows (tools, policy configuration, registry...).

    Here's one of them: RunAsAdmin (shell explorer, integrated in the systray as a key icon):

    https://sourceforge.net/docman/display_doc.php?docid=26314&group_id=127612

    Regards
     