DiamondCS - Has PG's Protection been Compromised?

Discussion in 'ProcessGuard' started by Taz, Mar 28, 2005.

Thread Status:
Not open for further replies.
  1. Taz

    Taz Registered Member

    Joined:
    Feb 11, 2005
    Posts:
    16
    No...not at least as reported. And that is what the fuss is about.

    Quoting from the original message: "adaware is authorized to read and modify. spybot is protected from termination and modification (except from this killer version of adaware)."

    Granted, as a prospective user I don't know PG as others do, but I took the above statement to mean that termination authorization had NOT been given to Adaware...only read and modification rights. I think this was the same configuration the second person in that thread reported also.

    IF (and that's a big IF) the configuration was indeed set this way, then the original question remains...how did the termination happen?
     
  2. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Don't know, and it would indeed be another thing to discuss...I think I understand the whole issue now :)

    Anyway, reproducing this "possible error/bug/situation" is indeed harder than it looks in this case, and I will follow this thread very closely because I would like to know the outcome :) no matter what the cause will be.

    Will it therefore be exploited? Possibly :)
    Will DCS release a fix if needed? Probably fast enough, they've always done so in the past too :cool:

    cheers
     
  3. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    There is also evidence in Pilli's log posting indicating that AdAware did attempt to "terminate" Spybot on his system (but was not successful). Pilli did not report having to Cancel at an SMH/HID prompt, and Rodehard did enable SMH but didn't see it triggered, so "use SMH" does not sound like the whole story either.

    I, too, would like to encourage anyone who is still set up to test this.
     
  4. Rodehard

    Rodehard Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    91
    Let me set my half of this to rest. I cannot honestly say that adaware did not have termination rights the first time it shut down SB S&D. For reasons mentioned by several posters it would have been my habit to give it that right, but I had been trimming the list of apps with termination rights just prior to that (for the same reasons mentioned by several posters) and it's possible adaware made the list. So, I give you that point. However, after the first instance (and finishing my cup of coffee) I very deliberately confirmed that adaware had no mod or term rights and that SB S&D was protected from termination. SB S&D was still terminated by adaware the two or three times I tested. After that I updated adaware and the problem was resolved.

    I have been around computers for too long (first MCSE cert in 95) to panic over this, and experience has taught me that most problems are caused by the loose nut behind the settings panel. I still would not trade PG for a free licensed copy of the protection suite of your choice. Faith only slightly shaken, I still highly recommend Process Guard along with RegDefender as must-have first line of defense protection.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Rodehard

    A double amen about PG. I wouldn't give up PG for anything.

    Pete
     
  6. Taz

    Taz Registered Member

    Joined:
    Feb 11, 2005
    Posts:
    16
    It would seem, then, that unless and until DiamondCS can give a direct explanation as to why this happened and/or offers a patch, one can only conclude that the program will not keep a protected application from terminating in all cases.

    I for one do not think this is necessarily a black mark on an otherwise excellent piece of software. However as history has taught us, a black mark (in the eyes of the customer, that is) could result if DCS mishandles this issue. By mishandling I mean by refusing to directly address it, or by refusing to address it honestly.

    If they don't already know what caused it, I am quite certain they could obtain the Adaware definition file from someone in their user base and attempt to replicate the problem. Doing so and then honestly reporting their findings would help retain the value in their product that they have worked so hard to build. If it turns out there is a security hole, then admitting it and plugging it will only result in increased value.

    But saying a vulnerability doesn't exist because no malware to date has done what Adaware did is circular logic at its best and an attempt at burying one's head in the sand at worst. I think DiamondCS' customers deserve better than this.
     
    Last edited: Apr 1, 2005
  7. Rodehard

    Rodehard Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    91
    My thoughts exactly. Even if only to say they simply cannot reproduce the results. Considering the apparent rarity of my experience I'm willing to believe it was a simple fluke. :cool:
     
  8. Taz

    Taz Registered Member

    Joined:
    Feb 11, 2005
    Posts:
    16
    I think reasonable people would agree that no matter how well written or designed, an occasional program anomaly can occur. However, your repeated tests plus the report of another independent user experiencing the same behavior doesn’t quite fit the common definition of a “fluke”. Barring some as yet forthcoming explanation from DCS, it would seem to point instead to a vulnerability within the program.
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    When I tested at the time I could not reproduce the termination , a few things come to mind.

    Sometimes changing the termination settings or any other settings on a service or driver requires a reboot to initiate the change correctly and/or a restart of the protected process.
    Giving termination abilities to a protected program will allow it to terminate any other program on the protected list. This should not normally be necessary, as protected programs are trusted and verified at each start-up by their checksums; your security applications can still terminate malware, i.e. anything that is not on the protected list.

    Changing an application's protection criteria may have deleterious effects which can be instantly noticeable or only become obvious over a period of time, dependent upon interactions with other programs or system operations, global hooks being a contender here.

    In addition, SMH needs to inject procguard.dll into the process; this will not usually occur until the process is restarted. Using a utility like Process Explorer or Faber Tools will show that injection has occurred correctly.

    As said earlier, this condition has not been verified as a vulnerability by any expert source, and believe me there are many experts trying to find bugs in programs such as PG. These experts are not all hackers or crackers, and so far there are no reports of vulnerabilities in this build. Having said that, it will only be a matter of time before something is found, as with any other software.

    Just my view :) ProcessGuard is a very powerful tool and has almost infinite possibilities. It is not perfect, and nor is ANY other program.

    Pilli
     
  10. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Pilli, your experiences throw some more light on what could've happened in testing EndItAll. Thanks for the input (but all those reboots sound daunting). :)

    Taz, the more time you spend here, the more you'll likely find an increasing sense of complexity around the question of "what really happens". I'm sure DCS has been asked to slay many dragons that didn't really exist, but it's no easier for them to prove that the dragon doesn't exist than it is for us to prove it does. I think the burden of proof has to lie with us, but sometimes I do wish there was a bit more "process". :rolleyes:

    You've already managed to focus an unusual amount of attention on this issue, so I hope it's possible for you to continue pursuing these questions. I think you've seen a pretty good demonstration that, while opinions vary, most folks here do openly encourage discovery, wherever it leads. Before investing the effort, though, be aware that it may produce frustration on all sides. I think that's why Microsoft and Symantec won't even acknowledge our existence, much less our problems. Remember too, DCS has immensely fewer resources to divert than what the big boys have.

    Best regards.
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    This is, of course, related to the hardening process, which does require operations at the lowest system level. As you say, the "discovery" approach can mean a considerable amount of work by the user, especially if one takes into consideration that every user's machine has a different configuration.

    Regarding DCS testing such unknown entities, I would rather they used their limited resources to complete TDS4 at the moment.

    Fortunately we can learn from each other's experience which, IMHO, is one of the great benefits of discussions such as this in these forums. :D

    Cheers. Pilli
     
  12. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Pilli, I agree with both your observations and your priorities. Thanks for "being on the job" ... and belated congratulations, Mr. Global Moderator. :)
     
  13. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    We could always just ask Corrine how AdAware attempts to terminate applications, you never know she might just answer and that would be the end of it....

    Otherwise, I have PM'ed VAM and asked him for the definitions file (or if anyone else fronts up with it); then I can do a test and make the file available to DCS and anyone else from Wilders either known to me (or with decent creds based on what they post).

    Speculation isn't going to solve the argument one way or the other.
    I think that Gavin's response was indicative of frustration as much as anything else; valid criticisms have been raised about SMH, but TDS4 obviously needs to come first....
     
  14. Taz

    Taz Registered Member

    Joined:
    Feb 11, 2005
    Posts:
    16
    Thanks, Earth1. I have indeed noticed that folks around here openly encourage discovery. It is both refreshing and encouraging seeing such an atmosphere instead of one in which discussions deteriorate into ego defenses and whatnot.

    And...I do have great empathy for small businesses that face the tough decisions on the best way to allocate scarce resources. If they go tilting at windmills there's the danger of losing their core focus. I would also give the point that it's entirely possible that all this is much ado about nothing.

    However, please consider the other side of the coin...that of the consumer in trying to make a purchase decision. In evaluating whether something “works” as advertised or not, the consumer most often does not have perfect knowledge. The consumer often has to rely on anecdotal evidence (e.g., word of mouth). Such is the case here.

    While reliance on such reports is not ideal, in this case it’s all this consumer has to go on. As questions to the vendor on their own support forum have largely gone unanswered, there is no other explanation to hang my hat on. I had hoped to hear that the program was not configured correctly. While that indeed may very well be the case, we apparently will never know.

    That said, I would like to put my questions to bed. I’ve invested enough time and energy in my purchase decision. While I think for the most part that IF there is a vulnerability, it would take awhile for most malware writers to target, or even discover it. However, for myself and for the installations I have budget authority over, barring some new information I simply would prefer not to take that chance.

    My thanks to all that participated in this thread.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Taz

    Just a quick comment. Everyone has to base their own decisions, on what is best for them, but just for a moment consider the protection that Process Guard has proven to provide, and weigh that against the small possibility, that there may be a flaw. Also consider other solutions to provide the same protection, and how do you ensure that there isn't some flaw there.

    Pete
     
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Just a quick word that close messages are suspected, and that this protection method has many quirks. We _may_ look at this again, but the key to close messages is that they ONLY work on a window. Any really REALLY critical program such as an antivirus scanner can never be vulnerable - it is implemented as a driver and service, both of which have NO window at all.

    For this reason, the "attack" has always been low risk, no matter what might APPEAR on the surface to be dangerous in some way. All we ask is that the users have faith that we know what we are doing. You are not going to have your AV shut down like this, and malware writers know better than to waste their time closing GUIs. They prefer to develop stealth trojans, more advanced firewall bypass, work on social engineering techniques, new packers with anti-emulation, complex kits with legit tools that AVs don't detect, and practice their trojan hex editing.

    If you use Close message handling, something to be aware of is that messages are held in limbo when you see the message box. In the case of this situation, they can be prevented by NOT pressing either OK or cancel until the attacker (AdAware in this case) has given up. Then the termination does not succeed. There is hope if we further develop this protection, but for the reasons above it's very doubtful we will ever need or want to.

    Hope that helps :)
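    An added audit script (not from this thread or from DiamondCS) that turns the distinction above into a check a user can run: for each process name on a watch list it reports whether the process exposes a main window, the only thing a close message can target, or instead hosts a Windows service, which has no window. It assumes Windows PowerShell 5.1 or later on Windows, and the process names in $watchList are constructed examples.

```powershell
# Added audit, not code from the thread or from DiamondCS.
# Reports, per watched process, whether it has a main window (reachable by
# WM_CLOSE-style shutdowns) or is a service host (no window at all).
# Caveat: MainWindowHandle only reflects a visible top-level window; a process
# that owns only hidden windows is reported as having no main window.

$watchList = @('SpybotSD', 'notepad', 'svchost')   # constructed; put your protected apps here

# Map PID -> service names so service hosts can be told apart from GUI apps.
$servicePids = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
    if (-not $servicePids.ContainsKey($_.ProcessId)) { $servicePids[$_.ProcessId] = @() }
    $servicePids[$_.ProcessId] += $_.Name
}

function Get-CloseMessageExposure {
    param([string[]]$Names, [hashtable]$ServiceMap)
    foreach ($name in $Names) {
        $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
        if (-not $procs) {
            [pscustomobject]@{ Name = $name; PID = $null; HasWindow = $null; Services = $null; Exposure = 'not running' }
            continue
        }
        foreach ($p in $procs) {
            $hasWindow = $p.MainWindowHandle -ne [IntPtr]::Zero
            $svc = $ServiceMap[[uint32]$p.Id]
            $exposure = if ($hasWindow) { 'GUI: reachable by close messages; protect with SMH/CMH' }
                        elseif ($svc)   { 'service host: no window to close' }
                        else            { 'no main window: close messages have nothing to target' }
            [pscustomobject]@{
                Name      = $p.ProcessName
                PID       = $p.Id
                HasWindow = $hasWindow
                Services  = ($svc -join ',')
                Exposure  = $exposure
            }
        }
    }
}

Get-CloseMessageExposure -Names $watchList -ServiceMap $servicePids | Format-Table -AutoSize
```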
     
  17. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    For those users who do not have access to the dated AdAware definitions file to specifically test this situation (I do), just a short comment to confirm that the problem develops and is resolved precisely as Gavin describes. Personally, I do not view this as a serious issue.

    Blue
     
  18. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Special thanks to Blue for going to the trouble over the last few days, and then letting me know about this. Thanks !
     
  19. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Blue,
    Thanks for doing it seeing as you had the file, now in the spirit of learning I've got to ask how did you check to see what was going on ?
     
  20. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I performed challenge/response testing. I first had to secure an old copy of the definitions file - it seems as though a number of Asian servers store copies rather than links; a Google search and 15 minutes of time and I had the appropriate file. I first tried to replicate the observations originally noted by vam. I could replicate everything noted there: the message that PG had blocked termination, and then the subsequent termination of Spybot.

    Focusing on SMH was simply a consequence of walking through the possible scope of items where control and blocking could be achieved. When I did this I noticed that if you let the Windows message queue sit, and wait for AdAware to finish (but keep the AdAware application active), Spybot S&D is fine. If you then start to clear out the Windows message queue by cancelling out the successive human verification windows which appear, you can see where the termination occurs. If you do this slowly, you will find:
    • WM_CLOSE appears, S&D is fine, cancel and
    • WM_DESTROY appears, S&D is fine, cancel and
    • WM_NCDESTROY appears, S&D is fine, cancel and Spybot is killed and
    • WM_DESTROY appears again, cancel
    • WM_NCDESTROY appears again, cancel
    OK, Spybot is terminated, but it is clearly tied to termination messages at the windows level. Rather than keep AdAware active while you go through this successive cancellation of messages, wait for Adaware to finish and then close it out before doing any cancellation of the human verification messages. Only the first message cancellation is needed, there are no human verification follow-ups, and Spybot S&D survives fine. The windows message queue is cleared by the termination of AdAware so the offending message never gets processed.

    That's really all I did. I'm not a programmer, so don't ask about a nuanced interpretation because I can't provide it. You can also prevent termination by blocking the ability of applications to read Spybot, but that's a messier solution due to all the messages generated.

    As I noted, I don't view this as a pragmatic operational issue.

    Blue
     
    Last edited: Apr 4, 2005
  21. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Blue,
    Thanks for that, it is what we are all here for after all

    I suspect your post will do a lot more than putting people's minds to rest about this particular issue; it will give people a starting point to learn about what is going on behind the scenes with Windows messages and thereby raise the "bar" on the debate about SMH.

    It is very interesting to know that DCS didn't consider SMH a "core feature" of PG. I'm glad it is present for the obvious reasons of preventing termination of non-core security applications. It would certainly be nice to see this area of PG refined and expanded upon in future versions.

    Out of interest, what tool did you use to observe the Windows messages?
    (I know there are a few out there...)
     
  22. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I used PG itself, via the human confirmation dialog boxes. Just set the secure message handling flag for Spybot.

    Blue
     
  23. Rodehard

    Rodehard Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    91
    Good job, thanks. :-*
     
  24. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Perhaps a different way of handling SMH/CMH could be implemented or considered at some point down the road?

    What if there was another option - No Close Message Handling - where instead of placing close requests on hold and prompting with SMH, they are simply filtered out and denied altogether if this option is enabled for the process. It could be used for security-related GUI windows we don't want to close down.

    Of course how do you close the app if you really need to close it or need to reboot/shutdown? It could be tied to a reboot/shutdown prompt, click no, nothing changes and no reboot/shutdown, click allow and globally "No Close Message Handling" is disabled to allow the machine to reboot or shutdown normally. Optionally you could go in and manually turn off No Close Message Handling in the PG Protection tab settings for the app in question to allow it to close without rebooting.

    It would be a nice solution for always running security applications that have a GUI component you really don't want killed and for those that do not want to bother with SMH prompts, while giving us some reboot/shutdown control as well.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Blue

    Nice piece of detective work. Hopefully it puts some uneasy minds at rest.

    Pete
     