GSS Alpha 1.2 Feedback

Discussion in 'Ghost Security Suite (GSS)' started by Chubb, Jul 25, 2006.

Thread Status:
Not open for further replies.
  1. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Re: GSS Alpha Feedback

    Can you pinpoint from the logs what this blank alert should be? Do you consistently get this alert each time you bootup? If so, if you set the .DEFAULT to LOG ALL for each protection, and then change the rest of your rules to LOG BLOCK ONLY, you should see in the "recent alert" area what this should be.

    One alpha tester mentioned that Winlogon.exe requiring network access was slowing his login; once he allowed that, the slowdowns went away during login.
     
  2. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Hi to Jason and all.
    I currently can't test the alpha, being on vacation.
    However I've read the thread and seen the screenshot ;)


    As a nice addition to that capability of naming what process loaded when, I'd like to have timestamps and maybe a graphical bar / timeline.

    This can be useful to see if a particular process / driver takes too much time to load and see what effect each component has on the boot time.
    I know it's not part of a strict security set, but it's part of nice maintenance / debug capabilities. ;)

    I'd like to have some features of IceSword / DarkSpy incorporated into GSS:
    like a kernel view of the registry to complement RegDefend.

    That would be wonderful.
    Right now the user needs to click two buttons before making a choice.
    This is twice the amount of work needed to do the same work.

    Maybe a double click to say yes and a Ctrl-double-click to say no.

    HIPS already have a bad reputation of being too click intensive, do not double the work of those who already have them ;)


    Another idea to make the alert more productivity-friendly is to make a non-textual (color) distinction

    eg:

    net alerts have a light green tint
    process spawning are more blue
    process modification / send message are more like yellow
    new driver (rootkit) / access to physical memory are more red

    That way the user sort of knows the kind of alert before reading the text.
    I know it simplifies life for those who do not want to read and it's not the most secure behavior, however, productivity-wise you always have to consider humans as lazy. The less they have to work to have the same result, the better they'll feel.


    I think that's a good start and I'll post more when I'm back from vacation and can install it.
     
  3. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Ok nevermind about that blank alert. It was a bug when the "GUI" disconnected from the driver and didn't update the GUI properly. Will be fixed in next alpha.
     
  4. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Yep... actually the timestamps are already stored for process creations (along with thread creations) already, I just need the GUI to display the available information.

    Some good ideas there. I am particularly interested in ways to limit the "impact" GSS/AD/RD has on the user in regards to their time. Ideally the perfect HIPS would not even need to alert once, so minimizing the amount of alerts, and making them easier to read are high on my agenda.

    If anyone else has other ideas on how to make the alerts easier to read/use please give your ideas. Everyone's input on this is valuable.
     
  5. some made up name

    some made up name Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    60
    finding it a little difficult to reproduce the maximize / minimize problem ... maybe because the alert was up so early?

    anyway, here is a screenshot
     


  6. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    That problem "some made up name" looked like Explorer was stuck doing something (in this case a network connect) and hence the thread which updates the desktop was frozen whilst the alert is being displayed.

    That behaviour will always occur because the thread is stopped whilst GSS processes the action.
     
  7. buffet

    buffet Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    53
    Re: GSS Alpha 1.2> plz let ones download as they like

    Hope you put the link so that everyone can download it as they like. thx.
     
  8. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Re: GSS Alpha 1.2> plz let ones download as they like

    There has been a way to sign up to the alpha for almost 7 weeks now. The people who are currently testing the alpha have already been selected. When the beta is released, it will be available for everyone.

    The alpha was released like this to ensure people who are used to AppDefend and can diagnose problems easily participated. There will be some people who see the current alpha now who will fit the criteria I mentioned, however the testing process has already begun and all the positions filled.

    The beta is only a few weeks away so there isn't that much longer to wait, and you get to use something which has had most of the kinks ironed out of it.
     
  9. some made up name

    some made up name Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    60
    Doh ... should've guessed as much (with the minimize / maximize) when I wasn't able to reproduce it properly :shifty:
     
    Last edited: Jul 27, 2006
  10. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    In Windows 2000, occasionally, the Ghost icon in the system tray bar would disappear, but double-clicking the Ghost icon on the desktop would make the Ghost icon in the system tray re-appear. There is no window popping up saying "Already running Ghost Security Suite" in this case.

    The Ghost icon in the system tray will also disappear when I press the "X" in the GSS main menu. Clicking the Ghost icon on the desktop would make the Ghost icon in the system tray appear again, but a window will pop up saying "Already running Ghost Security Suite".
     
  11. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    Re: GSS Alpha Feedback

    Same here. Pressing the "X" button on the main menu to close the GSS main screen, then clicking on the Ghost icon on the desktop again to bring back the GSS main screen, and clicking on AppDefend will have all items in the list back again.
     
  12. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    Re: GSS Alpha Feedback


    The grid lines were there in grey colour in my case, in Windows 2000.
     


  13. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    Re: Ghost Security Suite Alpha 1.200

    Confirmed, and found another bug:

    In AppDefend, in the Maintenance tab, added a new .exe file (for example VCDcut.exe). The Permission tab was brought up immediately and you can see that the file was added in the Permission tab. Then going back to the Maintenance tab, click on the newly added VCDcut.exe and then pressed the Remove button. It didn't remove the item in the Maintenance tab, as Disciple has said. Then going back to the Permission tab, the list in the Permission tab would become empty.

    Randomly adding another VCDcut.exe file in the Maintenance tab will bring the list in the Permission tab back.
     


  14. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    Balloon description of the enlarge button is not correct.
     


  15. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    Does GSS without RegDefend prevent its startup string value in the registry from being deleted? I can delete the "GhostSecuritySuite" string value ("D:\Program Files\GhostSecuritySuite\gss.exe" -minimize) in Run in the registry in Windows 2000. Is it normal?
     
  16. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Jason does not usually implement the security features of the application at this early stage; they are usually added in at the beta stages.

    Pilli
     
  17. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    Re: GSS Alpha Feedback

    OK, Win XP Pro here. I did not state my OS, but will go back and add it. Thanks for the screenshot, that is what I would have thought it would look like.

    Just an observation here, that most of the reports posted are about what I call look & feel items or features that are not functional. There has not been much in the way of "when I do this, this always happens". Rather nice. :D
     
  18. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Yes, the whole GSS GUI thing seems to have undergone a major cosmetic (and implementation) change, which is often accompanied by small GUI errors.
    Good to know that few of the reports actually are bugs.

    Hi Jason, it's good to know that you are worried about such "practical aspects".

    I have a few ideas that I mostly already stated in other threads, but each time we think about it, it leads to something simpler, which is good ;)

    • The first interesting aspect to simplify the user's life is to give more attention to special cases.
    E.g. in RD it may not be a good idea to pop up a confirmation where a poller wouldn't.
    Such cases are:

    Delete a registry key that is non-existent.
    Modify a registry key with before=after
    Add a registry key that is already there.

    I have a few programs that rewrite their settings to the registry each time the program starts.
    If it's set to autorun, it'll add itself.
    If it's not set to autorun, it'll delete the key.
    GSS should not alert me on any occasion where before is the same as after.

    In AD there are also some special cases that need to be considered.

    A program that tries to modify "itself".
    A program that starts itself another time (with the same command line or with a different command line)
    A program that listens or talks to 127.0.0.1

    There was also a "false" global hook alert in the open/save dialog box, which I notified you of before.
    I also believe there were some cases when you need to play a special card with the nvidia driver and/or ActiveX

    • Another nice thing to have would be a flag system.
    Currently, I tend to believe that a global setting is always better than case by case.
    So one can set up one's own settings for different groups like:

    Trusted Antivirus
    Backup program
    Installation
    Unsafe

    Then instead of repeating a pattern of settings for each individual program,
    you can try to put it in a group and that will save a lot of trouble.

    Later you can always adjust special cases.

    Flags will also have a nice informative role, e.g.:
    I know that I classified this program as an antivirus (or unsafe), so I'll act accordingly

    Flags will (optionally) be inherited by child processes, which will save a lot of trouble:
    If you set IE as unsafe, then all spyware launched by IE will be unsafe.
    If you set application X as installation, then all sub-installation processes will be marked as installation.

    Flags will appear in three places:

    1) In the security permissions of an application (AppDefend tab)
    2) On the alert (informative role) + (it might be possible to set the flag directly on the alert)
    3) Special command line utility: GSSlaunch.

    It would be nice to have a command line utility to launch a program with certain security permissions and a configurable GSS flag ;)


    • The last but not least improvement I could see regarding the alert is a *first run wizard*
    The first time you launch an application (or when you launch an app and have F12 pressed)
    then a screen which is a simplified version of the configuration tab appears.

    This way you can set up the permissions in one step, on one screen, without going through a huge set of alerts.
    This would also prevent ppl from launching the configuration GUI each time they use a new application.
    This step can be even more simplified by presenting a list of preset configurations.
    E.g.: default, always ask, unsafe, <custom user flag>
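
The no-change registry cases and the inherited group flags suggested in the post above, put together as an added example that is not part of the thread and is not GSS code. All names (`is_noop`, `effective_flag`, `decide`, the flag tables) are hypothetical, and the registry is modelled as a constructed dictionary:

```python
from dataclasses import dataclass
from typing import Optional

MISSING = object()  # sentinel for "value does not exist"

# Constructed sample policy: flag per image, action per flag, inheritable flags.
FLAGS = {"iexplore.exe": "unsafe", "setup.exe": "installation",
         "av.exe": "trusted antivirus"}
ACTIONS = {"unsafe": "block", "installation": "allow",
           "trusted antivirus": "allow"}
INHERITED = {"unsafe", "installation"}   # the antivirus flag is not passed on

@dataclass
class Proc:
    image: str
    parent: Optional["Proc"] = None

def is_noop(op, key, new_value, registry):
    """True when the registry is identical before and after the operation."""
    current = registry.get(key, MISSING)
    if op == "delete":
        return current is MISSING                  # deleting what is not there
    if op in ("add", "modify"):
        return current is not MISSING and current == new_value  # before == after
    raise ValueError(f"unknown operation: {op}")

def effective_flag(proc):
    """Own flag first, then the nearest ancestor whose flag is inheritable."""
    node = proc
    while node is not None:
        flag = FLAGS.get(node.image.lower())
        if flag and (node is proc or flag in INHERITED):
            return flag
        node = node.parent
    return None

def decide(proc, op, key, new_value, registry):
    """Return 'silent', 'allow', 'block' or 'ask' for one registry operation."""
    if is_noop(op, key, new_value, registry):
        return "silent"                            # nothing changes: no prompt
    return ACTIONS.get(effective_flag(proc), "ask")

# Constructed sample state and process tree.
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
REGISTRY = {RUN + r"\Tool": "tool.exe -minimize"}
IE = Proc("IEXPLORE.EXE")
DROPPED = Proc("dropped.exe", parent=IE)           # child of an "unsafe" parent
AV_CHILD = Proc("helper.exe", parent=Proc("av.exe"))

if __name__ == "__main__":
    tool = Proc("tool.exe")
    print(decide(tool, "add", RUN + r"\Tool", "tool.exe -minimize", REGISTRY))
    print(decide(tool, "modify", RUN + r"\Tool", "other.exe", REGISTRY))
    print(decide(DROPPED, "add", RUN + r"\New", "dropped.exe", REGISTRY))
```

In a real interceptor the before/after comparison has to be made at the point where the write is intercepted, since the value can change between a separate check and the operation itself.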
     
  19. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    Re: Ghost Security Suite Alpha 1.200

    Just wanted to throw my two cents in for future (non-alpha) when you are ready to add a more user friendly learning mode feature. Don't use automated or default rules, etc. Just give us a real learning mode. So we can turn learning mode on and by default from the time we turned it on until the time we turn learning mode off, AD sets everything to Allow Always. And remembers those settings after we turn Learning Mode off.

    It is impressive how early it starts catching starting processes. But the initial setup is way over any everyday user's head with the number of dialogs needing acknowledgement.

    I note two "bugs" using a Win XP SP2 install in a Microsoft Virtual PC 2004 Virtual Machine:
    1) The AD tray icon seems to disappear after clicking it once to full screen, then closing it. Clicking the X should not close the GUI....
    2) Allow this Session doesn't seem to work. I had instances where I kept getting an alert for the exact same thing over and over and pressing Allow this Session did no good - but once I pressed Allow Always the alert immediately stopped coming.

    Good stuff so far!
     
    Last edited: Jul 29, 2006
  20. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    Problem with Fast User Switching in VPC 2004, Win XP SP2. Two accounts on the VM, one admin, one limited. Boot machine, log into limited account, things seem to work ok and GSS icon is in system tray.

    Click log out and choose fast user switching, it does go back to the main login screen and I can select the admin account. So I click to login to the admin account, however at that point it locks at "Loading your personal settings......" and never loads into the admin account.

    So I reset, then try to login to the admin account, and first thing is it's real slow and a blank AppDefend alert comes on that I don't really have time to click on, and finally the admin account loads by itself.

    So now I'm going to try fast user switching to the Limited account. Nope, same story, it locks on "Loading your personal settings......"

    FYI, In the above I clicked on allow always for every prompt. Even managed to click it for the blank one that came up after I rebooted but no difference.
    BTW, some of the alert prompts I received during the Fast User Switching for the first time, said Rootkit. But I'm sure they were legitimate behaviors.
     
    Last edited: Jul 29, 2006
  21. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    Small feature request - It would be nice to be able to filter the application list by Permissions. By Default it should show just as it does, all applications listed and as you click each one the window on the right shows permissions. But maybe I just want to see the Applications that have Network access allowed, I should be able to filter the list to show just those. Or just see which ones have Keylogging allowed.
     
  22. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Now comes the real feedback.
    As all alpha testers said everything went well, I tried to mimic a more average user's behaviour:

    1) Launched the uninstaller
    -> told me I need to exit GSS first.
    -> I backed up the old GSS files, exited and then uninstalled.
    -> It told me to reboot, I ignored the message. I'll have to reboot later, do not want to do it twice.

    2)Launched the installer.
    -> did not complain about anything.

    3)Reboot
    -> GSS GUI complained that it could not load the driver, it was not present etc...
    -> I figured out the new driver was deleted on behalf of the uninstall of the old one.

    4) Relaunch installer
    5) Reboot

    I see tons of alerts like everyone else. ;)
    Slowdown just before I have to enter my password....

    Windows loaded correctly, however the GSS GUI told me that RD is not loaded.
    The error log also shows that gss_rd.rul is missing.

    6) I renamed tony.gsr to gss_rd.rul and put it in system32.
    7) Reboot
    7.1) While Windows was shutting down I missed an alert. It looks like it was closed in the shutdown process... is it on purpose? Should the alert be able to suspend a shutdown attempt?

    8) GSS GUI showed that RD is disabled, however I did not have any error log saying that the gss_rd.rul is not ok.

    9) Relaunched the installer.
    Had a message that gss_au.dll cannot be replaced.
    I ignored it. Reboot.
    Now after the Windows logo, where I'd normally see a white ghost on a black bg, I only have a black bg and a mouse...

    10) Rebooted in safe mode, deleted the driver and gss_<anything> files in system32.


    -------------------------------
    Conclusion:

    1) the installer needs to do more checks to see if the machine is ready to install or not.

    this include:
    • non rebooted machine after gss uninstall.
    • half installed gss

    2) the error log should include verification if the file is corrupt or unreadable

    3) important gss files should be backed up in "program files" directory.
    an option to repair the files if corrupt would be nice.
    it'd be like an autoupdate... instead of the current version only.

    now i'll uninstall the alpha and reinstall on a clean machine...
    further results later...
     
  23. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    ok ... I got it working.

    There are two little observations:
    1) Before I entered a password I saw a blank alert (can't give a screenshot because it's too early). What is even stranger is that the alert had a red RD ghost in it ... even if RD is disabled in the alpha

    2) Under .default you can set logging to "use .default", which makes no sense as it uses itself.



    There's also some feedback concerning the log:

    I'd have wanted to log all prompts I answer + all things automatically blocked.
    I can't do that now. There is no option to distinguish between automatic action and user action.
     
  24. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    Re: GSS Alpha Feedback

    I also got a blank alert for AppDefend today immediately after logging into Windows 2000, just for today. But all my rules are set to the .DEFAULT. Will try to change to Log ALL and Log Block only to see if the blank alert will prompt again.
     
  25. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    I think you will find that it is Winlogon network access. You can test by switching on logging (default set) blocked and allowed then looking in the Info - recent alerts and clicking on each one, you will probably find that one of the winlogon alerts has no information in the Detailed log info.

    Jason is aware of this :)

    Pilli
     