General Query RE: Allowing Global Hooks ET.AL.

This is a general question concerning the best action a user should take to PG notices that global hooks or driver installs have been blocked.

I have preferred not to use the learning setting when installing PG as PG would then allow whatever privilges a particular program stated that it required or (simply -- which is my concern -- wished to have). To maximize the security potential of PG, it seems that the best action to take is to provide a particular program with as few privileges as possible -- only those that are absolutely necessary to the program's function. I am aware that, through perusal of various threads on the issue as to whether to allow the installation of a global hook or driver or access to physical memory, one party, in the PG section of Wilders, recently replied that it would be best to allow the installation of whatever a particular program is attempting to install, assuming of course that the user recognizes the particular program.

Still, certain execution files I have found -- case in point -- outlook.exe, requests installation of a global hook. PG gave me an alert and I blocked the installation and my MS Outlook 2003 does not appear to be suffering from the blocked installation. Moreover, since MS Outlook is often the mechanism through which viruses and other assorted insidious malware is often inserted into an OS, I have inferred that the fewer privileges I give to MS Outlook, the better. Similarly, I use an adblock program called "AdMunch," which, too, has requested installation of a global hook. I have allowed this as AdMunch appears to have a problem operating effectively in the absence of the installation of a global hook.

The question is: does anyone know of the existence of a list of programs with accompanying suggestions as to what privileges need to be, or ought to be, allowed, in order to use PG to good effect and, at once, allow legitimate software programs to operate effectively. If there is no such list, perhaps DiamondCS can create one and publish it on either this Web Site or its own. I realize that there are literally thousands of programs available and, many more new ones are created continuously. The list could, then, be periodically updated.

The advantage of such a list (or directory) would be that users of PG would not have to contact Wilder's Forum constantly to ascertain whether "this or that" program need be or ought to be given the privileges that it seeks and which PG, ever security-minded (as it should be), blocks. Does anyone else out there have an idea or comment concerning this idea? Thank you.

 

There's a link to a PG Database on the ProcessGuard section of DiamondCS' that list a few common Windows and security programs. This has been mentioned in another thread and I agree that, if possible, there should be a larger database of common programs with a list of protections, allowances, and special permissions that they may need. One thing I've noticed in regards to applications is that the Open/Save dialog box often triggers a global hook warning. Blocking it doesn't seem to affect it adversely and it's usually as a result of the autocomplete functionality, IIRC. That's just one of many quirks I've found in regards to Windows. One word of "warning", if you use Internet Explorer to check Windows Updates, expect a lot messages alerting to IE trying to access physical memory. That seems to be the only time I've had the program try to do that, but I don't use IE that much and all zones but the Trusted Zone (set at medium and Windows Update is in this zone) are set to high.

 

Thank you StriderSkorpion. It would indeed be beneficial for the user to have a compendium (database) of all software programs, with suggested PG settings. The list could be periodically added to as new software is developed and made available to the public. I know that this would be an ambitious undertaking, but sophisticated HIPS software such as PG that require much user interaction mandate such a resource.

 

I agree. I'd really like to see a list like this. It would have saved me a lot of head scratching and stumbling about when I first installed VMWare Workstation some time ago. VMWare requires a global mouse hook for the mouse to work properly. I didn't know this and thought there was something wrong with VMWare tools which I had trouble installing. At the time, I could not get registered at VMWare store for an account for their discussion forums so I couldn't ask why the mouse wouldn't work in VMWare forums. I had a terrible time for about two weeks and then I finally figured out that it was PG blocking the global mouse hook. I had not been using the full PG but just for a short while at that time and global hooks were sort of a mystery to me so it just didn't occur to me to think that was the problem. I never saw a popup from PG either because I turn off balloon tips in the XP registry when I get a new computer.

 

I understand what Peter2150 is saying and agree with what he has to say to a point. For, clearly, to my mind at least, there is a downside to using learning mode if one doesn't know what privileges to extend to a particular program. Truly enough, if one agrees with Peter2150's basic assumption that, if one trusts the programs that one is installing (and one should trust those programs or, obviously, should not be installing the programs in the first place), then one would be correct in concluding that learning mode is both the most expeditious as well as safest route to follow. To that general assumption, I have a couple of concerns.

First, the assumption begs the question whether one can or, at least, should rightfully trust all of the programs that one is installing. The ostensibly benign nature of a particular program may not be so obvious to the user or, if it is, perhaps the faith and trust that one places in a particular program is, in fact, albeit, unbeknownst to the user, misplaced. Only the developer of a particular program can truly understand and appreciate the intricacies of his program and only that programmer can best be in a position to assist one in overcoming the problems or anomolies that inevitably turn up, especially given the idiosyncracies of one's own machine and its unique configuration. Consider, for example, the developers of "DefenseWall" and "IceSword." I would like to go to those individuals, first, to assist me with a problem that I am having with the use of the program, than anyone else.

And, if the programmer/designer/developer is not honest and incorporates in his or her program various assorted malware that the user has no reason to suspect and which is otherwise not readily discoverable or discernible, then the program could unleash a world of trouble for the unsuspecting and innocent user, which havoc might have been forestalled by blocking the insertion of drivers and global hooks in the first instance. Consider, for example, the infamous planting of a rootkit by Sony. Only a bright computer technician was able to first detect the exploit. And, more difficult it was to remove it without one and the same time destroying one's OS in the process.

Second, one has little choice over one's selection of the various programs and sub-programs that comprise a typical Microsoft OS, that comes pre-packaged on one's machine. Many of the queries I obtain from PG arise from matters involving MS requests to load drivers or global hooks, as for example and in particular, in reference to the the outlook.exe file that I mentioned in my post this morning that started this particular thread.

In that regard I would like to direct the reader's attention to a very helpful and learned article that I happened upon that pertains to the installation of PG which, indeed, gave me the confidence to install this HIPS program at all. I refer to the article by Andreas, to which the reader of this Website was directed by the Global Moderator Pilli on December 1, 2004. I understand that Andreas is also a contributor to these pages. See, http://www.commontology.de/andreas/win_secure_pg3.html. As Andreas says in pertinent part, in that article: "Or you build your security list another way: Don't use learning mode [emphasis my own], but just use your computer as usual, with all your apps and what you do with them, for a couple of weeks. When you're about to use a program that PG doesn't know yet, it will ask you about it, and it's easy enough to permit them always and thus get your entry in the protection list. You just don't do it in one afternoon."

Further apropos of the above point Andreas cautions the user about certain MS execute files, as he says:

"system32/winlogon.exe should have Access Physical Memory Authorization set, and it seems you can protect it from being read from without detrimental effects - this will prevent some nasty attacks on Windows' File Protection System. I would suggest to only always "Permit Once" and decide on a case by case basis with these: system32/rundll32.exe, system32/drwtsn32.exe, system32/mshta.exe (if you don't want to always deny it right away), system32/cscript.exe (if you don't want to always deny it right away), system32/msiexec.exe, and the html-using help programs like winhlp32.exe, hh.exe in windows' main directory or MS Office's msohelp.exe. Actually system32/rundll32.exe is a special case: it is a program used to start code located in some dll file. The problem is that the dll file itself isn't checked, so you have no idea in advance what will actually be executed when something uses rundll32. While rundll still has to be called by something, that something probably will be checked by PG's execution protection (but maybe not - think along the lines of a script or a batch file being executed within the context of an 'always permitted' webbrowser, msiexec or command prompt), I prefer to have the commandline parameter used in calling rundll shown to me. That is possible only if I keep rundll32.exe on 'Permit Once'. And it is important that this is an approach that involves my careful consideration and occasional research of whatever is actually shown to me there. A few people argue that you should restrict rundll even more by not granting it extra privileges and going through some extra enabling steps when you find you need something extraordinary. Personally, I am always denying iexplore.exe, msimn.exe, outlook.exe, system32/mdm.exe and system32/mobsync.exe. YMMV [emphasis my own]."

In matters of appropriate use of sophisticated HIPS apps, such as ProcessGuard, it may be best to err on the side of caution. The trouble is, it is often difficult to ascertain just where caution resides. In the matter of PG one may rely solely on learning mode, and thereby possibly open oneself up to security breaches -- how unavoidable or remote is never so clear -- or one may take the other tack of denying privileges to any and all execute files unless or until a permit request to add a global hook or driver or whatever is specifically requested, and then, only for that particular application and specific moment in time, but this approach has the downside of possibly causing an abundance of error messages and, at worse, irretrievable damage (corruption) to the OS registry. Thus, the very power of such programs as PG and Prevx and RegRun and others to assist one in protecting the OS from outside attacks has the unfortunate and rather ironic potential for corrupting one's OS from the inside, so to speak, unless the user is very knowledgeable about the nuances of the particular HIPS and is confident that he or she can use it to best advantage and at one and the same time avoid the dangers of mismanagement or mususe of that very panacea. But, how many of us can say that? I, for one, am afraid, cannot.

 

Another issue is that certain programs can load other dll programs. For example, IE will load ActiveX controls and BHOs, which shouldn't raise any alarms unless rundll32 (if not set to Permit Always) or some other excutable is run. This is why I tolerate the error messages that IE creates when it can't access physical memory when using Windows Updates. I wouldn't want some undetected malware getting unnecessary priviledges when used in conjunction with IE. There's also the fact that nothing goes wrong when denied that priviledge leading me to suspect it doesn't really need it.

 

Now, I am seeing a level of paranoia here that I will not put up with. I read Andreas article and thought it was nonsense. I have rundll set to permit always. I have a lot of stuff set to permit because I don't want to see constant popups and generally the programs need what they ask for. I do not want to corrupt Windows because I crippled it because of my fear. The other HIPS programs are even worse than PG. They will drive you insane with all the popups. I really use PG only to control what wants to start/call out because I don't use a software firewall as I am behind a router.

 

Well I must say, there are some excellent as well as 'insightful' thoughts for all to ponder. I also have relied upon PG (confidently I might add). However, it has been my experience, as I follow all threads dealing with possible "security breaches" and varying approaches with regard to the best way to use or set PG, it has been reconfirmed to me that it is absolutely imperitive one does not rely solely on one software program to satisfy security concerns> "Layered protection" really does have to be looked at and recognised as the best way (at this point in security strategies) to elliminate various security cracks.
I use a collection of security software programs that not only monitor different areas of security concerns, also monitor each others effectiveness due to often 'overlapping protection'. To date, this approach has worked for me. NO uglys!!
Goodluck with your security offensive.

 

I have/had rundll32 set to Permit Always as I was tired of the message popping up each time I tried running a CPL (i.e. Add/Remove Programs). So, I understand what you're saying Mele20. I personally haven't had any issues with installers or other programs wanting to use rundll32 (mainly codecs for configuration and CPLs as mentioned earlier). I do also understand the paranoia as you only get one prompt for anytime you run any dll as a program. Maybe as an advanced feature, it would be nice if ProcessGuard gave you an allow list for certain dlls that rundll32 can run? Just a thought for those wanting less prompts and tighter control over rundll32.

 

As I've said there are two approaches or philosophies involving the manipulation of sophisticated HIPS software. And I see this as somewhat analogous to the options that are available to one with a good SLR camera: opt for the automatic settings feature or go with the manual override.

The goal of the photographer, whether one is a pro or amateur, is to get the best shot one can. The goal of the computer user is to be able to maximize the potential of his or her computer but without also compromising the system's OS either through one's own mishandling of the associated hardware and software or though an outside attack.

Melee20 appears to opt for the "automatic settings" approach, which is a pragmatic approach (playing the percentages rather than the long shot) and sensible enough if one infers as Melee20 does that there is more chance to corrupt the OS through constant checking and blocking of dlls than there is risk of contracting a virus by setting, rundll32, for example, to "permit always." But, the appellation "nonsense" to Andreas' article strikes me as a bit harsh as he does lay out, fairly and succinctly enough, the two basic ways to set PG's parameters: learning mode or methodical, albeit time-consuming m application of permit and blocking actions.

And, no, I do not think of myself, when swimming in the ocean of the WorldWide Web, to be paranoid. Didn't Kissinger allegedly say to Nixon, on the matter of paranoia, something to the effect: "Just because you think someone's out to get you, doesn't mean he's not." But, I agree with Melee20 that one hardly does himself or herself a service by corrupting his or her own computer to avoid a virus or rootkit. Fortunately, I have "FirstDefense," to rely on as a failsafe valve to protect me from myself. The effective use of various HIPS tools is a learning process and their are incumbent benefits and risks by installing them on one's machine in the first place, whether one takes out all stops and uses a particular HIPS to the software's fullest potential or opts instead to utilize the HIPS minimally and gingerly. Then there is the question of how many HIPS tools to utilize, what kinds and in what array.

Wilpower uses "collection of security software programs" that monitor different areas of security concerns "but [that] also monitor each other's effectiveness. . . " to maximize OS security. This sounds reasonable enough but then I recall what DeVinco told me recently (on August 13, 2006) in another thread, involving my query pertaining to problems I had been having with the use of PrivacyKeyboard. He told me then:

"You may not like this advice seeing that you already own all these programs [PrivacyKeyboard, ProcessGuard and Anti-Executable], but I'll say it anyway. Sometimes it is better to simplify your security setup. More is not always better in the case of security programs that perform similar functions.
For example, running two realtime (memory resident) anti-virus is not a good idea. The same thing with HIPS type programs.

While the three programs [PrivacyKeyboard, ProcessGuard and Anti-Executable] have apparently different goals, they are all whitelist type programs that can do almost the same thing, prevent new unknown programs from starting by themselves without your approval.

Process Guard can be set to block new and changed applications, so it can take care of Anti-Executables job. This feature, along with other Process Guard features can prevent software keyloggers from being deployed on your computer. Microsoft Windows comes with a Virtual Keyboard, so you can defeat hardware keyloggers.

It may be that one or two of the three similar programs is causing problems for the other.
It is certainly easier to diagnose a problem when there is only one of the same type of program installed."


The upshot of all this is that whatever one does or wherever one goes one seems to face perplexing dichotomies at every turn: Do I load up my system with a few security tools or many? Should I rely on auto settings for those tools in order to avoid possible internal OS corruption but at the risk of contracting malware or do I maintain maximum control, thereby essentially negating the acquisition of unwanted malware but at the risk of corrupting my own [usually Windows] OS? Is a good AV and Firewall really enough or should I construct and implement an intricate layered defense involving hardening of the OS, perimeter security tools, stealth tools, anti-malware scanners, blockers and removers of all types and descriptions, virtualization software, sandboxes etc? It boggles the mind.

But, pretending that there is really nothing to be concerned about "out there" is ludicrous. Marketing firms, government watchers, phishers, hackers, scammers and spammers -- someone wants to take advantage of you and me at every opportunity, at every bend of the road. Thus, the need for privacy and security hardware and software and thus the basis for and need for these discussions.

 

I don't think it's possible to have such a list.

For example, Andreas would suggest not allowing Outlook to even execute. So what will you do about Outlook now?

 

Okay, SpikeyB, the question is fair and straightforward enough.

I have unchecked both "Install Global Hooks" and "Install Global Drivers/Services" in PG and did the same for the iexplore.exe file. And, I will deal with the other MS execute files that Andreas denies all permissions to as the issues come up. If iexplore.exe balks, then I will grant the permissions it wants. That file is far too important to the MS OS to argue with. That is my experience. And there is no tenable alternative that I can see apart from ditching my PC altogether and going the MAC route or using an open source OS, i.e., LINUX.

If problems emerge with outlook.exe, however, then I will make a decision to either permit Outlook to add global hooks and/or drivers as it wishes and either rely on MailWasher Pro's Benign program and NOD32's EMON and IMON modules to protect me from infiltrations through Outlook or opt for a new client -- possibly either Eudora or Thunderbird. Do you have any suggestions on a good alternative to MS Outlook 2003?

 

Mozilla Thunderbird is a good replacement for Outlook Express, but it doesn't have as many features as Outlook. If you use Outlook for it calendar functionality, then Thunderbird has two options which are both still behind Outlook. One is to use the Lightning extension and the other is to download Sunbird and the corresponding extension for Thunderbird so the two can interact. Lightning is at version 0.1 and Sunbird is at version 0.3 alpha 2. If you don't really use the calendar, then Outlook is probably nothing more than a bloated version of OE in that case. I don't know about Eudora Mail as I've never used it, but I've heard that it is/was a good/decent e-mail client.

 

Thanks for the suggestion StriderSkorpion. I might try Thunderbird. I did not consider MS Outlook from the standpoint of bloat, and I do not use the calendar. Hence, from a security standpoint and, given that it is a lighter program, I might give it a try.

I realize that I am off track now from the original purpose of this thread and will consider my original query answered to the extent that the issue of whether one ought or ought not give permissions to various execute files, when using PG to best effect, can be resolved at this time. Thank you all for your responses.