AppDefend Wishlist / New Features / Suggestions

Discussion in 'Ghost Security Suite (GSS)' started by gottadoit, Nov 19, 2005.

  1. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    P2K wrote:

    I am not sure if I understand you correctly,
    or better, on how to implement the checksums mentioned.

    I think you are right, but again, CYGWIN (and others) is an application that uses hundreds of small executables, installing or upgrading these will drive you mad (clicking through the messages).

    So it would be nice IF you could 'trust' the complete set, immediately after install or upgrade. And be warned at every checksum change AFTER that.

    And I assume that a configuration-start-stop real password is already on the wishlist
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    This would be a case of adding a new option "Update checksums for all listed applications" in the Security tab menu - this would then recalculate and update the checksum for every application that has been permitted (with the option, hopefully, of providing a list of changed apps allowing users to review and block updates for selected items).

    This would not help with installation of new software but should cover any upgrades or patches (System Safety Monitor has this feature).
     
  3. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    To all who are debating how to apply an update checksums feature: what is wrong with the current method?

    AppDefend tab > click the Maintenance button (far right) > Check Now button, see the attached screenshot.
     

  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If that can cover all executables in a specific folder then that would be ideal.

    I was getting confused in my previous post with "another program" (that can't be mentioned for legal reasons... ;) ) so please ignore it.
     
  5. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Currently on the maintenance tab where it says "Check Now" for updated hashes, I will also be adding a way to update the hashes of any selected item in the list and deleting any items also.

    So it would be a 2 step process,

    1) Check Now for updated hashes in your list
    2) Select all "FAILED CHECKSUM" hashes and then click Update Hash
     
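    The two-step "Check Now" / "Update Hash" workflow described above, as an added example (not AppDefend's own code, and the rule list structure is a hypothetical path-to-SHA256 dict): step 1 re-hashes every permitted executable and reports the ones that fail, step 2 re-records only the entries the user selected, so an unreviewed change never gets trusted silently.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA256 (executables can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_now(rules):
    """Step 1: recompute every listed hash; return (path, reason) for each failure."""
    failed = []
    for path, recorded in rules.items():
        if not os.path.exists(path):
            failed.append((path, "MISSING"))
        elif sha256_of(path) != recorded:
            failed.append((path, "FAILED CHECKSUM"))
    return failed


def update_hash(rules, selected):
    """Step 2: re-record hashes only for the items the user explicitly selected."""
    for path in selected:
        rules[path] = sha256_of(path)
    return rules


def demo():
    """Constructed scenario: two permitted 'executables', one of them upgraded."""
    d = tempfile.mkdtemp()
    a, b = os.path.join(d, "a.exe"), os.path.join(d, "b.exe")
    for p in (a, b):
        with open(p, "wb") as f:
            f.write(b"MZ original " + os.path.basename(p).encode())
    rules = {a: sha256_of(a), b: sha256_of(b)}   # hypothetical rule list
    with open(b, "wb") as f:                      # simulate a patch to b.exe only
        f.write(b"MZ upgraded b.exe")
    failed = check_now(rules)
    # Only the reviewed FAILED CHECKSUM items get updated; MISSING ones stay flagged.
    update_hash(rules, [p for p, why in failed if why == "FAILED CHECKSUM"])
    return failed, check_now(rules)
```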
  6. budfox

    budfox Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    103
    I would like to suggest that the Ghost Security Icon change color when GS is disabled. Sometimes you need to do an install and have to turn off GS, and forget to turn it back on.

    Thanks.
     
  7. berng

    berng Registered Member

    Joined:
    Sep 11, 2005
    Posts:
    252
    Location:
    NJ, USA
    I agree. Happens to me too often.

    Also, I suggest that options be added to save and rename the AppDefend and RegDefend rules, so we don't have to manually copy the rule files. I think a lot of users don't know the files can be copied, so this change would make it more user friendly.
     

  8. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    All info areas of the alert should word wrap and be scrollable. Currently with long paths and/or command lines, it just goes off the right of the alert area which means the alert has to be resized to about 3/4 width of my 1600x1200 display (and even that is not enough in a lot of cases), which is not ideal.

    I would also like to see splitters between the process being started area, parent process area, and the extra info area. If the GUI used standard Windows controls, this would be very easy to achieve. (Nudge nudge, wink wink.....) ;) Splitters should also be used on all other parts of the GUI where appropriate.

    Also, to borrow something from PG, the alert should also display Company name and file size.


    Just noticed a possible bug (although not sure it can be fixed) - Resizing the height or Moving an AD/RD alert so that it moves over the taskbar causes the taskbar to not repaint, leaving remnants of the alert window.

    The taskbar is correctly redrawn after the alert is allowed/denied.
     
  9. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Hi Defenestration,

    When Explorer.exe is being blocked from doing something, its drawing operations are stopped until the alert is answered. This is why anything created by explorer.exe (the taskbar, desktop, etc) might not redraw correctly until after an alert has been processed.

    I agree that the alert needs to better show very long information, I will see what I can do to rectify this.
     
  10. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Hi berng,

    I will probably never "fully support" profile creation, simply because it is a rather advanced feature. As such I think the users who are capable of using such a feature without issues are capable of using explorer or whatever to create/copy rulesets. If there was a way to do it in the GUI then some people may mistakenly use it to create dud rulesets which aren't protecting them, and not even know it.
     
  11. f3x

    f3x Guest

    Hi,
    I would really like to see hardware keyboard shortcuts.
    Like Ctr-maj-F5 to accept
    Like Ctr-maj-F6 to block

    Moreover I would really really appreciate it if this keyboard hooking is done by the driver and not the GUI. That way if the GUI freezes, the keyboard is still responsive and you can tell the driver to allow whatever alert caused the GUI to freeze. Hopefully this will take care of the situation.

    Then someone can see in the log what it actually allowed and can correct the situation. I know that correction after the fact is exactly what we try to avoid by using GSS, but in some rare cases I still prefer this to a forced reboot.

    The other advantage of the driver taking care of keyboard is that it's available for all users.
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I doubt it would be possible to do such a thing outside the GUI itself since it would then have no easy way to determine if there was an AppDefend prompt to respond to.
    And how would you suggest AppDefend protect itself from malware sending similar keystrokes (e.g. via Windows Scripting SendKeys commands) to bypass it, if this feature was added?
     
  13. f3x

    f3x Guest

    Yet I admit I had not thought that sendkey could be a problem.
    I'm pretty sure there is a difference between high level key handling and low level key handling. And even if at high level there is no such difference between sendkey and keyboard, there is one in low level somewhere.


    You can do a test

    1) On your desktop assign two shortcut keys, let's say F5 and F6
    2) Use any macro / automation tool that will sendkey F5 or F6
    3) Use any keyboard remapper that uses the registry, such as KeyTweak, to switch F5 and F6 on your keyboard.

    Such programs use this key to remap the keyboard:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout
    >> Scancode Map


    Reboot and test.
    The F5 key of the keyboard is translated as being F6
    The F6 is now F5

    However when you are using sendkey
    F5 is really F5
    F6 is really F6

    That means that somewhere in the host a process *knows* what key (scancode) has been typed by the keyboard, and that process then bubbles the keyup/keydown/keypress event in an architecture similar to sendkey. The good news is that this process is not fooled by sendkey, which means it's something worth hooking

    and this effectively gives +1 more reason for the keyhook to be processed by the driver.

    I'm deceived by you on this one.
    It should be easy.
    The driver does all the work of GSS

    1) driver intercepts the event
    2) driver interprets the rules
    3) if it is set to ask, driver launches GUI
    4) driver waits for answer
    5) driver interprets GUI answer

    "to determine if there was an AppDefend prompt to respond to" is as simple as checking if the driver is itself in step 4

    the hard part would be for the GUI to determine if the driver has received a keyboard answer; again it's as hard as step #3. If the driver can launch the GUI then the driver can decide to close it.
     
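    The Scancode Map value named in the test above is applied by the Windows keyboard class driver when the physical keyboard's scan codes arrive, which is why a registry swap of F5/F6 changes real keystrokes but not injected ones. As an added example (not from the original post or from GSS), this builds and parses that REG_BINARY layout, here for the F5/F6 swap: a header of two zero DWORDs, an entry count that includes the null terminator, then one DWORD per mapping whose low word is the new scan code and whose high word is the original.

```python
import struct

F5, F6 = 0x3F, 0x40   # PS/2 scan code set 1 make codes for F5 and F6


def build_scancode_map(remap):
    """remap: {original_scancode: new_scancode} -> Scancode Map REG_BINARY bytes."""
    blob = struct.pack("<II", 0, 0)                  # version and flags, both zero
    blob += struct.pack("<I", len(remap) + 1)        # entry count, terminator included
    for original, new in remap.items():
        blob += struct.pack("<HH", new, original)    # low word = new, high word = original
    blob += struct.pack("<I", 0)                     # null terminator entry
    return blob


def parse_scancode_map(blob):
    """Inverse of build_scancode_map; rejects malformed values instead of guessing."""
    if len(blob) < 16:
        raise ValueError("value too short to hold header and terminator")
    version, flags, count = struct.unpack_from("<III", blob, 0)
    if version != 0 or flags != 0:
        raise ValueError("unexpected header values")
    if count < 1 or len(blob) != 12 + 4 * count:
        raise ValueError("length does not match the entry count")
    remap = {}
    for i in range(count - 1):
        new, original = struct.unpack_from("<HH", blob, 12 + 4 * i)
        remap[original] = new
    if struct.unpack_from("<I", blob, 12 + 4 * (count - 1))[0] != 0:
        raise ValueError("missing null terminator")
    return remap


# Constructed value: the F5 <-> F6 swap from the test above.
F5_F6_SWAP = build_scancode_map({F5: F6, F6: F5})
```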
  14. joe999

    joe999 Registered Member

    Joined:
    Dec 22, 2005
    Posts:
    2
    The ability to use the RegDefend conventions of * and ** in the command line of applications.

    Example :-
    This is a commandline passed to rundll32.exe to show an image in a Rar.

    "rundll32.exe" c:\winnt\system32\shimgvw.dll,imageview_fullscreen c:\docume~1\user\locals~1\temp\rar$di00.610\img_0303.jpg

    Now obviously it will be different for each image, so if I could edit one to :-

    "rundll32.exe" c:\winnt\system32\shimgvw.dll,imageview_fullscreen c:\**.jpg

    It would cover all .jpg's on my C drive.

    A similar thing could cover the issue with GIMP etc where you could use a directory path \*.exe to enable any *.exe in that directory (without SHA256 checking).

    On the AppDefend/Ghostwall application control front, how about if both are installed then an option to integrate them becomes available in general options. When enabled, the Network Access option in AppDefend is disabled but now you can tie a particular GW rule to an application via AppDefend's SHA256 checking.

    I'm a user of Kerio 2 at the moment, bloat free with rules tied to applications via MD5 (broken maybe but better than nothing) and it would be really nice to see GW being able to fill that role.

    It would also leave it open for people to use it with application control or not as the case may be.
     
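    A matcher for the * and ** command-line conventions proposed above, as an added example (not AppDefend's or RegDefend's own implementation): * stays within one path component, ** may cross backslashes, matching is case-insensitive, and everything else is literal. It is exercised on the post's own rundll32 line and on the per-directory \*.exe case, where a nested sub-directory must not match.

```python
import re


def wildcard_to_regex(pattern):
    """Translate a RegDefend-style pattern: '**' spans directories, '*' does not."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")          # anything, backslashes included
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")     # anything up to the next backslash
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def command_line_matches(pattern, command_line):
    """True when the whole command line is covered by the pattern."""
    return wildcard_to_regex(pattern).match(command_line) is not None


# Constructed inputs taken from the feature request above.
RULE_JPG = r'"rundll32.exe" c:\winnt\system32\shimgvw.dll,imageview_fullscreen c:\**.jpg'
CMD_JPG = (r'"rundll32.exe" c:\winnt\system32\shimgvw.dll,imageview_fullscreen '
           r'c:\docume~1\user\locals~1\temp\rar$di00.610\img_0303.jpg')
RULE_DIR_EXE = r'c:\program files\gimp\bin\*.exe'   # hypothetical directory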
  15. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    The Look 'n' Stop firewall gives the option to Allow/Block for this Session (session is until either LnS or Windows is restarted). This option would be a handy addition to AppDefend. Maybe have the buttons "Allow Session" and "Block Session"...
     
  16. berng

    berng Registered Member

    Joined:
    Sep 11, 2005
    Posts:
    252
    Location:
    NJ, USA
    +1

    Or just comments for the application. Some called applications do have weird names and I realize by their effect and additional research that their permissions need to be overridden from the defaults. But sometimes, months later, I've forgotten the reason.
     
  17. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    I have also been testing System Safety Monitor which offers similar features. I'm not really sure it's necessary (I'm sure Jason can enlighten me) but SSM offers a finer degree of control over some permissions. For example, AD groups Process Modification into a single category, but SSM splits it into "Allow global hooks", "Allow remote data modification" and "Allow remote code control".

    Do you think it would be a good idea to split Process Modification into these three categories ?

    If so, then that's a feature request.

    If not, then why don't you consider it necessary ?
     
  18. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    to talk about SSM (which is a fine program btw) :

    Jason, Will it be possible to have more control about the parent and child processes just like SSM and Tiny2005? That would be an immense feature and would certainly make AD a more complete application defender ;) that way we can limit some actions of certain processes that would have full access otherwise?

    then finally I'll be able to ditch Tiny2005 ;) did I say that? :D ..
     
  19. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    I can't agree more. I have also searched for a replacement of Tiny for a while already, but there's still nothing comparable (I talk about protection, not complexity :)). If there's process spawning control in AppDefend, I would be one step closer. ApDefend is on on my watching list, but Safen'Sec is actually my favourite today, cause of a good network acces control (port,IP,protocol filters), and a skecthed out child-parent process control. I consider these two feature the most important, because generaly lacking from other HIPS programs, everyone concentring on process and memory protection, stuff that PG and many others are already covering very well.

    isnogood
     
  20. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    maybe you should try SystemSafety Monitor aka SSM , they offer spawning control and registry protection as well but it is still beta and I don't know what they're up to. but it looked promising two years ago don't know about now.
     
  21. isnogood

    isnogood Registered Member

    Joined:
    Sep 22, 2004
    Posts:
    83
    Location:
    France
    Thanks Infinity. I have also tried this one about one or two years ago. Very good set of features, but it crashed my system too often. I may be wrong, but since it has been beta for at least two years and continuing, it doesn't seem very serious comparing to quickly developing competitors. Anyway, there's no hurry, I'm still very fine with Tiny :) Just looking around.


    isnogood
     
  22. f3x

    f3x Guest


    Yep this is something usefull.

    Even if next beta dont have *cosmetic* changes,
    it would be great to have at worst an hidden button to switch back to main gss pannel in order to disable rd/ad if we are stuck with to much popup.

    At the best this button can be a "more option" dialog alowing you to do different things ( allow for session(until log out), allow until the program terminate, disable the rule responsible of the alert (for session/forever) etc )
     
  23. berng

    berng Registered Member

    Joined:
    Sep 11, 2005
    Posts:
    252
    Location:
    NJ, USA
    APPDEFEND should allow users to exclude selected folders from being monitored.
     
  24. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    I tend to group particular protections into what they are capable of. For example if a process modification means you can get complete control over another process I will lump it into other protections which allow the same thing. Even though in theory it isn't as secure as allowing individual settings of each particular item (one malware might only do one method, but not other) there is no real difference in letting an application gaining control with one method and not another. Advanced malware would use multiple methods.

    A benefit of the way AppDefend does it is you have fewer annoying configuration options.
     
  25. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Maybe I´ve missed this suggestion somewhere, but anyway, when an application want to access the network, I would gladly see if there could be a split between internet access/server rights when you allow/block. Instead of only allow or block an application completly.

    Regards, C.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.