A detailed discussion paper on ProcessGuard by Andreas

Discussion in 'ProcessGuard' started by Pilli, Dec 1, 2004.

  1. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    I have added this thread as Andreas, a DCS beta tester, has spent much time writing this excellent paper, which can be viewed here:
    http://www.commontology.de/andreas/win_secure_pg3.html

    Andreas still has a few additions to make regarding version 3.050, but the paper is still very valid; it is a useful read for both new and old ProcessGuard users.

    I am sure that Andreas would welcome any constructive comments :)

    Thanks Andreas and to those that contribute. Pilli
     
  2. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Definitely yes. Just mail or IM me via my profile.

    Thanks for sticking the site here, Pilli :D

    Cheers,
    Andreas
     
  3. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Thanks for the article. It helped me learn a few more things. Keep up the good work.



    Starrob
     
  4. Stefan12

    Stefan12 Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    4
    Thanks for the fine piece of documentation work!

    The paper says that PG checks "signatures" for programs, but not for DLLs. Is this still the case in the current PG version?

    Thanks,

    Stefan
     
  5. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Good work Andreas, it is a good read. :)
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Stefan12.
    That is correct: ProcessGuard only checks executables at the moment; the overhead for checking every .dll would be horrendous. Also, ProcessGuard protects one from .dll injection, physical memory space, blocks global hooks and stops driver/service installation, so it is all a matter of balance.
    Having said that, an option to be able to do some sort of .dll checking may be a possibility in future versions, providing DCS deem it desirable and/or feasible.

    Pilli
     
    Last edited: Dec 2, 2004
  7. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I don't know how DCS can make it possible but I hope DCS can one day provide some type of solution for protecting against changes of DLL on the disk or static DLL injection.

    Right now, this appears to be a difficult area for trojan authors to attack because of the complexity, and for security companies to defend against because it appears .dll checking might not be feasible (at this point in time).

    I hope DCS can innovate in this area. There may not be such a thing as 100% security but that does not mean you don't continue to strive for it and accept the status quo.

    Continue the good work on ProcessGuard too. I believe you guys are breaking new ground. This I like. I dislike the old solutions that are not providing real security against new threats.


    Starrob


     
  8. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    As an aside:
    For dll checking you could combine PG with some file change monitor like filechecker, NISFileCheck and the like. It won't (AFAIU) give you real-time protection, but it at least tries to cover the issue.
    Andreas
     
  9. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Thanks for this great work Andreas ;)
     
  10. Stefan12

    Stefan12 Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    4
    Hi Pilli and other responders,

    I appreciate your details and recommendations.

    DLL checking would seem, at least in theory, to desirably strengthen the intrusion control. No? I hadn't realized that usable/effective DLL checking was a tough nut to crack.

    The bright folks on the DiamondCS team have a powerful piece of software in PG. Working on getting my chops down with PG ...

    Thnx,

    Stefan
     
  11. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Andreas1,
    How about adding some information about WFP and how PG blocks the attacks quite nicely (with winlogon.exe read-protected), and that there is still an open avenue of attack via the APIs that are used by Windows Update, and that additional software would be useful to alert if files are being replaced in that way.

    There are a couple of threads discussing it, but it's really a very simple issue.
    See here in other anti-trojan software and here on bo.funpic.de as well as here and here in the PG forum

    Thanks
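A minimal baseline-and-compare integrity check of the kind Andreas suggests in post 8 (pairing PG with a file change monitor for DLLs) and that gottadoit asks for in post 11 (alerting when files are swapped through the update APIs that PG does not prompt for). This is an added example, not ProcessGuard code and not any of the monitors named in the thread. It hashes files with the listed extensions under a directory, writes a JSON manifest, and on the next run reports files that were added, removed or changed. The directory layout, DLL names and file contents in demo() are constructed; the extension list and the manifest location are assumptions of this example. On a real machine you would point it at C:\Windows\System32 and keep the manifest somewhere the attacker cannot rewrite.

```python
"""Baseline-and-compare integrity check for DLLs and other binaries.

Added example, not ProcessGuard code and not one of the monitors named in the
thread. Paths, file names and file contents in demo() are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions worth baselining (this example's choice, not PG's list).
WATCHED_SUFFIXES = (".dll", ".ocx", ".cpl", ".sys", ".exe")


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root, suffixes=WATCHED_SUFFIXES):
    """Map root-relative path -> hash and size for every watched file under root."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_of(path), "size": path.stat().st_size}
    return baseline


def save_baseline(baseline, manifest_path):
    Path(manifest_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(manifest_path):
    return json.loads(Path(manifest_path).read_text())


def compare(old, new):
    """Report files that appeared, vanished or changed content since the baseline.

    Only the hash decides 'modified': size and timestamps are trivially
    preserved by a replacement, a matching SHA-256 is not.
    """
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new)
                           if old[k]["sha256"] != new[k]["sha256"]),
    }


def demo():
    """Constructed scenario: baseline a fake system32, then swap one DLL and drop a new one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "system32"
        sys32.mkdir()
        (sys32 / "shell32.dll").write_bytes(b"MZ original shell32")
        (sys32 / "user32.dll").write_bytes(b"MZ original user32")
        (root / "readme.txt").write_bytes(b"not a watched type")
        manifest = root / "baseline.json"  # in real use, store this off the monitored box
        save_baseline(build_baseline(root), manifest)

        # Simulated replacement through a path the HIPS does not prompt for:
        # same name and same size as the original, only the bytes differ.
        (sys32 / "shell32.dll").write_bytes(b"MZ replaced shell32")
        (sys32 / "evil.dll").write_bytes(b"MZ dropped alongside")
        return compare(load_baseline(manifest), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Like the tools Andreas names, this is not real-time: a replaced DLL is reported only when the scan next runs. A legitimate Windows Update changes many watched files, so rebaseline right after patching or the next diff is all noise. Comparing hashes rather than sizes or timestamps matters because the demo's replacement keeps the original size, and a file's timestamps can simply be set back.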
     
  12. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    gottadoit,
    I think this is an interesting thing to investigate/write about, so I will try to cover it. But it will surely take some time - I don't want to write about what I don't understand, so I will have to do lots of reading first. Early next year, probably.
    Thanks for pointing out the issue for the website (and for insisting on it being an important one).

    Andreas
     
  13. ^Ale

    ^Ale Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    187
    Location:
    Italy
    Thanks Andreas for your good work (and to Pilli for the link)
     
  14. Whynot

    Whynot Registered Member

    Joined:
    Feb 8, 2004
    Posts:
    50
    Excellent article Andreas - greatly appreciated. Fancy doing similar for TDS3 :D
     
  15. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Andreas1,
    Another thing that might be worthy of mention is that if you are being paranoid, then rundll32 is a good thing to have set to "Permit Once", and not to grant rundll32 any extra privileges if at all possible.

    Having it set to Permit Once will only be effective if you are the type of person that actually reads the popup dialog prior to clicking Allow and are interested enough to learn about what the various options are.

    The reason for doing this is that rundll32 is just a mechanism for invoking functions inside DLLs; this basically means that it allows code to be run under the guise of rundll32.

    There are some threads discussing this already, see here and here.

    In the second thread above Jason said
    Edit:

    If Block New and Changed Executables is enabled then "Permit Once" items will be denied in addition to anything new and changed (teach me not to read the help file to find the non-obvious things).

    If you make rundll32 permit once and also enable the "lockdown" option you won't be able to run control panel applets and a few other things that you might normally want to do from time to time (until you turn the option off again) ....
     
    Last edited: Jan 2, 2005
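Reading the "Permit Once" popup for rundll32 means reading its command line: the first argument is the DLL, the part after the comma is the exported function it will call, and everything else is passed to that function. The following is an added example (not ProcessGuard code) of the triage a practitioner would apply to such records, run over a handful of constructed process-creation log lines in a made-up "pid|parent|command line" format. Every path, DLL name and entry point in the sample is an assumption; the only real fact used is how rundll32 splits its argument. It goes slightly beyond the post by also flagging the script-protocol form, where the "DLL" argument is a javascript: string rather than a file.

```python
"""Triage rundll32 invocations from process-creation records.

Added example, not ProcessGuard code. The log format, paths and DLL names
below are constructed for illustration.
"""
import ntpath

# Constructed sample records: "pid|parent image|command line".
SAMPLE_LOG = r"""
1201|explorer.exe|rundll32.exe shell32.dll,Control_RunDLL desk.cpl
1202|explorer.exe|"C:\Windows\System32\rundll32.exe" "C:\Users\bob\AppData\Local\Temp\upd.dll",DllRegisterServer
1203|winword.exe|rundll32 C:\Users\bob\Downloads\invoice.dll,Run
1204|svchost.exe|rundll32.exe C:\Windows\System32\ieframe.dll,OpenURL http://example.test/
1205|cmd.exe|rundll32.exe javascript:"\..\mshtml,RunHTMLApplication"
1206|explorer.exe|notepad.exe readme.txt
"""

# Entry points the shell itself reaches through rundll32 (control panel applets); assumed benign here.
KNOWN_BENIGN = {("shell32.dll", "control_rundll")}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")
DLL_SUFFIXES = (".dll", ".cpl", ".ocx")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def parse_rundll32(cmdline):
    """Return (dll_target, entry_point, args) if cmdline runs rundll32, else None."""
    tokens = tokenize(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("rundll32", "rundll32.exe"):
        return None
    if len(tokens) < 2:
        return "", "", []
    target, _, entry = tokens[1].partition(",")  # rundll32 splits DLL and export at the comma
    return target, entry, tokens[2:]


def classify(target, entry):
    """Return (verdict, reasons); verdict is 'benign', 'review' or 'suspicious'."""
    low = target.lower()
    if (ntpath.basename(low), entry.lower()) in KNOWN_BENIGN:
        return "benign", ["known shell entry point"]
    reasons = []
    if not low.endswith(DLL_SUFFIXES):
        reasons.append("target is not a DLL/CPL/OCX file")  # e.g. javascript: protocol tricks
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("DLL lives in a user-writable location")
    if not entry:
        reasons.append("no entry point given")
    if reasons:
        return "suspicious", reasons
    if ntpath.dirname(low) == "":
        return "review", ["unqualified DLL name resolved via the search path"]
    return "review", ["system path but entry point not on the known list"]


def analyze(log_text):
    """Parse every record, skip non-rundll32 ones, and attach a verdict to the rest."""
    findings = []
    for line in log_text.strip().splitlines():
        pid, parent, cmdline = line.split("|", 2)
        parsed = parse_rundll32(cmdline)
        if parsed is None:
            continue
        target, entry, args = parsed
        verdict, reasons = classify(target, entry)
        findings.append({"pid": int(pid), "parent": parent, "target": target, "entry": entry,
                         "args": args, "verdict": verdict, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['pid']} {f['verdict']:10} {f['target']},{f['entry']}  ({'; '.join(f['reasons'])})")
```

The verdicts are deliberately coarse: a DLL under the user's profile or a non-file target is worth denying, a system DLL with an unfamiliar export is worth looking up before allowing, and only the handful of exports the shell itself uses (the control panel case gottadoit mentions for the lockdown option) is waved through. The parent image is carried along because the same command line launched by a document viewer deserves more suspicion than one launched by explorer.exe.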
  16. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Okay, thanks for all your feedback.
    I've updated the page and included many of your suggestions.

    Have a good year ;)

    Andreas
     
  17. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    I read much of Andreas' paper. I had downloaded the free version of PG but not installed it. I am not at all sure I can figure out what to do with it or how to do it. It looks very complicated for an average user like me.

    What does it mean that the free version is only able to guard one process? What is a process in that context, and if only one which one should it be?

    See my ignorance?

    I was considering installing Spyware Guard, and PG. Maybe not a good idea considering my state of understanding. I am not sure how SG and PG differ.

    Jerry
     
  18. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Jerry, They are completely different.
    ProcessGuard has a learning mode which does most of the work for you.
    If you open Task Manager you will see all the "Processes" that are running; these can be terminated or changed by some types of malware, so protecting them helps create a very strong defence against the nasties.
    Also, ProcessGuard lists every executable file and will notify you of any change, so if a nasty changes, say, Outlook Express, then ProcessGuard will tell you and ask if you wish to allow such a change.

    In the full version of PG you have extra options for protecting processes from all currently known termination exploits such as those used by rootkits.

    HTH Pilli
     
  19. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Thanks again for your help.
    I know if I get in trouble I can get help here. That gives me confidence to do some things that I would not otherwise attempt.
    Jerry
     
  20. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Andreas1,
    Have a read of this thread about some more variations on the permit once theme (regsvr32 and cmd).

    It might be worth considering including a little on the suggestions in the thread

    Earth1 pointed out the usefulness of having a copy of cmd.exe with permit always for trusted batch jobs and I've been applying the same principles for other trusted batch jobs (with cmd and regedit etc)
     
  21. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi gottadoit, Andreas is completing his PhD ATM, so is not around much, but I am sure he will update his report when he gets some time back :)
     
  22. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Is Andreas's site down? I can't seem to connect to it and I wanted to print it out prior to installing PG. :'(
     
  23. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Jag,

    I was just able to access it. Are you having trouble with just this site, or other sites as well?

    Rich
     
  24. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    Hey,

    any updates here?

    Hopefully Andreas1 can update his report for PG 3.3 :D

    thx and best regards,

    iNsuRRecTiON