adaware terminates spybot and process guard is helpless to stop it

Discussion in 'ProcessGuard' started by vam, Mar 8, 2005.

Thread Status:
Not open for further replies.
  1. vam

    vam Registered Member

    Joined:
    Mar 8, 2005
    Posts:
    3
    Adaware se 1.05 Using definitions file:SE1R30 08.03.2005

    declares that spybot search and destroy 1.3 is spyware (180solutions) and then terminates spybot. Process guard flashes its warning saying that adaware has tried but was blocked from terminating spybot. Adaware does indeed terminate spybot.

    I tried to terminate spybot from within taskmanager but was blocked by process guard.

    adaware is authorized to read and modify. spybot is protected from termination and modification (except from this killer version of adaware).

    These adaware definitions make it the first time that adaware called spybot 180solutions spyware and then proceeded to kill it outright.

    Just in case spybot was spyware I installed a new copy of spybot and adaware called this copy spyware and killed it off as well.

    Am I to make from this that process guard is unable to protect from termination? Has adaware sold its soul to the devil?
     
  2. jon123

    jon123 Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    76
    Don't recall what it was but I saw a complaint recently about new ad-aware versions allowing previously declared (by ad-aware) spyware, i.e. I believe it was removed from def.'s
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Vam, AdAware defs: Reference Number : SE1R28 16.02.2005
    Hmm, not sure what is wrong there: AdAware and Spybot with default PG settings.
    Here is my PG log.
    Tue 08 - 05:51:59 [EXECUTION] "c:\program files\lavasoft\ad-aware se professional\ad-aware.exe" was allowed to run
    [EXECUTION] Started by "c:\winnt\explorer.exe" [1336]
    [EXECUTION] Commandline - [ "c:\program files\lavasoft\ad-aware se professional\ad-aware.exe" ]
    Tue 08 - 05:53:57 [EXECUTION] "c:\tds3\ext.sys\execprot.exe" was allowed to run
    [EXECUTION] Started by "c:\winnt\explorer.exe" [1336]
    [EXECUTION] Commandline - [ c:\tds3\ext.sys\execprot.exe tds|tdsdll-test:c:\program files\spybot - search & destroy\spybotsd.exe ]
    Tue 08 - 05:53:59 [EXECUTION] "c:\program files\spybot - search & destroy\spybotsd.exe" was allowed to run
    [EXECUTION] Started by "c:\winnt\explorer.exe" [1336]
    [EXECUTION] Commandline - [ "c:\program files\spybot - search & destroy\spybotsd.exe" ]
    Tue 08 - 05:55:12 [TERMINATE] c:\program files\lavasoft\ad-aware se professional\ad-aware.exe [3844] was blocked from terminating c:\program files\spybot - search & destroy\spybotsd.exe [4080]
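
The log above can be checked mechanically. This is an added example, not part of the original post and not DiamondCS code: it parses lines in the layout shown in the log, groups the untimestamped detail lines with their event, and extracts blocked termination attempts. The line format is assumed from the posted lines only; a "blocked" entry records an intercepted attempt and does not by itself show that the target kept running.

```python
import re

# A subset of the lines from the ProcessGuard log posted above (raw string keeps backslashes).
PG_LOG = r'''Tue 08 - 05:51:59 [EXECUTION] "c:\program files\lavasoft\ad-aware se professional\ad-aware.exe" was allowed to run
[EXECUTION] Started by "c:\winnt\explorer.exe" [1336]
Tue 08 - 05:53:59 [EXECUTION] "c:\program files\spybot - search & destroy\spybotsd.exe" was allowed to run
[EXECUTION] Started by "c:\winnt\explorer.exe" [1336]
[EXECUTION] Commandline - [ "c:\program files\spybot - search & destroy\spybotsd.exe" ]
Tue 08 - 05:55:12 [TERMINATE] c:\program files\lavasoft\ad-aware se professional\ad-aware.exe [3844] was blocked from terminating c:\program files\spybot - search & destroy\spybotsd.exe [4080]
'''

# Patterns inferred from the posted lines (an assumption, not a documented format).
HEADER = re.compile(r"^(?P<day>\w{3} \d{2}) - (?P<time>\d{2}:\d{2}:\d{2}) \[(?P<kind>[A-Z]+)\] (?P<text>.*)$")
DETAIL = re.compile(r"^\[(?P<kind>[A-Z]+)\] (?P<text>.*)$")
BLOCKED = re.compile(r"^(?P<src>.+?) \[(?P<src_pid>\d+)\] was blocked from terminating "
                     r"(?P<dst>.+?) \[(?P<dst_pid>\d+)\]$")

def parse_events(log):
    """Group each timestamped line with the untimestamped detail lines that follow it."""
    events = []
    for raw in log.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            events.append({"day": m["day"], "time": m["time"], "kind": m["kind"],
                           "text": m["text"], "details": []})
        elif events and (d := DETAIL.match(line)) and d["kind"] == events[-1]["kind"]:
            events[-1]["details"].append(d["text"])
    return events

def blocked_terminations(events):
    """Return source and target image path and PID for every blocked termination."""
    hits = []
    for ev in events:
        m = BLOCKED.match(ev["text"]) if ev["kind"] == "TERMINATE" else None
        if m:
            hits.append({"time": ev["time"], "src": m["src"], "src_pid": int(m["src_pid"]),
                         "dst": m["dst"], "dst_pid": int(m["dst_pid"])})
    return hits

if __name__ == "__main__":
    for hit in blocked_terminations(parse_events(PG_LOG)):
        print(f'{hit["time"]} {hit["src"]} [{hit["src_pid"]}] -> {hit["dst"]} [{hit["dst_pid"]}]')
```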
     
  4. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Pilli, your log indicates termination was prevented by ProcessGuard. Did Ad-Aware succeed in termination anyway? It looks like new definitions came out yesterday for Ad-Aware.

    I would try this out myself, but I recently removed paid Ad-Aware SE Plus 1.05 from my system since its Ad-Watch protection was no longer functioning as it did under the older non-SE versions and not protecting start up entries. Ad-Watch would flash red, but not indicate anything in its logs and I found that I could delete start up entries normally protected by the non-SE versions without a deny/allow prompt, including Ad-Watch's own start up registry entry. Since Ad-Watch was the only reason I paid for their program, it was uninstalled.

    I have always been a fan of Ad-Aware, but I am starting to ponder the same question Vam mentioned last.
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Rick, No, spybot was not terminated :D With the last definitions or the latest ones

    Pilli
     
  6. jon123

    jon123 Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    76
    Last edited: Mar 8, 2005
  7. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Well I took the ad-aware/spybot s&d challenge since I backed up my partition yesterday and could put it all back quickly.

    I reinstalled Ad-Aware SE Plus 1.05 and loaded Ad-Watch. I gave it all the same rights I did before in my firewall and in ProcessGuard and updated to the current definition. Upon launch of Spybot S&D, Ad-Watch indeed popped up touting the process as 180solutions and prompted for allow/deny. I allowed. Upon reboot Ad-Watch crashed saying something about a corrupted process list and to close and restart Ad-watch. It appeared to function normally after that. Ad-Watch was even protecting start up entries from deletion like it was supposed to, for a change. But upon relaunch of Spybot, Ad-Watch again prompted to disallow Spybot from starting touting it as a 180solutions dataminer. But running a full Ad-Aware scan yielded nothing.

    I forgot to test if ProcessGuard would protect Spybot from termination while running however. I restored my partition back, removing Ad-Aware. If you go to lavasoftusa.com, go into their support forums and search on Spybot, you'll see there are several reports of this being mentioned with no answers yet from mods or forum volunteers. You'll also see the link in that search result for the very long and heated WhenU removal discussion and Lavasoft's responses.

    I guess we'll see some answers over the next few days. I might try a reinstall of Ad-Aware tomorrow if I get time and see if ProcessGuard stops the termination on my machine here.
     
  8. vam

    vam Registered Member

    Joined:
    Mar 8, 2005
    Posts:
    3
    Hi everyone.

    I did some more testing.
    When using adaware definition se1r30 08.03.2005 adaware kills spybot.

    When using adaware definition se1r29 05.03.2005 adaware does not kill spybot.

    I suppose this thread has two issues.
    1 adaware killing spybot.
    2 Process guard is unable to stop adaware from terminating spybot.

    Note: adaware doesn't just close spybots window it actually stops it dead (per windows taskmanager)

    I can remove adaware, but how do I stop it or other programs that develop this ability from terminating a program that Process Guard is supposedly protecting from termination or modification??
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Vam, As far as I know there is no method of terminating a protected program except by another protected program that has the allow termination flag enabled.
    You should try both of the following.
    Remove AdAware.exe from the protection list and see if AA can terminate Spybot.
    Get the Advanced Process Termination tool from here: http://www.diamondcs.com.au/index.php?page=products and test it against your protected apps. Note that two of the tests, 6 & 7 if I remember correctly, require that Secure message handling is enabled.

    It will be interesting to see your results. :)

    Thanks. Pilli
     
  10. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,617
    Location:
    Canada
    Hi,
    It's funny because I have the same definition on my system and the same program including PG. I did the same test a couple of minutes ago and nothing happened. :eek:
     
  11. Diazruanova

    Diazruanova Guest

    Hi,

    It seems that in order for Ad-Aware to kill SB process, SB has to be open and have its process active, otherwise if you scan with Ad-Aware, it detects nothing BUT if you have Ad-Watch running and then you proceed to open SBSD, Ad-Watch detects it and warns you immediately and yes, this started to happen upon updating the most recent def. files: 08/03/2005. and there are already some threads in both forums, Lava's and SBSD, regarding this issue.

    Diazruanova
     
  12. wyrmrider

    wyrmrider Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    59
    Location:
    california
    Ad-Aware is also targeting Zerospyware and Aluria for removal
    both good apps according to Eric Howe's list on www.spywarewarrior.com but with some questionable affiliates (IMHO) recently in the case of Aluria

    Vendor:possible Browser Hijack attempt
    Category:Vulnerability

    TAC index:3

    Description:possible attempt to control/redirect the browser. This object referrs to a "blacklisted" site. If the site listed is the site intended (in other words, it is set to the setting you wish it to be set to), add this listing to your ignorelist. If not, then selecting this item will reset your browser to the default setting for this item.

    however going to the "more data" site shows nothing
    so how do they determine a TAC?

    They do show these:
    Comment:(http://www.aluriasoftware.com/support)
    Comment:(http://www.zerospyware.com)

    why is this not in the "more information" page?

    Wyrmrider
     
  13. Corrine

    Corrine Spyware Fighter

    Joined:
    Jan 10, 2005
    Posts:
    106
    Location:
    Upstate NY
    A new Definition File is in the process of being tested right now.

    As soon as the report was provided to R&D this morning, 180Solutions was allowed to be installed in stealth on a test machine and tests were run. Indeed the problem that has been reported was duplicated. Steps were taken immediately to correct the problem. If you use Ad-Aware, please watch for a new Def. File to be released.

    Thank you and apologies for the inconvenience.
     
    Last edited: Mar 9, 2005
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks for the information Corrine. :)
     
  15. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Looks like Ad-Aware fixed the Spybot S&D detection error in an updated definition file. I'm glad they fixed this issue quickly. No mention of what the problem was.

    Corrine, just for the record I never had a 180solutions infection. Thanks for the update!
     
  16. Rodehard

    Rodehard Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    90
    Which leaves us with "How was adaware able to shut down SB when it was protected by PG?". I ran the same tests and adaware did, in fact, shut down SB no matter the log saying otherwise. And this is probably an easy one but why does adaware need to modify all running applications?
    I uploaded a view of my log, it says I did but, I don't see it in this preview so I hope it took.
     


  17. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Ad-aware has to take on some serious contenders to remove them and knows all the termination tricks in the book. It may well be that ProcessGuard did succeed in blocking some of the attempted termination requests.

    Before you update the definition file in Ad-Aware try running the test with Secure Message Handling enabled for Spybot and see if that changes the outcome.

    I wish I tested termination and not just launch detection by Ad-Watch. It didn't succeed on Pilli's test. Maybe different variations of protections settings affect the outcome. What are the default settings for these two apps? My system is NEVER default.... :D
     
    Last edited: Mar 9, 2005
  18. vam

    vam Registered Member

    Joined:
    Mar 8, 2005
    Posts:
    3
    Hi all.

    Adaware has fixed the SB problem with Def SE1R31.

    Note: Adaware is authorized to modify and read, Spybot is protected from termination and modification (in PG).

    I can't do the test of Adaware Vs Spybot using Secure Message Handling because I'm using the free edition of PG and that's not included.

    I still have a copy of Adaware def SE1R30 if anyone wants to test it against Secure Message Handling.

    Will the next version of spyware learn Adaware's trick in terminating a protected program?

    Is the full edition of Process guard any better at protection than the free edition?

    Seeya
     
  19. Rodehard

    Rodehard Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    90
    >
     
  20. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    Today (3/9/05)

    I ran a full update of Ad-Aware Se and did a full update of Spybot S&D and did a full system scan with both. Neither did anything out of the ordinary. I even ran the scans at the same time and Ad-Aware did not list anything. I activated tea timer and scanned again with Ad-Aware...still nothing.

    Maybe this is just a glitch with some systems??
     
  21. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    411
    Location:
    London England UK
    Windows Privilege Escalation allows the following escalations of privilege :-

    ASSIGNPRIMARYTOKEN
    AUDIT
    BACKUP
    CHANGE_NOTIFY
    CREATE_PAGEFILE
    CREATE_PERMANENT
    CREATE_TOKEN
    DEBUG
    ENABLE_DELEGATION
    INC_BASE_PRIORITY
    INCREASE_QUOTA
    LOAD_DRIVER
    LOCK_MEMORY
    MACHINE_ACCOUNT
    PROF_SINGLE_PROCESS
    REMOTE_SHUTDOWN <----------- Perhaps AdAware used this one
    RESTORE
    SECURITY
    SHUTDOWN <----------- or this one
    SYNC_AGENT
    SYSTEM_ENVIRONMENT
    SYSTEM_PROFILE
    SYSTEMTIME
    TAKE_OWNERSHIP <----------- Seems pretty dangerous to me !
    TCB
    UNDOCK
    UNSOLICITED_INPUT <----------- What on earth is this for !?!

    I wonder which one Ad-Aware used to terminate Spybot S&D. I also wonder why Windows would have a "privilege escalation" function in its API. I also wonder why Windows has "create thread in another running program's workspace" and "inject code into another running program's workspace" functions in its API. o_O

    Sometimes, I think Windows is just far too open to ever be secure.
     
  22. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Graphic, I cannot answer your question but there appear to be many undocumented calls, maybe AA has found yet another :)
     
  23. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Rodehard, I completely understand what you are saying and I also agree that secure message handling is not a user friendly experience. But Windows was never built from the ground up with security in mind and there are a ton of ways to terminate a process. Looking at the post by Graphic Equaliser, some possibly undocumented. SMH can stop some termination attempts that's all I was trying to say. I personally don't like using it either though.

    I started playing with the apt.exe app Diamond offers to test terminating apps. Curiously if you protect security related apps from being read they do not even appear on the apt.exe list to be terminated and PG shows their prevention from being read as you refresh. That may offer a limited extra measure of protection against some attempts. But of course that's not going to stop another security app from reading the app if it has the rights to read other protected apps or stop all termination attempts.

    The more I learn about trying to secure windows, the more I learn it's almost impossible to actually nail it down completely. All these programs are evolving, but so is PG.
     
  24. snowfire

    snowfire Registered Member

    Joined:
    Feb 12, 2005
    Posts:
    38
    Hi! All,

    Fortunately I did not have "termination" problems. At least that I was made aware of via PG or any other of my security progs. But I was definitely having some problems...and the trail led to Ad-Aware (to the best of my humble non-expert knowledge).

    FYI... http://computercops.biz/postt109318.html
     
  25. webwatcher

    webwatcher Registered Member

    Joined:
    Mar 25, 2005
    Posts:
    1
    I'm glad that Lavasoft rectified the false positive with Spybot. But how about the remaining issues with Zerospyware, and other antispyware applications?
     