AppDefend and Ask User?

Discussion in 'Ghost Security Suite (GSS)' started by dja2k, Jan 25, 2006.

Thread Status:
Not open for further replies.
  1. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
I know this is a really technical question which might have different results, but I want to compare them.

Which programs specifically and/or Windows components should be handled with the allow once option instead of always allow to minimize threats? Knowing that the program won't run until allow once is pressed each and every time repeatedly and may become annoying for some users. This is in regards to execution only, as the program needs that first in order to go down the protected list.

    dja2k
    Last edited: Jan 26, 2006
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi, I can think of two, rundll32.exe & svchost.exe. In AppDefend I would normally have the allow once / ask user. By doing this each instance of a program installing using each of these will create a specific rule for that app only.
    I am sure others will also add to this basic information.

    Pilli
  3. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Thanks, I followed your advice on those two and have done the changes. Just to be right, the rundll32.exe that you first allow is the one with cmd line windows\system32\rundll32, then you say you put ask user / allow under execution?

    Same with svchost cmd line windows\system32\svchost.exe?

    Off topic in regards to my first post, but I have explorer.exe blocked always to do process modification, is that safe? I noticed that most of the time, explorer.exe tries to modify some programs, but if I block it, they still work.

    dja2k
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yes, you will find that the AD list will acquire various unique command lines for both rundll32 and svchost.

    This may not always be advisable, as Windows Explorer is a fundamental element of the OS; treat with care. As you have noticed no downside on your machine it may be OK, but beware. :)

    Pilli
  5. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Yes, I have noticed the various cmd line names. And about explorer.exe, well, I will allow them instead. Any others that may come to you as you keep using AppDefend, post please.

    dja2k
  6. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    I see others using allow once / ask user for regsvr32.exe, services.exe, regedit.exe, and regedt32.exe. Anyone know if these are advisable?

    dja2k
  7. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi dja2k.

    My full list of permit once appz is:

    c:\windows\hh.exe
    c:\windows\regedit.exe
    c:\windows\winhlp32.exe
    c:\windows\system32\cmd.exe
    c:\windows\system32\cscript.exe
    c:\windows\system32\ftp.exe
    c:\windows\system32\ipconfig.exe
    c:\windows\system32\javaw.exe
    c:\windows\system32\mshta.exe
    c:\windows\system32\msiexec.exe
    c:\windows\system32\net.exe
    c:\windows\system32\net1.exe
    c:\windows\system32\netsh.exe
    c:\windows\system32\ntvdm.exe
    c:\windows\system32\regsvr32.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\services.exe
    c:\windows\system32\tftp.exe
    c:\windows\system32\winhlp32.exe
    c:\windows\system32\wscript.exe
    c:\windows\system32\wbem\wmiadap.exe

    The list I have carried over from Process Guard, but AD remembers cmd lines used and stores them with the app info (not all appz though). The two main ones are rundll32 and svchost; I have a list of 12 entries for rundll32, and 4 for svchost, each with a different cmd line.
    The list is pretty extensive, and you probably don't need all of them. I would say the most important ones would be:

    c:\windows\regedit.exe
    c:\windows\system32\cmd.exe
    c:\windows\system32\cscript.exe
    c:\windows\system32\javaw.exe
    c:\windows\system32\regsvr32.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\services.exe
    c:\windows\system32\wscript.exe

    Hopefully someone else can verify the short list.
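The behaviour Pilli and tonyjl describe above, where rundll32 and svchost are kept on "ask user" and AppDefend stores a separate rule per command line it has seen, can be modelled in a few lines. The following is an added example written for this thread, not code from AppDefend or Ghost Security Suite, and its rule format is my own assumption: rules are keyed on the normalised executable path plus the exact command line, the paths in the prompt list are taken from tonyjl's short list, and anything with no matching rule falls through to "ask". The sample events are constructed.

```python
"""Toy execution-policy evaluator (added example, not AppDefend's own code).

Assumptions: a rule is (path, command line) -> decision; paths on the
PROMPT_ON_EXECUTE list never get a blanket allow, so a new command line
for rundll32 or svchost always prompts again, as the thread describes.
"""
import ntpath

ALLOW, ASK, BLOCK = "allow", "ask", "block"

# tonyjl's short list of binaries worth keeping on "allow once / ask user".
PROMPT_ON_EXECUTE = [
    r"c:\windows\regedit.exe",
    r"c:\windows\system32\cmd.exe",
    r"c:\windows\system32\cscript.exe",
    r"c:\windows\system32\javaw.exe",
    r"c:\windows\system32\regsvr32.exe",
    r"c:\windows\system32\rundll32.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\wscript.exe",
    r"c:\windows\system32\svchost.exe",  # Pilli's addition
]


def normalize_path(path: str) -> str:
    # Windows paths are case-insensitive; also strip quotes and odd separators.
    return ntpath.normpath(path.strip().strip('"')).lower()


def normalize_cmdline(cmdline: str) -> str:
    # Collapse whitespace so "a  b" and "a b" map to the same stored rule.
    return " ".join(cmdline.split()).lower()


class ExecutionPolicy:
    def __init__(self, always_allow=(), prompt_on_execute=PROMPT_ON_EXECUTE):
        self.always_allow = {normalize_path(p) for p in always_allow}
        self.prompt = {normalize_path(p) for p in prompt_on_execute}
        # Learned rules bound to one exact command line each.
        self.cmdline_rules: dict[tuple[str, str], str] = {}

    def decide(self, path: str, cmdline: str) -> str:
        key = (normalize_path(path), normalize_cmdline(cmdline))
        rule = self.cmdline_rules.get(key)
        if rule is not None:
            return rule            # a command line the user already answered
        if key[0] in self.prompt:
            return ASK             # prompt list: no blanket allow, ever
        if key[0] in self.always_allow:
            return ALLOW
        return ASK                 # unknown executable: default to asking

    def record_answer(self, path: str, cmdline: str, decision: str, remember: bool) -> str:
        """Store the user's answer. 'Allow once' means remember=False, so the
        same command line prompts again next time; a remembered answer binds
        to this exact command line only, never to the bare executable."""
        if remember:
            key = (normalize_path(path), normalize_cmdline(cmdline))
            self.cmdline_rules[key] = decision
        return decision


def demo() -> list:
    """Constructed events showing per-command-line rules for rundll32."""
    policy = ExecutionPolicy(always_allow=[r"C:\Windows\notepad.exe"])
    rundll = r"C:\WINDOWS\System32\rundll32.exe"
    control_panel = r"C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL"
    other_dll = r"C:\WINDOWS\system32\rundll32.exe C:\Temp\unknown.dll,Run"
    out = []
    out.append(("first rundll32 call", policy.decide(rundll, control_panel)))
    policy.record_answer(rundll, control_panel, ALLOW, remember=True)
    out.append(("same cmdline again", policy.decide(rundll, control_panel)))
    out.append(("different cmdline", policy.decide(rundll, other_dll)))
    out.append(("notepad (always allow)", policy.decide(r"c:\windows\NOTEPAD.EXE", "notepad.exe")))
    out.append(("unknown binary", policy.decide(r"C:\Temp\setup.exe", "setup.exe /s")))
    return out


if __name__ == "__main__":
    for label, decision in demo():
        print(f"{label:28s} -> {decision}")
```

The point of the `record_answer` rule is the one Pilli made: answering a prompt for one rundll32 command line must not silence prompts for every other rundll32 invocation, because the executable is the same while the DLL and entry point it is told to load are what actually matter.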
  8. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    I did have some of those but had to verify, but once again, thanks, Tonyjl.

    dja2k
  9. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    What is your opinion on explorer.exe? I have noticed the access physical memory thing a lot, even when I am just clicking on an avi file to be played. Should physical memory be allowed?

    dja2k
  10. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    This issue of "a lot" of physical memory alerts should be fixed in the newest beta. It has to do with your graphics card drivers (not that there is anything wrong with what it's doing...) and the way they work at the lowest level.
  11. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,040
    Location:
    South Texas, USA
    Okay thanks Jason for the update... will be waiting for the new release.

    dja2k