Appdefend incompatibility list

Discussion in 'Ghost Security Suite (GSS)' started by f3x, Dec 12, 2005.

Thread Status:
Not open for further replies.
  1. f3x

    f3x Guest

    Well, pretty much every security application has incompatibilities with other products, especially if it's in beta. Here are two programs that I found either not working or hardly working with AppDefend.

    Security task manager
    http://www.neuber.com/taskmanager/

    Program Start
    AppDefend asks for ascode.dll debug privilege
    GUI hangs, cannot respond
    Pressing Ctrl-Alt-Del unfreezes it
    I choose Allow Once for each alert

    Then at the real scanning time the GUI hangs
    Ctrl-Alt-Del cannot unfreeze the situation
    The screen looks frozen, except each time I press Ctrl-Alt-Del,
    I have a new task manager in the system tray

    Fortunately Windows-L (switch user) was working
    and I could unfreeze it


    ---------------------------------------------------
    a-squared Background guard
    http://www.emsisoft.com/en/software/personal/

    Well, this time things went a bit smoother.
    However, the guard wanted to memory write/memory protect each running process.
    I let it do so ... well, I figured it was a way of protection.

    However, now each process that started a child process tried
    to memory write/memory protect its child.

    The result is that the computer became almost unusable because of too many popups,
    and I did not want to disable AppDefend.

    My guess is that a² is using a viral strategy for its protection.
    It "infects" each current process and then those processes will "infect"
    their children so the system can be guarded against spyware.

    While I know the goal was good, I'm not sure it's the best way to act,
    as I guess the resource overhead will be added to every single process on the machine.

    As it was only a trial, I uninstalled it immediately.

    -----------------------------------------------------

    First of all, thank you Jason for making such a good product.
    Then, thank you again, as your product helped me avoid installing this
    "dll injection monster" that was a-squared.

    However, having some extra rules, for example
    allowing parent processes to kill/modify their children,
    would be useful.

    For the Security Task Manager, I'm sure 95% of the issue is bad coding on their part; however, having some sort of freeze detection and recovery in GSS would make this product even better.
     
  2. nick s

    nick s Registered Member

    Joined: Nov 20, 2002
    Posts: 1,430

    Hi f3x,

    After playing a bit with Security Task Manager and AD, I would not say they are incompatible. You should give STM blanket permission to modify processes. That is what it needs to do its job. When STM starts, I get four global hook alerts from AD: Get Message Hook, Keyboard Hook, MSG Filter Hook, and System Message Filter Hook. You have to respond to the alerts quickly, otherwise STM will hang (screenshot below). Once you get past that, you will get one of these alerts for every process STM looks at:

    21:18:51 12 Dec 2005 | AppDefend | Allowed process modification [global hook] performed by taskman.exe | g:\program files\security task manager\taskman.exe | g:\windows\explorer.exe |

    Again, STM will hang waiting for you to click Allow Once at every alert. STM seems to start and run with no problems once you allow it to modify processes. You should give your trusted security apps whatever permissions they need to function.

    Nick
     


  3. f3x

    f3x Guest

    Well this one is as incompatible as it can get:
    http://www.snoopfree.com/PrivacyShield.htm

    As soon as we can see the two eyes in the system tray, the computer reboots.
    I guess the problem is that it's loading BEFORE GSS.

    I downloaded it after reading a post on DiamondCS about spying applications (partypoker) with printscreen etc. I was wondering, since GSS protects against some privacy threats such as keyloggers, is there any plan to extend to new functionality such as screen access?
     
  4. ringsong

    ringsong Guest

    not a bad idea at all.

    check this out for some scariness:

    http://www.pcinternetpatrol.com/page/view/49

    somehow, it gets through appdefend even when I block its internet access.
     
  5. Jason_R0

    Jason_R0 Developer

    Joined: Feb 16, 2005
    Posts: 1,038
    Location: Australia

    Hi f3x,

    One of my beta testers has run SnoopFree and AppDefend successfully together. With all of your crashes, I am just wondering if there is something else wrong on your system.

    Would you mind emailing me the crash minidump from these BSOD so I can analyze your problem?
     
  6. Jason_R0

    Jason_R0 Developer

    Joined: Feb 16, 2005
    Posts: 1,038
    Location: Australia

    Hi ringsong,

    Actually, maybe you "accidentally" let PCAUDIT install its global hook, which would allow it to inject into other processes and use them as hosts for internet activity.

    When I blocked the GLOBAL HOOK from occurring, I couldn't get past "Step 1. Capturing User Information".
     
  7. Rodehard

    Rodehard Registered Member

    Joined: Feb 20, 2004
    Posts: 90

    I'm running AppDefend, RegDefend, SnoopFree and KAV 5.388 with no problems so far on my gaming PC.
     
  8. Jason_R0

    Jason_R0 Developer

    Joined: Feb 16, 2005
    Posts: 1,038
    Location: Australia

    Here is the blocked Global Hook alert copied from the log.

    13:29:30 14 Dec 2005 | AppDefend | Blocked process modification [global hook] performed by pcaudit.exe | c:\program files\ghostsecuritysuite\pcaudit.exe |
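
A log-triage sketch for the point made in this thread that an allowed global hook lets a program act through other processes. This is an added example, not part of any post and not Ghost Security Suite code; the field layout is assumed from the two log lines quoted in the thread, and the third sample line is constructed.

```python
import re
from datetime import datetime

EVENT_RE = re.compile(
    r"^(Allowed|Blocked) process modification \[([^\]]+)\] performed by (.+)$")

# Lines 1-2 are the entries quoted in the thread; line 3 is CONSTRUCTED to show
# the case ringsong describes (pcaudit.exe allowed to set a global hook).
SAMPLE_LOG = r"""
21:18:51 12 Dec 2005 | AppDefend | Allowed process modification [global hook] performed by taskman.exe | g:\program files\security task manager\taskman.exe | g:\windows\explorer.exe |
13:29:30 14 Dec 2005 | AppDefend | Blocked process modification [global hook] performed by pcaudit.exe | c:\program files\ghostsecuritysuite\pcaudit.exe |
13:31:02 14 Dec 2005 | AppDefend | Allowed process modification [global hook] performed by pcaudit.exe | c:\program files\ghostsecuritysuite\pcaudit.exe | c:\windows\explorer.exe |
"""

def parse_line(line):
    """Return a dict for a process-modification entry, or None for anything else."""
    fields = [f.strip() for f in line.strip().split("|")]
    if fields and fields[-1] == "":
        fields.pop()  # entries end with a trailing "|"
    if len(fields) < 4 or fields[1] != "AppDefend":
        return None
    m = EVENT_RE.match(fields[2])
    if not m:
        return None
    return {
        "time": datetime.strptime(fields[0], "%H:%M:%S %d %b %Y"),
        "verdict": m.group(1).lower(),
        "method": m.group(2),
        "actor": m.group(3),
        "actor_path": fields[3].lower(),
        # Blocked entries in the thread carry no target field.
        "target": fields[4].lower() if len(fields) > 4 else None,
    }

def allowed_global_hooks(log_text):
    """Map each program that was ALLOWED a global hook to the targets logged for it."""
    result = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["verdict"] == "allowed" and entry["method"] == "global hook":
            result.setdefault(entry["actor_path"], set()).add(entry["target"])
    return result

if __name__ == "__main__":
    for path, targets in sorted(allowed_global_hooks(SAMPLE_LOG).items()):
        print(path, "->", sorted(t for t in targets if t))
```

Any program listed by `allowed_global_hooks` should be one you deliberately trust, since network prompts for the hooked processes no longer tell you who is really talking.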
     
  9. ringsong

    ringsong Guest

    Sorry Jason,

    Let me clarify that.

    Since the other guy was talking about how screenshot protection might be useful, I tried to see what would happen if I did in fact give pcaudit global hook permission.

    After giving it global hook permission (I assume this is only for the keylogging part) it successfully sent data (including a screenshot) through the internet.

    I blocked it from network access but it still managed to get through. I don't know how.

    So I was thinking that maybe a program like that, except without the keylogging part (so it won't need global hooks), will be able to send screenshots through the internet even though I block internet access.

    is it possible?

    Try to give it global hooks and see what happens and let me know if that is something to worry about.
     
  10. ringsong

    ringsong Guest

    And also, with appdefend shutdown, using only my firewall I successfully blocked the test.

    My only concern here is how does it send information from my computer to the internet even though I press block on the network access prompts from appdefend. On my test I was using appdefend only. With my firewall shutdown.

    This means that any app can send data and screenshots right through appdefend using the same method as pcaudit. :(
     
  11. ringsong

    ringsong Guest

    btw, the firewall i use is look & stop and it blocks the pcaudit test with no probs.
     
  12. Jason_R0

    Jason_R0 Developer

    Joined: Feb 16, 2005
    Posts: 1,038
    Location: Australia

    Hi Ringsong,

    Do any of your applications in the list have NETWORK ACCESS set to allow? If so, try setting them back to ASK USER. AppDefend doesn't cover NEW DLLs using existing processes to communicate out through the internet like LnS would. Mostly because it already covers most of the DLL injection methods these sorts of programs use. Hope that helps.
     
  13. ringsong

    ringsong Guest

    hi Jason,

    there are absolutely no applications that i allow network access for.

    I like to press allow at each prompt and that's how i've been using appdefend through my trial which is about 5 days from expiration.

    i'd like to see if i can get it to fully block pcaudit before my trial is up.

    Jason, have you tried allowing global hooks for pcaudit? If not please try.

    After you allow global hooks, you are done for. pcaudit will pass through appdefend even if you answer BLOCK to the network prompts.

    When you block global hooks that is just stopping the keylogging. And the way pcaudit was made does not allow you to pass to the next step unless it logs something. So you might think it was blocked....

    But this also means that if another application based on the pcaudit technology wants to send some info through the internet without keylogging then it can be done. All right under AppDefend's nose.

    please try it and you will see. I have tested it almost 100 times in every possible way and it gets by appdefend every time.

    just allow global hooks and you will see that pcaudit can access the internet even if you block the network access prompt.

    It's very strange. Please, if anyone else can try it and confirm so Jason will know I'm not crazy. pleeeasse.
     
  14. Jason_R0

    Jason_R0 Developer

    Joined: Feb 16, 2005
    Posts: 1,038
    Location: Australia

    Hi ringsong,

    I will have to check, but it could be a possibility that it uses RAW sockets to connect out. If this is the case then as mentioned in the release thread, AppDefend currently won't catch it, a future build will however.
     
  15. f3x

    f3x Guest

    Normally I'd not have any problem sending them to you.
    However, I'm not sure the dump even took place.
    It just rebooted without any form of blue screen,
    nor anything after the next boot.

    I am currently thinking about it, and maybe it's because I have set some settings to ask/block instead of ask/enable.

    On another point you are totally right. I used Sysinternals's autorun and I realised that I have too many .sys drivers. However, I do not want to play with those directly; I prefer to identify which application they belong to and uninstall them if necessary.

    HKLM\System\CurrentControlSet\Services

    + a347bus Plug and Play BIOS Extension (Not verified) c:\windows\system32\drivers\a347bus.sys

    + a347scsi SCSI miniport (Not verified) c:\windows\system32\drivers\a347scsi.sys

    + AMON Amon monitor (Not verified) Eset c:\windows\system32\drivers\amon.sys

    + AnyDVD AnyDVD Filter Driver (Not verified) SlySoft, Inc. c:\windows\system32\drivers\anydvd.sys

    + ElbyCDFL ElbyCDIO Filter Driver (Not verified) SlySoft, Inc. c:\windows\system32\drivers\elbycdfl.sys

    + ElbyCDIO ElbyCD Windows NT/2000/XP I/O driver (Not verified) Elaborate Bytes AG c:\windows\system32\drivers\elbycdio.sys

    + GEARAspiWDM CDRom Class Filter Driver (Verified) GEAR Software Inc. c:\windows\system32\drivers\gearaspiwdm.sys

    + ghostsec Ghost Security Unified Driver (Not verified) Ghost Security c:\program files\ghostsecuritysuite\ghostsec.sys

    + NPF npf (Not verified) CACE Technologies c:\windows\system32\drivers\npf.sys

    + PxHelp20 Px Engine Device Driver for Windows 2000/XP (Not verified) Sonic Solutions c:\windows\system32\drivers\pxhelp20.sys

    + snapman Acronis Snapshot API (Not verified) Acronis c:\windows\system32\drivers\snapman.sys

    + timounter TrueImage Backup Archive Explorer (Not verified) Acronis c:\windows\system32\drivers\timntr.sys

    + WinDriver WinDriver Device Driver 5.05b (Not verified) Jungo c:\windows\system32\drivers\windrvr.sys
     