AppDefend Misses Changes to Online-Armor

Discussion in 'Ghost Security Suite (GSS)' started by siliconman01, Dec 7, 2005.

Thread Status:
Not open for further replies.
  1. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    I am running Online-Armor V1.1.0.542 as part of my security protection. When an upgrade to OA is released, OA downloads and installs the update. Then it requires a reboot to bring in the new software update. AppDefend does not detect the change on the reboot and any subsequent reboot. If I manually shutdown OA totally and then restart it, AppDefend issues its MD5 change alert at that point.

    This seems to me to be a substantial security hole in AppDefend.
     
  2. alley

    alley Registered Member

    Joined:
    Sep 8, 2005
    Posts:
    18
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi, I'm sure that Jason will get around to addressing these points in a later beta. Though Jason will be able to give you a more definitive answer I am sure :)
    BTW Siliconman, AD uses SHA256, not MD5; I am sure that was just a typo on your part ;)

    Pilli
     
  4. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    The reason it "gets past" AppDefend is due to the .Default rule, which has "Ask User / Allow" for executions. When the hash changes, AppDefend uses the .Default rule to make a decision on what to do, and since the GUI wasn't available to ask the user, it then allowed it. The log will be changed to make it clear that a hash has changed (at the moment it isn't obvious at all).

    If the default rule had "Ask User / Block" then Online Armor would have been stopped from executing.
     
  5. tlu

    tlu Guest

    Thanks, Jason, you confirmed my assumption. But wouldn't it make sense, then, to change the .Default rule for Rootkit Drivers to "Ask User/Block" since the installation of "normal" drivers is covered by RegDefend as pointed out by you some time ago?
     
  6. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Hi tlu,

    Yes, you are correct; such alterations in how the .Default rules work will be tweaked before the final release. At this moment in time the .Defaults are lax just to ensure compatibility and to allow beta testers to tweak them how they want.
     
  7. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Is there a mechanism that can load AppDefend/RegDefend/GSS at the "top of the heap" on system boot? This would permit a user alert to be issued when a valid "changed" service/program/registry entry is detected.

    On my system when I boot up, Ewido's icon is the first icon to show up in the systray. Then others straggle in. GSS shows up after Spy Sweeper and a few others pop in. It doesn't seem practical to me to set "ask user/block" for such programs as Online-Armor and Spy Sweeper which have their realtime monitors established as services. These programs would not start up at boot time with this option selected in AppDefend for them. However, with the "ask user/allow" option selected and the inability for AppDefend/GSS to alert until long after these services have loaded and are executing, such programs as OA and SS seem quite vulnerable to malicious changes potentially getting through.

    At least that's the way it seems to me....
     
  8. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Hi Siliconman,

    I will be working on improving the way AppDefend works with Windows to ensure it is #1, not only driver-based but also GUI-based. It will most likely have to wait for a point release after the final, but research has been underway for a while.
     
  9. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Thanks Jason for the feedback. Sounds great to me. Plus it sounds like it will be a significant competitive advantage once implemented.
     