AppDefend rules...

Discussion in 'Ghost Security Suite (GSS)' started by sweater, Mar 29, 2006.

Thread Status:
Not open for further replies.
  1. sweater

    sweater Registered Member

    Joined:
    Jun 24, 2005
    Posts:
    1,674
    Location:
    Philippines, the Political Dynasty Capital of the
    As an ordinary PC user who doesn't have in-depth knowledge of PCs, what is the general rule we should put in the Permissions tab for our anti-virus, anti-spyware and anti-trojan programs? Also browsers, office applications and some other known trusted programs? :rolleyes: :cautious: o_O
     
  2. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    sweater,
    If we are talking generalisations, then here is the way that I approached my rules.
    When setting up the rules I made the .Default entry set to "Ask User / Allow" for all categories apart from Self Terminate, which I have set to Allow (and I have Log ticked for each one).

    What I did was to wait for prompts from my programs, and if they were "trusted" then I would generally use Allow for a little while until I established that the behaviour being requested was frequent, at which point I click on "Allow Always".

    An exception to this is "Rootkit Drivers", as I haven't yet come across a valid application requesting this on my PC.

    Another exception to this is Network Access: what I generally do is set network access to "Ask User / Block" or "Block" for most things except for my browsers and local filtering proxy.

    That's a "general" approach that worked fairly well for me. The only thing that I find annoying is that there are some programs that want to execute a limited number of other programs, and I can only allow "execute anything" in the current design. Making it fully configurable like SSM would make it overly complex to maintain, I expect, but maybe a whitelist could be associated with "Ask User / Allow" to remove those annoying cases.

    Some annoyances that come to mind are Avant calling itself with "-helper", "-t" and "-tt", also Thunderbird calling talkback.exe on startup; the startup of Open Office causes a few prompts as well, which I would prefer to avoid.

    There has only been one instance where I wanted to have a blacklist (so far) and that was with Acrobat Reader, which also launches wisptis.exe (I expect there will be others as time goes by).
     
  3. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    That's basically what I'm doing too ..
     
    Last edited by a moderator: Mar 29, 2006
  4. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    I use this:
     

  5. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Execution set to allow is necessary only if you use a lot of different programs.

    Start application may be annoying for a program like WinRAR which starts a lot of different applications.

    Network access is to be used as a software application control firewall.

    Allow always for process modification can be dangerous (DLL injection).
    However, a lot of programs want to modify themselves... This is the case with most commercial packers.

    Allow always for memory access is even more dangerous...
    But it can be needed if you have an Nvidia graphics card...
    It's a temporary fix until the next beta.
     
    Last edited: Mar 31, 2006
  6. sweater

    sweater Registered Member

    Joined:
    Jun 24, 2005
    Posts:
    1,674
    Location:
    Philippines, the Political Dynasty Capital of the
    What do you mean by that? o_O :cautious: :blink:

    Ahh, ok, I checked that. I was then thinking that it's just another program. But what are the effects if I set it to that? :rolleyes: o_O :doubt:
     
    Last edited: Mar 30, 2006
  7. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    f3x already said the effects that you could have with my configuration...

    I set it like this to avoid a lot of annoying dialogs... :)
    And I like it to complement my firewall (CHX) ;)
    I will put 'Process Modification' and 'Physical Memory' on Ask User/Allow to see the difference...
     
  8. sweater

    sweater Registered Member

    Joined:
    Jun 24, 2005
    Posts:
    1,674
    Location:
    Philippines, the Political Dynasty Capital of the
    Ok, got it. ;)

    But maybe AppDefend will still be upgraded to have some kind of "additional" things on the permissions tab. That's maybe, because it has already put many of them in for making our programs well protected. :cool:
     
  9. tlu

    tlu Guest

    Yes, you should definitely do this for .Default since your settings heavily impact the security GSS offers to you. You can easily set these permissions to "Allow" for trusted applications if necessary, and you won't be bothered by annoying dialogs any more (... well, at least not that many ;)).
     
  10. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Until now it's working fine, without annoying me... :)
     
  11. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Hi Sweater.

    The default setting in AppDefend is right for a power user who wants to be warned of potential risk.

    When you set up your AppDefend, you have to think of three things.

    1) What level of security do you REALLY need
    2) What are the redundancy options
    3) How obtrusive do you want the HIPS to be.

    In my case:
    I try to avoid risky situations.
    For confirmed threats I have NOD32.
    For new threats NOD32's heuristics are really not that bad.
    If a new threat passes NOD32, it'll certainly trigger a bad behaviour monitored by RD, AD or the firewall.

    1) Setting execution to ask is the BEST way to get protected, IF and ONLY IF you take the time to check each prompt and assure yourself it's a program you want to run.

    I call this behaviour triple click. You double click to open the .exe file, then you click again to confirm you want it opened. In that situation it's not really useful (except if you accidentally execute a worm file in an email, for example).
    The most useful situation is to verify if a "trusted" program wants to execute a "rogue" program.

    You'll soon build a whitelist of trusted applications so you'll not have to constantly check each time you execute programs. However, if you do a lot of application testing, your whitelist can get cluttered and you'll need to clean the dust once in a while.

    PERSONALLY I have it turned to allow always as I assume that a bad program will be caught later. If I open a program I always want it to be opened.

    2) Start application: same idea as 1)

    3) Network access.... same as any application firewall

    4) Rootkit ... leave it on ask ... but be prepared to always block it.
    This section covers "special" ways of installing a driver.
    Those ways are generally used by rootkit authors.
    Normal installation of a driver is taken care of by RD.
    There is one exception to this rule, which is
    /windows/system32/smss.exe
    which loads win2k.sys on Windows 2000.

    5) Terminate another application. Set it to ask, but very few programs should use this.
    One exception is if you use the Task Manager to terminate a program,
    or if you see one Adobe thingy close a non-responsive Adobe Reader thingy.
    Use your common sense.

    6) Process modification.

    This is the hard category. Personally I think it should be split into other sub-categories. This happens when a process A injects a DLL into process B.
    This is really like A telling B:
    If action X happens .. execute code Y.

    The problem is Y. You don't know if Y is good code or not. Y can be a notification of where the mouse is, a notification of a link clicked (think download manager), or something else stealing a password.

    There are two kinds of process modification.

    Program A wants to modify program B:
    Try blocking once, then if something is broken allow next time.


    Part 1 of program A wants to modify part 2 of program A.
    This is mostly what I call a commercial packer.

    Program A is loaded in memory encrypted and only the small part that needs to be executed is decrypted on the fly. So part one decrypts part 2.
    It's also possible that part one opens a debugger on part two so no other debugger can attach to part two. All that stuff is useless, except it makes it harder for a medium level hacker to crack the program.

    One such commercial protection is Armadillo, and Ghost Security uses it on its own product. This is the only reason you see two GSS.exe in Task Manager. It's not one scanner and one GUI or anything else.
    I do not know if it's good or bad, but it should help to prevent hackers from playing with GSS and thus assure better revenue available for development of GSS.

    7) Memory access. Bad ... leave it on ask, but be prepared to always block.
    If a program has memory access to the kernel ... then it can do anything it wants .. even escape your antivirus and GSS.

    However, some low level components like ActiveX or other game / video related stuff absolutely need this low level access to be efficient with the video card. Allow only for trusted games.

    8) Keylogging...

    Does nothing in the current beta version. It should be interpreted as process modification. (I may be wrong on this one)


    9) Self terminate... every program should be able to kill itself.
     
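    As an added illustration (not code from this thread, nor from AppDefend/GSS) of the per-category rule scheme gottadoit laid out in post 2 and f3x walked through in post 11: a small Python model of a .Default entry with per-program overrides, plus the child-executable whitelist gottadoit wished "Ask User / Allow" had. The category names, program names and the whole rule set are constructed for the example; the real product's config format is not reproduced.

```python
# Added example, not code from the thread or from AppDefend/GSS: a model of the
# per-category permission rules the thread discusses, plus a hypothetical
# per-program whitelist of child commands for "Start Application".
from dataclasses import dataclass, field

ASK_ALLOW, ASK_BLOCK, ALLOW, BLOCK = "Ask User / Allow", "Ask User / Block", "Allow", "Block"
CATEGORIES = ("Execution", "Start Application", "Network Access", "Rootkit Drivers",
              "Terminate Application", "Process Modification", "Physical Memory",
              "Keylogging", "Self Terminate")

# Constructed .Default entry: ask (defaulting to allow) everywhere, Network Access
# asks but defaults to block, Self Terminate is allowed, Rootkit Drivers is blocked.
DEFAULT = {c: ASK_ALLOW for c in CATEGORIES}
DEFAULT.update({"Network Access": ASK_BLOCK, "Self Terminate": ALLOW, "Rootkit Drivers": BLOCK})

@dataclass
class AppRule:
    perms: dict = field(default_factory=dict)          # category -> action for this program
    child_whitelist: set = field(default_factory=set)  # hypothetical: known child commands

def decide(rules, program, category, child=None, answer=None):
    """Return (verdict, prompted) for one request; answer is the user's reply if prompted."""
    rule = rules.get(program, AppRule())
    action = rule.perms.get(category, DEFAULT[category])
    if category == "Start Application" and child in rule.child_whitelist:
        return "allow", False      # known child: no prompt and no blanket "execute anything"
    if action in (ALLOW, BLOCK):
        return action.lower(), False
    if answer is not None:         # Ask User: the person at the keyboard decides
        return ("allow" if answer else "block"), True
    return ("allow" if action == ASK_ALLOW else "block"), True   # unanswered: default half

def example_rules():
    """Constructed per-program rules in the spirit of the thread (not a real config)."""
    return {
        "firefox.exe": AppRule(perms={"Network Access": ALLOW}),
        "avant.exe": AppRule(child_whitelist={"avant.exe -helper", "avant.exe -t",
                                              "avant.exe -tt"}),
        "thunderbird.exe": AppRule(child_whitelist={"talkback.exe"}),
        "gss.exe": AppRule(perms={"Process Modification": ALLOW}),  # packed binary, self-modifies
    }

if __name__ == "__main__":
    r = example_rules()
    for req in [("firefox.exe", "Network Access", None), ("notepad.exe", "Network Access", None),
                ("avant.exe", "Start Application", "avant.exe -helper"),
                ("avant.exe", "Start Application", "unknown.exe"),
                ("setup.exe", "Rootkit Drivers", None), ("gss.exe", "Process Modification", None)]:
        print(req, "->", decide(r, *req))
```

    The second value in each result tells you whether the user would have been prompted, which is the "annoying dialogs" cost the thread keeps weighing against protection.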
  12. sweater

    sweater Registered Member

    Joined:
    Jun 24, 2005
    Posts:
    1,674
    Location:
    Philippines, the Political Dynasty Capital of the
    Thanks f3x, I've also taken note of that on my list for using AppDefend...;)
     