AppDefend v1.000 Public Beta

Discussion in 'Ghost Security Suite (GSS)' started by Jason_R0, Nov 19, 2005.

Thread Status:
Not open for further replies.
  1. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    http://www.ghostsecurity.com/downloads/appdefend_betasetup.exe

    Uninstall all versions of RegDefend/Ghost Security Suite prior to running the above installer

    If you have problems with this beta it is very simple to fix. Simply boot into safe mode and uninstall the beta through the start menu.


    I am very pleased to be able to finally release a public beta of AppDefend. After many months of work and distractions (GhostWall and another yet to be announced feature) it is in a state which most people will be able to use effectively. It is still a little rough in some areas, so please be mindful of this, on the whole though it is working as it should. RegDefend has also been updated a bit, mostly through the GUI and some driver enhancements. Many thanks to the beta testers for providing testing and ideas throughout the development phase.

    AppDefend currently protects against :-
    1) Network access
    2) Process creation
    3) Process execution
    4) Global Hooks (DLL injection / Keyloggers)
    5) Process/Thread suspension and context modification
    6) Virtual Memory modification
    7) Remote Thread Creation
    8) Physical Memory access
    9) Termination of threads and processes
    10) Rootkit installation methods


    In this beta you will most likely be introduced to "George the Ghost", which is a small nag screen for people who have not purchased the components. It is purposely coming up often in this beta (5 minutes after the launch of gss.exe he will appear once), and will be reduced to only 2 or 3 times a month by the final build. I just wanted everyone to be able to see the nag screen and possibly provide any feedback regarding it.

    All in all there have been a lot of changes, and I hope to hear some feedback regarding the changes and AppDefend.
     


    Last edited: Nov 19, 2005
  2. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    AppDefend FAQ


    Permissions
    Each protection in AppDefend can be set to 5 different states :-

    BLOCK - This means the protection item will be blocked without popping up an alert
    ALLOW - This means the protection item will be allowed without popping up an alert
    ASK USER / ALLOW - This means a popup alert will occur when this protection item occurs. If for some reason it is unable to ask the user it will ALLOW it.
    ASK USER / BLOCK - This means a popup alert will occur when this protection item occurs. If for some reason it is unable to ask the user it will BLOCK it.
    DEFAULT - Use whatever is defined in the .Default rule

    When an alert occurs and the application isn't in your AppDefend list, it will use whatever is defined in the .Default rule also. This means if you don't like a protection which AppDefend has, you can easily disable it by setting it to "ALLOW".


    Network Access alerts
    Sometimes you will receive an alert which says "UDP Send" with "Unknown IP" and "Unknown Port". In the current build of AppDefend it is unable to obtain the port and IP address for UDP communications; this will hopefully be addressed in a future build.
     
  3. The Seeker

    The Seeker Registered Member

    Joined:
    Oct 24, 2005
    Posts:
    1,100
    Location:
    Adelaide
    Sounds interesting Jason. Just a question though, will users of ProcessGuard (like myself) benefit in any way from AppDefend? That is to say, does it have features that cannot be found in PG?

    Thanks :)
     
  4. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    It does have features not found in ProcessGuard, but whether or not those features are enough to make you want AppDefend, I am not sure. Some of my beta testers have run both side by side, I however don't see much point in running 2 somewhat similar security applications on the one system, I prefer the minimalist approach. :)

    If you are very happy with ProcessGuard and don't need the extra features and usability offered by AppDefend, then I would suggest you wouldn't need to try AppDefend. Of course, the beta is free to try and there is no harm in trying something new. :)
     
  5. james246

    james246 Registered Member

    Joined:
    Nov 5, 2005
    Posts:
    80
    Jason,
    Most potential buyers of Application Defend are probably already owners of Process Guard; your program, however, looks as though it may well be raising the bar to an even higher level. Can you list all the features and functions that are different in your program that would attract a user of ProcessGuard (such as myself) to jump ship? I am also particularly interested in how it handles rootkits.
    PS Congratulations on RegDefend, it is the best registry protector in the game.
     
  6. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    I don't want to sound too biased, and hopefully once more people have used AppDefend they can comment. Top 5 reasons why I personally use AppDefend now compared to ProcessGuard (used to be a ProcessGuard user myself :) ) are :-

    1) AppDefend is more efficient. Checksumming is done in the kernel driver (rather than in usermode, avoiding permissions issues and being at least a second faster). Faster list searching (used when checking what has which permissions). Better multi-threading technology ensures AppDefend works the best it can on multiprocessor / dual core systems and hyperthreading systems, whilst also taking less time on single processor systems.
    2) AppDefend has more protections, with the one I am happiest with being "Application Network Control". I don't like the major firewalls due to inefficient methods of dealing with applications dialing out, so have mostly gone without this luxury because I like a fast system. Now I can have this protection without slowdown.
    3) AppDefend can alert on every protection item rather than just execution like PG does. No more messed up installations because PG blocked something rather than asking.
    4) Configuration abilities, I can disable any protection I don't want/need. I can also log items that I want rather than things I don't need to worry about. AppDefend protects every application by default, no need to add every program you want protected.
    5) You can hash all the items in your list to see if anything has changed, integrity wise, and perform other maintenance activities (cleaning your list of applications no longer on system).
     
    Last edited: Nov 19, 2005
  7. The Seeker

    The Seeker Registered Member

    Joined:
    Oct 24, 2005
    Posts:
    1,100
    Location:
    Adelaide
    Wow that's a pretty impressive list of features; I guess I'll have to give this a go!
     
  8. James 246

    James 246 Guest

    It will be interesting to see how many leap from PG to AppDefend. For PG owners their program will be free for them to upgrade; for them using AppDefend instead will be extra cost, but AppDefend does look as though it is going to be magnificent.
     
  9. The Seeker

    The Seeker Registered Member

    Joined:
    Oct 24, 2005
    Posts:
    1,100
    Location:
    Adelaide
    I've been using it for a few hours now and I'm finding it remarkably stable for a beta program.

    I can certainly understand why you like the "Application Network Control" Jason, it's very, very handy. Running the Windows Firewall as I do (SP2) it's an added bonus to have this feature.

    System still feels nice and light yet very secure - a winning combination :)
     
  10. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    I'm testing it now, and it seems really impressive :)

    Very good for a beta version...

    When I installed it, "Limited free version" appears on the main window to the right of AppDefend.

    Will AppDefend have a free version with limited features, like network and program protection?

    Regards
     
  11. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    One nice feature to add would be a Learning Mode in AppDefend, like in ProcessGuard ;)
     
  12. xmen

    xmen Guest

    Okay, though, PG is pretty fast for me already.

    Hmm, but I could be wrong, but most people here like app control firewalls.
    Still, there's an elegance to the idea of adding this to app control as opposed to letting the firewall do it.

    Yes, I like this. That's also why i prefer stuff like prevx pro, which alerts on driver installs.

    Interesting point , with regards to the discussion here about auto-protection of all entries.
    https://www.wilderssecurity.com/showthread.php?t=100007

    IMHO The interface for Appdefend looks more logical than PG, and is a big improvement

    Nice little feature.

    Interesting, PG uses the weaker and broken MD5, no? Still, is this a really big problem?

    All in all, AppDefend looks like a much more user-friendly implementation of the same feature set as ProcessGuard. Very very nice, I always thought the way PG's interface worked was very strange.

    There are some additional security features, which as far as I can tell are the network control and the use of SHA-256 for hashing, but not a big deal I suspect for most people who run app control firewalls.

    Some other improvements are under the hood, I guess, with stuff like speed which is hard for me to measure anyway.

    Still I'm sure the smart money is on Appdefend being better and more well developed than PG not only now, but in the future...
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Jason, Very nice application. :)

    I especially like the Network Access protection.

    @VaMPiRiC_CRoW : Personally I do not see a need for learning mode as AppDefend works differently. Ref. Jason's post above:

    3) AppDefend can alert on every protection item rather than just execution like PG does. No more messed up installations because PG blocked something rather than asking.

    As far as I can see Jason has inserted some basic apps, thus obviating the need for learning mode, and this is also a safer way of doing things as the user is in control.

    @Jason. I notice you are using SHA-256 instead of the normal MD5 hash checks, is there a particular reason for this?

    Anyway keep up the good work :) Pilli
     
  14. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Excellent piece of software!! :D :D

    Go george!!

    Thanks Jason!!
     


  15. berng

    berng Registered Member

    Joined:
    Sep 11, 2005
    Posts:
    246
    Location:
    NJ, USA
    That is very nice. I had a driver blocked by PG and when the application finished installing, my system rebooted, whereupon I ended up with the BSD. When I tried to boot in safe mode, my system hung. I had to use ER Console to get back a usable system.

    I especially like that additional info is supplied when a process starts, like parent process name and network access. Reduces questions when a decision has to be made on a process.

    I did find a few minor issues when testing, and maybe we should start a separate thread for them-
    1. Balloon tip for register button in Ghost Suite is incorrect.
    2. The check now button always gives me "Status: Error downloading update file".
     
  16. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Tsk, tsk Jason, Aussies are supposed to be lounging on the beach, sunbathing and surfing during weekends, not releasing new security applications! :D

    This looks interesting so I'd like to add a few questions to those listed above also:
    • Termination protection - does this cover closing applications by clicking on the X at the top-right of their window? If so, does it include any method for checking whether this is user-initiated or not, like PG's Human Confirmation dialog?
    • "Rootkit Driver" permission - this really covers all driver installation, correct? If so, renaming it (e.g. to "Driver/Rootkit") would seem a very good idea to avoid painting every driver as malware.
    • "Keylogging" - does this only check for keyboard hooks or does it include the others (Mouse, MSGFilter, etc.)?
    • Any plans to include DDE (as highlighted by ZABypass) or other forms of data transfer between programs in order to block current and future leaktests?
    • Some of the options (e.g. Execute or Start Applications) could be usefully restricted, e.g. allowing execution with only certain parameters (useful for Java for applet-specific permissions and RunDLL for DLL-specific ones) or allowing only certain programs to be started. Any plans on this?
    See Slashdot: Meaningful MD5 Collisions - MD5 is not far away from being completely broken so a move to a stronger hash algorithm is timely.
     
  17. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    AppDefend will have a limited free version. I'm not sure what the limits will be, but in this beta there are no limits for the free version.
     
  18. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    I have created a new beta update point which isn't up and running yet. The new GUI points to the beta update point but there is nothing there for it to check at the moment. This is so that when I release public beta updates over the coming days you guys can easily grab them, without interfering with the existing RegDefend customers and their updating.

    Thanks for the tooltip reminders. :)
     
  19. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Thanks for the info :)

    The next build will have the option to choose what features we want to have enabled or disabled?
     
  20. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Hi Paranoid2000,

    Termination protection isn't currently handling "Windows Messages" or "End Task". End Task will be added soon, whilst Windows Message handling is still up in the air whether I will add it or not in the near future. The way it was done in ProcessGuard I am not happy about due to the way it has to be done in usermode, and can cause application instability. I have been researching better ways to protect this rather vulnerable area, so there is some hope it can be achieved in a secure, stable and fast fashion.

    Rootkit protection in AppDefend does not cover traditional driver installations (RegDefend handles that aspect), but rather the undocumented ways that the people who write rootkits like to use. So whilst RegDefend will alert mostly about non-malicious applications trying to install a driver, if AppDefend is alerting you about a rootkit/driver, you had better watch out. :)

    Keylogging isn't implemented yet, apart from in the GUI and RULES. I am still working on that particular protection along with the others I have mentioned.

    AppDefend does take into account the commandline if you add it, when processing permissions which removes the RUNDLL and SVCHOST issues which plague PG and the other similar security applications. The alert will also automatically take the commandline for those particular processes when auto remembering (not implemented yet, will be in next build).
     
  21. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Hi Pilli,

    AppDefend uses SHA256 for checksumming applications. MD5, whilst being a bit faster than SHA256, is on the verge of being totally insecure, even for executables. Rather than wait for the day that a hacker manages to sneak a faked MD5-hashed executable past it, it is better to prepare for the future now and make sure the checksum you are using doesn't have any known severe weaknesses.
     
    Last edited: Nov 19, 2005
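    The permission states from the AppDefend FAQ post (BLOCK, ALLOW, the two ASK USER fallbacks, DEFAULT with the .Default rule), the command-line-aware matching Jason describes for RUNDLL, and SHA-256 pinning of the image, modelled together in one small Python policy resolver. This is an added illustration, not AppDefend's own code; the rule layout, the protection-item names used as keys, the sample rundll32 rules and the fall-back to .Default when an image's hash no longer matches are all my assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Setting(Enum):
    BLOCK = "BLOCK"
    ALLOW = "ALLOW"
    ASK_ALLOW = "ASK USER / ALLOW"   # ask; allow if the user cannot be asked
    ASK_BLOCK = "ASK USER / BLOCK"   # ask; block if the user cannot be asked
    DEFAULT = "DEFAULT"              # defer to the .Default rule

@dataclass
class Rule:
    path: str
    sha256: Optional[str] = None   # pinned SHA-256 of the image, None = not pinned
    cmdline: Optional[str] = None  # None matches any command line
    perms: dict = field(default_factory=dict)  # protection item -> Setting

def find_rule(rules, path, cmdline):
    """A rule pinning the command line beats a path-only rule (rundll32 case)."""
    fallback = None
    for r in rules:
        if r.path.lower() == path.lower():
            if r.cmdline is None:
                fallback = fallback or r
            elif r.cmdline.lower() == cmdline.lower():
                return r
    return fallback

def decide(rules, default, path, cmdline, image, protection, ask=None):
    """Resolve one protection item to 'ALLOW'/'BLOCK'; ask=None means the user cannot be asked."""
    rule = find_rule(rules, path, cmdline)
    # Assumption (not on the page): an image whose SHA-256 no longer matches falls to .Default.
    if rule and rule.sha256 and hashlib.sha256(image).hexdigest() != rule.sha256:
        rule = None
    setting = rule.perms.get(protection, Setting.DEFAULT) if rule else Setting.DEFAULT
    if setting is Setting.DEFAULT:  # missing .Default entry -> ASK USER / BLOCK (assumption)
        setting = default.perms.get(protection, Setting.ASK_BLOCK)
    if setting in (Setting.ASK_ALLOW, Setting.ASK_BLOCK):
        if ask is not None:
            return "ALLOW" if ask(path, protection) else "BLOCK"
        return "ALLOW" if setting is Setting.ASK_ALLOW else "BLOCK"
    return setting.value

FAKE_IMAGE = b"MZ constructed sample image, not a real executable"  # constructed sample data
FAKE_HASH = hashlib.sha256(FAKE_IMAGE).hexdigest()
RUNDLL = r"C:\Windows\system32\rundll32.exe"
RULES = [
    Rule(RUNDLL, FAKE_HASH, "shell32.dll,Control_RunDLL", {"Process execution": Setting.ALLOW}),
    Rule(RUNDLL, FAKE_HASH, None, {"Process execution": Setting.ASK_BLOCK,
                                   "Network access": Setting.BLOCK}),
]
DEFAULT_RULE = Rule(".Default", perms={"Process execution": Setting.ASK_BLOCK,
    "Network access": Setting.ASK_ALLOW, "Rootkit installation methods": Setting.BLOCK})
```

    Passing an `ask` callback models an interactive desktop; leaving it out reproduces the FAQ's "unable to ask the user" branch, where the two ASK USER states resolve to their named fallback.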
  22. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    That's good to hear. While PG is currently the only program to offer human verification, it does have its downsides (popping up when responding to program prompts notably) so an improvement addressing this would be very attractive.
    Given the number of programs that can run others or perform variable actions from the command line (Start, Cmd, Mshta, etc) some form of "generic" parameter handling would be nice (e.g. parsing to pick out any other executable files listed as parameters and checking their permissions separately, a whitelist of known "good" parameters like the RunDLL parameter list here or an "allow with these parameters" option for users to decide).
     
  23. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    Congratulations Jason,

    A very impressive piece of software,
    it is fast, stable and a very innovative Security Application,
    which i think is a must-have!

    After all those years I have been working in ICT, I only see the development
    of things slowing down.
    Like waiting 6 years for a new Windows release.

    It is nice to see, that things can be different.
    This makes working in this field fun!

    Why not add Ghostwall in the Security Suite?

    :D
     
  24. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Ghostwall might be included in GSS one day, depending on certain things. It will however always remain a free firewall. :)
     
  25. controler

    controler Guest

    Nice job Jason

    I know there is a new PG beta 3200b2. I wonder if there will be any posting about the enhancements of it here?

    I still think the suite is the way to go.


    controler
     