Application to prevent process termination

Discussion in 'other anti-malware software' started by n8chavez, May 14, 2008.

Thread Status:
Not open for further replies.
  1. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,305
    Location:
    Location Unknown
    Okay, I nearly have my security setup complete. I'm relying heavily on Sandboxie, as I am now going with a scannerless setup. But I'm not that worried about it. SBIE has always been great. But I am a little wary of its process being terminated, thus my security compromised. I'm looking for an app that can prevent process termination without having to use a classical (rule-based) HIPS. Is there such a thing?

    I've heard of taskcatcher but was never able to install it; whenever I tried the installer would launch yet nothing would happen.

    Any ideas?
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Hello there n8chavez

    I sympathize with your interest in something like that. TaskCatcher just doesn't cut it with me either, but I'm trying my darnedest to see if I can make a HIPS protect apps from termination, because I don't know of a single app that's been given attention to keeping programs from termination short of the way System Safety Monitor has been able to do, but I have since moved away from it for EQS.

    Very good question n8chavez and a very valid topic, and I'm also curious just what, if anything, might be suggested that can help make that possibility finally a reality without having to add a whole security program.

    A nice standalone would be great.

    EASTER
     
  3. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,305
    Location:
    Location Unknown
    I'm tempted to go with EQSecure again and I know that would solve my issue. But I don't like the idea that with classical HIPS you need to set rules for everything. It's very hard to remember everything that you might eventually need to do so the rule(s) can be created before I make an image. Also, at least this is the case with EQS 4b2, I've never been able to get the sandbox to work right. But that's why I have SBIE.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Hi n8chavez

    You're not missing what you're discovering with EQS Sandbox, it's not complete even though it is a nice feature IF they repair its issues and finally have it perform as we expect it to. I don't use it although I have tried it and it shows promise!

    That's why I'm very impatient and anxious for EQS 4.0 final because if they fix that sandbox and it works to everyone's satisfaction, that will change everything. I still want them (if they will) to use like SSM's "keep this process in memory" so we can LOCK apps from being terminated.

    EQS representative posted tonight but on ProSec, but I sent a PM and a post asking when we might expect to finally experience EQS at its best.
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Is this software terminated? Is it still good enough?
    http://www.diamondcs.com.au/advancedseries/apt.php

     
  6. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Ask Tsuk!
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Advanced Process Termination (APT) from DCS doesn't prevent termination, but it does test whether a process can be terminated.

    I just tested it using Sandboxie. Ran APT sandboxed. ALL of APT's kill and crash tests failed.

    Also you can configure Sandboxie so that nothing but your browser can run in the sandbox.

    So unless you are worried about something coming from somewhere other than a browser you are covered.

    Pete
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    OK. Thanks for the explanation.
     
  9. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,305
    Location:
    Location Unknown
    I guess I'm worried for no reason. But there have been a couple of times when I noticed that Opera wasn't sandboxed and it was supposed to be. I have it set up so that it is forced, so that means that the process wasn't running. At least I think that's what it means. That's my worry. If SBIE is in any way bypassed then I'm completely vulnerable.

    I am trying out AnVir's Security Suite. I like it, it's a good replacement task manager. I was on their forum the other day and suggested to them that they implement process protection into their application. They responded by saying that it was a good idea and that they'll discuss it, whatever that means.
     
  10. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    You can use Processguard from Diamond CS and add different processes to the list to protect against termination. You will be stuck using the free version as you can't get a license for the full version any more.
     
  11. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    It is interesting, if you run Apt not sandboxed, will SBIE prevent sandboxed browser from termination by Apt?
     
  12. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408

    You could always e-mail Bill at support@WinPatrol .com (without the space of course)
    I know it says WinPatrol but it's the same Bill.
    I'm sure he would be happy to help.
    Myself, I've never had any problems with either WinPatrol or TaskCatcher, ever.
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Have you considered using a HIPS with monitoring turned off for all item types you don't care to monitor?

    Comodo Firewall 3 could achieve such a setup, I believe. Turn off monitoring of all items except process termination. Specify those programs you wish to protect from process termination. Also, in Computer Security for item 'All Files' (or 'All Applications' or something similar), allow all process terminations, and make sure this entry is moved to the beginning of the list. This setup, I believe, will protect only those programs you specified from termination, without other alerts.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Don't know. I don't see, at least for me, a plausible scenario. The whole point is something coming down the pike while browsing, so how does it get on the system to do what you are asking?

    Pete
     
  15. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,305
    Location:
    Location Unknown
    No, if I understand you correctly, SBIE can prevent process termination only from sandboxed applications. Of course the applications you want to protect have to be listed as protected. Please see below for further explanation.
     

    Attached Files:

  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Not really. I just ran APT sandboxed, and picked a process at random. Didn't add it to any settings. Sandboxie prevented all termination attempts.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    The only security program that I've had plenty of positive experience with in protecting full closure of running processes has been System Safety Monitor. If for whatever reason any app you set it to "keep process in memory" happens to either crash or is forced closed, SSM immediately restarts it again and again to infinity.

    I don't know of any standalone app that can do that, and all other HIPS to my knowledge don't bother to implement this protective procedure except SSM, and of course it's a HIPS.

    EASTER
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    You are right about SSM. But Prosecurity also protects against termination. But all HIPS programs require the user to do the right thing with the pop-up.

    Sandboxie doesn't require user intervention. No pop-ups. If a program is running sandboxed it can't terminate another process, period. That's a big advantage.
     
  19. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,305
    Location:
    Location Unknown
    You are correct Peter. However, if you are using SBIE as your main security application, especially to protect against process termination, then you have essentially made the SBIE process(es) extremely valuable and vulnerable, as there is nothing in place to prevent them from being terminated. That's where I am, and why I'm looking for help in addition to SBIE.

    Let me just expand on a few things:

    That is a very good idea. I admit I like SSM better than any other HIPS both because it was the first one I used and because it has an option to restart terminated processes. That sounds like exactly what I'm looking for, right? Well, it is. Except that there seems to be some sort of compatibility issue between SBIE and SSM; programs that are launched as sandboxed take about ten minutes to load, if they ever do. I've tried installing SSM five times, each with the same result. If it comes down to SBIE or SSM I'll choose SBIE every time.

    Correct. Let me clarify what I meant. One of two things has to be in place; either the program doing the terminating must be sandboxed or the programs you want to prevent from being terminated must be protected via SBIE's settings.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Exactly on several points. I run Sandboxie, and OA paid. I also run SSM as a sort of backup. That's it. The three play fine for me on 4 machines.
     
  21. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,305
    Location:
    Location Unknown
    That's weird. I wonder why it doesn't function correctly on my system. Do you have the paid version? Are all the modules enabled?
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    I have paid versions of all 3. They all work fine for me.

    Pete

    PS. I don't have any type of scanners on board.
     
  23. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    ;) Hey Peter, I know Mike won't mind but from the OA home page,
    "Online Armor also provides powerful protection against keystroke records and even filters your email messages to weed out banking scams. While you're surfing the web, Online Armor filters web pages that you visit to remove potentially dangerous content."

    Now that sure as heck is as close to "scanning" as you can get in my viewpoint. Just having some fun my friend. I figure as long as Avira is not set to do a pre-scheduled scan, then I don't use a scanner either. ;)
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Okay, not scanning in the sense of AV's and AS's.
     
  25. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Can't argue with an honest man. :thumb: ;)
     