APT 1.9 - Testing Process Guard

Discussion in 'ProcessGuard' started by Pilli, Jun 5, 2004.

Thread Status:
Not open for further replies.
  1. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    The new Version of Advanced Process Termination 1.9 includes a new Termination method: From here:
    http://www.diamondcs.com.au/index.php?page=apt

    Here is what Wayne has to say about it with special regard to PG testing:

    - A new kill function has been added. This function, WinStationTerminateProcess, is located in the system32\winsta.dll file. It's completely undocumented so there's little risk of it being used by malicious software, but APT now gives you the option of using it. Please note that this kill method requires the Terminal Services service to be enabled, and this fact alone will also discourage trojan authors from using it.
    - Anti-hook code has been improved to ensure that processes can't use usermode hooks to prevent APT from working properly.
    - An "All" button has been added, which attempts to kill the target process using all available termination methods one at a time.
    - Because of the splitting of the Close Message kill methods and the addition of the WinStationTerminateProcess function there are now 9 kill methods (as opposed to 7 in the previous build), hence the version number of 1.9.

    There's no need for a Process Guard update - it already secures you against all 9 kill methods - yes, even the new WinStationTerminateProcess one. However, this kill method WILL kill Process Guard and protected processes but only if svchost.exe is allowed Terminate privilege, so ensure that svchost.exe doesn't have that privilege.
     
  2. mekon

    mekon Registered Member

    Joined:
    Apr 3, 2004
    Posts:
    10
    Calling Pilli. I'm posting with regard to my post at "PG disabling itself". I haven't DL'd APT 1.9 and yet I see in Sys32 that winsta.dll is there. There's a hell of a lot of stuff that put itself in the protected programs in learning mode on my fresh install of XP on the test hard drive. The only other things are a couple of Linux distros on that drive that I'm working with. All seem to be system stuff and have the usual blocked privileges except Read and Getinfo. But also they have all Allow privileges enabled, including Read and Getinfo, which doesn't make sense as they aren't blocked anyway. Amongst them is one entry for svchost.exe with all Allow privileges. Could this be the thing we're looking for that's causing PG to be compromised: winsta.dll using svchost.exe to shut down PG? I'm not giving up on this one. PG is a really good security tool. Mekon.
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Mekon, svchost needs to have its Allow Terminate flag disabled.

    You probably mean the checksum list?
     
  4. mekon

    mekon Registered Member

    Joined:
    Apr 3, 2004
    Posts:
    10
    Hi Pilli. This is not a good idea, posting on different discussions. I've just posted on the other one, but now have taken your advice to remove the Terminate flag from the Allow list for svchost.exe. It might have been good to leave it running to see if that really is the cause of these disabling problems, but even as it is, if PG still disables itself, at least we'll know it's not a svchost.exe related problem. Mekon.
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    OK Mekon, I have replied in the other thread :)
     
  6. tech-addict

    tech-addict Registered Member

    Joined:
    Dec 21, 2003
    Posts:
    71
    I just blocked svchost.exe from having Terminate privilege and got this logging:

    8 Jun 02:10:14 - [P] c:\windows\system32\svchost.exe [1092] tried to gain TERMINATE access on c:\windows\explorer.exe [1588]
    8 Jun 02:10:46 - [P] c:\windows\system32\svchost.exe [1092] tried to gain TERMINATE access on c:\windows\system32\winlogon.exe [752]
    8 Jun 02:10:46 - [P] c:\windows\system32\svchost.exe [1092] tried to gain TERMINATE access on c:\windows\system32\csrss.exe [704]
    8 Jun 02:10:48 - [P] c:\windows\system32\svchost.exe [1092] tried to gain TERMINATE access on c:\windows\explorer.exe [1588]

    What should be changed now ? :doubt:

    TIA
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Tech-Addict,
    Nothing, your PC is still working as you would expect, I presume?
    A few entries like that are not usually a problem, as svchost is just trying to see what it can do. Normally it has no ill effect.
    Only if you get continual entries, i.e. scrolling continuously, should you worry; then you can change the Allows or add an offending program, providing it is trusted.

    Here are a few lines from my log in a normal session, none of which cause any problems on this PC:

    8 Jun 06:31:46 - [P] c:\winnt\system32\svchost.exe [796] tried to gain TERMINATE access on c:\winnt\system32\winlogon.exe [548]
    8 Jun 06:31:46 - [P] c:\winnt\system32\svchost.exe [796] tried to gain TERMINATE access on c:\winnt\system32\csrss.exe [524]
    8 Jun 06:31:47 - [EXECUTION] c:\winnt\system32\rundll32.exe with commandline rundll32.exe nvcpl.dll,nvcplmanageusersettings 3 was ALLOWED to run
    8 Jun 06:31:52 - [EXECUTION] c:\program files\spywareguard\sgbhp.exe with commandline "c:\program files\spywareguard\sgbhp.exe" was ALLOWED to run
    8 Jun 06:31:54 - [HOOK] c:\program files\webwasher\wwasher.exe [356] was blocked from creating a global CBT hook [00000005][00000000]
    8 Jun 06:32:12 - [EXECUTION] c:\program files\mailwasher pro\mailwasher.exe with commandline "c:\program files\mailwasher pro\mailwasher.exe" was ALLOWED to run
     
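    As an added example (not code from the thread or from DiamondCS), here is a small parser for the ProcessGuard log format quoted above that applies Pilli's rule of thumb: a few blocked TERMINATE attempts per boot are noise, while a source that keeps hammering a protected process is worth looking at. The svchost and hook lines copy the thread's format; the "unknown.exe" burst and the target path "c:\protected\guarded.exe" are constructed for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the svchost and hook lines copy the format quoted in the thread;
# the "unknown.exe" burst and the target "c:\protected\guarded.exe" are invented.
SAMPLE_LOG = r"""
8 Jun 02:10:46 - [P] c:\windows\system32\svchost.exe [1092] tried to gain TERMINATE access on c:\windows\system32\winlogon.exe [752]
8 Jun 02:10:46 - [P] c:\windows\system32\svchost.exe [1092] tried to gain TERMINATE access on c:\windows\system32\csrss.exe [704]
8 Jun 06:31:54 - [HOOK] c:\program files\webwasher\wwasher.exe [356] was blocked from creating a global CBT hook [00000005][00000000]
8 Jun 06:40:00 - [P] c:\temp\unknown.exe [1234] tried to gain TERMINATE access on c:\protected\guarded.exe [900]
8 Jun 06:40:01 - [P] c:\temp\unknown.exe [1234] tried to gain TERMINATE access on c:\protected\guarded.exe [900]
8 Jun 06:40:01 - [P] c:\temp\unknown.exe [1234] tried to gain TERMINATE access on c:\protected\guarded.exe [900]
8 Jun 06:40:02 - [P] c:\temp\unknown.exe [1234] tried to gain TERMINATE access on c:\protected\guarded.exe [900]
8 Jun 06:40:03 - [P] c:\temp\unknown.exe [1234] tried to gain TERMINATE access on c:\protected\guarded.exe [900]
"""

LINE_RE = re.compile(r"^(?P<ts>\d{1,2} \w{3} \d\d:\d\d:\d\d) - \[(?P<kind>[A-Z]+)\] (?P<rest>.*)$")
TERM_RE = re.compile(r"^(?P<src>.+?) \[\d+\] tried to gain (?P<access>[A-Z_]+) access on (?P<dst>.+?) \[\d+\]$")

def terminate_attempts(log_text):
    """Yield (timestamp, source, target) per blocked TERMINATE attempt. [HOOK]/[EXECUTION]
    lines and other access kinds are skipped; no year in the log, so 1900 is used for timing."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["kind"] != "P":
            continue
        t = TERM_RE.match(m["rest"])
        if not t or t["access"] != "TERMINATE":
            continue
        yield datetime.strptime(m["ts"], "%d %b %H:%M:%S"), t["src"].lower(), t["dst"].lower()

def find_bursts(log_text, window=timedelta(seconds=10), threshold=5):
    """Return {source: peak} for sources whose TERMINATE attempts reach `threshold`
    inside any `window` span: the 'scrolling continuously' case, not a few per boot."""
    by_src = defaultdict(list)
    for ts, src, _ in terminate_attempts(log_text):
        by_src[src].append(ts)
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop timestamps older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[src] = peak
    return bursts
```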
  8. tech-addict

    tech-addict Registered Member

    Joined:
    Dec 21, 2003
    Posts:
    71
    Ok, I will just live with the logging since it's just 4 entries on every boot.
    Thanks for the info. :)
     
    Last edited: Jun 9, 2004