Auto protect applications

Discussion in 'ProcessGuard' started by Rasheed187, Oct 2, 2005.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    Hi,

    Is it possible to make PG scan all of the running processes at startup and then notify you that some applications/services are not yet protected? Because I totally forgot to add protection for two apps that I'm running all the time.

    So that means that a trojan could modify the two apps that weren't protected yet, and all of my defence is kind of useless, right? I mean, now you have to keep track of all the apps that need protection yourself. :rolleyes:
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    PG will not scan for anything, tho it does have a default list of protected apps. u can run learning mode and if it needs permission like global hooks it will be added to the protected list. otherwise ull just have to add the apps manually.
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Learning Mode should pick these programs up during a reboot. If not, the next new version might do better at detecting them anyway, even without additions to Learning Mode.

    We are planning on including a slight addition to Learning Mode for the new version; it will check all current processes and add them too, I believe. We are still making sure it's designed right and working right before including it in this upcoming version.

    A few extra Windows services are also being added to the default list.
     
  4. Rasheed187

    I never used the learning mode; I didn't know it added basic protection to each application you run. And I assume "basic protection" means protection from modification, right? Because now that I think of it, my request in the first post wasn't that smart: it's not just about processes that you run on startup, but also about new applications that you start; they need protection too.

    But shouldn't PG just protect all processes from suspicious/malicious behaviour, without you having to add certain rules? And if PG gives protection to a malicious process it isn't a problem, right? Because all of your anti-malware tools should of course have the option to modify/terminate/read other processes, am I correct? o_O
     
  5. WSFuser

    like i said, PG's learning mode will first add processes to the security list and then if the process needs hooks or other permissions, it will also be added to the protection list. PG would first block processes from modifying another unless it has permission to modify apps, so it's not terribly crucial to have every executable protected. also if PG protected malware then ur security software should remove it (it may need permissions from PG to terminate apps) and then PG will remove the nonexistent (malware) file from its list.
     
  6. Rasheed187

    OK, so let me get this straight: even if a process has no specific protection rule, it is still being protected by PG?

    For me it seems logical that only certain services/apps that need to be able to do stuff need certain privileges. And all other processes must not be allowed to do stuff, of course.

    So what I basically don't understand is why I need to protect, for example, IE.exe from modification. I mean, it should have been protected anyway, right? o_O
     
  7. Gavin - DiamondCS

    Nothing is protected unless it is in the list. This is why PG starts in learning mode and adds protection for Windows services and the programs you use.

    Nothing OUTSIDE the list can interfere with PROTECTED programs. Only something on the list with ALLOW modify or ALLOW terminate for instance.

    Something TRUSTED however, could still need to modify a protected program, hence the ALLOW options. Iexplore.exe might need to install a global hook, SMSS.EXE will need to modify another process.. sometimes these things happen.

    Just a little additional info - the default list in the next version is a bit bigger, but most importantly we've verified all the places where REMOVING allow access for a critical process could cause a problem. PG now doesn't allow the removing of certain volatile ALLOW options for some Windows services, meaning no chance of blocking something Windows needs to start or for the user to login.
     
  8. Gavin - DiamondCS

    Oh.. and the one which might catch you out:

    ANY PROCESS can modify any OTHER process, if neither are on the list. Put simply, ALLOW access is only needed if something wants to modify a PROTECTED process. As I said, something needs to be on the list to be protected.. otherwise anything can modify it for example.

    It's all logical, right? :)
     
  9. Rasheed187

    Well, it's a bit confusing. :rolleyes:

    Shouldn't all processes be protected even though they are not on the protection list? Check out this scenario: I have 30 processes running, now I open fileBX.exe, and this app isn't being protected. And let's say I get malware on my system; it keeps trying to inject code into other processes, and finally it manages to do so in fileBX.exe, so now I'm compromised.

    It seems logical to me that only your anti-malware tools and some Windows services should be allowed to modify/terminate other processes (protected or not). Any other process should not be able to modify/terminate stuff, even if that stuff is not protected. So basically, I'm not seeing the point of the "protected from" column. Or am I missing something? :ninja:
     
  10. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    This is the way I understand it.

    The protection list should contain important Windows files which need to be protected from termination so malware can't mess with them and lock up your system. These files also need special privileges which allow them to access physical memory and install global hooks etc., so they also need to be protected from modification.

    Then you have security applications protected so malware can't terminate them and stop them from doing their job. These programmes also have special privileges like the ability to terminate processes and so they also need to be protected from modification.

    Next on my list come applications which need special privileges in order to operate properly e.g. web browsers seem to need to install global hooks.

    Rightly or wrongly (I don't know which), I then add applications which have access to the internet. I protect these so malware can't mess with them.

    It's a bit of a read but it's all explained much better by Andreas (see this thread: https://www.wilderssecurity.com/showthread.php?t=56848).
     
  11. FirePost

    FirePost Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    212
    One can grasp the logic of the process easily enough. It is the reasoning behind it that eludes. How can this possibly be a good idea? With free modification rights allowed by default, malware is allowed full access to any inadvertently unlisted program. This limits the protection provided by PG to only listed programs.
    This change in method forces an attempt to put EVERYTHING on the list to achieve the level of control currently provided. Is that not so? o_O

    It is more desirable that a process get permission to modify others and yet another to modify protected. THAT would be an improvement rather than a step back.
    Modify processes -
    Modify protected -

    It is pouring rain and one is safely dry beneath an umbrella (currently). Now you come along and take the umbrella and hand over gloves (allow unless on list). You say, "At least your hands are still dry. And if you want your head dry put a hat on!"(add another to the list) ;)
     
  12. SpikeyB

    You do not need to put all your processes on the protection tab.

    If you tick all the Global Protection Options on the Main tab then no process can access physical memory or create global hooks etc.

    The primary reason you add a process to the Protection tab is because it needs extra privileges to override the Global Protection Options. For example, the process may need to access physical memory in order to run correctly. To allow it to access physical memory, you add it to the Protection tab and give it permission to access physical memory.

    This process now has extra privileges which allow it to do things on your system that other processes can't. If this process becomes modified by malware, then the malware also gains these extra privileges.

    That is the reason why you need to protect your process from modification: so that the malware cannot modify it and gain the extra privileges.
     
    Last edited: Nov 5, 2005
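The list-based rules Gavin describes in posts 7 and 8 (nothing is protected unless listed; only a listed process with the matching ALLOW option can touch a protected one) together with SpikeyB's account of the Global Protection Options in post 12, as an added Python model. It is not ProcessGuard's code or any poster's; the process names, ALLOW flags and sample policy are constructed assumptions:

```python
# Added example, not ProcessGuard's own code: a model of the list-based rules in
# this thread. Process names and the sample policy are constructed assumptions.
from dataclasses import dataclass

@dataclass
class Entry:
    """One Protection tab row: the ALLOW options granted to a listed process."""
    allow: frozenset = frozenset()

@dataclass
class Policy:
    protected: dict                        # name -> Entry; only these are protected
    global_block: frozenset = frozenset()  # Global Protection Options ticked on Main tab
    def can_act_on(self, actor, target, action):
        """Unlisted targets are unprotected, so anything may modify or terminate
        them; a listed target may only be touched by a listed actor holding
        ALLOW <action> (modify/terminate). Unlisted actors hold no ALLOW rights."""
        if target not in self.protected:
            return True
        entry = self.protected.get(actor)
        return entry is not None and action in entry.allow

    def can_use(self, actor, privilege):
        """A privilege ticked under Global Protection Options (physical_memory,
        global_hooks) is denied to everyone except a listed process whose entry
        carries the matching ALLOW option."""
        if privilege not in self.global_block:
            return True
        entry = self.protected.get(actor)
        return entry is not None and privilege in entry.allow

def example_policy():
    return Policy(
        protected={
            "smss.exe": Entry(frozenset({"modify"})),           # must modify other processes
            "iexplore.exe": Entry(frozenset({"global_hooks"})),  # browser installs a global hook
            "antivirus.exe": Entry(frozenset({"modify", "terminate"})),  # security tool
        },
        global_block=frozenset({"physical_memory", "global_hooks"}),
    )
def walkthrough():  # the thread's cases evaluated against the sample policy
    pol = example_policy()
    return {
        "unlisted_mod_unlisted": pol.can_act_on("malware.exe", "notepad.exe", "modify"),
        "unlisted_mod_protected": pol.can_act_on("malware.exe", "iexplore.exe", "modify"),
        "smss_mod_protected": pol.can_act_on("smss.exe", "antivirus.exe", "modify"),
        "av_terminate_protected": pol.can_act_on("antivirus.exe", "iexplore.exe", "terminate"),
        "browser_hook": pol.can_use("iexplore.exe", "global_hooks"),
        "notepad_hook": pol.can_use("notepad.exe", "global_hooks"),
    }
```

The notepad.exe case is the one Gavin flags as the surprise: neither side is listed, so the model allows it, while the same unlisted actor is refused against the listed browser.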
  13. Spikey, don't be mistaken: the ability to access physical memory does not map exactly to the ability to modify processes (such as DLL injection) or to terminate them.

    Yet processes don't need "extra privileges" as defined by you to terminate processes or to modify them. Hence if you are worried about any/all processes being terminated or otherwise modified, you will need to put them all in.
     
  14. SpikeyB

    justpassingthru

    I agree with you. If I don't put, for example, notepad.exe on my protection list, then it can be terminated or modified. I don't see that as a problem though, because I can't see how anything particularly bad can come from that.

    However, I would put my antivirus on the protection list because it could be bad if it was terminated or modified.

    I was just trying to explain why you would put applications on the Protection tab and why you don't need to put all your applications on it.
     
  15. ~~~~

    ~~~~ Guest

    I disagree. As we all know, default deny is definitely safer than default allow. To expect people to know which apps to protect and to take time to do it is not a very good idea.

    At the very least, I think any program that has wide unrestricted default allow rules in the personal firewall should be protected by PG. That can be a pretty long list.
     
  16. SpikeyB

    I'm glad we are in agreement.

     
  17. FirePost

    If one wishes to prevent modification of processes (it is PROCESS guard) they MUST be placed on the list. There is no desire to reinstall or restore programs modified simply because they needed no "special" permissions.
     
  18. SpikeyB

    It doesn't matter whether the process is on the Protection list or not. The file itself can still be modified on the hard drive. Although PG will alert you to the fact it has changed, you will still need to reinstall or restore.

    I'm happy to concede the point on whether or not it's best to add all your programmes to the Protection tab but I'm not yet convinced of my error.
     
  19. WSFuser

    i thought pg would block any process from modifying another unless u gave it permission?
     
  20. FirePost

    You see the point I was making.

    No. Actually it will not unless it is on the list. We are talking about the NEW version which changed things. Read what Gavin is saying again.

    Do not concede. ;) I agree that putting all the programs on the list is ridiculous. Your error is arguing the wrong point perhaps. To get the same level of protection as now, you HAVE to put everything in the list with the change Gavin mentioned.

    Okay... I was arguing the wrong point. Thank you for the clarification ;)
     
    Last edited: Nov 7, 2005
  21. Gavin - DiamondCS

    There is no change, this is how it has always been o_O

    You only really need to protect applications which can be terminated, or might be modified in order to cause harm (like injection into a process to bypass your firewall).

    Notepad.exe is the classic example. There is no reason to protect it at all. It won't have internet access, and terminating it in memory will have no effect on your machine except that notepad closes.

    This is about security - stopping injection trojans, rootkits, and other malware which is far too easily modified or privately built to avoid detection by antivirus/antitrojan scanners.

    Follow the step by step setup guide in the help file, you should then have all running processes protected, all Windows services, your firewall and antivirus, other security programs.

    An OUTSIDE influence is the risk - some unknown, untrusted program. It cannot mess with your security programs, it cannot inject into your browser. Protecting this UNKNOWN file is the OPPOSITE of what you want!
     
  22. Rasheed187

    OK, so you don't need to protect all running processes from modification? I understand that termination of certain processes isn't a big deal, but I thought that malware could still do damage by injecting code into other processes. But only apps with access to the internet should be protected from modification, I assume.

    And while we're at it, can someone perhaps explain to me what "process modification" exactly means? Because it seems that I don't quite understand the concept of it. I assume that trojans will not try to hide in just any process, but only in processes where they can achieve something, like hiding from the firewall to gain Internet access? o_O

    And about: "An OUTSIDE influence is the risk - some unknown, untrusted program. It cannot mess with your security programs, it cannot inject into your browser. Protecting this UNKNOWN file is the OPPOSITE of what you want!"

    I thought that this wouldn't be a big deal since your anti-malware tools should be able to terminate/modify/read all other processes, right?
     
  23. Gavin - DiamondCS

    Which is why you wouldn't want to protect "every" program..

    Modification means use of certain functionality to change a process in memory. Changing one byte can mean the program behaves differently, this is modification. Injecting a whole new thread (program) into the space of another and then starting it, is also modification.

    You can protect more if you like, but trojans don't inject into notepad (for example). For that matter, if someone had notepad ALLOWED to access the internet.. then they have more problems than understanding PG, they need to secure other areas of their machine first.
     
  24. ~~~~~

    ~~~~~ Guest

    Indeed.

    True, but this relies on the user to be aware what types of applications require protection. For example, anything that can connect outwards through the firewall certainly needs to be protected. This means anything from browsers to instant messengers to email clients. Security type programs too.
    It seems to me that for the novice, protecting all applications is easier.

    I think protecting these unknown files so that they are protected from modification or termination is harmless, as long as your security programs have the correct privileges to terminate/modify them.
     
  25. NoHolyGrail

    NoHolyGrail Registered Member

    Joined:
    Nov 14, 2005
    Posts:
    46
    By using the block new processes option, it would essentially also remind you to choose protection (and/or permissions) for every process you forgot about.

    Or am I mistaken? The block new processes option intrigues me. (Aren't almost all attacks process-based anyway? Even if you get a virus or something, this would protect you until you can disinfect with an antivirus.)
     