Can malware get past ProcessGuard and RegDefend?

Discussion in 'other anti-malware software' started by richrf, Apr 23, 2005.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi all,

    A general "architectural" question:

    Suppose I install ProcessGuard and RegDefend on a clean machine and thereafter always deny permission to all programs that PG and RegDefend alert on (this is theoretical of course). Is it possible for trojans, spyware, keyloggers, rootkits, etc. to ever be installed on my machine?

    What I am trying to understand are all of the known ways for malware to install (infest) a machine, and what guards are needed. Thanks for any insights.

    Rich
     
  2. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    As I understand things, since virtually any installation would have to originate at a user mode level, and you have said that you would deny them at kernel mode, I would say no. Attempts to get around this (call from a numerically higher to a lower ring level, e.g. 3 -> 0), should generate a CPU based protection fault.

    I'm of the never say never school, but let's label this one as an unlikely scenario at present. Virtually every scenario that I can build a concept around should generate a flag that you've already posited as denied from the outset.

    Blue
     
  3. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks Blue.

    I am positing this theoretical scenario in order to better understand the type of threats that I might face and whether my security theoretically takes care of everything. I realize that I might always make a mistake, which is why I continue a layered defense, a la KAV, but it appears that PG + RegDefend is an extremely strong defense - which has been my experience to date.

    I would welcome any additional comments. Thanks, as always, for your very helpful replies.

    Regards,
    Rich
     
  4. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Rich,

    At least right now I would view the likelihood of erroneously answering one of the PG/RD pop-ups as much greater than either of these applications failing in a way to yield a vulnerability (as opposed to a simple protection fault restart). If a measure of protection could be added in this regard - and I'm not sure precisely what I mean here - maybe some indication beyond a simple statement of this application is attempting to do whatever to include some type of "seriousness factor" (now there's a technical term if I ever met one), I think that would help. However, I can see the pragmatic issues this would involve and it is likely beyond the scope of commercial product development.

    Also, for both products some level of recovery is possible except for an embedded compromise of the kernel mode layer. But that's true of all scenarios since the only solution there is nuke and pave.

    Blue
     
  5. ring0

    ring0 Guest

    I'll just say that there are individuals working very hard right now on ways to defeat these programs. Whether they have been successful or not, you may never know, because not all who work on ways to defeat these programs will ever make it publicly known. These are the real serious threats, the ones who hide in the shadows, the ones who could have compromised your machine already, and you don't even know about it. Just be aware that it can be done and may have already been done to you. No security program, or combination thereof, is immune from compromise by ring0. ;)
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    How incredibly lame. Okay, "ring0", I'm sitting here at snip~~~snip . All you have to do is get past everything I've got on here and I'll believe you. Not some lame-ass DoS, but something concrete (open and close my CD tray; put me a message up on my screen: "Pete's 0wn3d" ) - IOW, DO something I can see so that I'll know beyond a doubt that I've been breached and that all of these defensive programs don't work.

    THEN I'll believe you. Pete
     
    Last edited by a moderator: Apr 24, 2005
  7. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Pete,

    While you're waiting, have a quick read, the link in post #1 obviously.

    Blue
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    lol! Yes, that was good alright! I'm not implying the same level of stupidity to "ring0" (whoever or whatever that is) - I simply believe that this particular statement - "No security program, or combination thereof, is immune from compromise by ring0." is a crock of (fill-in-the-blank).

    I'm quite willing to change my tune should I be proven wrong - but not until then. His whole post sounded like some drama queen 16-year-old who still lives at home with Mommy trying to intimidate people.

    All I'm saying is - bring it on. Pete

    AND I WANT MY IP ADDRESS PUT BACK IN TO THAT FIRST POST, PLEASE
     
  9. NICK ADSL UK

    NICK ADSL UK Administrator

    Joined:
    May 13, 2003
    Posts:
    9,218
    Location:
    UK
    Thank you all!!!
    If we can stick to the topic in question without going off in various directions like the posting of ISP addresses and using phrases like "bring it on", it would be much appreciated I'm sure by all.
    It is an interesting topic so please let's keep it this way as I have no wish to lock it.
    Thank you
     
  10. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    I think that the issues of getting past security products and these 2 security products in particular center around the safety and reliability of software that you install on your computer

    Let's just say that some malware targets a broad spectrum of products and these 2 are included (as part of a shotgun effect); there are what seem to be fairly obvious ways of engaging in the startup race to have a chance of stripping the layers of protection out.

    Thankfully, due to the differences in people's protection setups it would take someone(s) very dedicated with a high level of skill to have analyzed many different security programs and come up with ways to subvert all of them.
    The likelihood is that something would be missed somewhere and the malware would be submitted for analysis and then it's game over for the "clever" hacker.
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    In addition to gottadoit's arguments, I would also add that such a hacker tool would be a little larger than your average virus or worm; it would have to be run (allowed) and it would have to run perfectly at the kernel level, i.e. set to install its driver/service very early in the boot process. This in itself would be an onerous task because of the driver race, making it highly improbable that the malware would win every time, so the first time it fails it will be caught and then be identified and its abilities known.

    Agreed, there is no such thing as 100% security and there never will be, but by making your PC a hard target to crack it is far easier for the hackers to target the vast majority of insecure machines.

    Pilli :)
     
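    gottadoit and Pilli above describe a "startup race": to strip the protection out, malware would have to get its own driver loaded before the protection driver. As an added example (not from this thread, and not code from ProcessGuard or RegDefend), the Python below models the boot-start load order Windows derives from the ServiceGroupOrder list and each driver's Start/Group/Tag values, then flags any driver that is absent from a known-good baseline and ordered ahead of the HIPS driver. The group list, the driver records and the HIPS driver name "HipsDemo" are constructed sample data, and ascending numeric Tag order is an assumption standing in for the real GroupOrderList sequence.

```python
# Added example (not from this thread or from ProcessGuard/RegDefend): model the
# Windows boot-start driver load order and report unknown drivers that would
# load ahead of a HIPS kernel driver, i.e. candidates to win the "driver race".
# All driver records, the group list and the name "HipsDemo" are constructed.
from dataclasses import dataclass

# Constructed stand-in for HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List
SERVICE_GROUP_ORDER = ["System Reserved", "Boot Bus Extender", "SCSI miniport",
                       "SCSI Class", "Primary Disk", "File System", "Base",
                       "Filter", "Network"]

@dataclass(frozen=True)
class Driver:
    name: str     # service key name under ...\CurrentControlSet\Services
    start: int    # Start value: 0 = BOOT_START, 1 = SYSTEM_START, 2 = AUTO_START
    group: str    # Group (load-order group) value
    tag: int = 0  # Tag value; 0 means untagged (assumed to load after tagged peers)

def boot_load_order(drivers):
    """Approximate boot-start order: groups in ServiceGroupOrder sequence, then
    tagged members by Tag, then untagged members.  Real systems take the tag
    sequence from GroupOrderList; ascending numeric Tag is an assumption here."""
    def key(d):
        gi = (SERVICE_GROUP_ORDER.index(d.group) if d.group in SERVICE_GROUP_ORDER
              else len(SERVICE_GROUP_ORDER))  # unknown groups sort last
        return (gi, d.tag == 0, d.tag, d.name.lower())
    return [d.name for d in sorted((d for d in drivers if d.start == 0), key=key)]

def early_unknowns(drivers, baseline, hips_driver):
    """Boot-start drivers not in the baseline that are ordered before the HIPS
    driver (every unknown boot-start driver if the HIPS driver is not boot-start)."""
    order = boot_load_order(drivers)
    cutoff = order.index(hips_driver) if hips_driver in order else len(order)
    return [n for n in order[:cutoff] if n not in baseline]

# Constructed sample: a clean baseline plus two drivers that appeared later.
BASELINE = {"disk", "Ntfs", "HipsDemo"}
DRIVERS = [
    Driver("disk", 0, "SCSI Class", 1),
    Driver("Ntfs", 0, "File System"),
    Driver("HipsDemo", 0, "Filter", 2),   # the hypothetical HIPS driver
    Driver("rogue", 0, "Base", 1),        # unknown, earlier group: wins the race
    Driver("late", 0, "Filter", 5),       # unknown, but loads after HipsDemo
    Driver("svcX", 2, "Network"),         # auto-start service: not in the race
]

if __name__ == "__main__":
    print("boot order:", boot_load_order(DRIVERS))
    print("unknown drivers loading before HipsDemo:",
          early_unknowns(DRIVERS, BASELINE, "HipsDemo"))
```

    Run periodically against a saved baseline, an unexpected entry in the early list is exactly the change Pilli says would get caught the first time the malware shows up.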
  12. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Note to "ring0" - Since they're not going to allow me to post my IP, you can simply do a "Search" through all my posts if you want it - I've posted it a bunch of times before and it wasn't a problem. Later. Pete
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Pete, Can you try and stay on topic re. the initial post.
    If you wish to, please post your challenge elsewhere but Wilders is not the place to do it.

    Thank you. Pilli
     
  14. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    You're quite welcome! :D Pete
     
  15. McCartn3y

    McCartn3y Guest

    maybe Mr Rovermatic Internalized Nerve Ganglia knows people who reverse engineer security apps? Maybe malware has been embedded into "full.version" ProcessGuard?? Imagine, someone downloads a really sweet security program from unofficial source and BANG! they get rooted and never know it. LOL

    Anyway, in PG forum there are unanswered reports of apps executing without permission. Make of it what you will....
     
  16. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    McCartn3y,

    I think the general consensus is that if you actively allow malware to install, you'll have a problem. The outcome of someone downloading a piece of malware masquerading as PG, not having the savvy to know the difference, and having that piece of malware control the system is completely different from the scenario that is the subject of this thread.

    With respect to PG allowing apps to execute without permission, in at least the most recent example that I can see there, the information is so vague that I have absolutely no idea what did and did not occur. Some additional, detailed, and more objective information would certainly help determine whether the initial interpretation provided is correct or not.

    Blue
     
  17. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi everyone,

    Thanks for the replies so far.

    The "strawman" that I set up was:

    1) The ProcessGuard and RegDefend are installed on a clean machine. Let's say installed when the system is first put together by the manufacturer.

    2) That no other programs are installed after that. I realize that this is theoretical, but I am pushing the case just to see if there are "holes" in such a defense. Clearly, this can be relaxed a bit by installing only programs from trusted sources, and so on.

    Given this, it would appear that a "race" would never occur. I understand that the malware would always have to win the race, in the case where it did somehow get on the system. But, if programs are either never installed or only installed from trusted sources, then it would seem that the malware would never have a chance to even get into a race. Please correct me if I am wrong.

    Windows is a complicated piece of software to protect. So, I am suggesting tactics that may greatly limit the perimeter of defense, and have two good programs (as an example) guarding this limited perimeter. I think this might be handy for people who have just purchased a new system and are looking for a way to provide themselves with the maximum amount of protection, e.g.

    1) One top rated AV/AT/AS
    2) ProcessGuard
    3) RegDefend

    This is just a strawman, but since I am relatively uninformed about the nature of malware, I thought that this type of defense might be an excellent place to start.

    Thanks again for all of the comments.

    Rich
     
  18. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    As an addendum, there is the issue of giving rundll.exe "permit once" or "permit always", which is amply covered here. Certainly, something that has to be addressed in some way by new PG users.

    https://www.wilderssecurity.com/showthread.php?t=59185&highlight=rundll processguard

    It would seem that a layered defense, as in my strawman, which includes a top-rated AV/AT/AS along with PG and RegDefend (which is watching the registry over and above PG's mechanisms) somewhat mitigates the rundll "always issue", especially if rundll is not given extra privileges.

    Rich
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    If your last line of defense is a lock-down program such as ShadowUser or Deep Freeze, a reboot will remove any malware, so you can just enjoy your computing and not waste time worrying about it.

    Regards,

    ---
    Rmus
     
  20. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Rmus,

    I have considered DeepFreeze and Shadow-user lock-down defenses, but it would seem that they are most appropriate for systems that are relatively static. Of course, your point is well taken. If one is not allowing programs to download, then this would infer a relatively static system, in which case these lock-down defenses make all of the sense in the world. A top-rated AV (and possibly PG and RegDefend) would provide necessary intra-day protection.

    Thanks for the additional idea. I certainly will keep it in mind.

    Rich
     
  21. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    ROFLMAO here Blue, what a classic :D

    :D :D :D
     
  22. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I totally concur with that, Blue.

    It depends on how you use ShadowUser (in my case, anyway). This system is anything but "static" - but in my case, all my defensive programs are still running within ShadowMode because everything I've got is on my "C" drive. This eliminates the threat of being un-aware of becoming "infected" by something during a Shadow-session (with the subsequent possible loss of data, passwords, etc., etc. ) while you're still within that session (which is the only true, current vulnerability of programs such as ShadowUser or DeepFreeze).

    Even when I'm not in ShadowMode, I still have PG set to "Block new and changed applications" and locked - and I'll trust that condition every day of the week to keep my computer secure.

    IOW, the only time that PG isn't "cocked and locked" is when I'm installing new software or updating (even while in ShadowMode). Pete
     
  23. cluessnewbie

    cluessnewbie Guest

    You see, Pete only loves to post such challenges in places like this, which, to put it frankly, is merely a wading pool for beginners to intermediate; the chances of someone who is truly skilled coming across this are slim to zero.

    In any case, even if Pete issued his challenge in the right place (e.g. usenet), the truly skilled will be unlikely to be willing to tip their hand just to put a foolish user like Spy1 (who has way too much faith in software despite having no clue at all about how it works) in his place, when they have much juicier targets.

    As we all know, unreleased usable Windows exploits are worth at least 5 figures, and are meant to be sold to the highest bidder; to waste one on Spy1 would be crazy. (Though whether Pete would be smart enough to figure out how he got hacked is doubtful.)

    Still it would be fun to see what happens, if Pete issues his challenge on usenet. I could be wrong of course.
     
  24. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    lol! Another cowardly un-registered user heard from.

    Interesting opinion of this site and the people who work here you have: "which to put it frankly is merely a wading pool for beginners to intermediate, the chances of someone who is truly skilled coming across this is slim to zero."

    Have a nice day. Pete
     
    Last edited: Apr 25, 2005
  25. cluessnewbie

    cluessnewbie Guest

    Would registering the alias 'cluessnewbie' suddenly endow my posts with more truth?

    Your failure to address my points speaks volumes, registered or not.

    Good day.
     