Catch "run new process" vs prevent

Discussion in 'Ghost Security Suite (GSS)' started by moni4m, Jan 17, 2008.

Thread Status:
Not open for further replies.
  1. moni4m

    moni4m Registered Member

    Joined:
    Dec 26, 2007
    Posts:
    6
    Hi,

    Sorry for this crazy question. As I see it, to deny one program the ability to run and execute another program there are two ways:

    1) the way GSS works: hook/handle the right functions/events and display a prompt (sorry, but I am not very technical)

    2) the second way could be to scan and change the executable so as to remove the calls to API functions which could run an external process

    My world is mostly EXEs and DLLs, so I will give a similar example. Suppose a program wants to load a DLL called "run_process.dll" and call the function "execute". Then maybe, without changes in the EXE, I could put my own "run_process.dll" in place with exactly the same function "execute". This EXE will then load my DLL, and my DLL will allow/deny or ask what to do. If "execute" is allowed, then my DLL will call the original "run_process.dll".

    I know it is not a simple answer. My knowledge in this area is very limited. I understand that there could be many complications; the world is not only EXEs and DLLs. I see some advantages like:

    - full-time monitoring will not be necessary; once all binaries are changed it becomes very clear which program can run another program, which program can access the internet, etc.

    - a virus can't attack or stop the GSS process. A virus can't change the GSS settings and say "the virus executable has full rights without logging" (not sure if that is possible now with full-time monitoring)


    Maybe there are many positives and negatives for both case 1) and case 2). Or maybe case 2) is not possible. I would be glad if someone could explain to me the real reasons why all antivirus software uses run-time / full-time protection.

    From my point of view, it is not a completely crazy idea. I did read about using a sandbox to isolate viruses, etc. So I was thinking of something similar but without the performance problems; it looks like a sandbox in some cases is a complete virtual machine with a separate OS installation.

    Thank you very much.
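What the post describes for "run_process.dll" is a proxy (or "shim") DLL: a drop-in library that exports the same function name the host EXE imports, decides allow/deny, and forwards allowed calls to the renamed original. The example below is added here to make that concrete; it is not code from the thread and not how GSS works. The file names run_process.dll / run_process_orig.dll, the `execute(const char *cmdline)` signature and the policy table are all assumptions for illustration. The Windows-specific parts (export, LoadLibraryA/GetProcAddress, GetModuleFileNameA) are behind `#ifdef _WIN32` so the policy and forwarding logic also builds and runs as a plain program elsewhere.

```c
/*
 * Added example (not code from the thread or from GSS): a "proxy DLL" that
 * stands in for the hypothetical run_process.dll described in the post.
 * It exports the same function, execute(), gates the call with a policy,
 * and forwards allowed calls to the renamed original (run_process_orig.dll).
 * All file names, the policy table and the execute() signature are assumptions.
 */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#  include <windows.h>
#  define EXPORT __declspec(dllexport)
#else
#  define EXPORT
#endif

typedef int (*execute_fn)(const char *cmdline);

/* Constructed policy: first matching rule wins, anything unmatched is denied.
 * An empty target_prefix matches every command line. */
struct rule { const char *caller; const char *target_prefix; int allow; };
static const struct rule policy[] = {
    { "updater.exe", "C:\\Program Files\\App\\", 1 },  /* updater may spawn its own helpers */
    { "updater.exe", "",                          0 },  /* ...and nothing else */
    { "viewer.exe",  "",                          0 },  /* viewer may never spawn anything */
};

/* Last component of a path, handling both separators. */
const char *base_name(const char *path)
{
    const char *p = path, *s;
    for (s = path; *s; s++)
        if (*s == '\\' || *s == '/')
            p = s + 1;
    return p;
}

/* Policy decision: 1 = allow, 0 = deny (the default). */
int policy_allows(const char *caller, const char *cmdline)
{
    size_t i;
    for (i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        const struct rule *r = &policy[i];
        if (strcmp(r->caller, caller) != 0)
            continue;
        if (strncmp(r->target_prefix, cmdline, strlen(r->target_prefix)) == 0)
            return r->allow;
    }
    return 0;
}

/* Core of the proxy: check the policy, then forward to the real function.
 * Returns -1 when denied, -2 when the original cannot be reached. */
int gated_execute(const char *caller, const char *cmdline, execute_fn real)
{
    if (!policy_allows(caller, cmdline)) {
        fprintf(stderr, "proxy: DENY %s -> %s\n", caller, cmdline);
        return -1;
    }
    if (real == NULL) {
        fprintf(stderr, "proxy: original library not found, refusing %s\n", cmdline);
        return -2;
    }
    fprintf(stderr, "proxy: ALLOW %s -> %s\n", caller, cmdline);
    return real(cmdline);
}

/* Locate execute() in the renamed original library (Windows only). */
static execute_fn resolve_original(void)
{
#ifdef _WIN32
    HMODULE h = LoadLibraryA("run_process_orig.dll");
    return h ? (execute_fn)GetProcAddress(h, "execute") : NULL;
#else
    return NULL;
#endif
}

/* Exported replacement with the same name the host EXE imports. */
EXPORT int execute(const char *cmdline)
{
    char self[260] = "unknown";
#ifdef _WIN32
    GetModuleFileNameA(NULL, self, sizeof self);  /* full path of the host process */
#endif
    return gated_execute(base_name(self), cmdline, resolve_original());
}

/* Stand-in for the original library, used by the stand-alone demo. */
static char last_forwarded[256];
int fake_original(const char *cmdline)
{
    snprintf(last_forwarded, sizeof last_forwarded, "%s", cmdline);
    return 0;
}
const char *last_forwarded_cmdline(void) { return last_forwarded; }

int main(void)
{
    int a = gated_execute("updater.exe", "C:\\Program Files\\App\\helper.exe /q", fake_original);
    int b = gated_execute("updater.exe", "C:\\Windows\\System32\\cmd.exe", fake_original);
    int c = gated_execute("viewer.exe",  "calc.exe", fake_original);
    printf("%d %d %d\n", a, b, c);
    return 0;
}
```

Two caveats a practitioner would add. First, this only intercepts calls that go through that one DLL: a program that calls CreateProcess directly from kernel32 is not covered, and you cannot sensibly proxy kernel32 itself, which is why real-time products hook at a lower layer instead. Second, for the loader to pick the proxy it must sit earlier in the DLL search order (for example in the application directory) and the genuine DLL must be renamed; that is exactly the DLL search-order hijacking technique malware uses, and renaming or replacing signed files also breaks code-signing and integrity checks.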
     
  2. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Changing files on the system is a pretty risky thing to do, and I can see no real benefit in doing so, given that the "cost" of realtime monitoring in the case of something like GSS is very, very small. Other products, yes, realtime monitoring is noticeable and they would be wise to look into ways of minimizing their footprint, but it's not such a concern where I'm coming from.
     