Change of MD5 hash by updates, howto ..

Discussion in 'ProcessGuard' started by tuatara, May 27, 2004.

Thread Status:
Not open for further replies.
  1. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    Hi, first of all, I am very happy with PG, it works great, the best Windows security tool I know of / have ever seen.

    But I miss something; I've searched this forum but could not find the answer,
    sorry if I've overlooked it.

    The (small) problem is that some programs that I use do an automatic update.

    And some of those, like the BOCLEAN "update" (don't worry, I use TDS-3 and ALL!! other DCS programs as well :>) ),
    have their MD5 hash changed because of that.
    (like dcsmutex with TDS-3)

    PG message:
    "You allowed this file but it has been changed since then"

    Of course this message is correct, but if this file is changed after an update,
    I HAVE to trust this, because I can't see if there is something wrong with the update. So I always have to manually agree on that (goodbye AUTO-update).

    So I hope there is, or will be, an option/setting to trust a file even if it is changed (on path and filename?).

    Or is there a work-around for this?

    Thanks.

    BTW:
    I check the DCS website almost every day to see if TDS-4 is there;
    I don't mind if it is not there yet, take your time and make it
    as good as the other progs/versions.
    But I would appreciate it if you gave a date such as "not expected before ...",
    and even if you do that twice or more ...

    tuatara
     
    Last edited: May 28, 2004
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi tuatara, I know what you mean about trusted program updates such as DCSmutex but to a certain extent I prefer to be advised when such a program is changed especially with regard to security apps.
    Maybe Jason could include an option button to exclude certain files but I, for one, would not use it. :)

    Regarding TDS4 - DCS will have to comment on that ;)

    Enjoy your weekend - Pilli
     
  3. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    Hi Pilli, thanks for your answer.

    Do you mean that you like to know WHEN the update was,
    or whether it is a trusted one?

    In the latter case, please explain to me: on what do you base your decision whether the
    updated version can be trusted?

    Because the only thing I can imagine is that you compare
    the DCSMUTEX file with the one that is at DCS.

    And I wouldn't know how to do that.

    Or do you scan the file before you execute it? And if you do, how?

    This is very important.

    Or do you make a bpatch or hex-dump, or disassemble the file before executing it?

    I am very curious about that, because I think that checking the update file
    is much better than the work-around that I was thinking of.

    And of course, this is an important security issue for other users as well.
    Please don't make your reply too general; I would like to know the details.

    Thank you very much, this is a great help for me.
     
  4. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
  5. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    Thanks, TheQuest,

    I found the checksum on that page there.
    But is this the checksum for the latest DCSMUTEX...
    or the one for the latest TDS-3 download?
    OR is it perhaps the checksum for the latest radius/update file??

    Sorry, but I really don't know that ....

    And how can I compare them, because there is the checksum for, isn't it?

    Thanks in advance,

    This will be of great help for me.

    Tuatara
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yes, I like to know when the update is done and no I do not do any specific technical checks as I like to invoke my own updates from trusted vendors.
    With KAV, for instance, updates have built in checks so I trust them.
    I am not a techie but I am cautious :)
    I do check all downloads with both KAV and TDS3 - Process Guard will inform me if any .exe is changed - AdWatch will inform me if any registry run keys are added or changed.
    There is no such thing as 100% security; we must try to use what knowledge we have with the tools at our disposal to minimise any risks. :D

    The checksum is for the radius file which sometimes includes an updated dcsmutex.exe
     
  7. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Sorry to interrupt this thread with my novice question, but can someone explain to me what the checksum does and what it's used for? I clicked on the link provided by TheQuest and I see that a checksum appears to be a series of 32 alphanumeric characters. Can anyone help bring me up to speed on this? Thanks
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Dallen :) Check out the links on DCS's CryptoSuite, lots of basic info' there.
    Basically it is an alphanumerical signature of an object which is checkable, thus proving that an object has not changed or been changed during transfer.
    Foolproof at the moment, as it has not been broken as yet.
     
  9. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Thanks Pilli,
    However, when you said that following:
    about the following:
    What exactly is that checksum for? I've searched all the checksums under the "Program checksums" tab in PG and I see none that match.
     
  10. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    Hi Dallen,

    That is the part of my question that is not answered yet:

    And how can I compare them, because there is the checksum for, isn't it?

    But I think that that answer will come soon now ...

    Tuatara
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Here is some information from the CryptoSuite help file:

    What is a checksum?

    A checksum is basically an extremely large number which represents a group of data. In its simplest form it is like referencing a larger set of data by a smaller set. If your name was Michael for instance, if someone called you Mike you would know they were referring to you even though they didn't use your full name. This is similar to how a checksum works.

    Checksums come in many different sizes, ranging from 1bit to 1024bit and anything over. Obviously the larger the checksum the more unique sets of data it can reference before "collisions" occur. What is a collision? A collision occurs when the same checksum or number is generated for 2 different sets of data.

    What the checksum does to generate a number given a set of data, is to go through ALL the data and while it is, do certain things. The simplest checksums simply add up each byte in the data. So if I had a 20byte piece of data where each byte contained the number 1, and I ran a simple adding checksum over it, it would give me the number 20. If I changed one of those bytes in the 20, to a 2, then the same checksum would now be 21. I would know there is a difference between the two sets of 20bytes simply by looking at the checksum. But what if in those 20 bytes, there was one 20, and nineteen 0's. It would also give me the checksum of 20, which would be a collision. Simple adding checksums are only used today when extreme speed is required, because they are very simple and produce a lot of collisions.

    Cryptographic checksums like SHA/HAVAL/MD5/TIGER/etc, use advanced mathematics principles to limit the amount of collisions and hence they are used today because of their high reliability.

    You can't work out what data a checksum actually refers to. This is because if a checksum is only 128bits(8 bytes) in length, any data over 128bits cannot be represented fully in 128bits. It's like trying to put more water into a cup that is already full. As in our previous checksum example, there are a lot of possibilities of the checksum of 20 appearing, hence we cannot work out which set of data actually gave us that checksum.
     
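The help-file text above can be reproduced directly. The following is an added example (not from CryptoSuite, DCS or any poster here) that builds the two 20-byte buffers the explanation describes, runs the "simple adding checksum" over them to show the collision, and runs MD5 over the same buffers to show that a cryptographic hash separates them. It also reports the digest size of MD5, which is 128 bits, i.e. 16 bytes or 32 hex characters (the 32-character string dallen noticed), and counts how many different 2-byte inputs collide on an adding checksum of 20. All inputs are constructed for the demonstration.

```python
import hashlib

def adding_checksum(data: bytes) -> int:
    """The simplest checksum from the explanation: add up every byte."""
    return sum(data)

def md5_hex(data: bytes) -> str:
    """MD5 of the data as the 32-character hex string seen on vendor pages."""
    return hashlib.md5(data).hexdigest()

def digest_bits(algo: str) -> int:
    """Output size of a hashlib algorithm in bits (md5 -> 128, sha256 -> 256)."""
    return hashlib.new(algo).digest_size * 8

# Constructed inputs, exactly as described in the help-file text.
TWENTY_ONES = bytes([1] * 20)             # twenty bytes, each holding 1
ONE_BYTE_CHANGED = bytes([2] + [1] * 19)  # one of those 1s changed to a 2
ONE_TWENTY = bytes([20] + [0] * 19)       # one 20 and nineteen 0s

def collision_demo() -> dict:
    """Return the adding checksums and MD5 digests of the three buffers.

    The adding checksum gives 20, 21, 20: the first and third buffers collide
    even though their contents differ.  The three MD5 digests are all distinct.
    """
    buffers = (TWENTY_ONES, ONE_BYTE_CHANGED, ONE_TWENTY)
    return {
        "adding": [adding_checksum(b) for b in buffers],
        "md5": [md5_hex(b) for b in buffers],
    }

def count_two_byte_inputs_with_sum(target: int) -> int:
    """How many distinct 2-byte inputs produce the same adding checksum.

    Every pair (a, b) with a + b == target collides; for target 20 that is 21
    different inputs sharing one checksum, which is why adding checksums are
    useless for detecting deliberate tampering.
    """
    return sum(1 for a in range(256) for b in range(256) if a + b == target)

if __name__ == "__main__":
    result = collision_demo()
    print("adding checksums:", result["adding"])
    print("md5 digests:     ", result["md5"])
    print("MD5 digest size:", digest_bits("md5"), "bits")
    print("2-byte inputs with adding checksum 20:", count_two_byte_inputs_with_sum(20))
```

Running it prints the adding checksums as 20, 21, 20 and three different MD5 strings; the same comparison works for any file, which is exactly why ProcessGuard keys its "file has been changed" warning on the MD5 rather than a size or sum.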
  12. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
    If I do 'update database' in TDS-3, how can I compare the checksum of the just-downloaded file with the one on the website?

    Because here it is activated before I can even check it; I must be doing something wrong, I guess?

    I know how it works theoretically, but I can't find the checksum of the new updated file AFTER download and BEFORE it is activated.

    That must be simple .... :doubt:
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi tuatara, if you manually download the file to a non-TDS3 folder you can then use a utility like CryptoSuite to test the checksum against the DCS stated one.

    If you use autoupdate then you can still check it (albeit after TDS3 has loaded it) by checking the file in the TDS3 main folder.

    CryptoSuite trial is available here: http://www.diamondcs.com.au/

    HTH Pilli
     
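The procedure Pilli describes (download to a separate folder, hash the file, compare with the vendor's published checksum) and the ProcessGuard behaviour tuatara started the thread with (remember the hash of an allowed file, warn when it changes) can both be shown in a few lines. The following is an added example written for this thread; it is not CryptoSuite, ProcessGuard or DCS code and does not use any of their file names. The file contents, the file name `dcsmutex_example.exe` and the "published" checksum line are all constructed inside the script. The idea it demonstrates: after an auto-update flags a file as changed, the file only goes back on the allow list if its digest matches the checksum the vendor published, so an unexpected change is caught instead of silently trusted.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 16  # read files in 64 KiB pieces so large downloads are not loaded whole

def file_digest(path: str, algo: str = "md5") -> str:
    """Hex digest of a file on disk; md5 is what the thread's tools publish."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def matches_published(path: str, published_hex: str, algo: str = "md5") -> bool:
    """Compare a downloaded file with the checksum printed on the vendor's page.

    The published value is normalised (surrounding whitespace, upper/lower case)
    before the comparison so a copy-pasted line compares correctly.
    """
    expected = published_hex.strip().lower()
    return hmac.compare_digest(file_digest(path, algo), expected)

class AllowList:
    """Remember the digest of each allowed file and report when it changes,
    the same check behind PG's "you allowed this file but it has been changed"."""

    def __init__(self) -> None:
        self._digests: dict[str, str] = {}

    def allow(self, path: str) -> None:
        self._digests[path] = file_digest(path)

    def check(self, path: str) -> str:
        """'unknown' if never allowed, 'allowed' if unchanged, 'changed' otherwise."""
        if path not in self._digests:
            return "unknown"
        same = hmac.compare_digest(file_digest(path), self._digests[path])
        return "allowed" if same else "changed"

    def reallow_if_verified(self, path: str, published_hex: str) -> bool:
        """After an update, trust the new file only if it matches the vendor checksum."""
        if matches_published(path, published_hex):
            self.allow(path)
            return True
        return False

def demo() -> tuple:
    """Allow a constructed program file, 'update' it, and run the checks.

    Returns (status before update, status after update, accepted with the
    correct published checksum, accepted with a wrong checksum, final status).
    """
    folder = tempfile.mkdtemp()
    exe = os.path.join(folder, "dcsmutex_example.exe")  # constructed name, not the real file
    with open(exe, "wb") as f:
        f.write(b"version 1 of a constructed program file")

    allow_list = AllowList()
    allow_list.allow(exe)
    before = allow_list.check(exe)

    # Simulate an automatic update rewriting the file in place.
    new_content = b"version 2 of a constructed program file"
    with open(exe, "wb") as f:
        f.write(new_content)
    after = allow_list.check(exe)

    # Constructed stand-in for the checksum line on the vendor's download page.
    published = "  " + hashlib.md5(new_content).hexdigest().upper() + "\n"
    rejected = allow_list.reallow_if_verified(exe, "0" * 32)  # wrong checksum: stays untrusted
    accepted = allow_list.reallow_if_verified(exe, published)
    return before, after, accepted, rejected, allow_list.check(exe)

if __name__ == "__main__":
    print(demo())  # ('allowed', 'changed', True, False, 'allowed')
```

For a manual check of a file you downloaded to a separate folder, call `matches_published(path, "<checksum copied from the vendor page>")`; passing `algo="sha256"` works the same way for vendors that publish SHA-256 sums.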