Correct Protection Settings for dcsuserprot.exe and procguard.exe?

Discussion in 'ProcessGuard' started by LuckMan212, Nov 22, 2004.

Thread Status:
Not open for further replies.
  1. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Hi I know some of you may think I am beating a dead horse here with this.. since I already have my other thread that covers a similar subject. But, since it was kind of a "dud" thread, I specifically would like to know the official DCS recommended Protection settings for:

    DCS programs:
    dcsuserprot.exe
    procguard.exe


    Micro$oft:
    iexplore.exe
    explorer.exe
    winlogon.exe
    svchost.exe
    services.exe
    rundll32.exe

    I consider all of the above to be fairly "dangerous" and/or important processes, which is why I am requesting the recommended settings. BTW: we are talking XP SP2 here. Thanks much! ;)
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    Yes it is a very dead horse. The settings to use are the ones that are set IF you run Learning Mode. You are asking for the "official DCS" settings. Do you suppose the ones they have set in the program aren't those settings?
     
  3. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Well I'm not sure what you mean by "the ones they have set" -- as a fresh PG3 install does not contain any settings whatsoever. Just because explorer.exe may, at one time or another during learning mode, decide it would like to Access Physical Memory, does not IMHO mean that necessarily that is the best/safest/recommended setting. That is what I was trying to get at.
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    If you run all your progs while PG is in learning mode it will soon accumulate the settings you need. If, for example, rundll32.exe decides to set global hooks during learning mode, then that is the recommended setting.
     
  5. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Where does it say this anywhere? This is questionable -- for example, what if "mylittletrojan.exe" runs during learning mode and decides it wants to hijack iexplore.exe, requesting global hooks and installing drivers/services? So iexplore.exe will get these options set. Now are those the recommended settings? I doubt it...
     
  6. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    DCS recommends that PG be installed on clean systems. If you install PG on a compromised system or let malware run while in Learning Mode, you will of course be granting any permissions the malware requests. I leave PG in Learning Mode only long enough to reboot twice and never use it again. The only processes I have in my Protection List are default system and security processes (about 34 items). It is not necessary to leave PG in Learning Mode for hours until you have added every app on your system to the Protection List.

    Nick
     
  7. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    PG is to protect you from trojan attack. If your defences have already been overrun it is too late! You will have to make your own arrangements in that case.

    It is assumed you are clean when you install PG.
     
  8. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    on pg's "protection" tab, you can "reset to default" the settings for items in pg's "protection".. that will reset the default settings, but then you have to start over, adding apps to pg's "protection", either manually, or using "learning mode".. i remove some of the items that are added to pg's protection while it is in learning mode..
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    Note that before version 3 PG wasn't protecting you against Access Physical Memory, so any program that wanted to do so could. If explorer.exe wants to access physical memory for something and you deny it, I suspect the results will be less than satisfactory. Internet Explorer doesn't need this permission for 99% of the things I do, but when it does need it and doesn't have it, it simply and gracelessly crashes. So if you are asking if there are recommended settings other than what learning mode sets, the answer probably is maybe, and it may be a trial and error thing. But for a start with the system processes I'd stick with what learning mode comes up with.


    Also a fresh install does indeed yield settings unless you deliberately turn off learning mode on the very first reboot, and frankly, at least from my perspective, if someone does that they are on their own, as they aren't following instructions.
     
  10. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Luckman212, I missed your first attempt at this, so thanks for trying again and pointing me back to the first. What an interesting tension for DCS, writing a manual that works for everyone, encouraging folks up a steep learning curve, and satisfying a core group of demanding users hungry for a dynamic feedback loop and high end configurability. I have to commend DCS for walking that tightrope brilliantly.

    I hope we find a way to share our settings and evolve our consensus about them more efficiently. It seems to be a missing part of this otherwise vibrant interchange.

    A few specific ideas (guesses). I don't trust rundll32.exe, and permit it once only. If you trust that one, I think you're open to any trojan .dll that can get itself started that way. PG still limits your liability, but it can't protect your data.

    I occasionally use IE, but I confirm access thru my firewall and have disabled physical memory access for it (and explorer.exe). I, too, disable everything but protection for OE (in case Bill G. decides to check my mail for me).

    As noted by Jason and Andreas1, services.exe should now be authorized to install services/drivers. The calling program will then need to be given explicit permission too.

    I think I remember Pilli recommending that winlogon.exe be authorized to terminate (though I couldn't find the thread). I'm guessing this might be needed if you've added a security policy specifying a script to run at logon. Anyway, it sounded reasonable to me, so I did. If someone hijacks winlogon.exe, I'm pretty sure the game is over.

    You're absolutely right, we really need some way to pool our notes.
     
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    What do you mean by this? Do you mean that each time rundll32.exe attempts to run you permit it on that occasion? If so, wouldn't it be simpler just to allow it to run whenever it wants?

    How can you tell whether something like rundll32.exe is running for legitimate reasons or because it has been hijacked by malware? From the ordinary user's point of view this seems to be the big weakness of concepts like PG.
     
  12. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Personally I think sharing settings on core components is a great idea. It can help spot something out of the ordinary, or help over-tweakers know what to expect when they scale back toooooo much. Not that I'm an obsessive over-tweaker. ;)

    I also like the idea of setting rundll32.dll as permit once (thanks earth1). Hey, I just found a use for the change "permit always" to "permit once" feature in the security tab. To answer TopperID's last question, you can see what rundll32.dll is attempting to run by looking at the command line in the dialog box that PG3 pops up when it gets run.
     
  13. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Yes, but malware is not going to call itself 'Upyours.exe' and have a skull & crossbones icon! In fact it is likely to appear almost identical to a perfectly appropriate process - and that is where the problem lies. :doubt:

    If you are going to start researching every dll that comes into the frame, when would you have time to do anything else?
     
    Last edited: Nov 23, 2004
  14. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Like any other program, if you know that you initiated it, and it's something you've decided to trust, that's all the reassurance you're gonna get. You may infect yourself, but the alternative is to live in a world where your software options are very limited. Choose carefully and make backups.

    OTOH, with rundll32.exe set to "Permit Always", even clicking an innocent looking button on a web page could (I think) run a script that uses rundll to start malicious code. Since PG trusts rundll.exe to run ANY dll, you won't get any warning that something you've never run before is about to be started on your system.

    I just want a chance to make my own decisions about the risks I take. Sure, I'd love to have a magic bullet with an iron-clad guarantee. Just haven't found one yet. :)

    Rundll isn't invoked when any program uses any dll. Its purpose is to make a dll run as if it's a standalone program. Typically, I see rundll starting control panel applets or security policy snap-ins. I know I want to allow it, because I just clicked on the icon that started it.
     
  15. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    It's unfortunate, but the way things are right now kind of require users to spend some time gaining knowledge of their system to remain secure.. and the consequences are getting more severe for those that don't. I think PG does a decent job of meeting you half way in that regard, although there probably is a little more that could be done (hence my suggestion for a small database of known system files, with full path, so that if a look-alike pops up the user is made aware that it's not normal.) Jason also mentioned that they will be putting together a database of processes and their recommended options (https://www.wilderssecurity.com/showthread.php?p=297338#post297338) In the meantime, Google is always a good starting place for things you aren't sure about. For process .exe's you can use things like RegRun's application database, and a good online database can be found here: http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
     
    Last edited: Nov 24, 2004
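    The two posts above describe a manual check: read the command line PG3 shows for rundll32.exe, decide whether the DLL it names is the real system file or a look-alike, and permit once rather than always. The script below is an added example, not code from the thread, from DCS or from ProcessGuard. It parses rundll32 command lines of the form PG would display, resolves the DLL path against a small constructed allow-list of known system DLLs with full paths (standing in for the database Notok proposes), and reports a verdict that separates a known file from a same-named file in another directory. The allow-list entries, the sample prompt lines and the verdict labels are all constructed for the example.

```python
"""Added example: classify rundll32 command lines against an allow-list of
known DLL paths. Not part of ProcessGuard; the allow-list below is a
constructed stand-in for a real database of system files."""
import ntpath  # Windows path rules, usable on any OS

# Constructed allow-list: lower-cased full path -> entry points expected there.
SYSTEM32 = r"c:\windows\system32"
KNOWN_RUNDLL_TARGETS = {
    SYSTEM32 + r"\shell32.dll": {"control_rundll", "openas_rundll"},
    SYSTEM32 + r"\user32.dll": {"lockworkstation"},
}
KNOWN_BASENAMES = {ntpath.basename(p) for p in KNOWN_RUNDLL_TARGETS}


def _take_token(text):
    """Split off the first token, honouring double quotes around paths with spaces."""
    text = text.lstrip()
    if text.startswith('"'):
        end = text.find('"', 1)
        if end < 0:
            return None, ""
        return text[1:end], text[end + 1:]
    parts = text.split(None, 1)
    if not parts:
        return None, ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_rundll32(cmdline):
    """Return (dll, entry_point, args) for 'rundll32.exe <dll>,<entry> [args]',
    or None if the line is not a rundll32 invocation in that form."""
    prog, rest = _take_token(cmdline)
    if prog is None or ntpath.basename(prog).lower() not in ("rundll32.exe", "rundll32"):
        return None
    rest = rest.lstrip()
    if rest.startswith('"'):
        dll, rest = _take_token(rest)          # quoted path, comma follows the quote
        if dll is None:
            return None
    else:
        comma = rest.find(",")
        if comma < 0:
            return None                        # no 'dll,entry' separator
        dll, rest = rest[:comma], rest[comma:]
    rest = rest.lstrip()
    if not rest.startswith(","):
        return None
    entry, args = _take_token(rest[1:])
    if not entry:
        return None
    return dll, entry, args


def classify(cmdline):
    """Verdict for one prompt line: 'known', 'known-dll-new-entry', 'lookalike',
    'search-order' (bare file name, resolved by DLL search order, not a fixed
    path), 'unknown' or 'unparsed'."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return "unparsed"
    dll, entry, _args = parsed
    dll_l = dll.lower().replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")
    if ntpath.dirname(dll_l) == "":
        # A bare name carries no evidence of where the file actually lives.
        return "search-order" if SYSTEM32 + "\\" + dll_l in KNOWN_RUNDLL_TARGETS else "unknown"
    dll_l = ntpath.normpath(dll_l)
    if dll_l in KNOWN_RUNDLL_TARGETS:
        return "known" if entry.lower() in KNOWN_RUNDLL_TARGETS[dll_l] else "known-dll-new-entry"
    if ntpath.basename(dll_l) in KNOWN_BASENAMES:
        return "lookalike"                     # right name, wrong directory
    return "unknown"


# Constructed prompt lines of the kind PG3 would display (not captured output).
SAMPLE_PROMPTS = [
    r"C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL appwiz.cpl",
    r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll",
    r'rundll32.exe "C:\Program Files\Example App\helper.dll",Start',
    r"rundll32.exe C:\temp\shell32.dll,Control_RunDLL",
    r"rundll32.exe C:\WINDOWS\system32\shell32.dll,NewEntry",
    r"notepad.exe C:\notes.txt",
]


def audit(prompts):
    """Return [(cmdline, verdict), ...] for a batch of prompt lines."""
    return [(line, classify(line)) for line in prompts]


if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_PROMPTS):
        print(f"{verdict:20} {line}")
```

    The useful distinction for a "permit once" decision is between "known" (full path and entry point both on the list) and "lookalike" (same file name, different directory); a bare name such as shell32.dll is reported separately because the prompt alone does not show which file the loader will pick.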
  16. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Hi Notok,

    Thanks for the links, and for putting the importance of research back into perspective. I look forward to seeing what DCS can come up with.
     
  17. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    This is what the Protection List looks like on a clean install of XP SP2 (from a restored image). I rebooted twice in Learning Mode and let PG manage setting permissions for system processes. I optionally ran mmc.exe and rundll32.exe to show how PG handled them.

    Nick
     