DCS products and PrevX, overlap?

Discussion in 'ProcessGuard' started by jwcca, Sep 4, 2004.

Thread Status:
Not open for further replies.
  1. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    716
    Location:
    Toronto
    Hi, I saw the thread about PrevX, installed it and then wondered about all the apparent overlapping of features already provided by DCS. I have all the DCS apps except Crypto suite, paid versions by the way, and would like to know if it makes sense to also pay for the PrevX Professional. I haven't had much time to examine PrevX, but its log showed that it was stopping AdSubtract from accessing the HOSTS file. It also stopped PC-cillin TSC.EXE (just like Process Guard did until I allowed it to avoid the PG logs) from accessing a couple of files that I can't even see with Explorer, scmx32.exe and scam32.exe.
    So, Wayne/Gavin/Jason.. have you had a look at PrevX yet? care to comment?

    Jim C
     
  2. Gohan

    Gohan Guest

    Having briefly looked at PrevX, I would say it is worth using with ProcessGuard. Although there is an overlap, they also complement each other. PrevX includes buffer overflow protection of core services which ProcessGuard does not implement. All of PrevX protection and services can easily be terminated which Process Guard prevents. (I tested this using DCS Advanced Process Termination).

    I think buffer overflows are a very serious problem and would like to know if DCS will ever implement any buffer overflow protection of processes in Process Guard.
     
  3. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Any buffer overflow protection done in software will never be as good as hardware based overflow protection. I'll have to check PrevX to see if it is "real" buffer overflow detection or actually just checking if the area where some code is residing has execute privilege or not, but I assume it is the latter since the former would require a lot of cpu cycles. If you haven't already, you might want to read a few phrack articles which detail lots of methods to get around overflow protection many programs like PREVX implement.

    An Athlon64 CPU with Windows XP SP2 is your best defense against buffer overflows at this stage, and since every new cpu in a year or two will also have this protection, I don't see much point in kludging some method to protect against it in software. There is no way to get around buffer overflows when you have hardware protection against it, since there is no kludge method involved, it's direct and simple.

    If you get an Athlon 64 you can also get a NFORCE-3 motherboard which has an inbuilt hardware firewall, so you can really improve the security and running speed of your system with the new hardware out now for not that much outlay.
     
  4. Gohan

    Gohan Guest

    Jason, I appreciate the informative reply to my query regarding possible buffer overflow protection in Process Guard. I had a look at the Phrack articles regarding the exploitation and bypassing of software based stack/overflow protection. I agree that hardware protection would indeed be the best solution. I also assume that Prevx does not have "real" buffer overflow protection, however this basic protection does add another layer to security. Here is the part of their FAQ that describes the type of protection:

    -----------------------------------------------------------------------
    How does Prevx protect against exploitation of Buffer Overflow?
    Prevx Home provides protection against both known and unknown buffer overflow vulnerabilities. Generically detecting and shutting down the attacks that exploit buffer overflows on stack or heap memory achieves this. By detecting violations with regard to buffer overflows, the product will protect your system and data against unauthorized access to stack and heap locations outside legitimate boundaries. By doing this, Prevx Home is able to detect, and subsequently 'deal with', any process that attempts to gain control of execution through a buffer overflow exploit. The offending piece of code will typically be terminated (the result of a buffer overflow attack) to prevent further execution, and an alarm/report log issued to alert security managers of the potential compromise.

    ------------------------------------------------------------------------

    I think it would be interesting to see the methods of bypassing software overflow protection detailed in the Phrack articles tested on Prevx.
     
  5. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    716
    Location:
    Toronto

    Hi Jason, I'm running W2K on an Athlon 2700XP with WD Raptors in RAID1 which is quick enough for me and I'm not moving to the AMD64 or XP-SP2 because my main app may not work with SP2 (and I'm not going to spend $$$ to find out). So I think that PrevX may be an addition to my current protection, along with TDS-3, WG, PG, RP etc.

    Maybe the TDS-4 will add even more protection, but I'm sticking with my current hardware.

    Thanks all,

    Jim C.
     
  6. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Hi Jim,

    Yeah, there is no problem with holding on to your current hardware; it is still mighty fast. Any properly coded application, unless it is an application which is very technical and advanced, should work fine with SP2 and an A64. The poorly written programs (and these are the only ones which have experienced some probs with A64) will be fixed. It is a programming error to rely on the fact that memory created with READ access can also have code which runs in it. This is what those programs which have problems with SP2 and Athlon64s are assuming; it is a bad assumption and should be fixed immediately by the respective companies.

    I have noticed that even on my high end Athlon systems a software firewall can really bog down your system (~50% cpu with a lot of sockets), which is why a hardware based firewall is a really good idea even for a fast system.
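    Jason's two technical points above (post 3: software "overflow protection" usually amounts to checking whether the region some code lives in has execute privilege; post 6: code that assumes READ memory is also executable is a bug) can be made concrete with a small check. The program below is an added example written for this thread, not code from DiamondCS, Prevx or any Phrack article. It assumes a Linux system with /proc mounted and reads the permission column of /proc/self/maps to classify an address as executable or not; it reports 1 for the program's own code, 0 for a global buffer and for a malloc'd block, and -1 if the address is unmapped or /proc is unavailable. Hardware NX/DEP does the same classification per page on every instruction fetch with no lookup at all, which is why it costs nothing and cannot be skipped. The lookup also only says whether a page is executable; it cannot tell that a corrupted return address now points into code that was always legitimately executable, which is the gap the Phrack material Jason refers to describes.

```c
/* Added example (not from the thread, DiamondCS or Prevx): a user-space
 * "does this address live in an executable mapping?" check on Linux,
 * done by parsing the permission column of /proc/self/maps. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Returns 1 if addr lies in a mapping with the execute bit set,
 * 0 if it lies in a mapping without it, and -1 if no mapping
 * contains it or /proc/self/maps cannot be read. */
int region_is_executable(const void *addr)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (maps == NULL)
        return -1;

    uintptr_t target = (uintptr_t)addr;
    char line[512];
    int result = -1;

    while (fgets(line, sizeof line, maps) != NULL) {
        unsigned long start, end;
        char perms[5];
        /* Each line looks like: "start-end perms offset dev inode path" */
        if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
            continue;
        if (target >= start && target < end) {
            /* perms is "rwxp"/"r-xp"/"rw-p" style; index 2 is the x bit */
            result = (perms[2] == 'x') ? 1 : 0;
            break;
        }
    }
    fclose(maps);
    return result;
}

/* A writable global: lives in a read/write data mapping, never executable.
 * This is the kind of memory the "READ implies EXECUTE" assumption
 * from post 6 mistakenly treats as runnable. */
static unsigned char data_buffer[64];

/* Wrappers so each case can be checked by name. */
int code_region_is_executable(void)
{
    /* Our own function body sits in the text segment (r-x). */
    return region_is_executable((const void *)region_is_executable);
}

int data_region_is_executable(void)
{
    return region_is_executable(data_buffer);
}

int heap_region_is_executable(void)
{
    void *p = malloc(128);
    if (p == NULL)
        return -1;
    int r = region_is_executable(p);
    free(p);
    return r;
}

int main(void)
{
    printf("code: %d\n", code_region_is_executable());  /* 1 */
    printf("data: %d\n", data_region_is_executable());  /* 0 */
    printf("heap: %d\n", heap_region_is_executable());  /* 0 */
    return 0;
}
```

    Build with `cc -O2 -o mapcheck mapcheck.c` and run it; the three lines show that only the text segment carries the execute bit, while the global buffer and the heap block are read/write only. A program that tries to run code out of either of the latter two is exactly the class of software Jason says breaks under SP2 on an Athlon 64, and the fix belongs in that program, not in turning the protection off.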
     
  7. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Hi Gohan, yes another layer of security is always a nice thing, as long as the layer doesn't involve many resources. That is one of Process Guard's main goals, make sure the target system doesn't experience any noticeable drop in performance having Process Guard installed. Plus the memory footprint of Process Guard is really small, especially when compared to other security software (C++ and ASM help here :) ).

    We will probably check out the latest PREVX after the next version of Process Guard is released to test compatibility and various other things, so I will give it a look over then. Some of the features sound interesting, but to me it still seems to not have that many system security features. One of the most important things with Process Guard is even if you detect it is on the system, it is nigh on impossible to get rid of it through programmatic ways. You basically need a human there to get rid of it.

    With the next version of Process Guard there are no ways that I know of at all to remove it from the system apart from the disabling of protection manually by a human. With older builds there were one or two highly undocumented ways I myself knew to programmatically remove it from the system (having done a lot of rootkit research, these methods weren't really publicly known until recently), but these have been removed in the latest version.

    So there is some overlap of features between the two, and some people might even run both to get all the features. But with a firewall, Process Guard properly set up and a scanner or two, you are pretty much guarded from all harmful things.
     
  8. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    716
    Location:
    Toronto
    Hi Jason,
    Yes, it is. I use it mainly for a video surveillance system.

    Well I'm using an older (V2.6.362) ZoneAlarm and I block everything (well almost) but I also run MBM which shows that while browsing, I'm using about 1 to 2% of the cpu. I get very few pokes and prods from the nasties since so far I'm stealthed 100%. Of course you're probably quite right for many folks' systems, and I always appreciate the advice. BUT - I just did a quick check on prices and saw that for a good FX-53 system board and cpu I'd spend about $900USD plus the cost to upgrade to WinXP-Pro(?) so I think that I'll wait a while.
    Thanks again,
    Jim
     
  9. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    http://msdn.microsoft.com/security/productinfo/XPSP2/memoryprotection/execprotection.aspx

    Actually (if I assume you are in the USA), it would only take roughly $300 to get one of the lower speed Athlon 64 (3000+) and a motherboard. The cheaper Athlon 64's still have no execute/buffer overflow protection to my knowledge.
     