deleting protected executables

Discussion in 'ProcessGuard' started by hojtsy, Mar 28, 2004.

Thread Status:
Not open for further replies.
  1. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Are you protected against deletion of the security apps?
    Without termination of the running processes the executable files can be removed with zap.exe from:

    http://helpdesk.kixtart.org/KixUtilsTasks.asp
    (Source code is public)

    It can remove AT, AV and firewall executable files while this software is actually running. Then all you need is a reboot to terminate all.

    Anybody know some protection from this?
    -hojtsy-
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    This shouldn't be much of a problem. Note that all the programs on that website are exe's. If you have "Block all new exe's...." on, then those exe's couldn't run to delete anything. If you don't have that option on, these exe's would be challenged. If you hadn't specifically gone to that website and downloaded them, and one just showed up on your machine, would you allow something named kill?

    But to answer your question. Is there some protection? Yep. It is called GoBack. I have the recycle bin turned off, and I have accidentally deleted complete folders. With Goback, not a problem.

    Pete
     
  3. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    I was not talking about kill.exe published there: that is stopped by PG. I was specifically talking about zap.exe. It is just a demonstration of a method to delete running exes. The same method could be used by trojans, which of course will not have the name zap.exe.

    GoBack does not protect you:
    Is there a protection against robbers stealing your TV? Yes, hide some money to buy a new TV, and then you are protected against it being stolen!
    Could work, but what about also perfecting your locks?
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Doesn't matter if the name is kill, zap or whatever, if the only way it can run is if you allow it to. Also doesn't matter what method they use. If an exe has to run to do something it is blocked unless you deliberately choose to block it.

    Re Goback, to use your analogy, there simply is no such thing as a perfect lock. Someone can always find a way by it. BUT.... Goback isn't the same as having money to replace the tv, it is a way to turn things back before the tv was ever stolen, without losing other events that have taken place. That is a form of protection to me.
     
  5. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Well yes, the all-powerful execution protection. If we have this we don't need privileges, we don't need the generic protections, we don't need TDS, we don't need personal firewalls. And we don't need to protect the files.
    Because no malware will ever be started with it. Glad you mentioned it, I will sleep well now.

    I never advocated against GoBack, I only say that prevention is also needed. I also don't think that perfect prevention is possible, but we can get nearer than this. The analogue of money in my example is the effort and time needed to always keep GoBack up to date, and to restore it.
    -hojtsy-
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    The simple first. Goback requires zero effort on my part to keep up to date. It is automatic. Resource usage is negligible. Restore effort amounts to picking a time to go back to and rebooting.

    Your response sort of trivializes execution protection. I run a firewall, AV, AT, and spyware stuff. Layered approach to security.

    As far as file protection. I'll bite. I am the only one who uses my computer. What file protection can I put on that I can't defeat myself, and if I could would I want to do that?

    I assume the protection you are seeking is from an unauthorized attack from some external source. How does that get done without running something on my machine? Not theoretical but real world.

    I tested the layered approach with eicar.com. Had to disable stuff just to even get it on my machine. Then when I ran it, first F-Prot (AV) trapped it. Turned F-Prot off, and then Wormguard challenged it. Let it by Wormguard, and then Process Guard checksum protection challenged it. Is it perfect? Probably not, but I do sleep at night.
     
  7. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi hojtsy,

    I don't think there is anything we can do about it. As soon as I start a malware, if it attacks my protected processes, well, PG is here, but if it wants to delete files on my HDD, I can't do anything, unfortunately.

    I think that viruses and trojans want to live as long as possible, which means remaining stealthy and undetected, and deleting critical files is anything but stealthy (above all security apps).

    However, if they want to delete, they can delete, whether it is already running or not; you can't protect against a logic bomb.
    If your post is "why not add file access allowances" to Process Guard, why not call it that? ;)
     
  8. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Peter2150,
    OK then GoBack is a fine piece. Still:

    Why have I purchased Process Guard?

    Have I purchased it to protect me from known viruses (demonstrated by the eicar test file)? No, I already have AV for that.
    Have I purchased it to protect me from known trojans? No, I already have TDS for that.
    Have I purchased it to protect me from running new or changed executables? No, because there are free tools doing this! I am not paying for a feature which is also provided by a free tool.
    Have I purchased it to limit what certain executables can do while executing? YES!

    In particular a half-trusted app should be blocked from:
    1) external and internal communication
    2) read or write access to designated memory areas
    3) read or write access to designated hard disc (+cd,floppy) areas.
    4) read or write access to designated registry areas

    Personal Firewall provides number 1.
    PG provides number 2.
    These tools are dedicated to limiting the privileges of a running program. If you have purchased one of them, you are suspecting that malicious software can actually be executed on your machine. If you are not suspecting that, then you have not installed these.

    In previous threads it was said that PG also partially provides number 3, because executable files of running security software can not be modified. But zap.exe proves that this assumption was false.

    Number 3 or 4 is not provided yet. There are some initial attempts at these by Tiny firewall, but no dedicated software. It is like a keep guarded from 2 sides and wide open on the other two, and if any of these defenses fail it can ruin the other 3.

    gkweb,
    my post is: "why not add file + registry allowances to PG or some other DCS product" and "does anybody know of some existing software for this".

    -hojtsy-
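The four-category model above treats the security products' own executables as a protected disk area. One defender-side check that follows from it, added here as an example and not code from the thread or from any DiamondCS product, is to audit whether the on-disk images of running processes can be deleted by anyone other than SYSTEM, Administrators or TrustedInstaller. It assumes Windows with PowerShell 5.1 or later and NTFS ACLs; the process names in `$watch` are constructed placeholders to replace with your own products.

```powershell
# Added example: audit the NTFS ACLs on the image files of selected running
# processes for Delete rights held by non-trusted principals.
# Assumes Windows / PowerShell 5.1+; process names below are constructed samples.
$watch = @('procguard', 'tds-3', 'f-prot')   # placeholder names, adjust to your setup

# Well-known SIDs treated as trusted: SYSTEM, BUILTIN\Administrators, TrustedInstaller
$trusted = @('S-1-5-18', 'S-1-5-32-544',
             'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')

function Test-DeletableImage {
    param([string]$Path)
    $findings = @()
    # A file can be removed either through Delete on the file itself or through
    # DeleteSubdirectoriesAndFiles on its parent directory, so check both.
    $checks = @(
        @{ Target = $Path;              Right = [System.Security.AccessControl.FileSystemRights]::Delete },
        @{ Target = (Split-Path $Path); Right = [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles }
    )
    foreach ($c in $checks) {
        $acl = Get-Acl -LiteralPath $c.Target
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # FileSystemRights is a flags enum; FullControl and Modify include the Delete bits
            if (-not ([int]$ace.FileSystemRights -band [int]$c.Right)) { continue }
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { $sid = $ace.IdentityReference.Value }   # unresolvable principal: report it
            if ($trusted -contains $sid) { continue }
            $findings += [pscustomobject]@{
                Target    = $c.Target
                Principal = $ace.IdentityReference.Value
                Right     = $c.Right
            }
        }
    }
    return $findings
}

Get-Process | Where-Object { $_.Path -and ($watch -contains $_.ProcessName.ToLower()) } |
    ForEach-Object {
        $f = Test-DeletableImage -Path $_.Path
        if ($f) { $f | Format-Table -AutoSize }
        else    { "OK: $($_.Path) is deletable only by trusted principals" }
    }
```

The check is only meaningful when day-to-day work runs as a standard user; an interactive Administrator session, the common setup in this thread, already holds Delete on everything it owns, which is exactly the per-process (rather than per-user) granularity hojtsy is asking for.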
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Hojtsy

    Presumably you bought it because it does what it claims to do.

    All the issues you are bringing up are things you would like, or things you think it should do. Fine. I am sure Jason and company welcome suggestions. If something doesn't work as advertised everyone involved wants to know so it can be fixed, but just because it doesn't do what you think it should doesn't mean there is anything wrong with the program.
     
  10. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Process Guard will expand its features over time to include things like file and registry protection. If a trojan has to delete all security EXE's and reboot to get around Process Guard, then that is better than having those EXE's running on your system compromised.

    If all your security apps get deleted, don't you think that it isn't highly obvious something is wrong with your system? Trojans are designed to blend into your system, not destroy it. Process Guard covers the worst attacks, but it will expand to include a lot of other things in the near future.

    -Jason-
     
  11. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Hmm, still only user-level granularity of file access control, and not process-level, but a good start with its own file system driver:
    http://www.softstack.com/fileprotpro.html
    Oops.

    -hojtsy-
     