DiamondCS - Has PG's Protection been Compromised?

Discussion in 'ProcessGuard' started by Taz, Mar 28, 2005.

Thread Status:
Not open for further replies.
  1. Taz

    Taz Registered Member

    Joined:
    Feb 11, 2005
    Posts:
    16
    As a prospective customer of Process Guard, I find the report in this thread that the program's protection has apparently been compromised to be very troubling. I followed this thread from its inception thinking that any time now the vendor would jump in with an answer as to how this happened. Perhaps I've missed a report from them elsewhere? Has anyone heard anything from them as to how this happened?

    If Adaware can find a way to terminate a protected process, I'm sure those that are clever enough to make use of advanced rootkits and other malware can find it too...especially now that it's been discussed openly on the net.

    What is the customer to deduce from all this? Now that it has been compromised, does this mean PG is not worth purchasing?

    Thanks,

    -Taz
     
    Last edited: Mar 28, 2005
  2. amoeba

    amoeba Registered Member

    Joined:
    Mar 6, 2004
    Posts:
    22
    Location:
    Illinois,USA
    This is troubling.
    Is there more info on this?
    Rich S
     
  3. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Well, I read that thread and frankly there's not enough information presented to render a verdict either way.

    Clearly some users report termination of Spybot S&D by AdAware. That's an observation that is hard to miss, so let's assume it is absolutely correct.

    Nobody posted any menu screen shots to provide explicit confirmation of the settings for both programs. The original poster does note that AdAware is set for read/modify, while Spybot is set protected against termination and modification. Since AdAware is allowed to modify, that will supersede the protection against modification. Maybe it's tied up in this area, although termination clearly should not be the result.

    Pilli's challenge confirmed the attempted termination, but termination was not successful in that instance. The original poster (vam) noted that he is using the free version of PG (see here) which is not quite as comprehensive as the full version. I haven't really considered the full impact of this on the observed behavior.

    Before I become worried about this situation, I would like a lot more detail behind the basic observations. I'm not saying the observations provided by the OP are incorrect, but there are gaps that would prevent me from fully analyzing the situation. I'd specifically focus on some of the areas left unguarded by the free version (e.g. secure message handling, etc.) that may be pertinent.

    As to your main question - is PG worth purchasing - I'd give that an unqualified yes. That's an impression as a user. The current version works seamlessly on my system and at a default configuration level functions quite well. The unlimited home license is well worth the expense IMHO.

    Blue
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,059
    I totally agree with Blue's observation.

    Pete
     
  5. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    I agree with Blue; it is a very useful program that is quite easy to use and provides a very good security layer without adding too much complexity.
    Certainly something to strongly consider purchasing; the cost would easily be saved in your time if it blocked a rootkit trying to install a driver...

    There are some other *small* issues that have been discussed in the PG forum that mean that PG has some *potential* problems. If some actual evidence of process termination surfaces (other than by window messages when the app is not protected by SMH) then by all means take it seriously (in the meantime keep watching the thread..)

    The *potential* problems are not such a big deal if you are willing to deal with the additional complexity of a few more prompts and forcing yourself to read and understand the contents of each allow/deny prompt each time....

    Andreas1's sticky thread summarises the potential issues quite nicely

    Secure Message Handling has been discussed in the ProcessGuard v3.xxx Suggestions / Wishlist thread, a variety of different suggestions have been put forward to help deal with dialog boxes etc. The current implementation is a little cumbersome but it is a lot better than having nothing

    Another one I am aware of is that you can bypass the GUI prompt during startup and get something happening with "permit-once" privileges fairly easily if you have a slow machine or a machine bogged down by disk IO during startup.
    To avoid this, use a startup manager for most of the non-security apps and leave your security tools as registry startups to make sure they get started and initialised before anything else.

    Another issue and this is not strictly a problem with ProcessGuard but another attack vector that you should guard against is unwanted entries appearing in your startup sequence... Another unwanted program could disable ProcessGuard by starting before it does and stopping it running (in a variety of ways)

    As you are probably already aware, you need some sort of registry monitoring tool to guard against some malware targeting ProcessGuard. ProcessGuard will stop unauthorised programs starting by prompting you once it has finished initialising, but before that it's on for young and old...

    As many people have said before me (and undoubtedly will continue saying), if you get your programs from trusted sources then you are less likely to be exposing your computer to problems in the first place, and the issues I'm mentioning above will simply not matter.
     
    Last edited: Mar 31, 2005
  6. Taz

    Taz Registered Member

    Joined:
    Feb 11, 2005
    Posts:
    16
    I would agree that controlled tests followed by screen prints of settings and whatnot would be a better indicator of a security lapse. Still...the original user's report was followed up by someone else (Rodehard) reporting the same behavior. He at least attempted to document his findings with a posting of his log that says Adaware was prevented from shutting down Spybot...yet his observation was that Adaware did indeed terminate the program.

    I think it would be highly unlikely for separate and (I'm assuming) independent users to have ulterior motives for reporting the behavior they observed. Therefore I'm forced to conclude that their observations were correct. However, as has been pointed out, a possible explanation for this apparent security lapse could be tied to user configuration errors. (The trial vs. full-featured programs explanation seems to have been negated by Rodehard's assertion that repeated tests were done with secure message handling enabled for Spybot...an indication that he had the full-featured program.)

    While user configuration error is a plausible explanation, an equally plausible explanation is that Adaware used an undocumented method within Windows to terminate the protected program. Considering the almost daily findings of new security holes within Windows, it would tend to make one gravitate to the latter explanation rather than the former.

    But once again, without controlled testing both explanations at this point are pure conjecture. This is why I was hoping DiamondCS would have responded to the questions raised. It has been some time now since these questions were raised in the original thread (and now this one) and the issue still goes unaddressed. I find this to be as troubling as the protected program termination behavior that was originally reported.
     
  7. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    I agree - DiamondCS should be looking at this to duplicate the issue and fix it, in their own closed lab environment. But maybe DiamondCS doesn't read this forum? Did anyone email them directly?
    I'll admit, DiamondCS's response time for me has been less than spectacular, but has the issue at least been brought to their attention (not in these forums, because they may not be reading them, but through email instead)?

    On the other hand, I still have an unresolved issue that DiamondCS simply won't respond to. I just [sigh] and live with it.
     
  8. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Taz,
    I wasn't suggesting that people making the reports had ulterior motives; if I see something that looks like trolling I just ignore the posts.
    From re-reading the thread I see now where Rodehard suggests that he had enabled SMH and made repeated attempts...
    If SMH was enabled for SB S&D when the app was running, then the first kill could be explained away, but not a second; time for me to actually try it and see what window messages (if any) are being passed, I think.

    As far as DCS and their lack of response, they do read the forums, but remember if they joined in the conversations too often they would have even fewer deliverables.

    I'd suggest emailing the support address; after all, that is the way to get support, the forum is an added bonus.
     
  9. Mephisto

    Mephisto Guest

    I bought a full copy about 5 weeks ago.
    I must say if I had known about this issue back then I would probably not have done so. This is the very core and essence of what this program is supposed to protect you from - if it doesn't work properly then it's of no use to anyone (at least not to me).

    If this does become a trend and PG can be derailed at will by other programs then PG will have been a big waste of my money and an even bigger disappointment.

    Time will tell.
     
  10. Taz

    Taz Registered Member

    Joined:
    Feb 11, 2005
    Posts:
    16
    Oh absolutely, Gottadoit...I totally understand that's not what you were suggesting at all. Forgive me for my poor way of putting things. I was just trying to do the classic "If A, then B, = C" logic type trail.

    And I do think you and the previous poster are correct. Perhaps this is something that would warrant an email to DiamondCS. Being somewhat new around here I thought they monitored this forum a little more closely than what they do. However, I should've remembered that small businesses have a hard enough time running lean and mean as it is and don't have unlimited resources to follow every thread.

    I'll do my best to drop them a line here in the next day or so and report back with any response I might receive.

    -Taz
     
  11. Simon Says

    Simon Says Guest

    C'mon guys, why would these users (registered, I might add) come on this forum and make up a story like this? They were correct in the other half of their story about 180 Solutions. Sounds like some PG fans don't want to admit that not everything DCS turns out is made of gold.

    And this is the breath-taking technology that put TDS-4 on hold for so long? What a shameful exhibition. The reason no DCS personnel have weighed in on this is because they basically have nothing to say that can defend PG, other than Lavasoft's programmers are obviously better than DCS's and thanks for the 30.00 bucks.
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    This assumes that there is a possibility that ProcessGuard has a flaw. No program is perfect, but there has been no valid fault found by an expert to verify such a claim. If this is indeed a flaw, it does not invalidate PG's value that much, as PG adds a whole host of security measures to your machine.
    There is NO program made that can promise 100% security. DCS has always maintained that ProcessGuard is just one part of your defences, albeit a very strong part. I for one would forgo all my other security programs given the choice of only one security program. :)

    Pilli
     
  13. Rodehard

    Rodehard Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    90
    Hi guys
    I have been following this issue since the previous threads came out after Jason released the two tests. I was quite upset that my PC failed and further that the why of it was not explained. As I recall Jason did indicate that they finally reproduced the failure and that a fix was in the making. However, I'm still out in the cold as to why my test failed and what I might do about it other than wait for the fix. I mean, if it's now known why some failed, why not tell me how to fix my configuration? o_O
    On the Prevx board
    http://castlecops.com/postt112062.html
    it seems that running that particular test from the desktop o_O is the secret. I'm assuming that something like that is in play with the PG test and Jason doesn't want it broadcast to the world until he issues the fix. Because of this I have restrained myself from making a big deal out of the issue on the board, but am keeping an eye out for further revelations. I did purchase RegDefend and will continue to use it along with PG, Prevx, Outpost and KAV 4.5 because I feel they are quality products. But, for now, nothing gets run from my desktop.
     
  14. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Does anyone have the adaware defn file SE1R30 08.03.2005 ?

    I am going to use WinSpector to see if the termination method is actually sending window messages... in case anyone else wants to do it themselves (www.gipsysoft.com or the actual home page for the app is www.windows-spy.com)

    It's not a particularly hard application to learn how to use; there are probably other better ones out there, but it looked OK when I went searching around. I'll happily accept any suggestions for better tools :)

    The next step after that is WinDbg I suppose or maybe one of the noddy API monitors ....

    NB: In the lavasoft forums it was mentioned that the false detection problem was fixed in the SE1R32 10.03.2005 update (see thread on lavasoft board)
     
  15. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Rodehard, your post is not relevant to ProcessGuard but to the PrevX flaw, unless, of course, your link was incorrect. The PrevX problem can only be solved by the developers, which they say will be implemented for the next release. :) Jason's forums are below, as he is no longer working for DCS.

    Please remove your post if this is the case.

    Pilli
     
  16. Rodehard

    Rodehard Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    90
    I'm aware of who's on first this week. I was referencing one to possibly explain the other. So far, it's the only theory I have as to why PG, RD and Prevx all failed the RegTest on my system.
     
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    The PrevX vulnerability test is not the same as RegTest. RegTest will close any computer down, as it uses End Session to do that; RegTest tries to modify certain registry settings and, if successful, displays a box after reboot. If not, your reboot should be normal.

    ProcessGuard does in fact stop the test from running unless you specifically allow it so no vulnerability there:)

    HTH Pilli
     
  18. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    Process Guard is not a registry protector. It is not intended to stop the kind of attacks that Regtest.exe simulates. It's like asking Windows Media player to defrag your hard drive. It's the wrong tool for the wrong job.

    If you have problems with Regdefend and Prevx failing Regtest.exe, then you should try posting those problems in those software's appropriate forums.

    This thread was originally started to report concerns with a specific case where Adaware SE allegedly was able to terminate a process that was under the protection of PG. Not sure how PG failing Regtest.exe has anything to do with that....
     
  19. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Blue's point quoted above may be a very relevant issue here. I suspected similar issues when someone reported that EndItAll (PC Magazine utility) was able to defeat ProcessGuard in this thread with DCS participation. My tests seemed difficult to duplicate, but my final (unverified) conclusion was that giving EndItAll permission to modify PG-protected programs enabled it to terminate many protected programs. At least on my system, that ability seemed independent of the SMH issues. If anyone is still set up to test the faulty version of AdAware, I'd suggest removing its permission to modify protected apps and seeing if Spybot gets terminated.

    A second thread touches on the issue of limiting the number of programs allowed to modify other PG-protected apps. I am guilty of not updating my own thread, but my (unproven) conclusion is that while many "normal" applications will run fine without permission to modify, security applications should be allowed to modify PG-protected programs.

    Since AdAware is a security program I'd recommend permission to modify, but since its developers have proven themselves trustworthy, a bug in AdAware is not the same as putting malware in the driver's seat. If you download some malware and run it AND tell PG to let it run AND tell PG to protect it AND tell PG to let it modify protected programs, THEN you may have a problem. It's not really fair to fault PG for trusting a program in the ways it is instructed to do so. However, I'd agree that the modify/terminate issue should be cleared up if it truly exists.

    I agree that more DCS participation would be a good thing, but I think they are behind on other commitments and shorthanded at the same time. Fortunately, there are longtime users that do try to duplicate reported problems. It's a time-consuming and frustrating job. Inevitably, it makes more sense to expend that effort when the initial report seems thorough and well documented.

    Progress may be slow, but I don't think it has stopped. I agree with the others here that PG is far from perfect, but it does address more of Windows' truly thorny problems than anything else I've found.
     
  20. Rodehard

    Rodehard Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    90
    Sorry, I hop around these boards and it all starts to run together. The original issue was with Adaware killing SB S&D despite PG protection. At the same time RegTest came out and blew away RD and, in doing so, terminated PG and Prevx. Both, I mean all, of which were protected by, well sort of, PG. The only mitigating factor is that I did have to allow the test to run in the first place via PG, thus confirming that, at least, component control worked, if not termination protection. When I say protected by, I mean that termination was protected against and the offending application/test did not have termination nor modify rights. I watched the PG log in real time as it claimed to have stopped SB S&D from being terminated while SB was in fact terminated. I then watched as RegTest allowed all my security apps to be closed down, including PG, despite termination protection.
    PG, RD and Prevx are the core of my defenses but, foremost, is PG. So, in my mind at least, this string of events very much pertains to PG when viewed as a whole. For me the question still remains as to why PG failed in this way. I thought this was germane to the original poster's question since he alluded to the thread whereby Adaware was able to bypass PG.
    As for the rest of it you are right, I should take it to the DiamondCS board. I read Jason here enough that the lines have blurred. :)
     
  21. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Interesting discussion.

    I do want to remind everyone that there are numerous settings that can change the outcome of any termination attempt in PG, as others here have stated. You can also have the best firewall in the world, but if it is configured wrong, or settings are configured liberally to provide an easier user experience, well, stuff happens, ya know.

    I think Earth1's mention of EndItAll2 was a great example. When I first tried it back in November, it terminated everything except my antivirus and firewall, using the older version of PG running using out of the box settings. I was disappointed. But that only made me realize the default settings aren't the securest settings.

    I have since upgraded PG and scaled back settings and application rights severely. Nothing gets modify or read rights unless it's a security app or core windows component and every possible component of security related apps gets protection from being read. Nothing is allowed to install diddly squat or access physical memory unless it's security related or literally breaks/crashes the application.

    I got much different results this time. First off, NONE of my security apps or related components even appeared in EndItAll's list to be terminated. It couldn't even see them at all, and of the remaining things it did see, it terminated only 8, and they were relatively unprotected desktop GUI add-ons like a calendar, to-do and dock program. It couldn't kill any Windows processes or even see the security-related stuff running. And I do not even use SMH at all.

    It's important to remember with security software that the learning mode, allow-everything-it-wants, use-default-settings approach is made to guarantee compatibility and ease of use while providing a decent measure of protection.

    If you want PG to lock down your system further, you have to scale back rights and test, since every system and user is different. It can't do that out of the box. But even still, this is a relatively new approach to security for Windows, and security is always a cat and mouse game. There are no absolutes in Windows; we should all know that by now. That's why software is always getting upgraded and patched, signatures come out almost daily, etc.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,059
    I've been watching this thread with interest, but so far have not entered. But a thought occurred to me earlier. If I remember right, some earlier defs in Adaware caused an entry in a PG log saying an attempt was made and blocked to shut down Spybot, and then it shut down.

    The problem well may be the assumption, that it was indeed Adaware that shutdown Spybot.

    We have all seen software that asks permission to modify or terminate something and PG blocks it, often with no ill effect. Also, if we give that legitimate software the privileges it seeks, it doesn't actually do a terminate, but was just testing for the privilege.

    Secondly, I've seen other things shut down software. Every now and then I'll see a program that is running just plain disappear. No crash, no message, just gone. Then I quit messing with the system and these events stop. As it is they are infrequent. (My machine IS clean.) Then there are interactions where two programs aren't happy at certain interactions. For example, I also run DCS WormGuard. If I forget to shut down the WormGuard protection when I am installing a Zone Alarm upgrade, the upgrade process gets so far, stumbles, and then crashes off into the sunset. But if I turn off WormGuard, the install goes fine; I then turn WormGuard back on, and they both are fine.

    Point is Process Guard can only prevent termination, IF the termination is being caused by program A issuing some windows call that allows it to terminate program B. But if some other collision by Adaware with those defs brings Spybot down, then PG couldn't be expected to stop it.

    So the real question is what actually happened. Did PG block a request for termination and then allow a legitimate termination effort to succeed, or was there some other mechanism that brought Spybot down.

    If I were to bet, I'd bet it wasn't PG, but thats just me.

    Pete
     
  23. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Any termination which succeeds, like the case which was discussed, will be a Windows close message; this has been discussed many times. If you want to protect against a simple attack like this, you can do so. It is really not an issue to worry about at all. It is not an attack method any malware uses. I see hundreds of malware a day. None of them can terminate PG, or terminate a PG protected application.

    The program was never meant to be a registry protector or anything else, it does its job 100% as it was intended to do. There is no reason to worry and PG has NOT been defeated in any way. Remember - Pilli tried to reproduce the problem and the termination did NOT succeed.
     
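    The distinction Pete and Gavin draw above (a handle-based kill that a termination hook intercepts, versus a window close message that only Secure Message Handling covers) can be reproduced against a throwaway target. The script below is an added example and is not code from the thread, from DiamondCS or from Lavasoft; it assumes Windows PowerShell 5 or later, that a copy of notepad.exe is available as the target, and that the target shows a top-level window within two seconds.

```powershell
# Added example: the two common ways one process ends another on Windows.
# Not from the thread or from DiamondCS. Target program is an assumption.
param([string]$TargetName = 'notepad')

# Minimal P/Invoke so the close message can be sent to a raw window handle,
# without ever opening a handle to the target *process*.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool PostMessage(IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam);
'@
$WM_CLOSE = 0x0010

$target = Start-Process -FilePath "$TargetName.exe" -PassThru
Start-Sleep -Seconds 2          # let the main window appear
$target.Refresh()               # pick up MainWindowHandle

# Path 1: a window message. PostMessage(WM_CLOSE) needs only a window handle;
# the target's own message loop decides whether to exit. No PROCESS_TERMINATE
# access is requested, so a hook on process-termination calls never sees it.
# This is the "Windows close message" case the thread discusses, and the
# reason PG's Secure Message Handling exists as a separate protection.
$posted = [Win32.Native]::PostMessage($target.MainWindowHandle, $WM_CLOSE,
                                      [IntPtr]::Zero, [IntPtr]::Zero)
$exitedByMessage = $target.WaitForExit(3000)
"WM_CLOSE path : posted=$posted exited=$exitedByMessage"

if (-not $target.HasExited) {
    # Path 2: a handle-based kill. Stop-Process opens the process with
    # PROCESS_TERMINATE and calls TerminateProcess; that is the call a
    # termination-protection driver intercepts and can deny.
    Stop-Process -Id $target.Id -Force
    $exitedByKill = $target.WaitForExit(3000)
    "TerminateProcess path : exited=$exitedByKill"
}
```

    Run it once with the target unprotected and once with it added to PG with termination protection but without Secure Message Handling: the second path is blocked and logged, while the first still closes the window, which matches the log-says-blocked-but-process-gone symptom reported earlier in the thread. Enabling SMH for the target is what closes the first path.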
  24. Taz

    Taz Registered Member

    Joined:
    Feb 11, 2005
    Posts:
    16
    Gavin - Thanks for stopping by to comment.

    However, I still don't quite understand. Exactly how did Adaware shutdown a protected program? Are you saying it did so by simply causing a Windows close message? Also...if Adaware can do it, doesn't it seem reasonable that malware writers could do it also? Forgive me, but just because you haven't seen malware written this way so far, isn't it possible it could be written this way in the future? If it was easy enough for Adaware to do it, doesn't it seem reasonable to expect that it will only be a matter of time before malware writers also do it?

    On the other hand, if you're saying there's a way to configure PG so this doesn't happen, please tell us how we should set things up. I don't believe Pilli had everything necessary to duplicate the behavior that has been reported. If you can advise us on the proper way to set things up so this doesn't happen, perhaps someone with the old Adaware file can re-run the test and report back.

    Thanks.
     
  25. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I don't know what the fuss is here; let me explain :) Adaware has the termination privilege, right? Because it is a security program it needs termination privileges in certain cases...because terminating the malware must be possible...through PG in our case!

    However, in this case Adaware is terminating another (good) process :rolleyes:

    Only if you accept the starting up of this malware through PG, and only if you give the malware the termination privilege ;) C'mon guys...

    Yes, of course it can; everything will be possible in the future...who knows? But DCS always released a fix, very quickly...there's no doubt about that.

    Just don't give every program termination privilege; this advice has already been offered...

    No need for old Adaware signature files... :rolleyes:
     