DLL manipulation in User space installs?

Discussion in 'other anti-malware software' started by Melf, Jun 16, 2012.

Thread Status:
Not open for further replies.
  1. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    I am not too scared of DLL injection/manipulation for most programs, since they are protected under UAC. But certain programs default install to User space (eg Chrome, Dropbox on my machine).

    What's a good approach to stop these being tampered with, while still allowing them to update themselves, and without having to go the route of "DLL protection" which invariably slows down the system in most implementations I've seen?
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, Melf,

    Can you give an example of "being tampered with?"

    thanks,

    ----
    rich
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    Appguard has dll protection, and it does not slow down my system. I have it installed on 8 machines. I have not seen any reports of it slowing down anyone's machines. It's very resource-friendly. Much lighter on the system than any traditional AV I have ever tried.
     
  4. tomazyk

    tomazyk Guest

    You can use Chrome alternate installer and install it in %Programfiles% - installation for all user accounts.

    http://support.google.com/installer/bin/answer.py?hl=en&answer=126299

    Back to question: you can use some kind of HIPS, if you want control over dll injections. Malware Defender is one option, although I don't control dll loading and don't know if it would slow down the system.
     
  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    Is Malware Defender still only 32-bit compatible? Appguard is 32-bit and 64-bit. It's an AE instead of a HIPS though, but it still has dll protection. Melf needs to let us know what OS he is using.
     
    Last edited: Jun 17, 2012
  6. tomazyk

    tomazyk Guest

    Yes, Malware Defender is 32 bit only :(
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    That's a shame. It's such a great product :(
     
  8. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    I was thinking of DLLs being overwritten, because they are in a non-protected location on disk. This would bypass a whitelisting approach, unless DLLs are also required to be whitelisted. Despite the reports of others above me in this thread, this can often come with significant performance issues (I think it will depend in large part on the particular application, which might explain the different experiences).

    So, I am wondering about options that do not require a reinstall or scrutinizing every DLL. Perhaps something that guards that location on disk from processes that aren't installed there? We have to allow the program itself access without letting other programs modify it, ideally.
     
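The scenario Melf describes in the post above (a per-user install whose DLLs sit in a directory the non-elevated user can write to, so a replaced DLL never trips UAC) can at least be audited without any third-party tool. The following PowerShell script is an added example, not code from the thread or from any product named in it. It walks the user-profile install directories, records for each DLL/EXE whether the current user's token has write rights on the file and what Authenticode status the file reports, and lists the files that are both user-writable and not validly signed. The two default paths (Chrome under %LOCALAPPDATA%, Dropbox under %APPDATA%) are assumptions about where those installers put their binaries on the poster's machine; pass your own with -Roots.

```powershell
# Added example (not from the thread): audit per-user installs for DLLs that
# a non-elevated process could overwrite and that are unsigned or fail
# signature validation. Default paths are assumptions; override with -Roots.
param(
    [string[]]$Roots = @(
        (Join-Path $env:LOCALAPPDATA 'Google\Chrome\Application'),  # assumed Chrome location
        (Join-Path $env:APPDATA     'Dropbox\bin')                  # assumed Dropbox location
    )
)

# The token whose write access matters: the logged-on, non-elevated user.
$currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Rights that allow replacing the file or relaxing its ACL.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Test-UserWritable {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        # Resolve the ACE principal to a SID and compare against the user
        # and every group in the token (BUILTIN\Users, Authenticated Users, ...).
        try {
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier])
        } catch { continue }   # orphaned or unresolvable SID: ignore
        if ($sid -eq $currentUser.User -or $currentUser.Groups -contains $sid) {
            return $true
        }
    }
    return $false
}

$report = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Include with -Recurse and a PSIsContainer filter keeps this PS 2.0-compatible.
    Get-ChildItem -LiteralPath $root -Recurse -Include *.dll, *.exe |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            New-Object PSObject -Property @{
                Path         = $_.FullName
                Signature    = $sig.Status       # Valid, NotSigned, HashMismatch, ...
                Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                UserWritable = Test-UserWritable -Path $_.FullName
                LastWriteUtc = $_.LastWriteTimeUtc
            }
        }
}

# Files the user can overwrite and that are not validly signed are exactly the
# case in the thread: a DLL swapped out without any UAC prompt.
$report |
    Where-Object { $_.UserWritable -and $_.Signature -ne 'Valid' } |
    Sort-Object Path |
    Format-Table Path, Signature, Signer, LastWriteUtc -AutoSize
```

Two caveats a practitioner should keep in mind. First, this is detection after the fact, not prevention: it tells you that a file in a user-writable location is unsigned or has a HashMismatch, which is what the HIPS file rules and AppGuard-style protection discussed later in the thread are meant to prevent. Second, a Valid status alone is not enough, because an attacker with write access can drop a different, validly signed binary; compare the Signer column (and ideally the file hashes) against a baseline taken right after a known-good install or update rather than trusting any valid signature.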
  9. tomazyk

    tomazyk Guest

    You can achieve this with Malware Defender's file rules. You can protect whatever you want and allow only some application read/write/create/delete permissions on specific files. Location of files is not important. No system slowdown when using this feature in my experience.
     