DLL manipulation in User space installs?

I am not too scared of DLL injection/manipulation for most programs, since they are protected under UAC. But certain programs default install to User space (eg Chrome, Dropbox on my machine).

What's a good approach to stop these being tampered with, while still allowing them to update themselves, and without having to go the route of "DLL protection" which invariably slows down the system in most implementations I've seen?

 

Hello, Melf,

Can you give an example of "being tampered with?"

thanks,

----
rich

 

Appguard has dll protection, and it does not slow down my system. I have it installed on 8 machines. I have not seen any reports of it slowing down anyones machines. Its very resource friendly. Much lighter on the system than any traditional AV I have ever tried.

 

You can use Chrome alternate installer and install it in %Programfiles% - installation for all user accounts.

http://support.google.com/installer/bin/answer.py?hl=en&answer=126299

Back to question: you can use some kind of HIPS, if you want control over dll injections. Malware Defender is one option, although I don't control dll loading and don't know if it would slow down the system.

 

Is Malware Defender still only 32 bit compatible? Appguard is 32 bit, and 64 bit. It's an AE instead of a HIPS though, but it still has dll protection. Melf needs to let us know what OS he is using.

 

Yes, Malware Defender is 32 bit only

 

That's a shame. Its such a great product

 

I was thinking of DLLs being overwritten, because they are in a non-protected location in disk. This would bypass a whitelisting approach, unless DLLs are also required to be whitelisted. Despite the reports of others above me in this thread, this can often come with significant performance issues (I think it will depend in large part on the particular application which might explain the different experiences).

So, I am wondering about options that do not require a reinstall or scrutinizing every DLL. Perhaps something that guards that location in disk from processes that aren't installed there? We have to allow the program itself access without letting other programs modify it, ideally.

 

You can achieve this with Malware Defender's file rules. You can protect whatever you want and allow only some application read/write/create/delete permissions on specific files. Location of files is not important. No system slowdown when using this feature in my experience.