Effectiveness of execution monitoring/app launch control - is it useless?

Discussion in 'other anti-malware software' started by Cluessnewbie, May 27, 2005.

Thread Status:
Not open for further replies.
  1. Cluessnewbie

    Cluessnewbie Guest

    I have been playing with tools like SSM, PG, TTT etc. for a while and would like to share my experiences and views on them.

    For the person who has been living on the moon for the last year, such products basically prompt you when any process tries to run. Typically, you can put them in a whitelist/blacklist, or set them to prompt. Pretty much like a rule-based firewall, except it monitors all processes, not just those asking for an outbound/inbound connection.

    After playing with them for a while I noticed prompts tended to come from 2 sources:

    1) In response to any action you do. For example, it might be clicking on a new program, or going to the service panel.

    2) Some process which was earlier whitelisted, starting another, NOT in response to your action.


    Type 1 is pretty much a no-brainer: you typically "allow always" (or set to "prompt me" in certain cases), so this kind of protection doesn't buy you anything but instead wastes a couple of seconds of your time clicking yes.

    Type 2 is a much tougher call. It's usually some process you have whitelisted earlier starting some other child process (call this a type 2a event). In many cases, this is some kind of updater, but you never can tell. Just because something is named updater.exe doesn't mean it updates! Sometimes, though, if you are playing with leak tests, it's pretty obvious something fishy is going on if you see it try to open Iexplorer.exe. But other than that, it's almost never obvious.

    It could also be (call it a type 2b event) some mysterious Windows service starting (imapi.exe, wmpiprvse??) for some MS-knows reason, in which case you would probably google it and realise "hey, it's fine" (remember to check file locations and MD5 hash if available!!!).

    In theory, type 2a events are what the app is supposed to protect you from, but I'm pretty doubtful of my ability to answer the prompt correctly. It seems to me that when you install a new program, either you trust it or you don't. If you do, you will allow it to run all sorts of child processes; if you don't, you won't run it at all!

    PS Is it me, or is PG's exe protection junk? If I put Internet Explorer on the trusted list, ANY app can launch it?? SSM's system is much better: you can define specific parent-child processes. So you can allow Firefox to launch IE (via the IEview extension), yet not open IE to being exploited by anything else?
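The post above contrasts two launch-control policy models: a global per-executable trust list (trust iexplore.exe and any parent may start it) versus per parent-child rules (allow firefox.exe to start iexplore.exe, and nothing else). The following is an added illustration written for this thread, not code from SSM, PG or any product the posters mention; both policy classes, the rule tables and the process-start events are constructed to show how the same four launches get decided under each model, and how the resulting prompts fall into the post's "type 1" (user-initiated) and "type 2" (unattended child launch) buckets.

```python
"""Toy launch-control policy engine (constructed example, not SSM/PG code).

Models the two policy styles contrasted in the post:
  * GlobalTrustPolicy: per-executable trust, so a trusted child runs no
    matter which parent starts it;
  * ParentChildPolicy: trust is granted to a specific (parent, child) pair.
The LaunchEvent records below are constructed samples, not real telemetry.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    PROMPT = "prompt"


@dataclass(frozen=True)
class LaunchEvent:
    parent: str           # image name of the process doing the launching
    child: str            # image name of the process being started
    user_initiated: bool  # True when the launch follows a direct user action


class GlobalTrustPolicy:
    """Per-executable trust: the child's name alone decides."""

    def __init__(self, trusted: set[str], blocked: set[str]):
        self.trusted = {t.lower() for t in trusted}
        self.blocked = {b.lower() for b in blocked}

    def decide(self, ev: LaunchEvent) -> Action:
        child = ev.child.lower()
        if child in self.blocked:
            return Action.BLOCK
        if child in self.trusted:
            return Action.ALLOW
        return Action.PROMPT


class ParentChildPolicy:
    """Pairwise rules: trust belongs to (parent, child), not to the child alone."""

    def __init__(self, rules: dict[tuple[str, str], Action]):
        self.rules = {(p.lower(), c.lower()): a for (p, c), a in rules.items()}

    def decide(self, ev: LaunchEvent) -> Action:
        key = (ev.parent.lower(), ev.child.lower())
        if key in self.rules:
            return self.rules[key]
        # An explicit "*" parent is the only way to trust a child globally here.
        wildcard = ("*", ev.child.lower())
        if wildcard in self.rules:
            return self.rules[wildcard]
        return Action.PROMPT


def classify_prompt(ev: LaunchEvent) -> str:
    """Label a prompt with the post's taxonomy: type 1 (user action) or type 2 (unattended)."""
    return "type1-user-action" if ev.user_initiated else "type2-unattended-child"


def evaluate(policy, events):
    """Return (event, action, note) triples; note is filled in only for prompts."""
    out = []
    for ev in events:
        act = policy.decide(ev)
        note = classify_prompt(ev) if act is Action.PROMPT else ""
        out.append((ev, act, note))
    return out


# Constructed sample events mirroring the scenarios in the post.
EVENTS = [
    LaunchEvent("explorer.exe", "firefox.exe", True),    # user double-clicks Firefox
    LaunchEvent("firefox.exe", "iexplore.exe", True),    # IE View extension opens IE
    LaunchEvent("updater.exe", "iexplore.exe", False),   # unattended "updater" opens IE
    LaunchEvent("services.exe", "imapi.exe", False),     # unattended service start
]

# Global trust list: once iexplore.exe is trusted, any parent may launch it.
global_policy = GlobalTrustPolicy(trusted={"firefox.exe", "iexplore.exe"}, blocked=set())

# Pairwise rules: only explorer->firefox and firefox->iexplore are pre-approved.
pair_policy = ParentChildPolicy({
    ("explorer.exe", "firefox.exe"): Action.ALLOW,
    ("firefox.exe", "iexplore.exe"): Action.ALLOW,
})


def decisions(policy) -> list[tuple[str, str, str, str]]:
    """Flatten the evaluation into (parent, child, action, note) rows."""
    return [(ev.parent, ev.child, act.value, note) for ev, act, note in evaluate(policy, EVENTS)]


if __name__ == "__main__":
    for name, pol in (("global-trust", global_policy), ("parent-child", pair_policy)):
        print(name)
        for row in decisions(pol):
            print("  ", row)
```

Running it shows the difference the post complains about: under the global list the unattended updater.exe launching iexplore.exe is silently allowed, while the pairwise policy turns that same event into a type 2 prompt and still lets the Firefox-to-IE launch through without asking. The imapi.exe service start prompts under both models, which is the type 2b case where the user ends up looking the name up.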
     
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi cluessnewbie,

    Good point concerning IE. I do not have it on my trusted list. I also have rundll.exe off my trusted list. Some discussion of these very common executables (pros and cons of putting them on the trusted list) in a "User Manual" would be very helpful. Really no different from a software firewall, which I use and for which I also have to make similar decisions. After a while people figure things out, though having some upfront explanation and discussion would be very useful.

    I tried SSM and the problems I have found with SSM are two-fold:

    1) It caused an enormous amount of instability on my machine, similar to what I was reading was happening on other users' machines. This leads me to believe that there may be some architectural issues.

    2) Overall support for SSM seems to be much less than for PG. Questions about these products do arise, as for any product - even MS Word (have you noticed how many books there are on Word, and yet people still survive and use it), and it is good to have support.

    Rich
     
  3. cn232

    cn232 Guest

    Hardly. Most rule-based firewalls give you far greater control. You don't just allow IE to dial out, but you can restrict it by port, by source/destination, etc.

    Rich, I was disappointed to see that instead of responding to my thoughts and doubts about the usefulness of exe monitoring, you chose instead to attach a reply to a postscript remark.

    I'm not arguing SSM is better; it was just a side remark.
     
  4. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I thought the point of .exe monitoring was to block the execution of programs that had got onto your machine without your knowledge.
     
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Heh, I think I was posting at the same time you were starting this thread, CN232. See my thoughts over in the buffer overflow thread HERE
     
    Last edited: May 27, 2005
  6. dog

    dog Guest

    Hi cluelessnewbie, ;)

    I agree wholeheartedly with this part of your assessment - I do wish PG offered finite controls for child process and launch control - I believe it's on the wishlist (thanks to P2K). Many would say/agree TTT (Tiny Trojan Trap) was/is the best sandbox available to date - too bad they discontinued it as a standalone app and chose to only offer it as an integrated (limited) version in TPF. :doubt:

    I'm either a bit paranoid or an anal control freak, because I do like/want total control, so I run both PG and SSM, along with a KPF that offers app control (behaviour blocking plus HIPS).

    All three aren't perfect yet, but I think PG is the most refined, though it badly needs the added control for child processes and a more defined launch control. SSM is nice also, but it does have some conflicts with a few apps (WMP, off the top of my head), although none to put you off/prevent you from using it. KPF probably has the farthest to go (but the latest beta is improving on that). I like them all, and truly, should one of them become "the perfect app", I'd still run all three as layered protection - I don't mind spending a ~little~ extra resources/effort on what is the most effective way to protect one's system ... rather than the remedy-type method used to date (scanners).

    In regards to whitelisted apps in PG, I do limit them to crucial system items, security programs, and a few daily-used apps; for any other I don't mind a prompt or two (I actually prefer it like this :ninja: )

    I don't think PG protection is useless at all. It could be diminished somewhat with poor choices (in re: allow always), but even that could be changed/corrected to remedy an error; overall it provides the best protection IMHO with its global protections.

    The one other thing I do long for is an "active" file protection/lock system, rather than the polling fare offered currently (RegRun is nice in this regard though).

    Regards,

    Steve
     