GSS Alpha 1.2 Feedback

Discussion in 'Ghost Security Suite (GSS)' started by Chubb, Jul 25, 2006.

Thread Status:
Not open for further replies.
  1. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    Just received Ghost Security Suite Alpha 1.200 for testing :D :D :D
     
  2. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Re: Ghost Security Suite Alpha 1.200

    The people selected for the ALPHA have been given information on how to obtain it, so expect to see some comments from them over the coming days regarding it.

    I'm going to post a few screenshots from the ALPHA. This one is from the new "System" tab which shows running processes (a "real list", not an enumerated one, which can be used to compare against, say, ProcessExplorer to detect some rootkits) along with their loaded modules.
     


  3. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: Ghost Security Suite Alpha 1.200

    and why not 'merging' your own process explorer into this all? with all those extensions this could be merged within ? ... just dreamin .. but the efforts were already made I guess ?
     
  4. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Re: Ghost Security Suite Alpha 1.200

    This screenshot is from the improved AppDefend tab. Hopefully this will be an easier to use improvement over how it was previously. Multiple selection of multiple processes and specific rules is now allowed. Editing is "hidden" away with a right click making the GUI a little less complicated.

    You can also see the network rules section which will be the place to put specific IP rules to disallow/allow.
     


  5. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    Re: Ghost Security Suite Alpha 1.200

    Hi Jason,

    Do you have any built in tools for debug logging of errors encountered? I would like to turn on debug logging from the beginning, so that I will not miss the moments when bugs would occur. Sometimes, it is not easy to reproduce the error again.

    Thanks...
     
  6. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: Ghost Security Suite Alpha 1.200

    those network rules do look really cool :) :) and AD looks better, true
     
  7. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Re: Ghost Security Suite Alpha 1.200

    I'm not sure what you mean exactly? Why did I bother adding this process list? Simply because very few, if any, products show you a real process list (which cannot be wrong, unlike processexplorer, taskmgr, etc).

    GSS now monitors every single process execution which occurs on the system, it is a boot driver and you will see it before you see windows load.

    This list was also added because of some right click "options" which will be related to RegDefend and AppDefend rules. I don't plan on rewriting Process Explorer into GSS, that will be kind of pointless. The features you can't find elsewhere however will be there.
     
  8. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Re: Ghost Security Suite Alpha 1.200

    Here is a screenshot of the new Alert (which will look similar for RegDefend also).

    Another thing this screenshot shows is the new "message" protection AppDefend now has. In this case it is protecting against the CLOSE message from the DiamondCS tool APT. I know a lot of people have wanted this.

    Shatter attacks are now also protected against (preliminary support) which are in a similar vein.
     


  9. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    Re: Ghost Security Suite Alpha 1.200

    Got mine running too.

    Sent some initial feedback to email address in PM.
     
  10. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Re: Ghost Security Suite Alpha 1.200

    I'm not sure what kind of errors you want to "log", but if a BSOD occurs, the crash minidump/dump will be useful to me. Apart from the standard ways to log any errors there are no "internal" ways to "log" things apart from configuring AppDefend to log specific items.
     
  11. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: Ghost Security Suite Alpha 1.200


    ok, thought the point was making your ProcX his way into GSS .. with all his own capacities .. but now I hear you .. it is even better .. well thought if I may say ..

    sorry for misunderstanding ..
     
  12. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Re: Ghost Security Suite Alpha 1.200

    No, I think I misunderstood what you were trying to say. :)

    ProcX was developed by GKWEB, and hosted as a Ghost Security product. I did not actually develop it. Products like ProcX/ProcessExplorer/etc are useful tools, what GSS will be offering will be something different, although similar. :)
     
  13. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: Ghost Security Suite Alpha 1.200

    exactly .. and if I can read between the lines it will something useful .. if cooperable with the other kernel players .. but then again: a coder like you .. :thumb:
     
  14. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: Ghost Security Suite Alpha 1.200

    I must say that this is a very thorough upgrade Jason .. and at first sight there are still some stuff left aside like network rule creation (wondering how this will be implemented, we'll see .. ).. my other frustration was a lack of learning curve .. even before windows logon was going on .. therefore .. learning mode is nice .. or a timer on the accept all (windows update installs .., .)
     


  15. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: Ghost Security Suite Alpha 1.200

    not this popup exactly, but all others too, just to avoid confusion..
     
  16. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: Ghost Security Suite Alpha 1.200

    a double click on one of the two options to avoid going back to the "Allow" button?
     
  17. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: Ghost Security Suite Alpha 1.200

    Another little bug ..

    btw

    AMD64 X2 4400+ machine but no win64 Environment.
     


  18. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Re: Ghost Security Suite Alpha 1.200

    There is no learning mode in the ALPHA "on purpose". I designed it like that so the testers could see how early GSS starts, and how you don't need a learning mode for it to work on your system (a lot of other programs *NEED* a learning mode/automated rules for your machine to even bootup).
     
  19. tayres

    tayres Guest

    Re: Ghost Security Suite Alpha 1.200

    Nice to see the network rules.

    But what happened to the ip address that used to be shown in the alert window when a network connection was attempted?
     
  20. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    Re: Ghost Security Suite Alpha 1.200

    I am not seeing what Infinity has reported in his two posts:

    https://www.wilderssecurity.com/showpost.php?p=803766&postcount=14
    https://www.wilderssecurity.com/showpost.php?p=803779&postcount=17

    When I have GSS check for update I get, "Error downloading update file". I am guessing this is not turned on just yet. As for the checksum check, it runs through my list and does not present an error. AFAICT all of my Allow always permissions have stuck. I have not re-booted just yet, but will shortly.

    My initial impression is WOW! This is going to put Ghost Security way ahead of the competition. Jason, thank you for all of the hard work you put into this.
     
  21. some made up name

    some made up name Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    60
    Re: Ghost Security Suite Alpha 1.200

    testing in XP atm ... will do 2k and 2k3 a little later ;)

    anyway, this is what i found so far (some have already been mentioned, but i'll repeat them to say that i'm getting them too ;) ):

    logo on logon screen still says "this computer protected by"
    should be "this computer is protected by"
    animated ghosts block buttons (could set mouse hit detection to transparent)
    eg. if ghost under mouse over AD button, cursor changes to say can't use button
    if ghost under mouse over User Login button, cursor changes to say can't use button
    (i must admit, i didn't try to see if you can click through the ghosts ... i relied on the mouse cursor)
    network connect always allow must be doing so for specific info not show
    if network connect and always allow, could allow for all network connects
    when maximizing then minimizing an alert, the maximized version is still visible

    time/date could be in system format
    ie. i have date as d/MM/yyyy
    it is probably currently in yyyy/MM/d format
    what if day was 6, would lead to day / month confusion
    if it is for sorting ease (as year advances less than month, which is less than day) then time should be after date
    adding a new application under AppDefend -> Maintenance with blank info adds blank entry
    this could be handled via default
    this is related to the blank entry error with SHA256 -> Check Now

    DeviceTree 2.18 driver install not detected

    the modules listed under info -> system claim to be sorted by name ... but are not

    could add an 'ignore hash changes' feature


    ok ... ntcrash results for xp (cmd line: -l)
    0xfd - seemed to stall ntcrash
    0x101 - seemed to terminate ntcrash
    0x10b - csrss wanted to terminate ntcrash
    0x10f - seemed to stall ntcrash
     
    Last edited: Jul 26, 2006
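    Two items from the list above go together: the blank rule that trips up "SHA256 -> Check Now", and the suggested per-rule "ignore hash changes" switch. The script below is an added example of how such a hash check can be written so that a blank entry is reported rather than failing the run, and so that rules flagged as ignore-hash are skipped. It is not GSS code or Ghost Security code; the rule format (`path`, `sha256`, `ignore_hash`), the status names and the sample files built in a temporary directory are all assumptions made for the example.

```python
"""Executable hash rules with a per-rule "ignore hash changes" flag.

Added example, not GSS code. A rule maps an image path to the SHA-256
recorded when the rule was created. The rule layout, status names and
the sample files are assumptions for this example.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large executables do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_rules(rules):
    """rules: list of dicts with keys 'path', 'sha256', 'ignore_hash'.

    Returns {path_or_label: status} where status is one of
    'ok', 'changed', 'ignored', 'missing', 'invalid'.
    A blank path or a malformed hash is reported as 'invalid' instead of
    aborting the whole check (the blank-entry case from the thread).
    """
    results = {}
    for i, rule in enumerate(rules):
        path = (rule.get("path") or "").strip()
        expected = (rule.get("sha256") or "").strip().lower()
        key = path or f"<blank rule #{i}>"
        if not path or len(expected) != 64:
            results[key] = "invalid"
            continue
        if not os.path.isfile(path):
            results[key] = "missing"
            continue
        if rule.get("ignore_hash"):
            results[key] = "ignored"      # trusted by path only, hash not compared
            continue
        results[key] = "ok" if sha256_file(path) == expected else "changed"
    return results


def demo():
    """Create constructed sample binaries in a temp dir, record rules for
    them, modify two of them, and return the check results keyed by base name."""
    with tempfile.TemporaryDirectory() as d:
        stable = os.path.join(d, "stable.exe")
        updated = os.path.join(d, "updated.exe")
        self_update = os.path.join(d, "self_update.exe")
        for p in (stable, updated, self_update):
            with open(p, "wb") as f:
                f.write(b"MZ constructed sample " + os.path.basename(p).encode())
        rules = [
            {"path": stable, "sha256": sha256_file(stable), "ignore_hash": False},
            {"path": updated, "sha256": sha256_file(updated), "ignore_hash": False},
            {"path": self_update, "sha256": sha256_file(self_update), "ignore_hash": True},
            {"path": os.path.join(d, "gone.exe"), "sha256": "0" * 64, "ignore_hash": False},
            {"path": "", "sha256": "", "ignore_hash": False},   # the blank entry
        ]
        # Simulate an update to two binaries after the rules were recorded.
        for p in (updated, self_update):
            with open(p, "ab") as f:
                f.write(b" patched")
        res = check_rules(rules)
        return {os.path.basename(k) if os.path.sep in k else k: v for k, v in res.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:20} {status}")
```

    Note that an ignored rule is trusted on path alone, which is exactly the trade-off the suggested feature makes: convenient for self-updating programs, but anything that can write to that path inherits the rule, so it belongs on a small, deliberate set of entries.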
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Re: Ghost Security Suite Alpha 1.200

    Will it play with MBR?

    Secondly I don't like the GUI. There should be one simple black and white skin at least. I just feel strain while working with any of the GUIs of the suite, not with other appliances.
     
  23. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Re: Ghost Security Suite Alpha 1.200

    yes, that's the least you can say, that it starts very very early! as for an alpha, you've done a great job.

    I have shut down my computer and later, after work, I'll see what brings the rest. then I'll install it on another virtual session and trial it further.

    Hi Disciple, the first post was about the popups driving me crazy before windows even booted up (great boot protection)

    the second (regarding that blank errorline) .. that's good for you that you do not experience it.

    now up to work, the rest is for later.

    best wishes,
     
  24. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Ghost Security Suite Alpha 1.200

    Nice work Jason, Coming on really well.

    I notice a few things are not yet enabled but it is only an Alpha :)

    I like this part: Screenie taken of the Alpha Alert tab running in the free VMserver.
     


  25. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Re: Ghost Security Suite Alpha 1.200

    smun,
    My understanding of the driver protection in AppDefend was that it doesn't cover "normal" driver installs but instead the less documented methods that more advanced rootkits can use to load into memory (without necessarily persisting the driver into the registry). The regdefend component covers a standard persistent install where registry values are created (either by the process itself or via a standard api request to services.exe).

    How did you maximise the alert, the window that is displayed doesn't have any titlebar (and max/min) buttons ...
    I definitely agree with this one, having a choice of date formats would be very useful. Everyone has their own personal preferences for such things and the day and month confusion is unfortunate but can be common

    Not a bad idea but in some cases you might want to specify a wildcarded filename pattern to go with that, for those programs that create files with predictable names in temp directories for example
     