How important is secure message handling?

Discussion in 'ProcessGuard' started by SpikeyB, Apr 2, 2005.

Thread Status:
Not open for further replies.
  1. SpikeyB (Registered Member; joined Mar 20, 2005; 478 posts)

    I've just got a copy of PG and am playing with the settings. I've found a couple of problems with SMH. Before I begin worrying about it I wanted to ask a question.

    Is it possible for malware to close down my AV without PG alerting me to the fact that the malware is running? Put another way, would I have to give malware permission to run before SMH was of any use to me?

    Thanks
     
  2. nick s (Registered Member; joined Nov 20, 2002; 1,430 posts)

    Hi SpikeyB,

    Execution protection is the first layer of protection offered by PG. If malware is not given permission to execute, then it cannot interact with protected processes such as your AV, or with your system in general.

    Nick
     
  3. Paranoid2000 (Registered Member; joined May 2, 2004; 2,839 posts; North West, United Kingdom)

    Well, it could be possible for malware to execute without PG catching it, if that malware was able to remotely cause a "trusted program" (e.g. Internet Explorer) to alter a DLL used by other programs permitted to run by PG, i.e. if a website included an ActiveX control or a buffer overflow exploit allowing it to cause Internet Explorer to modify files on your system.

    Since PG only takes checksums of the main program, it would not detect changes to associated DLL files. However, including checksums on DLLs would have performance and usability (i.e. lots of prompts) issues, though some firewalls do perform such checks on programs' DLLs before allowing them network access (e.g. Kerio, Outpost or Sygate). Abtrusion Protector performs such checks also, but this can result in far greater disk activity.

    Such an attack would be difficult to achieve and is discussed further in the MD5 for dlls thread.
     
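    The gap Paranoid2000 describes (a checksum taken only over the main executable stays valid when a DLL it loads is rewritten) can be shown with a small script. This is an added example, not ProcessGuard's code or any check the product actually performs: it builds two dummy files standing in for a program and its DLL, records a baseline under both policies, tampers with the DLL and re-verifies. The file names, contents and the hand-supplied dependency list are all constructed; a real implementation would have to read the import table of the PE image to discover which DLLs to hash, which is where the performance and prompt-volume cost comes from.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable

# Everything below is constructed: "app.exe" and "helper.dll" are dummy files,
# not real PE images, and the dependency list is supplied by hand rather than
# read from the executable's import table.


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline_main_only(exe: Path) -> Dict[str, str]:
    """Policy that records only the main program (the behaviour the post describes)."""
    return {exe.name: sha256_file(exe)}


def baseline_with_deps(exe: Path, deps: Iterable[Path]) -> Dict[str, str]:
    """Policy that also records every dependent module the program loads."""
    return {p.name: sha256_file(p) for p in (exe, *deps)}


def verify(baseline: Dict[str, str], directory: Path) -> bool:
    """True only if every recorded file still matches its stored digest."""
    return all(
        sha256_file(directory / name) == digest for name, digest in baseline.items()
    )


def simulate_dll_tamper() -> Dict[str, bool]:
    """Record both baselines, overwrite the DLL, and report which policy still passes."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        exe, dll = d / "app.exe", d / "helper.dll"
        exe.write_bytes(b"MZ constructed program body")
        dll.write_bytes(b"MZ constructed library body")

        main_only = baseline_main_only(exe)
        with_deps = baseline_with_deps(exe, [dll])

        # Something already permitted to run (the "trusted program" in the post)
        # rewrites the DLL. The main executable is untouched, so its digest
        # is still valid and a main-only check has nothing to object to.
        dll.write_bytes(b"MZ constructed library body + injected payload")

        return {
            "main_only_passes": verify(main_only, d),
            "with_deps_passes": verify(with_deps, d),
        }


if __name__ == "__main__":
    print(simulate_dll_tamper())
```

    Running it gives main_only_passes True and with_deps_passes False: the main-only policy is exactly as blind to the modified DLL as the post says, and only the policy that hashed the dependency notices. The trade-off the post mentions is visible in the code too: the dependency-aware baseline does one extra file hash per DLL on every launch, and every legitimate DLL update would become a new prompt.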
  4. nick s (Registered Member; joined Nov 20, 2002; 1,430 posts)

    Thanks for the reminder :). I had forgotten that thread.

    Nick
     
  5. SpikeyB (Registered Member; joined Mar 20, 2005; 478 posts)

    Thanks guys.

    Question answered.
     