Icesword and PG "Free"

Discussion in 'ProcessGuard' started by TNT, Oct 30, 2005.

Thread Status:
Not open for further replies.
  1. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Today, I downloaded the 1.12 English version of IceSword (http://xfocus.net/tools/200509/IceSword_en1.12.rar); I have PG "Free" set up on this machine. Something absolutely unexpected for me occurred: with IceSword, without ever giving it permission to do it, I am able to terminate all the processes "protected" with PG, with no problem whatsoever. I even removed all "terminate" permissions from all executables in PG, since I had doubts that IceSword might hook some system program to terminate processes... but no. I was still able to terminate protected processes with no problem. I can even kill all the running Process Guard executables and, as a result, I am able to start new programs without Process Guard even showing a prompt. What gives? I am quite shocked by this. o_O
     
  2. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    TNT, once allowed to run, IceSword can do everything it wants, because it's running at a very low level (like PG) and, I think, with full privileges (like rootkits :D ). You say you're running the free version (which doesn't completely protect other processes; only the full version does), but it would be interesting to see what happens with the full version, blocking hooks and drivers.

    I guess it would block these attempts, but if IceSword does need a hook and/or driver/service to run (I disabled PG when I tested IceSword, so I don't know), maybe it will be able to terminate other processes too o_O (provided 1° you allowed it to run in the first place, and 2° allowed it driver/service install, thus allowing it to partly bypass PG's protection, even if the term is inappropriate here, as IceSword doesn't have "nasty purposes" :) ).

    The problem is, if IceSword does need driver/service enabled to run, you can't run it without this permission enabled, and then you can't check whether blocking driver/service affects its ability to terminate other processes (a sort of wheel, lol). I think I'll try it; that made me curious :)
     
  3. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Thanks. I am going to upgrade to "full" PG as soon as possible, providing there are no more surprises. ;)

    I know the free PG setup is limited, and although I would say I am fairly well protected (Deep Freeze, Kaspersky, SnoopFree, and Sygate, plus a hardware firewall and a lot of on-demand spyware scanners), I was still surprised to see just how easy it was for IceSword to control EVERYTHING on the machine (it killed anything I told it to kill: Kaspersky, Sygate, Process Guard, etc.). If this were malware, it would have taken control of the machine without problems (ok, I am guessing it would have had problems writing permanently to disk, but still); IceSword being able to run and terminate protected processes on Process Guard "Full" as well would be sort of a shock, IMHO.

    I recently tried the Morgus threat simulator, but the free PG setup and SnoopFree blocked a lot of things. It actually shows that that simulator is nowhere near as powerful as malware could ever be.
     
  4. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Right, but you still have to allow it to run first :)

    BTW, here's what I get when opening IceSword with PG full: "IsPubDrv service blocked, initialization failed" :cool: PG rocks! :eek:

    Oh, yes you're quite protected with your current setup, but personally, I wouldn't do without PG!!

    (oops, changed the pic :D )
     


    Last edited: Oct 30, 2005
  5. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    ...and as I suspected, if you suspend "Block rootkit/driver/service installation" in the Global Protection options in PG, you let IceSword in with full privileges through its only service: it was able to terminate other protected apps without any notice about it in PG here :blink: . Better to enable this protection, for those who don't! :eek:
     
  6. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Thanks. Yes, the full version is a must for me now. :)
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    That's why rootkits are so powerful ;)

    Once code is running at the kernel level, it can modify existing driver routines, unhook kernel-level hooks, implement its own hooks, install other drivers, hijack data meant for any service; the list goes on. If the coder has the time and patience to create it, virtually anything can be done.
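The two observations above (nicM's test that the "Block rootkit/driver/service installation" option is what keeps IceSword's service out, and Gavin's point that code at kernel level can unhook or bypass a guard's hooks) can be shown with a small simulation. This is an added example, not IceSword or ProcessGuard code: the service table is a single function pointer, the PIDs, the guard-hook logic and the status values are constructed for illustration, and "loading a driver" is modelled as a flag that the guard's global option can refuse to set.

```c
/*
 * Added example (not IceSword or ProcessGuard code): a simulation of why a
 * hook-based process guard holds against user-mode kills but not against a
 * second kernel driver, and why blocking driver/service installation is the
 * real gate.  Service table, PIDs and status codes are constructed.
 */
#include <stdbool.h>
#include <stdio.h>

#define NPROC 4
#define GUARD_PID 1                 /* the protected process, e.g. the guard */
#define STATUS_ACCESS_DENIED (-5)   /* constructed status value */

typedef int (*terminate_fn)(int target_pid);

static bool alive[NPROC];
static bool protected_pid[NPROC] = { false, true, false, false };
static bool driver_loaded;

/* The original kernel routine that a terminate request eventually reaches. */
static int kernel_terminate(int target_pid) {
    if (target_pid < 0 || target_pid >= NPROC || !alive[target_pid]) return -1;
    alive[target_pid] = false;
    return 0;
}

/* Simulated system service table: one slot, the terminate service. */
static terminate_fn service_table_terminate;

/* The guard's hook: refuses kills of protected PIDs, forwards all others. */
static terminate_fn guard_saved_original;
static int guard_hook(int target_pid) {
    if (target_pid >= 0 && target_pid < NPROC && protected_pid[target_pid])
        return STATUS_ACCESS_DENIED;
    return guard_saved_original(target_pid);
}

/* Fresh system: everyone alive, no extra driver, guard hook in the table. */
static void reset(void) {
    for (int i = 0; i < NPROC; i++) alive[i] = true;
    driver_loaded = false;
    guard_saved_original = kernel_terminate;
    service_table_terminate = guard_hook;
}

/* User-mode callers (Task Manager, a killer utility) go through the table. */
int user_terminate(int target_pid) {
    return service_table_terminate(target_pid);
}

/* The guard's global option: refuse to let a new driver/service start.  With
 * blocking on, this is the "service blocked, initialization failed" outcome;
 * with it off, the new code is ring-0 code just like the guard itself. */
int load_driver(bool block_driver_install) {
    if (block_driver_install) return STATUS_ACCESS_DENIED;
    driver_loaded = true;
    return 0;
}

/* Driver code does not need the hooked table entry: it calls the real
 * routine directly, so the guard's hook never sees the request. */
int driver_terminate(int target_pid) {
    if (!driver_loaded) return -1;
    return kernel_terminate(target_pid);
}

/* Or the driver restores the original pointer, after which even plain
 * user-mode kills of protected processes succeed. */
int driver_unhook(void) {
    if (!driver_loaded) return -1;
    service_table_terminate = kernel_terminate;
    return 0;
}

/* Status of a plain user-mode kill attempt against the guard. */
int user_kill_status(void) {
    reset();
    return user_terminate(GUARD_PID);
}

/* Attacker: user-mode kill first, then try to load a driver and kill from
 * ring 0.  Returns true if the protected process survives. */
bool guard_survives(bool block_driver_install) {
    reset();
    user_terminate(GUARD_PID);                /* denied by the hook */
    if (load_driver(block_driver_install) == 0)
        driver_terminate(GUARD_PID);          /* hook is not on this path */
    return alive[GUARD_PID];
}

/* Variant: driver loads, unhooks the table, then a user-mode kill is tried. */
bool guard_survives_unhook(void) {
    reset();
    if (load_driver(false) == 0) driver_unhook();
    user_terminate(GUARD_PID);
    return alive[GUARD_PID];
}

int main(void) {
    printf("user-mode kill of protected pid -> %d\n", user_kill_status());
    printf("driver install blocked : guard alive = %d\n", guard_survives(true));
    printf("driver install allowed : guard alive = %d\n", guard_survives(false));
    printf("driver unhooks table   : guard alive = %d\n", guard_survives_unhook());
    return 0;
}
```

The point the simulation makes is the one nicM found experimentally: the hook only filters calls that travel through the table, so a guard that shares the kernel with an untrusted driver cannot protect anything. The decision that matters is therefore the one taken before the driver loads, which is exactly the global "block driver/service installation" prompt.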
     
  8. Disgruntled

    Disgruntled Guest

    I've posted elsewhere about what this "tool" did to my OS, so I'm not going to repeat it all again. However, please do not run this program unless: 1) you're using a test machine, or 2) you are an expert computer user who knows exactly what is going to happen to your system when you run it. I should have my head examined for running a program whose only documentation consists of a little note which says "If you find any bugs please mail me".
     
  9. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I didn't experience any problems so far. Its interface seems reasonably simple as well.
     
  10. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    Tried TNT's link to the IceSword English version, but it didn't start downloading.

    Thought I'd install it as untrusted in my new sandbox, DefenseWall HIPS 1.0, and see if it gets out of there.

    Are so many trying to download, or is there another explanation? Can any of you retry this download link to see if it really starts downloading?

    Best Regards
     
  11. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    The link works, but it's an auto download.
     
  12. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    The first time I tried, it showed no progress after 15 minutes: not a single "green box" working its way towards the right side/end.

    The next time it showed 1 green box and stopped there for 20 minutes.

    All downloads are from my sandbox, DW HIPS 1.0, since IE is in the untrusted zone and the download window is also monitored/headed "DefenseWall 1.0 untrusted" or something like that. But that shouldn't have an influence? IceSword can't already, when only partly downloaded, start trying to inject something outside the untrusted zone into C:?

    Try again another day.

    Best Regards
     
  13. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    The site is very slow. It didn't actually take THAT long when I downloaded it, but it still took something like 10 minutes.
     
  14. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    Downloaded within the untrusted=sandbox; right-click and run as DW Untrusted: nothing happens.

    Right-click and add it to untrusted to make sure it ends up in the untrusted zone whatsoever (because it's my DW sandbox I want to test), then the normal left double-click: PG Free alerts that something wants to run a rundll.exe (I haven't got that on "always permit" yet because I don't know what it is); the folder is
    C:\windows\system32\. Permit once, and Windows says the IceSword file cannot be opened: Windows doesn't know which program to use, and I should search the web or a list for a program to open it with.

    Don't know if it's my DW untrusted=sandbox that's making IceSword unable to do what it needs to do to install, or what.

    I heard someone had IceSword mess up his PC. I don't want that; I always need help when in deep problems, and can't do the reformat of C: by myself. I am the guy that someone wrote does not exist: he who doesn't know much about anything but can't keep away from the tests. That's me.

    On the other hand, I use protection programs to compensate for my ignorance so that my PC wouldn't be messed up ;-). I have a strong feeling that if I move IceSword to trusted it will install, but can I really take care of what happens then? If it installs when trusted (not in the box), does that prove that DW is good at stopping the install when IS is in the box?

    Now I hope I have tickled someone computer-savvy who hasn't already downloaded IceSword to download DW and do the same as I did, and also go to the next step to see if it installs when not in the box. Please do my dirty work ;-)

    Best Regards
     