Is it possible to add a whole folder in the protected list ?

Discussion in 'ProcessGuard' started by HoLmEc, Dec 8, 2004.

Thread Status:
Not open for further replies.
  1. HoLmEc

    HoLmEc Registered Member

    Joined:
    Sep 30, 2004
    Posts:
    17
    I wonder if it's possible to add a whole folder, such as c:\program files or c:\windows, into the protected list, instead of adding all .exe files from these folders.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Hi HoLmEc

    The quick answer is no. ProcessGuard has to know the signature of an exe file to check it before execution. As to the protection list, it is extremely unlikely that everything in any one folder would need the same protection.

    Pete
     
  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi HoLmEc,

    Even though it might be more work, you will be more secure if you only add executables with your permission as they execute. PG is behavior-based intrusion protection. That means that once you set PG up, you want it to alert you when something out of the ordinary happens. If you give blanket permission to directories like C:\Program Files, you will be defeating the purpose of PG.

    Nick
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    The definite answer is no. How are you going to add a folder? You can't execute a folder, so it won't get added to security protection. Try adding one manually (I tried) to your protection list. Can't do it.
     
  5. HoLmEc

    HoLmEc Registered Member

    Joined:
    Sep 30, 2004
    Posts:
    17
    Hi folks

    Umm, I see. I would like to do it the same way as Prevx does, which protects all .exe files in your c:\program files and c:\windows from being modified or even added. I like it because I suppose it protects against unknown viruses (when one tries to modify and infect a file there, it won't be possible, so I install most files in this folder), and most worms/trojans copy themselves into the c:\windows folder, so that is denied too.
    Nevertheless, I prefer PG because it protects against termination and is much lighter; Prevx is damn heavy on my system.
    I know both programs are different, but it would be nice if I could protect all my .exe files in these folders from being modified or accessed using PG.

    P.S.: I don't know if I used the correct term. When I said "protected list" I meant protecting files from being modified/accessed/terminated.
     
    Last edited: Dec 9, 2004
  6. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    HoLmEc,
    If you were just wanting to add lots of programs to the security list as a "permit once" item, but not to the protection list to get checksum protection, then you could do it. This would also work to add them to the protection list, but either way I don't think it would be a good idea....

    PG only protects executables and (currently) not DLLs, so there is no point in including them in your search. It would be nice to have it all managed in one place and happen automagically, but it isn't in the product at the moment and nobody knows if or when it might be added.

    PG doesn't need to provide this facility. If you really want to do it, get a Windows command-line version of unix find and have it find the *.exe files under a starting directory and execute them... you should then have a whole bunch of entries in the security tab with "Permit Once" and their checksum recorded.

    I wouldn't suggest blindly following the steps below, but it's a free world, and let nobody say you weren't supplied with enough rope. You can always take everything out of the lists again and/or reinstall PG if you don't like the results.

    I also wouldn't execute what is produced without editing the cmd file.
    It will contain all the uninstall executables and many other executables you are never likely to run. PG might well become slower as a result of filling up a Windows list box (which will be paged back into memory every time you run a program) with loads of executables you aren't likely to be running.
    You may achieve better performance using another specialised program to keep checksums and using PG just for those programs you regularly execute.
    [NB: Just making a guess at what might happen]

    Here is a little example of what I am referring to, using Outlook Express because you probably have it installed:
    Program Files\Outlook Express\msimn.exe
    Program Files\Outlook Express\oemig50.exe
    Program Files\Outlook Express\setup50.exe
    Program Files\Outlook Express\wab.exe
    Program Files\Outlook Express\wabmig.exe
    Those are the executables, and how often are you likely to run anything other than msimn.exe?
    If you just add everything you effectively have 4 useless entries with 1 good one, and doing that for everything in Program Files will probably create a bit of memory overhead that you might find detrimental to performance.

    If you follow the steps below, then because all these apps are "deny once" with a similar timestamp to the others you executed at the same time, you will know that this is an executable that you don't normally use (when looking at the security list).

    Unfortunately, when the next PG prompt is displayed it doesn't tell you the last time that the program was executed and that you chose to "deny once"; that would be a useful enhancement for when programs are denied... and especially useful if you do something like this.
    [added as a suggestion to the wishlist thread]



    One way to achieve what you want to do:

    Don't be starting up other applications at the same time, as you might inadvertently change the security options for something else that starts up (not a big problem if you do, as you will just get a prompt the next time that app runs, but it might be confusing).

    • Firstly, on the Main tab make sure that:
    Protection Enabled is ticked
    Execution Protection is ticked
    "block new and changed applications" is NOT ticked
    Learning mode is NOT ticked

    Global Protection options don't matter for this task, as nothing will be allowed to execute
    (I prefer to leave them ticked so that PG is doing its job...)

    • Use a unix-style "find" command to execute all of the programs in your target directory.
    So get a working unix-style "find" from somewhere; there is one at unixutils.sourceforge.net
    Get UnxUtils.zip and unpack it into a convenient directory (like c:\gnu32). You only need the executables find.exe and sed.exe for this task, so you could just extract those 2 by themselves.
    The commands to do it would then look like this (from a command window).
    NB: If anyone is wondering why I didn't use "-exec", it was initially because anything with a "Deny Always" already set up stops the find from running at that point, and secondly it makes more sense to review the list before running it.
    You could add some exclusions to the find command to exclude what I would consider dross. The find & sed command below, up to the "> runit.cmd", all belongs on one line (just like the one above but a bit longer...).
    You can put the command into a cmd file if you like rather than typing it all in at a cmd prompt.

    • All executables that are already in your security list as permit always *will run* when you start the cmd file, so this will probably thrash your memory and hard disk for a little while as you are closing them down...
    Running this cmd file will result in every executable that was found attempting to execute, and you clicking on Deny (or Deny All) each time (if the program was not already registered as permit always).
    If you are using 3.0 or 3.05:
    • click on Deny for each app and it will be checksummed in the security list
    If you are using 3.1:
    • tick the "always" box and click on Deny, and it will be checksummed in the security list
    • Once you have run all of them, sort the security list by "Last Action" and go to the part of the list showing the "Deny Always" programs.
    • Select only those programs that you just ran (which should be identifiable by the timestamp)
    • then right click and choose "Change Last Action" and "Set to Deny Once"
    • at this point you could right click and "Add to Protection List" to get the default protections
     
    Last edited: Dec 9, 2004
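The find-and-sed generator that the post above refers to is not reproduced on this page. As an added illustration of the same technique (this is not gottadoit's command and not part of the original thread), the script below builds a runit.cmd that contains one quoted launch line per .exe under a directory, so that each program can be started and checksummed by ProcessGuard one at a time. It assumes a GNU-style find and sed, which is what the UnxUtils package supplies for cmd.exe; the exclusion patterns for uninstallers and setup stubs are this example's own choice of "dross" and can be adjusted. Like the post, it deliberately does not use -exec: the file is written out for review and nothing is executed by the generator itself.

```shell
#!/bin/sh
# Added example, not gottadoit's command: write a runit.cmd that starts
# every *.exe beneath a directory, one quoted path per line, so that
# ProcessGuard can prompt for (and checksum) each program in turn.
# Nothing here runs the programs; edit runit.cmd before you execute it.
#
# Assumes GNU-style find and sed (UnxUtils ships both for Windows).
# The 'unins*' / 'setup*' exclusions are this example's own notion of
# executables you will never run on purpose; tune them as you like.

make_runit() {
    root="$1"   # directory to scan, e.g. "C:/Program Files"
    out="$2"    # cmd file to write, e.g. runit.cmd

    # 1. list every *.exe (case-insensitive) under $root
    # 2. drop uninstallers and setup stubs
    # 3. sort, so the file is reviewable and the run order is predictable
    # 4. turn slashes into backslashes and quote each path (spaces!) so
    #    every line is a cmd.exe command that launches that one program
    find "$root" -type f -iname '*.exe' \
        ! -iname 'unins*' ! -iname 'setup*' \
        | LC_ALL=C sort \
        | sed -e 's#/#\\#g' -e 's#^.*$#"&"#' > "$out"

    # return value for the caller: number of launch lines written
    wc -l < "$out" | tr -d ' '
}

# Usage: sh make_runit.sh "C:/Program Files" runit.cmd
if [ "$#" -eq 2 ]; then
    make_runit "$1" "$2"
fi
```

Running the generated file is the step the post warns about: anything already on "permit always" will actually start, and everything else produces a ProcessGuard prompt to deny, so prune runit.cmd first and do not have other applications starting at the same time.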