Keen Sense v Outpost + Process Guard

Discussion in 'other security issues & news' started by trojan, Aug 26, 2005.

Thread Status:
Not open for further replies.
  1. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
    Keen Sense killing Outpost + Process Guard

    See: Outpost killed, Process Guard has no effect.

    Link removed as the AVI clip wasn't clear. Use the link in my second post!!!
     
    Last edited: Aug 28, 2005
  2. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Re: Keen Sense killing Outpost + Process Guard

    The video cuts off right when "terminate" is clicked, can't see the results.
     
  3. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
    Re: Keen Sense killing Outpost + Process Guard

    Sorry! The clip wasn't clear. I hope this one is better :cool:

    http://my.netomat.net/trojan/kill/outpostkill35498.zip (zipped to reduce size: AVI 3 MB, zip 2 MB!!)

    At the beginning of the clip you can see that Keen Sense has no termination rights in Process Guard. You can also see that Outpost has full protection in Process Guard, including "secure message handling". The real-time file monitor at the top right of my screen displays Outpost running, as do Task Manager and Keen Sense. In the clip I try to terminate Outpost two times with Task Manager; you can see the Process Guard icon in the taskbar flashing red, indicating Process Guard has detected an event, and a balloon window also pops up. The screen capture is unable to capture the balloon messages for whatever reason, so you will have to take my word for that. Process Guard detects and prevents Task Manager from killing Outpost, AS IT SHOULD DO!

    Next I try with Keen Sense. You can see that within 1-2 seconds it's a completely different story: Outpost is killed, its entry disappears from Task Manager and Keen Sense, and the real-time file monitor no longer displays Outpost's accesses. Next I use Keen Sense to kill all programs running on screen, including Process Guard, within 1-2 seconds. At the end you can see in the system tray that Outpost is no longer running!!! Whether this test displays how weak Process Guard is or how strong Keen Sense is I'm not sure, lol, but to me it's a bit of a worry: a program designed to protect us from these attacks is obviously not doing its job!

    Hope this clip is better than the last one and allows you to see more clearly. Some of the frames in the first clip were missing/skipped; the screen capture was 44 MB and the codec I used to reduce the file to 2-3 MB caused this. The new clip uses XviD MPEG-4 and no frames are skipped. Hope this clip shows what I was trying to do. Peace!!! :)
     
  4. passing thru

    passing thru Guest

  5. Sfel

    Sfel Guest

    Hi,

    I have a question. Does this program work at kernel level? [By the way, if you could post a download link, it'd be great. The site in its title bar doesn't seem to work for me.]

    If it does, was it installed before or after PG? Because PG blocks driver installations. If it was installed before, all this means nothing, since PG's programmers always told everyone it needs to be installed on a clean system. PG would probably have blocked it from installing.

    If it doesn't, I'm sure they'll look into it some more. :)
     
  6. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
    PG's programmers always told everyone it needs to be installed on a clean system??

    lmao, kinda makes it useless then!!! A trojan bound to an application: let's say you just downloaded a program that installs drivers or services. You allow that program to install its drivers and services in learning mode or the program doesn't work. Now, do you know whether those drivers/services are genuine, or could they be a service of a bound trojan, etc.? Basically Process Guard will protect you if you install it and then never install or download anything ever again. Kinda makes no sense!!!! Or should I say Keen Sense!! lol. This proves that a working program bound to an undetectable trojan could kill Process Guard. Another point: if you don't switch your computer on and "watch TV instead" you will also not get infected!! :-*
     
  7. Sfel

    Sfel Guest

    You're generalising stuff, and giving more meaning to my words than there really is.

    PG is PROACTIVE. As in, it prevents. It's not reactive. As in, it doesn't clean the mess. Think of it as a bodyguard. He'll do his best to keep you out of harm's way, but if you do get shot/beaten/robbed, he'll just find another employer to work for. That's where the doctors/police [antivirus/removal tools] come in.

    PG was never advertised otherwise. If you do download from untrusted sites, it's the AV's business to warn you of a trojan.

    If a kernel level driver gets installed, it can do anything. That's why PG needs to be installed on a clean [just formatted] system. Saying PG is useless just because it doesn't clean/protect you from already installed malware is like saying a Kevlar vest is useless because it doesn't cure cancer.

    I kindly suggest you read the threads in the PG forum to see what its purpose is.
     
  8. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
    That's a very nice story, lol. What you're basically saying is what I have already said: Process Guard can easily be killed, simple as that. I know how and what Process Guard is meant to do, but people in the real world are going to allow drivers and services with new apps. Or basically you're saying install Process Guard and never install anything ever again; now that's not very practical. Whilst Process Guard "does the job it's claiming to do", its scope is very limited!!

    I have just coded a new program based on your logic. It's an antivirus and it will make you 100% safe: install my antivirus on a clean system, of course, then unplug your computer, put it away somewhere for safe keeping and never use it again :D
     
    Last edited: Aug 28, 2005
  9. Sfel

    Sfel Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    3
    You know how? As in, you can code a program that does it? I doubt it.

    No. I am saying, for the home user who writes books and checks email, the user you're talking about, a firewall and an antivirus are more than enough to keep them safe. Other users such as you and me [well, at least me] with riskier habits, and a tiny [ok, a little more] bit of paranoia are the ones who need ProcessGuard. And these people will know what to allow and what not to. PG isn't aimed at the solitaire player.
    I am also saying, install after reformatting. Not never install anything again after. Don't twist my words; if you don't like the program, nobody is shoving it down your throat, y'know.

    Define "its scope is very limited", please. The situations it can come in useful in are few? True. The things it can do are few? False. It's not perfect? Nothing is.

    Congratulations! When can we expect this wonderful piece of software to be in stores? I was getting sick of my AV anyway, so might as well do the change now. PM me with the details please. Think we could work something out? :p Perhaps I can be the first to get a copy? :D
     
  10. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
    I really don't see your point at all. My point is made: Process Guard is easy to kill, so I don't bother to run the program anymore; it's just a waste of resources. All you're doing is highlighting the flaws of Process Guard, of which there are many. Again you're missing the point: new software will install services and drivers. If these drivers are bound to a trojan that has the ability to kill Process Guard, then yes, your antivirus/anti-trojan is expected to detect the trojan, but Process Guard is expected to prevent the kill, which it won't. A common example is binding a trojan to a firewall or an antivirus program itself; they will ask to install drivers. Is every Process Guard user going to disallow these drivers? If so, then the software is not going to work. Again you're making no point at all, just explaining what anyone can read for themselves in the help file or on the DiamondCS website. So at the end of the day Process Guard may work if you never allow any new program to install new drivers or services, so what is the point? Please explain...
     
  11. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    What you seem to be suggesting is that because a couple of programs can terminate something protected by PG, PG is worthless. Thing is that the methods used by KeenSense and RegDefend are not easy to do, and how many programs out there do you know that will protect against 9 other methods of termination? This is kind of like saying that because any antivirus will miss a few thousand trojans, it's not worth having at all. Of course PG is not for everyone, and many would just allow drivers/services to install anyway; however, if used properly PG is your best defense against rootkits installing without your knowledge. There are plenty of trojans and spyware that will download without your knowledge and install a driver. If you're just surfing the internet and suddenly PG alerts you to a driver install, that would seem pretty suspicious, wouldn't it? Fact is that nothing is 100%, and nothing can save you from making your own mistakes.. not without making your system very, very limited in what you can do with it. There's a lot of ways you can protect your system, and PG is offered as one part of a layered defense, not a full defense suite in itself. If used properly, PG can offer a strong layer against the worst of malware, without interfering with your other security applications, and indeed fortifying those other applications. As time goes on, DCS will add protection/features as necessary.

    This may well be what KeenSense uses, I don't know.. but as you can see, it's not exactly easy to do:
    http://www.security.org.sg/vuln/procguard.html

    Trojan, there's really no need to be so confrontational.. these things can be discussed without getting personal. It would also help tremendously if you could spend some time proof-reading your posts and adding punctuation.. there are a lot of non-English speakers around here that would undoubtedly have a very difficult time reading what you're saying. Please don't take offence; I can just see a lot of mis-communication already starting. :)

    Thanks for taking the time to post the video, however; it is interesting. The next step will be to figure out what method of termination KeenSense uses, and see if there's a particular reason DCS didn't include it, or if you would just have to block the driver from installing. There has also been mention of (probably) even more advanced methods of getting past PG around, although I don't think there are many malware writers skilled enough to utilize them atm.
     
    Last edited: Aug 28, 2005
  12. Sfel

    Sfel Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    3
    Although it is rather resource hungry, it's definitely not useless. By applying your philosophy, we'd be dropping all our security software. Firewall, antivirus, antispyware, registry monitors, EVERYTHING, because they're easy to kill! WOW. Of course they are easy to kill, if the malware gets a kernel level driver installed. This is what PG STOPS!

    I'm what? :(

    First of all, everything is easy to kill once you're in kernel mode. Kernel mode driver = God [well, not really, but you get the point].

    Second, trojans bound to drivers are pretty much dead. Everyone downloads from trusted sites these days. Don't you want Process Guard to defend you if a meteor falls from the sky? Really, you're asking the impossible out of a single program.

    Third, you don't know if it won't prevent the kill. You don't know what technique that program uses, and thus far no malware can kill ProcessGuard. [I'm still waiting for a download link, BTW]

    Neither will the trojan. As said, even if installed, it's very hard for the trojan to do its stuff in kernel mode. Binding doesn't mean glued together; it's going to be just a regular trojan that PG will block just fine. If someone bothers creating their own rootkit, you can be damn sure they'll SELL it to make money, not bother binding it with some antivirus.

    Uhh, I don't think they can read what I said in the manual, but okay...

    My point is, PG is just one layer of defense. Just because it isn't perfect, it doesn't mean it's useless. Your antivirus isn't perfect, and can be considered useless. If a trojan binds itself to a game, and the AV pops up and you delete, the game won't work. If you allow it, it will kill your AV and eat your cat. That makes your AV useless, right? Wrong. Same with a firewall.

    I'm sorry if I sounded a bit harsh; it wasn't my intention at all.
     
  13. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
    I agree with you. Sorry if my spelling is bad, and I didn't realise I was being confrontational. I seem to have upset too many people already and I've only been posting for a few days. Peace!!!
     
  14. Sfel

    Sfel Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    3
    Personally I'm not upset at all. It's just a difference of opinions, nothing more..
     
  15. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
    I'm trying to find "euclides", the coder of the program, so he can explain its kill methods. I used to talk to him on another forum; I can't find him as of yet, lol. I do remember him saying that Keen unloads all DLLs of a given process and terminates drivers and services without permissions, if you can make sense of that. Peace!
     
  16. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    That would be great if you could convince him to come here :)

    Kinda sounds like the same thing Jason was describing.. basically forcing the program to go through its shutdown routine. If I'm right on that, it would be extremely difficult for PG to protect against it while still allowing you to shut down the application when you wanted to.
     
  17. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You're not in this thread, but it seemed like it could head in the direction of previous threads, so just wanted to give you a friendly heads-up :) Thanks for not taking it too personally :)
     
  18. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
    I have tracked down "euclides", the coder of Keen Sense, on an old forum and have found his ICQ number. If he still uses ICQ I'll ask him to come here or write something I can post to explain how Keen works. I found this on an old forum; it makes no sense to me, lol, but I'll post it anyway:

    Keen decrypts EPROCESS chains and PEB struct (and includes a little defence for FU).
    Lots of ring-0 and all ring-3 rootkits can't affect any function of KeenSense :cool:
     
  19. passing thru

    passing thru Guest

    I finally found my copy of Keen Sense (version 1.2.3.1) buried in a disk image made in April 2005. I believe there is at least one later version. I ran it on a test system with PG, Outpost, and Hacker Defender 1.0.0 "revisited" already installed. While it is indeed able to terminate PG-protected processes, I was more impressed with the way Keen Sense handled Hacker Defender. It not only detects and terminates the rootkit process (and hidden sub-processes), it also unloads the driver, so that you can immediately see what was previously hidden (files, registry entries, etc.).

    BTW, PG did occasionally "see" and block some of the rootkit's behavior (in about 1 in 5 restarts). On my test system, Hacker Defender had been installed in Safe Mode to get around PG. From PG's log:

    ---Process Guard Log Started---
    Sun 28 - 19:41:53 [DRIVER/SERVICE] g:\documents and settings\****\desktop\new folder\hxdef100.exe [1444] Tried to modify an existing driver/service named hackerdefenderdrv100


    So far, Keen Sense is a tool I will hold on to. Hopefully, it will be further developed.
     
  20. ct3n

    ct3n Guest

    The problem is worse than that. Jason explains that the process killing ability in RegDefend can be accomplished without touching the kernel at all.

    Bad news for ProcessGuard then, since when this method becomes widely known, termination protection would quickly become useless if there is no way to counter this.
     
  21. controler

    controler Guest

    Didn't someone say the only way to shut down a kernel process without using a kernel driver was to do it in memory?

    There was a reason DCS didn't want to stop users from manually shutting their apps down, but I cannot remember what it was. I do wonder, if you have a BSOD and cannot shut down some apps, if this is why?

    controler
     
  22. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
    Yes, Keen Sense was made for the purpose of detecting rootkits and trojans. It's a tool I have been using for over 2 years. The 1.2 build was replaced; I didn't like the new version 2.0. I think if I can find it again I'll upload it. Keen Sense is a very good tool; I would recommend it to everyone. I would also recommend that you don't keep it running, as in a few cases it has crashed and on the odd occasion it has caused a BSOD saying that "Keen Sense has unloaded drivers/services without permissions". I would say in 2 years that has happened no more than 5 times. I open Keen all the time to check what's running and to terminate any crashed program. It's Keen's ability to terminate almost anything in 1 second that I like so much; without it any non-responsive program can take so long for Windows to terminate, even when auto-end non-responsive programs is enabled in the registry :cool:
     
  23. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
     
    Last edited by a moderator: Aug 29, 2005
  24. passing thru

    passing thru Guest

    Keep in mind that in order for Keen Sense to do what it did, I had to (1) give keens.exe permission to execute via PG, and (2) give keens.exe permission to install a driver via PG after PG automatically blocked the first attempt to do so.
     
  25. passing thru

    passing thru Guest

    Thanks trojan. I will try it out tonight.
     
    Last edited by a moderator: Aug 29, 2005