keen sense v outpost+process guard

Discussion in 'other security issues & news' started by trojan, Aug 26, 2005.

Thread Status:
Not open for further replies.
  1. ----

    ---- Guest

    (1) is irrelevant in terms of PG's claim to block process termination.

    As for (2), the method referenced here seems to work in user mode.

    https://www.wilderssecurity.com/showthread.php?p=541221#post541221

    It seems that this 'self termination' isn't addressed by Secure Message Handling?
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    Like passing thru said, since PG automatically blocks hooks, drivers etc., doesn't that count as PG already protecting you? Of course, since PG relies on the user for such decisions, it's still possible for a new user to allow such an action to occur. And like ---- said, doesn't SMH protect in some way from self termination?
     
  3. ---

    --- Guest

    I think this argument is a bad one.

    I suppose if we carried your argument to its logical conclusion, the only thing you need is execution protection, since logically PG would 'protect' you from any malware if you had the foresight to click no when you started running the malicious software. The only problem is, you didn't know it was malicious when you started installing it.

    Heck, if you had such foresight, you wouldn't even need PG; just don't install the malware :)

    The same problem, to a lesser degree, comes about when asking a user to decide if a process should have global hooks, drivers etc. How the heck is any user, even an experienced one, supposed to know if it is supposed to have this?

    Either you trust it, or you don't. If you don't, why the heck are you installing it?

    I suppose one answer is that you "semi-trust" it enough to run but not to do certain things. But if even this is no longer certain......

    The promise PG gives you is that you can allow processes to run and still get some protection by preventing them from terminating other processes, getting global hooks etc.

    The install-driver thing, I agree, is a different kettle of fish, but it seems even user-mode programs can terminate other PG-protected processes!

    So even if I refuse to give any normal program any rights at all, it still can terminate my programs!!

    Not only new users. Just because you have been a reader of this forum for, say, 2 years doesn't mean you can spot malware better than a noob just by looking at the prompt PG throws up when you install a new program.

    Not against the method RegDefend is using. Test it yourself.

    That is why I say there is a problem. A user-mode program that can terminate other processes means PG's termination protection is useless.

    Since PG termination protection is one of the main and most important features in my book, I think this is a big problem.
     
  4. ---

    --- Guest

    Let me clarify what I'm saying.

    Based on what Jason is saying, there can be a program X that doesn't require kernel access, doesn't require any rights at all, and can terminate any other program, even PG-protected ones.

    The only thing PG can be said to do against this is that when program X runs, execution protection spots it. This is scant protection, of course, if this is a program you run yourself or install yourself.

    Of course you could choose not to run the program, but in that case, you would be equally protected, PG or no PG.
     
  5. trojan

    trojan Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    123
    Location:
    london
    Point well made, ---guest. I think some people are such die-hard fans of their software applications that they are not willing to see common sense. You are basically saying what I have said already, but you have put it in a better way. Hope some of the other people on the forum can grasp what we are saying; maybe it's my poor grammar confusing them, but after your post there is no excuse. Peace!! :cool:
     
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Well PG, like any software of its type, relies on user judgement. If a program tries to run without you explicitly triggering it, you can stop it. If a program tries to install a driver when its description suggests that it doesn't need to, you can stop that too. Saying that PG is useless because a user can override its protection is like saying all anti-virus software is useless because a user can choose to ignore their warnings.
    Block it and see what happens - that is the approach I use for software and parallels how I would treat network connection attempts also. Yes, some programs do then fail wholly or partially but then you can review your decision and try again if need be.
    The key word here is "some" - without PG or similar software, if malware gets to run then your system is toast. PG and similar programs allow you to limit the damage.
    Keen Sense is not really an exploit in that it does need to install a driver to work. RegDefend seems to be a different case, but its author had written PG also so would be the best able to work around it. Doubtless this will encourage DCS to provide an update which corrects this, just as PG v3 included an update to fix the SDTRestore exploit.

    PG is not a guarantee of 100% security, no product is and a quick search through the PG forum should turn up other weaknesses also. However it does provide considerable extra security and is still a worthwhile addition to most systems.
     
  7. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
  8. ---

    --- Guest

    Yes, clearly. But this provides zero protection against software you run explicitly, which is the point. This is the very area where people bash AVs and ATs, but don't realise that PG and other so-called HIPS provide zero protection.

    Despite all this talk about catching malware as soon as possible, the most dangerous threat for most people is still trojans via self-installation.

    Sadly, very few programs state whether they install a driver. And no one has yet tried to come up with guidelines about when and when not to allow driver installations, global hooks etc. besides saying whether you "trust" them or not.

    And even if there is a description saying X requires drivers, it still doesn't help you, for obvious reasons, unless you trusted the author.

    I'm not sure which "protection" you are talking about, but still that would be a very poor understanding of my argument. My argument is not that users choose to override protection because they are ignorant, but rather that PG provides almost illusory protection because you don't know what is being warned about: it either "warns" about everything (execution protection) or it warns about behavior that is hard to understand.

    I could market "File Guard", which alerted every time some file was created or modified anywhere and prompted you, and I would claim it provides almost 100% protection, since any malware would have to eventually write to the hard disk. You would protest, how would any user know this file write could be harmful, and I would say

    "Saying that FG is useless because a user can override its protection is like saying all anti-virus software is useless because a user can choose to ignore their warnings." :)


    Another problem with comparing AVs to PG's execution protection:
    The main difference is that when an antivirus tells you something is bad, you have a very high likelihood of knowing it is correct, false positives notwithstanding. So that is really a warning you are foolish to ignore.

    A prompt telling you that a program you explicitly started is now starting is useless. One telling you that a program is asking to install drivers is almost as useless, even if accompanied by a readme that tells you this is what it is supposed to do.

    I agree that if you do KNOW that it shouldn't install drivers and it suddenly does, then PG would be useful, since you probably have a trojanised copy, but this is a rare case.

    Most of the time, though, you have no idea if it should or not, and you are down to deciding whether to trust the author or not. The very same situation, PG or no PG.

    The problem of course is that behaviors like service installing, process starting, global hooks are not even close to being reliable indicators of malware activity. Add the fact that most of these behaviors are difficult to understand, and you have an idea why I think PG isn't really good protection.


    The problem is, if you block it and it fails, what do you do? The analogy with firewalls is tempting but fails. You normally know exactly what a network connection means and what it would do, and you could sniff the connection, check where it's connecting etc.

    I doubt if you could tell me what exactly blocking a driver installation or global hook would do to a specific program.


    Let us assume for the sake of argument that most programs don't install drivers. Say only 20% do. So for 80% of the cases, a PG and a non-PG user are equally secure or vulnerable. So that leaves the remaining 20% of cases.

    In the remaining 20% of cases, a PG user gets a warning that the software is installing drivers, a warning a non-PG user won't get.

    In this scenario (20% of the time), PG could be useful; the problem is you have no idea at all whether to respond yes or no. Sure, you could try blocking it, and the high likelihood is it fails. Now the question is, what do you do?

    Are you really certain you managed to protect your computer? Or have you actually stopped yourself from using some legitimate software that you really wanted to use?

    Notice that for AVs, 99% of the time you actually did some good by declining to run it.



    Some? I'm sure you know that refusing to allow driver installation for programs that request it almost certainly means the program won't work.

    I'm looking at all these anti-rootkit detectors and most claim they need to install drivers; should I allow them or not? If I don't, they obviously won't work. If I do, I run the risk of getting infected.

    As a PG user, PG doesn't contribute to my security at all in respect of its ability to block drivers, since I face the exact same decision PG or no PG.

    As long as you agree that an update is required, we are in agreement. Just be sure not to fall into the trap of saying that it doesn't matter because nothing is 100% and sweeping it under the rug, as you seem to be in danger of doing below.

    Personally I'm not a fan of 2 types of arguments:

    1. (When an exploit is pointed out) So what if it isn't 100% foolproof? Nothing is.

    2. Sure, software X can't really do Y or Z, but because it can do <insert some other rare case>, and despite the fact that <insert dozens of problems in terms of usage>, it is worth using. Layers, you know.

    The first is just a lazy attempt to bury your head in the sand.

    The fallacy of the second is obvious. Dig hard enough, and I can argue for the usefulness of anything, but whether it's a realistic case is another matter.

    Each of the features of PG can be useful in specialised cases; I just doubt it in the case of a typical Wilders user. E.g. execution protection is nice if you are a noob running IE unpatched and constantly getting hit by all sorts of drive-by downloads.
     
  9. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    You answered your own argument:
    I don't believe PG is intended for computer-illiterate people, as it relies entirely on user interaction; thus even if someone had PG, it wouldn't help if they always clicked allow. And if a service or hook got blocked, they'd complain their software doesn't work.
    I agree on this, but PG is a HIPS and it's intended not to use databases or definitions. For that we already have antiviruses and antitrojans.
    I would think the opposite, as a Wilders user would know how to use PG. Noobs would be better off with AVs and ATs, which give far fewer false positives.
     
  10. ---

    --- Guest

    No I didn't. I was trying to be generous by showing a very rare case. If I tried hard enough, I could imagine scenarios where a certain behavior or software MIGHT be useful, though the likelihood of it occurring is very low.

    I think even for a computer-literate person, PG is almost impossible to use.
    The problem is this: even such a person doesn't know what driver installation means exactly, and when he should allow or disallow it.

    It's comforting to think of oneself as being computer literate and smart enough to use PG, but if you consider it, you will realise you don't exactly know what you are doing when you block drivers. You don't know why either.

    Yes, and HIPS should target behaviors that

    (1) have a high likelihood of being dangerous, and
    (2) are easily understood by the computer literate.

    Monitoring autostarts is useful because it is easy to understand.
    PG's termination protection is another.

    I find the other PG features pretty useless.

    This is with reference to execution protection in PG.

    My point is not that Wilders users don't know how to use HIPS better than noobs (even though this is an argument that is not without merit, depending on which part of HIPS, e.g. PG's blocking of global hooks), but rather that noobs are more likely to need the protection of HIPS to avoid drive-by downloads.

    Sadly, noobs are the ones least likely to be disciplined enough to use execution protection either. And those skilled enough or who care enough to use it are probably secure enough anyway.
     
  11. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    I suppose you have to try and work it out for yourself.

    On my machine there are 11 files that would like to install global hooks. Of these only two will not work without them. These are character recognition software for my graphics tablet (seems reasonable that a global hook would be required) and a keylogger (again seems quite obvious). So, if anything wants to install a global hook, it gets blocked unless it's really obvious it needs it.

    I have 8 programs that want to access physical memory. These are all windows files. If anything else wants to access physical memory it gets blocked.

    During the installation of software I have noticed that certain types of software want to install drivers or services. For example, AVs want service installation. Daemon, which creates virtual drives, requires driver installation. On the other hand, Golden Section Notes (software for creating and storing notes) does not need driver or service installation. Hence, if I install a piece of software for creating and storing notes and it wants to install a driver or service, I will block it and then probably get rid of it.

    In respect of my comments, I guess that a PG user does have more (how much more? you tell me) protection than a non PG user.

    In all the comments, we seem to be ignoring installation not initiated by ourselves. Here, PG's execution protection is definitely of benefit.

    I know it was stated that "the most dangerous threat for most people is still trojans via self installation" but it's a bit of a throw away comment. Here, how's this, "the most dangerous threat for most people is still the installation of trojans via drive by downloads".

    Which comment has most validity? I don't know.
     
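The post above amounts to a default-deny policy: record which programs genuinely fail without a privilege, allow only those, and block anything else, with a category sanity check at install time (notes software has no business installing a driver). The following is an added example, not code from the thread or from Process Guard, that encodes that policy. The baseline paths, category table and event format are constructed for illustration; the point is that "expected for the category" still ends in a trust decision, which is the objection raised earlier in the thread.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed for this example: a baseline recorded on a clean machine, in
# the spirit of the post above (programs that actually fail without the
# privilege). Paths are lowercase so lookups are case-insensitive.
WINDOWS_DIR = r"c:\windows\system32"
BASELINE: Dict[str, Set[str]] = {
    "global_hook": {
        r"c:\program files\tablet\handwrite.exe",  # handwriting recognition for a tablet
        r"c:\tools\keylog.exe",                    # a keylogger the user runs on purpose
    },
    "physical_memory": {
        WINDOWS_DIR + r"\csrss.exe",
        WINDOWS_DIR + r"\winlogon.exe",
    },
}

# Hypothetical category expectations: what each kind of software plausibly
# needs at install time. A notes program needs nothing privileged.
EXPECTED_BY_CATEGORY: Dict[str, Set[str]] = {
    "antivirus": {"service_install", "driver_install"},
    "virtual_drive": {"driver_install"},
    "notes": set(),
}


@dataclass
class Event:
    process: str                    # full path of the requesting process
    action: str                     # global_hook | physical_memory | driver_install | service_install
    category: Optional[str] = None  # what the software claims to be, if known


def evaluate(ev: Event) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is one of allow, block, ask."""
    path = ev.process.lower()
    if ev.action == "physical_memory":
        # Baseline plus a path check: the baseline entries are Windows files,
        # so a same-named copy dropped elsewhere must not inherit the allow.
        if path in BASELINE["physical_memory"] and path.startswith(WINDOWS_DIR):
            return "allow", "Windows file in the physical-memory baseline"
        return "block", "physical memory access outside the Windows baseline"
    if ev.action == "global_hook":
        if path in BASELINE["global_hook"]:
            return "allow", "program known to need a global hook"
        return "block", "global hook not in baseline; block unless it obviously needs one"
    if ev.action in ("driver_install", "service_install"):
        if ev.category is None:
            return "ask", "unknown software category; this is a trust decision"
        if ev.action in EXPECTED_BY_CATEGORY.get(ev.category, set()):
            # Expected for the category, but an AV that legitimately needs a
            # driver could still be trojanised: keep the human in the loop
            # rather than auto-allowing.
            return "ask", f"{ev.category} software plausibly needs {ev.action}"
        return "block", f"{ev.category} software should not need {ev.action}"
    return "ask", "no policy for this action"


def decide_all(events) -> Dict[str, str]:
    """Evaluate a batch of events and return {process path: verdict}."""
    return {ev.process: evaluate(ev)[0] for ev in events}


if __name__ == "__main__":
    sample = [  # constructed events
        Event(r"C:\Program Files\Tablet\handwrite.exe", "global_hook"),
        Event(r"C:\Games\oldgame.exe", "global_hook"),
        Event(r"C:\Temp\csrss.exe", "physical_memory"),
        Event(r"C:\Temp\notes_setup.exe", "driver_install", "notes"),
        Event(r"C:\Temp\av_setup.exe", "service_install", "antivirus"),
    ]
    for ev in sample:
        print(ev.process, ev.action, *evaluate(ev))
```

Note that the only outcomes that avoid a prompt are the ones the baseline already answers; every driver or service install for software you chose to run still comes back as "ask", which is exactly the residual decision the earlier posts argue PG cannot make for you.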
  12. floatingPast

    floatingPast Registered Member

    Joined:
    Aug 17, 2005
    Posts:
    9
    Location:
    on frog house
    in contributing to the union of united malware fighters your soft would be appreciated :D
     
  13. ---

    --- Guest

    You don't play games, do you? Quite a few legacy games require global hooks.
    IMs as well. And ...


    A lot of "Security" programs require access to physical memory.

    Yes, or these are rather good attempts to guess.

    But they are basically that: guesses. If you look at your comments, you are basically saying a certain class of software requires X, a certain class doesn't. The problem is, even if you expect a certain class of software to install drivers and it does, that doesn't mean it's not a trojan. Any security program probably has a good excuse to install drivers, but a lot of them can be rootkits.


    For good reason.


    I've seen that comment made when referring to all classes of users, I personally don't know if it's true. But for experienced users, I would say it is most likely true.


    It's simple when you think about it.

    Drive-by downloads exploit

    1) user ignorance (clicking yes to everything) + user error
    2) holes in software.

    For an experienced user, 1) is unlikely. This is due to better understanding of what the various prompts mean, knowledge of FUD warnings that "your system is unsafe" etc. The only possibility could be a misclick.

    2) is generally a result of unpatched or poorly configured systems, something unlikely for an experienced user. The only possibility here for an experienced user would be to be hit by a rare zero-day exploit. Again unlikely.

    I think the reason why many noobs suddenly find that they get a lot less malware upon switching from IE to Firefox shows that for them drive-by downloads are an important factor. Firefox just makes it harder for that to happen.

    On the other hand, experienced users with well-configured systems don't find Firefox any better security-wise than IE, because drive-bys just aren't a factor for them.

    All this shows that while an experienced user is not 100% invulnerable, he does have a much better chance of avoiding a drive-by than a noob.

    On the other hand, a trojan bundled in software you install yourself does not generally care how carefully you configure or patch your system, or how knowledgeable you are about handling Java/ActiveX/JavaScript prompts.

    Anyone (except perhaps the real gurus) trying to install a software package is in exactly the same boat, whether he is a noob or computer literate.

    The only protection more experience brings to the table is perhaps being smarter at selecting sources that are likely to be safe. For some this merely means downloading from big download sites while avoiding downloads from sites that look like they were made by hackers. This is something that I think doesn't really give you much protection :)

    But given the decision to install a given piece of software, an experienced user has no particular advantage over a noob in avoiding infection.
     
  14. ---

    --- Guest

    I keep my own software private, because I don't want the bad guys to target them. :)
     
  15. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    Correct.

    I think I'm missing your real point though. I am not sure if you are saying that PG is worse than an AV, or that once you've allowed a process to execute the remaining protection from PG is useless, or something else.

    What exactly is this trojan? Let's say I download a new AV to try out (i.e. I'll let it execute and install driver/service/whatever). Is the trojan just bundled with the download, in which case PG may pick it up like this guy did https://www.wilderssecurity.com/showpost.php?p=541726&postcount=1. Or is the AV itself a trojan. It looks and acts like an AV but actually does other nasty stuff, in which case what would pick it up?
     
  16. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    You are correct, they are guesses. In the case of the 'trojanised' AV, PG doesn't help me. In the case of the notes software wanting to install a driver/service, PG increases the probability of me guessing correctly.

    So without PG I'll get hit by all dodgy downloads and with PG I'll get hit by some dodgy downloads. So PG decreases the probability of me getting hit. That's what it's supposed to do. Isn't it?
     
  17. santaclais

    santaclais Guest

    I'm saying PG as it is now, is of limited use.


    I think you should notice that "this guy" is using AE, not PG. He makes the following interesting comment:

    That's interesting behavior; if he really means "unpacking" and not unpacking and executing, PG doesn't care at all what is being unpacked or where.

    Perhaps it is keying off the file being unpacked to the Windows directory, I don't know. I suppose someone could come up with some clever rule to catch suspicious behavior (based on where files are extracted and/or executed), but I doubt any such rule can be even close to conclusive of malicious behavior. Of course, most so-called HIPS programs favoured in this forum don't even try this.

    I did a test a while back, using a file binder to combine 2 files and then running it, with the execution protection of SSM, PG etc. For these products the location where the files are extracted is irrelevant. Besides, in your scenario of a compromised AV proggie, it would be "reasonable" for files to be dropped even in sensitive system areas.

    So if execution protection has any chance, it is for the user to notice a chain of processes starting. People have claimed that they were able to spot suspicious processes starting from the main program, but as far as I can see they were due to the following:

    Obvious process name giveaway: either an excessively random name, or some name with "Ad" in it, or some obvious attempt to mimic the process name of a Windows system file.

    A much cleverer way to disguise these processes, I think, would be to match the name to the type of product being installed: some sort of updater, maybe a cleaner-type name, for example.

    I'm certainly not sure of my ability to really spot these droppers or binders, since I have come across many legitimate installers that start a chain of processes.

    Only an AV with signatures, heuristics (active or passive) :)

    Or perhaps something like Panda TruPrevent or a-squared IDS, though that would be after the fact in a sense.

    That's my point actually.
     
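The post above lists the tells people actually use when eyeballing a process chain from an installer (random-looking name, "Ad" in the name, a name mimicking a Windows system file) and argues that a dropper named like an updater or cleaner slips past all of them. As an added example, not code from the thread or from any of the products discussed, the following scores child process starts with exactly those tells, plus a temp-directory check, over constructed sample events. The system-file list, thresholds and sample paths are assumptions for illustration; the product-matching name in the sample is there to show the gap the poster describes.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Names a dropper might imitate and where the real ones live. Constructed
# for this example, not a complete list.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
SUSPICIOUS_AT = 3  # assumed threshold on the summed score


@dataclass
class ProcStart:
    parent: str  # the installer that spawned the child
    path: str    # full path of the child executable


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-misses such as svch0st.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem: str) -> bool:
    """Crude test for machine-generated names: long, alphanumeric, almost no vowels."""
    if len(stem) < 8 or not re.fullmatch(r"[a-z0-9]+", stem):
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) < 0.2


def score_child(ev: ProcStart) -> Tuple[int, List[str]]:
    """Sum the name-based tells from the post; returns (score, reasons)."""
    path = ev.path.lower()
    directory, _, name = path.rpartition("\\")
    stem = name[:-4] if name.endswith(".exe") else name
    score, reasons = 0, []
    if looks_random(stem):
        score += 2
        reasons.append("random-looking name")
    if stem.startswith("ad"):  # the '"Ad" in the name' tell, deliberately weak
        score += 1
        reasons.append('name starts with "ad"')
    if name in SYSTEM_NAMES:
        if directory not in SYSTEM_DIRS:
            score += 3
            reasons.append(f"system file name {name} outside a system directory")
    else:
        near = sorted(s for s in SYSTEM_NAMES if levenshtein(name, s) <= 2)
        if near:
            score += 3
            reasons.append(f"name mimics {near[0]}")
    if "\\temp\\" in path:
        score += 1
        reasons.append("runs from a temp directory")
    return score, reasons


def triage(events: List[ProcStart]) -> List[str]:
    """Paths of children whose score reaches the threshold."""
    return [ev.path for ev in events if score_child(ev)[0] >= SUSPICIOUS_AT]


# Constructed sample: one installer spawning four children.
SAMPLE = [
    ProcStart("setup.exe", r"C:\Users\bob\AppData\Local\Temp\xk3q9zpw.exe"),  # random + temp
    ProcStart("setup.exe", r"C:\Windows\svch0st.exe"),                        # mimics svchost
    ProcStart("setup.exe", r"C:\Program Files\FooAV\foo_updater.exe"),        # product-matching name
    ProcStart("setup.exe", r"C:\Program Files\FooAV\adcleaner.exe"),          # "ad" alone is weak
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev.path, *score_child(ev))
    print("flagged:", triage(SAMPLE))
```

The two crude droppers are flagged and the updater-named one scores zero, which is the poster's point: a name chosen to match the product defeats every name-based tell, so this kind of rule is a triage aid, not a verdict.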
  18. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    Yes, good point.

    Thanks for the clarification.
     
  19. couldbe

    couldbe Registered Member

    Joined:
    Dec 22, 2003
    Posts:
    34
    oops
    I've been a bit lazy and not read all the posts on this thread....

    If you install NOD32 and have it running before installing further programs, will not the bonded trojan DLLs be detected before you allow the programs to install and PG allows them to run?

    Couldbe
     