Overthrowing idols (ProcessGuard 3.4)

Discussion in 'other anti-malware software' started by thatman, Aug 24, 2006.

Thread Status:
Not open for further replies.
  1. thatman

    thatman Registered Member

    Joined:
    Jun 21, 2006
    Posts:
    15
    Location:
    Russia
    Overthrowing of idols (ProcessGuard 3.4)

    Hi folks, I have recently tested new Process Guard 3.4 (full version), and want share my findings.
    I have no pretend that my results is fully comprehensive as I were estimating only specific aspects of software while others (perhaps no less significant) remained unexplored.
    This examination is more elaborate than my previous, and I hope I'll stick this plan for further testing.
    Soon I'm going publish analogous overviews for some another good known products.

    Here are aspects that I interested by:
    - Process Defense (how processes are secured by this software against various attacks, as process injections, dll injections and so on)
    - Registry Defense (how system is protected from malicious registry injections)
    - Firewall
    - Own Security (how modules of this software are protected from modifications causing switching off whole security)

    Process Defense:
    41 of 54 tests were succesfully passed (76%).
    Some uncovered holes:
    - Create suspended process then patch it in memory and resume
    - Installing key reader
    - WM_CLOSE window messages
    - Installing/controlling drivers/services
    - Windows scripts not handled

    Registry Defense:
    1 of 10 were succesfully passed (10%)
    Only test was passed with AppInit_Dlls registry value, but I know exactly there are abundant of other ways for registry injections.

    Firewall Module:
    Not applicable, 0 of 20 tests were passed.

    Own Security:
    4 of 9 were succesfully passed (44%)
    All components, dll and exe files can be easily removed from disk (interesting thing: if you'll try to move files through explorer.exe, you'll get access denied, but simple MoveFile WinAPI call will do it no problem).
    Driver procguard.sys (as well as pguard.dat - settings file) is better protected, but anyway with additional efforts can be removed.
    BTW after restarting PG did not alert user that driver was not accessible, it just always was in initializing status.
    PG 3.4 protects driver from disabling on registry modifying, unlike PG 3.1.5 where driver could be easily disabled, just by its Start value.
    Also looks like that driver well protected from unauthorized DeviceIoControl calls.
    However WM_CLOSE window messages easily force application to be closed.

    Overall rating:
    Average by all aspects: (76+10+0+44)/4=32.5%
    Average without firewall aspect: (76+10+44)/3=43.3%

    P.S.
    These results are not so good (as many here supposed) but also not so bad :)
    Be waiting for next "Overthrowing of idols" posts (hope this series will compel good attention), my nearest aims are new Outpost 4.0 (with new anti-leak and others modules) and SSM 2.2.

    Do not hesitate to place your comments/questions here. I'll appreciate such things.
    Thank you.
     
    Last edited: Aug 25, 2006
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    very interesting results, could u post more info about what these tests are tho?

    it would also be interesting if u tested prevx1, cyberhawk, and ghost security suite.
     
  3. thatman

    thatman Registered Member

    Joined:
    Jun 21, 2006
    Posts:
    15
    Location:
    Russia
    Thanks,
    I used well known tests as awft, apm, apt, bang, breakout, copycat, cpil, delsrv, dfk simulator, gswdemo, sdtrestore, drvloader, firehole, pcaudit, physmem, regtest, thermite, jumper, scoundrelsimulator.
    And also some own simple utilities.

     
    Last edited: Aug 24, 2006
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you thatman.
    We need more people to openly and actively challenge the popular defenses people depend on (often blindly).

    Very detailed examples of working vulnerabilities on PG would not be a good idea to post in public. Better might be to post a summary as you did and then PM or email Wayne or Gavin the details of the PG vulnerabilities. Please send them the details of your findings.
    This way every PG user will benefit from your tests by making our security better.
    If after some reasonable time these faults (if proven) are not addressed by DiamondCS in any way, then the problem is with DiamondCS.

    The mods will probably move this thread to the PG forum.

    Looking forward to your future tests!
     
  5. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Might it be better to calculate the final rating using:

    100 x (number of tests passed)/(total number of tests)

    Using your method, an application that passes fewer tests, could gain a higher rating than, an application that passes a greater number of tests.
     
  6. thatman

    thatman Registered Member

    Joined:
    Jun 21, 2006
    Posts:
    15
    Location:
    Russia
    Thanks,
    I just wanted to compare various HIPS at nowadays :)
    In these tests practically no any new ideas - and my short descriptions are pretty enough to recognize ways to improve the product.
    Hope it will really help.

     
  7. thatman

    thatman Registered Member

    Joined:
    Jun 21, 2006
    Posts:
    15
    Location:
    Russia
    It is hard to say which method is better to calculate final rating.
    Injustice in the method you suggest is following: as each aspect is tested against different number of tests, so on simply summarizing all test passed we then significantly decrease magnitude of some aspects in final rating, while I think these aspects must have the same weights there.

     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    HI thatman, realy nice work and effort by u.
    I will be highly curious to see ur testing with SSM and may be Ghost security suite.
    Thanks.
    Plas keep us updated.
     
  9. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Aren't most of of those tests just firewall leaktests?
    How is that relevant for a HIPS program?
    If these are old PG vulnerabilities, can you provide some links or more info that explain each of your tests?
    If DiamondCS already knows all about these old vulnerabilities and has done nothing about them, why not share the details with us so we can learn more?
     
  10. thatman

    thatman Registered Member

    Joined:
    Jun 21, 2006
    Posts:
    15
    Location:
    Russia
    Tests that can not be passed without firewall driver, that needs packet filtering or other specific firewall things - only these tests I include in firewall section testing. These are dnstester, mbtest, yalta, pcflankleaktest, wallbreaker and so on. All others that I mentioned before are strongly refered to process or registry defense.
    Now there is subtle distinction what are firewall leaktests. Most of these "firewall leaktests" use various techniques to inject own code into trusted application with intend to transmit some information - no one pure firewall can caught this, and as we can see all nowadays firewalls are acquiring with specific modules to intercept such activity. And I think that really nice HIPS must include at least firewall, process monitor and registry defense modules. So I was testing exactly these aspects.

    I dont think issues that I pointed are vulnerabilities. I just show that there is remaining enough work to do for DiamondCS. Moreover I dont even know what in DiamondCS think about it.
    I was pretty sure that I already shared details on vulnerabilities :) You can ask specifically which you interested in. I'll try to explain in more detail.
     
  11. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks.
    So you allow the leaktest to execute in PG.
    Is the leaktest in the protection list?
    Was it given any privileges?
    Was PG set to Protect Physical Memory, Block Global Hooks, Block Rootkit/Driver/Service Install, Block Registry DLL Injection, Block Services.exe from installing drivers, password protect PG GUI?
    These leaktests and other tests were able to inject/modify a PG protected process and pass? How?
    Is there a really nice HIPS that fares better on the exact same tests?

    As a paying customer, why not email them your concerns? Especially after all the work you put into the tests. They seem to rarely respond to posts here anymore, but if you email them as a paying customer, they may have some answers. I would be very interested in their reply to your test results.

    Thank you, I will. The details posted are meaningful to programmers and advanced PG users, but to the vast majority of average or intermediate PG Users, they don't mean much because we don't understand the test details. For example, the details of the baseline test platform are not mentioned (asked above). So we have no way to compare your test platform and our own PG setup. Was it version 3.410?

    Please list the 54 tests and results.
    For example APT successfully terminated/modified IE that was protected by PG.

    Was protect Physical Memory on? These little details can make all the difference in the tests and how many people can understand your tests.
    Which keylogger was used? Was it granted privileges in the protection list?

    What program did you use for the WM_CLOSE? What program that was protected with CMH (Close Message Handling) was terminated?

    How was a driver/service installed? Which one?

    PG is not a script protection program, so these tests are not relevant.
    You could use PG to block wscript.exe and cscript.exe execution to prevent windows scripts altogether.

    PG only blocks a few registry areas to prevent installation of drivers/services.
    Did your one passed test install a driver/service?
    PG's main purpose is not registry protection.

    What were the 9 tests?

    What files were moved? Is PG supposed to protect from files being moved?

    How exactly can it be removed if protection is active?

    Do you mean after PG was installed? PG was in Learning Mode?

    Are you saying the PG driver can be disabled with WM_CLOSE? The PG GUI?

    PG is advertised as:
    I certainly don't agree with the easily part.

    There is just not enough info about your tests to know one way or the other.
    Honestly, the title of this thread leads one to question the purpose of the tests, even if they are done with the best intentions.
    Is it to prove PG is not so good as everyone says?
    Is it to test PG impartially against various tests it is likely to face in the wild?
    Is it to compare PG with other HIPS type programs using a standard baseline of tests?

    As a PG customer, I just want PG to be as good as possible.
    If it has problems, I want to know, and more importantly, I want DiamondCS to fix them.

    Thank you for making the tests. I hope you can explain them to us average users. :)
     
  12. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,734
    Location:
    Texas
    Excellent questions Devinco. :thumb:
     
  13. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    I see no reason to get Wayne down here......yet, I am not a big fan of Process guard. I own Process Guard because diamond CS canciled TDS-3.
     
  14. thatman

    thatman Registered Member

    Joined:
    Jun 21, 2006
    Posts:
    15
    Location:
    Russia
    Devinco, really nice questions. Thanks.

    Before testing PG was set to maximum protection level, except Execution Protection was disabled, so I could run new processes. Services.exe was allowed to install services/drivers, and I can explain why I did so. I have
    a legitimate program that on its execution installs driver through services.exe, so I just not wish every time and again get such alerts. Moreover I know exactly there exist another ways to caught e.g. bang.exe installing own
    driver (even through services.exe) so alert will point on bang.exe but not services.exe.
    Password protect PG GUI - what is it ? Think it was disabled. Is this that feature that on closing protected applicationû asking to enter special symbols ? Anyway that feature for me looks some strange, PG sits deeply
    in OS and nevertheless it can't understand without human assistance who or what is closing the program.

    No, none of leaktests were possible to modify protected process - that part of PG is well working.

    Yes, there exist some HIPS that better, but also exist many that worse.

    I have no such aim now. See bellow answer on one of your questions, there I reveal what I want.

    No, it was 3.4.0 version.

    I am already listed most of them in posts above, just some tests e.g. apt has maximum 15 points, awft 10 points.

    it related to awft test 1, protect Physical Memory was on

    Key Log Reader 1.7.1, No any special priveleges were granted

    APT Kill 7 method, IE was terminated, also procguard.exe was terminated.

    for example bang.exe succesfully installed driver and then caused computer to crash

    This is usual situatiuon when cscript.exe and wscript.exe must be allowed to perform some activity for some scripts which is needed to work. So we suppose they are allowed, then any other unauthorized scripts can do malicious things no problem. I think realy nice HIPS must protect from malicious attacks from all sides at least including well known and enough dangerous windows scripts (wsh, vbs ans so on).

    No, PG on the main screen has checkbox Block Registry Dll Injections, but it blocks only attempts to write to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls registry value. For example another one popular registry place for dll injections is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify - which is not protected by PG.

    I checked own PG security by trying to disable its components in different ways: modifying settings, removing its files, drivers, terminating own services/applications, calling procguard.sys functions and so on.

    All files in Program Files Process Guard folder, also system32/procguard.dll, I mean PG didn't protect well own files.
    All sentences followed after Own Security subtitle were related exactly questions what are possible ways to disable or corrupt normal functioning of PG.

    Yes, with enabled protection it can be however removed, it is my own utility, and I not intend give more details yet. Anyway no one HIPS I tested already had protection from this.

    No, I mean after disabling of driver and following restart, there was no any warning that driver not found and protection was disabled.

    PG GUI

    Mainly to compare different HIPS - to know who is the best without any prejudice. The title of the thread used to attract more attention, moreover some well known products really showing poor results with these tests. I hope to destroy old stereotypes, prejudice and myths. Then possibly stimulate developers to advance in directions I pointed.
    When I'll finish testing some more products, about five-six of most worthwhile then I'll make combined report with summary table on each product and each test with most valuable comments collected from wildersecurity forum posts.

    Generally I don't want that DiamondCS or anyone else fix these issues ... :) within the next few months, before I can publish summary report, as I want my report to be actual by that time.

    Thanks for the questions, I really appreciate such discussions. And I hope I gave here some more details you asked. If you have another questions or not agree with some my sentences, I am ready to continue :)
     
  15. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    I think the services.exe issue was brought up in this forum before.
    So far the only solution DiamondCS has come up with is to block services.exe from installing drivers. I seem to recall in the forum someone requesting more granular control over services.exe and rundll32.
    This is one of the annoying things...programs that really don't NEED to install services/drivers like spoolsv.exe, photoshop and many many others end up getting privileges when they work perfectly fine without them. That is why I turn off the anoying balloon alerts. This is also why we really need a master list of all the common programs and components that allows only the privileges that the programs absolutely need. DiamondCS certainly isn't going to do it, so it is up to end users to figure it out on their own. They have a just a rudimentary list with hardly any popular programs.

    It is the Lock feature of the PG GUI that allows you to put a password so no changes can be made through the GUI. It prevents malware from acting like the user to disable PG through the GUI.

    This is the general problem with all HIPS. They are only as effective as the user is knowledgeable. I could find no info on this particular program. I assume it is some type of keylogger? Was it able to perform it's normal keylogging activities (by installing global hooks)? Or does it use some other method that PG does not block?

    This is very interesting. If APT can kill IE while it is protected by PG then it could kill other programs as well.

    Was this through services.exe or some other method?

    It depends on what your definition of HIPS is.
    Who gets to decide what is HIPS and what is not? Is even ProcessGuard a HIPS?
    It behaves like one, but there doesn't seem to be a clear cut answer.
    I agree basically, HIPS should protect from scripts as well.
    It's a whitelist type of program anyway.
    DiamondCS probably didn't want to kill WormGuard.
    The WormGuard product has a lot of issues anyway so I don't think it would be bad to merge PG and WG.

    I see. The PG registry protection setting is supposed to block Registry Dll Injections not block driver/service install.
    It is very good that you found this. DiamondCS should include this reg key in their defense.

    As far as the modifying settings, that can be taken care of by locking the PG GUI. The rest I don't know.

    Interesting. Your utility works even if the PG GUI is locked with a password?
    If you don't want to answer yet, I understand.

    So the PG system tray icon looked blue and the padlock was closed even though the driver was disabled? If so, that is very troubling.

    The PG CMH function always had some problems. At least it is not the driver being removed, only the GUI. If the GUI is removed, that would alert a user to something wrong while they are still protected by the driver. But I would like to see the CMH feature improved.

    Excellent, then I wish you well and look forward to the results of your detailed tests.

    Well then be careful what details you post because you will end up helping malware authors more than the people who need protection. :)

    Thank you for the answers.
    All I ask is that you give the respective authors of the programs a reasonable advanced warning (and vulnerability details) before you publish. At least a two week notice.
     
  16. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    How did you manage to do that?

    On my system (with IE protected from Modification and Termination), APT Kill 7 would not kill IE but APT Kill 8 would.

    When IE was also protected with Secure Message Handling, then APT Kill 8 caused the Human Verification box to appear (as would be expected) and was unable to kill IE.
     
  17. thatman

    thatman Registered Member

    Joined:
    Jun 21, 2006
    Posts:
    15
    Location:
    Russia
    Devinco,
    I was some messed with these all tests and products, I checked PG again, and there is no services.exe issue now. PG 3.4 properly determines who is installing driver/service, but anyway not follows for starts, stops and uninstalls of services.

    About Key Log Reader I didn't look how it works yet, if it installs hooks or other way. But it definitely got all keys pressed and PG didn't alert it.

    It does not matter if PG GUI is locked or not. This "secret" method can move/rename any files (e.g. driver) so after restarting PG will not be functioning.

    Yes, PG tray icon was blue and the padlock was closed, actually I retried this today, and found that after some waiting about 3 minutes - there appeared balloon that PG did not initialized.

    Nuances, nuances :)
     
    Last edited: Aug 28, 2006
  18. thatman

    thatman Registered Member

    Joined:
    Jun 21, 2006
    Posts:
    15
    Location:
    Russia
    I just rechecked, indeed APT Kill 8 is terminating IE, but Kill 7 is terminating procguard.exe. These things are especially strange as APT was developed by DiamondCS :)
    If both protected with Secure Message Handling then unable terminate them -but this setting is not set by default, so inexperienced user will never see this alert. Moreover SMH gives a lot of trouble to every time enter verification text, that makes it useful only for programs that runs forever and never need to be closed manually, but hmm IE is not such :)
     
  19. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    SMH isn't set by default but then again none of the global Protection Options are set by default. If the security options are configured correctly then PG will not allow the termination of the processes mentioned.

    I think it would be more of a concern if APT could kill pgaccount or dcsuserprot but this is not the case. Even without SMH these processes cannot be killed with APT.

    I agree it would be a pain. Then again, I wouldn't use SMH for something like IE. I might use SMH for stopping the termination of important processes like security software. As noted above though, SMH isn't actually required for the protective components of PG.
     
  20. thatman

    thatman Registered Member

    Joined:
    Jun 21, 2006
    Posts:
    15
    Location:
    Russia
    Ok, leave SMH as is, I agree in some cases it can be very useful.
    But fact is that PG is not good protecting programs like IE from closing on WM_CLOSE or SC_CLOSE (WM_SYS_COMMAND), while some others products do it without any Human Verification algotithm.
    Own critical processes you mentioned protected well but again UI is not.
     
  21. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Looking back, I see my logic is flawed. I would never use SMH for IE so my argument about the correct configuration is irrelevant. On my system IE would be terminated. I see your point.
     
  22. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Hmm could you update the list again?

    From my understanding.

    Not surprising to me, claims not withstanding, PG isn't really a good generic antikeylogger.


    These two seem to be solved here in the thread. I agree that SMH is very clumsy.

    As expected, PG doesn't claim protection for these.

    Hmm, I don't see what is so strange. Even a simple pdf file when open will be locked ?? So I don't think that is a specific PG protecion.

    [/QUOTE]

    I'm not too concerned really about tests that PG fail because it doesn't claim to cover them , such as registry protection ,script protection etc.
     
  23. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Well even if you shut down the UI, the system is still protected no?
     
Thread Status:
Not open for further replies.