PC Magazine EndItAll... Gets by ProcessGuard?

Discussion in 'ProcessGuard' started by nameless, Nov 18, 2004.

Thread Status:
Not open for further replies.
  1. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    I had ProcessGuard 3.050 enabled, with a nice list of applications being protected from termination. Enabled learning mode, then started PC Magazine EndItAll 2.0.0.0, expecting PG to throw an alert when EndItAll tried terminating the protected applications.

    But it didn't. Instead, EndItAll just worked as designed, without a problem. And enditall.exe wasn't in PG's list.

    I disabled learning mode, then closed and relaunched EndItAll, to see if it would happen again. It did, but I don't know why.

    When I tried using EndItAll to kill procguard.exe, PG finally blocked it. But the others, it let sail right through.
     
  2. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
Re: PC Magazine EndItAll... DOESN'T get by ProcessGuard!

    nameless,
    You must be a pcmag.com member to download the file:
    Could you email it to me please - wayne at diamondcs.com.au, thanks

    However, I don't believe that this has any chance against PG whatsoever, and it doesn't appear to use any fancy termination tricks at all - just standard ones. From my brief read it seems to close applications by closing their windows, which Secure Message Handling in PG will protect against, assuming you've configured it correctly of course :)

    Another thing that may be allowing it to terminate protected processes is if EndItAll itself is given Terminate privileges, which then allows it to terminate any process.
     
  3. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    You're right that EndItAll doesn't do anything tricky. But I don't have EndItAll in the list at all. I've triple checked.

    So, I wasn't saying that EndItAll outsmarts PG, but rather that somehow, PG isn't noticing what EndItAll is doing in the first place.

Email on its way...
     
  4. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    when you say you enabled learning mode, if that is what you did, it disabled pg's protection..
     
  5. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    That's not quite how it works. Even with learning mode enabled, I'd get an alert when EndItAll was blocked the first time. And after that, PG would automatically add an entry for it, so it would work the next time. I'm saying that I wasn't getting alerts at all.
     
  6. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Three words with these simple closing applications :- Secure Message Handling

    Make sure that is enabled. :)
     
  7. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Email sent.

    The problem is strange: I can use EndItAll to kill some protected applications, but not all. For example, I can terminate UltraEdit (uedit32.exe) or HandyThing (hndythng.exe), but not TDS-3 (tds-3.exe) or the PG GUI (procguard.exe). But all of those executables (uedit32.exe, hndythng.exe, tds-3.exe, and procguard) are listed in PG, and all are set to be protected from "Termination + Modification". And again, enditall.exe is not listed in my PG list at all.
     
  8. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
I tried EndItAll. With Secure Message Handling I first get a prompt; I cancel that, then EndItAll is blocked from modifying the program in question.
     
  9. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    I don't understand the point to SMH. If I enable it for an application, then try closing that application, I get the SMH dialog. But then, even if I click cancel, the application closes.

    I can see the reason for an alert dialog, but why SMH? If an application was going to take another down, couldn't it also click Cancel on the SMH dialog, too? (Or, if the SMH dialog is protected somehow, why not just an OK button?) I must be missing something in my incredibly sleep-deprived state.
     
  10. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Well almost nameless :) , clicking CANCEL should not still close the application down. You might need to teach ProcessGuard to learn whatever method you used to close the program in question down (like pressing a button or clicking on a menu item, read the helpfile for more info on this) so that when you click CANCEL it does actually cancel the termination.

    ProcessGuard only handles "default" messages when you just tick Secure Message Handling which will work for a lot of applications, however some applications need some tweaking to get to be properly secured.
     
  11. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Yep, done that. I've really only tried with Look 'n' Stop, but that sucker exits no matter what, if the SMH dialog comes up. I haven't played with it since PG 3.000 though.

    Thank you.
     
  12. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
Sure, but shouldn't PG block EndItAll in any case where a protected application was being terminated?
     
  13. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Well it can, with SMH on you are protecting applications from "Message Termination". ProcessGuard's main role is to protect applications from process based attacks, however we saw the need for adding Message based protection too, which is what SMH handles.
     
  14. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    when i have pg in learning mode, i don't get any messages/notices/prompts/balloons/warnings.. pg just allows everything that is executed while in learning mode and creates rules to always allow everything that is executed while in learning mode..

    if, for some reason, you put pg in learning mode before testing it with "enditall", that is the reason that pg did not appear to protect you..

    when you have pg in learning mode as opposed to not being in learning mode, the "system status" window in pg, on the "main" tab, will tell you that your system is then vulnerable to attack..
     
    Last edited: Nov 19, 2004
  15. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Here is how PG learning mode works on my system:

    1. I launch an application which is new to PG. The application tries to do something which PG is configured to intercept (such as global hook creation).

    2. PG blocks the behavior, issues an alert, and creates the appropriate entry in the protection list.

    3. I have to close and relaunch the application from step (1) in order to get it to work. This time, since PG has added an entry allowing the behavior, it works fine.

    The PG help file (very succinctly) agrees with what I described above:
    If learning mode worked as you say, they wouldn't even mention the possibility of alerts while learning mode was enabled.
     
  16. bch

    bch Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    122
    Location:
    Rochdale, UK
    nameless.

This is purely a novice thought as I've only had PG for one day. Is EndItAll effectively working through Task Manager? i.e. you can configure EndItAll to shut down a number of processes, rather than clicking on "end process" for each item in Task Manager. If you have given Task Manager termination privileges over your protected applications, then EndItAll could be using those privileges.

    If all EnditAll actually does is to tell Task Manager to close a number of programmes, one after the other then, if you removed the termination privilege from Task Manager itself, EndItAll would not be able to terminate your protected programmes.

When I set up PG yesterday, I gave TM termination privileges. When I read your initial post last night, I immediately removed those privileges.
     
  17. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    No. Something strange is going on, but that's not it. I don't use Task Manager at all, and it isn't in my PG list, either. EndItAll works on its own.

    Even if EndItAll did work through some other process, it would leave the question as to why some protected applications were successfully terminated, while others were blocked from termination (as I described above).
     
  18. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Agreed. This is exactly what happens on my system.

I believe that if an app tries to terminate something while PG is in learning mode, PG will then give that app Termination privileges, which will work immediately (i.e. the app does not need to be restarted before they work). However, when an app tries to install a Global Hook, PG will give that app Install Global Hook privileges, but they only work after the app has been restarted.

    This would explain why enditall.exe worked, without PG protecting the apps (apart from itself which has in-built protection).

    By this time, enditall.exe had already been given termination priveleges, which is why it worked.

    PG has in-built protection against termination, which is why EndItAll could not terminate it.


    This leaves the problem of why PG has not added enditall.exe to the Protection List. This is the actual problem, I believe.
     
  19. DRI

    DRI Guest

I thought the SMH issue was supposed to be fixed in the final version. If one clicks on Cancel twice or three times, the application and the pop-up disappear... That was something that was promised by the whole team here!

    DRI
     
  20. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Again, no. EndItAll works even if it is not added to my PG list. And the PG GUI isn't the only application that EndItAll can't terminate.

    I can't say it any more directly: EndItAll is able to terminate some (but not all) protected applications on my system, with or without learning mode enabled, and even when EndItAll does not itself appear in PG.
     
  21. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    The answer is not that PG is simply failing to add EndItAll.exe to the list. If it didn't do so, then EndItAll wouldn't have terminate privs at all (but it does). And if it did do so, then EndItAll would have terminate privs, and would be able to terminate whatever protected application I told it to (but it can't).

    (Editing so people don't get yet another email notification):

    The only thing I can think of is that maybe my PG data file got corrupted somehow? I can start clean and retest, but I have about a billion other balls in the air right now.
     
    Last edited: Nov 19, 2004
  22. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    My point was that even though it doesn't appear in the list, PG still thinks it has and so will allow it to terminate protected apps. If this is a bug, then the fact that it is not in the list does not mean it won't be able to terminate apps.

    Just a thought.
     
  23. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    But if it was in the list and not appearing, I'd expect it to be able to terminate all protected apps--which it can't.
     
  24. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    it is confusing, to me.. :) i downloaded and installed "enditall-2"
    http://www.docsdownloads.com/Tier1/enditall.htm
i seemed to have mixed results.. i tested with "cavtray.exe" and "notepad.exe".. "SMH" did stop enditall from shutting down/killing the processes.. without "SMH", using enditall, sometimes the processes would be shut down, and sometimes they wouldn't be shut down..

    reading in enditall's help file about how it works, it sounds like that is what "SMH" is intended to stop.. now i have enabled "SMH" (as best as i know how to do) on my security apps (persfw.exe, boclean.exe, regprot.exe, cavtray.exe, cavrid.exe, vetmsg.exe)..
     
  25. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    So basically, you've reproduced the issue, then: EndItAll (and, presumably, other executables designed to terminate other processes) can sometimes bypass PG's core termination protection.

    If SMH can work around the problem, that's great, but nothing is supposed to be able to terminate those protected apps in the first place.
     