PC Magazine EndItAll... Gets by ProcessGuard?

Discussion in 'ProcessGuard' started by nameless, Nov 18, 2004.

Thread Status:
Not open for further replies.
  1. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    Being a security application, maybe the SMH option should be enabled by default. In particular with apps that have termination protection.

    I know people should read the manual all the way through, but the fact is that most people don't (apart from the feature they're looking up at that time). With this in mind, most users will not be protected from this kind of attack by default, even though they might think PG is protecting them.

    Maybe this is one for the Wishlist thread...
     
  2. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    This isn't wish-list fodder if it points to a problem in PG, which it does seem to.

    To wit: Even enabling SMH for certain applications doesn't prevent EndItAll from closing or terminating them. I can close Ad Muncher with EndItAll, even with SMH enabled for it.

    Besides, SMH handles messages. Terminating is different. EndItAll isn't just a "simple closing application"; it can send close messages and directly terminate.
     
  3. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    I agree there does seem to be a problem with PG. However, having SMH enabled by default is not simply wishlist fodder in my eyes, although obviously it is not as important as the problem you have uncovered.

    Not if it's a termination message!
     
  4. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    What? It's not sending a message. It uses the TerminateProcess API as a last resort (or on demand).
     
  5. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    I have no more doubt. I just duplicated it on an entirely different system (a 100% clean install of WinXP SP-2). The steps:

    1. Install ProcessGuard 3.050 and reboot. Enter registration code to enable multiple program handling.

    2. Install Ad Muncher (just to enable testing on at least one third-party program).

    3. Run notepad.exe, calc.exe, and admunch.exe, and ensure that they get added to the PG list, with termination protection for each. (Procguard.exe should already be in the list.)

    4. Disable learning mode and execution protection (or, keep execution protection enabled--it doesn't matter).

    5. Install EndItAll 2.0.0.0, but at no point allow it to be added to the PG protection list (so as not to grant termination privileges).

    6. Use EndItAll to close (WM_CLOSE) notepad.exe, calc.exe, admunch.exe, and procguard.exe. It works on each.

    7. Use EndItAll to kill (TerminateProcess) notepad.exe, calc.exe, admunch.exe, and procguard.exe. It works on each.

    8. Enable SMH on notepad.exe, calc.exe, admunch.exe, and procguard.exe.

    9. Repeat steps 6 and 7. PG successfully blocks the closing and termination this time--except, strangely, for the first time a close is attempted on procguard.exe. (The first time I tried a close on procguard.exe, with SMH in place, it worked. The second and subsequent times, it did not. And this is without additional manual "training".)

    Edit: I tried steps 6 and 7 with my command line process killer of choice. PG stopped it in all cases.
     
Last edited: Nov 19, 2004
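Editor's note (added example, not code from the thread or from EndItAll): the two techniques nameless separates in steps 6 and 7 above, a WM_CLOSE to the target's main window versus a direct TerminateProcess, can be reproduced in a few lines so that the result is a per-process report rather than an impression. The script below is written for this page; it assumes a PowerShell-capable Windows host (PowerShell did not exist when this thread was written) and that it is run as a program the process protector does not trust. `Process.Kill()` is `TerminateProcess` underneath, and the close path uses a raw `PostMessage` so that it looks exactly like a user clicking the window's X button.

```powershell
# Reproduce a task killer's two methods against a named process and report
# which one the process survived. Added example; not EndItAll's own code.
# Assumptions: Windows with PowerShell 2.0+ and .NET; run it from a process
# that the protector has NOT granted termination privileges.

param(
    [Parameter(Mandatory = $true)][string]$ProcessName,  # e.g. notepad
    [int]$WaitMs = 3000                                   # how long to wait for exit
)

# PostMessage via P/Invoke: a bare WM_CLOSE to the main window, indistinguishable
# from the user closing the window ("user imitation" in the PG help file).
Add-Type -Namespace Win32 -Name User32 -MemberDefinition @"
[DllImport("user32.dll", SetLastError = true)]
public static extern bool PostMessage(IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam);
"@
$WM_CLOSE = 0x0010

function Test-CloseMessage {
    param([System.Diagnostics.Process]$Proc)
    if ($Proc.MainWindowHandle -eq [IntPtr]::Zero) {
        return "no main window, WM_CLOSE not applicable"
    }
    [void][Win32.User32]::PostMessage($Proc.MainWindowHandle, $WM_CLOSE,
                                       [IntPtr]::Zero, [IntPtr]::Zero)
    if ($Proc.WaitForExit($WaitMs)) { return "closed (target honoured WM_CLOSE)" }
    return "survived WM_CLOSE (ignored it, asked for confirmation, or messages are filtered)"
}

function Test-Terminate {
    param([System.Diagnostics.Process]$Proc)
    try {
        $Proc.Kill()   # OpenProcess(PROCESS_TERMINATE) + TerminateProcess, no message
        if ($Proc.WaitForExit($WaitMs)) { return "killed (TerminateProcess succeeded)" }
        return "TerminateProcess returned but the process is still running"
    } catch {
        # A protector that hooks termination typically surfaces as "Access is denied"
        return "TerminateProcess blocked: $($_.Exception.GetBaseException().Message)"
    }
}

$targets = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $targets) { Write-Error "No running process named $ProcessName"; exit 1 }

foreach ($p in $targets) {
    Write-Host ("[{0}] PID {1}" -f $p.ProcessName, $p.Id)
    Write-Host ("  close : " + (Test-CloseMessage $p))
    # Re-query by PID: if the close worked, the old object is already dead.
    $alive = Get-Process -Id $p.Id -ErrorAction SilentlyContinue
    if ($alive) { Write-Host ("  kill  : " + (Test-Terminate $alive)) }
    else        { Write-Host "  kill  : skipped, process already gone" }
}
```

Usage: `.\killtest.ps1 -ProcessName notepad` with Notepad running, once without SMH and once with it. Two points from later in this thread matter for a fair test: a protector's message filtering may only apply after the target has been restarted, so restart the target between runs, and a window-less process can only be reached by the second method, which is why results differ by application type.
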
  6. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    I was simply replying to what you said...

    Termination *can* use messages, and so is not different per-se! I wasn't speaking about what happens as a last resort. Anyway, maybe we're speaking at cross purposes but this is irrelevant...

    What's important is that you seem to have found a fatal flaw in PG...

    As you mentioned, you didn't have SMH enabled when you performed this step the first time and so PG performed as expected.

    This is where my previous "fodder" post would come into play. I was going to go even further in the "wish-list fodder" post and say that basic SMH protection should be "built-in" and included as standard with the Termination Protection option, but I thought this might conflict with some other programs. I would personally prefer it if the Termination protection was beefed up in this way, and included by default.

    PS. While I may have wound you up in this and other posts in this thread (I love a good bit o' banter :D ), I'm glad you went to the trouble of verifying the problem, as documented in your last post.

    Here's hoping we get a response (and more importantly, a fix) on this matter. I like DCS products, but this kind of problem doesn't inspire confidence!

    :D
     
  7. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    582
    Location:
    South Carolina, USA
    i think the problem might be due to switching back and forth between learning mode on and learning mode off without rebooting..
     
  8. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    It appears to me that EndItAll 2.0 employs "User Imitation" attacks (see the PG3 help file) when using the "Close program" option. I was able to block these attacks by either using SMH, or working with the target apps' built-in password protection, shutdown-confirmation dialogue, or even enabling the "minimize to tray on close" option.

    When you select "Kill program", it attempts to somehow modify the target process. These attacks are automatically blocked by PG (see below). EndItAll was unable to "kill" either Outpost Pro or BOClean on my systems. The source is included with my copy of EndItAll, if anyone can make use of it.

    Nick
     

  9. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    Well, what can I say? Those attacks aren't automatically blocked by PG on my systems. But I'm confident that the issue will be addressed soon.
     
  10. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    582
    Location:
    South Carolina, USA
    i am not inclined to do a lot of testing with "enditall", but, for what it is worth, it seems to me that pg (with no "smh" being used) will prevent enditall from shutting down some apps while not preventing others from being "killed" by enditall..

    if i try to kill cavtray.exe, pg protects it (if i disable protection in pg, then enditall will kill cavtray.exe), but if i try to kill "notepad" or "calculator", enditall will kill those.. maybe it has something to do with the types of apps..
     
  11. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    I tried it on my system and do not use SMH on any apps. I got mixed results also.

    I tried to close and kill everything. I was able to kill some desktop/GUI applets I protected with PG3, like my desktop clock, calendar, todo, GUI applets like YzShadow, YzDock and YzToolbar.

    But the only thing detrimental it was able to close was the GUI task tray app of PG3, leaving the actual protection services unclosable. It was also unable to close or kill my firewall, adwatch, or antivirus app.

    So at least I find that very reassuring.
     
  12. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi rickontheweb,

    Do you have SMH enabled for procguard.exe? I think it is off by default.

    Nick
     
  13. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    No, I don't have SMH on on anything, including procguard.exe.
     
  14. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    I can't see where the problem is here. If I try and use the Close function of EndItAll on a protected program that has SMH enabled, it can't be closed. And if I try to use the Kill option in EndItAll on a protected program it also can't be closed.

    In order to block the Close function in EndItAll, SMH must be enabled on the process you are testing against in ProcessGuard. All that the Close function is doing is sending a "close message" to the target program.

    I have tried it on notepad.exe, calc.exe, ad-aware.exe, spybotsd.exe, proxomitron.exe, portexplorer.exe and a few others. ProcessGuard blocks EndItAll trying to close/kill each of them every time :).


    Regards,
    Jade.
     
  15. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    Who cares about SMH? And it has nothing to do with what type of application it is. I was able to kill the Windows Security Center service (wscntfy.exe), with no problem.
     
  16. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    On my two systems, and apparently on those of some other users, EndItAll can kill "protected" applications, without a problem.

    But you can't see the problem?

    Problem on my systems +
    No problem on your system =
    ---------------------------------
    No problem exists

    I get it now.

    "My house is on fire!"

    "Mine isn't. I can't see a problem."
     
  17. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    Did you go to Oxford or Cambridge by any chance?! :D

    Even if you kill procguard.exe, PG is still active (ie. you still receive PG alerts/confirmations).

    Who cares who can see the problem... I'd call the fire brigade!
     
  18. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    "here" being on my comp. Was NOT saying that the problem doesn't exist on other peoples systems nameless.

    Anyway....could you try adding WordPad to the protection list and then enabling SMH for it. Does EndItAll still close/kill it?

    Regards,
    Jade.
     
  19. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    I think what SMH prevents is not really termination so much as a program being too easily duped. Windows' WM_CLOSE messages just signal to a single window that it is about to be closed. If it happens to be the main window of the program, then the program may close too. It takes some extra effort, but if a program wants to confirm the user's intent before closing, it can do so.

    Microsoft ordained that programs are allowed to cooperate by sending each other messages, even WM_CLOSE. If PG gets too aggressive in trying to rewrite Microsoft's design, lots of bad things could happen.
     
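Editor's note (added example, not from the thread): the "confirm the user's intent before closing" defence earth1 describes is a handful of lines in any windowing toolkit. The form below is written for this page and assumes a Windows host with PowerShell and .NET's System.Windows.Forms. Its closing handler runs for every WM_CLOSE the window receives, whether from the X button, Alt+F4 or a task killer's PostMessage, and cancels the close unless the user agrees. It does nothing against TerminateProcess, which never delivers a message to the target; that is exactly the line the thread draws between a "close" and a "kill".

```powershell
# A window that refuses a bare WM_CLOSE unless the user confirms it.
# Added example; assumes .NET Framework with System.Windows.Forms (XP with
# .NET 2.0 or later). Stops user-imitation closes, not TerminateProcess.
Add-Type -AssemblyName System.Windows.Forms

$form = New-Object System.Windows.Forms.Form
$form.Text = "close-confirm demo (PID $PID)"
$form.Width = 360
$form.Height = 120

# FormClosing fires for WM_CLOSE regardless of who posted it. A user, Alt+F4
# or a task killer's PostMessage all arrive as CloseReason.UserClosing;
# a real shutdown arrives as WindowsShutDown and is let through untouched.
$form.Add_FormClosing({
    param($sender, $e)
    if ($e.CloseReason -eq [System.Windows.Forms.CloseReason]::UserClosing) {
        $answer = [System.Windows.Forms.MessageBox]::Show(
            "This window received WM_CLOSE. Really exit?", "Confirm close",
            [System.Windows.Forms.MessageBoxButtons]::YesNo,
            [System.Windows.Forms.MessageBoxIcon]::Warning)
        if ($answer -ne [System.Windows.Forms.DialogResult]::Yes) {
            $e.Cancel = $true   # swallow the close; the process keeps running
        }
    }
})

[void]$form.ShowDialog()
```

With this running, a close message from another process produces the prompt instead of a silent exit, which matches what nick s reports for applications with a shutdown-confirmation dialogue. Kill it with TerminateProcess and no prompt appears, because no code in the target runs.
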
  20. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Sorry, didn't see page two ... catching up now.
     
  21. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Hi nameless,

    From the point where I tried running EndItAll in learning mode, my system started getting flakier. It kept acting strangely until I did this:
    1) Manually add EndItAll to the Protected List.
    2) Remove EndItAll from the Protected List.
    3) Reboot

    I know this doesn't address all your issues, especially around the second installation. I'm just wondering if this also seems to work on your system.
     
  22. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Jason (or anyone),

    Can you reproduce this oddity:
    1) Manually add EndItAll to the Protected List.
    2) Remove EndItAll from the Protected List.
    3) Start Enditall, select procguard.exe, right click, Kill program.

    It successfully kills procguard.exe on my system. A reboot after removal from the Protected List seems to get things back to normal.
     
  23. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Well I simply added SMH to procguard.exe since that is the only thing essential this program seems to be able to close. Of course I think we are all forgetting one aspect of PG3's protection, that is that we do not have to allow Enditall to execute at all or can even block it with a deny always. We always have to option of blocking a hostile executable from launching in the first place. Protection is always a multilayered thing, no single aspect of any security app is perfect.

    But besides that I was a little surprised how easily enditall closed little applets I thought were protected, but since it couldn't touch all my essential security apps running, I'm not going to worry much. I don't want to put SMH on everything since it makes shut down or restart messy; sometimes it prompts with SMH before shutting down and waits, other times the SMH flashes and then disappears as the machine reboots.

    One thing I did notice that seems to be related to what earth1 is asking to reproduce is that if I have SMH preset on procguard.exe and then go in and set another app like my firewall to use SMH also, go back in and turn it off on the firewall, PG3 seems to get confused and procguard.exe will close without SMH until reboot. Of course after a reboot it seems to protect itself correctly with SMH. Seems enabling and disabling SMH on various apps has some sort of cascade effect on other SMH enabled processes until a reboot and no SMH changes occur. Maybe we should consider rebooting or at least restarting PG3 after setting changes occur.
     
  24. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    You might be noticing "odd" things with SMH enabled on an application because you need to restart the application in question before SMH can be enabled on it properly. Which is why SMH didn't protect the applications in question the first time nameless tried to terminate them, but did on attempts after they reloaded. SMH will work correctly once it is enabled for that application and that application is restarted. Likewise, removing SMH from an application will only take effect once the application is closed and restarted.

    ProcessGuard by "default" will not protect a program WITH visible or hidden windows from all termination methods. With SMH on it will (in some cases some training may be required for ALL message termination methods, though the default will work in most cases).

    I can't tell you why EndItAll is not terminating applications with "windows" WITHOUT SMH in all cases; it should be able to "terminate" them every time. These message based attacks aren't really termination, they are just user imitation attacks; the application does close gracefully.

    Finally the way ProcessGuard handles SMH is pretty much the only secure way of doing it. ProcessGuard is the only program available which protects you from these message based attacks, and the option is there for you to enable if you want to be protected from it. Just remember Windows messaging is fundamentally flawed from a security perspective and there will never be a "don't ask questions" way of securing it by "default".
     
  25. chvid

    chvid Guest

    I have the same problem...EndItAll is not in the Protection List. It is in my Security list. And it can terminate only some of my programs, all of which are "Protected from Termination+Modification". Thus I conclude that it does not work 100% as advertised.
     