PG 3.4x does not protect against APT kill processes

Discussion in 'ProcessGuard' started by djg05, Sep 27, 2006.

Thread Status:
Not open for further replies.
  1. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    I have been trying to protect Kerio 2.1.5 with PG and found with ver 3.4 and the latest that Kill 3 or 4 in APT will shut Kerio down. This was protecting Kerio by ticking the boxes "Termination" & "Modification". I tried ver 3.1.4.0 and it was successful in stopping the closure.

    Has anyone else found this?
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    You need to enable the SMH (Secure Message Handling) option on the process in PG's Protection tab to counter APT methods 3 and 4.
     
  3. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    Thanks Paranoid

    Never sure when this should be enabled, obviously this is a case in point and it does prevent the exploit.
     
  4. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    What about reading?

    Did you enable reading protection for all programs listed in PG? I'm surprised that APT could kill your firewall. APT by right should not be able to 'see' any processes on your computer at all IF you have reading protection on for all programs in PG. You don't even need SMH when you've got reading protection enabled, because APT can't read the running programs on your computer!

    It's NOT PG failing to protect against APT, it's because you did not configure it correctly! With "reading" protection enabled APT CANNOT touch any process on your computer!
     
  5. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I think she failed to notice the 'reading' protection feature in PG and did not enable it, thus APT could meddle with her firewall. ;) Maybe pictures will explain this situation further.
     
  6. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    APT says 37 processes, but nothing is shown!
     

  7. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Do you get this in your PG logfile? Hope my explanation reveals the answer to this thread...
     

  8. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    That is true, but it does not stop the process being killed.

    Untick the reading, run APT and the process is displayed. Re-enable Reading, and APT can still kill the process. So if APT had a command line I assume that Kerio could still be targeted.

    As I understand it, the reading only makes it invisible not protected. Kerio is still listed in Windows Task Manager.
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Indeed, if you were using an earlier version of APT, you could have terminated the process by specifying its ID manually (v4 dropped this feature).
     