PG 3 failed Advanced Process termination?

Discussion in 'ProcessGuard' started by Atomas31, Sep 20, 2004.

Thread Status:
Not open for further replies.
  1. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Hi,

    Just to check how safe my security software was from being killed by a virus, I tried the Advanced Process Termination and, to my surprise, for almost all my supposedly protected programs I was able to kill them with at least one of the nine ways to kill a program o_O Is this normal? What is the problem, since my PG 3 indicated that my system is secured? Is the Advanced Process Termination, with its nine ways to kill a program, too strong for PG 3?

    Thanks for your solution,
    Atomas31
     
  2. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I just tried APT also because I saw this post and I wanted to make sure PG v3 actually blocked all the termination attacks. In my case PG v3 was able to block the attacks but.....

    I found out something interesting while doing this. I was able to suspend the Yahoo process using the suspend button on APT. I was also able to terminate the process using method 7 until I put a check in the box "securely handle window closure".

    I assume method 7 in APT is the one that closes any open windows.

    I also tested suspending the internet explorer open window. I was able to suspend the process without the "securely handle window closure" box checked. So does this mean that any process that has a window must have the "securely handle window closure" box checked in order to prevent freezing the window with the suspend button?

    I look forward to hearing the answers on how PG 3 failed APT for the original poster also.


    Starrob
     
  3. Ocol

    Ocol Guest

    I installed Process Guard V3 Public Beta onto my AMD Windows XP SP2 system and I ran the Process Kill Demo that comes with Process Guard V3. This Demo found and managed to kill my Procguard.exe and Proxomitron.exe processes with no alerts. Both processes had terminate protection enabled and Proxomitron had "securely handle window closure" enabled as well.

    On one occasion, the Process Kill Demo stated that it had been unsuccessful at terminating the processes, and when I went to click on their icons in the taskbar, they disappeared and had in fact been terminated.
     
  4. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Hi Starrob,

    Where did you see the "securely handle window closure" option? o_O

    I don't see that in my PG 3 or in my APT?

    Thanks,
    Atomas31
     
  5. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi all,
    APT's kill methods 7 and 8 use Windows messages to close the target program. Sometimes clever target programs deal with this themselves, sometimes they don't. In these cases Close Message Handling might help. In other cases (far fewer than in PGv2) CMH might lead to some trouble - mostly with getting too many confirmation prompts.

    HTHH,
    Andreas
     
  6. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    In PG, Protection Tab, one of the "Other Options"
     
  7. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Thanks Andreas1 :)

    I'm checking that box for all my applications, if it can make them more protected!


    Atomas31
     
  8. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    It will probably add protection. But I would go about this rather carefully. (One at a time and see how it goes. It can quickly get on your nerves, IMHO, that's why I try to restrict it to as few programs as possible. But your mileage may vary.)

    CU,
    Andreas
     
  9. Atomas31

    Atomas31 Registered Member

    Joined:
    Sep 7, 2004
    Posts:
    923
    Location:
    Montreal, Quebec
    Andreas1 wrote: "It will probably add protection. But I would go about this rather carefully. (One at a time and see how it goes. It can quickly get on your nerves, IMHO, that's why I try to restrict it to as few programs as possible. But your mileage may vary.)"

    You are right Andreas1. That's why, just like you, I have put this option on only a very few programs ;-)

    Atomas31
     
  10. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    Yeah, the Close Message handling sometimes works and sometimes doesn't. It works with some programs better than others too.


    Starrob
     
  11. linney

    linney Registered Member

    Joined:
    Feb 17, 2002
    Posts:
    174
    Learning Mode can be a bit of a trap. Any program started in this mode ended up in the "Protect" section as well as the "Security" section. In the "Protect" section you really only want programs that you wish to protect, not every program that is started while in the learning mode. Consequently you may find programs like PG-Demo and APM ending up there and being protected and given permissions like "Modify", which may allow them to knock out any protected program and defeat the purpose of any security test of PG. After all, you wouldn't knowingly give any malware this protection or these rights. The moral of this story is to watch what ends up in the "Protect" section during the learning mode.
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    To All,
    Please note that for Securely Handle Window Closure to work properly the process or service must be stopped and restarted so that procguard.dll can be injected into the process.
    Using tools such as Sysinternals' Process Explorer or Faber Toys you can check that the .dll file has been successfully injected.

    I would also add to Andreas's comment that when considering using Close Message Handling, if the program has password protection then use that first, which considerably increases an application's security without having PG's Human Interface Device always popping up. :)

    Thank you. Pilli
     
  13. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Our own freeware APM tool (just 110kb) will also show you all DLLs in a process (and even let you load/unload directly) :)
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks for the reminder about APM Wayne :D
     
  15. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Right now, I am finding that some programs load the procguard DLL but others won't for some reason on my computer. Programs that loaded the DLL were Port Explorer and PREVX.

    My firewall would not load it (I suspect it has its own protection), my antivirus would not load it, TDS3 would not load it, Adaware would not load it, Spybot would not load it.

    I just tried loading the procguard DLL into Adaware using APM with Processguard turned off and it would not load.

    All of this is not too important as I am just playing around to see the capabilities of APM and PG v3. PREVX was the one I really wanted the "close message handling" on. I suspect my antivirus and firewall can take care of itself as they are password protected.

    The one thing I am concerned about is that I am able to suspend and freeze the GUI of all my applications that have windows using the suspend feature in APT. I can even freeze the GUI of my firewall and antivirus. I suspect that the underlying programs of AVs, ATs and FWs are well protected but their window GUI programs are not and can be frozen. On my computer, Process Guard V3 is not stopping this. I never tested this on version 2. I wish I had, but it is too much of a pain to switch back, especially since I like PG v3 better. Is this happening with anyone else?


    Starrob
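    Pilli's note that a process must be restarted before procguard.dll is injected, and Starrob's report above that some programs load the DLL while others don't, can both be checked from a script instead of by eye in Process Explorer. The following is an added PowerShell example, not code from this thread or from DiamondCS; it assumes the injected module is named procguard.dll as Pilli states, and the process names in $Expected are constructed placeholders to replace with your own protection list.

```powershell
# Added example: report, for each process you expect Process Guard to protect,
# whether procguard.dll is currently loaded in it. Run from an elevated prompt.
$ModuleName = 'procguard.dll'                            # name given by Pilli
$Expected   = @('Proxomitron', 'PortExplorer', 'prevx')  # constructed placeholders

function Get-InjectedDllReport {
    param(
        [string]   $Dll               = $ModuleName,
        [string[]] $ExpectedProcesses = $Expected
    )
    foreach ($name in $ExpectedProcesses) {
        $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
        if (-not $procs) {
            [pscustomobject]@{ Process = $name; Pid = $null; DllLoaded = $false; Note = 'not running' }
            continue
        }
        foreach ($p in $procs) {
            $loaded = $false
            $note   = ''
            try {
                # Process.Modules enumerates the DLLs loaded in the process. It throws
                # for processes we are not allowed to open (e.g. a self-protecting
                # AV or firewall), which is reported rather than treated as "not loaded".
                $loaded = [bool]($p.Modules | Where-Object { $_.ModuleName -ieq $Dll })
                if (-not $loaded) { $note = 'restart the process so the DLL can be injected' }
            } catch {
                $note = "cannot enumerate modules: $($_.Exception.Message)"
            }
            [pscustomobject]@{ Process = $p.ProcessName; Pid = $p.Id; DllLoaded = $loaded; Note = $note }
        }
    }
}

Get-InjectedDllReport | Format-Table -AutoSize
```

A process that is running but shows DllLoaded = False was most likely started before its Close Message Handling setting was enabled and needs the restart Pilli describes.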
     
  16. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    On my comp. I've tested this only with one app but there PG prevented the target from being suspended. Can you specify what OS you are running and what settings (general options and security options for the resp. target/"victim" program) you have (I'm on W2k.) ?

    Andreas
     
  17. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    XP sp1
    Adaware
    Protect application from termination, modification
    authorized to modify, read protected applications
    securely handle windows closure

    Starrob
     
  18. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    I suppose you don't have APT listed with modify privileges, have you :blink: :rolleyes: ?
    Then I'm afraid it's up to someone else to shed light on this one.

    Thanks for the details, nonetheless
    Andreas
     
  19. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    Yes, I did. In the learn mode, APT was given modify privileges. I guess I missed that one. Everything is working perfectly now. It works better than v2 on my computer.



    Starrob
     
  20. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Whoops... I spoke too soon. I am able to get the Close Message Handling to work better, but I am still able to freeze programs' interfaces using the suspend feature in APT.

    I might email in to find out if I am doing something wrong.



    Starrob
     
  21. Frieza

    Frieza Guest

    I have Proxomitron added to my Process Guard V3 protection list with Termination and Modification protection.

    Advanced Process Termination has not been added to the protection list and has no privileges.

    Worryingly, I am able to suspend Proxomitron as well as other protected processes with no alert from Process Guard. I am even able to suspend the Process Guard GUI (procguard.exe).

    Process Guard V3 prevents all of the other termination attempts so perhaps there is a problem with suspend/resume.
     
  22. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    Same here, all termination halted (except 7 and 8, which require CMH) but can suspend all protected programs.
    Tom
     
  23. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    I guess this is not just a problem with my computer then.




    Starrob
     
  24. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    So, frogfoot and Frieza, are you on XP as well? (Which SP?)
    (Feeling a bit awkward to ask you this, all knowing that I won't be able to learn anything helpful out of your answers, but maybe Jason will...)

    TIA,
    Andreas
     
  25. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    XP Pro SP2 here
     