PG's Achilles heel?

Discussion in 'ProcessGuard' started by TopperID, Nov 22, 2004.

Thread Status:
Not open for further replies.
  1. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    This may seem naïve, but I ask it anyway. If you download a program which, unknown to you, has a trojan bundled up with it, when you install the program PG will ask you if you want to permit that installer to run. You will unwittingly answer in the affirmative – so how can PG protect you in these circumstances?

    You are installing what you believe to be a legitimate program and when the cuckoo in the nest (i.e. the trojan) tries to run it will have a plausible name related to the genuine program and you will be none the wiser and will give it permission. In that way PG will be circumvented – or so it seems to me.

    How can PG protect you in these situations? It always seems to me that the big Achilles (was he Greek or Trojan!!!) heel of PG is human error – how do we minimize this?
     
  2. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    It's not naive; it's a good point. I have raised it myself (not necessarily in this forum), and always get blown off. The PG help manual itself recommends disabling PG during software installation. There you go, the malware is in.

    It's not hard to imagine a rootkit being disguised as some utility that needed to install a driver or service. So you disable PG, install the software, then let it do its thing.

    I think that this isn't a weakness of PG, per se, but rather one of the security model itself.
     
  3. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Well my take on this sort of goes against the PG documentation. I too read the part that recommends disabling PG during software installations. I must admit I was sort of surprised to read this, as this seemed to be defeating the purpose of PG in the first place, or at least opening a rather large door for malware to waltz in.

    What I do is leave PG on, and keep an eye on the alerts tab during installation. If I see that the installer is attempting to do anything suspicious like install a driver or modify an .exe, then I try to do a web search for the name of the driver, etc on various spyware info sites to see if it's related to a known trojan or virus. Then I check the software's documentation to see if there is any mention of a driver being installed, etc. Basically when I have ruled out the possibility that the program is malware, I roll back the botched install, disable PG, and re-install. This may seem like a royal P.I.T.A but I believe it is more secure than simply blindly disabling PG during each and every install.

    Human error will ALWAYS be a factor no matter what so the best you can do is minimize the chance by having a multi-layered defence (i.e, not just PG, but also other helpers like TDS-3, BoClean, NOD32, Kaspersky etc). Ultimately you are never 100% secure but that's probably a good thing. Keeps you on your toes, on the defense, and always learning new things. Blindly assuming that ANY piece of software can keep you totally safe is one of the biggest mistakes you can make, IMHO.

    And I speak from experience: just a few short months ago I thought I was safe just running Ad-Aware, Spybot, and NOD32. Then one day I bought DCS Port Explorer and found that I was infected with a trojan that had been sending god-knows-what to some IRC channel for the last 5 weeks!! I was horrified but that was initially what prompted me to join Wilders and become a "regular" so in the end it was a blessing in disguise.
     
  4. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    But that procedure won't protect you in the case I described, which is that of a true trojan: It presents itself as something that needs to install a driver or service, so you let it--but that driver or service is actually malware.

    I know, I know, there is no such thing as perfect protection.

    But DCS has to word the help file the way they did; a typical user isn't going to be able to go through the procedure outlined above (which can, in fact, be problematic even for experienced users).
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Like LuckMan212, I rarely disable PG to install software. The only exceptions I make are for Windows Update, hardware drivers, and upgrading existing security apps that use drivers and run services. PG is not meant to replace your AV/AT. When I do disable PG, BOClean is still there.

    Nick
     
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Thanks for the feedback, guys. We'll have to look at the wording in the help file then to see what we can do to make it clearer. We hope there hasn't been too much confusion, and we apologize if that is the case.

    But ... for something to be an "Achilles heel" wouldn't it have to be a forced problem? You don't have to disable ProcessGuard at any time - that's completely up to you, it's just recommended for novices to avoid problems. Likewise the settings you use in PG are also completely up to you, so if that were the case then you could also consider turning off settings as an "Achilles heel" :).

    Ideally you should follow a procedure along these lines when wanting to install a program ... First, install the program (with PG running, protection enabled). If there weren't any problems, then that's it - you're free to use the program without having to do anything in PG. However, if for some reason there was a problem, and you're an experienced user, then you should be able to figure out from PG's alerts what PG settings you need to add/modify in order to correct the problem. You can see, though, why it's simply easier for most users, especially novice users, to temporarily disable PG protection, install the program, then re-enable protection; but this is really only recommended for known trusted applications.

    Best regards,
    Wayne
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    If the moderators will forgive a blatant plug for other software here. The issue raised here is very valid. My solution is Raxco's First Defense-ISR. Unless I am doing an update I am 1000% sure of, like for example Quickbooks which I use, and is totally trusted, I will sometimes test an update first in an FD-ISR secondary snapshot. I can install it, test it and do anything I want with it. Once I am certain it is good, I just copy that snapshot to my primary and I am done. On the other hand, if there is a problem I just boot back to my primary snapshot and copy over the bad one. Virtually no time wasted, no uninstall issues, and safety. Just another layer of security.

    Pete
     
  8. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    I heard a rumor that Raxco is currently in the process of a major overhaul of FD-ISR. I plan to give it a try as soon as it's released.
     
  9. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I just don't allow any software to do service/driver installs unless it is from a company that has a established, good reputation and I learn the reason for why the software wants to install a driver.

    Usually, I will only allow security software or new hardware installations to install drivers or services. If I am installing something like a new jpeg viewer or a mp3 player etc and it tries to install a driver I get very suspicious.

    A month or so ago, I downloaded Process Explorer. The developer has a good reputation. The developer is the same one behind SSM which has a great reputation but I have a problem with Process Explorer because it tries to install a driver when I attempted to run it. I blocked it with PG. When the driver for Process Explorer is blocked, I found that most of its functions are still operational. I still don't know the reason for why the driver tries to install.

    DCS makes a tool called APM that does much of the same thing as Process Explorer. APM does not use a driver....so I did not see the purpose of the driver install when I do use Process Explorer. With Process Explorer, I won't let the driver install, and that is coming from a source that is considered "trusted" by me. If you try to install a driver/service on my computer then I must clearly see the reason in the documentation and you must have a sterling reputation.

    Call me paranoid, but I have never had a virus or trojan infection. I only had things like Comet Cursor several years ago, which really pissed me off and made me focus on learning how to keep crap off of my computer.

    I doubt a perfect program will be developed to save someone from their own ignorance. If one wants their computer secure then they have to learn. In my view the amount of malware on your computer is somewhat proportional to the amount of time learning about keeping the computer safe.

    If you put in little time learning then you must depend on blind luck in order not to get infected. If you put the time in to really learn and implement good strategies to keep the computer safe then more likely than not, you will rarely be infected if ever.


    Starrob
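The checks described in this thread (LuckMan212's procedure of leaving PG on and investigating any driver or service an installer tries to add, and Starrob's rule of refusing driver/service installs unless the reason is documented and the publisher is trusted) can be done without relying on memory or on reading the alerts tab at the right moment. The following is an added PowerShell example, not code from the thread, from DiamondCS or from ProcessGuard: it snapshots the installed services and kernel drivers before an install, diffs afterwards, and for each new entry reports the binary path, its Authenticode signature status and signer, and a SHA-256 hash that can be looked up on the malware-information sites mentioned above. All function names are the example's own; it assumes Windows PowerShell 5.1 or later on a machine where CIM queries and Get-AuthenticodeSignature are available.

```powershell
# Added example (not from the thread or from DiamondCS).
# Snapshot services + kernel drivers, diff after an install, inspect what is new.
# Function names are illustrative; assumes Windows PowerShell 5.1 or later.

function Get-ServiceSnapshot {
    # Win32_Service covers user-mode services; Win32_SystemDriver covers
    # kernel drivers registered under HKLM\SYSTEM\CurrentControlSet\Services.
    $services = Get-CimInstance Win32_Service |
        Select-Object @{n='Kind'; e={'Service'}}, Name, PathName, StartMode, State
    $drivers = Get-CimInstance Win32_SystemDriver |
        Select-Object @{n='Kind'; e={'Driver'}}, Name, PathName, StartMode, State
    return @($services) + @($drivers)
}

function Compare-ServiceSnapshot {
    param(
        [Parameter(Mandatory)] $Before,
        [Parameter(Mandatory)] $After
    )
    # Emit every entry of $After whose Kind+Name did not exist in $Before.
    $known = @{}
    foreach ($e in $Before) { $known["$($e.Kind)|$($e.Name)"] = $true }
    foreach ($e in $After) {
        if (-not $known.ContainsKey("$($e.Kind)|$($e.Name)")) { $e }
    }
}

function Get-BinaryPath {
    param([string]$PathName)
    # PathName may be quoted, may carry arguments, or (for drivers) may be a
    # path such as \SystemRoot\System32\drivers\foo.sys or system32\drivers\foo.sys
    # with no drive letter. Normalise it to something Test-Path can use.
    if (-not $PathName) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { $p = $p.Substring(1, $p.IndexOf('"', 1) - 1) }
    else { $p = ($p -split ' ')[0] }
    $p = $p -replace '^\\\?\?\\', ''                    # strip \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot   # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # relative -> under %SystemRoot%
    return $p
}

function Test-NewServiceBinary {
    param([Parameter(Mandatory)] $Entry)
    $path = Get-BinaryPath $Entry.PathName
    $result = [ordered]@{
        Kind      = $Entry.Kind
        Name      = $Entry.Name
        StartMode = $Entry.StartMode
        Path      = $path
    }
    if ($path -and (Test-Path -LiteralPath $path)) {
        # Signature status is Valid / NotSigned / HashMismatch / UnknownError etc.
        # An unsigned or mismatching driver from a "trusted" installer is exactly
        # the cuckoo-in-the-nest case TopperID describes.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $result.Signature = $sig.Status
        $result.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $result.SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    } else {
        # A service pointing at a missing file is itself worth a second look.
        $result.Signature = 'FILE NOT FOUND'
    }
    [pscustomobject]$result
}

# Usage (run as an administrator so the CIM queries see every entry):
#   $before = Get-ServiceSnapshot
#   # ... run the installer with PG protection still enabled ...
#   $after  = Get-ServiceSnapshot
#   Compare-ServiceSnapshot $before $after |
#       ForEach-Object { Test-NewServiceBinary $_ } | Format-List
```

Anything the diff reports that the installed program's documentation does not explain, that is unsigned, or whose signer is not the publisher you downloaded from, is the point at which to roll the install back rather than grant PG's prompt. The snapshot only sees services and drivers that were actually registered; a component PG blocked at the prompt will not appear, which is the intended outcome.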
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    They may be planning an update, but it is pretty darn good the way it is. It has already saved me a couple of times.
     
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I have no problem switching off protection while I install a 'trusted' program. I'm quite happy to allow Process Explorer to install drivers, because I run several Sysinternals progs and have no reason to doubt their integrity.

    Obviously in the case I was envisaging you would not be disabling protection when you install the program. I am thinking of a case where an entirely unknown trojan installs itself while you are attempting to install something else. In that case you could end up letting it through even though PG protection is enabled. Aborting the installation while you Google for info will not help you because the trojan is unknown.

    It is the human element that is the problem here - PG cannot protect you from that and it is a real chink in the armour!
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Well, yes and no. Providing your other layers of defence are up to date, I would imagine the chance is pretty small, but downloading anything that you have not checked before running is taking a chance. As you say, the human is probably the weakest link. :D
    There is always a risk where humans are concerned, and all we can do is try to minimise those risks. That is why organisations spend millions on risk assessments every year, but people still get hurt or killed.

    Cheers. Pilli
     
  13. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    It is just a personal preference for me, but I don't like allowing anything to install a driver unless it is absolutely necessary. It is not necessary to install the Process Explorer driver to get all of the features that I use to work, therefore the driver does not get installed on my computer. I try to keep my driver and system files as low as possible.

    I keep PG protection on always so I am not worried about unknown trojans. With PG in place and driver installs not allowed things like rootkits and dynamic dll trojans are unable to work.

    All other trojans, I would be able to pick up either with the various scanners that I have or I would likely pick it up also with Port Explorer or it would be blocked with my firewall or I would see it trying to make registry entries and I would block those with my registry monitors.

    There are other things I do on my computer that make it extremely difficult for trojans to install without my being able to block it. I worry most about rootkits which are virtually impossible to install with PG active and driver service installs being blocked.

    The weak point in my defenses is getting me to drop my defenses and turning PG off which is why I am reluctant to turn PG off or turn off the blocking driver/service feature.


    Starrob
     