PGS - Pretty Good Security

Discussion in 'other security issues & news' started by Sully, Jun 5, 2009.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    EDIT: Final release version 1 is now available - July 28th
    (time restraint removed)


    http://mrwoojoo.com/PGS/PGS_index.htm

    Anyone who has been here for awhile knows I like SRP. Tlu started it with his awesome information located here
    https://www.wilderssecurity.com/showthread.php?t=200772

    This went beyond what little use I ever had for SRP. I played with it for awhile, but I don't use LUA for the most part. It wasn't until I found out about the 'Basic User' option that SRP really started to catch my interest in a big way.

    Still, I did not really like the interface with secpol or gpedit. I knew of the registry portion of it, and even messed with this a little. It wasn't until Lucy's very fine thread on Vista and SRP that I started really contemplating it's use. That thead is located here
    https://www.wilderssecurity.com/showthread.php?t=232857

    Over the next few months I developed a number of different schemes for utilizing SRP. I still have a few more up my sleeve to pull out at some point, but my job is currently taking what was my 'free' time.

    Anyway, a few months ago I posted that perhaps this whole SRP registry bit needed a GUI. Lucy was on-board and we started collaborating. Soon Zopzop started giving input as well. Not too long after that, I had a rough shell. Those two performed initial testing. Tlu was next to start giving input. Many more versions were compiled and tested. And recently Kees1958 joined the fray with his input as well.

    I have ran the program, called PGS, a thousand times, in as many different scenarios as I can think of. It has changed beyond what I initially set out to create, but for the good.

    I cannot state enough how much I appreciate all of the testers input and experience. The more viewpoints the better I say.

    I used to have a website to house some small programs I shared with some friends. I still have the domain name, so I decided to open a small free website account again and place the beta version there.

    lol, I dislike html, so it is as bare as it gets. Nothing fancy, just text and pictures.

    Any feedback is appreciated.

    Sul.
     
    Last edited by a moderator: Jul 29, 2009
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Sul,

    Congratulations on all the work you and the others put into this!

    When it's out of beta and ready to be released, I want to notify several people who will be interested.

    ----
    rich
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Thanks.

    I think I will put the beta up by Monday at the latest if all goes well.

    I know there will be nuances that need to be corrected, but it is fairly quick to do those things. Final release I don't know, whenever the nuances are sorted.

    Probably one of the greatest features of PGS will be it's ability to manipulate the registry easily for those who have XP Home or lower end Vista versions. Since the process to invoke SRP is built into those OS's, and only the registry values are really required for functionality, this let's those people use SRP without having to muck around with .reg files or try to install Group Policy stuff, while protecting the default rules or providing them if they don't exist.

    Hopefully it will be useful.

    Sul.
     
  4. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Thanks Sul, sounds good - really interested in having a look.
     
  5. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Sounds really good. Looking forward to trying this out.

    Like the page too ( Looks like my 1st attempt at a web page ) :)
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    lol, while not my first attempt it sure does look like it. I discovered a number of years ago that I would rather use a script other than anything to do with the web. Probably should have invested more time, but I prefer applications that don't involve a browser.

    Sul.
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    See first post for update. Beta version is available now.

    Sul.
     
    Last edited: Jun 6, 2009
  8. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    167
    Many thanks :thumb: May I assume that all this can be done without a reboot (as I recall from your previous posts).
    If true, it would make it easy to try out if one uses returnil, for example.
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, no reboot required. Logoff or a restart of shell will do usually. There is a menu item for those with taskkill.exe (running under admin, not user) to restart the shell for you.

    It is interesting that because these values are saved to registry, they often are not immediately effective. So a logoff or shell restart 'reloads' the hive and then they are effective. I have noted, that if lets say you make a new path rule, like block notepad.exe. It is not immediately effective. But also say that you are using the option to 'include dll's', if you use PGS to change this to 'exclude dll's'. Apply the change, then go right back to 'include dll's' and apply the change. Very often, this seems to trigger something, and no reloading of registry hive is needed. Not sure why, as I have not studied it in detail yet, just something I noticed along the way.

    Sul.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Hello Sully,

    Nice to see you developing a tool to make things easier for those users not having other way than hacking registry for SRP.

    I still haven't tried it! But I will! But, meanwhile, I'd like to ask if it would be possible to add exclusions in what comes to logging. (For what I can remember of the screenshots, I haven't see it.)

    I mean, for example, whenever I turn logs on, to check what is possibly being blocked by SRP, it's almost an impossible task to read, for example, *.txt files in usb drives. It simply crawls. Even having the logging disabled, at the registry, doesn't cut it. I have to delete the entries, otherwise the crawl will still be there.

    So, a nice feature would be to allow users to exclude SRP to log to USB drives.

    I don't know if would be something easy to implement, but, well, here you got my first suggestion. ;)


    Thank you
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    That is an interesting idea. I have not seen over at MSDN anything related to effecting what SRP logs. But then I have not looked. If they expose a method it might be possible. I am assuming you are saying that using PGS to set the LogFileName registry value to a filename and not any error logging that PGS does on failed functions. And I assume you know that by removing the LogFileName registry value that a log is not created, although I don't know if that actually turns logging off or just does not write it to a file.

    Sul.
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The free program Mandiant Highlighter may be useful in filtering items from log files.
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have looked quite a bit for anything related to turning off SRP logging. The only thing I can find related is the registry value we are already using (LogFileName). I have not found information of whether SRP actually generates the log data even if it does not write it to a file, nor any information at all on SRP logging in general. So at this point unless I stumble across it somewhere, there is not much to be done other than that registry value.

    BTW, new beta compiled on June 8th, v1102. A few small fixes.

    Sul.
     
  14. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    167
    Can the PGS tool be used to block execution of autorun.inf? Any instructions appreciated. Thanks.
     
  15. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Congrats Sully and crew! This program is great, I've messed around with an earlier beta of it and it didn't mess up my machines or anything. :thumb:
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes and no. Here are 2 threads devoted to just that topic
    https://www.wilderssecurity.com/showthread.php?t=240319
    https://www.wilderssecurity.com/showthread.php?t=240474

    Last time I played with it, SRP can only stop autorun.inf if you Deny the entire drive. I have yet to find a way to get SRP to stop autorun.inf itself while leaving the drive letter open for other executables.

    So you can add a path rule like g:\ and it will stop everything. The easiest way I have found is to create a DIRECTORY on the USB drive called Autorun.inf. If something tries to place a FILE autorun.inf on that drive it will fail because a DIRECTORY of that name already exists. That is, until the script kiddies figure out how to circumvent it.

    Sul.
     
  17. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    167
    Thanks. This should work and, I suppose, be easy to add as a path rule in PGS (as per your instructions).
    I suppose adding path rules for several drive letters (g:\, h:\ etc) should prove a good preventative?

    This is what I have done for my own USB drives,
    but I was more concerned with the scenario of using an unknown flash drive on my PC.
     
  18. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Hey Sully,
    just wanted to congratulate you on your new tool. Will try it out when i can.

    Wait, what's this, no spam filter, no file backup?
     
  19. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    Has your tool been tried on Windows 2000?
     
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @Pedro

    Thanks. I was thinking of a command line option that allows you to have a hotkey to open the coffee cup holder when needed. Would that make it a suite then? :D

    @Paradigm

    Windows 2000 AFAIK has no SAFER functionality. I have not tried as I read at MSDN it started with XP and up.

    Sul.
     
  21. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    Ah, yes, I know. :)
    Just wondered if you've tested your tool with that O/S.
     
  22. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    It would make it a jolly good program :)
     
  23. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @paradigm, I will try it at work and see, on both 2k sp4 and 2kAdvServer.

    @Pedro
    I will make in the next version, any time you press the 'Any' key, the coffee cup holder open :D

    Sul.
     
  24. Warklen

    Warklen Registered Member

    Joined:
    Jan 17, 2009
    Posts:
    107
    Very nice tool indeed...Congrats and thanks
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Thank you.

    Any comments/bugs?

    Sul.
     
Loading...
Thread Status:
Not open for further replies.