PGS - Pretty Good Security

Discussion in 'other security issues & news' started by Sully, Jun 5, 2009.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Interesting. That is why I made the DMR clone, because I wanted temporary programs to start. I like your idea as well, where I can dictate not just a program to start, but full paths.

    I am working on a bit of a project now, and in the middle of installing some egress windows in my basement, so it will not be very soon, but I will see what can be done.

    The only downfall to this is that you have to have PGS running for it to take effect. Perhaps you would be more justified with some small little tool to only do this one thing? Then again, maybe you leave PGS open a lot, so it would make sense to have a tray with some options in it.

    Sul.
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    A separate small icon proggie would also be fine.

    Note that the setup for Vista is much easier than on XP. You only have to specify the DENY directories when you remove the LNK executable type (using UAC, that is).

    So maybe that should be a question in the setup screen?
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sul,

    After having setup SRP on Vista x64 machine, I am playing with the following idea to lower the usage threshold.

    Instead of setting it up in different user experience levels, just provide the basic level for running LUA or Admin; instead add an XP or Vista selection (radio buttons) to it.

    The basic ini-file provides protection of environment variable level for the user space (a simple Deny) and mitigates internet facing and servicing apps (pdf readers, extractors like 7-zip) by name as a basic user. For Vista the IE should not be included.

    Accompany PGS with a simple password protected system tray program which switches off SRP for a to-be-specified time interval.

    Provide more tightly configured ini files on your website for more experienced members, maybe some sort of posting of tips (maybe Wilders could facilitate this with a sticky).

    Cheers Kees
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I just tried the program; thank you Sully and testers :).
     
  5. d_kong

    d_kong Registered Member

    Joined:
    Aug 15, 2009
    Posts:
    1
    I've just tried to use this program, but for some reason it isn't starting. This appears every time I try to start it.

    Any ideas what my problem may be?
     
  6. mark.eleven

    mark.eleven Registered Member

    Joined:
    Oct 27, 2006
    Posts:
    81
    Location:
    Island of Sodor
    I'm trying out PGS on my notebook (running on Vista Home Premium SP2) and it works flawlessly, thanks.

    One noob question:
    Can I set up SRP using PGS on admin account, but creating a default-deny policy with it, then allowing some files or directories to increase usability/convenience?
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yes, see https://www.wilderssecurity.com/showthread.php?t=250748
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Perhaps the next version will have an 'advanced' menu item, that can show all the options that it does not show currently, such as what the default level is and even the default registry values for allowing %windir% and %programfiles% modifications. As long as a novice understands they can lock themselves out, it should not be detrimental?

    Sul.
     
  9. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I like the way that with AE, nothing not already installed can run on my PC.
    If I want to install something, then I switch AE off.

    I like to stay using a Windows Admin account as I install a lot of stuff.

    Is there a way, just using SRP, to mimic how AE works?

    For example if I set my full C drive as a denied path how would that work?

    Would it stop only new programs executing or stop all programs on my C drive?

    Thought it better to ask than to try it out!!
     
  10. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    For perfect SRP set a LUA account, then there is no need to use AE :D

    cheers
     
  11. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    That's a pretty pointless post.
    I already said I want to stay in an Admin A/c !

    :rolleyes:

    Please don't take the thread off topic.
     
  12. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    SRP is Software Restriction Policy, as you know. The options that work readily are
    Allow Unrestricted
    Allow as Basic User
    Deny

    another option, which can work but I have yet to fully grasp is
    Allow Constrained

    PGS does not currently utilize the Constrained, but may in the future depending on further testing.

    So we can see that SRP is pretty strictly a Deny or Allow tool. But we must remember, that SRP can deny from very early on as it is written into the OS, whereas other programs such as AE must wait until a driver (typically) is activated, and then via the driver it can monitor for events to restrict/control.

    If you were to Deny c:\, it would affect c:\windows. Now, if you were in LUA, and the default rule was deny, and it applied to users but NOT admins, you could do this. Because anything that needed to run most likely would.

    However, when you are admin, and expect SRP to affect you, you must also include admin in what SRP does. Therefore, if you were to deny c:\, you would be denying a lot you would need to run to have windows work. At least from my testing it shows this. You basically cannot login.

    There is no harm in trying. If you know how to regedit, and can find the correct registry key for the SAFER values, and know how to reboot into safemode, you can easily delete the safer values in this way and then boot up normally again.

    The problem stems from both the user and admin having execution rights in c:\windows and c:\program files. As either, when you institute a default-deny situation, you cannot easily default-deny these two directories. You can, but then you must create the holes which allow what you desire to execute. This is the whole reason why I made PGS, because to do this in the snap-in is a very slow way. It is also why I made the import/export features, so if you make a rule, you can basically save it. With the snap-in, you must start over again once you delete them.

    So, if you want to take the time to make a list of things to allow or deny, you could do what you suggest, but it will take some trial and error.

    Actually there was a thread by SoftTouch, where he is making a tool called ProcessBlocker, that is a standalone app. I have been alpha testing it. I don't want a HIPS, it is too much. I like SRP a lot. But I still feel I could at times use a HIPS. This program I like a lot. He is a good coder from my viewpoint, and very open to just what this program should do. He has shared with me what his vision is for it, and I have given a lot of ideas that hopefully could make it be usable for those very novice users as well as the advanced. It is no SSM/DW/PG. But that is not what is wanted. I suggest you check it out. His thread is in the 'other software' forum. He is very nice to work with. See if you can alpha test it, and perhaps you can provide some feedback that will be useful. lol, if not you will end up with something I would use. No, not really, but honestly I am super excited about some of the features he and I are cooking up.

    Maybe it should be coined Lite-HIPS.

    Later.

    Sul.
     
  13. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Cheers Sul. Thought that might be the case... will ponder it a bit more...

    Btw did you ever use AE?
    I find it very much what I need apart from 3 "niggles".
    1) That I would prefer to use the built-in OS tools
    2) The time it takes to load after installing a new program.
    3) Takes a keypress and 3 clicks to turn it off, rather than 1 right-click.
     
  14. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,885
    Location:
    U.S.A.
    Sully, here's that Process Blocker thread you mentioned.
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes I trialed that one time. Along with a slew of others. I find most of these types of programs work well, some require more in-depth configurations than others. But that is what I am not seeking any more. I am seeking simplicity. That is why I like SRP. For those that want/need to control the box, there is probably a product available to suit them.

    Myself, I will continue to use SRP in Admin mode, and I have been doing a little more with SBIE lately. But I will wait to see how this new program develops. If it comes out right, then I will use it because it has some unique features that I am excited about, that allow some level of process blocking without me having to set an elaborate configuration. Hopefully my family and friends can also see its benefit.

    But I agree, anytime you have to click many times to disable or otherwise change a major function such as disabling, it is a nuisance. I won't go so far as to say bad programming, because I don't believe that to be the case, maybe though you could say not enough thought into how it will be used and how to make it more convenient.

    Sul.
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, that is the one. Anyone who wants some simplistic form of HIPS like protection may want to keep an eye on this. You hardcore HIPS-sters will probably not have enough options and configs to play with though lol.

    Thanks for that link JRViejo.

    Sul.
     
  17. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,885
    Location:
    U.S.A.
    Sully, you're welcome! Perhaps you want to post your involvement with the program, in that thread, to attract more eyes. ;) Take care.
     
  18. mg678

    mg678 Registered Member

    Joined:
    Dec 21, 2008
    Posts:
    3
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, I see that now. Here is why
    It seems every webhost I use ends up doing that lol. They say by Monday next week the migration should be done.

    Thanks for pointing it out. If you want it in the meantime, PM me your email and I will send it.

    Sul.
     
  20. mg678

    mg678 Registered Member

    Joined:
    Dec 21, 2008
    Posts:
    3
    Thanks Sully. I will pm you if I cannot wait.
     
  21. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Question:

    Does PGS support publisher rules? Cause I think the publisher rules function implemented in AppLocker is pretty good, isn't it?
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    What do you mean by publisher rules? I am not familiar with that term in context to SRP. Is it a set of SRP policies that are imported during install, much like WFW exceptions are made in some games?

    Sul.
     
  23. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    I am not sure if i really understand the protection PGS provides.

    Let me ask some questions:

    PGS denies any file execution except the execution of files which are allowed by the file path. But if malware copies itself to the system directory the executable is able to launch, isn't it?

    Publisher rules will only allow execution of signed files if the certificate is OK.
    http://technet.microsoft.com/en-us/library/ee460943(WS.10).aspx


    Does PGS support dll restriction? Cause it is "easy" to bypass SRP by loading (not injecting) dlls.
     
  24. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Ok, no version of 7 I have tried yet (RC/beta) has AppLocker working correctly, so I don't know yet about this in any part. I do know that it should be possible to create a front end for it instead of using the snap-in MS provides.

    As for PGS, it is only an interface to SRP, and it only creates path rules. Zone rules I have not seen anyone really use, and hash rules, well, you can use them, but they require a little magic in way of a registry value that I am not able to currently create with PGS. Hash rules in SRP can serve a purpose, but I don't know how many really want to manage the hashes. If you have a version of a program and never update it, hash rules would technically be better than path rules.

    Your example of a malware copying something to a system directory assumes that users of SRP will be starting for instance a browser as admin. If you were to use SRP as strictly a default deny, and IE was allowed then yes, IE could maybe write to sysdir. However, most people I believe who are using SRP as an admin are also using the Basic User setting for their browsers, so in this case no, the browser has no create/modify rights to system directories. The malware then would be only capable of writing to custom directories or user profile. This of course does depend on a few things, but mostly it is this way.

    Dll restriction? PGS is only a way to conveniently create SRP rules. If you are applying SRP rules to all files including dlls, I don't really know if it protects it from injection or not. One downfall of SRP IMO is that it does not monitor memory like that. DEP would I suppose. I used to use Cyberhawk with SRP, as it is pretty good against dll injection stuff. So maybe someone with info on that issue would be best to answer.

    Sul.
     
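The two SRP behaviours discussed in Sully's posts above (post 12: a Deny on c:\ that also covers admins locks you out of Windows; post 24: PGS only writes path rules, with the browser dropped to Basic User) can be checked against a rule set before it is applied. The following is an added example written for this thread, not code from PGS or from Sully; it models SRP path-rule precedence (most specific path wins, more restrictive level wins a tie) and the level constants are those SRP stores in the registry, while the environment table is constructed so the script runs offline on any OS.

```python
import re

# SRP security levels as stored under HKLM\...\Safer\CodeIdentifiers (DWORD values).
DISALLOWED, BASIC_USER, UNRESTRICTED = 0, 131072, 262144
LEVEL_NAMES = {DISALLOWED: "Disallowed", BASIC_USER: "Basic User", UNRESTRICTED: "Unrestricted"}

# Constructed environment table (stands in for the real %windir% / %programfiles%).
ENV = {"windir": r"C:\Windows", "programfiles": r"C:\Program Files"}


def normalize(path, env=ENV):
    """Expand %VAR% references and canonicalise for case-insensitive prefix matching."""
    expanded = re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)
    return expanded.replace("/", "\\").lower()


def effective_level(exe, rules, default_level, env=ENV):
    """Level SRP applies to `exe` under path rules given as [(level, pattern), ...].

    Precedence among path rules: the most specific (longest) matching path wins;
    between equally specific conflicting rules the more restrictive (lower) level wins.
    A pattern naming a folder covers everything beneath it.
    """
    target = normalize(exe, env)
    best = None  # (specificity, level)
    for level, pattern in rules:
        pat = normalize(pattern, env)
        if target == pat or target.startswith(pat.rstrip("\\") + "\\"):
            if best is None or len(pat) > best[0] or (len(pat) == best[0] and level < best[1]):
                best = (len(pat), level)
    return default_level if best is None else best[1]


def lockout_risk(rules, default_level, applies_to_admins, env=ENV):
    """Return OS binaries an admin could no longer run: the 'cannot login' case from post 12."""
    if not applies_to_admins:  # policy scoped to users only, admins keep running everything
        return []
    critical = [r"%windir%\explorer.exe", r"%windir%\system32\userinit.exe"]
    return [p for p in critical if effective_level(p, rules, default_level, env) == DISALLOWED]


if __name__ == "__main__":
    # Post 24 style set-up: default deny, OS and Program Files allowed, browser as Basic User.
    rules = [(UNRESTRICTED, "%windir%"), (UNRESTRICTED, "%programfiles%"),
             (BASIC_USER, r"%programfiles%\Internet Explorer\iexplore.exe")]
    for exe in (r"C:\Program Files\Internet Explorer\iexplore.exe", r"C:\Users\joe\Downloads\setup.exe"):
        print(exe, "->", LEVEL_NAMES[effective_level(exe, rules, DISALLOWED)])
    print("lockout risk with Deny c:\\ applied to admins:", lockout_risk([(DISALLOWED, "C:\\")], UNRESTRICTED, True))
```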
  25. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Thank you for the explanation!

    OK. I can see that point. System dir was a bad example. Despite the fact that UAC can be bypassed, but that is another question.
    What about the program files directory? Building up a working system without publisher rules will require setting the program files folder as unrestricted. Am I right? So if malware stores and executes a file there via an exploit the system gets infected.


    That is exactly why I am interested in it! :thumb: It is a good project!

    I agree. That is not working very well. Any update will force you to create new rules. That is exactly why I think that publisher rules are perfect! You can easily say that MS and Adobe and Mozilla files are allowed to run. That's it. Simple and very secure. For all files without signature you will create a path rule down to the file, not for the whole folder.

    I didn't talk about injecting dlls! Most HIPS and behavior blockers will catch that method. But loading dlls is something different. Because of that I think dll restrictions are necessary as well.

    http://blog.didierstevens.com/2008/06/05/bpmtk-how-about-srp-whitelists/


    My best regards Sully!
     