plugging the holes

Discussion in 'ProcessGuard' started by NoHolyGrail, Nov 14, 2005.

Thread Status:
Not open for further replies.
  1. NoHolyGrail

    NoHolyGrail Registered Member

    Joined:
    Nov 14, 2005
    Posts:
    46
    Which functions of a firewall are still necessary when running Process Guard?

    Anything else that's a good idea to run in conjunction with PG?

    I figure an antivirus scan, spyware scan, trojan scan, and rootkit scan are all good ideas. But scanning isn't preemptive. I'd like to close the holes. PG seems to be pretty comprehensive, but what is it missing?

    Or would PG usually be able to fend off most attacks on its own?
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi NoHolyGrail, ProcessGuard is not a firewall as such, more a system protector, and will not protect you from external attack. If you have a hardware firewall that uses NAT etc. then you are much safer than not having a software firewall at all, but you are still vulnerable to outbound access from, say, spyware if you were unlucky enough to allow it to run.
    At Wilders we recommend a layered defence and ProcessGuard does not change that although it does offer a much higher protection layer than without it.

    HTH Pilli :)
     
  3. NoHolyGrail

    NoHolyGrail Registered Member

    Joined:
    Nov 14, 2005
    Posts:
    46
    Pilli, thanks for the reply.

    I figured a firewall would be necessary, I was just looking at how it would need to be configured. I'm just trying to get as thorough a picture as I can of what is still left vulnerable, so I'm not leaving anything open.

    Also, wouldn't all attacks rely on running some executable/process? So that choosing the option in PG to block all new processes should prevent them. I know that sounds too easy...
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    If possible, delete these programs from the SECURITY list, so you'll know when someone has run them! If any of them are set as ALWAYS ALLOW, they can be run and used by malware to *do* something nasty.

    Hopefully NONE of these run during your normal PC operation, and you can bear to press PERMIT now and then IF you CHOOSE to run it and want to allow once.

    CMD.EXE
    FTP.EXE
    NET.EXE
    NET1.EXE
    NETSH.EXE
    TFTP.EXE
    REGSVR32.EXE
    REGEDIT.EXE

    Those are the main ones.. but you can take it further

    WSCRIPT.EXE
    CSCRIPT.EXE
    RUNDLL32.EXE
    IPCONFIG.EXE

    And probably further still :)
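    An added example (Python, not ProcessGuard's own code, list format or log format) that turns the list above into a check: it flags any of those binaries set to ALWAYS ALLOW in a hypothetical security list, and pulls their permitted executions, with the parent process, out of constructed log lines so you can see who launched them.

```python
import re

# The binaries named in the post: legitimate admin tools that malware can
# drive if they are set to ALWAYS ALLOW.
WATCHED = {
    "cmd.exe", "ftp.exe", "net.exe", "net1.exe", "netsh.exe", "tftp.exe",
    "regsvr32.exe", "regedit.exe",
    "wscript.exe", "cscript.exe", "rundll32.exe", "ipconfig.exe",
}

# Hypothetical allow-list (constructed): image name -> "always_allow" or "prompt".
SAMPLE_SECURITY_LIST = {
    "notepad.exe": "always_allow",
    "cmd.exe": "always_allow",       # should not be silently allowed
    "regsvr32.exe": "prompt",
    "rundll32.exe": "always_allow",  # should not be silently allowed
}

def risky_always_allow(security_list: dict) -> list:
    """Return watched binaries that would run without a PERMIT prompt."""
    return sorted(
        name for name, mode in security_list.items()
        if name.lower() in WATCHED and mode == "always_allow"
    )

# Constructed log lines in a simple "date time action image parent=..." form.
SAMPLE_LOG = """\
2005-11-14 10:01:02 ALLOW C:\\WINDOWS\\explorer.exe parent=userinit.exe
2005-11-14 10:02:10 ALLOW C:\\WINDOWS\\system32\\cmd.exe parent=explorer.exe
2005-11-14 10:02:11 ALLOW C:\\WINDOWS\\system32\\tftp.exe parent=cmd.exe
2005-11-14 10:03:00 BLOCK C:\\Temp\\update.exe parent=iexplore.exe
2005-11-14 10:03:01 ALLOW C:\\WINDOWS\\system32\\regsvr32.exe parent=iexplore.exe
"""

LINE_RE = re.compile(r"^(\S+ \S+) (ALLOW|BLOCK) (\S+) parent=(\S+)$")

def watched_executions(log: str) -> list:
    """Return (time, image, parent) for permitted runs of watched binaries."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when, action, path, parent = m.groups()
        image = path.rsplit("\\", 1)[-1].lower()  # strip the directory
        if action == "ALLOW" and image in WATCHED:
            hits.append((when, image, parent.lower()))
    return hits
```

A browser launching regsvr32.exe, as in the last sample line, is the kind of parent/child pair worth a second look even when the run itself was permitted.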
     
  5. NoHolyGrail

    NoHolyGrail Registered Member

    Joined:
    Nov 14, 2005
    Posts:
    46
    Gavin, thanks for your input. So those are all processes which could be used maliciously without even being modified? This makes the "block new processes" option even more versatile than I realized.

    So am I correct in my conclusion that if I have NAT on a router, then beyond that, I would need to do one of the following:

    1) configure a software firewall for the sole purpose of restricting which applications have outbound access
    2) use the "block new processes" option of PG3, which will alert me and give me a permit/deny option if anything new tries to run

    With the first option, something malicious could still run on my computer, it just couldn't connect outbound.

    The second option seems more versatile. PG3 would notify me before anything malicious or maliciously modified could even run, let alone connect to the internet. The firewall would be redundant, though redundancy is generally a good thing when it comes to security.

    I'm aware that the "block new processes" option will result in potentially "annoying" notifications, but I don't mind. I like to be informed of what's taking place on my computer.

    So, beyond human error, what vulnerabilities remain at this point? What sort of attacks are not process-based (scripts, perhaps)?
     
  6. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    If you set PG to block new and changed then you will not get an alert, the process will just be blocked. You can see the blocks in your log though if you're interested.
     