Problems

Discussion in 'Ghost Security Suite (GSS)' started by Mark Klomp, Jun 22, 2007.

Thread Status:
Not open for further replies.
  1. Mark Klomp

    Mark Klomp Registered Member

    Joined:
    Sep 30, 2005
    Posts:
    61
    The program is great, and I can tell you that I have 165 applications added to the AppDefend list. You know... you have to add them all, which is quite a time-consuming job; Windows alone already has many application exes which have to be added. For this reason it would be more relaxed if the program included some sort of scanner, which scans for application exes. Or maybe just all legitimate Windows exes have to be added already in the .Default app rule. Then I can tell that it would be handy if the program includes an auto-updated database, for example: http://www.processlibrary.com/ . So that the program can identify the process which is trying to execute in the alert window. Maybe you could include a ''legitimate'' or ''not'' routine based on www.processlibrary.com, so that legitimate apps automatically get added and the harmful apps also automatically get blocked, so that only the zero-day threats are left over to the human brain decisioning system/process. Furthermore it would be handy if the program could know whether a program is run automatically or by hand. You know, the chance of being infected is higher with an automatic run than with a manual run of an exe. These could be some features that might be added in prospective. On the contrary, AppDefend doesn't crash when many apps are added, while ProcessGuard did. This already is a huge plus for me.

    Thanks for listening to my post,

    Greets,
    the one and only Mr. Klomp


    Hello, believe it or not, but now I have 168 apps added to the app permission list, but now Ghost Security begins to act strange when I want to install a new program. It says the following:

    Window title: ''AppDefend Confirmation: gss.exe - No disc''

    ''There is no disc in the station. Place a suitable medium in the station G.''

    ''Annulate, Retry, Continue''


    and:

    ''Window title: C:\Documents and Settings\Prive\Bureaublad\Classic_0.91.7\Classic_0.91.7\ImgTool.exe'' (it shows the path of the app you're trying to start)

    ''Can't get access to the given device, path or file. Possibly you don't have authority for the item.''

    From now on, with 166 apps added, you get these messages when opening exes (the second message refers to the file you're trying to open).

    So this maybe does mean GSS can't handle more than 166+ apps.
    Although this is much more than PG was able to handle, it's still handy if GSS can handle about 300 applications maximum, because I'm still adding apps as time goes by.

    Thanks
     
  2. SYS 64738

    SYS 64738 Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    130
    I never heard that AppDefend can handle only a limited number of applications. :eek:
    I have currently 187 applications added. No problems so far.
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The problem with such a feature is that it relies on a system being clean of malware. If you have an infected file, then any "initial scan" option would result in it being allowed to damage your system. In addition, it would require a database of permissions for known legitimate files - such permissions would have to be overly broad (and therefore less secure) in order to accommodate different system setups.

    System Safety Monitor does offer a similar feature (Learning Mode, which behaves much like Process Guard's did) though.

    Won't work - legitimate applications cannot be identified by name alone (plenty of malware uses names like svchost or winlogon in order to appear legitimate). The only way that such a "whitelist" could function safely is if SHA256 fingerprints were used and that would require GhostSecurity to maintain and update (in Windows' case, with every Windows Update released) a list of every known legitimate program.

    There is another program, PrevX, that tries to go this route with a "community-based" whitelist/blacklist, but even that has its downsides with many community members allowing malware because of click-fatigue or lack of knowledge on suspicious behaviour.
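
The contrast drawn in the post above between a name-based whitelist and one keyed on SHA256 fingerprints, as an added example that is not part of the original post and not GSS code. The paths, byte strings and helper names are constructed for illustration; the third sample shows why the list has to be refreshed with every vendor update.

```python
import hashlib
import ntpath  # parses Windows-style paths on any platform


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


# Constructed stand-ins for file contents (not real binaries).
GENUINE = b"constructed bytes: vendor-shipped svchost.exe"
IMPOSTOR = b"constructed bytes: unrelated program renamed to svchost.exe"
UPDATED = b"constructed bytes: svchost.exe after a vendor update"

# Constructed (path, content) pairs an execution-control tool might see.
SAMPLES = [
    (r"C:\WINDOWS\system32\svchost.exe", GENUINE),
    (r"C:\Documents and Settings\user\Temp\svchost.exe", IMPOSTOR),
    (r"C:\WINDOWS\system32\svchost.exe", UPDATED),
]

NAME_ALLOWLIST = {"svchost.exe", "winlogon.exe"}


def allowed_by_name(path: str) -> bool:
    # Weak check: trusts whatever the file happens to be called.
    return ntpath.basename(path).lower() in NAME_ALLOWLIST


def allowed_by_hash(content: bytes, allowlist: set) -> bool:
    # Strong check: trusts only byte-for-byte known content.
    return sha256_hex(content) in allowlist


def evaluate(samples, hash_allowlist):
    """Return (path, name_verdict, hash_verdict) for each sample."""
    return [
        (path, allowed_by_name(path), allowed_by_hash(content, hash_allowlist))
        for path, content in samples
    ]


if __name__ == "__main__":
    baseline = {sha256_hex(GENUINE)}
    for path, by_name, by_hash in evaluate(SAMPLES, baseline):
        print(f"name={by_name!s:5} hash={by_hash!s:5} {path}")
    # The list maintainer must publish the new fingerprint after each update.
    refreshed = baseline | {sha256_hex(UPDATED)}
    print("after list refresh:", allowed_by_hash(UPDATED, refreshed))
```
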
     
  4. Mark Klomp

    Mark Klomp Registered Member

    Joined:
    Sep 30, 2005
    Posts:
    61
    Ok thanks for the info guys.

    But does someone have one of these informative videos: http://www.solsem.com/videos.html?wt.svl=videolib (it's a pity they are quite expensive). This way you can get to know everything about the internals of Windows, and how it works at kernel level etc. I think this is a must for programmers such as Jason_R0, as he has to deal with the internals of Windows when working on AppDefend. What do you think? I would want to own these DVDs too, but they are too expensive for me. Maybe someone who has them can share.
     
  5. MsFluffyMuffin

    MsFluffyMuffin Registered Member

    Joined:
    Jun 4, 2003
    Posts:
    67
    Location:
    UK
    Those videos look really interesting, I'm sure I have seen them before, but honestly, what would Jason do with them....haha....I'm sure he knows all the information in them anyways, let's face it, Jason could create his own that would match or even surpass them, hmmm.....I wonder if Jason has a lead role in them :D

    Fluffy
     
  6. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    I have thought about a whitelist database, and there are other projects already doing such things. Problems exist such as "how many privileges" do you give these processes automatically just because they are "good". It is quite easy for all legitimate applications to be tied up into executing some bad code. Internet Explorer is a good example of that, as it isn't malware by itself, but launches a lot of it.

    Applications like GSS are really always going to have to be used in somewhat experienced hands I feel just because of this issue, as soon as you go "assuming more" you let things past just like a conventional virus scanner does. As I've said before though I want to at least give the option of loosening up AppDefend and RegDefend so they can be used by more inexperienced people effectively.

    In regards to the videos, I already own quite a few books on kernel coding, windows development, etc. They can only take you so far before you actually need to do your own research about how things work. Those sorts of resources are really helpful when first starting out in kernel development but I have been doing low level kernel development on Windows for over 6 years now. What I know on kernel development could probably fill a small book, but it would be quite boring to most people. ;)
     