Process Guard, a must have!

Discussion in 'other anti-trojan software' started by DolfTraanberg, Oct 27, 2003.

Thread Status:
Not open for further replies.
  1. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    DiamondCS Process Guard is an advanced security system that protects both system and security processes (as well as user-defined processes) from attacks by other processes, services, drivers, and other forms of executing code on your system. The first program of its kind, Process Guard is made possible by a kernel-mode driver that securely controls process-to-process access in a relatively simple but technically efficient, safe, and secure manner. Although Process Guard is a very powerful program due to its low-level nature, its intuitive graphical interface actually makes it very easy to use for both novice and advanced users alike.

    http://www.diamondcs.com.au/processguard/
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Kudos Dolf, :)

    It is all of what's said above and more.
     
  3. aguest

    aguest Guest

    Can somebody please tell me which firewall leaktests (Firehole, Blackstealth, Atelier ...) are blocked by DCS ProcessGuard? Does PG prevent the installation of API hooks? Will it stop HackerDefender 0.84 Rootkit?

    I assume that PG will not stop DLL injection via AppInitDLLs registry key. Is there a good autostart monitor which you can recommend as an addendum to PG? The monitor should observe most known autostart options (including AppInitDLLs key) by default and it should be easily configurable so that it is possible to add further registry keys which are not covered by default.

    I would also be interested in Andreas Haak's opinion on PG because I expect him to be quite critical. If he can't find too many flaws this new product must be REALLY good.

    Thank you.
     
  4. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    All executables, DLLs, processes and services are protected.
    Any injection will be refused. A good and free autostart monitor tool is AutostartViewer:
    http://diamondcs.com.au/index.php?page=asviewer

    And sorry, I don't have Andreas' number :)
    Dolf
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi aguest, to quote Wayne of DCS:

    "It's a kernel-mode driver-based application, and yes it blocks DLL injection, code injection, and virtually all known process-to-process attacks, including a variety of termination and suspension techniques"

    You can reach the DCS General forum here where there is a lot more information:
    http://www.diamondcs.com.au/forum/forumdisplay.php?s=&forumid=6

    Also check out Dolf's link above

    HTH Pilli
     
  6. controler

    controler Guest

    Hi

    Why is there no link to this software from the main page?

    http://www.diamondcs.com.au/
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Can assure you the security world is already aware of this new software and is testing it thoroughly.
    Looking forward to comments.
    And although Andreas Haak's opinion is there --the world is still waiting for one complete product of his own! instead of him hammering down other people's products (like in construction) for which he shouldn't even have time at all, hired by another AV vendor-- , he is not the only critical person in security land: how about the DCS developers themselves and the experienced beta testers team, to name but a few?
    Get your d/l and give it a try, see what it does on your system, adding another layer in protection!


    Controler, thanks for the site alert, I'm sure that will be solved soon, the webmaster is alerted.
    Here it is again:
    http://www.diamondcs.com.au/processguard/
     
  8. aguest

    aguest Guest

    @Pilli & Dollefie

    I am familiar with the official PG information. But I would like to see an experienced, independent person (not a DCS affiliate) to review this interesting new tool.

    I am not so sure about AppInitDLL because this is not an ordinary "bad" injection technique. It wouldn't be terrible if it is not covered.

    I am looking for an autostart monitor, not a viewer. Is DCS RegistryProt configurable?

    Regarding A. Haak: He has quite some experience in this area and will hopefully jump on the thread sooner or later w/o being called.

    In the meantime, someone else like Anvil could take care of the firewall leaktests? I understand that not all leaktests are covered and would like to know why. (I am terribly sorry for not being able to perform any tests on my own right now.)

    Thanks again.
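    The kind of configurable autostart monitor asked for above, as an added example that is not from the thread or from DiamondCS: it parses a Windows registry export (.reg text) and reports changes in a list of watched autostart keys, with AppInit_DLLs included by default. The watched-key list and the two sample exports below are assumptions constructed for the example.

```python
import re

# Autostart locations watched by default. AppInit_DLLs (a value under the
# Windows NT "Windows" key) names DLLs loaded into every process that uses
# user32.dll, so any non-empty value deserves a look. Callers may pass their
# own list to watch further keys.
DEFAULT_WATCHED_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
]

_KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...\Path]
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "Name"="string data"


def parse_reg_export(text):
    """Parse the string values of a .reg export into {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes in string data as "\\".
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def diff_autostarts(baseline_text, current_text, watched=None):
    """Return (key, name, old_data, new_data) for every changed watched value."""
    watched = watched or DEFAULT_WATCHED_KEYS
    base, cur = parse_reg_export(baseline_text), parse_reg_export(current_text)
    changes = []
    for key in watched:
        old, new = base.get(key, {}), cur.get(key, {})
        for name in sorted(set(old) | set(new)):
            if old.get(name) != new.get(name):
                changes.append((key, name, old.get(name), new.get(name)))
    return changes


# Constructed sample exports: a clean baseline and a later export in which
# AppInit_DLLs has been filled in and a new Run entry has appeared.
BASELINE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTool"="C:\\Program Files\\ExampleTool\\example.exe"
'''
CURRENT_EXPORT = BASELINE_EXPORT.replace(
    '"AppInit_DLLs"=""', '"AppInit_DLLs"="C:\\\\example\\\\hook.dll"'
) + '"Updater"="C:\\\\temp\\\\upd.exe"\n'
```

Export the keys with `regedit /e` on a schedule and run `diff_autostarts` against the previous export; each tuple returned is one autostart change to review.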
     
  9. Andreas Haak

    Andreas Haak Guest

    It doesn't block AppInit_DLLs ... it doesn't block Windows messages ... it doesn't block DLL injections using SetWindowsHookEx ... what does it block? *g*

    I already said it at DSLR ... the headline is wrong. It should be:

    Process Guard, must be a joke.

    Further information and proofs of concept can be found at:

    http://www.dslreports.com/forum/remark,8338505~root=security,1~mode=flat
     
  10. hayc59

    hayc59 Guest

    oh my?? this should be good :blink:
     
  11. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    Well, not all leaktests rely on patching/modifying/injecting into/... running processes, so it's quite understandable that Process Guard (PG) doesn't block all of them.
    Additionally, PG seems to have some flaws, see A. Haak... :rolleyes:

    In particular:
    Tooleaky, Wallbreaker, jdong's_shell_execute_test: 'fail' (for PG) because these leaktests only start the browser in a certain way and don't 'mess' with any running process.

    Firehole: 'fail' because it uses SetWindowsHookEx for dll injection (see A. Haak)

    Copycat, Thermite: 'pass' - obviously, PG can block code injection via "create_remote_thread" and "ntopen_thread".

    AWFT: 'pass' all but test 1, only if the browser _and_ the explorer.exe processes are protected. This is because in all passed tests, at some point "create_remote_thread" is used to patch one of the two processes. In test one, there is no 'running process patching' (browser is patched before execution and then started) - so PG 'fails'.

    PcAudit: 'fail' because it uses SetWindowsHookEx

    Well, quite a mixed result... it seems that when something tries to _directly_ modify a protected process, PG can block it. :)

    In any other tested case, it fails. :(
    (but again: not all leaktests can be considered as a "target" of PG, so it's no shame that it 'fails' them.)
     
  12. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    It's quite clearly not complete yet and we were simply waiting for attacks :) we know all about them already and are going to add full protection. Andreas Haak, ever heard of responsible disclosure?

    Oh wait, of course you haven't. You're the guy who posts THIS on a forum full of trojan writers

    Don't have a conscience? :) There's only one word for Andreas Haak - immoral. OK, 2 words, immoral and irresponsible. You posted SOURCE code which trojan users can add to upcoming trojans.

    NOT saying they won't be able to do it, but by the time anyone did find any flaws v1.1 would be out, which means they are useless :D

    So thanks for weakening the security of those who downloaded the free version :) Those who have, don't worry - new version soon.
     
  13. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Time for a constructive post, then back to important stuff

    > does Process Guard block Hacker Defender

    YES. It's quite possible, however it only does part of the job at this time. I protected services.exe and a few others, then the rootkit cannot start immediately, it remains visible. The service key IS written to the registry, so rebooting will cause it to go live and disappear. But so far so good, please don't run any rootkit unless you know how to remove it and want to take the risk on an old machine :)

    More information following upcoming versions and more testing vs rootkits :D enjoyable testing that is
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    With that quote Gavin, a win9x version in future! Hey, didn't that easy solution spare lots of trouble of finding it, if it really made sense for the further steps to take as well? Great! Looking forward to those implementations.
     
  15. Andreas Haak

    Andreas Haak Guest

    I did. But in fact it doesn't work for you. Tried it several times in the past. Just remember the Donald Dick stuff or your weak signatures etc. You will simply disclaim the issue. So the best way to force you to improve your products is by making the flaws public. It's a sad fact.

    *lol* ... yes posted this some time ago inside the techboard.

    I have one ... do you have one?

    I posted source code so everyone - especially you - can look how it works (and how easy it is). I don't think security by obscurity works. Keeping a bug or vulnerability "secret" won't work.

    Good to hear that.

    In fact I would weaken the security (well ... is it secure? don't think so - so speaking about security isn't a good idea ... found 4 new ways to fool Process Guard) only for one or 2 days. After this they have improved security they would either never get or get later.
     
  16. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    At least one question was answered. ;)
    Thank you for the time you spent beta-testing the competition's software, Andreas.
     
  17. Andreas Haak

    Andreas Haak Guest

    No problem ... beta testing is one of my hobbies ;).
     
  18. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Wrong, you don't bother sending us an email asking if we know about a few small things. Where is the email now? Continue, only you look bad. Where is A²?

    Exactly, so well done helping the trojan writers.

    We already know how to do these things and you know that. Where is A²?

    More rubbish. You know nothing of our schedule. We promised a version on Monday, we released it. Soon we will release much better versions :)

    Again.. Where is A²?
     
  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Ah² > NOD32?
     
  20. Andreas Haak

    Andreas Haak Guest

    Regarding PG I never wrote an email. Regarding the missed Donald Dick servers I asked Angelo to write one (and actually he did). Regarding your weak signatures I had some major discussions with Wayne via mail.

    They still have to reverse engineer KERNEL32.DLL to find the API (and they would find it very easily if they look at how Windows injects DLLs into applications).

    Definitely wrong.

    You promised to release it by Sunday ;). But well ... don't want to be too pedantic.

    On my hard disk? Why are you so keen on trying it? ;) Are you tired using TDS? :)
     
  21. Andreas Haak

    Andreas Haak Guest

    Definitely not.
     
  22. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    First you say it's finished. Finished, ready to release. Then you have all these "problems" that you can't allow downloads. If you had it finished, you should have released it months ago instead of getting everyone's hopes up.

    Now you say you won't release something unless it has no problems.. so that's what's holding it up? It has huge flaws? Not unlikely :)

    End of story.. you've released nothing so get over it please :)

    If you have ways to attack PG when the next version comes out, send us an email. Your choice if you do or not, you've been given the chance.
     
  23. Andreas Haak

    Andreas Haak Guest

    Not huge. But several testers reported some that have to be fixed. I am not you. I don't release software if I know there are some issues.
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Quote from the DSLR thread:
    > > I thought you were so busy with A^2?
    >
    > I am. About 8 hours a day - and about 12 every free day.

    That doesn't leave you much time for your job at Eset if you also are debugging other vendors' software and posting it in trojan writers' boards --- can't imagine that is the job at Eset's.

    > *lol* ... yes posted this some time ago inside the techboard.

    > Exactly, so well done helping the trojan writers.
     
  25. Andreas Haak

    Andreas Haak Guest

    Where did I post details about a special vendor in a trojan writer board? :eek:

    Just told that there is a CreateRemoteThread API inside the Windows 9x kernel32.dll .

    8 hours ESET, 8 hours a², 8 hours free time/sleep. I mentioned it several times before, I guess.
     