Process Guard, a must have!

Discussion in 'other anti-trojan software' started by DolfTraanberg, Oct 27, 2003.

Thread Status:
Not open for further replies.
  1. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    > Where did I post details about a special vendor
    > in a trojan writer board?
    We have no need, we email each other. You're the only person I know of that writes security software that publishes exploit code in public forums without contacting the software vendor.
     
  2. Andreas Haak

    Andreas Haak Guest

    Doing the same (if I knew it would work). It doesn't work, as the past showed several times. Weak signatures, Donald Dick ... every time I or one of my "co-workers" contacted you, nothing changed until it got public (and some other stuff still hasn't changed).
     
  3. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    "8 hours ESET, 8 hours a², 8 hours free time/sleep. I mentioned it several times ago I guess"

    Interesting, from what I heard the ESET boss said that Andreas doesn't work for them at all. But I guess he doesn't know what's up in his own company...

    For me, he is a simple and plain liar who only wants attention from others. As long as I haven't seen a beta of A^2, it doesn't exist for me. He is only making a joke out of himself by bragging about how good A^2 will be - well, everyone can brag with imaginary features of an imaginary product. Andreas, I strongly suggest you stop posting silly messages and bashing other products and get your product out. No one with a clue is taking you seriously if you keep this style. Or can you explain to me why you posted here and bashed PG if you already "informed" DCS on another forum?
     
  4. Andreas Haak

    Andreas Haak Guest

    trnka@eset.sk ... feel free to send a mail :).

    Your opinion :).

    I don't care ;).

    Sooner or later it will be out there - surely.

    You are able to read I guess. Someone asked for my opinion and I posted a link to the thread at DSLR :). Something wrong with it?
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Please,

    Can we try and keep this thread on topic?
    It is not about a² or where Andreas Haak works or spends the hours he doesn't work. It is about Process Guard.

    TIA,

    Pieter
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Great idea, Pieter!

    When you're putting stuff into PG's list - should it only be the exes of the programs you want protected? The exes are the "processes" that are being protected?

    To clarify - by protecting the exes, you're automatically protecting the "modules" and the "threads"? And they don't have to be added separately? Pete

    Also, should you add the exes for programs such as SBS&D and AA (ones that don't run resident, IOW) to protect them from being shut down when you try to run them?

    There are scumware programs that affect those kinds of programs, too, right?

    Should the update exes of all those programs be added separately, too?
     
  7. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Pete,
    That's correct - you only need to add protection for exes, not DLLs (they're automatically protected when loaded under a protected process).

    > Also, should you add the exes for programs such as
    > SBS&D and AA (ones that don't run resident, IOW)
    Couldn't hurt :)
    Just ask - "is a trojan or other malicious piece of software likely to want to terminate or tamper with this program?" - if the answer is yes/probably/possibly/maybe, it can't hurt to add protection for it.

    > Should the update exes of all those programs
    > be added separately, too
    I wouldn't bother adding those. Just system and security processes, that's all you want :)

    Best regards,
    Wayne
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Okay, so far the only one I've had to remove after adding was the MRU-Blaster exe - for some reason, OutPost kept trying to gain access to it and it was making an entry in the PG log every five minutes (which is every time MRU-Blaster Scheduler runs). See screenie. Pete

    ;) - LWM
     
  9. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Very strange! I've never run Outpost before, but maybe it's doing some user-mode hooking (which typically involves writing to the memory space of the process, and as such would require Write access, which is what you're seeing). You could always just uncheck the Write checkbox for the MRU-Blaster process though (just leaving it with Suspend/SetInfo/Terminate privileges blocked) :)
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thank you, I'll try that! Pete
     
  11. aguest

    aguest Guest

    Wayne,

    You have asked for features requests, comments etc.:

    I believe the most important feature of PG is not the prevention of process termination but the prevention of code & DLL injections + malicious API hooking. This is because process termination is not really dangerous. On the contrary, intermediate and experienced users can be happy if malware reveals its presence by terminating security software.

    It would be great if PG were able to prevent disabling Windows System File Protection (sfc.dll). Unless you already know, please check out Aphex' webpage where you will find some source code explaining how to dynamically disable SFP. Other ways for disabling SFP (via replacing sfc.dll with a patched .dll) can be found via google. There is also a Virus Bulletin issue of 2003 describing a virus which shuts down SFP.

    I believe that temporarily disabling SFP will become a problem soon since this allows an attacker to employ very nasty patching tricks which put into question the effectiveness of tools like SSM or PG: for example, it's not only possible to patch a LoadLibrary into iexplore.exe, an attacker may also "take care" of wsock32.dll and so on.

    Thank you for considering these thoughts.
     
  12. MichaelE

    MichaelE Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    79
    Location:
    Västerås, Sweden
    Wayne,
    I looked in the process list of Task Manager and added all of them into PG.
    Is this considered "overdone"? o_O
    Michael
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    And, while I'm thinking about it - is there any way to have the PG tray icon flash when it's blocking something?

    I wouldn't have noticed the above if I hadn't gone back to add something else (IOW, "real-time" warning).
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    MichaelE, Apart from those pre-selected by PG, a good guide would be to add what apps your firewall has listed. ;)

    Peter, The flashing icon is a good suggestion :)
     
  15. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    aguest,
    Regardless of which you think is more important (termination or code injection/hooking), Process Guard takes care of both of them for you :)

    Wouldn't you prefer to be alerted by an alert from Process Guard, rather than being alerted by seeing your security apps all shutting down before your eyes? :)

    Hmm, this is moving over into the side of complete operating-system protection ... :)
    If sfc.dll can be bypassed then that's really an issue that Microsoft need to resolve, as System File Protection is their protection system for files. There was an old registry trick that you could use in old builds of Win2K, but they fixed that. Still though, it's a very interesting thought and rest assured we'll have a closer look into this, but at this stage I'd rate it only as a low-level risk.

    MichaelE,
    Yes that sounds a bit overdone ... :)
    The only processes you should add are system and security ones. For example, there's no need to add notepad.exe as that's just a utility, but if you have an antivirus scanner then add that, and any system processes that are running at startup (like explorer.exe, svchost.exe etc) should also be added. That's basically all there is to it :)
    In the registered version, the first time you run it you'll be asked if you'd like the list automatically populated for you with system processes, so this saves a bit of time.

    spy1,
    Yes realtime warnings are already on the wishlist. A flashing icon could be good, we'll see :)
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    TDS fella him say...
    a² fella him say...
    I'm NOT taking sides, but it is a rather funny rejoinder. :D

    Frankly, I feel that the Wilders Mods are great for letting the debate continue. I don't know about you folks, but I am learning from it. Also, although many of the ideas are flying around in the form of daggers flung at one another, they may actually prove helpful to those who are finding ways to deal with this new & thorny security problem.
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Bellgamin: brainwaves and brainstorming around here, creative processes storming around.
    DCS is looking if there are more wishes to fulfill from users' wishlists, and all are just very happy!
     
  18. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I'm not really sure if this is what you'd consider a "problem" or not, but OutPost Pro sure does seem to have a lot of interaction with other programs according to PG.

    [20:17:27] c:\program files\agnitum\outpost firewall\outpost.exe [1064] tried to gain WRITE access on c:\defensive tools\mru-blaster\scheduler.exe [1752]
    [20:17:28] c:\program files\agnitum\outpost firewall\outpost.exe [1064] tried to gain WRITE access on c:\defensive tools\spywareguard\sgmain.exe [1248]
    [20:17:30] c:\program files\agnitum\outpost firewall\outpost.exe [1064] tried to gain WRITE access on c:\defensive tools\spywareguard\sgbhp.exe [372]
    [20:22:28] c:\program files\agnitum\outpost firewall\outpost.exe [1064] tried to gain WRITE access on c:\defensive tools\mru-blaster\mrublaster.exe [1604]
    [20:32:28] c:\program files\agnitum\outpost firewall\outpost.exe [1064] tried to gain WRITE access on c:\defensive tools\mru-blaster\mrublaster.exe [1332]
    [20:37:28] c:\program files\agnitum\outpost firewall\outpost.exe [1064] tried to gain WRITE access on c:\defensive tools\mru-blaster\mrublaster.exe [584]
    [20:42:28] c:\program files\agnitum\outpost firewall\outpost.exe [1064] tried to gain WRITE access on c:\defensive tools\mru-blaster\mrublaster.exe [400]
    [20:47:28] c:\program files\agnitum\outpost firewall\outpost.exe [1064] tried to gain WRITE access on c:\defensive tools\mru-blaster\mrublaster.exe [1852]
    [20:52:28] c:\program files\agnitum\outpost firewall\outpost.exe [1064] tried to gain WRITE access on c:\defensive tools\mru-blaster\mrublaster.exe [1244]
    [20:57:28] c:\program files\agnitum\outpost firewall\outpost.exe [1064] tried to gain WRITE access on c:\defensive tools\mru-blaster\mrublaster.exe [1096]
    [21:02:28] c:\program files\agnitum\outpost firewall\outpost.exe [1064] tried to gain WRITE access on c:\defensive tools\mru-blaster\mrublaster.exe [1180]

    The second part of this issue is that PG did not - repeat - did not - keep the setting change to the mrublaster.exe that I made earlier today (UN-checking the "Write" block for that exe).

    When I re-started the computer tonight (it's my birthday, I took half the night off from work), you can see by the log that it's not ignoring the "write" attempts by OPP on mrublaster.exe.

    Need to check on that, guys. Pete
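    The log spy1 pasted above is the kind of thing worth triaging automatically rather than by eye: the question is whether a source process hitting a protected target on a fixed schedule (here every five minutes, each time with a fresh target PID) looks like a scheduled, benign interaction or something irregular. The following is an added example, not part of the original post and not DiamondCS code; it parses the Process Guard log format exactly as quoted in the thread, counts events per source/access/target, and reports the dominant interval between repeats. The sample log lines are constructed from spy1's post (a subset) plus one junk line to show that non-event lines are skipped; the function names and the 300-second period are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Pattern for the Process Guard log format as quoted in the thread:
#   [HH:MM:SS] <source exe> [<pid>] tried to gain <ACCESS> access on <target exe> [<pid>]
LOG_RE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2})\] "
    r"(?P<src>.+?) \[(?P<src_pid>\d+)\] "
    r"tried to gain (?P<access>[A-Z]+) access on "
    r"(?P<dst>.+?) \[(?P<dst_pid>\d+)\]$"
)

# Constructed sample, modelled on the lines spy1 posted (a subset, same format),
# plus one line that is not a PG event and must be ignored by the parser.
SAMPLE_LOG = r"""
[20:17:27] c:\program files\agnitum\outpost firewall\outpost.exe [1064] tried to gain WRITE access on c:\defensive tools\mru-blaster\scheduler.exe [1752]
[20:17:28] c:\program files\agnitum\outpost firewall\outpost.exe [1064] tried to gain WRITE access on c:\defensive tools\spywareguard\sgmain.exe [1248]
[20:22:28] c:\program files\agnitum\outpost firewall\outpost.exe [1064] tried to gain WRITE access on c:\defensive tools\mru-blaster\mrublaster.exe [1604]
[20:32:28] c:\program files\agnitum\outpost firewall\outpost.exe [1064] tried to gain WRITE access on c:\defensive tools\mru-blaster\mrublaster.exe [1332]
[20:37:28] c:\program files\agnitum\outpost firewall\outpost.exe [1064] tried to gain WRITE access on c:\defensive tools\mru-blaster\mrublaster.exe [584]
[20:42:28] c:\program files\agnitum\outpost firewall\outpost.exe [1064] tried to gain WRITE access on c:\defensive tools\mru-blaster\mrublaster.exe [400]
this line is not a PG event and must be ignored
"""


def _seconds(hhmmss):
    """Convert HH:MM:SS to seconds since midnight (same-day logs only)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_line(line):
    """Return a dict for one PG event line, or None if the line is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["src_pid"] = int(ev["src_pid"])
    ev["dst_pid"] = int(ev["dst_pid"])
    ev["seconds"] = _seconds(ev["time"])
    return ev


def parse_log(text):
    """Parse every event line in a log, silently skipping anything else."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def basename(path):
    """Last component of a Windows path, e.g. c:\\x\\y.exe -> y.exe."""
    return path.rsplit("\\", 1)[-1]


def summarize(events):
    """Count events per (source exe, access right, target exe).

    A new target PID for the same exe means the target was started again (as with a
    scheduler that runs every few minutes), so distinct dst PIDs = launches observed.
    """
    counts = Counter()
    pids = defaultdict(set)
    for ev in events:
        key = (basename(ev["src"]), ev["access"], basename(ev["dst"]))
        counts[key] += 1
        pids[key].add(ev["dst_pid"])
    return {key: {"events": n, "launches": len(pids[key])} for key, n in counts.items()}


def dominant_interval(events, src_exe, dst_exe):
    """Most common gap in seconds between consecutive events for one src->dst pair.

    Returns None when fewer than two events exist. A stable gap (e.g. 300 s) points
    to a scheduled cause, which is the triage question in the thread.
    """
    times = sorted(ev["seconds"] for ev in events
                   if basename(ev["src"]) == src_exe and basename(ev["dst"]) == dst_exe)
    if len(times) < 2:
        return None
    gaps = Counter(b - a for a, b in zip(times, times[1:]))
    return gaps.most_common(1)[0][0]


def triage(text, period=300):
    """Label each src->dst pair 'periodic', 'irregular' or 'single' from its dominant gap."""
    events = parse_log(text)
    verdicts = {}
    for (src, access, dst), info in summarize(events).items():
        gap = dominant_interval(events, src, dst)
        verdict = "single" if gap is None else ("periodic" if gap == period else "irregular")
        verdicts[(src, access, dst)] = {**info, "interval": gap, "verdict": verdict}
    return verdicts


if __name__ == "__main__":
    for key, info in triage(SAMPLE_LOG).items():
        print(key, info)
```

Run against the sample, the outpost.exe -> mrublaster.exe pair comes out as four events against four distinct target PIDs with a dominant 300-second interval, i.e. one WRITE attempt per scheduler launch; the single hits on scheduler.exe and sgmain.exe carry no interval. That pattern supports Wayne's reading above (a firewall hooking each new process as it starts) and is the basis for deciding whether unchecking Write for that one target is the right exception, rather than loosening protection more broadly.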
     
  19. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    (Gavin beat me to the post) - see his response below. :)
     
  20. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Happy Birthday spy !! :D

    We will fix that in a build out soon - today or tomorrow probably. To force an update of the list you can close PG and reopen it for now; while we don't recommend closing PG in normal situations, chances are you won't be attacked in the few seconds that takes :)
     
  21. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
  22. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Since Process Guard seems destined for greatness (and into many users' PCs :D) after the DCS guys fix the problems found here & add the features suggested here, would it be a good idea to open a Process Guard subforum... what do you say Paul?
    Or do you have one @diamondcs.au.com? Haven't been there lately, except when I d/lled PG of course..
     
  23. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hello illukka, It is being discussed at the moment ;)
     
  24. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I'm 99% sure it doesn't actually want to USE full access to another process's memory :) And you should see nothing will stop working.
     
  25. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    If PG doesn't stop anything from working - o_O Pete
     