Process Guard v3 FINAL BETA released!

Discussion in 'ProcessGuard' started by Wayne - DiamondCS, Sep 30, 2004.

Thread Status:
Not open for further replies.
  1. Night

    Night Guest

    I agree with rodsoto for the most part; PG is still a very unique and beneficial security solution, especially for other software security systems, and even though one particular feature isn't functioning properly on some systems it still, however, provides ultimate protection against the other methods.

    But don’t make a mistake to speculate that there isn’t already something malicious out there that verifies PG users and targets PG.

    gkweb you are right indeed... :)
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    I take it that is speculation on your part?

    I doubt if a cracker would choose Process Guard as a target, mainly because there are many easier nuts to crack and you still need a vehicle to get it onto a user's machine.
    Though as an exercise in one-upmanship amongst blackhats anything may be possible.

    There is not and never will be 100% security but at least we can try to get close.

    Pilli
     
  3. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Jazzie1,

    Most programs that have an "Exit" menu can be terminated with SendKeys, so I'm surprised you're uninstalling simply because of that! And that typically doesn't even apply to resident/always-on security software because closing interfaces usually doesn't affect the security. For example, if you use SendKeys to close down the GUI of your firewall the firewall itself should still be running, so that's a useless attack - especially as firewalls are the #1 target of trojans. Likewise with Process Guard, you can close the interface down completely so the process isn't even running, but its kernel driver will still be protecting you.

    SendKeys is a very unconventional process-specific attack which has several restrictions and requirements in order for it to be used, which makes it possibly the last choice for hackers, especially when they could simply call TerminateProcess(ProcessID) instead and be done in a flash. Even if Process Guard only protected against TerminateProcess it would still be protecting you from the single most common attack vector, and probably something like 99% of trojans we've come across that use termination use TerminateProcess.

    We can and may incorporate filtering for SendKeys and other keystroke-related functions in a future build just as we've added new functionality to this version, but at this stage there really doesn't seem much point or need.

    Best regards,
    Wayne
     
  4. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Boy, we have the whole "coding cowboy family" posting here! Didn't realise that my complaining would stir up that much of a hornets' nest! But as proof again, it shows if you bend over and take it, life is grand, but if you try a reach-around then you get slapped down...:) Anyways the CMH is a joke, like I said. It doesn't work like it should. So yeah Wayne, to disagree and step on your hat, I think it is an important feature that should work. But it doesn't. So yeah, as a customer I am upset about the final Beta not having that aspect fixed, even if you think it is irrelevant...

    BTW Rod, the sound systems do suck in Ferrari's! :)

    Jazzie
     
  5. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Jazzie are you talking about SendKeys, or message handling? (They're both in the same ballpark, but still two distinctly different attacks). If it's the latter, yes it should work correctly (you and 'night' are the only people who've reported it not working as expected), but we'll have a check over things tomorrow anyway to see if we can find anything that might be causing it to fail on your system, although these things are hard to debug when only a couple people experience the problem and we're unable to replicate it here.

    Regardless, even if message handling doesn't work on your system, PG is still a solid layer of security that will protect your system and security programs from all common attacks (including TerminateProcess - the most common), as well as crash attempts, as well as rootkit installations (PG is worth it for that alone IMHO), as well as a variety of other attacks that we'll be documenting in detail in the helpfile. Heck - nothing can even run on your computer unless you tell PG it's ok to run. :)

    So far it seems only one attack can slip through on your computer, and that attack is probably the least likely to be used - no trojans to date have ever used it, so don't lose sleep over that just yet.

    Cheers,
    Wayne
     
  6. Night

    Night Guest

    PG's Close Message Handling feature prevents applications from the WM_CLOSE usage, yes? And so manually exiting out of an application's GUI by clicking on the application's icon in the title bar and selecting Close (or pressing ALT+F4) would be to no avail when using the PG Close Message Handling feature, yea? Using SendKeys to exit the application's GUI that way will simply fail because of that PG feature, yea? OK, and so if you try to exit the application's GUI using the mouse and clicking the window's X, this also will fail because of that PG feature, yea? The problem is there are applications with a button within the application's GUI to exit that isn't following in the steps of the common WM_CLOSE usage; that being the case, two PG alert windows appear with the Cancel button usage and of course the application GUI exits along with it.

    “* although these things are hard to debug when only a couple people experience the problem and we're unable to replicate it here.”

    It didn’t take any time for me to reproduce the anomaly and track it down upon installing it for myself. Perhaps you should hire me to reproduce user problems and track it down… ;P

    Regards,
    Phant0m``
     
  7. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    heh Phantom, finally someone who isn't afraid to show and see the light! :D

    Power to you man! Seems like a couple of people just grew!!!! :cool:

    Jazzie
     
  8. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Hi there :D

    Have been following this thread with interest and, for the record, have been unable to re-create the problem that Jazzie & Night have been reporting. However, and I don't know if this will help in any way, but I picked up on the point Night made "The problem there are applications with button within the applications GUI to exit isn't following in the steps of the common WM_CLOSE usage,....." and I went looking for such an application. Found that jv16 PowerTools v1.3.0.195 (freeware version before it went commercial under the Macecraft banner) seems to work in that way.

    I therefore ran the program (to set it up under Security) and then exited using an Exit button within the application GUI.....and it closed down correctly as expected. I then dutifully logged it under 'Protection' and ticked the Securely Handle Window Closure check box. I then tried to run it again but this time it did not even appear to load, ie, no GUI visible. I tried clicking several times on the relevant shortcut to launch but to no avail. I then checked the Alerts which recorded that jv16 power tools.exe was allowed to start....several times. Hum! o_O I then unchecked the Securely Handle Window Closure check box, clicked on the shortcut again and this time the GUI appeared.

    I don't have the relevant technical competence of most of the posters to this thread but IMHO there is definitely something not right with regard to "...applications with button within the applications GUI to exit ...".

    I will see if I can find another but I hope that in the mean time this helps.

    Apart from that specific case for me the Securely Handle Window Closure function seems to work very well!

    Best regards



    Baldrick :rolleyes:
     
  9. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Hey Baldrick

    The problem you experienced was due to the fact that the first instance still existed, and many programs are coded to verify upon execution that there isn't already another instance running, otherwise it just ends the procedure and exits, so we can't put the fault on PG. And of course, you actually didn't get far enough to reproduce that anomaly; however, I quickly coded up a little PG Demonstration executable and archived it into .Zip format along with the .icon file. This offers an Exit button within the GUI, and also offers Exit via a Systray menu when clicking on it, two known ways that allow one to reproduce the anomaly Jazzie reported.

    http://www.fluxgfx.com/looknstop/store/PG-Demonstration.zip size: 9,60KB
     

  10. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Hi Baldrick,
    Just in regards to this:
    I'm not very familiar with that particular program, but it doesn't sound like the sort of program that a hacker or malicious program would try to target on your system? :)

    It's usually system processes (explorer.exe, iexplore.exe etc) and security processes (firewalls, antivirus etc) that are targeted, so they're the processes you need to ensure are secured. For example, a trojan might terminate or try to modify your firewall so as to clear a path so that it can transmit data to the Internet without getting blocked by the firewall, so it's critically important that your firewall is secured from such attacks. There's not really any need to secure other software (non-system/non-security) from attacks because it's unlikely they'll ever be attacked - an attacker (be it a person or malicious program) can't really gain anything from it, nor has any need to do so.

    Best regards,
    Wayne
     
  11. Night

    Night Guest

    Yea but the whole idea is to reproduce the anomaly Jazzie is experiencing, and of course I assume his current software didn’t offer Exit button within the GUI to offer person the capability of reproducing the anomaly. ;)
     
  12. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    OK, this should be obvious to the coders, but I'll just make sure, WM_QUIT is where the problem exists with PG... Good Luck :D
     
  13. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Actually that isn't where the problem exists. The problem exists in the fact that any application can terminate itself anywhere it likes. WM_QUIT has nothing to do with the fact that an application can enter its cleanup routine prior to the WM_QUIT.

    For instance, imagine a silly application which terminates itself when the mouse moves over its window. Is ProcessGuard expected to be able to determine that the mouse move message, which is used correctly in most other applications, is used to terminate this application?

    Some applications, when the user clicks on the File -> Exit menu, call their own cleanup function then PostQuitMessage, without calling WM_CLOSE. The reason you get CMH windows with ProcessGuard is because it is detecting that windows are being closed, but since the application is in its cleanup routine there is nothing I can return to it to say "don't cleanup, the user doesn't really want to close the application".

    So the issue exists that for some applications you need to be able to intercept the message which causes the program to begin cleaning itself up so it can close. In your demonstration it would have to be that button click which would need to be intercepted. In a lot of other programs it would need to be the File -> Exit which gets intercepted.

    The only way to realistically handle these sorts of things is to either have a database for the applications which don't currently work correctly with CMH, or allow the user to specify in some manner which actions can close the program.
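
The mechanism Jason describes above, and the symptom Night described earlier in the thread, as an added illustration that is not part of any post here and not ProcessGuard's or DiamondCS's code: a small, self-contained C model of a Windows message pump. The WM_* values are the real Windows message numbers; the queue, the `guard_filter` stand-in for close-message handling, the `ID_EXIT` control id and the window procedure are all assumptions made for the example, not the Win32 API. It shows why a filter on WM_CLOSE stops what Alt+F4, the title-bar X or a SendKeys-driven close produce, but not an Exit button that runs the application's own cleanup and calls PostQuitMessage, and why WM_QUIT itself never reaches the window procedure.

```c
/* Added example: a model of a Win32 message pump, NOT the real Windows API
 * and NOT ProcessGuard code. The WM_* values are the real Windows message
 * numbers; the queue, pump, guard_filter and ID_EXIT are stand-ins. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define WM_DESTROY 0x0002u
#define WM_CLOSE   0x0010u
#define WM_QUIT    0x0012u
#define WM_COMMAND 0x0111u
#define ID_EXIT    1001u   /* hypothetical control id of the app's Exit button */

typedef struct { unsigned msg; unsigned wparam; } MSG;

enum { QUEUE_CAP = 16 };
static MSG queue[QUEUE_CAP];
static int qhead, qtail;

/* Instrumentation read back by the scenario functions below. */
static int cleanup_ran, wndproc_saw_quit, close_blocked;

static void post_message(unsigned msg, unsigned wparam) {
    if (qtail < QUEUE_CAP) { queue[qtail].msg = msg; queue[qtail].wparam = wparam; qtail++; }
}

/* Like GetMessage(): returns false when WM_QUIT is retrieved, so the loop
 * itself consumes WM_QUIT and it is never dispatched to the window procedure.
 * (The real call blocks on an empty queue; this model returns false instead.) */
static bool get_message(MSG *out) {
    if (qhead == qtail) return false;
    *out = queue[qhead++];
    return out->msg != WM_QUIT;
}

static void post_quit_message(void) { post_message(WM_QUIT, 0); }

/* Stand-in for "close message handling": drop WM_CLOSE aimed at a protected
 * window. Alt+F4, the title-bar X and a SendKeys-driven close all end up
 * as WM_CLOSE, so all of them are stopped here. */
static bool guard_filter(const MSG *m) {
    if (m->msg == WM_CLOSE) { close_blocked++; return false; }
    return true;
}

static void app_cleanup(void) { cleanup_ran = 1; }

/* The application's window procedure. */
static void wndproc(unsigned msg, unsigned wparam) {
    if (msg == WM_QUIT) wndproc_saw_quit = 1;   /* cannot happen, see get_message() */
    switch (msg) {
    case WM_CLOSE:   app_cleanup(); post_message(WM_DESTROY, 0); break; /* DestroyWindow() */
    case WM_DESTROY: post_quit_message(); break;
    case WM_COMMAND:                 /* Exit button / File->Exit: no WM_CLOSE involved */
        if (wparam == ID_EXIT) { app_cleanup(); post_quit_message(); }
        break;
    default: break;
    }
}

static void run_pump(bool guard_on) {
    MSG m;
    while (get_message(&m)) {
        if (guard_on && !guard_filter(&m)) continue;
        wndproc(m.msg, m.wparam);
    }
}

static void reset(void) {
    memset(queue, 0, sizeof queue);
    qhead = qtail = 0;
    cleanup_ran = wndproc_saw_quit = close_blocked = 0;
}

/* Scenario 1: something outside the app posts WM_CLOSE. Returns 1 if the app shut down. */
int scenario_external_close(bool guard_on) {
    reset();
    post_message(WM_CLOSE, 0);
    run_pump(guard_on);
    return cleanup_ran;
}

/* Scenario 2: the app's own Exit button is activated (by the user or by a
 * SendKeys script). The app runs its cleanup and calls PostQuitMessage
 * directly, so there is no WM_CLOSE for the filter to intercept. */
int scenario_exit_button(bool guard_on) {
    reset();
    post_message(WM_COMMAND, ID_EXIT);
    run_pump(guard_on);
    return cleanup_ran;
}

int wndproc_received_quit(void) { return wndproc_saw_quit; }
int wm_close_blocked_count(void) { return close_blocked; }

int main(void) {
    int closed = scenario_external_close(false);
    printf("external WM_CLOSE, no guard : closed=%d\n", closed);
    closed = scenario_external_close(true);
    printf("external WM_CLOSE, guard on : closed=%d blocked=%d\n", closed, wm_close_blocked_count());
    closed = scenario_exit_button(true);
    printf("Exit button,       guard on : closed=%d wndproc saw WM_QUIT=%d\n", closed, wndproc_received_quit());
    return 0;
}
```

Build with any C compiler and run. The guard stops the external WM_CLOSE but the Exit-button path still shuts the app down, and the window procedure never observes WM_QUIT, which is the point both Jason's post and the MSDN description of GetMessage make: the message to intercept is the button click or menu command that starts the cleanup, not WM_QUIT.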
     
  14. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Yea, I understand what you're saying, but I still have to say applications using WM_QUIT is where PG screws up at; it is only logic that this is where the problem begins. :D
     
  15. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Well since you are only beginning at programming I can see it is easy for you to make such mistakes. I suggest you look at MSDN and keep it bookmarked for future reference, read what it says on WM_QUIT. Also sending WM_QUIT to an application, or posting that message to an application does not close the application unless the application specifically has a handler for it. WM_QUIT never gets to the wndproc.

    It is your flawed logic which thinks it is where the problem begins.
     
  16. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    If the button for instance didn’t send WM_QUIT, instead it sends WM_Close PG wouldn’t freak, but since button for instance sends WM_QUIT PG freaks, it is only logic that is where it starts. ;)
     
  17. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    And by your information, I wouldn’t speculate that I’m only beginning to programme… :cool:
     
  18. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Yes well I am not here to teach you how to program Windows, so please stop posting mis-information regarding this matter. You can talk about what you think the problem is in another forum, where maybe you can find someone who knows even less about the issue and will believe you. :)
     
  19. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    This is the gratitude I get? Of all I've done and you have the nerve to try belittling me? You sure set a fine example for the rest of the DCS Team. This won't go without consequences, enjoy
     
  20. Why doesn't somebody take this idiot out and shoot him?
     
  21. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Didn't realise you were that bored. Settle down mate, go for a walk, clear your head and come back and let's discuss this in a civil manner. Thanks for taking the time to put that demo together, and seeing as you seem so worried by this attack vector you'll be happy to hear that Jason has already developed a countermeasure for it, even though it's a process-specific attack that doesn't apply to all programs. This is obviously brand new so it's not set in concrete yet, but he just set up PG so that he could hold down a particular key, and then the next thing he clicks on (such as a File | Exit menu or Exit button) would be defined as a termination method for that particular program. It's very easy for the user to do and it took Jason no time at all to implement; he's already tested it successfully against your demo, Internet Explorer and several other apps, but really you are trying to make mountains out of molehills with this - the attack has never been used before because 1) there are so many better attacks that can be used, 2) it's program specific, 3) it only works on some programs, 4) it's useless against drivers/services etc, just to name a few reasons, and PG3 already protects against every one of those attack vectors.

    Regards,
    Wayne

    PS. PG3 is currently only available to registered users, before we continue this discussion can you please private message me either your registered username or email.
     
  22. Night

    Night Guest

    Hey Wayne – DiamondCS!

    Finally someone a little more civilized. I don't even use PG, I can't afford it, and the Free version is just too limited. I knew Jazzie, who had registered, had been trying to get you guys for the longest time to check into this and fix it. I participated to assist not only because of Jazzie but to help you guys out, which helps the customers. But obviously anyone who tries on here gets a pack of wolves on their case; you guys sure have a reputation, but seeing for myself I can really say Jason is one loose cannon on the DCS team.
     
  23. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    He obviously didn't mean to offend so please don't be offended; he was just trying to set you straight in regards to WM_QUIT and exactly how it works, as you did give us the impression that you didn't have a full understanding of the Windows message system (and no, his implementation has nothing to do with WM_QUIT or WM_CLOSE). Jason is one of the leading experts in this field (don't take my word for it, Process Guard speaks for itself) - I certainly don't argue with him about these issues ;). So don't be offended, instead just take it as an opportunity to squeeze a bit of free info out of an expert, and hopefully now you can stop worrying about SendKeys-related attacks as Jason has already established and tested a working countermeasure for that (one hour ago you probably thought it was impossible ... :)).

    Cheers,
    Wayne
     
  24. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Most companies wouldn't have even responded. Where else can you actually have direct communication with the actual developers? Developers may not have the same time & patience for customer service as a dedicated tech support rep, but you know you're getting direct and credible answers.

    I've never understood how someone can put so much time and effort into finding, and bringing attention to, a product's flaws without spending any time at all organizing their thoughts and presenting a clear argument.
     
  25. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Wayne, it seems it took something like this to get the (hive) team to put something together (so fast!:) but this issue has existed since version 1. All I was trying to show was that this anomaly existed (still) and, just like Phantom and night say, you get beaten down for opening your mouth and for even trying to spread Vegemite on your bread and butter!!! Which I am not trying to do at all.. It just shows the atmosphere... So, bottom line is, it is more important to put sub-standard software out to gather as much money as you can, than to release a quality controlled product!! (That fully works) where everyone is the Guinea pig... And the end result is a piece of software that gives a false sense of security (if not fixed!).. Even if you felt it was irrelevant... It was nevertheless a feature that was in PG that should work.. So I am out a few bucks, big deal, I have spent that much on worse things!!!!! Was just trying to prove my point without kissing any *ss

    The Unsatisfied customer
     