Process Guard vs Zero Day bugs

Discussion in 'ProcessGuard' started by Rasheed187, Jul 6, 2005.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,749
    Location:
    The Netherlands
    Hi,

    I just wonder, is PG able to stop zero day bugs like in IE for example? At the moment I've configured IE in a way that it isn't allowed to terminate, modify, or read other protected applications. Itself is protected against modification; should I also protect it from "Reading"?

    Btw, I installed SSM and I liked the option to deny IE from loading other programs. That's not possible with PG. I also noticed some other options, see the pic. Does PG also offer this and will it protect IE in any way?
     

    Last edited: Jul 7, 2005
  2. James Taylor

    James Taylor Guest

     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,749
    Location:
    The Netherlands
    Yes my mistake (about the starting), I have edited my first post. And yes I use Maxthon but say IE to simplify things. ;)

    But what I'm trying to figure out is how to lock down IE as much as possible; it seems to me that an app like PG can help a lot.

    Let's say there is a highly critical zero day bug (remote system access risk). If a hacker tries to install malware on your system, then a good AV-AT-AS system will probably be able to prevent that.

    But what if a hacker will try to take over your machine and has access to your file system? Shouldn't PG be able to prevent that too, so that IE doesn't have the right to do that? o_O
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Rasheed,

    There are many approaches to what you are trying to accomplish in defending yourself against zero day bugs. Here is my approach:

    1) I do not use IE, I use Firefox.
    2) As you suggested, I use high detection rate anti-malware tools - in my case Kaspersky and Ewido.
    3) I use ProcessGuard to defend against dll injections, rootkit and keylogger installation, and installation of unauthorized services/drivers (real nasties all). These are some of the Zero Day bugs that you are referring to.
    4) I use WormGuard to defend against unauthorized scripts (there are other similar tools).
    5) For further defense, I use RegDefend to defend against unauthorized registry updates, since most malware try to update the registry in order to instantiate themselves in the operating system.
    6) For further protection, some members use a product called Prevx (there are free and licensed versions) to guard their file system (and registry). I do not use this product for several reasons and there are threads that discuss this.

    As you suggest, it would be nice to "close down" entry points into your machine that would protect against malware that somehow gets through your anti-malware tools. ProcessGuard closes some of these points but not all. Different forum members use different strategies. I think that if you investigate more, you will find the strategy that best fits your needs. I hope the description of my strategy helps you with some ideas.

    Rich
     
  5. James Taylor

    James Taylor Guest

    Why? It's called PROCESSguard not IEguard. :p
    IE is so dangerous, you need a specific app to guard it, not something as generic as Processguard.


    By default if you run as admin, all programs have the right to access any file.

    What you are looking for is a way to 'sandbox' IE, to run it in a restricted environment to limit the damage it can do.

    So you can either run as a non-admin, or use drop my rights http://msdn.microsoft.com/security/.../library/en-us/dncode/html/secure11152004.asp
    to run IE as a non-admin.

    That restricts the damage IE can do if it's somehow compromised since it can't affect system files for example though it can still do quite a bit of damage to the user account it's running on.

    This is one way of "sandboxing" IE.

    Or you could use a third party software to do it http://www.sandboxie.com/

    None of these methods are perfect, since there are exploits capable of privilege elevation, or the sandboxing program might not catch everything the sandboxed program does...
    E.g. the app above allows total READ access, it just accepts writes...

    This is getting way off topic, could a moderator move this out to another forum?
     
  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Even just disabling "3rd party browser plugins" in Advanced IE options is enough for IE ;)
    Free and easy, and works fine if you want to install some first

    Stopping processes running stops an attacker from doing much at all, especially without being detected :)
     
  7. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,


    As far as I know, ProcessGuard and System Safety Monitor are not a NIPS/NIDS (Network Intrusion Prevention/Detection System) and do not have the ability to prevent 0day attacks.

    SSM rules will not be very helpful against zero days: if the browser is launched by an unknown application, then it means that the intruder is in your host and in this case, it's often too late.
    Even by running IE legitimately with the explorer, it can be a communication vector for a stealth backdoor.

    But both PG and SSM have an MD5 integrity protection and can detect a major change in IE.

    There are specific paid and free solutions to protect IE; here are some free ones:

    -a specific integrity protection with AFICK (like Tripwire): http://afick.sourceforge.net/
    But when the change is detected is also often too late.

    -IE monitoring: there's some free tools which can monitor the browser behaviour (FileChecker in this javacool forum for instance).

    NB: SandBoxie will not protect against zero days but will just prevent some aggressive scripts and spyware during a surf (like SurfingGuard from Finjan).

    In any case, it's technically very hard to prevent all 0 days, perhaps impossible: even specialised products can be defeated by a 0 day attack:

    http://secunia.com/advisories/15961/

    For a short info about the subject, here's an article from EEYE:

    http://www.infosecurity-magazine.com/comment/050613_eeye.htm

    Against zero day attacks, prevention measures are more recommended than expensive over-protections:

    -as it was said, never run as an admin during a surf: Aaron Margosis explains how we can limit the impact of zero days by this manner:

    http://blogs.msdn.com/aaron_margosis/archive/2004/06/25/166039.aspx

    -stay aware of the latest Windows/browser (IE or Mozilla)/software vulnerabilities (http://secunia.com/advisories/ for instance).
    And then patch any of them.

    In all cases, zero day attacks/exploits are not common on home users systems.



    Regards
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,197
    I run IE and I only use medium security setting for the most part. I even have to run with admin privileges, as some of my mission critical software requires it. But with ProcessGuard, Regdefend, Prevx, and PopupCop, I never have had a problem. I have even explored a few so called high risk sites, with no problem. These programs have consistently caught attempts to play with IE.

    Pete
     
  9. James Taylor

    James Taylor Guest

    Not that these work either....

    A zero day attack doesn't always involve a "major change to IE"; in fact some of the most well known, involving buffer overflows or cross-site scripting attacks, wouldn't be detected.


    Given the unknown nature of zero day attacks and that zero day attacks can involve a wide range of vulnerabilities and exploits, it's a bit hasty I think to claim that only a certain measure (integrity tools for example) will help against zero days, while running IE in a restricted environment wouldn't.

    In the context of home users, some of the "very aggressive scripts" are in fact or could be the most likely source of zero day attacks. On servers this would not be so important I agree.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,197
    One other thing I do I forgot to mention. Like the other day I wanted to download some new jpg files for desktop wallpaper, and I do consider some of those sites high risk. Sooo.... I boot into my secondary snapshot (First Defense ISR of course), and have at all my surfing and downloading. Then when done, I thoroughly scan the jpg files, and if okay set them aside and reboot back to my primary snapshot. That way even if something infected me from one of the websites, it doesn't matter. The FD-ISR copy will get rid of them.

    Pete
     
  11. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    James Taylor: my English is not perfect, but your post means the same conclusion as my previous one: it's impossible to prevent all 0days, even with specialized products like NIPS/NIDS/HIPS which can themselves be victims of a zero day!

    Consequently, all mentioned solutions are not perfect: not running as an admin, hardening the host, Sandboxie (or web filtering), integrity checking, browser monitoring, web application attack countermeasures (http://www.imperva.com/application_defense_center/glossary/), NIPS and reverse proxy (web servers) and so on.

    Therefore, any solution publisher/vendor who claims to prevent unknown malware and attacks (then 0days) can only be considered as making pretentious arguments and untruthful advertising: there's no 100% security system.
    Even when we "shutdown" our computer, it's still vulnerable to Tempest during a few minutes...

    ProcessGuard prevents malware (from the basic trojan/keylogger to the stealth rootkit) and not attacks (and Diamondcs never claims anything else).

    And sure, as Peter2150, we can surf for years without being victims of a zero day attack.
    There's a difference between decent and logical security and paranoid security.

    regards
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,749
    Location:
    The Netherlands
    Well, I'm no expert, but from what I understand is that IE is in fact the "entrypoint" for a hacker, that means if you go to a malicious site and a hacker attacks IE (zero day bug), he will only have as much rights as IE has. That's why I'm already running in "non-admin" mode, because it will make it a lot harder to install malware this way.

    Let´s look at what the risk of a remote code execution vulnerability exactly is:

    "If a user is logged on with administrative privileges, an attacker who successfully exploited a vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges."

    But it seems logical to me that if you restrict IE even more (process launching, file access) there isn't a whole lot that a hacker can do, am I correct? :)
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,749
    Location:
    The Netherlands
    @ James Taylor

    About SandBoxIE, it looks like an interesting app, only problem is that it will cripple your normal browsing too much, and as said before I don't think it's the number one solution against zero day bugs. ;)

    @ Gavin

    I'm not sure what you meant, but isn't that a too simplistic approach? I'm not worried about BHOs etc. since Maxthon doesn't even support them (or at least you can turn them off). And with all these advanced anti malware tools (AV-AT-AS-IPS), I'm not that worried about other malware too.

    What I'm basically worried about (and maybe I'm missing the point) is that a hacker could view, change, or delete data, because even non admins can do this. Or can a hacker only do this by installing malware (trojans, RATs) first? o_O

    I mean how exactly can a hacker do all this stuff (remote code execution), I assume he will have to use some kind of tool, and have to be able to run stuff (executable files and scripts) on your system?
     
    Last edited: Jul 8, 2005
  14. James Taylor

    James Taylor Guest

    kareldjag

    Yes, your English is not perfect. The way I read your post, you were saying that integrity check tools and network-based intrusion detection tools were much better than sandboxing tools (which merely stop aggressive tools according to you) for detecting and stopping zero day attacks.

    In fact, you know and I know that all these tools are hardly perfect.

    And I don't appreciate being called paranoid.

    Every program you run has the same rights as IE except for network outbound access. Every network enabled program has the same rights as IE.

    So what? If you are so scared of using Maxthon, just drop it and be done with it.

    The point is a "zero day exploit" is something 'magical'; by definition it allows you to break the rules. So even with all these tools, it's still possible for a zero day exploit, or a combination of them, to hurt you.

    You want to use IE, you take the risk. Even if you ask these questions in a million security forums, no one can teach you a method to gain 100% assurance against zero day exploits.

    But yes, if you restrict the files IE can access, restrict the processes it can spawn, and carry out integrity checks to ensure IE and its related dlls aren't compromised, then you should be fairly safe.

    kareldjag will tell you about NIDS but most of them are meant for servers.
     
  15. James Taylor

    James Taylor Guest

    Sure and, a skilled hacker can read your mind by snapping his fingers. LOL.


    Without getting into details, essentially correct. How else would an attacker hurt you, by sheer willpower? Either he has managed to modify/compromise an existing process on your computer, or he managed to "inject" one of his own.

    In the context of getting "hacked" by visiting web pages, if you turn off all the active content (Scripts, Java, ActiveX), it gets harder to damage you.

    Of course, even then you can be hurt by other ways, such as flaws in the Trident rendering engine... But this is much rarer.

    That is where your other safeguards come into play: integrity checking tools, restricting IE's access to files, preventing it from spawning other processes, restricting its ability to modify processes in memory, hooks etc.

    But the magical genius hacker who is out to get Rasheed, would probably research and come up with zero day attacks that could overcome these methods too, so you are dead anyway :)
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,749
    Location:
    The Netherlands
    First of all, I'm not scared to surf the web with IE; if I was I would have already switched to Opera or Mozilla. I'm just trying to figure out how to make IE as safe as possible. I already run it in non admin mode, have closed the known attack vectors (with tools like Samurai, Secure-It) and use anti malware tools (AV-AT-AS-IPS and firewall). I'm also aware of the fact that zero day exploits are not that common.

    And I know that PG already is a powerful tool against malware with its ability to block services/drivers, global hooks, process modification/termination etc., but I think it should also be able to restrict process spawning and file access. However, I don't know if it will make PG more difficult to use/configure; I'm hearing a lot of bad stuff about Tiny Firewall which in fact is a full blown IPS.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,749
    Location:
    The Netherlands
    About zero day bugs, I understand that they might still hurt you even with anti malware tools installed, because 100% security doesn't exist. However, as said before, it will be a lot harder for a hacker to do any damage if faced with all kinds of restrictions on a system.

    And about my (perhaps silly) question, I understand that if a RAT is installed, hackers are in control, but if I read the security bulletins, they in fact imply that a hacker can take control by just hacking IE. So without even installing RATs he can perform certain actions (remotely) via IE's process. I'm clearly no hacker, so I have a bit of difficulty visualizing this.
     
  18. Processguard

    Processguard Guest

    Well , it seems to me that every post you make is about IE this, IE that, sure sounds scared to me.

    PG cares only about processes starting, while something like Tiny allows you to restrict processes access to files and folders, that is a much higher level of complexity.

    Also PG doesn't keep track of dlls so that's yet another level of complexity removed.

    Even so, a lot of people find this white listing of processes confusing.

    You clearly are confused, an exploit generally allows the hacker to run any piece of code they want , and it's generally assumed that once this is done you are finished.

    Running as a non-admin minimises the damage, because at best the attacker will gain the same level of privileges as you, unless he applies another elevation of privilege exploit.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,749
    Location:
    The Netherlands
    Well I might sound scared, but then why haven't I switched to another browser yet? Because I don't think the chance of being hacked via IE is big enough. But I obviously care about security.

    About my request, if it will make PG too complex to use or configure (and if it's hard to program), maybe it's not such a good idea. But I just thought that it would be a nice addition to PG.

    And yes it's a bit confusing, I never really understood the whole concept of remote code execution. This is the way I saw it:

    Most of the time, hackers will just try to install malware on your system via (known or unknown) holes. But anti malware should be able to stop malware from installing (or prevent changes to your system), so in fact they can protect against zero day exploits.

    But that's not the case according to you, so you can't do anything against zero day exploits? I wonder why tools like Prevx claim that they actually can protect you against them then. o_O
     
  20. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Rasheed,

    In a very affirmative way, behavioral monitors such as ProcessGuard, RegDefend, Prevx, Safe N' Secure, all help to defend against zero day exploits since they are attempting to prevent malicious software from accessing operating system resources, and instantiating themselves as an "infection". A malicious program that cannot complete its intended work (e.g. install its files, drivers, services, registry updates; access protected memory; update or terminate other programs, etc.) can not infect your system (at least not in the way the malicious program intended). So I am entirely in your camp.

    The reason IE is a target is because malicious programs usually need some "target" program that they know will exist on a target computer in order to "jump start" their own code. IE is a nice place for malicious programs to begin because it is so ubiquitous, so vulnerable and has so many nice and powerful features that can be exploited by malicious programs (e.g. ActiveX). Changing to a different browser removes this nice launch pad for malware.

    Rich
     
  21. James Taylor

    James Taylor Guest

    You know yourself best anyway. But clearly you love Maxthon too much to switch, and yet you 'care about security' (but not enough to switch).

    First thing, you seem to think that exploits exist only for IE, but not for security software. Take Prevx, one of its functions is to detect modifications of sys files in c:\windows\sys32.

    However did you know that by using symbolic links you can bypass this protection? Not to mention other methods?

    Second thing, Prevx and other security software try to prevent zero day exploits in IE by observing the behaviour of worms and exploits.

    E.g. a lot of exploits in the past were able to automatically download and then execute all by themselves. What technical flaw it uses doesn't matter. When such a thing happens, it will generally run in the temp internet folders. This is a very common class of exploits; each exploit achieves this via a different method, but the end result is the same.

    Prevx tries to prevent this class of exploits by warning you when a file runs from the temp folders. It doesn't matter what technical method it uses as long as it runs from the temp folders.

    In that sense , Prevx protects you from "zero day exploits" that do this. But you are very naive if you think this is the only way zero day exploits can work.

    However, if someone was out to get you, and knew that you used Prevx, he would clearly work out an exploit that worked differently, or one that exploited prevx's vulnerabilities (see above).

    That is why there is no 100% protection from zero day exploits.

    Reading secunia to bash other browsers besides IE is fine, but it's much better to understand what is going on.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,749
    Location:
    The Netherlands
    @ richrf

    Yes, I mean that's what proactive defense is all about: if you monitor a lot of important stuff (Process, Service/Driver, Global Hook, Physical RAM, File System, Registry, LSP) and use an executable/script file sandbox (I've disabled Windows Script Host), it's a lot harder for a hacker to do any damage, zero day bug or not.

    Also, if you run in non-admin mode and have locked down IE/Windows (Samurai/Secure-It/Safe XP + Popup-Script-ActiveX-Java blocker) I don't think the threat is that big. In addition, if I'm correct, anti malware tools are also capable of catching malware that tries to install via the web, through zero day bugs or not.
     
    Last edited: Jul 12, 2005
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,749
    Location:
    The Netherlands
    @ James Taylor,

    I think the conclusion is that there is no 100% protection against zero day exploits, but that doesn't mean that IPS systems can't stop them at all. I mean an exploit will let attackers run arbitrary code, but if the attacked application isn't allowed to do a whole lot on your system, that must surely decrease the chance of a successful hack attempt.
     
    Last edited: Jul 12, 2005
  24. James Taylor

    James Taylor Guest

    Who are you trying to convince? Yourself?

    All this would sound a lot more convincing if you didn't keep asking for apps to secure IE in every other post :p
     
  25. Jame Taylor

    Jame Taylor Guest

    LOL. If any system can "stop them all", it sure sounds like 100% protection. Care to clarify again?
     