ProcessGuard v3.xxx Suggestions / Wishlist

Discussion in 'ProcessGuard' started by Jason_DiamondCS, Nov 3, 2004.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Gottadit

    While I agree a lot of folks don't want to be security experts, unfortunately, just as you can't drive a car without learning some basics I am afraid you also have to do that with PC security.

    I certainly wouldn't recommend everyone reformat and reinstall. If someone has been running a firewall, av/at and spyware protection, then if they do new scans and show clean, I'd say they have a high probability of being clean. On the other hand if they have no firewall, no security software, then they have work to do before installing ProcessGuard.

    Lastly the idea of DCS maintaining a database of checksums, and having a utility to certify your machine clean. I would surmise this is very very unlikely. First of all you can buy machines from different manufacturers and get slightly different flavors of Windows. Plus you would have to not only monitor Windows but everything on all machines. Some things, I fear, people just have to take responsibility for doing themselves.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Devinco

    I think having ProcessGuard monitor the registry is redundant. Stop and think about it. You install PG on a machine you feel sure is clean. You trust everything on your computer, and are comfortable with everything your trusted software does. You now have PG configured. Your only concern in something modifying the registry would be an unknown program doing something you don't want. With all PG protections in place how could the program begin to do that?

    Pete
     
  3. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I am against PG monitoring the registry; it is not the purpose of it. DiamondCS has Reg Prot for that which is freeware and works great.
     
  4. Wisher

    Wisher Guest

    Knowing your computer is 100% clean of any malicious software is rare. The only case I can think of is when you've started with a fresh system and remembered never to connect to the internet and never give anyone but yourself access to the system (assuming that you even trust yourself).

    For most people, having all of DiamondCS's utilities is probably the safest you can get to perfect.

    However, I feel others who may not have the perfect security solution, should know that Learning Mode can be dangerous in cases where they have hidden trojans, etc. This is why I feel the Learning mode should either be changed or another mode created in order to control what privileges a randomly starting program (that can potentially be harmful) has.

    I forgot what mode ProcessGuard starts out with, but if learning mode is on by default, that is also a concern. Maybe it should be off...

    I also had another less important feature wish I forgot to mention.

    I understand ProcessGuard was intended to protect a computer from viruses/trojans but what about malicious people?

    ProcessGuard's Secure Message Handling system won't protect against an average Joe user wishing to shut down vital security processes (assuming that this vital process didn't have a password protection feature). So why not add an additional process-password protection feature? It would be nice if it could store different passwords for different processes.

    I just wish ProcessGuard could protect process from more ends, that's all.
     
  5. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I would like to say that the DCS Team has done a great job so far, but there is always room for improvements.

    In an attempt to group this messy thread together somewhat, I created a brief summary of the requests made so far:

    1. Learning mode off by default
    2. Learning mode to apply to everything
    3. Import and export of the Protection & Security lists/Save My Settings
    4. Simple way to import exclusion lists
    5. Install Mode
    6. Importable multiple profiles
    7. "explicit control of the different types of global hooks, including the "low level" ones"
    8. "ability to allow execution based on parent process name and flags (and child process flags as well)"
    9. "flexible logging - text file logs are so 1990's : eventlog & off host logging (snmp traps, syslog, http method etc)"
    10. "allow log file to be moved to arbitrary directory"
    11. "have an option to stop programs reading from windows that they don't own (ie: screen scraping)"
    12. Ability to not use a skin
    13. Safe area
    14. Automatic updates
    15. ability to delete all "Permit Once"/"Deny Once" entries in the Protection list or not even log them
    16. more control over the information displayed in Alerts
    17. "ability to launch anti-virus/anti-trojan scanners to check any file reported as modified by Execution Protection"
    18. option to exclude child windows for a protected application from Secure Message Handling
    19. ability to allow permitted users, not just Administrator
    20. Shut down protection
    21. dialog box where user can specify security privileges per application while in learning mode (User/Confirmation Mode)
    22. Customizable registry monitor
    23. Baseline of Windows updates

    Hope I did not miss any.

    It would be nice if someone from the DiamondCS team could update us on the current status of these requests every now and then and provide details on why not/when.

    I numbered the requests for easy reference.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Saw a quote on another forum that pretty much covers what you are asking for here. It went along the lines that all the security software put together gives you about 1% protection. The other 99% lies between the ears.

    Now that may be an extreme, but if you leave your computer, and security is a problem, then somehow it should be secured. It doesn't make sense to me to bloat up a program to try and prevent some things from being run, when if someone can get to your computer, that really is a marginal solution.
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    One thing I would like to see is for PG to have a (small) database of the locations of critical system files.. so if an alert for C:\Windows\svchost.exe comes up, it would alert the user that 'this is probably not the Windows system file and is suspicious', advising the user to deny that process and do some scanning. I think this is something that would be especially valuable for slightly less savvy users, but also advanced users during dumb moments :)
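As an added illustration of the check Notok describes (example code written for this page, not ProcessGuard's or DiamondCS's): a small table of where a few well-known Windows system binaries are expected to run from, and a function that classifies a process image path against it. The table contents are assumptions for the example; a real deployment would build them from a known-good install. Paths are normalised and compared case-insensitively, so C:\WINDOWS\system32\SVCHOST.EXE is accepted while C:\Windows\svchost.exe is flagged as suspicious.

```python
import ntpath

# Constructed lookup for the example: well-known Windows system binaries and
# the directories they are expected to run from. Not a ProcessGuard database;
# a real one would be generated from a clean install of the exact OS version.
EXPECTED_LOCATIONS = {
    "svchost.exe":  [r"C:\Windows\System32"],
    "lsass.exe":    [r"C:\Windows\System32"],
    "csrss.exe":    [r"C:\Windows\System32"],
    "winlogon.exe": [r"C:\Windows\System32"],
    "explorer.exe": [r"C:\Windows"],
}


def _norm(path):
    """Normalise a Windows path for comparison: strip quotes and whitespace,
    unify separators, collapse '..' segments, lower-case (NTFS is
    case-insensitive, so c:\\WINDOWS and C:\\Windows are the same directory)."""
    path = path.strip().strip('"').replace("/", "\\").rstrip("\\")
    return ntpath.normpath(path).lower()


def check_image_path(image_path):
    """Classify the image path of a process that triggered an alert.

    Returns:
      "known"      - name is in the table and the file runs from an expected directory
      "suspicious" - name is in the table but the file runs from somewhere else
                     (the classic 'svchost.exe outside System32' case)
      "unknown"    - name is not in the table, so no opinion either way
    """
    directory, name = ntpath.split(_norm(image_path))
    expected = EXPECTED_LOCATIONS.get(name)
    if expected is None:
        return "unknown"
    if directory in {_norm(d) for d in expected}:
        return "known"
    return "suspicious"


def alert_text(image_path):
    """Wording a GUI could attach to an execution alert for the given path."""
    verdict = check_image_path(image_path)
    if verdict == "suspicious":
        return (f"{image_path}: this is probably NOT the Windows system file "
                f"(expected in {', '.join(EXPECTED_LOCATIONS[ntpath.basename(_norm(image_path))])}). "
                f"Deny it and scan the machine.")
    return f"{image_path}: {verdict}"


if __name__ == "__main__":
    for p in (r"C:\Windows\svchost.exe",
              r"C:\WINDOWS\system32\SVCHOST.EXE",
              r"C:\Program Files\SomeApp\app.exe"):
        print(alert_text(p))
```

The check is deliberately narrow: it only speaks up when a file name it knows about runs from the wrong place, and says nothing about unknown names, so it adds no noise to the usual execution prompts.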
     
  8. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Pete,

    I did think about it. While registry protection is not as critical as the process protection PG provides, it is still useful to protect the registry from unwanted modification. For example, people using IE (a trusted app) could end up running an activeX component (or other active content) that could modify the registry. PG would not stop this from happening. Things like the drive by downloads should not be allowed to modify the registry. Sure you can harden the browser or use an alternative, but some form of registry monitor/protection would be good, IMO.

    Whether a separate registry guard or integrated into a PG pro version, I (and many others here at Wilders) would be very interested in registry protection (just look at the Registry Monitor Comparison Thread). It is a perceived need in the market (as well as having practical application) and that need can be filled by DCS or by other companies.

    Reg Prot while nice (and free) is not sufficient. It does not allow for customizable keys and is therefore limited in its scope of protection. It also does not provide adequate info about the reg change either. I stopped using it a while ago.
     
  9. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    One thing I have become acutely aware of is how non-integrated products can step on each other, creating system instabilities that are extremely difficult to recover from. This I think may be particularly so with "registry monitors" that may be conflicting with each other and the algorithms that they utilize. For me, a single, integrated process may be more secure and also more stable.

    For example, last week I had Prevx running alongside PG 3.0. I am not sure how or why, but my registry got completely corrupted causing instability in my system and many programs - including ZoneAlarm Pro. This problem underscored, for me, an issue that I was very sensitive to when I used to work on mainframe computers and PC networks in large corporations: the issue of cross-software testing. Many products available for PC security are released in a relatively untested fashion (KAV 5.0 comes to mind) and any inherent problems are further exacerbated by two such pieces of software. It is a difficult problem to resolve.

    So after completely restoring XP, I have reloaded a minimal set of security products which include ZA Pro, KAV 4.5.104, and BOClean. Three programs which have been around a long time and are fairly stable. The other security programs - including any registry monitor - will be benched for the time being. I will run them on demand when I need them - e.g. TDS-3, Giant, Ewido - but given the fact that I was losing my system more often because of "trusted" programs than to viruses or trojans, I have decided to step back and become even more conservative in my surfing behavior, allowing me to become more conservative in the security software that I feel I need to deploy. Once I get an image copy procedure in place, I may feel a bit more comfortable extending myself again.


    Rich
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Devinco

    I see what you are saying, but still I think it's better to let ProcessGuard guard processes, and deal with the other threats differently. Quite by accident, when I added PopUpCop to IE, I discovered I had also added excellent ActiveX and drive-by download protection.

    Richrf's comments about many different apps stepping on each other can be quite valid. But some of the new security suites have the same problem when they try to do it all in one program.
     
  11. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    It would be nice if PG would apply settings to system files automatically (like in v2), then hide them from the list, with a check box to toggle hiding (like add/remove programs in XP SP2.) I think this would make it easier for the user to just focus on the security of their chosen apps.
     
  12. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Rolling along in the list of improvements...

    Firstly a question on how the application change check is implemented: is it just a checksum on the binary being executed, or does it also include checks on any DLLs that the process loads?

    The enhancement request :

    Increased information should be available when a changed application is executed. The "Extra Information" displayed at the moment is somewhat bare when it comes to making a decision. Company Name and File Size isn't really enough to make a decision.

    It would be good to be able to click on something to get a "verbose" comparison of the properties both before and after. This would require PG to save the properties...

    And if DLLs are also being compared (which I hope is true) then they would also need their property information stored.
     
  13. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    They're not. - Another one for the wishlist, but there will have to be a clever way of avoiding high resource loads and an even more clever learning mode to register all the legitimate dlls in the first place....
     
  14. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Peter,
    Maybe I didn't express myself eloquently enough in my post...

    The idea being expressed was to allow the DCS software checksums to be used in a different way to what has already been provided by the DCS PG3 developer(s). It would be a useful tool for people that are willing to invest time in obtaining and using the checksums (and potentially sharing the results with others).

    The suggestion was not made that DCS would provide and/or maintain a database of checksums. I also think that would be highly unlikely to happen and think that it is unreasonable to ask of DCS given the variations in non-core components.

    In my post I suggested that it was possible that people would use this feature when interacting on the forums

    For people that use Windows Update and keep their machine up to date with the latest MS patches the "core" windows components are limited to Win 2000, XP and 2003. 3 sets of checksum data isn't really a huge set of variations.
    Its a pity that there isn't something like http://www.knowngoods.org/ for Windows (if anyone else knows of something feel free to speak up...)

    As luck would have it whilst looking around I found something that looks like it does something along the lines of what I am asking for and is open source (a nice bonus) although no GUI yet so its not likely to have a big Windows installed base
    http://osiris.shmoo.com/index.html
    It didn't take much effort to setup and I guess I will see how useful it is over the coming weeks

    The main reason to have the checksum functionality included with PG3 and/or TDS-4 is to make it easier to support people (including self-support).

    By just considering checksums for programs in the protection list it is eliminating a lot of potential noise; even using those in the security list wouldn't add too much noise (if the run-once executables could be excluded, seeing as at least some of these are likely to be temp files from installs, unless you are like Jason and carefully go through and prune it by hand...)

    Once PG3 is installed and running, there is a self-maintaining list of executables to check; there is no need to perform any special actions to keep the list up to date, and that is a good way to minimise the information collected and checked to things that are significant.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I believe it is just a checksum comparison. The information that PG shows now is what is available in the exe file itself. Just curious as to where you think PG (or DCS) would get this verbose information on how many different exe files there are out in the world. Do you have any idea what it would take to store all this?

    This is where the computer between the ears comes in. I upgraded my zone alarm last night. Therefore no surprise that PG would show that the exe's have changed and I simply allowed them. Don't need anymore info. On the other hand if I make no changes I am aware of and something pops up as changed, then I as the user need to investigate. To expect PG to give you a detailed explanation of why there was a change is just not realistic.

    There is another piece of software, Abtrusion Protector, whose sole function is the same as PG's execution protection. One difference is it does also check DLLs and other forms of binary executables. BUT... it is a much larger program, takes more resources as there is constant activity as parts of the program communicate with each other, it takes an hour to install as it has to catalog all the files, and in the end does nothing more than PG does. It simply tells you something changed. No more detail than you get from PG.
     
  16. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,108
    Couple of minor points:

    1) It's not possible to create a QuickLaunch icon for PG during installation. TDS has this option.

    2) The Security List does not automatically refresh (i.e. you have to switch tabs before it is updated, which is not ideal).
     
  17. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Peter,
    I was referring to the information that you see by doing a "properties" on a file
    Nothing overly complex or non-local to the machine that PG is running on...
     
  18. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Sigh, after poking around a bit more I found that I am basically asking for PG to have the program control features of SSM.
    Have a read here in a registry monitor comparison thread (of all things)

    For anyone interested that doesn't already know about it System Safety Monitor (homepage)
    It's been mentioned in this forum before (by Pilli I think) and elsewhere on Wilders; it's an alternative on Win 95/98/ME machines where PG3 won't run.
    Downloadable from Zeroplus2 freeware site or Freeware4u site

    One thing that would make me less inclined to use SSM is that it is still in Beta and doesn't have the support that PG3 does.

    DCS do a good job with their support and responsiveness from everything that I have seen, not to mention the excellent support (and commentary) from everyone else on this forum.
     
  19. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    This was an issue with Outpost which has a Component Control feature that does check DLLs. To reduce the performance overhead, only the DLL headers, filesize and export data are checksummed so maybe this could be a useful halfway point? (see the Outpost forum MD5 Checksum Security Problem thread for more on this).
     
  20. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    yes, something like that could be a reasonable approach. I've not yet thought that much about it. One other point to consider, apart from the performance overhead, would be IMHO that there will be plenty of difficulties and complexities in getting a baseline in the first place. That's why I was wondering if it would take a(nother) learning mode to register all those dlls and simply assume they're all legit.

    Looking forward to how the saga continues...
    Andreas

    PS. :cool: Maybe there are plans in the works to have an on-access memory module scanner in tds-4 which would help somewhat. Or something along those lines. And which would be a reason for DCS not pursuing this in the PG context. But I really don't know, and actually don't want to raise a discussion about tds-4. :rolleyes:
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That is exactly what Abtrusion Protector did on install. It assumed all exe, dll, and other binary executable files were okay. It then went ahead and did an SHA checksum. On my system it took about 45 minutes to do the install.
     
  22. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Process Guard should show Process IDs

    Hi I had a problem yesterday with a process which Port Explorer picked up on which had no File name and when I set to show file path, had no file path either. It caused me a bit of panic, but all seems OK now.

    Port Explorer was only able to give me the Process ID and port numbers being used etc. However on looking into Process Guard (and Zone Alarm Security Suite) I could find no information about process IDs, or any way of relating this info to programs or files, or any entry in the help file. So I was left blind.

    :cool: It would be nice if Process Guard (and Zone Alarm) gave me the info about process IDs for programs. :cool:

    In this case it would have been most useful on the protection tab as the anonymous process was being protected by Process Guard and I merely wanted to check out if it should be protected or perhaps blocked! It would probably also be useful on the Security tab too

    I'm afraid I don't know enough to know if the Process ID stays the same on different sessions? But even if difficult to achieve it would still be very useful and enable more information/control over wayward (and badly programmed?) applications!

    Process Guard is Great:- but things can always get better! :D

    Regards Jo M
     
    Last edited: Nov 10, 2004
  23. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Re: Process Guard should show Process IDs

    Hi Jo M,

    Unfortunately the PIDs are assigned by the OS whenever a new process starts, so, while there is a certain order there (processes that start later have higher PIDs), there's still no way to predict a PID for a given process or vice-versa.

    You can see the PID of a process that triggered an event (attempted to install a global hook, to terminate another process, start another process etc) in PG's textfile logs (click "View Logfiles" in the Alerts Tab):

    Code:
    Wed 03 - 11:09:45 [DRIVER/SERVICE] c:\programme\tools\sysinternals\procexp.exe [860] Tried to install a driver/service named PROCEXP
    Wed 03 - 11:10:19 [EXECUTION] "c:\programme\tools\xpt\2004\memview.exe" was allowed to run
                      [EXECUTION] Started by "c:\programme\tools\shell\blackbox\blackbox.exe" [284]
                      [EXECUTION] Commandline - [ "c:\programme\tools\xpt\2004\memview.exe"   ]
    
    But I agree that there is room for improvement - the PIDs of the processes that are starting could be logged (and not only their "parents"), and those PIDs could make an appearance in the "alerts tab" directly (and not only in the logfiles). (Unfortunately it doesn't make any sense to have PIDs in the protection or security lists.)

    HTHH,
    Andreas
     
    Last edited: Nov 10, 2004
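As an added example of working with the log format Andreas quotes (written for this page; it is not ProcessGuard's own code, and the only format knowledge it uses is the three-line excerpt above): a small parser that turns the text log into event records, attaches the indented continuation lines to the event they belong to, and builds a PID-to-image index. The assumption that any "was ... to run" verdict other than "allowed" follows the same shape is mine, as is the treatment of unrecognised lines. Note what the index cannot contain: the started child (memview.exe) has no PID in the log, only its parent does, which is exactly the gap the post points out.

```python
import re

# Constructed sample: the three log lines quoted in the post above.
SAMPLE_LOG = r"""
Wed 03 - 11:09:45 [DRIVER/SERVICE] c:\programme\tools\sysinternals\procexp.exe [860] Tried to install a driver/service named PROCEXP
Wed 03 - 11:10:19 [EXECUTION] "c:\programme\tools\xpt\2004\memview.exe" was allowed to run
                  [EXECUTION] Started by "c:\programme\tools\shell\blackbox\blackbox.exe" [284]
                  [EXECUTION] Commandline - [ "c:\programme\tools\xpt\2004\memview.exe"   ]
"""

# A new event starts with a timestamp; continuation lines are indented and repeat the tag.
HEADER_RE = re.compile(r'^(?P<ts>\w{3} \d{2} - \d{2}:\d{2}:\d{2}) \[(?P<cat>[^\]]+)\] (?P<rest>.*)$')
CONT_RE   = re.compile(r'^\s+\[(?P<cat>[^\]]+)\] (?P<rest>.*)$')
# Payload shapes seen in the excerpt. The actor path is matched non-greedily up to
# the "[pid]" token so paths containing spaces still parse.
ACTOR_RE  = re.compile(r'^(?P<path>.+?) \[(?P<pid>\d+)\] (?P<action>.*)$')
EXEC_RE   = re.compile(r'^"(?P<path>[^"]+)" was (?P<verdict>\w+) to run$')  # verdict other than "allowed" is assumed
PARENT_RE = re.compile(r'^Started by "(?P<path>[^"]+)" \[(?P<pid>\d+)\]$')
CMD_RE    = re.compile(r'^Commandline - \[\s*(?P<cmd>.*?)\s*\]$')


def _apply(ev, rest):
    """Fill in one payload line of an event; unknown shapes are kept, not dropped."""
    m = PARENT_RE.match(rest)
    if m:
        ev["parent"], ev["parent_pid"] = m["path"], int(m["pid"])
        return
    m = CMD_RE.match(rest)
    if m:
        ev["commandline"] = m["cmd"]
        return
    m = EXEC_RE.match(rest)
    if m:
        ev["process"], ev["verdict"] = m["path"], m["verdict"]
        return
    m = ACTOR_RE.match(rest)
    if m:
        ev["process"], ev["pid"], ev["action"] = m["path"], int(m["pid"]), m["action"]
        return
    ev.setdefault("unparsed", []).append(rest)


def parse_pg_log(text):
    """Parse ProcessGuard text-log lines into a list of event dicts.

    'pid' is the PID of the process that performed the action (None when the
    log did not record one, as for a started child); 'parent_pid' is the PID
    of the parent named in a 'Started by' line.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            ev = {"time": m["ts"], "category": m["cat"], "process": None, "pid": None,
                  "verdict": None, "action": None, "parent": None, "parent_pid": None,
                  "commandline": None}
            _apply(ev, m["rest"])
            events.append(ev)
        else:
            m = CONT_RE.match(line)
            if m and events:
                _apply(events[-1], m["rest"])
            # any other line is noise for this parser and is skipped
    return events


def pid_index(events):
    """Map every PID the log mentions to the image path it belonged to at the time.
    Only actors and parents carry PIDs in this format; a started child does not,
    so it never appears here."""
    index = {}
    for ev in events:
        if ev["pid"] is not None:
            index[ev["pid"]] = ev["process"]
        if ev["parent_pid"] is not None:
            index[ev["parent_pid"]] = ev["parent"]
    return index


if __name__ == "__main__":
    for ev in parse_pg_log(SAMPLE_LOG):
        print(ev["time"], ev["category"], ev["process"], "pid=", ev["pid"], "parent_pid=", ev["parent_pid"])
    print(pid_index(parse_pg_log(SAMPLE_LOG)))
```

Because PIDs are reused after a process exits, the index is only meaningful for a single session; resolve a PID against the log entry closest in time to the event you are investigating rather than against the whole file.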
  24. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    The whole problem of having a "baseline" is one that simply cannot be solved without significant effort being expended on an ongoing basis (which normally implies costs..) and more importantly that you *trust* a single source to not be compromised and be able to keep its information up to date

    If people are interested in finding out whether a particular DLL or set of DLLs are compromised and they are running PG then it could become easy for someone to ask and provide some context [O/S ver + patches] and md5 hashes for the exe's and DLLs concerned (sounds a bit like providing some HiJackThis output...)

    The number of kind people on the forum would probably have a look (if they had equivalent O/S installs) and help out. After a while a forum search would probably provide the hash that people were looking for without having to make a post. Once several trustable people have provided the same hash value it becomes more likely that it is probably clean (or that they are all infected...)

    It all works by consensus and trust and costs nothing as long as a handful of people participate every now and then. It does assume that posts on this forum are not compromised so that the posted md5 checksums could be altered. Even that would be self-correcting to some degree because the next person to check would think that they were trojaned and several people would check again...

    My 2c

    [Edit: ZoneAlarmPro also has in its Program Options an "Authenticate components" for detecting changed dll's, so its not just Outpost that does it]
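The checksum discussion in this thread (gottadoit's request to store file properties before and after a change, Paranoid2000's note that Outpost hashes only DLL headers, size and export data, and the idea of posting hashes for others to compare) is easy to make concrete. The following is an added example written for this page, not code from ProcessGuard, Osiris, Outpost or DiamondCS. It snapshots a list of executables and DLLs with a whole-file SHA-256 plus the cheaper properties (size, modification time, and a digest of the first 4096 bytes, which is my crude stand-in for "headers only"; a real tool would parse the PE layout), and on comparison reports which of the checks actually noticed a change. The constructed demo patches a file past its header while keeping size and timestamp unchanged, which is the case the cheap checks miss and the full digest catches.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

HEADER_BYTES = 4096  # stand-in for "PE headers only"; a real tool would parse the PE


@dataclass(frozen=True)
class FileRecord:
    path: str
    size: int
    mtime: int
    sha256: str         # whole-file digest
    header_sha256: str  # digest of the first HEADER_BYTES only (cheap but incomplete)


def record(path):
    """Snapshot one file: the properties you would want to show before/after."""
    with open(path, "rb") as f:
        data = f.read()
    st = os.stat(path)
    return FileRecord(path=path, size=st.st_size, mtime=int(st.st_mtime),
                      sha256=hashlib.sha256(data).hexdigest(),
                      header_sha256=hashlib.sha256(data[:HEADER_BYTES]).hexdigest())


def snapshot(paths):
    """Baseline: one record per executable or DLL you care about (e.g. the files
    in PG's protection list), keyed by path. Missing files are skipped."""
    return {p: record(p) for p in paths if os.path.isfile(p)}


def compare(baseline, current):
    """List every baselined file whose whole-file digest changed (or that vanished),
    with the before/after records and which cheaper checks would also have fired."""
    changes = []
    for path, before in baseline.items():
        after = current.get(path)
        if after is None:
            changes.append({"path": path, "before": before, "after": None, "seen_by": None})
        elif after.sha256 != before.sha256:
            changes.append({"path": path, "before": before, "after": after, "seen_by": {
                "full": True,
                "header": after.header_sha256 != before.header_sha256,
                "size": after.size != before.size,
                "mtime": after.mtime != before.mtime,
            }})
    return changes


def demo():
    """Constructed scenario: baseline two fake binaries, then overwrite 16 bytes
    deep inside app.exe and restore its timestamp. Size, mtime and header digest
    all stay the same; only the whole-file digest changes."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "app.exe")
        dll = os.path.join(d, "helper.dll")
        with open(exe, "wb") as f:
            f.write(b"MZ" + b"\x00" * 8190)   # 8192 bytes of constructed 'binary'
        with open(dll, "wb") as f:
            f.write(b"MZ" + b"\x01" * 4094)   # 4096 bytes, left untouched
        base = snapshot([exe, dll])

        with open(exe, "r+b") as f:           # patch well past HEADER_BYTES
            f.seek(6000)
            f.write(b"\xcc" * 16)
        original = base[exe].mtime            # timestomp back to the baseline value
        os.utime(exe, (original, original))

        return compare(base, snapshot([exe, dll]))


if __name__ == "__main__":
    for change in demo():
        print(change["path"], "changed; noticed by:",
              [k for k, v in change["seen_by"].items() if v])
```

A record's path, size and sha256 fields, together with the OS version and patch level, are the fields worth posting when asking others on the forum to compare against their own clean installs; the mtime is local and not useful for that purpose.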
     
  25. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Re: Process Guard should show Process IDs

    Thanks Andreas,

    I've found those Process IDs in the log files. That's good. :)

    But I still think that it is important that they are somewhere in the GUI too (which you agreed).

    It could be in the protection or security tabs:- as a field that only has content for active processes.

    This would have the added benefit of making it immediately obvious which processes are running currently. (yes I know that info is available using TDS's Process List and other ways, but it would be useful here in Process Guard too). The only downside I can see to this would be using up more RAM and processor time. But I could spare a little more out of 1Gb for something as important as Process Guard!

    Regards Jo M
     