ProcessGuard's Kernel Driver Vs. SandBox Rootkit

Discussion in 'ProcessGuard' started by KoreanBoy, Sep 19, 2004.

Thread Status:
Not open for further replies.
  1. KoreanBoy

    KoreanBoy Registered Member

    Joined:
    Sep 16, 2004
    Posts:
    11
Maybe this has been discussed before, and the last post I saw said something like "Process Guard would still be doing its job, because it was there first".
    I have to comment on this, saying "precisely, but not really".
    I'll explain.
    I installed Tiny Firewall Full Professional, and Process Guard 2.000 Full was still installed.
    Tiny would constantly crash, and I read innumerable violations in ProcessGuard's Windows Log.
    After a million crashes of Tiny for "privileges error", I managed to add all the "required" files of Tiny into Process Guard, so they'd have access to explorer and drivers, so Tiny could implant its rootkit.
    One restart later I noticed right away: ProcessGuard's driver was not loaded. Is this a consequence of the rootkit preventing additional kernel drivers? Or is this some anti-ProcessGuard condition in Tiny Firewall? I know Tiny Firewall as well as I know PG, so I didn't forget to add file, driver and system privileges from Tiny to ProcessGuard. I even tried with Tiny *Personal* Firewall (with exactly the same configuration) and it worked fine. Why doesn't Tiny 6 (Tiny Firewall) cooperate with Process Guard? Anyone noticed this?
    PS. Sorry for the long doubt and long post.
     
  2. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
Hi Korean Boy, with 6.100 I had no problems using it together with PG. I changed for another reason (learning curve), but it works OK if you give them both all the privileges. And what about the rootkit??

    Can you explain what you are saying about Tiny and a rootkit??

    Thanx
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi KoreanBoy, DCS will be around in the next few hours and may be able to help you.
    I am not familiar with the latest Tiny software but maybe other Tiny users will have an idea.

    Pilli
     
  4. MEGAFREAK

    MEGAFREAK Registered Member

    Joined:
    Jul 8, 2003
    Posts:
    51
I had the same problem with Tiny 6 & ProcGuard; there is a conflict.

    I guess he means rootkit because Tiny PF6 and Process Guard implant their drivers using techniques similar to a rootkit's. Basically, using a kernel driver at system startup. The difference is that procguard.sys can't be disabled except if you restore the Kernel Service Table.

    Tiny installs about 4 drivers and 5 services. The KmxIds can cause problems, a blue screen or a reboot with Service Pack 2 installed. This occurred on my system. I used the latest Tiny PF6.xxx release and PG Free 2.00.
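The observation in this thread that one product's kernel driver was "not loaded" after a reboot is something a defender can verify rather than guess at. The following is an added example, not code from the forum, from DiamondCS or from Tiny Software: it parses the CSV output of the Windows `driverquery /v /fo csv` command and reports which expected kernel drivers are absent or not in the Running state, together with their start mode (a Boot-start driver is initialised before a System-start driver, which is what the "it was there first" argument depends on). The sample output is constructed here, the column headers are my recollection of the `driverquery` verbose CSV layout and should be treated as an assumption, and `NotInstalledDriver` is a hypothetical name used only to show the "missing" case; on a real machine you would feed in the command's actual output.

```python
import csv
import io

# Constructed sample of `driverquery /v /fo csv` output (hypothetical rows,
# not captured from a real machine). The column names follow the driverquery
# verbose CSV format as I recall it; treat them as an assumption.
SAMPLE_DRIVERQUERY_CSV = """\
"Module Name","Display Name","Description","Driver Type","Start Mode","State","Status","Accept Stop","Accept Pause","Paged Pool(bytes)","Code(bytes)","BSS(bytes)","Link Date","Path","Init(bytes)"
"procguard","ProcessGuard driver","ProcessGuard driver","Kernel","System","Stopped","OK","FALSE","FALSE","4,096","28,672","0","1/1/2004 12:00:00 AM","C:\\WINDOWS\\system32\\drivers\\procguard.sys","4,096"
"KmxIds","Tiny IDS driver","Tiny IDS driver","Kernel","Boot","Running","OK","TRUE","FALSE","8,192","65,536","0","1/1/2004 12:00:00 AM","C:\\WINDOWS\\system32\\drivers\\KmxIds.sys","4,096"
"Tcpip","TCP/IP Protocol Driver","TCP/IP Protocol Driver","Kernel","System","Running","OK","FALSE","FALSE","12,288","327,680","0","1/1/2004 12:00:00 AM","C:\\WINDOWS\\system32\\drivers\\tcpip.sys","8,192"
"""


def parse_driverquery(csv_text):
    """Return {module_name_lower: row_dict} from `driverquery /v /fo csv` text.

    csv.DictReader handles the quoted numeric fields such as "4,096" correctly.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Module Name"].lower(): row for row in reader}


def check_expected_drivers(csv_text, expected):
    """For each expected module name, report its State and Start Mode.

    Returns {module: {"state": ..., "start_mode": ...}}; state is the string
    'missing' (and start_mode None) when the module is not listed at all.
    Start Mode 'Boot' loads before 'System', which matters when two security
    drivers both want to install themselves first.
    """
    drivers = parse_driverquery(csv_text)
    result = {}
    for name in expected:
        row = drivers.get(name.lower())
        if row is None:
            result[name] = {"state": "missing", "start_mode": None}
        else:
            result[name] = {"state": row["State"], "start_mode": row["Start Mode"]}
    return result


def not_running(csv_text, expected):
    """Sorted list of expected drivers that are absent or not in the Running state."""
    report = check_expected_drivers(csv_text, expected)
    return sorted(n for n, info in report.items() if info["state"] != "Running")


if __name__ == "__main__":
    # Driver names from the thread plus one hypothetical name to show the missing case.
    wanted = ["procguard", "KmxIds", "NotInstalledDriver"]
    for name, info in check_expected_drivers(SAMPLE_DRIVERQUERY_CSV, wanted).items():
        print(f"{name:20s} state={info['state']:8s} start={info['start_mode']}")
    print("not running:", not_running(SAMPLE_DRIVERQUERY_CSV, wanted))
```

Running this after every reboot (or comparing two captures taken before and after installing a second security product) turns "my driver was not loaded" into a concrete list of which modules changed state, which is the first thing a vendor's support will ask for.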
     
  5. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    772
On my system I am running TPF 6 and PG 2 and have never had any problem with that.

    It does work, so perhaps something else is causing the conflict.
     
  6. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi MEGAFREAK,

    Was this the Proof of Concept PG exploit that was described in the past?
    If it is, then that exploit will be void in 1 day when DCS releases PG 3.0 beta.
    If it is something different, please explain.

    Thanks
     
  7. MEGAFREAK

    MEGAFREAK Registered Member

    Joined:
    Jul 8, 2003
    Posts:
    51
Maybe, but before I installed SP2, Tiny & PG2 had no problems. I finally needed to disable Tiny, including all its drivers. It could also be a problem only concerning an incompatibility between Tiny and XP SP2.
     
  8. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Hi Devinco :).

    Yes, this is the vulnerability discovered by Tan Chew Keong.

Source = http://secunia.com/advisories/12033/

    This exploit/vulnerability is successfully fixed with the next release of PG, along with many new enhancements :).


    Regards,
    Jade.
     
  9. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks Jade! :)
     
  10. KoreanBoy

    KoreanBoy Registered Member

    Joined:
    Sep 16, 2004
    Posts:
    11
It's probably that Windows XP SP2 incompatibility with Tiny. I am sorry to have bothered you all, and thanks for the replies :) .
    Looking forward to PG3!
     