ProSecurity v1.21 [HIPS software]

Discussion in 'other anti-malware software' started by PSDeveloper, Oct 28, 2006.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
Open PS, go to the "Application" tab,... look down the list, and remove SPT. Make sure you are not in learning mode, and try the tests again.
     
  2. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,563
    I did that with Kerio to try and reset it. With SPT I did not click allow always.

After writing my last message I tried SPT against the PS "Alarm" module. I forget now which I tried, think it was 9 or 10, but it took "Alarm" out but there was still some form of protection left. I tried restarting PS but it would not reload the Alarm module. That is where I left it last night. This morning I find it has locked me out of Windows, unable to get past the Log In. Have had to do an image restore.

    Think I will go back to SSM and see if I have the same problems there.
     
  3. TECHWG

    TECHWG Guest

As I understand it from the early development days, Alarm.exe is the process that gives you the warnings and user input screens (deny) (allow) etc. If you kill this it's just a simple reboot operation or loading Alarm to get it working again. If you were locked out of your PC all I can suggest is you did not install and initialise it properly, for example:
    The best way to use HIPS of any kind is to install it, leave it in learning mode, lock the PC, unlock the PC and maybe switch user accounts in XP if you have more accounts, then log off and go back to your account, then restart the PC and leave it in learn mode while you load your main usual programs. This way you are teaching PS your normal computer habits and minimising non-needed popups. Also I find it's good to let your antivirus update while in learn mode too, since this also helps cut down popups.
    I once locked myself out of my PC while playing with the settings of Tiny Personal Firewall and had to basically hack back into my system through safe mode and preboot environments like ERD Commander to remove the drivers and services that screwed me. Using HIPS software requires you to perform a few simple operations to get a solid baseline of your system's nominal operation.

    Hope this helps

    WG
     
  4. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046
    How did this happen - installation - learning - reboot should have covered everything critical?

    Did you edit any rules that could have caused this problem?
     
  5. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,563
    The only rules I edited were to do with my firewall. The learning mode was switched off once it had rebooted.
     
  6. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,563
    Thanks

There were two modules listed, Alarm and another I forget now. The other seemed to control the GUI; both of these were able to be killed with SPT but as I said some protection remains in the system. Killing the Alarm module seems to be the source of locking me out.

    I have reinstalled SSM this morning and run the SPT kill rules against Kerio. It did kill it on some rules but there is an option in SSM to add extra protection and is logical in the way it presents the rules. The only failure I still have is no. 13 which is by DLL injection. There are several warnings that this is about to happen but if you continue to allow then it will kill Kerio. I did though find another option to automatically reload Kerio if it is stopped and this it does. Cannot see at the moment any other option that would stop it being killed.
     
  7. TECHWG

    TECHWG Guest

Yea, sounds like something either clashed with PS or you broke the application rules somehow, because I have never seen this with PS.

    Always remember to do a baseline with ANY HIPS software.

    Install, reboot, enable learn mode, lock PC, unlock PC, start screensaver, switch login or user on the PC, log off, go back to the previous user, then restart the PC. After this leave learn mode on until you have loaded every normal program you would normally use, and let your software like antivirus etc. update, THEN feel free to disable learn mode and check your settings.

    This is pretty much my guide to successful HIPS installation; it doesn't matter whether it's ProcessGuard or ProSecurity, SSM or any other for that matter.
     
  8. TECHWG

    TECHWG Guest

Killing alarm.exe would not lock you out of your PC. What is more likely is that because you disabled learn mode so soon, you did not get a complete baseline and the system then hangs.
    I am not at home and I am working via VNC in a VMware VM I keep for personal off-home use, and the connection dropped while typing the other message so I missed your messages after. Please remember also our forum www.proactive-hips.com/forum
     
  9. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,563
    Thanks

    I do disable learning mode because unless you are installing a clean O/S you cannot be certain that the machine is clean. Therefore I like to know what is trying to load. I have done this with PG and SSM without any problem.

    I note your comment about the PS forum but whilst I am trying to evaluate PS and SSM it is not politic to go there.
     
  10. TECHWG

    TECHWG Guest

The best thing is to allow a complete baseline and review the resulting setup in PS. Going about it your way may lead to system instability and freezing.
     
  11. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,563
    Probably quite true but this has not been my experience until PS. One of the things I like about SSM, and this also happened to some extent in PG, is that it gives nag prompts about processes running without rules and you then have the opportunity to go through and allow or deny. There are some legitimate processes running but are not needed so can be blocked.
     
  12. TECHWG

    TECHWG Guest

Well, it's my belief that running live right after reboot is a bad idea, but if you wish, what I would suggest is this:

    Install HIPS, reboot. Run your software and deal with popups as you would want to. Then when you are satisfied turn learn mode on and switch user accounts or load the screensaver and reboot with learn mode enabled. Then disable it.

    I am very hesitant to run any HIPS live like that because I want my system to work as normal, then I can review what has access and what the system has allowed to run. It's better to let the system learn itself instead of being a maverick and doing it manually. This is why you can change settings and block things that were not supposed to run like this, i.e. you having to come back to a previous install of Windows. The fact that PS only has frozen your PC tells me that it's probably going to be better than the other HIPS, for the simple reason it's proved it is doing its job. If you do things manually then you can expect that, since nobody is perfect, you will make mistakes that later on may cause you trouble or freezeups. If you let PS learn from what actually is going on then you get the correct protection and thus a more stable computer system with less unnecessary popups.

    WG
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi,... after you have installed, and re-booted,.... as mentioned,.. you should run all your applications while still in learning mode. You then need to re-boot, while still in learning mode.

PS is different, in the fact it gives complete control of the system to the user,..... PG will allow certain Windows applications to "run once" even without user input,.... SSM has hard-coded rules for certain Windows apps. I would prefer that PS does not take this direction by placing hard-coded rules, and leaves all rules to the user,... yes it is possible to lock yourself out of the system,.. but it only requires an extra re-boot in learning mode, once you have run your main applications, to prevent this. It is very easy to review the application list once this is done.

But this is showing you that the user is not in complete control of the system. Allowing programs to start up without rules to allow, well for me,... is not something I like. I do prefer to be told that an application without rules is attempting to start, not that it is already running.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    I agree.
SSM is also nice in this regard in that after install, when you reboot, it will not load at first Windows start up, so that you can launch it manually and put it in learning mode, just to avoid any problem during boot. Does ProSecurity have such a feature?
    Secondly, is there a feature like the disconnected user interface of SSM?

    Thanks
     
  15. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,563
    Stem & TECHWG

    I take your points and I obviously will have to try PS again and let it learn as you suggest. Be interesting to see if it will then protect Kerio as well as SSM does.
     
  16. TECHWG

    TECHWG Guest

Why would you want to disconnect the interface?
     
  17. TECHWG

    TECHWG Guest

I believe it will.
    And also, please do not forget, the developer will take all your suggestions on board and will make any changes to make PS even better. If you can make a suggestion please post it on our forum in the proper section. Thanks


    WG
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
There is only an option to start with Windows boot (or not).
    There is a lock function (password protected).
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
It's in fact the no-popup mode of SSM.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Thanks Stem! That has no pop ups as well.
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
From my testing,... my firewall (Jetico at that time) could not be "killed" by any attempt (unless I allowed). Have you removed both SSM and PG before installing PS? (I know you did run PG and SSM together.)

    I will install Kerio2 later this afternoon,.... and perform all kill tests directly at Kerio2.
     
  22. TECHWG

    TECHWG Guest

I would just like to thank you Stem for helping us test PS and taking the time to give us feedback and help others.

    Damn decent of you!
    I look forward to your next results.

    Cheers

    WG
     
  23. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,563
Stem - not sure if I am testing the same way as you. You infer that you are denying further progress by the kill routines when you receive a warning pop up. I was seeing what happens if you allow and ignore the warnings. May seem silly but I want to allow for others that might accept these. With SSM I could keep allowing and it still protected.

    All previous HIPS were cleaned out. The SSM/PG was just out of curiosity.
     
  24. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,046

Not a very fair test - if PS prompts and you ignore it, why should it block... Your approach just tests the default privileges of the app? These could be changed.

If there is no rule, i.e. a new app, the default action (lower pane of "app without rules") is mostly "prompt user" - you could change this to block...
     
  25. TECHWG

    TECHWG Guest


Umm, doing this means you are not testing the security of PS, you are testing how good PS is at detecting an attempt and how efficient PS is at letting the action take place. This makes no sense to me at all. Cars have seatbelts; we know if you don't wear them you crash and go through the windscreen. If you allow a terminate, you end up with a terminated app. Why would you do it as a test? What are you exactly testing?
     