ProSecurity v1.21 [HIPS software]

Open PS,. go to "Application" tab,... look down the list, and remove SPT. Make sure you are not in learning mode, and try the tests again.

 

I did that with Kerio to try and reset it. With SPT I did not click allow always.

After writing my last message I tried SPT against PS "Alarm" module. I forget now which I tried, think it was 9 or 10, but it took "Alarm" out but there was still some form of protection left. I tried restarting PS but it would not reload the Alarm module. That is where I left it last night. This morning I find it has locked me out of Windows unable to get past the Log In. Have had to do and image restore.

Think I will go back to SSM and see if I have the same problems there.

 

as i understand it from the early development days, Alarm.exe is the process that give you the warnings and user input screens (deny) (allow) etc. if you kill this its just a simple reboot operation or loading alarm to get it working again. If you were locked out of your pc all i can suggest is you did not install and initialise it properly, for example:
best way to use HIPS of any kind, is to install it leave it in learning mode, lock the pc, unlock the pc and maybe switch user accounts in XP if you have more accounts then log off and go bacj to your account then restart PC and leave in learn mode while you load your main usual programs. This way you are teaching PS your normal computer habits and minimising non-needed popups. Also i find its good to let your antivirus update while in learnmode too since this also helps cut down popups.
I once locked my self out of my pc while playing with the settings of Tiny personal Firewall and had to basically hack back into my system through safe mode and preboot enviromnents like ERD Commander to remove the drivers and services that screwed me. Using HIPS software requires you perform a few simple operations to get a solid baseline of your systems nominal operation.

Hope this helps

WG

 

How did this happen - installation - learning - reboot should have covered everything critical?

Did you edit any rules that could have caused this problem?

 

The only rules I edited were to do with my firewall. The learning mode was switched off once it had rebooted.

 

Thanks

There were two modlules listed, Alarm and another I forget now. The other seemed to control the GUI, both of these were able to be killed with SPT but as I said some protection remains in the system. Killing the Alarm module seems to be the source of locking me out.

I have reinstalled SSM this morning and run the SPT kill rules against Kerio. It did kill it on some rules but there is an option in SSM to add extra protection and is logical in the way it presents the rules. The only failure I still have is no. 13 which is by DLL injection. There are several warnings that this is about to happen but if you continue to allow then it will kill Kerio. I did though find another option to automatically reload Kerio if it is stopped and this it does. Cannot see at the moment any other option that would stop it being killed.

 

yea sounds like something either clashed with PS or you broke the application rules somehow, because i have never seen this with PS.

Always remember to do a baseline with ANY HIPS software's

Install, Reboot, learn mode enable, lock pc, un lock pc, start screensaver, switch login or user on the pc, log off go back to previous user then restart pc. After this leave learn mode on until you have loaded every normal pogram you would normally use, and let your softwares like antivirus etc update, THEN feel free to disable learn mode and check your settings.

This is pretty much my guide to successful HIPS instalation it dont matter wether its ProcessGuard or ProSecurity, SSM or any other for that matter

 

Killing alarm.exe would not lock you out of your pc. What is more likely is because you so soon disabled learn mode, you did not get a complete baseline and the system then hangs.
I am not at home and i am working via VNC in a Vmware i keep for personal off-home use, and the connection dropped while typing the other message so i missed your messages after. please remember also our forum www.proactive-hips.com/forum

 

Thanks

I do disable learning mode because unless you are installing a clean O/S you cannot be certain that the machine is clean. Therefore I like to know what is trying to load. I have done this with PG and SSM without any problem.

I note your comment about the PS forum but whilst I am trying to evaluate PS and SSM it is not politic to go there.

 

best thing is to allow a complete baseline and review the resulting setup in PS . Going about it your way may lead to system instibility and freezing

 

Probably quite true but this has not been my experience until PS. One of the things I like about SSM, and this also happened to some extent in PG, is that it gives nag prompts about processes running without rules and you then have the opportunity to go through and allow or deny. There are some legitimate processes running but are not needed so can be blocked.

 

Well its my beliefe that running live right after reboot is a bad idea, but if you wish what i would suggest is this:

Install HIPS, reboot . . Run your software and deal with popups as you would want to. then when you are satisfied turn learn mode on and switch user accounts or load screensaver and reboot with learn mode enabled. then disable.

I very hesitant to run any HIPS live like that because i want my ystem to work as normal, then i can review what has access and what the system has allowed to run. its better to let the system learn its self instead of being a mavrick and doing it manually. This is why you can change settings and block things that were not supposed to run like this. IE you having to cone back to previous install of windows.the fact that PS only has frozen your pc, tells me that its probably going to be better than the other HIPS for the simple reason its proved it is doing its job. If you do things manually then you can expect that since nobody is perfect you will make mistakes that later on may cause you trouble or freezups. If you let PS learn from what actually is going on then you get the correct protection and thus a more stable computer system with less unnessasary popups.

WG

 

Hi,... after you have installed, and re-booted,.... as mentioned,.. you should run all your applications while still in learning mode. You then need to re-boot, while still in learning mode.

PS is different, in the fact it gives complete control of the system to the user,..... PG will allow certain windows application to "run once" even without user input,.... SSM has hard_coded rules for certain windows apps. I would prefer that PS does not take this direction by placing hard_coded rules, and leave all rules for the user,... yes it is possible to lock yourself out of the system,.. but it only requires an extra re-boot in learning mode, once you have ran your main applications to prevent this. It is very easy to review the application list once this is done.

But this is showing you that the user is not in complete control of the system. Allowing programs to start up without rules to allow, well for me,... is not somthing I like. I do prefer to be told that an application without rules is attempting to start, not that it is already running.

 

I agree.
SSM is also nice in this regard that after install when u reboot, it will not load at first windows start up so that u can launch it manually and put in learning mode, just to avoid any problem during boot. Does prosecurity has such a feature?
Secondly is there a feature like disconnected user interface of SSM?

Thnaks

 

Stem & TECHWG

I take your points and I obviously will have to try PS again and let it learn as you suggest. Be interesting to see if it will then protect Kerio as well as SSM does.

 

why would you want to disconnect the interface ?

 

i believe it will.
and also please do not forget, the developer will take all your suggestions on board and will make any changes to make PS even better. if you can make a suggestion please post it on our forum in the proper section. Thanks


WG

 

This is only an option to start with windows boot (or not)

There is a lock function (password protected)

 

It,s infact no pop up mode for SSM.

 

Thanks Stem! That has no pop ups as well.

 

From my testing,... my firewall (jetico at that time) could not be "killed" by any attempt (unless I allowed). Have you removed both SSM and PG before installing PS (I know you did run PG and SSM together)

I will install Kerio2 later this afternoon,.... and perform all kill tests directly at Kerio2.

 

I would just like to thankyou stem for helping us test PS and taking the time to give us feedbackand help others.

Damn Decent of you !
i lookforward to your next results

cheers

WG

 

Stem - not sure if I am testing the same way as you. You infer that you are denying further progress by the kill routines when you recieve a warning pop up. I was seeing what happens if you allow and ignore the warnings. May seem silly but I want to allow for others that might accept these. With SSM I could keep allowing and it still protected.

All previous HIPS were cleaned out. The SSM/PG was just out of curiosity.

 

Not a very fair test - if PS prompts and you ignore it - why should it block... Your approach just tests the default privilges of the app? ~These could be changed

If there is no rule ie a new app the default action (lower pane of - app without rules ) is mostly prompt user - you could change this to block ...

 

Umm doing this means you are not testing the security of PS, you are testing how good PS can detect an attempt and how efficiant PS is at letting the action take place. This makes no sense to me at all. Cars have seatbelts we know if you dont wear them you crash and go through the windscreen. If you allow a terminate, you end up with a terminated app . . Why would you do it as a test ? what are you exactly testing ?