Protecting processes against one of the stealthiest attacks: code modification

A common concern of security experts is "how do I prevent my security processes from being terminated?". Until the release of Process Guard there was no protection available - processes were considered vulnerable and it was assumed that there was nothing that could be done about that (we weren't even sure ourselves if we'd be able to make Process Guard a reality - the six months worth of research was very much a gamble, especially as other security companies had already said that it couldn't be done - we have since proved them wrong, and created a new class of security software in doing so: process integrity protection). And just in creating a new class of security software gains an added element of security, because nobody was expecting the creation of such a program, not even trojan authors - most of whom still don't even know about Process Guard.

However, termination is only one attack vector that a rogue process can use against a security process (for example, a remote access trojan vs. a firewall) ... there's an even stealthier attack that trojans can launch - code modification. Termination can sometimes be a giveaway, especially if windows are visible and suddenly disappear, but code modification attacks are usually without any visual effects. As an example of this, somewhere in the program code of your anti-virus scanner is a statement that essentially reads "If a virus was detected, jump to the Alert subroutine". A rogue trojan or virus could modify this statement so that it executed as "If a virus was detected, DON'T jump to the Alert subroutine" - effectively silencing the anti-virus scanner. Likewise with a firewall it could change the program code so that no Block rules are applied, essentially turning off the firewall. Such code modifications typically only require changing one or two bytes so the changes are very subtle and not easy to detect, but Process Guard can easily render this attack null and void, simply by denying WRITE access to protected processes. IMHO Process Guard would be worth having just for this protection capability alone, yet this is only the tip of the iceberg as far as protection goes

For a more detailed example of this type of attack, see the Process Guard helpfile, "Known Attacks\Code Modification" section.

 

Rerotecting processes against one of the stealthiest attacks: code modificatio

Excellent post!!!!! I won't do without PG. Its a relaxing thought to know that it is on the "guard". hehe I can't say enough good things about the DiamondCS folks. Give yourselves all a pat on the back. Way to go

 

Rerotecting processes against one of the stealthiest attacks: code modificatio

Eliot, I am pleased to report that the latest PG beta1.200 is now underway and working very well on this PC with some very nice new protection added, such as SetWindowsHookEx amongst other things,
Also driver contention errors corrected & better logging

 

Rerotecting processes against one of the stealthiest attacks: code modificatio

I would like to be a beta tester for PG if you folks are interested in one. Gladly help out on the new ones. I have bought the latest PG if that is needed

 

Rerotecting processes against one of the stealthiest attacks: code modificatio

Usually users are made beta testers after 150? posts on the DCS forums - Although sometimes posts in these forums are also taken into account

Anyway, thanks Eliot for your offer.

 

Rerotecting processes against one of the stealthiest attacks: code modificatio

Yep, although not 150 as such (there's no specific limit), users are typically only admitted into the beta team (a very exclusive club) after making significant contributions to helping others with DiamondCS software at either the DiamondCS and/or Wilders forums.

 

Rerotecting processes against one of the stealthiest attacks: code modificatio

[me=Eliot]takes notes. [/me]

 

Rerotecting processes against one of the stealthiest attacks: code modificatio

just a firewall & PG combined increase dramatically your security as it has never be seen, don't miss it !
The current beta stops even far more like rootkits...