Protecting WFP

Discussion in 'other anti-trojan software' started by Starrob, Dec 9, 2004.

Thread Status:
Not open for further replies.
  1. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Does anyone know of any application that protects the Windows File Protection from being disabled?



    Starrob
     
  2. Optimist

    Optimist Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    90
  3. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I am not sure about that. According to more than a few people PG does not protect against the disabling of Windows File Protection.


    Starrob


     
  4. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi all,
    AFAIU, PG protects against some methods to disable WFP, but there are others where I'm not sure. It surely doesn't do it as its main job, so full protection for WFP might be - if at all - a lucky side-effect.
    Of course it would be interesting to know which methods are not covered by PG and if there is some software dedicated specially to protecting against all attacks on WFP...

    Andreas
     
  5. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Just to let PG users know...one method to disable WFP that I found on the internet (I can't post the link because it is probably against the TOS) can probably be stopped by protecting Winlogon.exe from "Read" access. I got that solution courtesy of Wilders Member gottadoit.

    I only said probably because no one has tested it to see if it works for sure, but in theory that will protect PG users from one method of disabling WFP that has been published in an article on the internet.

    However, there may be more dangerous ways to disable WFP. There is a virus that was written in 2003 that can do exactly that.

    I guess it will have to be tested but I wonder if RegRun http://www.greatis.com/security/download.htm#beta can protect against this.

    These are the type of "future" threats that I would like protection against. This is a HUGE hole in Windows that it does not look like MS is doing anything about. Anyone that has read any of the articles that I have read about the disabling of WFP will realize there are not many applications out there that would probably protect against this.



    Starrob

     
  6. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I also wonder whether PREVX can protect against these types of attacks.


    Starrob
     
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Starrob,

    RegRun has a File Protection feature that runs in conjunction with its Secure Start feature, and does its work before the shell starts. It compares MD5 signatures and will alert and prompt you to accept/deny the replacement. If you deny, then the system will reboot and the original file will be replaced from storage. After you protect sfc_os.dll (sfc.dll in W2K) and enable Secure Start, I suppose you can go a step further and add the Secure Start executable (onsecure.exe) to PG's Protection List and protect it from termination. I don't know what the consequences would be of read-protecting winlogon.exe. If I feel brave, I'll try it out.

    I enabled PG read-protection for winlogon.exe and rebooted with no errors and no alerts from PG. Running with no problems so far.

    Nick
     

    Last edited: Dec 11, 2004
  8. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Regrun looks like a good product even though I have not tried it yet. I think I am going to try it. I am looking at both PREVX and Regrun.

    The advantage of Regrun is that it appears to give the end user more control over what they want to protect against on their computer. Also, it appears that Regrun does not phone home.

    From your description of Regrun file protection feature, it seems that it would provide protection of the WFP against these types of exploits.

    How does Regrun work with PG. Are they very compatible or do you get many alerts from one interfering with the other?

    It appears the pro version of PREVX is much better at protecting itself in many situations....however, on my computer I got many alerts from PREVX about PG "attempting to modify a PREVX file". It appears the newest PREVX Pro and PG might conflict in certain areas. I had to take PREVX off PG protection list in order to get PREVX to work without alerting.

    PREVX Pro can defend itself pretty well. It defends against most of the termination methods using APT. The only ones that work against PREVX are the termination methods that shut down the windows (I believe that is methods 7 & 8?)

    I know other companies are developing variations of "system firewall" products beside PG, PREVX, and SSM. It will be interesting to find out if others implement better solutions to their products because right now, it appears that you have to buy several products to cover many areas. Some defend the registry better and others defend the Process better. I am looking for a product that is a complete package...maybe one that is simply a module integrated into an AV or AT product that defends the registry, WFP and is a system firewall for processes.



    Starrob


     
  9. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You can disable the phoning home in Prevx Pro (by disabling PAWS, I'm doing so now for performance reasons.) As far as the alert saying PG is trying to hijack Prevx, just set the protection in Prevx titled "Prevx Misuse - Hijack" to 'prompt', then when the alert comes up, set it to remember decision and allow all for that process/action.

    Prevx would stop anything from affecting the SFC DLLs, PG would protect Winlogon from read attempts, and the Winlogon registry keys are another way something could disable WFP (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon); this is watched in RegRun's Registry Tracer.
     
  10. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I have used the two together since PG 1.* without any issues. Although I understand your desire for an all-in-one solution, I believe all-in-one solutions attract too much attention and simplify the task of compromising your system.

    Nick
     
  11. ,.-

    ,.- Guest

    Surprise. Surprise. Process Guard does stop WFPAdmin from disabling windows file protection.
     
  12. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Do you know whether PREVX Pro protects the Winlogon registry keys too or does only Regrun protect against that?

    Also, I am wondering if PREVX Pro, Regrun and PG are all compatible on the same system. It would be a shame to have to use 2 or 3 programs to fully cover protecting against attempts to disable WFP. I wish one program would protect against this. I actually wish Microsoft would do something about this. There is no reason to have to pay money to protect something like WFP. It should be a given that this should be well protected.

    I have too much security software on my computer protecting against specific things. I could use a little consolidation on my computer. There is such a thing as too many layers on a computer making a computer too slow to do anything. I continue to believe there has to be a better way.



    Starrob


     
  13. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Perhaps there are other methods you are thinking of, in which case you can probably ask Jason or Wayne via email or PM (if you are concerned about disclosing too much here). If there is, it is probably one of those situations where PG would stop the execution of such a program (that has capabilities to disable WFP), through its execution protection. Again one of those things where user interaction to stop the execution would probably be required.

    The only thing I can recommend is to educate yourself (and I do not mean educate yourself to paranoia). But read what a threat is about and compare it with your security setup. Think logically about the likelihood of even encountering such a threat. And if there is a possibility that you will encounter such a threat, think about how your current setup will react to such a threat. If your setup is not equipped at all to handle the threat and you see it as a growing legitimate threat, that is when I would take action. Just be sure to keep in mind that you do not need 100% protection for every threat. That would be impossible, and no software in the world would/will make such a claim. Even OpenBSD, an operating system which is regarded as one of the most secure operating systems there is, only makes a claim that it will... "Try to be the #1 most secure operating system." Sometimes knowledge and the understanding of how a threat could even be introduced on your system is security and prevention enough for that particular threat.
     
  14. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I probably educate myself on security more than the average user which is among the reasons I get concerned about keeping malware off of my computer.

    I do get paranoid because I have educated myself to what is out there. My real job is working as an engineer on ships which means I have a great work schedule. I work every day for 4 months and then I get 4 months vacation. I usually spend my vacation traveling....half the time is spent traveling virtually on the internet and the other half is spent traveling in real life. I mostly go to Asia...I just love it there.

    When I am home, though, when most people are sitting at their desk at work or turning over on their bed in the middle of the night....I am out here on the internet searching for every bit of knowledge I can on many different subjects.

    One of those subjects is computer security. I read many forums, even forums written in different languages. I am slowly learning.

    What concerns me most about computer security is that money has entered the game. Some very, very intelligent people are increasingly being hired to write code to defeat the defenses that most people are putting on their computer.

    I, for one, like staying ahead of the game. I actively search out what could be vulnerabilities on my system. Some of the things I found out shocked me at first. I was very surprised at exactly how insecure windows is and I realized those are only the vulnerabilities that people are writing about.

    I really don't mind writing in a public forum any of the things about malware that I can find because if I can find it on the internet then any "Joe Blow" user can also find it. There is nothing that I can write about that is a big secret....whatever I write about is usually already well known to malware writers. Usually the only one that doesn't know is poor "Joe Blow" user that keeps wondering why he gets infected.

    One of the things that shocked me the most is that anyone can become a script kiddy. All they need is Google and only a tiny bit of research. One of the reasons that I think malware might become worse is that I don't believe the really intelligent coders have become involved in the scene yet. I mean the coders that find vulnerabilities on their own and don't publish anything about it or tell anyone about it. They just keep it in their bag of tricks for maybe later use.

    These are the real "Hackers"...the ones that don't use automated tools but write their own code. I am talking about guys that know how to find undocumented areas of windows and write code to exploit them....guys that have the skill to write drivers (As opposed to some security companies out there that don't even write the drivers for their own products)

    If people start hiring these type of guys to create real zero day exploits to get malware on computer then the malware scene could get bad real fast.

    I got another thought for you. I heard it through the grapevine that some people that now work for the AT companies were once malware coders themselves....how does anyone know that they don't leave intentional holes in their products to let their friends in? I know that is an extreme paranoid thought but it is just a thought. I don't personally believe that......

    .........but I will say that I know many foreign governments don't really trust American made software on computers that will be used to store sensitive information because I heard once upon a time certain software companies intentionally left backdoors in their products for people like the NSA and CIA to access as they pleased..anything for money, I guess...so I really don't trust anyone when it comes to computer security except for my own mind and common sense.

    My biggest worry is the zero day exploit....code written specifically to bypass certain programs. That is why I would like PG to be as close to unbeatable as possible. If I find a way that it might be beaten then I will speak up because if I find it then chances are that it is already widely known because the real "zero day" exploits are not written about...they just happen. So, I won't be telling malware writers or people that use malware something they don't already know but alerting other people that they may have a potential way on to their computer....maybe that way people won't think their personal "pet" software is invincible and they might use the greatest defense...One's own intelligence and common sense.



    Starrob




     
    Last edited: Dec 13, 2004
  15. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    I read what you are saying Starrob. And I think it is great you have so much enthusiasm for the subject of computer security. But sometimes it just does not make any sense to me what direction you are going.

    Watch closely as I spin everything around heh...

    I am sure you are familiar with the concept that no one is 100% secure. With an understanding of this you still feed off the paranoia of "the elite hacker", "the zero day exploit", "the backdoor", "the abc", and "the xyz." Sure it is great reading about these things, and in the right context are all a legitimate concern in the computer world (except for the abc and xyz ;) ). But what is the point of worrying and overloading your computer with the "best" security software when you know that there is no "best," and when you know all your security measures can be exploited and bypassed?

    I say this jokingly but it is a question I would really like to pose to you...
    But why even use your computer if you do not trust anyone? To me it seems like you trust/base your security more on what you read from "blackhat" sites than anything else. But you rarely consider the motives of the people who communicate through "blackhat" sites. Do you even consider the risks of visiting such sites? Instead you question more the integrity of AT developers, American software companies, the NSA, and the CSI. How does that work? Or do you go to "blackhat" sites too and tell the coders "I question the trojan you developed, it could very well just be a backdoor for you to get into my system." Or better yet "I question your analysis of how well abc software can detect this trojan because I believe you work for abc software." Beyond computers and the computer security world you can still have your mind and common sense without all the worries... can you not?

    If you put all my silliness aside, I hope you see my point.

    But if we get back on topic I wonder if you have any comments about the two quotes in my previous post and my response. Do you still think it is a threat that PG is not capable of handling? If it is, how do you think it can be exploited? Maybe an example?
     
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    VERY good point made in the above post. The user's actions are still the most important :)

    If a real world danger comes about to PG - especially if it targets PG protected systems, then we will do our best to deal with it as soon as possible. For trojan writers (even the really dangerous ones), there aren't many attack vectors left at all. That's the whole point, we closed the door on DLL injection in one move, they spent years developing better and better ones.. bang, it's all useless for attacking PG owners ;)
     
  17. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    First, most of the people communicating on blackhat sites in the public forums are not really all that smart. I have thought about joining a few private forums but I don't really think I will learn too much more there simply because the ones that really know anything aren't talking....

    I take a lot of what the script kiddies say with a grain of salt because most of them are simply searching for people to teach them how to break into computers or how to use some automated tool. Some of the guys on those boards have intelligence but others are so dumb that they sometimes infect themselves.

    Usually the ones that have any real type of knowledge usually just laugh and tell them hacking is learned by doing it and not by simply asking questions about it.

    I learn about security from more than just the blackhat sites too. I read just about every forum that you can think of that has to do with security and I read a lot of articles too. The current articles I am reading are "Concepts for the Stealth Windows Rootkit (The Chameleon Project)" and "Malicious Code in Depth".

    Most of the stuff I don't understand because my background is not in computers, it is in being a shipboard engineer. If you ask me to change an injector on a big Caterpillar diesel engine then I do that very well but I only recently had an interest in computers and there is much to learn.

    The first computer I saw was in 1979 in college...we had a connection to some college like Harvard or Yale...I forget which....but I just remember we could chat with the students there...the internet then was just all text and it was sort of like some strange combination between email and instant messaging when communicating to others. Any way, the teachers at my school tried to teach me how to write code..and..I hated learning how to write code. I did not think I would ever have a use for it. Computers were not big in 1979....we still had teachers in my school that wanted to ban the calculator and use only slide rules on tests. I bet many don't even know what a slide rule is...LOL....I think I got a D in that class. That is unfortunate because things I take an interest in I do extremely well. If I had learned to code back then, well, 25 odd years later, I would not even be bothering with these security companies, I would be writing my own code to keep my computer safe.


    You are right....I should not have so many security programs on my computer. The operating system was not designed with a lot of security in mind. If the operating system was designed properly, it would be damn near impossible to programmatically break in to any computer....some don't believe in 100% solutions and I don't either but I believe the operating system could be designed in such a way that it would take too much effort to make it worthwhile to break into Joe Blow's computer. Right now, it is too easy. The way things are now, some 15 year old brat with pimples can break into most people's computers just by knowing how to Google. It should not be that easy. I am an optimist and I believe things can be better. So, I am on a search for solutions...not the same ole, same ole things that are not working.

    Right now, patches and security software must be used to fill the gaps where the operating system and the programs designed to operate on the system are lacking. Another reason I use multiple security systems is I don't really trust one specific vendor fully, for whatever reason.

    There is a potential gap in PG coverage. Up until now, DCS chose not to answer the question posed by gottadoit here in which he also offers a potential solution:

    https://www.wilderssecurity.com/showthread.php?t=57384&page=2



    Starrob
     
  18. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    It's not about choosing not to answer; it's about only having 24 hours in a day and a lot of work to do. Providing free daily forum support is very time consuming. I hope you understand.

    Regards,
    Wayne
     
    Last edited: Dec 14, 2004
  19. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    Computers can be used without trusting anyone. About the risks of visiting such sites....whenever I do travel to a Blackhat site, I am very, very aware and careful. Javascript and Java are turned off and I visit in an alternative browser to Microsoft. Everything I got on my computer is turned on full blast. I don't get as worried about things when I am aware of the danger.

    I am worried about getting hit when my guard is down and I am wandering around the internet with java enabled and javascript enabled and I go to an "innocent" site for information like the following thread:

    https://www.wilderssecurity.com/showthread.php?p=323390#post323390
     
  20. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Understood...I know you have probably been working on TDS4 but it just seemed that was a fairly important question. I am interested in the answer when time is available.


    Starrob


     
  21. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    No, Prevx does not watch the Winlogon registry keys, you'll need a dedicated registry watcher for that, like RegRun or MJ RegistryWatcher.

    Some things to keep in mind here are 1) WFP wasn't designed as a security tool, it was meant to counter all the stability problems created in 9x when different programs kept trying to replace system files with their own versions. and 2) anything that's going to disable WFP isn't going to stop there. If it's stopping WFP, that's because it's going to replace system files. To protect against that you can use RegRun (selectively), Prevx, or an integrity monitor. After that it's probably going to want to run the files somehow.. whether it's executing, injecting a dll, installing a driver, or what have you, which would all be covered by PG. Wanting to cover as many bases as possible is understandable, but don't get too lost in the details.. you can always clean up an infection.
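    The integrity-monitor approach that nick s describes for RegRun's File Protection earlier in this thread (hash each protected file, alert when the hash changes, restore the original from storage) and that Notok points to above is simple enough to show in code. The script below is an added example written for this thread; it is not RegRun's, Prevx's or DiamondCS's code. It assumes a constructed set of sample files in a temporary directory (the file names only mirror the ones discussed here), uses SHA-256 where the post says RegRun uses MD5, and keeps its pristine copies in a folder named `dllcache` purely as a label.

```python
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed sample "system files": the names mirror the files discussed in the
# thread, the contents are made up so the example runs on any machine.
SAMPLE_FILES = {
    "sfc_os.dll": b"pretend-system-file-A",
    "winlogon.exe": b"pretend-system-file-B",
    "shell32.dll": b"pretend-system-file-C",
}


def file_digest(path: Path, algo: str = "sha256") -> str:
    """Hash a file in chunks so large binaries never have to fit in memory.
    SHA-256 is an assumption of this example; the post mentions MD5."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(protected: list[Path], store: Path) -> dict[Path, str]:
    """Record a digest for every protected file and keep a pristine copy in
    `store` (the equivalent of RegRun's 'storage' in the post)."""
    store.mkdir(parents=True, exist_ok=True)
    baseline: dict[Path, str] = {}
    for p in protected:
        baseline[p] = file_digest(p)
        shutil.copy2(p, store / p.name)
    return baseline


def check_baseline(baseline: dict[Path, str]) -> dict[Path, str]:
    """Compare each protected file against its recorded digest and report
    'ok', 'modified' or 'missing' per file."""
    report: dict[Path, str] = {}
    for p, expected in baseline.items():
        if not p.exists():
            report[p] = "missing"
        elif file_digest(p) != expected:
            report[p] = "modified"
        else:
            report[p] = "ok"
    return report


def restore_from_store(store: Path, report: dict[Path, str]) -> list[str]:
    """Put the pristine copy back for every file that is not 'ok'.
    Returns the names of the files that were restored."""
    restored = []
    for p, status in report.items():
        if status != "ok":
            shutil.copy2(store / p.name, p)
            restored.append(p.name)
    return sorted(restored)


def demo() -> dict:
    """End-to-end run on constructed files: baseline, tamper, detect, restore."""
    root = Path(tempfile.mkdtemp(prefix="wfp-demo-"))
    sysdir = root / "system32"
    sysdir.mkdir()
    for name, data in SAMPLE_FILES.items():
        (sysdir / name).write_bytes(data)
    protected = sorted(sysdir.iterdir())
    store = root / "dllcache"  # label only; not the real Windows dllcache
    baseline = build_baseline(protected, store)

    clean = check_baseline(baseline)
    # Simulate the scenario from the thread: one protected DLL swapped for a
    # different file, one protected executable deleted.
    (sysdir / "sfc_os.dll").write_bytes(b"replacement-with-different-contents")
    (sysdir / "winlogon.exe").unlink()
    tampered = check_baseline(baseline)
    restored = restore_from_store(store, tampered)
    after = check_baseline(baseline)

    shutil.rmtree(root)
    return {
        "clean": sorted(set(clean.values())),
        "after_tamper": {p.name: s for p, s in tampered.items()},
        "restored": restored,
        "after_restore": sorted(set(after.values())),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Two caveats that follow from the thread itself: the stored copies and the checker have to live somewhere the attacker cannot write to, which is why the posts above talk about protecting onsecure.exe and sfc_os.dll with PG, and a check that runs after the shell is up can only detect a replacement, not prevent the replaced file from being loaded first, which is why RegRun does its comparison before the shell starts.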
     
  22. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Notok, you've made some excellent points there. :) In particular that WFP was made to prevent version instability issues between Windows OS's, rather than actual security.

    It's also worth noting that it has never been PG's goal to prevent WFP from attack, even though this is one of the capabilities it makes available to the user. PG is not a dedicated or specific WFP protection system. The protection it does provide is an indirect result of securing other areas such as code/DLL injection, and that probably makes it the strongest protection available for WFP in its own right, but it's important not to get too carried away - ie. we won't be turning ProcessGuard into a full-on WFP protection system.
     
  23. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Thank you and Notok for your answers. Now, I and others (if they so desire) can explore alternative solutions or decide to do nothing at all, but at least everyone knows where the situation stands.


    Starrob


     
    Last edited: Dec 14, 2004
  24. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I do have a question about this. If an exploit disables Windows File Protection and then replaces a dll on the disk...Let's just say it replaces an internet explorer dll with a trojanized version, then it would not need to install a driver or inject a dll because the trojanized dll would be loaded by internet explorer, and if the trojanized dll is not in the signature of your favorite AT or AV or AS then the end user would not even know it is there. Am I correct in this or am I missing something? I am here to learn.

    Is this a way to do a static dll injection that Nautilus has talked about? I do believe that this could be a threat at some point in time.

    Everyone can defend or not defend against this as they will but I already have ideas about what I am going to do.


    Starrob
     
    Last edited: Dec 14, 2004
  25. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Hmmm, just started reading this thread...
    A lot of useful information here :)

    Wayne, thanks for the answers I was figuring that you guys would get around to answering the question sometime and I do recognise that you have better things to do than living in a forum...

    Now we need someone to write WFPGuard to protect those APIs from misuse and we should be right... that is assuming that the AV vendors don't do it. It would have been a useful addition to PG...

    I'll use one of the other products to protect the other avenues of attack... sigh, I might have to go and purchase a SoftIce (or whatever it's been renamed to these days) so I can perform proper analysis so I can assess the threat levels for myself (seeing as that seems to be the "done thing")

    And it's still worth saying that I like PG and use it because it's a good solution. I think that there would be some value in outlining somewhere exactly what it does and doesn't cover so that people would know which other feature sets they might need to address to protect against other threats. Maybe Andreas1's writeup would be a suitable place for it

    The hard part is to get someone trusted/respected without vendor bias and with the spare time and desire to do it
    I'm happy enough with DCS so I think I probably have some bias towards them, especially given that I'm not likely to go and purchase the competing products just to test them out for an extended period of time

     