Secure Message Handling Bug

Discussion in 'ProcessGuard' started by Dazed_and_Confused, Nov 9, 2004.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    I have added Secure Message Handling to a number of my security apps. After doing so, I tried to manually shut one of these (MJ RegWatcher) down. I then received the customary PG confirmation screenie prompting me to enter the 5-letter code. I then changed my mind about shutting down the app, and proceeded to hit the CANCEL button on the PG SMH dialog box. It prompted me again for the 5-letter code. I had to hit CANCEL 5 times. Afterwards MJRW was terminated. o_O o_O I thought this might be an isolated error and tried again. I was able to duplicate this behavior two more times. Is PG SMH supposed to act this way? I assumed hitting cancel on the PG SMH screen would keep the app from closing.
     
  2. Wisher

    Wisher Guest

    Just a guess, but maybe you were in learning mode. If that's the case, ProcessGuard probably learned that you wanted to close the process instead of getting the Secure Message Dialog. It's one of the reasons why I think learning mode should be changed.

    But if it's not, then yes, you probably found a bug.
     
  3. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    hmm. I hope we won't get the discussion about whether this is to be named a bug or not again. Anyway, everyone agrees that SMH doesn't work as you'd expect it to in a couple of cases. While there have been lots of improvements in v3, there might persist problems for some reason or other (you could even call it incompatibility of the SMH part with certain apps - but it's an incompatibility which doesn't break much otherwise).

    Here are the things to try: When pressing cancel, select "to all" and hope that then it will catch every (program internal) movement towards exiting; secondly, you can tell PG what action it is exactly that is leading your program to shutdown - hold down the INS key while doing it (i.e. while clicking on "x", and/or while clicking on "Exit" in the File menu etc.) and the next time you start this application it should have these actions protected better.

    There is also a thread around here somewhere where Jason described this, but I don't have the time to look it up now.

    HTH,
    Andreas
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Daisie, please read the help file regarding SMH; as Andreas said, it can be taught what action to take for given X, exit & quit actions.

    Also remember that for this to occur, adding SMH to a program will normally best be done before the application is running; some low-level programs may even need a reboot for SMH to be enabled.

    To clear actions taught, if you should make a mistake, simply disable SMH for the application then re-enable.

    HTH Pilli
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I'd agree here - a similar issue exists with Outpost in that selecting Cancel still results in it shutting down. However SMH does (a) alert you to this shutdown and (b) delays it until you have responded to the prompt, so it is still a valuable option.

    DiamondCS did include documentation in PG2's help on how programmers should handle WM_CLOSE messages to ensure compatibility with SMH but this does not appear to be present in PG3's help. I wonder why?
     
  6. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    I had and still have this problem with some apps, as seen here https://www.wilderssecurity.com/showthread.php?t=53454 but others work great. I think it depends on the program you are trying to use SMH with. Hopefully there will be a solution to this problem in the future.


    Thanks,

    Chris
     
  7. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Nope. But good try, Wisher. ;) My name may be Dazed_and_Confused, but I'm not that confused. :D

    Not exactly sure what you're suggesting, Andreas. :) I thought doing what you suggest above would teach PG what actions warrant bringing up the SMH dialog box. I don't have a problem with the SMH dialog box appearing. It appears as it's supposed to. But when I press CANCEL, the app still closes. I assume that pressing CANCEL means "hey, I've changed my mind, as blondes have a habit of doing on occasion, and I don't really want to close this application. So let's go back to where we were before I tried to close it."

    Hello, Pilli. I'll give this a try. I did add it after it was running. :oops:
     
  8. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi Daisey,

    :D

    Without knowing exactly what the problem could be in your case, I might perhaps add some general details here.

    When an application closes, it has to perform all kinds of tasks (saving changes, clearing variables and buffers, destroying windows etc.). Normally you have one event that, when happening, triggers the whole chain of these other procedures. Or, let's admit, a few of these events that could be in that position. And, of course these events are what PG's SMH is after - whenever one of them occurs, you get the confirmation prompt. (And since in such an application shutdown procedure, several of the events may happen, you sometimes get several prompts.)

    The main problem arises when you have applications that do their cleaning up in a not-so-orderly way. Maybe the initial event is not one that PG normally catches. In that case, the app-shutdown sequence would start, and maybe at a later point one (or more) of the events that PG recognizes by default happens. Then you get a confirmation prompt (or several), but then it's too late - the shutdown sequence is in full swing already. (And even when you cancel one of the events, then either another, non-cancelled aspect of the shutdown procedure takes care of what you've just meant to block, or you have effectively blocked something, but will end up with the application gone, only some uncleared buffer still hanging around or so.)


    That's why it (sometimes) helps to teach PG with the INS key. In order for SMH to work properly, it has to catch the very first of the shutdown events. And in most cases, you can tell it that a certain event should count as one of them.

    BTW, in what way did you shut down MJRW? Normally, PG catches the "x" window icon quite well, but actions you perform on an app's systray icon often have to be taught to it with the INS trick.


    HTH,
    Andreas
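
Added example, not part of the thread and not DiamondCS code: a simplified C model of the shutdown chain described in the post above, showing why cancelling every prompt still loses an application whose first exit event is not watched, and why watching that first event changes the outcome. The message IDs are the real Win32 values; the `Filter`, `App` and `survives_exit` names and the set of messages the filter watches are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Real Win32 message IDs; the filter and apps below are a constructed model. */
enum { WM_DESTROY = 0x0002, WM_CLOSE = 0x0010, WM_COMMAND = 0x0111 };

/* Hypothetical filter: prompts on watched messages; the user always cancels. */
typedef struct { unsigned watched[3]; size_t n; unsigned prompts; } Filter;
typedef struct { bool orderly; bool alive; } App;

static bool cancelled(Filter *f, unsigned msg) {
    for (size_t i = 0; i < f->n; i++)
        if (f->watched[i] == msg) { f->prompts++; return true; }
    return false;
}

/* Deliver one message to the app's window procedure through the filter. */
static void deliver(App *a, Filter *f, unsigned msg) {
    if (cancelled(f, msg)) return;         /* app never sees the message */
    switch (msg) {
    case WM_COMMAND:                       /* tray menu "Exit" */
        deliver(a, f, WM_CLOSE);
        if (!a->orderly) {                 /* teardown already under way: */
            deliver(a, f, WM_DESTROY);     /* carries on past a cancelled close */
            a->alive = false;              /* and exits regardless */
        }
        break;
    case WM_CLOSE:   deliver(a, f, WM_DESTROY); break;
    case WM_DESTROY: a->alive = false; break;
    }
}

/* Returns true if the app survives a tray "Exit" with every prompt cancelled. */
bool survives_exit(bool orderly, bool taught, unsigned *prompts) {
    Filter f = { { WM_CLOSE, WM_DESTROY }, 2, 0 };
    if (taught) f.watched[f.n++] = WM_COMMAND;   /* first event now watched */
    App a = { orderly, true };
    deliver(&a, &f, WM_COMMAND);
    *prompts = f.prompts;
    return a.alive;
}

int main(void) {
    unsigned p1, p2;
    bool a1 = survives_exit(false, false, &p1), a2 = survives_exit(false, true, &p2);
    printf("untaught: alive=%d prompts=%u; taught: alive=%d prompts=%u\n", a1, p1, a2, p2);
    return 0;
}
```

In this model an application that routes every exit path through `WM_CLOSE` survives a single cancelled prompt even without teaching, which is the case the filter handles by default.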
     
  9. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    I think your training is complete. :)
     
  10. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    heh :D
    I was hoping you're satisfied, master. When will you start teaching me the next level, those ASM lessons? ;) *puppy*
     
  11. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Thanks for the excellent info, Andreas1. :)

    I did try holding down the INSERT key while clicking on EXIT in the MJRW icon in the systray. Again, it prompted me with multiple PG SMH windows. Pressed cancel every time. MJRW closed. Restarted MJRW and repeated this exercise again two more times. Same effect. MJRW continues to close after pressing cancel on SMH challenge screens.

    By the way, I also tried removing SMH protection within PG, closing MJRW, and reapplying SMH while MJRW was closed. Made no difference.
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Daisie, You may have to accept that this particular program cannot be cancelled once the closedown process has been initiated.
    It is no real problem because if malware did target MJRW you would certainly know about it and that is what ProcessGuard was designed to do.
    Graphic Equaliser might also be able to explain why his program behaves in this manner. I am sure there will be other programs with similar shutdown routines, this is not bad BTW but just the way things are :)

    HTH Pilli
     
  13. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Pilli. Not a problem. You are right that I can live with it. Just wanted to make DCS aware of the issue. Otherwise, PG working just fine! :D An extremely minor and acceptable inconvenience to live with.
     
  14. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    I think Ewido 3 is the same way. So it's not just MJRW. Hope this helps.

    Thanks,

    Chris
     