Set to Permit Once

Discussion in 'ProcessGuard' started by INTOXSICKATED, Feb 1, 2005.

Thread Status:
Not open for further replies.
  1. INTOXSICKATED

    INTOXSICKATED Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    485
    Location:
    Suburbia Hell
    noob question about the "set to permit once" setting in the security tab. is this only once ever? or is it once a day?
     
  2. INTOXSICKATED

    INTOXSICKATED Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    485
    Location:
    Suburbia Hell
    oh yea, and which type of programs should be set to "install drivers/services"? i did read andreas' page, but still a little fuzzy.
     
  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi INTOXSICKATED,

    "Permit Once" stays in effect until the next time the file is executed, and then you will be prompted to allow/deny, etc. No time frame involved.

    Nick
     
  4. dog

    dog Guest

    That would be "once", period. You'll always get a PG pop-up asking you to "Allow" every time you run this entry.

    You can set it to always "Allow" by either right-clicking that entry in the security tab and changing/setting it to always "allow", -or- clicking the always "allow" option box on the pop-up the next time you run that program.

    It's fine to leave it at "once" and is recommended in some cases. ;)

    Steve
     
  5. dog

    dog Guest

    Check your logs ... to see what apps are requesting this ... if the app is "Trusted" allow it for that app. Or ask away here. ;) :)

    I.e. Sysinternals "Process Explorer" - procexp.exe - will try and install a driver; it needs this driver to retrieve various OS information etc., and needs to be allowed for Process Explorer to run correctly. ;)

    Steve
     
  6. INTOXSICKATED

    INTOXSICKATED Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    485
    Location:
    Suburbia Hell
    iiiiiiiiiiiiiiiii see. thank you both.
     
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    After leaving Learning Mode, you will be prompted when an executable attempts to install drivers/services (if you have that protection enabled). If you trust the executable, you can add it to the Protection list with a permission to install drivers/services. If you don't trust the executable, then you need to do some research. As the ProcessGuard Application Database grows, it will become easier to identify trusted processes/executables that require permission to install drivers/services.

    Nick
     
  8. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    There is one caveat to the advice given so far, and that is if the program is executed during startup prior to when the ProcessGuard GUI has started it can be executed without asking.

    In that case it is allowed to execute on the basis that it cannot interact with you to ask you the yes/no question, so it just allows the program to run.

    This won't happen initially because learning mode will cover all the programs you are using when you set up PG.

    You will see entries like this in the Security tab with a Last Action of "Permit Once (Unable to ask user)".
    The "unable to ask" information isn't recorded in the logfile, so you have to look at the GUI to see it.

    NB: Yes, I do think it's a flaw that could be used by a very specific trojan that wanted to target PG, but as many ppl will point out you need to execute a program before startup registry entries could be changed, and then a swift reboot performed to run another unauthorised executable that could race and try to take PG out of the registry before it starts up...
     
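    The behaviour gottadoit describes (a "Permit Once" entry that is executed before the GUI is up gets allowed without a prompt, the Security tab shows "Permit Once (Unable to ask user)", and the logfile does not record that the user was never consulted) can be modelled in a few lines. The following is an added, constructed Python model written for this thread; it is not ProcessGuard's code, and the class, method and callback names (`PolicyEngine`, `execute`, `unprompted`, the `prompt` callback) are assumptions made for illustration. It includes a `fail_open_without_gui` switch so you can compare the described fail-open behaviour with a fail-closed alternative, and an audit helper that lists the entries a reviewer would want to look at in the GUI.

```python
"""Toy model of a per-executable execution policy: "Permit Once" (ask every
run), "Always Allow", "Always Deny", a prompt that only works once a GUI is
available, and an audit of runs that happened with no user decision.
Constructed example for the thread; not ProcessGuard's implementation."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

# Phrase the thread reports seeing in the Security tab's Last Action column.
UNABLE_TO_ASK = "Unable to ask user"


class Permission(Enum):
    PERMIT_ONCE = "Permit Once"      # decision is not remembered; ask on every run
    ALWAYS_ALLOW = "Always Allow"
    ALWAYS_DENY = "Always Deny"


@dataclass
class Entry:
    permission: Permission
    last_action: str = ""            # what the Security tab would display


# A prompt callback gets the exe name and returns (allow, remember_decision).
Prompt = Callable[[str], Tuple[bool, bool]]


@dataclass
class PolicyEngine:
    gui_available: bool = False             # False during early boot
    fail_open_without_gui: bool = True      # thread's described behaviour; False = fail closed
    entries: Dict[str, Entry] = field(default_factory=dict)
    log: List[Tuple[str, str]] = field(default_factory=list)  # what the logfile keeps

    def execute(self, exe: str, prompt: Optional[Prompt] = None) -> bool:
        """Decide whether `exe` may run; returns True if it is allowed."""
        entry = self.entries.setdefault(exe, Entry(Permission.PERMIT_ONCE))
        if entry.permission is Permission.ALWAYS_ALLOW:
            return self._record(exe, entry, True, "Permit (always)")
        if entry.permission is Permission.ALWAYS_DENY:
            return self._record(exe, entry, False, "Deny (always)")
        # Permit Once: a fresh user decision is needed every time.
        if not self.gui_available or prompt is None:
            allowed = self.fail_open_without_gui
            verb = "Permit Once" if allowed else "Deny"
            return self._record(exe, entry, allowed, f"{verb} ({UNABLE_TO_ASK})")
        allowed, remember = prompt(exe)
        if remember:
            entry.permission = Permission.ALWAYS_ALLOW if allowed else Permission.ALWAYS_DENY
        return self._record(exe, entry, allowed, "Permit Once" if allowed else "Deny")

    def _record(self, exe: str, entry: Entry, allowed: bool, action: str) -> bool:
        entry.last_action = action
        # The logfile records only the verdict, not whether a user was consulted,
        # which is why the audit below reads the in-memory (GUI) state instead.
        self.log.append((exe, "Permit" if allowed else "Deny"))
        return allowed

    def unprompted(self) -> List[str]:
        """Executables whose last run happened without a user decision."""
        return sorted(exe for exe, e in self.entries.items() if UNABLE_TO_ASK in e.last_action)


if __name__ == "__main__":
    engine = PolicyEngine()                       # boot: GUI not up yet
    engine.execute("boottime.exe")                # constructed name; runs unasked
    engine.gui_available = True
    engine.execute("procexp.exe", lambda exe: (True, True))  # user allows and remembers
    print("Ran without a prompt:", engine.unprompted())
    print("Logfile view:", engine.log)
```

Run the audit right after boot, before anything else is allowed, and compare it against what learning mode had already covered; anything unexpected in that list is the entry to investigate. Flipping `fail_open_without_gui` to `False` shows the trade-off the thread is arguing about: the early-boot program is blocked instead of silently allowed, which is safer but is exactly what breaks legitimate startup items whose MD5 changed after an update.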
  9. INTOXSICKATED

    INTOXSICKATED Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    485
    Location:
    Suburbia Hell
    i see what you're saying, so processguard would be better if it was able to freeze all traffic until it has started? or else something could slip by during boot-up.
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Gottadoit is correct that if you did allow such a .exe to run then it may be possible to get malware to stop PG, but there is more to it than that. When Windows boots there is a sort of race for drivers and services to install, so any such malware still might not function if PG loaded before it. I do not know what the probabilities are and I imagine it would be hard to test. This would cause a real headache for the malware writer, and as PG is such a small target I doubt it would be worthwhile except as a proof of concept.

    Pilli
     
  11. Ean

    Ean Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    23
    Location:
    LA, CA
    Maybe silly followup Q: but isn't there some way to control the ORDER in which things startup, at least to some extent?

    Or even if one was doing a fresh install of the OS (mine is Win2K), maybe would there be an order of installing things that might be more beneficial?

    That would be great info to have, if any of the great forum community here has any of the skinny on it. With ZoneAlarm, AdAware, PG, TDS, and PortExplore, maybe there would be a "best" way to do it all?
     
  12. PG#1

    PG#1 Guest

    Thanks for bringing this up. As a user, I don't like having exe(s) run once (and not be able to ask) implemented in the current PG3x releases. Yet DCS's concern is that for some situations (new installation, updating the OS, ...) it might be a problem not to let that happen once, since PG users forget to update new/modified exe MD5 signatures in PG's MD5 protection list.
    Wow! How about being better than ever?
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    I am not a coder so Jason will have to answer this properly, but I do know that XP's startup is dynamic, i.e. self-adjusting at a very low level, so creating a solution to set the startup order might be a very hard nut to crack which may cause instabilities in other areas.

    Pilli
     
  14. Ean

    Ean Registered Member

    Joined:
    Jan 29, 2005
    Posts:
    23
    Location:
    LA, CA
    Thanks Pilli! I don't know if that's even possible, but I just always wondered if it was possible that by proper order of things while building/installing a system that one could maybe have things be more optimal!
     
  15. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Pilli,
    It seems that there is malware that makes use of the race condition... so as expected it's not as easy as brushing off the attack vector as "a proof of concept" exploit.

    Take a look at https://www.wilderssecurity.com/showthread.php?p=368727#post368463
    lynchknot experienced a java exploit that disabled ProcessGuard on reboot
     
  16. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi gottadoit, interesting post by lynchknot:
    It would be interesting to know what version of ProcessGuard and which settings he had, and the same would apply to his other security software. However, browser exploits are dangerous and not what ProcessGuard's protection is for.
    There certainly is no easy answer, that's for sure.

    Cheers. Pilli
     
  17. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Here's the thread: https://www.wilderssecurity.com/showthread.php?t=58274&highlight=virus firefox


    Yep, i'm infected I think. So far:

    C:\WINDOWS\system32\APIHookDll.dll - PWS:Win32/Hooker.P -> Infected

    All security apps failed. I should have been using "Winrollback" I would not be having trouble right now this is a true "drive by" infection that Firefox has no protection from - other than turning off Java.

    Most all my startups are missing. Does anyone know what I should do?
    http://img9.exs.cx/img9/8352/startups9lo.jpg
     
  18. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Lynchknot, you can use DelLater from here: http://www.diamondcs.com.au/index.php?page=products This will work providing that you know the file name.
    ProcessGuard full would stop .dll injection unless you gave Firefox or another app permission to enable modification; it will also stop the installation of services and drivers. An executable would have had to run before reboot for it to be able to do as you have described.

    HTH Pilli
     
  19. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Pilli,
    By your response I don't suppose you read the thread that lynchknot posted or looked at the dates of the posts, before offering to help him solve a problem that is long gone.... ;-)

    However lynchknot still didn't say which version of processguard he was using and whether it was the free version or the full version, that would be good to know
     
  20. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    I have an app called GiPo@MoveOnBoot that, I think, does the same thing. However, I did not realize I was infected until I performed a reboot.

    **edit - i'm not sure which version of PG I was using either. If PG1.0 was available at that date then I was using the full version.**edit - In fact, I'm pretty sure I was using the full version of PG.

    All this virus(?) did was shut down/delete all my startups (but one)
     
    Last edited: Feb 10, 2005
  21. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    I did read it hence my question about the version of PG in use and what was allowed :)
    It is sometimes very difficult to analyse such a problem after the fact, especially for a non techie like me.

    Cheers. Pilli
     
  22. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Around Dec it must have been version 1.0. I just use PG as it comes, as I have not learned how to program it. I usually set everything but "block new and changed".

    I suppose I should study this as I have no idea whether or not these settings are correct:

    http://img210.exs.cx/img210/9825/correct2od.jpg
     
    Last edited: Feb 10, 2005
  23. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Ok,
    Given that lynchknot was most probably running the full version, then it seems likely that the exploit was written in Java and hence didn't require another executable to be run (other than java, which would already have been allowed).

    I've read about the fact that some java vulnerabilities existed, but I updated when Secunia reported it and haven't looked at the details (if anybody else has, feel free to correct me), but it sounds like bytecode was allowed to run outside of the java sandbox and have access to any system resources (i.e. mess with the registry and filesystem).

    Given that this probably isn't the last java vulnerability we will see I wonder if the time has come to put the java executable onto permit once and do a few experiments to see what happens after it has already been loaded (for a legitimate site)

    Some days...

    NB: Offtopic, but have a look at the IDN vulnerability reported on by the Reg (and probably elsewhere as well)
     
  24. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    You do know that I was using the beta version of Java 5.0, correct? This may have been fixed. At any rate, what I was hit with seems very rare. I now disable Java in Firefox.
     
  25. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA