standard/limited user has full control to PxSecure.dll

Discussion in 'Prevx Releases' started by m00nbl00d, Jul 14, 2011.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I was checking for write permissions in a relative's system in C:\Windows\* directory, using AccessChk.

    I used the syntax accesschk -w -s username "C:\Windows\"

    The Users group only had read and execution permissions for PxSecure.dll. As it should be.

    The standard user account has FULL control over PxSecure.dll. It's able to delete the file. No UAC alert, due to permissions allowing deletion, etc.

    Just to clarify, the file is in C:\Windows\System32\PxSecure.dll.

    This begs the question: Why does the user (limited user) have FULL access to PxSecure.dll?

    It shouldn't. Such permissions should be handled by the prevx.exe running with System permissions and not by the process running with user permissions. (I'm assuming that's the reason why the user has such permissions, in the first place.)

    If the user has FULL access, so does malware.
     
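The check described in the post above, reproduced as an added PowerShell example (not the poster's AccessChk run and not Prevx code): it walks a directory and reports every file on which some principal other than the usual privileged ones holds an Allow ACE that permits modifying or deleting the file. Using an allow-list of privileged principals rather than looking only for the Users group is what catches the case in this thread, where the extra permission was granted to the individual standard user account. The allow-list below and the rights mask are this example's own assumptions; the default root is the System32 directory the thread discusses.

```powershell
# Added example (not from the thread): find files under $Root that a
# non-privileged principal can modify or delete.  Assumes Windows PowerShell
# 5.1 or PowerShell 7; run it as the standard user or as an administrator.

# Rights that let a principal alter, replace or remove a file (constructed mask).
$ModifyMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
              [System.Security.AccessControl.FileSystemRights]::AppendData -bor
              [System.Security.AccessControl.FileSystemRights]::Delete -bor
              [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
              [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
              [System.Security.AccessControl.FileSystemRights]::FullControl

# Principals expected to have write access inside System32 (assumed allow-list).
$PrivilegedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

function Find-LowPrivWritableFile {
    param(
        [string]   $Root       = "$env:SystemRoot\System32",
        [string[]] $Privileged = $PrivilegedPrincipals,
        [switch]   $Recurse
    )

    Get-ChildItem -LiteralPath $Root -File -Recurse:$Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try { $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop } catch { return }

        foreach ($ace in $acl.Access) {
            # Only Allow entries can grant anything; Deny entries are ignored here.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Skip principals that are supposed to be able to write here.
            if ($Privileged -contains $ace.IdentityReference.Value) { continue }
            # Flag the entry if any bit of the modify mask is set.
            if (([int]$ace.FileSystemRights -band [int]$ModifyMask) -ne 0) {
                [pscustomobject]@{
                    Path      = $file.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # $false means an explicit ACE was added to this file
                }
            }
        }
    }
}

# Usage: audit the single file from the thread, then the whole directory.
Find-LowPrivWritableFile -Root "$env:SystemRoot\System32" |
    Where-Object Path -like '*\PxSecure.dll' | Format-Table -AutoSize
Find-LowPrivWritableFile -Root "$env:SystemRoot\System32" -Recurse | Format-Table -AutoSize
```

The Inherited column is the useful signal when reading the output: System32's inherited defaults do not grant modify rights to standard users, so a finding with Inherited = False means an explicit ACE was written onto that file by an installer or product, which is exactly the situation the original post found with AccessChk.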
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    Thank you for the feedback. This is because PxSecure.dll isn't used by the SYSTEM level components - it is used only by the web browser and user-level applications. If the file is deleted, it is automatically placed back when it is next seen to be used.

    We implemented it this way (with lowered required permissions) because of some incompatibilities with sandboxes (not Sandboxie) which were causing the browser to crash. You can change the permissions manually if you like but it could possibly cause browser crashes with some applications.

    Let me know your results!
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Thank you for letting me know why such happens. The testing will have to happen some other day, though.

    -edit-

    I forgot to ask about something. You mentioned that "If the file is deleted, it is automatically placed back when it is next seen to be used." OK. But, wouldn't Prevx self-protection prevent such deletion? I haven't actually deleted the file, as I didn't want to cause problems in my relative's system. But, I want to believe Prevx self-protection would stop it? It's curious you didn't mention that, though.

    One more thing. If anything in user-space can do anything to PxSecure.dll, including writing to it, would Prevx self-protection prevent such? Otherwise, malware running in user-space would get access to System32, when normally it wouldn't. Not only that, it could (I'm just talking about mere possibility) compromise Prevx/Safe Online itself?

    Again, I want to believe that Prevx self-protection would stop that.


    Thanks
     
    Last edited: Jul 14, 2011
  4. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Bump for the new Question in the above post because of edit!

    TH
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The self protection intentionally does not place itself over PxSecure.dll to avoid the incompatibilities mentioned. In theory the file could be deleted but there is no negative side-effect of doing so, which is why the engine doesn't try to prevent it.

    Note that this is changed in the Cloud AV/SecureAnywhere beta as we've solved the incompatibility with the new architecture in "Prevx" 4 :)
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I totally forgot about this thread. :ouch:

    What about malware running in user-space that would compromise PxSecure.dll? This is the dll that gets loaded in the browser to allow SafeOnline to work. Wouldn't SafeOnline become compromised?
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Self protection is applied over its structures on load so there isn't an issue. Although now that SecureAnywhere is released, you could use that if you wanted to prevent the issue in the first place :)
     
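Since the ACL on this file is deliberately left open, the on-disk copy can only be trusted by verifying it rather than by relying on permissions. The following added PowerShell example (not Prevx code and not from the thread) checks whether a DLL still carries a valid Authenticode signature, optionally compares its SHA-256 against a known-good value, reports who owns the file, and lists which processes currently have it loaded. The path defaults to the PxSecure.dll location named in the thread; the `$ExpectedSha256` value is a placeholder the reader supplies from a clean install.

```powershell
# Added example (not from the thread): integrity check for a DLL whose ACL
# does not prevent modification.  Assumes Windows PowerShell 5.1 or later.

function Test-DllIntegrity {
    param(
        [string] $Path = "$env:SystemRoot\System32\PxSecure.dll",
        [string] $ExpectedSha256                  # placeholder: hash taken from a known-good copy
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }

    # Authenticode status: 'Valid' for an untampered, trusted signature;
    # 'HashMismatch' means the file bytes no longer match the signed hash.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $acl  = Get-Acl -LiteralPath $Path

    # Processes that have this module mapped (the thread says the browser loads it).
    # Reading Modules of elevated processes can fail for a standard user, so ignore those.
    $leaf    = Split-Path -Leaf $Path
    $loaders = foreach ($p in Get-Process) {
        try {
            if ($p.Modules | Where-Object { $_.ModuleName -eq $leaf }) { $p.ProcessName }
        } catch { }
    }

    [pscustomobject]@{
        Path            = $Path
        Present         = $true
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Owner           = $acl.Owner
        Sha256          = $hash
        HashMatches     = if ($ExpectedSha256) { $hash -eq $ExpectedSha256.ToUpper() } else { $null }
        LoadedBy        = ($loaders | Sort-Object -Unique) -join ', '
    }
}

# Usage: replace the placeholder with the hash recorded from a clean installation.
Test-DllIntegrity -ExpectedSha256 '<SHA256 OF KNOWN-GOOD PxSecure.dll>' | Format-List
```

A result of SignatureStatus = HashMismatch, or an owner other than a privileged account, is the condition worth alerting on: it means the file the browser will load next time differs from what the vendor shipped, which the open ACL would not have prevented.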
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Released? I missed the release? :D I haven't played with latest beta... Damn... I missed the release? o_O :eek: :D :thumb:

    -edit-

    Or, are you talking about the beta? I'm not seeing any thread about WSA being released. I associated "released" with final version. :D
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Sorry :D The beta is released (although the final isn't far away ;))
     