standard/limited user has full control to PxSecure.dll

I was checking for write permissions in a relative's system in C:\Windows\* directory, using AccessChk.

I used the syntax accesschk -w -s username "C:\Windows\"

The Users group only had read and execution permissions for PxSecure.dll. As it should be.

The standard user account has FULL control over PxSecure.dll. It's able to delete the file. No UAC alert, due to permissions allowing deletion, etc.

Just to clarify, the is in C:\Windows\System32\PxSecure.dll.

This begs the question: Why does the user (limited user) have FULL access to PxSecure.dll?

It shouldn't. Such permissions should be handled by the prevx.exe running with System permissions and not by the process running with user permissions. (I'm assuming that's the reason why the user has such permissions, in the first place.)

If the user has FULL access, so does malware.

 

Hello,
Thank you for the feedback. This is because PxSecure.dll isn't used by the SYSTEM level components - it is used only by the web browser and user-level applications. If the file is deleted, it is automatically placed back when it is next seen to be used.

We implemented it this way (with lowered required permissions) because of some incompatibilities with sandboxes (not Sandboxie) which were causing the browser to crash. You can change the permissions manually if you like but it could possibly cause browser crashes with some applications.

Let me know your results!

 

Thank you for letting me know why such happens. The testing will have to happen some other day, though.

-edit-

I forgot to ask about something. You mentioned that If the file is deleted, it is automatically placed back when it is next seen to be used.. OK. But, wouldn't Prevx self-protection prevent such deletion? I haven't actually deleted the file, as I didn't want to cause problems in my relative's system. But, I want to believe Prevx self-protection would stop it? It's curious you didn't mention that, though.

One more thing. If anything in user-space can do anything to PxSecure.dll, including writing to it, would Prevx self-protection prevent such? Otherwise, malware running in user-space would get access to System32, when normally it wouldn't. Not only that, it could (I'm just talking about mere possibility) compromise Prevx/Safe Online itself?

Again, I want to believe that Prevx self-protection would stop that.


Thanks

 

Bump for the new Question in the above post because of edit!

TH

 

The self protection intentionally does not place itself over PxSecure.dll to avoid the incompatibilities mentioned. In theory the file could be deleted but there is no negative side-effect of doing so, which is why the engine doesn't try to prevent it.

Note that this is changed in the Cloud AV/SecureAnywhere beta as we've solved the incompatibility with the new architecture in "Prevx" 4

 

I totally forgot about this thread.

What about malware running in user-space that would compromise PxSecure.dll? This is the dll that gets loaded in the browser to allow SafeOnline to work. Wouldn't SafeOnline become compromised?

 

Self protection is applied over its structures on load so there isn't an issue. Although now that SecureAnywhere is released, you could use that if wanted to prevent the issue in the first place

 

Released? I missed the release? I haven't played with latest beta... Damn... I missed the release?

-edit-

Or, are you talking about the beta? I'm not seeing any thread about WSA being released. I associated "released" with final version.

 

Sorry The beta is released (although the final isn't far away )