TDS3 Execution protection

Discussion in 'Trojan Defence Suite' started by frogfoot, Aug 18, 2004.

Thread Status:
Not open for further replies.
  1. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    Hi, I am running the full version of TDS3 and Process Guard. When I inspect the log in Process Guard I would expect the TDS execprot.exe to be called for each executable run; however, it only seems to be called some of the time.
    This is an extract of the log:

    18 Aug 19:14:56 - [EXECUTION] c:\windows\system32\wbem\wmiprvse.exe with commandline c:\windows\system32\wbem\wmiprvse.exe -embedding was ALLOWED to run
    18 Aug 19:32:45 - [EXECUTION] c:\windows\system32\wuauclt.exe with commandline "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[504]susdsf89b20517062d946957b67961d2b475d was ALLOWED to run
    18 Aug 19:44:46 - [EXECUTION] c:\program files\sophos\remote update\iupdate.exe with commandline "c:\program files\sophos\remote update\iupdate.exe" {21e81483-745b-11d5-83f7-0050ba6dbfd6} 0 was ALLOWED to run
    18 Aug 19:44:46 - [EXECUTION] c:\program files\sophos\remote update\iupdate.exe with commandline "c:\program files\sophos\remote update\iupdate.exe" {21e81484-745b-11d5-83f7-0050ba6dbfd6} 0 was ALLOWED to run
    18 Aug 19:44:46 - [EXECUTION] c:\program files\sophos\remote update\iupdate.exe with commandline "c:\program files\sophos\remote update\iupdate.exe" {2d787830-1657-44f4-aaae-51788083545e} 0 was ALLOWED to run
    18 Aug 19:44:56 - [EXECUTION] c:\windows\system32\wbem\wmiprvse.exe with commandline c:\windows\system32\wbem\wmiprvse.exe -embedding was ALLOWED to run
    18 Aug 20:09:57 - [EXECUTION] c:\program files\tds3\ext.sys\execprot.exe with commandline "c:\program files\tds3\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\outlook express\msimn.exe was ALLOWED to run
    18 Aug 20:09:58 - [EXECUTION] c:\program files\outlook express\msimn.exe with commandline "c:\program files\outlook express\msimn.exe" was ALLOWED to run
    18 Aug 20:10:16 - [EXECUTION] c:\program files\internet explorer\iexplore.exe with commandline "c:\program files\internet explorer\iexplore.exe" -embedding was ALLOWED to run
    18 Aug 20:13:09 - [EXECUTION] c:\program files\tds3\ext.sys\execprot.exe with commandline "c:\program files\tds3\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\diamond cs\port explorer\portexplorer.exe was ALLOWED to run
    18 Aug 20:13:09 - [EXECUTION] c:\program files\diamond cs\port explorer\portexplorer.exe with commandline "c:\program files\diamond cs\port explorer\portexplorer.exe" was ALLOWED to run
    18 Aug 20:14:46 - [EXECUTION] c:\program files\sophos\remote update\iupdate.exe with commandline "c:\program files\sophos\remote update\iupdate.exe" {21e81483-745b-11d5-83f7-0050ba6dbfd6} 0 was ALLOWED to run
    18 Aug 20:14:47 - [EXECUTION] c:\program files\sophos\remote update\iupdate.exe with commandline "c:\program files\sophos\remote update\iupdate.exe" {21e81484-745b-11d5-83f7-0050ba6dbfd6} 0 was ALLOWED to run
    18 Aug 20:14:47 - [EXECUTION] c:\program files\sophos\remote update\iupdate.exe with commandline "c:\program files\sophos\remote update\iupdate.exe" {2d787830-1657-44f4-aaae-51788083545e} 0 was ALLOWED to run
    18 Aug 20:14:47 - [EXECUTION] c:\program files\tds3\ext.sys\execprot.exe with commandline "c:\program files\tds3\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\internet explorer\iexplore.exe was ALLOWED to run
    18 Aug 20:14:48 - [EXECUTION] c:\program files\internet explorer\iexplore.exe with commandline "c:\program files\internet explorer\iexplore.exe" was ALLOWED to run
    18 Aug 20:14:56 - [EXECUTION] c:\windows\system32\wbem\wmiprvse.exe with commandline c:\windows\system32\wbem\wmiprvse.exe -embedding was ALLOWED to run
    18 Aug 20:17:03 - [EXECUTION] c:\program files\tds3\ext.sys\execprot.exe with commandline "c:\program files\tds3\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\sysinternals\process explorer\procexp.exe was ALLOWED to run
    18 Aug 20:17:04 - [EXECUTION] c:\program files\sysinternals\process explorer\procexp.exe with commandline "c:\program files\sysinternals\process explorer\procexp.exe" was ALLOWED to run


    Note how only some of the apps have been scanned by TDS3. Is this by design, or is Execution Protection not working on my system?

    Thanks
    Tom
     
  2. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    Looking at the log files it seems that only programs with no arguments are scanned; the ones with '-embedding' or ' {2d787830-1657-44f4-aaae-51788083545e} 0' or similar are not scanned. Could someone explain what the various arguments mean?
    Thanks
    Tom
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi frogfoot, I'm guessing here :) but are the .exe's that are not showing execution protection "executing" also on your PG protection list?
    What I am thinking is that you may not have given TDS3 the correct allow privileges for protected list programs, or that the TDS3 .exe is not on your PG protection list.
    In other words, PG is stopping TDS3's execution protection from running, i.e. doing its job :cool:

    Oh, just checked on my other PC, as this one is running the new PG beta - it appears that all programs I run are being scanned by exec prot - strange.

    Regarding the "arguments" I have no real idea but hopefully DCS will comment.

    As I said, just a guess. Pilli

    Edited 21:06
     
    Last edited: Aug 18, 2004
  4. FanJ

    FanJ Guest

    Hi,

    First of all:
    I don't have Process Guard (I can't run it because I'm still at W 98SE).
    So I have to leave that part to others ;)

    However:
    There is a difference between execprot.exe and execprot.dll !

    See this thread:
    https://www.wilderssecurity.com/showthread.php?t=21003

    If I remember well, there have been one or two long threads about execprot.exe and Process Guard with some discussion about it.

    Maybe, if we can come to a clear explanation for execprot.exe and Process Guard, it might be a good idea to add it to that thread for future reference.
     
  5. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    Thanks for the quick reply, but execprot.exe has all available privs (excluding driver install, global hooks and CMH).
    Thanks
    Tom
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi again, I only have tds-3.exe on my protection list with the normal four blocks, no allows and CMH - Exec prot works fine, so I guess tds-3.exe starts / spawns the exec prot process, i.e. the hook.

    18 Aug 20:57:13 - Window Log Started
    18 Aug 20:57:21 - [EXECUTION] d:\tds3\ext.sys\execprot.exe with commandline d:\tds3\ext.sys\execprot.exe tds|tdsdll-test:d:\program files\lavasoft\ad-aware 6\ad-watch.exe was ALLOWED to run
    18 Aug 20:57:23 - [EXECUTION] d:\program files\lavasoft\ad-aware 6\ad-watch.exe with commandline "d:\program files\lavasoft\ad-aware 6\ad-watch.exe" was ALLOWED to run
    18 Aug 20:57:25 - [P] d:\program files\lavasoft\ad-aware 6\ad-watch.exe [2080] tried to gain READ access on d:\program files\processguard\procguard.exe [484]
    18 Aug 20:57:25 - [P] d:\program files\lavasoft\ad-aware 6\ad-watch.exe [2080] tried to gain READ access on d:\program files\agnitum\outpost firewall\outpost.exe [1824]
    18 Aug 20:58:05 - [EXECUTION] d:\tds3\ext.sys\execprot.exe with commandline d:\tds3\ext.sys\execprot.exe tds|tdsdll-test:d:\program files\port explorer\portexplorer.exe was ALLOWED to run
    18 Aug 20:58:06 - [EXECUTION] d:\program files\port explorer\portexplorer.exe with commandline "d:\program files\port explorer\portexplorer.exe" was ALLOWED to run
    18 Aug 20:58:26 - [EXECUTION] d:\tds3\ext.sys\execprot.exe with commandline d:\tds3\ext.sys\execprot.exe tds|tdsdll-test:d:\program files\cryptosuite\cryptosuite.exe was ALLOWED to run
    18 Aug 20:58:29 - [EXECUTION] d:\program files\cryptosuite\cryptosuite.exe with commandline "d:\program files\cryptosuite\cryptosuite.exe" was ALLOWED to run
    18 Aug 21:12:20 - [EXECUTION] d:\tds3\ext.sys\execprot.exe with commandline d:\tds3\ext.sys\execprot.exe tds|tdsdll-test:d:\program files\internet explorer\iexplore.exe was ALLOWED to run
    18 Aug 21:12:21 - [EXECUTION] d:\program files\internet explorer\iexplore.exe with commandline "d:\program files\internet explorer\iexplore.exe" was ALLOWED to run
    18 Aug 21:12:47 - [EXECUTION] d:\tds3\ext.sys\execprot.exe with commandline d:\tds3\ext.sys\execprot.exe tds|tdsdll-test:d:\program files\eset\nod32.exe was ALLOWED to run
    18 Aug 21:12:47 - [EXECUTION] d:\program files\eset\nod32.exe with commandline "d:\program files\eset\nod32.exe" was ALLOWED to run
    18 Aug 21:12:49 - [P] d:\program files\eset\nod32krn.exe [1396] tried to gain READ access on d:\program files\processguard\procguard.exe [484]
    18 Aug 21:12:49 - [P] d:\program files\eset\nod32krn.exe [1396] tried to gain READ access on d:\program files\agnitum\outpost firewall\outpost.exe [1824]
     
    Last edited: Aug 18, 2004
  7. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    I notice that none of the applications in your log extract have arguments; it seems to be only the ones with arguments which don't get checked by TDS3

    (see my second post).

    Thanks again
    Tom
     
  8. FanJ

    FanJ Guest

    Hi Tom,

    I really doubt whether this proves that TDS-3 Execution Protection (which is the hook execprot.dll) did not check those !

    Once again I would like to point to the difference between execprot.exe and execprot.dll.
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi again frogfoot, please remove execprot.exe from your protection list, then add, if you have not already, TDS-3.exe with the default settings and CMH if you like. execprot.dll is spawned from TDS-3.exe - you can see it in Process Explorer. As stated by FanJ, this creates the necessary hook.
     
  10. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Interesting. I also have TDS3 and PG, but I never see anything in my PG log file like "d:\tds3\ext.sys\execprot.exe with commandline d:\tds3\ext.sys\execprot.exe .....". :'(

    I have set up TDS-3 with execution protection enabled (or so it says), and have entered TDS-3 into the protected programs list as stated above. I was unaware these entries in the log file were a way of checking to see if Exec Protection was working. What might I be doing wrong?
     
  11. FanJ

    FanJ Guest

    Hi Daisey,

    As I posted earlier in this thread:
    I absolutely doubt whether the fact that you don't see those entries in your ProcessGuard logfile does prove that those files are NOT scanned by TDS-3!

    I really think that it does not prove it!!!

    I could try to prove that TDS-3 DOES check them by Execution Protection, but I guess that makes not much sense here (cause I don't run PG; you know: W 98 SE ;) ).
    I really have to leave the PG-issues here to others ;)

    I cannot say often enough that execprot.exe and execprot.dll are NOT the same thing.

    Well, I leave it further up to the DCS guys and mods and to the more experienced users of both TDS-3 and PG.

    Take care !
    Cheers, Jan.
     
    Last edited by a moderator: Aug 18, 2004
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Daisie,
    Hmm, are you sure that Execution Protection is installed? You can see this in the console window after TDS3 has started. TDS3 must be a running process as a desktop item, i.e. GUI showing, minimised or iconised in the sys tray.
    If you are using Process Explorer you can see that execprot.dll is loaded in the .dll view.
    The DLL view shows the image file, DLLs, and data files mapped into the address space of the selected process.

    HTH Pilli
     
  13. bluekey23

    bluekey23 Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    77
    In the ext.sys folder in the TDS-3 directory you should see many executables, including execprot.exe.
    Question: which of the many executable files in this folder (and other TDS folders too, as far as that goes) should be given full allow permissions in Procguard in order to get the maximum protection when TDS is running in the tray?
     
  14. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    I have removed execprot.exe from the protected items list; TDS3 was already added to the list, with the blocks and allows you suggest. There seems to be no change: some applications still do not have a preceding TDS entry in the PG log when run.

    This makes interesting reading. If execprot.exe has nothing to do with execution protection but is simply used for DDE exchange, why is it called prior to running some applications? It seems it is related in some way to execution protection.

    Pilli, in your Process Guard log do you see any applications start without being preceded by a call to execprot.exe? Especially ones with an argument in the command line like the one below (note the {21e81483-745b-11d5-83f7-0050ba6dbfd6}).

    19 Aug 09:12:50 - [EXECUTION] c:\program files\sophos\remote update\iupdate.exe with commandline "c:\program files\sophos\remote update\iupdate.exe" {21e81483-745b-11d5-83f7-0050ba6dbfd6} 0 was ALLOWED to run
     
  15. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Bluekey, as far as I know only the main .exe, i.e. tds-3.exe. The other .exe's are started by TDS so, when run, the checksum part of Process Guard will demand a permission; therefore they do not need to be on your protection list. Also many will not run unless TDS3 is running.

    HTH Pilli
     
  16. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    No, not on the pc I was checking it on which uses Windows 2003 server OS and has very few program changes except for updates.

    This PC is running the new beta :) which is quite different.

    Hopefully DCS may get time to answer your question.
     
  17. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    I think I understand what is going on now. If the process is started by the user (i.e. you click on a shortcut or start menu item) the TDS execprot.exe process runs, with or without an argument following it; however, if the application is spawned from another application then execprot.exe is not run.
    I did the following simple test:
    1) Run Media Player from a start menu item - execprot runs
    2) Run Media Player (with argument) by clicking on an AVI file on my HDD - execprot runs
    3) Run Media Player spawned from iExplorer by clicking on a link to an AVI - execprot does not run
    See below:

    19 Aug 09:36:45 - [EXECUTION] c:\program files\tds3\ext.sys\execprot.exe with commandline "c:\program files\tds3\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\windows media player\wmplayer.exe was ALLOWED to run
    19 Aug 09:36:46 - [EXECUTION] c:\program files\windows media player\wmplayer.exe with commandline "c:\program files\windows media player\wmplayer.exe" /prefetch:1 was ALLOWED to run
    19 Aug 09:36:52 - [EXECUTION] c:\program files\tds3\ext.sys\execprot.exe with commandline "c:\program files\tds3\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\windows media player\wmplayer.exe was ALLOWED to run
    19 Aug 09:36:53 - [EXECUTION] c:\program files\windows media player\wmplayer.exe with commandline "c:\program files\windows media player\wmplayer.exe" /prefetch:8 /shellhlp_v9 play /dataobject:nefepehfbaaaaaaaoabaaaaaaaaaaaaaamaaaaaaaaaaaageaaaaaaaafaaaaaaakbgchhpacogofpgplafhobaboidalpoloaijaaaaaccamcpadlmhahjciindapceaaaaaaaa was ALLOWED to run
    19 Aug 09:37:03 - [EXECUTION] c:\program files\windows media player\wmplayer.exe with commandline "c:\program files\windows media player\wmplayer.exe" /ocx /nolibraryadd /play "http://www.teamspeed95.nu/images/ny%20mapp/wmmplt.wmv" /prefetch:10 was ALLOWED to run


    Does this mean that TDS will not scan an application spawned from another process? If so, then isn't that a bit of a vulnerability?

    I am sure however that I am barking up the wrong tree, maybe someone from DCS could explain what I am seeing and put my mind at rest.
    Thanks
    Tom
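    The question running through this thread (posts 2 and 17) is which [EXECUTION] entries in the Process Guard log are preceded by an execprot.exe entry for the same program, and whether the unscanned ones are the ones with arguments or the ones spawned by another process. The script below is an added example, not code from the thread, from DiamondCS or from Process Guard: it parses PG log lines in exactly the format pasted above, pairs each execprot.exe "tds|tdsdll-test:<target>" entry with the execution of <target> that follows within a few seconds, and tallies both hypotheses. The sample lines are constructed from the extracts posted in this thread (with a placeholder URL in the last one); the 10-second pairing window is an assumption.

```python
"""Audit a Process Guard execution log for TDS-3 execprot.exe pre-scan entries.

Added example (not code from the thread or from DiamondCS). Assumptions:
the PG log format is exactly as pasted in this thread, and a TDS-3 pre-scan
shows up as execprot.exe being run with a 'tds|tdsdll-test:<target>' argument
shortly (PRESCAN_WINDOW) before <target> itself is executed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Matches the [EXECUTION] lines as they appear in the thread's log extracts.
EXEC_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{2}:\d{2}:\d{2}) - \[EXECUTION\] "
    r"(?P<image>.+?) with commandline (?P<cmd>.*) was (?P<verdict>\w+) to run$"
)
# The execprot.exe argument naming the program about to be scanned.
PRESCAN_RE = re.compile(r"tds\|tdsdll-test:(?P<target>.+)$")
# Assumed maximum gap between the execprot.exe entry and the target's own entry.
PRESCAN_WINDOW = timedelta(seconds=10)

# Constructed sample: lines taken from the extracts in this thread, one [P]
# access-attempt line included to show it is skipped, URL replaced by a placeholder.
SAMPLE_LOG = r"""
18 Aug 19:14:56 - [EXECUTION] c:\windows\system32\wbem\wmiprvse.exe with commandline c:\windows\system32\wbem\wmiprvse.exe -embedding was ALLOWED to run
18 Aug 20:09:57 - [EXECUTION] c:\program files\tds3\ext.sys\execprot.exe with commandline "c:\program files\tds3\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\outlook express\msimn.exe was ALLOWED to run
18 Aug 20:09:58 - [EXECUTION] c:\program files\outlook express\msimn.exe with commandline "c:\program files\outlook express\msimn.exe" was ALLOWED to run
18 Aug 20:10:16 - [EXECUTION] c:\program files\internet explorer\iexplore.exe with commandline "c:\program files\internet explorer\iexplore.exe" -embedding was ALLOWED to run
18 Aug 20:57:25 - [P] d:\program files\lavasoft\ad-aware 6\ad-watch.exe [2080] tried to gain READ access on d:\program files\processguard\procguard.exe [484]
19 Aug 09:36:45 - [EXECUTION] c:\program files\tds3\ext.sys\execprot.exe with commandline "c:\program files\tds3\ext.sys\execprot.exe" tds|tdsdll-test:c:\program files\windows media player\wmplayer.exe was ALLOWED to run
19 Aug 09:36:46 - [EXECUTION] c:\program files\windows media player\wmplayer.exe with commandline "c:\program files\windows media player\wmplayer.exe" /prefetch:1 was ALLOWED to run
19 Aug 09:37:03 - [EXECUTION] c:\program files\windows media player\wmplayer.exe with commandline "c:\program files\windows media player\wmplayer.exe" /ocx /nolibraryadd /play "http://example.invalid/clip.wmv" /prefetch:10 was ALLOWED to run
""".strip().splitlines()


@dataclass
class Execution:
    ts: datetime
    image: str        # lower-cased image path
    cmd: str
    has_args: bool    # command line carries more than the image path itself
    prescanned: bool  # an execprot.exe pre-scan for this image preceded it


def _parse_ts(text: str) -> datetime:
    # PG log lines carry no year; 1900 is fine for intra-day differences.
    return datetime.strptime(text, "%d %b %H:%M:%S")


def _has_args(image: str, cmd: str) -> bool:
    """True if anything remains after the (optionally quoted) image path."""
    rest = cmd.strip()
    if rest.startswith('"'):
        rest = rest[1:]
    if rest.lower().startswith(image):
        rest = rest[len(image):]
    if rest.startswith('"'):
        rest = rest[1:]
    return bool(rest.strip())


def audit_log(lines):
    """Return one Execution per [EXECUTION] line, flagged with whether a
    matching execprot.exe pre-scan entry preceded it within PRESCAN_WINDOW."""
    pending = {}   # target image -> time of its execprot.exe pre-scan entry
    results = []
    for line in lines:
        m = EXEC_RE.match(line.strip())
        if not m:
            continue  # [P] access-attempt lines and other noise are ignored
        ts = _parse_ts(m["ts"])
        image = m["image"].lower()
        cmd = m["cmd"]
        if image.endswith("\\execprot.exe"):
            p = PRESCAN_RE.search(cmd)
            if p:
                pending[p["target"].strip().lower()] = ts
            continue  # the pre-scan helper itself is not audited
        scanned_at = pending.pop(image, None)
        prescanned = scanned_at is not None and ts - scanned_at <= PRESCAN_WINDOW
        results.append(Execution(ts, image, cmd, _has_args(image, cmd), prescanned))
    return results


def summarize(records):
    """Tally the two hypotheses raised in the thread: 'arguments mean no
    pre-scan' versus 'only some launches get a visible pre-scan'."""
    return {
        "total": len(records),
        "prescanned": sum(r.prescanned for r in records),
        "prescanned_with_args": sum(r.prescanned and r.has_args for r in records),
        "unscanned": [r.image for r in records if not r.prescanned],
    }


if __name__ == "__main__":
    for r in audit_log(SAMPLE_LOG):
        flag = "pre-scan seen " if r.prescanned else "NO pre-scan   "
        print(f"{r.ts:%d %b %H:%M:%S}  {flag} args={r.has_args!s:5}  {r.image}")
    print(summarize(audit_log(SAMPLE_LOG)))
```

    On the sample, the wmplayer.exe launch with /prefetch:1 is pre-scanned despite having an argument, while the later wmplayer.exe launch has no execprot.exe entry at all, which is the pattern post 17 describes. As FanJ notes, absence of an execprot.exe entry in the PG log is only absence of that visible marker, not proof that execprot.dll skipped the file.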
     
  18. FanJ

    FanJ Guest

    Last edited by a moderator: Aug 20, 2004