TracksEraserPro

Discussion in 'ProcessGuard' started by spy1, Feb 1, 2004.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I notice that TEP is stopped dead in its tracks (<g>) if it can't create global hooks.

    Is it the general consensus that it would be okay to double-click te.exe in PG, go to "Options" in the drop-down menu and put a check-mark into "Allow Global Hooks"?

    Because otherwise, the only alternative is to shut down PG to run TEP (which is okay if there's a problem with allowing it global hooks). Pete
     
  2. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I don't know TEP, but if it is a trusted app which can't work without allowances, give them to it :)
     
  3. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    I ran into so many hassles with applications needing global hooks, I disabled the option entirely. I even had one case where my system rebooted spontaneously, which it had never, ever done before. (I can't definitively trace that to the global hook setting specifically, but it hasn't happened since.)
     
  4. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I have only these apps that need Global Hooks:

    IE
    SSM
    a video game
    pg_msgprot
    procguard.exe

    Only 5 allowances to set up :)

    How many did you have to set up to be so annoyed?
     
  5. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    I finally got disgusted after having to set up 21 (procguard.exe, explorer.exe, boclean.exe, katmouse.exe, admunch.exe, fileex.exe, hndythng.exe, point32.exe, winshade.exe, girder.exe, wcat.exe, systrayx.exe, regedit.exe, wintv2k.exe, psp.exe, plus 6 others that use GH but for which I did not grant access). Then, with all the general protection options enabled, my system crashed hard. That did it for me.
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    That's funny - out of the 42 items in PG's protection list on my computer, I only had to allow - 1 (one).

    I've also "Allowed" one other - but I didn't really have to for the program to work, I just did it because I got tired of seeing the log entries.

    When I get everything fine-tuned when the next version comes out - I won't even need to see the log entries (I'll be getting real-time, attention-getting, solve-it-right-then-and-there input from PG's tray icon).

    Sorry to hear you're giving up on the program over something like this - Were I you, I'd change my approach to the utilization of the program rather than dumping it. Pete
     
  7. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Nice programs nameless :) , I see you must be using a TV card and remote, I use Girder too. The more programs you run on your system the more configuring that may be required. Hopefully the next version will fix any issues you are experiencing; in the meantime you might want to turn off the new General Protection Options (Global Hooks and Service/Driver) and see if that solves your problems.

    -Jason-
     
  8. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Thanks. The thing is, if I don't enable global hooks on all those applications, the log entries that pour forth drive me clinically insane. I also live in fear that my applications won't behave properly--even if they seem to. (Code is a funny thing.) And after allowing 15 or 20 applications to use global hooks, I start wondering, "What's the point?"

    I'm not dumping PG; I only meant that I was dumping the use of the general options (and especially global hook blocking). :)

    Thanks Jason!
     
  9. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Allowing GH means that any trojan can inject a DLL into any of your protected processes and terminate them.
    A GH can also be used by keyloggers.
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    gk - that's a pretty broad statement (not that I don't agree with it totally).

    I'd really like to see a response to it from Gavin or Jason confirming it - because if it is totally correct, it makes following a 'minimalist' approach with regard to PG even more important (and the info should be added to that thread).

    We're all going to feel really funny if playing with PG's settings and protections winds up making us more (rather than less) vulnerable. Pete
     
  11. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    EDIT: I think you misunderstood me.
    I mean "if you don't enable the GH protection" it allows trojans to use it ;)

    I don't know what a "broad" statement is, I just know that it works like that.

    In addition you can read this in the PG help file:

    About keyloggers:

    This is why the GH blocking feature has been added, because processes can be terminated like that.

    I'm sure DCS can explain it better than me.
     
  12. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Sorry Pete I'm in a bit of a rush tonight and it's very late here in Perth (1:30am and I've still got an analysis to finish) so I don't have much time to answer any threads comprehensively here at the moment, but just in regards to this query I have to respond! ...
    There is NOTHING you can do with PG that could make you MORE vulnerable than you are without PG (I'm not quite sure how you came to that conclusion?!?) :)

    Regardless of how you use PG, it definitely adds some level of protection. For example, even if you just have the freeware version and only protect one process, and even if you only protect it against one process privilege such as Terminate, you're still making your system MORE secure than it was without PG. The more things you add to PG's protection list, the more secure your system becomes, but there's nothing you can do that could possibly make your system more insecure than it was without PG.

    Hope that makes sense - if not, please don't hesitate to ask about what you're not sure about.

    Cheers,
    Wayne
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Scenario - ProgramX (SuperDuperAV/AT/Anti-Scumware/Anti-Keylogger/Firewall program extraordinaire) has been your mainstay program for years. You love it, trust it, wouldn't be without it, runs even before you turn the computer on! ( <g> ).

    Only problem is, this new-fangled program called PG's log is filling up with requests from this program for Write, Terminate, Suspend, Set Info privileges - it also wants to create a global hook and install some drivers and services

    To make this favorite program happy (and to keep your PG logfile from taking over your entire HD) - you give it everything it wants!

    Unfortunately, one of the following things happen shortly thereafter:

    Your "favorite" software maker's author decides he wants to put one over on everyone (or simply goes insane due to the lack of monetary gratitude he gets from his users) and his very next program update or revision of the program contains - you guessed it! - the mother of all malware - keylogs; propagates itself; mails itself to all your friends; makes their (and your) computers all its "bots" for its next DDOS against the backbone of the Internet servers; sends nasty, threatening letters to government officials chosen specifically from YOUR area and country (with YOUR address plainly visible!); and then, it shows you a picture onscreen of Monty Python giving you the bird and then it destroys your HD (and everyone else's!).

    Scenario II - Your favorite software's author, due to his amazing popularity (or because he ticks off someone with some know-how and a big enough axe to grind) has his update server hacked and his enemy or competitor somehow manages to take over his update server and plants (go back and read up above).

    Or, take Scenario III - a simple mistake in an update or a revision change results in (go back and read up above).

    Of course - PG could have prevented this planet-wide catastrophe - except - you gave your favorite program permissions to do all that.

    Get some rest, Wayne. Pete
     
  14. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Pete,

    Pete, rewind the clock back five years .... everything you've described is still possible, but Process Guard wasn't invented then, so how can what you're describing be a Process Guard vulnerability when the vulnerability existed before Process Guard ever did? Or how can running Process Guard make you any more vulnerable?!? :)

    And remember - when you give something ALLOW privileges in Process Guard, you're not giving it extra powers or anything, you're just allowing it to do something that it would normally be able to do anyway if Process Guard wasn't securing the system. For example, you might allow Task Manager to access the TERMINATE privilege... that might sound like you're giving it a powerful capability, but if you don't have Process Guard protecting your system then Task Manager (and all other programs - trojans and viruses included) are free to access the TERMINATE privilege anyway. So by ALLOWING processes in Process Guard, essentially all you're doing is allowing them to access system functions that those processes could normally access anyway if Process Guard wasn't protecting the system.

    In any case, you're referring to an extreme worst-case-scenario here, and a very unlikely one at that. However, even if PG cannot protect against such a particular extraordinary attack, this doesn't mean that by running PG you're any less secure, it just means that PG isn't protecting you against one specific attack -- but that would be an attack that _NO_ other software on your system would protect you against anyway (not your firewall, or antivirus, or anything else), so what you're describing isn't a PG vulnerability - it's a system-wide vulnerability, and PG shouldn't be blamed for not providing protection because no programs would provide protection against such an attack, especially if you've given "Allow" privileges to the program (as you typically would for a trusted program, as in the attack you described).

    At the end of the day, if you give a program "Allow" privileges to do something, then it's allowed to do that -- if the author suddenly releases a malware version of the program, then it would still be allowed to do whatever you've allowed it to do. This is the reality of software - software can basically do EVERYTHING unless it has been restricted (for example, by a firewall, or Process Guard, or user logon privilege restrictions, etc).

    In other words, if you give something the license to kill, and it kills something, that's not a vulnerability ... :)

    Regards,
    Wayne
     
  15. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Wayne - I'm not really saying that by running PG you'll be any less secure - I am saying that deviating from the standard default protections built in to the program can result in seriously unforeseen circumstances and could very well result in your not being protected as WELL as you could have been had you NOT screwed with default protections.

    Sure, I took it to the extreme for illustrative purposes - but it's still true.

    And, the scenarios above aren't nearly as unlikely to occur as you might think (you read it here first). Pete
     
  16. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Pete I'm glad you mentioned that, because this statement essentially applies to all security software (especially rule-based) :)

    When you install a security program you (the user) automatically make assumptions about what the program can and can't do ... there's a very, very good chance that those assumptions aren't 100% accurate, so you might be protected against some things that you think you're vulnerable to, and likewise, you might be vulnerable to some things that you think you're protected against, and even if you've read the help file back-to-front there are probably still some undocumented protection features you're not made aware of :)

    ... this is another good time to remind everyone that no security software is (or ever will be) 100% secure, and if a software vendor ever makes such a claim, don't buy their software - instead, report their claim to a forum such as Wilders or DSLReports and their claim will be properly analysed. :)

    Security software exists only to INCREASE security - it cannot guarantee it.

    Btw - your argument for 'keeping the default config' is a good one, and in regards to Process Guard, most users should be able to leave the auto-generated config 'as-is' - they shouldn't really need to remove anything, but it's also usually the case that security can be enhanced in such programs by adding to the configuration, especially in such rule-based programs like firewalls and Process Guard. :)
     
  17. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Please Wayne, don't give away so early the arguments that are in my upcoming paper about security and leaktests... :'(

    Thank you ;)
     
  18. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    gkweb - we look forward to it! :)
     
  19. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    It's easy to imagine a malware application that totally defeats Process Guard. Just replace pguard.dat with a nullified copy, using PendingFileRenameOperations. I replaced my pguard.dat file with a different copy using that exact method. I could have just as easily replaced it with a neutered copy.

    Or the malware could use a driver that loaded before procguard.sys, by way of the system reserved load order.

    Everything helps, but nothing is 100%, for sure.
     
  20. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    And blocking GH means I spend my life configuring Process Guard, rather than using my computer for the reasons I really want to. That's a security trade-off I'm not willing to make. If I ran a system where only 5 or 10 processes at a time were running, sure PG would be a breeze, but I typically run with 50 or 60 processes running.
     
  21. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Well, Process Guard stops MoveFileEx (what dellater uses) from working with pguard.dat and procguard.sys/procguard.exe. Of course protection needs to be enabled (in Process Guard) for this protection to be in place, otherwise you can do what you want with the .DAT, the .SYS, the .EXE, etc.

    I would like to know which method you are using nameless so I can verify that what you did does delete/move pguard.dat

    -Jason-
     
  22. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    And since you can block services/drivers from installing with Process Guard, how will this "imaginary" driver which blocks Process Guard get installed in the first place? :D

    -Jason-
     
  23. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Jason - On nameless' system, it'll get installed because he won't have "Block Services/Drivers" - "Block Global Hooks" activated (<g>). (Hey, ya' gotta keep that tv card and those 50 or 60 running processes happy - right?)

    A little dichotomy here, wouldn't you say? In the "minimalist" thread, you posted this: "I think there are issues with Block Services/Drivers AND Block Global Hooks that are causing issues for some people in v1.200, simply untick those protections and it should work just as well as earlier versions."

    This would allow exactly whatever the type of attack he's talking about to work, correct? And it's also precisely the wrong course to suggest if you're wanting to get the full benefit of the protections built-in to PG!

    Quite a conundrum.

    I'm sticking with "minimalist" and happy all-to-pieces that it's working just fine for me here that way. Pete
     
  24. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    That option isn't enabled by default. And you yourself advised me (in another thread) to keep it disabled for now, due to possible problems arising from it. And since I was having serious problems attributable to PG, I was happy to comply.

    I happened to use InstallFile to create the PendingFileRenameOperations key, but it could be done in a number of other ways, including silently (using the /s Regedit switch) with a REG file.

    After I created the PendingFileRenameOperations value and rebooted, I verified that my altered pguard.dat settings were in fact in place. It did work, and I think I had PG enabled at the time. If I am wrong on that, I am prepared to eat crow. ;) I have since uninstalled PG, so I can't immediately duplicate the effort.
     
  25. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Yes, I have to keep my TV card and other processes happy. Why is that worthy of derision? Why are you being flip to me? Aren't I just a fellow DCS customer who has reported bugs and gotten them corrected, and who is here trying to close some potential holes in Process Guard's security?

    BTW, the steps I mentioned can be done with the default Process Guard settings.
     
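The delayed-rename trick nameless describes in posts 19 and 24 (and that Jason refers to as the MoveFileEx/dellater method in post 21) works because MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT does not touch the file system at all: it appends a source/target pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and Session Manager carries the rename out early in the next boot, before services and user-mode protection products are running. A REG file imported with "regedit /s" writes the same value directly, which is why nameless notes the step can be done silently. The following is an added example, not code from the thread or from DiamondCS: it builds that value exactly as MoveFileEx would (NT-style "\??\" paths, an empty target meaning "delete", a leading "!" on the target meaning MOVEFILE_REPLACE_EXISTING), renders it as a .reg file, and then does the defender's job of decoding the raw bytes and flagging any pending operation whose endpoint is one of the Process Guard files named in the thread. The install path, the file names in the sample, and the PendingOp/flag_protected helpers are assumptions for illustration.

```python
# Added example, not code from the thread or from DiamondCS.  Builds and parses the
# Session Manager PendingFileRenameOperations value that
# MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) writes, and flags entries aimed at
# Process Guard's own files.  All paths below are assumed for illustration.
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"   # NT object-manager form that Session Manager expects
REG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
PROTECTED = {"pguard.dat", "procguard.sys", "procguard.exe"}   # files named in the thread


@dataclass(frozen=True)
class PendingOp:
    source: str
    target: Optional[str]      # None means "delete source at boot"
    replace_existing: bool     # MOVEFILE_REPLACE_EXISTING, stored as a "!" prefix on target


def _nt(path: str) -> str:
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def _win(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def encode_pending_ops(ops: List[PendingOp]) -> List[str]:
    """Source/target string pairs exactly as MoveFileEx appends them to the value."""
    out: List[str] = []
    for op in ops:
        out.append(_nt(op.source))
        if op.target is None:
            out.append("")                         # empty target = delete at boot
        else:
            out.append(("!" if op.replace_existing else "") + _nt(op.target))
    return out


def decode_pending_ops(strings: List[str]) -> List[PendingOp]:
    """Inverse of encode_pending_ops; raises on an odd (corrupt) entry count."""
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/target pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append(PendingOp(_win(src), None, False))
        else:
            replace = dst.startswith("!")
            ops.append(PendingOp(_win(src), _win(dst[1:] if replace else dst), replace))
    return ops


def encode_multi_sz(strings: List[str]) -> bytes:
    """REG_MULTI_SZ on disk: UTF-16LE, a NUL after each string, one extra NUL at the end.
    Empty strings (the deletes) are legal in this value even though many tools drop them."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(data: bytes) -> List[str]:
    text = data.decode("utf-16-le")
    if text.endswith("\0\0"):
        text = text[:-2]
    elif text.endswith("\0"):
        text = text[:-1]
    return text.split("\0") if text else []


def to_reg_file(strings: List[str]) -> str:
    """Render the value as a .reg file for 'regedit /s'.  hex(7) is how .reg files
    carry REG_MULTI_SZ: comma-separated bytes, wrapped with '\\' continuation lines."""
    hexbytes = [f"{b:02x}" for b in encode_multi_sz(strings)]
    chunk = 25
    lines = [",".join(hexbytes[i:i + chunk]) for i in range(0, len(hexbytes), chunk)]
    body = ",\\\n  ".join(lines)
    return ("Windows Registry Editor Version 5.00\n\n"
            f"[{REG_KEY}]\n"
            f'"PendingFileRenameOperations"=hex(7):{body}\n')


def flag_protected(ops: List[PendingOp], protected=PROTECTED) -> List[PendingOp]:
    """Detection side: any pending operation whose endpoint is a protected file."""
    hits = []
    for op in ops:
        endpoint = op.source if op.target is None else op.target
        if endpoint.rsplit("\\", 1)[-1].lower() in protected:
            hits.append(op)
    return hits


# Constructed sample (hypothetical paths): the first pair swaps in a neutered config
# file at boot; the second is the kind of temp-file cleanup a legitimate installer leaves.
SAMPLE_OPS = [
    PendingOp(r"C:\Temp\neutered.dat", r"C:\Program Files\ProcessGuard\pguard.dat", True),
    PendingOp(r"C:\WINDOWS\Temp\setup.tmp", None, False),
]
SAMPLE_VALUE = encode_pending_ops(SAMPLE_OPS)

if __name__ == "__main__":
    print(to_reg_file(SAMPLE_VALUE))
    for op in flag_protected(decode_pending_ops(decode_multi_sz(encode_multi_sz(SAMPLE_VALUE)))):
        print("pending rename targets a protected file:", op)
```

On a live system, read the value's raw bytes and feed them to decode_multi_sz rather than trusting a tool's string view of it: the empty strings that mark deletions are exactly what many REG_MULTI_SZ readers discard. The check is worth running at each boot from something that starts before Session Manager would act on the list, or, failing that, right after boot against a copy of the previous value, since the entries are consumed once the renames are performed. Whether Process Guard with protection enabled blocks the MoveFileEx path against its own files, as Jason states, is a separate question the example does not settle.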