Which hooks to allow?

Discussion in 'other security issues & news' started by Tommy, Aug 26, 2006.

Thread Status:
Not open for further replies.
  1. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    As we all know, a lot of applications try to install a global hook, write into memory, etc. Simple question, which could result in a kind of yes/no list.

    Which hooks do you allow from which 'basic' applications, and which are necessary for running an OS?
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,043
    If you trust the application... all of them.

    If you don't trust the application... why are you running it?
     
  3. herbalist

    herbalist Guest

    There's no set answer for your question. I use SSM, which has "this time only" options on the alerts for system hooks. What I normally do is to block the hooks the first time and see how well the requesting app works without them. Many will work normally. If the app works without the hooks, I block them permanently. If it doesn't, I have to decide if I trust the app enough to allow it to set hooks or replace it with something else.
    Rick
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    I think such a master list is sorely needed. The DiamondCS list isn't enough.
    If the programs and components don't need the privilege for normal operation, why allow it?
    I mean just printing to a network printer makes spoolsv.exe want to install a driver/service. :rolleyes: It prints just fine without this privilege.
    Adobe PhotoShop is the same and works fine without the privilege.
    I think Firefox needs access to physical memory for its password feature.
    Whether it needs global hooks, access to physical memory, to install a driver/service, to connect to the internet, etc. It would be very helpful if there were a list like this that included at least the most popular programs and components.

    Things like MS Intellitype (a utility that enables special keys on MS keyboards) need global hooks, otherwise the special keys don't work.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,043
    Question is who is going to do it to begin with and then who will maintain it. I was beta testing back early in the Process Guard program when that idea came up. I started to do a list for just what's on my computer, and gave up. It is just plain too time-consuming. Also, about the time you finish you will get an upgrade to a program, and it may well change things. Reality is you just aren't going to see a "list". That's why there is learning mode. It works, and if you use the settings you will be fairly well protected. If you want things tighter, it will be from trial and error as herbalist suggested.

    Pete
     
  6. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Pete,

    I think the company who makes the program (DiamondCS, SSM, etc.) should start the list and make it with as many popular programs as possible. But I think the editing of the list should be open to registered users of the program. Like a Wiki? This way little by little end users could add our own knowledge to it so the list would become comprehensive in a short time. If there are mistakes or improvements then that could be done as well.

    Learning mode is great, but it leaves holes open. The same way that using an application based firewall leaves holes open.
    This would be like a tweaking guide (company hosted/end user maintained) not unlike Black Viper's and TweakHound's Services guide or Paranoid2000's Outpost Configuration guide, or BlackSpear's NOD32 config guide.
    It's not essential, but it can take your security up to the next level.
    I have no clue how such a thing would be set up though and I am not volunteering. :D Although I would contribute what I learned.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,043
    Hi Devinco

    I suspect that won't happen. Problem is, say DCS puts out a preliminary list. They become obligated to maintain it. It would be very risky to allow users to make changes, as someone with malicious intent could post false stuff. Sad, but a software company would be ill advised to do this. I am afraid this responsibility will fall on the user. Someone posted in the DCS forum asking about ctfmon.exe. They could google it and find out what it is, and then make a decision. That will probably remain the best course.

    Cheers,

    Pete
     
  8. herbalist

    herbalist Guest

    About the best I would expect to see for a list would be one for OS components, and even that would require regular updating. Even with that, what some users consider acceptable, others don't. Since support for Win98 is done, this no longer directly applies, but could serve as an example for XP. I did all my updating manually, so I didn't allow wupdmgr.exe to run. I don't allow iexplore.exe to automatically parent most of the executables involved in the update process, whereas most users will want to. Most of the updates come as executables which will be unknown to the HIPS program. They have no way of knowing what they'll be called, so they can't allow for them in any "approved list". The only way (with SSM) that I see to make the process work automatically would be to use the "allow this process to execute any unclassified program" setting for executables involved in the update process. I won't use that setting on anything, including SSM. All code is exploitable, and anything that has that much unlimited permission can be used to completely take over a PC, so no executable gets a blanket approval to do whatever it wants on my PC. On XP units, giving this level of access to the update processes means that you will get IE7 when it comes out. If you want it, all is fine. If you don't, or don't want something else like WGA being passed off as a security patch, you take control of the update process and set up your HIPS to enforce it. Once Vista comes out, all bets are off. They don't plan on giving users or security-ware that level of access or system control, and the user loses the control over his system he now enjoys. Without the ability to access the kernel and control hooks, the user no longer has the final say.
    Rick
     
  9. ESQ_ERRANT

    ESQ_ERRANT Registered Member

    Joined:
    Jul 13, 2006
    Posts:
    72
    I came upon this thread a little while ago wondering if there was an answer to a specific query I've been getting involving the browser Firefox. I invariably get a query from PG saying that Firefox has attempted to add a driver, whenever I do a printout of a case on Westlaw. I always allow the block and Firefox doesn't appear to be the worse for the denial.

    Also, I started a thread two weeks ago on the issue of what global hooks to allow.

    The reader may wish to check out responses to my thread titled "General Query RE: Allowing Global Hooks ET.AL" that I posted on August 18, 2006.
     
    Last edited: Sep 3, 2006