Which hooks to allow?

As we all know, a lot of aplication try to install a global hook, write into memory etc. Simple question, which could result into a kind of yes/no list.

Which hooks do you allow from which 'basic' aplication and which are nececarry for running a OS?

 

There's no set answer for your question. I use SSM, which has "this time only" options on the alerts for system hooks. What I normally do is to block the hooks the first time and see how well the requesting app works without them. Many will work normally. If the app works without the hooks, I block them permanently. If it doesn't, I have to decide if I trust the app enough to allow it to set hooks or replace it with something else.
Rick

 

I think such a master list is sorely needed. The DiamondCS list isn't enough.
If the programs and components don't need the privilege for normal operation, why allow it?
I mean just printing to a network printer makes spoolsv.exe want to install a driver/service. It prints just fine without this privilege.
Adobe PhotoShop is the same and works fine without the privilege.
I think FireFox needs access to physical Memory for its password feature.
Whether it needs global hooks, access physical memory, install driver/service, connect to the internet, etc. This would be very helpful if there was a list like this that included at least the most popular programs and components.

Things like MS Intellitype (a utility that enable special keys on MS keyboards) needs global hooks otherwise the special keys don't work.

 

Hi Pete,

I think the company who makes the program (DiamondCS, SSM, etc.) should start the list and make it with as many popular programs as possible. But I think the editing of the list should be open to registered users of the program. Like a Wiki? This way little by little end users could add our own knowledge to it so the list would become comprehensive in a short time. If there are mistakes or improvements then that could be done as well.

Learning mode is great, but it leaves holes open. The same way that using an application based firewall leaves holes open.
This would be like a tweaking guide (company hosted/end user maintained) not unlike Black Viper's and TweakHound's Services guide or Paranoid2000's Outpost Configuration guide, or BlackSpear's NOD32 config guide.
It's not essential, but it can take your security up to the next level.
I have no clue how such a thing would be set up though and I am not volunteering. Athough I would contribute what I learned.

 

About the best I would expect to see for a list would be one for OS components, and even that would require regular updating. Even with that, what some users consider acceptable, others don't. Since support for Win98 is done, this no longer directly applies, but could serve as an example for XP. I did all my updating manually, so I didn't allow wupdmgr.exe to run. I don't allow iexplore.exe to automatically parent most of the executables involved in the update process, whereas most users will want to. Most of the updates come as executables which will be unknown to the HIPS program. They have no way of knowing what they'll be called so they can't allow for them in any "approved list". The only way (with SSM) that I see to make the process work automatically would be to use the "allow this process to execute any unclassified program" for executables involved in the update process. I won't use that setting on anything, including SSM. All code is exploitable, and anything that has that much unlimited permission can be used to completely take over a PC, so no executable gets a blanket approval to do whatever it wants on my PC. On XP units giving this level of access to the update processes means that you will get IE7 when it comes out. If you want it, all is fine. If you don't, or don't want something else like WGA being passed off as a security patch, you take control of the update process and set up your HIPS to enforce it. Once Vista comes out, all bets are off. They don't plan on giving users or security-ware that level of access or system control and the user loses the control over his system he now enjoys. Without the ability to access the kernel and control hooks, the user no longer has the final say.
Rick

 

I came upon this thread a little while ago wondering if there was an answer to a specific query I've been getting involving the browser Firefox. I invariably get a query from PG saying that Firefox has attempted to add a driver, whenever I do a printout of a case on Westlaw. I always allow the block and Firefox doesn't appear to be the worse for the denial.

Also, I started a thread two weeks ago on the issue of what global hooks to allow.

The reader may wish to check out responses to my thread titled "General Query RE: Allowing Global Hooks ET.AL" that I posted on August 18, 2006.