wishlist for 1.200 (?)

Discussion in 'ProcessGuard' started by Andreas1, Dec 11, 2003.

Thread Status:
Not open for further replies.
  1. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi all,
    Like with a similar thread over at the CryptoSuite forum, I thought it would maybe be a good idea to start collecting ideas on how to further postpone TDS4 ...errrr to further enhance PG I mean :D

    Officially on the list is - AFAIU
    - SetWindowHook(Ex) support
    - Monitor installation of other drivers

    Here's what I have in my notes:
    - Import and Export lists of protected applications and their settings (also import a plaintext listing of files/paths with default flags)
    - Fix removal of all entries when none is selected and the user presses "remove" (i haven't confirmed this myself, but it has been reported in one thread over here)
    - hash exes that have allowances on them (even the MS File-Integrity-protected ones - I don't trust it as much as I would trust PG :D).
    - also hash and keep track of dlls that are being loaded into processes with allowances. Prompt for dlls being loaded for the first time or with a different checksum
    (- allow for a more differentiated tweaking of how and which windows messages are handled by CMH :rolleyes: )

    Possibly some of the items (the hashing and DLL monitoring) would introduce quite some resource strain, what do you think? Worth it? How much of it?

    CU,
    Andreas
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Some nice suggestions there Andreas :D
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    For DLL injection monitoring, it would conflict with any Application Monitoring software, and with firewalls too; I don't think it's the purpose of PG.
    PG currently prevents DLL injection and code injection into protected processes as well as termination; you want, in addition, that it checks which DLLs protected processes with allowed privileges load? Why?
    If a trojan wants to inject a malicious DLL into a protected process it can't, so I see no need for such a feature.

    But to check processes by a hash sounds OK to me; a simple MD5 would be enough.
     
  4. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi gkweb,

    The reason I'm asking is this: In PG - and IMHO quite reasonably so - the allowances take precedence over the blocking flags. Thus, if you allow write/termination/SetInfo or Suspend access to any application, this application has a PC at its disposal that is almost (except for general protection options) bare of PG's protection. Okay, provided you have protected that application in turn, then there's no way that some malevolent code can sneak into that process, hijack it and exploit the allowances granted to it.

    But, what if the so-privileged application isn't running at all? As long as the exe is just idling on the harddisk, any other process can come along and plant its own code into it. Thus, when the privileged application is then launched, it goes through PG like through butter, but has changed functionality in a way which probably isn't to our liking. That's why I was asking to hash-verify exes with allowances only.

    But the problem doesn't stop there. Suppose one of your privileged applications is known to load a certain dll. Then the malware can change that dll-file while the privileged app isn't loaded and when it's launched, the modified dll gets loaded and can execute with the privileges of the privileged app, again bypassing much of PG's protection. That's not Dll injection, because the privileged application itself is requesting the dll to be loaded, only it has a different content by now. So you have to monitor and hash dlls that get loaded into privileged applications as well - a bit more complicated since this is often flexibly done at runtime...


    In short: the allow flags introduce a window of exposure (namely modification of the files that make up the running process associated with the flag while this process isn't running at all (yet)), and this should be countered with a hash verification that the allowed exe is still what we meant to be allowed and that it only loads what was meant to be loaded. It's actually the inverse of the advantage that you don't have to protect DLLs from being terminated/unloaded or modified because they "inherit" the protection from the process that loads them.


    Also, I would think these hashes could be a bit stronger than MD5.


    Finally, I for one do think this feature fits better with an application like PG than with a firewall. IMHO, it's not a firewall's task to check if my TaskManager has been modified or not. One can certainly debate whether this should be PG's task instead (or maybe even better that of some file-integrity checker, they specialize in this after all)... and probably one can even contest that it's not a firewall's task.
    I'd simply like to hear some feedback by PG users and by DCS about what aspects should be considered with this...
     
  5. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    For hashing executables I totally agree.

    But, even if I understood your point about DLLs, isn't the possibility of hijacking a trusted process in this kind of way never-ending?

    Let me explain: OK, you do a hash of all DLLs used by PG-trusted processes, but a DLL can load another DLL, which in its turn can also call another one.
    So you have to hash all dependencies when a trusted process starts (to ensure its integrity), which in my opinion could result in a huge number of files (all the system DLLs can be involved).
    If you do that, you must check all dependencies too, even drivers.
    If I am not really right on this point and an executable only loads "few" DLLs, I will just say that with "TaskInfo 2003" I can see that "explorer.exe" loads 90+ DLLs. I don't say it's the case for every executable, but imagine 50 protected processes each loading a high number of DLLs (I counted 79 DLLs loaded by "ccapp.exe" from NAV, and 54 by my browser).

    So it's not that I really disagree with the need for this feature, since the risk is real, but I doubt it would be doable (not sure of this word) ensuring 100% integrity (I mean all the ways covered) without eating a lot of resources.

    In fact, I agree with the idea, but not in this way and not by PG.
    I should cross-post the following to the "CryptoSuite feature request thread".
    If in the future CS can add a "tripwire-like" feature, which means having a database of vital files or any chosen files with their fingerprints, you can be warned when a file is modified.
    A better feature would be to have, in addition to the "on demand scanner", a real-time scanner which would run with the lowest process priority to be permanently checking system files.

    As you said, the possibility of hijacking trusted PG processes exists, but which way is the better one to handle that I don't know.
    If what you suggested is possible in a proper way, then I second your wish :)
    But if so, you would in fact have to check even other trusted processes without allowances, since they can be shut down via a modified DLL.
    Indeed, as you noticed, PG protects against injecting DLLs but can't do anything if the process isn't started.

    In the end, we could "maybe" suppose that commonly used DLLs are also used by many other processes, so even if our particular trusted process isn't running, chances are that its DLLs are nevertheless in use.

    EDIT: another feature request would be a check box which, if checked, enables us to have a popup when an entry is added to the log window.

    EDIT2: I had to edit my post I don't remember how many times to correct English errors (don't laugh at seeing the thousand I missed...)
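The two posts above describe a baseline-and-verify check: fingerprint an exe that carries allowances plus every DLL it pulls in, transitively, and report what changed while the process was not running. The following is an added illustration, not code from the thread or from DiamondCS, using SHA-256 (stronger than the MD5 suggested earlier). Everything in it is constructed: the temporary files, the dependency map, and the `deps_of` callback. On a real Windows system that callback is where the PE import table or the loader's module list (what TaskInfo shows) would plug in; that part is not implemented here. The size of the closure it computes is exactly the file count the cost concern in the post above is about.

```python
"""Baseline-and-verify integrity check for an executable and its DLL dependency closure.

Added example, not ProcessGuard code. Real dependency resolution (PE imports or
the loader's module list) is out of scope; deps_of() below is a hypothetical hook.
"""
import hashlib
import os
import tempfile
from typing import Callable, Dict, Iterable, List, Set, Tuple


def sha256_file(path: str) -> str:
    """Streamed SHA-256 of one file, so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def dependency_closure(root: str, deps_of: Callable[[str], Iterable[str]]) -> Set[str]:
    """Every file the root loads, directly or via another DLL (DLL -> DLL -> ... chains).

    A 'seen' set keeps shared DLLs (loaded by several modules) from being walked twice
    and protects against cyclic import graphs.
    """
    seen: Set[str] = set()
    stack = [root]
    while stack:
        item = stack.pop()
        if item in seen:
            continue
        seen.add(item)
        stack.extend(deps_of(item))
    return seen


def build_baseline(root: str, deps_of: Callable[[str], Iterable[str]]) -> Dict[str, str]:
    """Fingerprint the whole closure once, while the files are known to be good."""
    return {path: sha256_file(path) for path in dependency_closure(root, deps_of)}


def verify(root: str, deps_of: Callable[[str], Iterable[str]],
           baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-walk the closure and report modified, newly appearing, and missing files."""
    current = build_baseline(root, deps_of)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "new": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> Tuple[int, Dict[str, List[str]], Dict[str, List[str]]]:
    """Constructed scenario: app.exe -> a.dll, b.dll; a.dll and b.dll share c.dll.

    Returns (closure size at baseline, clean report, report after tampering), with
    paths reduced to basenames so the result does not depend on the temp directory.
    """
    with tempfile.TemporaryDirectory() as d:
        def p(name: str) -> str:
            return os.path.join(d, name)

        # Constructed stand-ins for binaries; the content only needs to be hashable.
        for name, data in {"app.exe": b"MZ app v1", "a.dll": b"MZ a v1",
                           "b.dll": b"MZ b v1", "c.dll": b"MZ c v1"}.items():
            with open(p(name), "wb") as f:
                f.write(data)

        # Hypothetical dependency map standing in for real import-table resolution.
        deps: Dict[str, List[str]] = {"app.exe": ["a.dll", "b.dll"],
                                      "a.dll": ["c.dll"], "b.dll": ["c.dll"], "c.dll": []}

        def deps_of(path: str) -> List[str]:
            return [p(n) for n in deps.get(os.path.basename(path), [])]

        baseline = build_baseline(p("app.exe"), deps_of)
        clean = verify(p("app.exe"), deps_of, baseline)

        # Simulate the window the thread describes: the app is not running, so a
        # shared DLL is replaced and a.dll now also pulls in a DLL nobody approved.
        with open(p("c.dll"), "wb") as f:
            f.write(b"MZ c replaced")
        with open(p("d.dll"), "wb") as f:
            f.write(b"MZ d v1")
        deps["a.dll"].append("d.dll")
        tampered = verify(p("app.exe"), deps_of, baseline)

        def basenames(report: Dict[str, List[str]]) -> Dict[str, List[str]]:
            return {k: [os.path.basename(x) for x in v] for k, v in report.items()}

        return len(baseline), basenames(clean), basenames(tampered)


if __name__ == "__main__":
    size, clean, tampered = demo()
    print(f"closure size: {size}")
    print("clean run:", clean)
    print("after tampering:", tampered)
```

The `missing` bucket matters as much as `modified`: a DLL that vanishes from the closure usually means a different module with the same name is now being resolved from somewhere else, which is the other way the "modified dependency" scenario shows up in practice.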
     
  6. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi again,
    Good point. I didn't think of that.
    Also I get the impression that this sort of check is better handled by another service after all. A pity. Well, maybe one day we can have a ss3 script that will be run from TDS4 and coordinate CSE and PG so as to achieve this functionality. ;)

    CU,
    Andreas
     
  7. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    yes, maybe :)

    it's up to DCS to play now ;)
     
  8. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Look at this another way: if you have a list of approved and guarded applications and PG checks every process before it is executed, you don't have to have an AT, FW, AV or any security program loaded anymore, because any unapproved executable will not be able to load.
    By then it would be a must to integrate PG as a part of Windows. Goodbye, black/white hats, no more work left.
    DCS sells PG to Microsoft and they will be able to spend their lifetime on producing nice games, freeware utilities, and enhancing CS. :D
    Dolf
     
  9. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    But PG isn't a "System Safety Monitor" or an "Abstrusion Protector", it is just meant to prevent chosen processes from being attacked, I think :)
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    gkweb, You have to get used to Dolf's rather good "droll" humour

    Droll : Amusing in a facetious sort of way
     
  11. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    I was serious :'(
    Because this is about a wishlist I mentioned those possibilities. Adding SSM-like features, you're not only having active processes guarded but also preventing unauthorized executables from being executed, so no trojan, virus or worm will have any chance to do any damage because they are not listed in the "approved list".
    Dolf
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    In that case I am sorry. :) Wayne has often said his fight is mainly against Trojans.
    If this new technology can be harnessed using your possibilities (wishlist) it would be rather interesting to see the reactions of the big AV players, let alone MS. Let's just hope that any DCS copyright on this technology is watertight!
     
  13. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    thanks for the explanation Pilli :D

    @Dollefie

    For the following, "Application Monitoring" means software like SSM or AP.

    Application Monitoring and Process Protection _should_ be two different features in my opinion.
    Indeed, you seem to believe that allowing only trusted executables to launch is 100% secure, but in fact it is only if you never make mistakes :)
    The example I always give is that you could mistakenly allow something to load believing it's a screen saver or a game, and then this malicious program, which is in fact a trojan (let's say "the beast"), will inject itself into your processes.
    Another example: even when running application monitoring software, spyware or malicious scripts which are triggered from your browser itself (which is trusted) can, why not, also attempt to access your processes (I think it's possible with so many browser vulnerabilities, whether it be IE or another one).

    This is why having two layers of security is better than just one: application monitoring software does its job, PG does its own ;)

    Just my point of view on the subject.
     
  14. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    gkweb you are right, human error causes most security to fail. Sure, a lot of things have to be resolved, but I think it must be possible.
    Why not use a global "approved application database", for example.
    I know, this is only a thought and I'm sure there are better ways. Just start thinking this way.... ;)
    Dolf
     
  15. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    This is what "Pest Patrol" does, but it sounds insufficient alone to my developer's ears :)
    Indeed each day I have different executables on my hard drive that can't be in any database.
    Moreover, do you really think that a database could have all the executables that you can download on the Internet?
    What if I download the latest driver for my network card or the latest Matrix screen saver? :)

    This is why I always end at the same fact: good security is multi-layered security; one software alone will never be able to ensure your computer's security 100% by handling _alone_ all possible ways that can be used to damage your computer.

    I know this kind of "super mega security software" would be a dream, but I don't think it's possible.

    BTW, I think by using DCS products plus a few others like application monitoring
    (that TDS or WormGuard does in a kind of way) and a firewall you can reach the security of your dream, it is just less easy to configure than a single product :)

    keep going, who knows, maybe you'll have the idea of the century ^^
     
  16. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    what about a (guarded) developers area without restrictions?
    everyone, who makes a program available can send a copy to the "database maintainers" for evaluation. More developers use certificates these days.
    hmmm :rolleyes:
     
  17. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    lol

    you remind me of a movie where two people disagree about a subject, and where the discussion is:

    - I said No
    - No it's Yes
    - No
    - Yes
    - No !
    - Yes !!!
    - Nooooooo
    - Yessssss

    etc... :D
     
  18. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    :D
    I make the presumption that PG is already a part of Windows and that the "database maintainers" will be a trusted company where a couple of hundred Gavins are working.
    What about the cost? Not important. Think about the savings!
    I'm sure a lot of major companies will sponsor this thing
    Still dreaming on.... :D
     
  19. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I like the way you think sir ! :D :D
     
  20. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    are you laughing at me? :'(

    or do you really like it? :D
     
  21. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I like ! :) Just noticed your webpage too from another thread, very good work !
     
  22. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Thank you Gavin ;)

    @DolleFie
    I think the cost to "clone" Gavin would be too expensive and in addition, cloning humans is prohibited :doubt:
    Besides that it's a good idea ;)
     
  23. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    Re:wishlist for 1.(?)

    Would it be possible to add the date to the Window and PGlog.log file? I don't open these frequently, since I can rely on DiamondCS software to perform as expected, but it would help to see when an event entry was made.

    Congratulations on another very fine product.
     
  24. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    another thing:

    whatcha think of this: once the computer is set up fine, remove PG.exe. Then nothing and no one can mess with pguard.dat - only you won't get logs (how about adding eventlog support to PG?).
    If you keep it on a floppy, you can bring it back when you really want to change something. (now it's getting even more crazy: If pg.sys and pg.exe would share some authentication secret, only your personal copy of pg.exe would have access to the configuration. Right now you have the keyfile, but if you take that away, pg.sys won't work either...)

    Maybe just for the paranoid. After all, the most essential options in PG are protected - but that protection only verifies that it's a human and not a program that makes changes, not if that human should be allowed to do so, and changing options of programs in the list of protected programs - or even removing them completely - isn't protected this way.

    Anyway: whatcha think?

    Andreas
     
  25. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Password protect the HIDs? No, no it's driving me crazy! :D
     