Yet another way to beat PG

Discussion in 'ProcessGuard' started by Devil's Advocate, Oct 11, 2006.

Thread Status:
Not open for further replies.
  1. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    The latest DFK Threat Simulator seems to point to a very serious weakness in PG, far more serious than a termination method.

    http://www.morgud.com/interests/security/dfk-threat-simulator-v2.asp

    It is able to take down a lot of HIPS and security programs using keystroke/mouse automation (e.g. Online Armor, GSS), though PG is immune to that if you lock the interface.

    However it can take down PG and the rest by a 'replacement attack', replacing the files on disk...

    I'm not sure if this is considered a problem for PG, and I think it has been discussed before how PG doesn't protect its own files, but I think the following is very interesting...

    "** ProcessGuard is especially vulnerable because once the "pgaccount.exe" file is replaced with the dummy placeholder, ProcessGuard will allow any new process without prompting but will appear to be functioning normally! The only thing worse than no security is the illusion of security. In addition, ProcessGuard will protect the new dummy placeholder executable as its own and not allow it to be terminated."

    In other words, PG will appear to be running but it will be totally useless!!
    This is a very serious problem. The rest will just shut down, which at least gives you a sign something is wrong, but with PG it will appear normal, even when it is totally useless!
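    A defender-side check for the weakness described above, added here as an example and not code from DiamondCS or from the DFK simulator: a component that verifies its sibling binaries by content hash, rather than trusting whatever file carries the expected name, flags a swapped placeholder instead of protecting it. The file contents and the second file name (procguard.exe) are constructed for the demo; only pgaccount.exe comes from the thread.

```python
"""Integrity check for a security product's own binaries (added defender example)."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file by content; name, size and timestamp are not trusted."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory: str, names) -> dict:
    """Record the expected hash of every protected component at install time."""
    return {n: sha256_file(os.path.join(directory, n)) for n in names}


def verify(directory: str, baseline: dict) -> dict:
    """Return {name: 'ok' | 'missing' | 'replaced'} for each baselined component.

    A product that runs this before trusting a component would alert on
    'replaced' rather than silently guarding the dummy as its own file.
    """
    report = {}
    for name, expected in baseline.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            report[name] = "missing"
        elif sha256_file(path) != expected:
            report[name] = "replaced"
        else:
            report[name] = "ok"
    return report


def demo() -> dict:
    """Constructed scenario: a temp 'install dir' whose pgaccount.exe is swapped for a dummy."""
    with tempfile.TemporaryDirectory() as d:
        files = {"pgaccount.exe": b"genuine pgaccount bytes (constructed)",
                 "procguard.exe": b"genuine procguard bytes (constructed)"}  # hypothetical name
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(d, files)
        # Placeholder padded to the genuine file's size: a size or name check would pass it.
        dummy = b"dummy placeholder (constructed)".ljust(len(files["pgaccount.exe"]), b"\0")
        with open(os.path.join(d, "pgaccount.exe"), "wb") as f:
            f.write(dummy)
        return verify(d, baseline)  # {'pgaccount.exe': 'replaced', 'procguard.exe': 'ok'}
```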
     
  2. LeeH

    LeeH Registered Member

    Joined:
    Mar 6, 2005
    Posts:
    25
    Location:
    West London, UK
    More problems reported, hey?

    You must be the Devil's advocate!

    Only joking....


    However, the security problems are not a joke.

    It seems that PG is beginning to need some radical work. I hope some of it can be done soonish.


    THANKS FOR REPORTING. APPRECIATED.


    Best regards,
    Lee
     
  3. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    You're welcome Lee

    However, I'm not saying much that is new..... as the people here will no doubt tell you.
     
  4. Chubb

    Chubb Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    1,967
    Hope that Wayne or Gavin will investigate the issue and make the necessary revisions to PG, if necessary.
     
  5. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Yeah, who doesn't know how to patch a file to modify a program's behaviour. I'm sure someone can make a file and replace PG's original file, e.g. a novice user downloads a piece of malware, and PG will rub salt into the wound by popping out a message: You idiot! You've just downloaded a piece of malware. You're very smart indeed.

    So simple, a piece of cake. Or set the files to read-only.
     
  6. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Set files to read only?

    Why didn't you say so earlier? What genius! lol.
     
  7. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    I don't understand that. All it is doing is making it invisible, however MS Task Manager still lists it and gives a PID number so that surely lets any malware carry on regardless.
     
  8. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    "Set the files to read-only"? How useless is that? :rolleyes: Very.
     
  9. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    To me, PG is flawless (or close) when coupled with something like Sandboxie. Although I don't have experience with programs terminating/defeating PG's protection, the fact that a program or exploit can successfully trash the system by destroying/overwriting important files is just as much a concern as PG's execution/termination protection (if not more). If an exploit is launched in Sandboxie and you have PG, you'll both prevent it from writing to the real system and from executing malware.
     
  10. LeeH

    LeeH Registered Member

    Joined:
    Mar 6, 2005
    Posts:
    25
    Location:
    West London, UK
    I don't think anybody is an idiot for reporting a problem old or new which is not fixed yet.

    Anybody can replace a file but not all of us are coders. If we were then we should make our own security applications.

    Actually it is not the job of the user to test that the basic security the programmers have written works; but it helps. We have to put our trust to some extent in the security experts who write the initial software.


    Also, why should we need to tweak security applications that have very weak vulnerabilities to make sure they work? That makes the paid for version useless under certain circumstances.

    PG generally offers very powerful protection. A weak vulnerability makes a mockery of its abilities. This is a shame that DiamondCS should want to correct to keep the integrity of their GOOD name.


    I am the first to say that we can't expect PG to protect all future vulnerabilities right now. If that were the case we would only ever need ONE security application.

    It just seems that DiamondCS are generally slow to make corrections and don't communicate their intentions that well or keep to timescales.


    Sorry guys at DiamondCS. The truth is that I have a massive amount of respect for you. I only have the few gripes mentioned. PG has provided a high level of protection up until now and given me confidence knowing that. Thanks for allowing us to have greater security against advanced threats.

    Best regards,
    Lee
     
    Last edited: Oct 11, 2006