
Notification or Log for Process Protecter


sinlam:

--- Quote from: Pedersen on July 31, 2014, 05:45:08 PM ---Care sinlam :D Don't give users bad ideas that can ruin their PC :D

--- End quote ---

You are right Pedersen. Thanks for your reminder. I get a bit too carried away... ;)

sinlam:

--- Quote from: Yuki on July 31, 2014, 03:37:15 PM ---
--- Quote from: sinlam on July 31, 2014, 03:43:12 AM ---You can search for the keyword, "Protected Process". I think the current information in the log may not be that useful.

--- End quote ---

There's no hit when I searched "Protected Process".
Does this mean no injection occurred?
--- End quote ---

We checked our log again and realized that we have actually had this log detail disabled for quite some time, so you don't get to see it. Sorry for the confusion.


--- Quote from: sinlam on July 31, 2014, 03:43:12 AM ---If you are keen to test process protector further, you can try the following:

1. If you have a test console to inject your code into memory, you will get access denied when you try to do so.

2. If you are using a penetration tool such as Metasploit, after you have managed to get into the system, you can try to migrate into the protected process. The attacker will get access denied, and in some cases it may even make the attacker's machine hang.

--- End quote ---


--- Quote from: Yuki on July 31, 2014, 03:37:15 PM ---Sorry, I'm not a techy man, so I can't, though I want to use Metasploit in the future.
I hope some skilled people demonstrate this.

--- End quote ---

Please ignore my previously suggested testing. Just like Pedersen said, I shouldn't have mentioned this test. The last thing I want is to ruin a user's computer ;)

Yuki:

--- Quote from: Pedersen on July 31, 2014, 05:45:08 PM ---Care sinlam :D Don't give users bad ideas that can ruin their PC :D

--- End quote ---

Hahaha...you're right!


--- Quote from: sinlam on August 01, 2014, 02:10:47 AM ---
We checked our log again and realized that we have actually had this log detail disabled for quite some time, so you don't get to see it. Sorry for the confusion.

Please ignore my previously suggested testing. Just like Pedersen said, I shouldn't have mentioned this test. The last thing I want is to ruin a user's computer ;)

--- End quote ---

Then I can't know whether PP blocked something or not.
It's a problem for me.
Can't you re-enable that log, or is there any reason that keeps you from re-enabling it?

BTW, I can't use Metasploit, but I'm going to test SAP (and some other tools) against real exploits with Fiddler.
Of course I'll take as many precautions as possible, on a completely new environment.
But as those who have tried to test exploits probably know, it's very hard to build an environment which allows an exploit kit to make a successful drive-by download, because it requires a narrow range of versions for certain software.
If I succeed, I'll report it.

sinlam:

--- Quote from: Yuki on August 05, 2014, 06:28:05 AM ---Then I can't know whether PP blocked something or not.
It's a problem for me.
Can't you re-enable that log, or is there any reason that keeps you from re-enabling it?
--- End quote ---

We will enable it again only after we have decided to publicly include Process Protector as another feature of SecureAPlus. But currently our focus is on building up the SecureAge Management Server, which does the whitelist and log management for the enterprise.

Actually, there is not much use in enabling the log for Process Protector, since it is useful only for our troubleshooting purposes. Let's say something is not working; we can then check the log to see whether this is due to the process being protected. There won't be any indication when anything is blocked.

Here's an example of the log:
"Protected process: c:\windows\notepad.exe (pid 1234) is executed by c:\windows\explorer.exe (pid 432)"


--- Quote from: Yuki on August 05, 2014, 06:28:05 AM ---BTW, I can't use Metasploit, but I'm going to test SAP (and some other tools) against real exploits with Fiddler.
Of course I'll take as many precautions as possible, on a completely new environment.
But as those who have tried to test exploits probably know, it's very hard to build an environment which allows an exploit kit to make a successful drive-by download, because it requires a narrow range of versions for certain software.
If I succeed, I'll report it.

--- End quote ---

Please do this with caution.
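Since, as sinlam says above, there is no indication when Process Protector blocks something, a user without Metasploit can still check protection on a test machine with a harmless handle probe. The PowerShell below is an added example, not SecureAPlus or SecureAge code: it requests a handle on a process with the rights a memory injector needs (PROCESS_VM_WRITE, PROCESS_VM_OPERATION, PROCESS_CREATE_THREAD) and reports whether Windows returned ERROR_ACCESS_DENIED, which is the outcome the thread describes for a protected process. Nothing is written into the target. The type name Probe.Native and the function name Test-InjectionAccess are this example's own choices.

```powershell
# Added example, not SecureAPlus/SecureAge code. Requests a process handle with the
# rights an injector needs and reports whether Windows denied it. Only a handle is
# opened and closed again; no memory is written and no thread is created.
if (-not ('Probe.Native' -as [type])) {
    Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
}

# Access rights a WriteProcessMemory + CreateRemoteThread style injector has to request.
$PROCESS_CREATE_THREAD = 0x0002
$PROCESS_VM_OPERATION  = 0x0008
$PROCESS_VM_WRITE      = 0x0020
$ERROR_ACCESS_DENIED   = 5          # Win32 error code for "Access is denied."

function Test-InjectionAccess {
    param([Parameter(Mandatory)][int]$ProcessId)

    $access = $PROCESS_CREATE_THREAD -bor $PROCESS_VM_OPERATION -bor $PROCESS_VM_WRITE
    $handle = [Probe.Native]::OpenProcess([uint32]$access, $false, $ProcessId)
    # Read the error code immediately after the P/Invoke call, before anything else runs.
    $err    = [Runtime.InteropServices.Marshal]::GetLastWin32Error()

    if ($handle -ne [IntPtr]::Zero) {
        [void][Probe.Native]::CloseHandle($handle)
        $err     = 0
        $verdict = 'opened: injection rights granted, this process is not protected from this account'
    } elseif ($err -eq $ERROR_ACCESS_DENIED) {
        $verdict = 'access denied: injection rights refused'
    } else {
        $verdict = "OpenProcess failed with Win32 error $err (process gone or wrong pid?)"
    }

    [pscustomobject]@{ ProcessId = $ProcessId; Win32Error = $err; Verdict = $verdict }
}

# Usage: start a throwaway notepad.exe (after adding notepad.exe to the protected list),
# probe it, then repeat with a process that is not on the list to see the difference.
$notepad = Start-Process -FilePath notepad.exe -PassThru
Start-Sleep -Seconds 1
Test-InjectionAccess -ProcessId $notepad.Id | Format-List
Stop-Process -Id $notepad.Id -ErrorAction SilentlyContinue
```

Probe a process you started and own (the notepad.exe in the block) so that ordinary Windows ACLs are not what refuses the handle: a standard user is denied on lsass.exe and other system processes regardless of any third-party protection, and an administrator holding SeDebugPrivilege will normally succeed against anything that is not protected. "Opened" therefore means the probing account could inject into that process; "access denied" on a process you own points to the protector, or some other control, refusing the access.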

Yuki:
Thanks, I'm looking forward to that.
Currently I have added some programs such as explorer, iexplorer, firefox, etc.
No problem found so far.

Though it is designed to complement App-binding, which will be implemented in a far-future release, I still believe it can increase my security (assuming malware writers don't know I have SAP), since much malware tries to inject code or thread(s) into legitimate (whitelisted) processes.
What do you think if I also added e.g. svchost, lsass, spoolsv, winlogon, etc.?
I think those system processes are highly targeted by attackers, but they're very important to normal operation.
Do you know of any legitimate program which injects code into those processes?
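The log line sinlam quotes earlier in the thread records which process executed a protected process. As an added example, not SecureAge's code, the PowerShell below parses lines in exactly that format and, following Yuki's question about system processes, flags any launcher that is not on an expected list for that image. The log lines are constructed for this example, and the expected-parent table (wininit.exe for lsass.exe, services.exe for svchost.exe) is an assumption based on the normal Windows process tree; the function names ConvertFrom-ProtectorLog and Get-UnexpectedLauncher are this example's own.

```powershell
# Added example, not SecureAge code. Parses Process Protector log lines of the form
#   Protected process: <path> (pid N) is executed by <path> (pid M)
# and reports launchers that are not expected for a given protected image.

# Constructed sample log for this example (not a real SecureAPlus log).
$sampleLog = @'
Protected process: c:\windows\notepad.exe (pid 1234) is executed by c:\windows\explorer.exe (pid 432)
Protected process: c:\windows\system32\lsass.exe (pid 700) is executed by c:\windows\system32\wininit.exe (pid 512)
Protected process: c:\windows\system32\lsass.exe (pid 704) is executed by c:\users\yuki\appdata\local\temp\update.exe (pid 4812)
Protected process: C:\Program Files\Mozilla Firefox\firefox.exe (pid 2288) is executed by C:\Windows\explorer.exe (pid 432)
Protected process: c:\windows\system32\svchost.exe (pid 900) is executed by c:\windows\system32\services.exe (pid 612)
'@ -split "`r?`n"

# Lazy quantifiers so paths containing spaces (e.g. "Program Files") are captured whole.
$linePattern = '^Protected process: (?<target>.+?) \(pid (?<targetPid>\d+)\) is executed by (?<source>.+?) \(pid (?<sourcePid>\d+)\)\s*$'

function ConvertFrom-ProtectorLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $linePattern) {
            [pscustomobject]@{
                Target    = $Matches.target.ToLowerInvariant()   # Windows paths are case-insensitive
                TargetPid = [int]$Matches.targetPid
                Source    = $Matches.source.ToLowerInvariant()
                SourcePid = [int]$Matches.sourcePid
            }
        }
        # Lines that do not match the format are ignored; add a Write-Warning here if you
        # want to see them while tuning the pattern against a real log.
    }
}

# Assumed normal launchers per protected image (hypothetical allow list; extend per machine).
$expectedLaunchers = @{
    'c:\windows\system32\lsass.exe'   = @('c:\windows\system32\wininit.exe')
    'c:\windows\system32\svchost.exe' = @('c:\windows\system32\services.exe')
}

function Get-UnexpectedLauncher {
    param([object[]]$Events, [hashtable]$Expected)
    foreach ($e in $Events) {
        # Only images with an allow list are judged; everything else is left for manual review.
        if ($Expected.ContainsKey($e.Target) -and $e.Source -notin $Expected[$e.Target]) {
            $e
        }
    }
}

$events = @(ConvertFrom-ProtectorLog -Lines $sampleLog)
"Parsed $($events.Count) events"
$events | Group-Object Target | Select-Object Name, Count | Format-Table -AutoSize

"Unexpected launchers of protected system processes:"
Get-UnexpectedLauncher -Events $events -Expected $expectedLaunchers |
    Format-Table Target, TargetPid, Source, SourcePid -AutoSize
```

On the sample data only the lsass.exe line launched from a user's temp folder is reported; the two notepad.exe and firefox.exe lines are parsed and counted but not judged, because no allow list is defined for them. Note that this log format records who executed the protected process, not who later opened or wrote to it, so it answers the launcher half of Yuki's question and nothing more.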
