Author Topic: Notification or Log for Process Protecter (Read 94711 times)

Yuki · « **on:** July 26, 2014, 10:54:06 AM »

Not a suggestion and not sure whether this is correct place.

I've added some more executables for process protecter, but can I get a popup when PP blocked code injection?

Or can I see log entry which suggests PP blocked injection in any of log files?

sinlam · « **Reply #1 on:** July 27, 2014, 11:39:39 AM »

Quote from: Yuki on July 26, 2014, 10:54:06 AM

Not a suggestion and not sure whether this is correct place.

I've added some more executables for process protecter, but can I get a popup when PP blocked code injection?

Or can I see log entry which suggests PP blocked injection in any of log files?

Sorry Yuki, I have moved your topic to this board which is more relevant.

There is no message popup for the process protector as it is still not one of the protection features for SecureAPlus yet. But it should be reflected in the whitelist log.

Yuki · « **Reply #2 on:** July 28, 2014, 06:42:59 AM »

You mean currently PP is not working?
So this is just for future equipment and does nothing now?

sinlam · « **Reply #3 on:** July 28, 2014, 12:04:48 PM »

Quote from: Yuki on July 28, 2014, 06:42:59 AM

You mean currently PP is not working?
So this is just for future equipment and does nothing now?

It is definitely working but we do not show it in SecureAPlus GUI because it is too complex for novice users.

Yuki · « **Reply #4 on:** July 30, 2014, 10:37:34 AM »

Okay, so I can check whitelist.log to see whether PP blocked attempt for code injection.

BTW, I found another log files in %AppData%, but they are almost empty.
What the difference with those in %ProgramData%?

Yuki · « **Reply #5 on:** July 30, 2014, 11:12:26 AM »

Can you suggest some search terms to find PP entry (if any) in the log file?

It's too large to find that entry and some terms I entered picked too many words up.

Thanks.

sinlam · « **Reply #6 on:** July 31, 2014, 02:51:08 AM »

Quote from: Yuki on July 30, 2014, 10:37:34 AM

Okay, so I can check whitelist.log to see whether PP blocked attempt for code injection.

BTW, I found another log files in %AppData%, but they are almost empty.
What the difference with those in %ProgramData%?

For application that is running under User account, the log will be written in %AppData%
For application that is running under SYSTEM account, the log will be written in %ProgramData%

If you are not running under User account, this explains why it is empty.

sinlam · « **Reply #7 on:** July 31, 2014, 03:43:12 AM »

Quote from: Yuki on July 30, 2014, 11:12:26 AM

Can you suggest some search terms to find PP entry (if any) in the log file?

It's too large to find that entry and some terms I entered picked too many words up.

Thanks.

You can search for the keyword, "Protected Process". I think the current information in the log may not be that useful.

If you are keen to test process protector further, you can try the following:

1. If you have a test console to inject your code into the memory, you will get access denied when you are trying to do so.

2. If you are using a penetration code such as metaspoilt, after you managed to get into the system, you can try to migrate the protected process. The attacker will get access denied and in some cases, it may even make the attacker machine hang.

Yuki · « **Reply #8 on:** July 31, 2014, 03:37:15 PM »

Quote from: sinlam on July 31, 2014, 02:51:08 AM

For application that is running under User account, the log will be written in %AppData%
For application that is running under SYSTEM account, the log will be written in %ProgramData%

If you are not running under User account, this explains why it is empty.

Thanks, I understood what they are and why it was empty.

Quote from: sinlam on July 31, 2014, 03:43:12 AM

You can search for the keyword, "Protected Process". I think the current information in the log may not be that useful.

There's no hit when I serched "Protected Process".
Does this mean no injection occured?

Quote from: sinlam on July 31, 2014, 03:43:12 AM

If you are keen to test process protector further, you can try the following:

1. If you have a test console to inject your code into the memory, you will get access denied when you are trying to do so.

2. If you are using a penetration code such as metaspoilt, after you managed to get into the system, you can try to migrate the protected process. The attacker will get access denied and in some cases, it may even make the attacker machine hang.

Sorry, I'm not a techy man so can't, though I want to use metasploit in the future.
I hope some skilled people demonstrates this.

Pedersen · « **Reply #9 on:** July 31, 2014, 05:45:08 PM »

Quote from: sinlam on July 31, 2014, 03:43:12 AM

Quote from: Yuki on July 30, 2014, 11:12:26 AM
Can you suggest some search terms to find PP entry (if any) in the log file?

It's too large to find that entry and some terms I entered picked too many words up.

Thanks.

You can search for the keyword, "Protected Process". I think the current information in the log may not be that useful.

If you are keen to test process protector further, you can try the following:

1. If you have a test console to inject your code into the memory, you will get access denied when you are trying to do so.

2. If you are using a penetration code such as metaspoilt, after you managed to get into the system, you can try to migrate the protected process. The attacker will get access denied and in some cases, it may even make the attacker machine hang.

Care sinlam

Dont give users some bad ideas that can ruin their pc

sinlam · « **Reply #10 on:** August 01, 2014, 01:41:32 AM »

Quote from: Pedersen on July 31, 2014, 05:45:08 PM

Care sinlam Dont give users some bad ideas that can ruin their pc

You are right Pedersen. Thanks for your reminder. I get a bit too carried away...

sinlam · « **Reply #11 on:** August 01, 2014, 02:10:47 AM »

Quote from: Yuki on July 31, 2014, 03:37:15 PM

Quote from: sinlam on July 31, 2014, 03:43:12 AM
You can search for the keyword, "Protected Process". I think the current information in the log may not be that useful.

There's no hit when I serched "Protected Process".
Does this mean no injection occured?

We check our log again and just realized that we have actually disabled this log detail for quite some time. So you don't get to see it. Sorry for the confusion.

Quote from: sinlam on July 31, 2014, 03:43:12 AM

If you are keen to test process protector further, you can try the following:

1. If you have a test console to inject your code into the memory, you will get access denied when you are trying to do so.

2. If you are using a penetration code such as metaspoilt, after you managed to get into the system, you can try to migrate the protected process. The attacker will get access denied and in some cases, it may even make the attacker machine hang.

Quote from: Yuki on July 31, 2014, 03:37:15 PM

Sorry, I'm not a techy man so can't, though I want to use metasploit in the future.
I hope some skilled people demonstrates this.

Please ignore my previous suggested testing. Just like what Pedersen said, I shouldn't have mentioned this test. The last thing I want is to ruin a user's computer

Yuki · « **Reply #12 on:** August 05, 2014, 06:28:05 AM »

Quote from: Pedersen on July 31, 2014, 05:45:08 PM

Care sinlam Dont give users some bad ideas that can ruin their pc

Hahaha...you're right!

Quote from: sinlam on August 01, 2014, 02:10:47 AM

We check our log again and just realized that we have actually disabled this log detail for quite some time. So you don't get to see it. Sorry for the confusion.

Please ignore my previous suggested testing. Just like what Pedersen said, I shouldn't have mentioned this test. The last thing I want is to ruin a user's computer

Then I can't know whether PP blocked sth or not.
It's a problem for me.
Can't you re-enable that log again, or any reason that keep you from re-enabling this?

BTW I can't use Metasploit but I'm going to test SAP (and some other tools) against real exploits with Fiddler.
Of course I'll take as much precaution as possible on completely new environment.
But as those who tried to test exploit probably would know, it's very hard to build environment which allow exploit-kit to make succeessful drive-by-download because it requires narrow range of version for certain software.
If I succeed, I'll report it.

sinlam · « **Reply #13 on:** August 07, 2014, 04:40:43 AM »

Quote from: Yuki on August 05, 2014, 06:28:05 AM

Then I can't know whether PP blocked sth or not.
It's a problem for me.
Can't you re-enable that log again, or any reason that keep you from re-enabling this?

We will enable it again only after we have decided to publicly include process protector as another feature of SecureAPlus. But currently our focus is to build up the SecureAge Management server which does the whitelist and log management for the enterprise.

Actually there is not much use to enable the log for Process Protector since it is useful only for our troubleshooting purpose. Let's say if something is not working, we can then check the log to see if this is due to the process is being protected. There won't be any indication when anything is blocked.

Here's an example of the log:
"Protected process: c:\windows\notepad.exe (pid 1234) is executed by c;\windows\explorer.exe (pid 432)"

Quote from: Yuki on August 05, 2014, 06:28:05 AM

BTW I can't use Metasploit but I'm going to test SAP (and some other tools) against real exploits with Fiddler.
Of course I'll take as much precaution as possible on completely new environment.
But as those who tried to test exploit probably would know, it's very hard to build environment which allow exploit-kit to make succeessful drive-by-download because it requires narrow range of version for certain software.
If I succeed, I'll report it.

Please do this with caution.

Yuki · « **Reply #14 on:** August 07, 2014, 12:52:05 PM »

Thanks, I'm looking forward to that.
Currently I added some programs such as explorer, iexplorer, firefox.etc.
No problem found so far.

Though it is disigned to complement App-binding which will be implemented far future release, I still believe it can increase my security (assuming malware writer don't know I have SAP) since many malware try to inject code or to inject thread(s) in legitimate (whitelisted) process.
What do you think if I also added e.g. svchost, lsass, spoolsv, winlogon, etc.?
I think those system processes are highly targeted by attacker, but they're very important to normal operation.
Do you know any legitimate program which inject code into those process?

Author Topic: Notification or Log for Process Protecter (Read 94711 times)

Yuki

Notification or Log for Process Protecter

sinlam

Re: Notification or Log for Process Protecter

Yuki

Re: Notification or Log for Process Protecter

sinlam

Re: Notification or Log for Process Protecter

Yuki

Re: Notification or Log for Process Protecter

Yuki

Re: Notification or Log for Process Protecter

sinlam

Re: Notification or Log for Process Protecter

sinlam

Re: Notification or Log for Process Protecter

Yuki

Re: Notification or Log for Process Protecter

Pedersen

Re: Notification or Log for Process Protecter

sinlam

Re: Notification or Log for Process Protecter

sinlam

Re: Notification or Log for Process Protecter

Yuki

Re: Notification or Log for Process Protecter

sinlam

Re: Notification or Log for Process Protecter

Yuki

Re: Notification or Log for Process Protecter