Author Topic: Notification or Log for Process Protecter  (Read 107134 times)

Offline Yuki

  • Newbie
  • *
  • Posts: 44
  • Kudos +0/-0
Notification or Log for Process Protecter
« on: July 26, 2014, 10:54:06 AM »
Not a suggestion and not sure whether this is correct place.

I've added some more executables for process protecter, but can I get a popup when PP blocked code injection?

Or can I see log entry which suggests PP blocked injection in any of log files?
« Last Edit: July 27, 2014, 11:32:57 AM by sinlam »
It's not real security to protect only from malware.

Offline sinlam

  • Jr. Member
  • **
  • Posts: 67
  • Kudos +2/-0
    • secureaplus.secureage.com
Re: Notification or Log for Process Protecter
« Reply #1 on: July 27, 2014, 11:39:39 AM »
Not a suggestion and not sure whether this is correct place.

I've added some more executables for process protecter, but can I get a popup when PP blocked code injection?

Or can I see log entry which suggests PP blocked injection in any of log files?

Sorry Yuki, I have moved your topic to this board which is more relevant.

There is no message popup for the process protector as it is still not one of the protection features for SecureAPlus yet. But it should be reflected in the whitelist log.
_____________________________________
SecureAPlus - It is not just another antivirus!
Free download at secureaplus.secureage.com

Offline Yuki

  • Newbie
  • *
  • Posts: 44
  • Kudos +0/-0
Re: Notification or Log for Process Protecter
« Reply #2 on: July 28, 2014, 06:42:59 AM »
You mean currently PP is not working?
So this is just for future equipment and does nothing now?
It's not real security to protect only from malware.

Offline sinlam

  • Jr. Member
  • **
  • Posts: 67
  • Kudos +2/-0
    • secureaplus.secureage.com
Re: Notification or Log for Process Protecter
« Reply #3 on: July 28, 2014, 12:04:48 PM »
You mean currently PP is not working?
So this is just for future equipment and does nothing now?

It is definitely working but we do not show it in SecureAPlus GUI because it is too complex for novice users.
_____________________________________
SecureAPlus - It is not just another antivirus!
Free download at secureaplus.secureage.com

Offline Yuki

  • Newbie
  • *
  • Posts: 44
  • Kudos +0/-0
Re: Notification or Log for Process Protecter
« Reply #4 on: July 30, 2014, 10:37:34 AM »
Okay, so I can check whitelist.log to see whether PP blocked attempt for code injection.

BTW, I found another log files in %AppData%, but they are almost empty.
What the difference with those in %ProgramData%?
It's not real security to protect only from malware.

Offline Yuki

  • Newbie
  • *
  • Posts: 44
  • Kudos +0/-0
Re: Notification or Log for Process Protecter
« Reply #5 on: July 30, 2014, 11:12:26 AM »
Can you suggest some search terms to find PP entry (if any) in the log file?

It's too large to find that entry and some terms I entered picked too many words up.

Thanks.
It's not real security to protect only from malware.

Offline sinlam

  • Jr. Member
  • **
  • Posts: 67
  • Kudos +2/-0
    • secureaplus.secureage.com
Re: Notification or Log for Process Protecter
« Reply #6 on: July 31, 2014, 02:51:08 AM »
Okay, so I can check whitelist.log to see whether PP blocked attempt for code injection.

BTW, I found another log files in %AppData%, but they are almost empty.
What the difference with those in %ProgramData%?

For application that is running under User account, the log will be written in %AppData%
For application that is running under SYSTEM account, the log will be written in %ProgramData%

If you are not running under User account, this explains why it is empty.
_____________________________________
SecureAPlus - It is not just another antivirus!
Free download at secureaplus.secureage.com

Offline sinlam

  • Jr. Member
  • **
  • Posts: 67
  • Kudos +2/-0
    • secureaplus.secureage.com
Re: Notification or Log for Process Protecter
« Reply #7 on: July 31, 2014, 03:43:12 AM »
Can you suggest some search terms to find PP entry (if any) in the log file?

It's too large to find that entry and some terms I entered picked too many words up.

Thanks.

You can search for the keyword, "Protected Process". I think the current information in the log may not be that useful.

If you are keen to test process protector further, you can try the following:

1. If you have a test console to inject your code into the memory, you will get access denied when you are trying to do so.

2. If you are using a penetration code such as metaspoilt, after you managed to get into the system, you can try to migrate the protected process. The attacker will get access denied and in some cases, it may even make the attacker machine hang.
_____________________________________
SecureAPlus - It is not just another antivirus!
Free download at secureaplus.secureage.com

Offline Yuki

  • Newbie
  • *
  • Posts: 44
  • Kudos +0/-0
Re: Notification or Log for Process Protecter
« Reply #8 on: July 31, 2014, 03:37:15 PM »
For application that is running under User account, the log will be written in %AppData%
For application that is running under SYSTEM account, the log will be written in %ProgramData%

If you are not running under User account, this explains why it is empty.
Thanks, I understood what they are and why it was empty.

You can search for the keyword, "Protected Process". I think the current information in the log may not be that useful.

There's no hit when I serched "Protected Process".
Does this mean no injection occured?

If you are keen to test process protector further, you can try the following:

1. If you have a test console to inject your code into the memory, you will get access denied when you are trying to do so.

2. If you are using a penetration code such as metaspoilt, after you managed to get into the system, you can try to migrate the protected process. The attacker will get access denied and in some cases, it may even make the attacker machine hang.


Sorry, I'm not a techy man so can't, though I want to use metasploit in the future.
I hope some skilled people demonstrates this.
It's not real security to protect only from malware.

Offline Pedersen

  • Newbie
  • *
  • Posts: 14
  • Kudos +0/-0
Re: Notification or Log for Process Protecter
« Reply #9 on: July 31, 2014, 05:45:08 PM »
Can you suggest some search terms to find PP entry (if any) in the log file?

It's too large to find that entry and some terms I entered picked too many words up.

Thanks.

You can search for the keyword, "Protected Process". I think the current information in the log may not be that useful.

If you are keen to test process protector further, you can try the following:

1. If you have a test console to inject your code into the memory, you will get access denied when you are trying to do so.

2. If you are using a penetration code such as metaspoilt, after you managed to get into the system, you can try to migrate the protected process. The attacker will get access denied and in some cases, it may even make the attacker machine hang.
Care sinlam :D Dont give users some bad ideas that can ruin their pc :D

Offline sinlam

  • Jr. Member
  • **
  • Posts: 67
  • Kudos +2/-0
    • secureaplus.secureage.com
Re: Notification or Log for Process Protecter
« Reply #10 on: August 01, 2014, 01:41:32 AM »
Care sinlam :D Dont give users some bad ideas that can ruin their pc :D

You are right Pedersen. Thanks for your reminder. I get a bit too carried away... ;)
_____________________________________
SecureAPlus - It is not just another antivirus!
Free download at secureaplus.secureage.com

Offline sinlam

  • Jr. Member
  • **
  • Posts: 67
  • Kudos +2/-0
    • secureaplus.secureage.com
Re: Notification or Log for Process Protecter
« Reply #11 on: August 01, 2014, 02:10:47 AM »
You can search for the keyword, "Protected Process". I think the current information in the log may not be that useful.

There's no hit when I serched "Protected Process".
Does this mean no injection occured?

We check our log again and just realized that we have actually disabled this log detail for quite some time. So you don't get to see it. Sorry for the confusion.

If you are keen to test process protector further, you can try the following:

1. If you have a test console to inject your code into the memory, you will get access denied when you are trying to do so.

2. If you are using a penetration code such as metaspoilt, after you managed to get into the system, you can try to migrate the protected process. The attacker will get access denied and in some cases, it may even make the attacker machine hang.

Sorry, I'm not a techy man so can't, though I want to use metasploit in the future.
I hope some skilled people demonstrates this.

Please ignore my previous suggested testing. Just like what Pedersen said, I shouldn't have mentioned this test. The last thing I want is to ruin a user's computer ;)
_____________________________________
SecureAPlus - It is not just another antivirus!
Free download at secureaplus.secureage.com

Offline Yuki

  • Newbie
  • *
  • Posts: 44
  • Kudos +0/-0
Re: Notification or Log for Process Protecter
« Reply #12 on: August 05, 2014, 06:28:05 AM »
Care sinlam :D Dont give users some bad ideas that can ruin their pc :D

Hahaha...you're right!


We check our log again and just realized that we have actually disabled this log detail for quite some time. So you don't get to see it. Sorry for the confusion.

Please ignore my previous suggested testing. Just like what Pedersen said, I shouldn't have mentioned this test. The last thing I want is to ruin a user's computer ;)

Then I can't know whether PP blocked sth or not.
It's a problem for me.
Can't you re-enable that log again, or any reason that keep you from re-enabling this?

BTW I can't use Metasploit but I'm going to test SAP (and some other tools) against real exploits with Fiddler.
Of course I'll take as much precaution as possible on completely new environment.
But as those who tried to test exploit probably would know, it's very hard to build environment which allow exploit-kit to  make succeessful drive-by-download because it requires narrow range of version for certain software.
If I succeed, I'll report it.
It's not real security to protect only from malware.

Offline sinlam

  • Jr. Member
  • **
  • Posts: 67
  • Kudos +2/-0
    • secureaplus.secureage.com
Re: Notification or Log for Process Protecter
« Reply #13 on: August 07, 2014, 04:40:43 AM »
Then I can't know whether PP blocked sth or not.
It's a problem for me.
Can't you re-enable that log again, or any reason that keep you from re-enabling this?

We will enable it again only after we have decided to publicly include process protector as another feature of SecureAPlus. But currently our focus is to build up the SecureAge Management server which does the whitelist and log management for the enterprise.

Actually there is not much use to enable the log for Process Protector since it is useful only for our troubleshooting purpose. Let's say if something is not working, we can then check the log to see if this is due to the process is being protected. There won't be any indication when anything is blocked.

Here's an example of the log:
"Protected process: c:\windows\notepad.exe (pid 1234) is executed by c;\windows\explorer.exe (pid 432)"

BTW I can't use Metasploit but I'm going to test SAP (and some other tools) against real exploits with Fiddler.
Of course I'll take as much precaution as possible on completely new environment.
But as those who tried to test exploit probably would know, it's very hard to build environment which allow exploit-kit to  make succeessful drive-by-download because it requires narrow range of version for certain software.
If I succeed, I'll report it.

Please do this with caution.
« Last Edit: August 07, 2014, 06:59:05 AM by sinlam »
_____________________________________
SecureAPlus - It is not just another antivirus!
Free download at secureaplus.secureage.com

Offline Yuki

  • Newbie
  • *
  • Posts: 44
  • Kudos +0/-0
Re: Notification or Log for Process Protecter
« Reply #14 on: August 07, 2014, 12:52:05 PM »
Thanks, I'm looking forward to that.
Currently I added some programs such as explorer, iexplorer, firefox.etc.
No problem found so far.

Though it is disigned to complement App-binding which will be implemented far future release, I still believe it can increase my security (assuming malware writer don't know I have SAP) since many malware try to inject code or to inject thread(s) in legitimate (whitelisted) process.
What do you think if I also added e.g. svchost, lsass, spoolsv, winlogon, etc.?
I think those system processes are highly targeted by attacker, but they're very important to normal operation.
Do you know any legitimate program which inject code into those process?
It's not real security to protect only from malware.