SecureAPlus Forum

Forum Support => Software Problems and Questions => Topic started by: Yuki on July 26, 2014, 10:54:06 AM

Title: Notification or Log for Process Protecter
Post by: Yuki on July 26, 2014, 10:54:06 AM
Not a suggestion, and not sure whether this is the correct place.

I've added some more executables to the process protector, but can I get a popup when PP blocks code injection?

Or can I see a log entry which suggests PP blocked an injection in any of the log files?
Title: Re: Notification or Log for Process Protecter
Post by: sinlam on July 27, 2014, 11:39:39 AM
Quote from: Yuki on July 26, 2014, 10:54:06 AM
Not a suggestion, and not sure whether this is the correct place.

I've added some more executables to the process protector, but can I get a popup when PP blocks code injection?

Or can I see a log entry which suggests PP blocked an injection in any of the log files?

Sorry Yuki, I have moved your topic to this board, which is more relevant.

There is no message popup for the process protector, as it is not yet one of the protection features of SecureAPlus. But it should be reflected in the whitelist log.
Title: Re: Notification or Log for Process Protecter
Post by: Yuki on July 28, 2014, 06:42:59 AM
You mean currently PP is not working?
So this is just for future equipment and does nothing now?
Title: Re: Notification or Log for Process Protecter
Post by: sinlam on July 28, 2014, 12:04:48 PM
Quote from: Yuki on July 28, 2014, 06:42:59 AM
You mean currently PP is not working?
So this is just for future equipment and does nothing now?

It is definitely working, but we do not show it in the SecureAPlus GUI because it is too complex for novice users.
Title: Re: Notification or Log for Process Protecter
Post by: Yuki on July 30, 2014, 10:37:34 AM
Okay, so I can check whitelist.log to see whether PP blocked an attempt at code injection.

BTW, I found other log files in %AppData%, but they are almost empty.
What's the difference from those in %ProgramData%?
Title: Re: Notification or Log for Process Protecter
Post by: Yuki on July 30, 2014, 11:12:26 AM
Can you suggest some search terms to find the PP entry (if any) in the log file?

It's too large to find that entry, and some terms I entered picked up too many words.

Thanks.
Title: Re: Notification or Log for Process Protecter
Post by: sinlam on July 31, 2014, 02:51:08 AM
Quote from: Yuki on July 30, 2014, 10:37:34 AM
Okay, so I can check whitelist.log to see whether PP blocked an attempt at code injection.

BTW, I found other log files in %AppData%, but they are almost empty.
What's the difference from those in %ProgramData%?

For an application that is running under a User account, the log will be written to %AppData%.
For an application that is running under the SYSTEM account, the log will be written to %ProgramData%.

If you are not running under a User account, this explains why it is empty.
Title: Re: Notification or Log for Process Protecter
Post by: sinlam on July 31, 2014, 03:43:12 AM
Quote from: Yuki on July 30, 2014, 11:12:26 AM
Can you suggest some search terms to find the PP entry (if any) in the log file?

It's too large to find that entry, and some terms I entered picked up too many words.

Thanks.

You can search for the keyword "Protected Process". I think the current information in the log may not be that useful.

If you are keen to test the process protector further, you can try the following:

1. If you have a test console to inject your code into memory, you will get access denied when you try to do so.

2. If you are using penetration code such as Metasploit, after you have managed to get into the system, you can try to migrate to the protected process. The attacker will get access denied and in some cases it may even make the attacker's machine hang.
Title: Re: Notification or Log for Process Protecter
Post by: Yuki on July 31, 2014, 03:37:15 PM
Quote from: sinlam on July 31, 2014, 02:51:08 AM
For an application that is running under a User account, the log will be written to %AppData%.
For an application that is running under the SYSTEM account, the log will be written to %ProgramData%.

If you are not running under a User account, this explains why it is empty.

Thanks, I understood what they are and why it was empty.

Quote from: sinlam on July 31, 2014, 03:43:12 AM
You can search for the keyword "Protected Process". I think the current information in the log may not be that useful.

There's no hit when I searched "Protected Process".
Does this mean no injection occurred?

Quote from: sinlam on July 31, 2014, 03:43:12 AM
If you are keen to test the process protector further, you can try the following:

1. If you have a test console to inject your code into memory, you will get access denied when you try to do so.

2. If you are using penetration code such as Metasploit, after you have managed to get into the system, you can try to migrate to the protected process. The attacker will get access denied and in some cases it may even make the attacker's machine hang.

Sorry, I'm not a techy man so I can't, though I want to use Metasploit in the future.
I hope some skilled people demonstrate this.
Title: Re: Notification or Log for Process Protecter
Post by: Pedersen on July 31, 2014, 05:45:08 PM
Quote from: sinlam on July 31, 2014, 03:43:12 AM
Quote from: Yuki on July 30, 2014, 11:12:26 AM
Can you suggest some search terms to find the PP entry (if any) in the log file?

It's too large to find that entry, and some terms I entered picked up too many words.

Thanks.

You can search for the keyword "Protected Process". I think the current information in the log may not be that useful.

If you are keen to test the process protector further, you can try the following:

1. If you have a test console to inject your code into memory, you will get access denied when you try to do so.

2. If you are using penetration code such as Metasploit, after you have managed to get into the system, you can try to migrate to the protected process. The attacker will get access denied and in some cases it may even make the attacker's machine hang.

Care sinlam :D Don't give users some bad ideas that can ruin their PC :D
Title: Re: Notification or Log for Process Protecter
Post by: sinlam on August 01, 2014, 01:41:32 AM
Quote from: Pedersen on July 31, 2014, 05:45:08 PM
Care sinlam :D Don't give users some bad ideas that can ruin their PC :D

You are right, Pedersen. Thanks for your reminder. I got a bit too carried away... ;)
Title: Re: Notification or Log for Process Protecter
Post by: sinlam on August 01, 2014, 02:10:47 AM
Quote from: Yuki on July 31, 2014, 03:37:15 PM
Quote from: sinlam on July 31, 2014, 03:43:12 AM
You can search for the keyword "Protected Process". I think the current information in the log may not be that useful.

There's no hit when I searched "Protected Process".
Does this mean no injection occurred?

We checked our log again and just realized that we have actually disabled this log detail for quite some time. So you don't get to see it. Sorry for the confusion.

Quote from: Yuki on July 31, 2014, 03:37:15 PM
Quote from: sinlam on July 31, 2014, 03:43:12 AM
If you are keen to test the process protector further, you can try the following:

1. If you have a test console to inject your code into memory, you will get access denied when you try to do so.

2. If you are using penetration code such as Metasploit, after you have managed to get into the system, you can try to migrate to the protected process. The attacker will get access denied and in some cases it may even make the attacker's machine hang.

Sorry, I'm not a techy man so I can't, though I want to use Metasploit in the future.
I hope some skilled people demonstrate this.

Please ignore my previously suggested testing. Just like Pedersen said, I shouldn't have mentioned this test. The last thing I want is to ruin a user's computer ;)
Title: Re: Notification or Log for Process Protecter
Post by: Yuki on August 05, 2014, 06:28:05 AM
Quote from: Pedersen on July 31, 2014, 05:45:08 PM
Care sinlam :D Don't give users some bad ideas that can ruin their PC :D

Hahaha... you're right!

Quote from: sinlam on August 01, 2014, 02:10:47 AM
We checked our log again and just realized that we have actually disabled this log detail for quite some time. So you don't get to see it. Sorry for the confusion.

Please ignore my previously suggested testing. Just like Pedersen said, I shouldn't have mentioned this test. The last thing I want is to ruin a user's computer ;)

Then I can't know whether PP blocked sth or not.
It's a problem for me.
Can't you re-enable that log again, or is there any reason that keeps you from re-enabling it?

BTW, I can't use Metasploit, but I'm going to test SAP (and some other tools) against real exploits with Fiddler.
Of course I'll take as many precautions as possible on a completely new environment.
But as those who have tried to test exploits probably know, it's very hard to build an environment which allows an exploit kit to make a successful drive-by download, because it requires a narrow range of versions for certain software.
If I succeed, I'll report it.
Title: Re: Notification or Log for Process Protecter
Post by: sinlam on August 07, 2014, 04:40:43 AM
Quote from: Yuki on August 05, 2014, 06:28:05 AM
Then I can't know whether PP blocked sth or not.
It's a problem for me.
Can't you re-enable that log again, or is there any reason that keeps you from re-enabling it?

We will enable it again only after we have decided to publicly include the process protector as another feature of SecureAPlus. But currently our focus is on building up the SecureAge Management server, which does the whitelist and log management for the enterprise.

Actually there is not much use in enabling the log for the Process Protector, since it is useful only for our troubleshooting purposes. Let's say something is not working; we can then check the log to see if this is because the process is being protected. There won't be any indication when anything is blocked.

Here's an example of the log:
"Protected process: c:\windows\notepad.exe (pid 1234) is executed by c:\windows\explorer.exe (pid 432)"

Quote from: Yuki on August 05, 2014, 06:28:05 AM
BTW, I can't use Metasploit, but I'm going to test SAP (and some other tools) against real exploits with Fiddler.
Of course I'll take as many precautions as possible on a completely new environment.
But as those who have tried to test exploits probably know, it's very hard to build an environment which allows an exploit kit to make a successful drive-by download, because it requires a narrow range of versions for certain software.
If I succeed, I'll report it.

Please do this with caution.
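As an added example (my own script, not SecureAPlus code and not from anyone in this thread), here is a PowerShell routine that checks both log locations sinlam described, %AppData% for components running as the logged-on user and %ProgramData% for components running as SYSTEM, and parses any entries in the format of the sample line above. It assumes the file is named whitelist.log, as Yuki used earlier in the thread, but not which subfolder it sits in, so it searches each root recursively. On builds where the "Protected process" detail is disabled, as sinlam says it currently is, the expected result is no hits; the parsing is what you would use once the detail is turned on.

```powershell
# Added example, not SecureAPlus code. Finds whitelist.log under the two log roots
# named in the thread and lists parsed "Protected process:" entries, if any.
# Assumption (not stated on the page): the log file is named whitelist.log and lives
# somewhere below %AppData% or %ProgramData%; adjust -Filter if your install differs.

$LogRoots = @($env:APPDATA, $env:ProgramData)

# Field layout taken from the example line in sinlam's post:
#   Protected process: <target path> (pid N) is executed by <source path> (pid M)
$EntryPattern = '^Protected process:\s*(?<Target>.+?)\s*\(pid\s*(?<TargetPid>\d+)\)\s*is executed by\s*(?<Source>.+?)\s*\(pid\s*(?<SourcePid>\d+)\)'

function Get-ProcessProtectorEntries {
    param([string[]]$Roots)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # Recursive search because the thread does not say which subfolder holds the log.
        $logs = Get-ChildItem -LiteralPath $root -Filter 'whitelist.log' -Recurse -File -ErrorAction SilentlyContinue
        if (-not $logs) {
            Write-Host "No whitelist.log found under $root"
            continue
        }

        foreach ($log in $logs) {
            Write-Host ("Scanning {0} ({1:N0} bytes)" -f $log.FullName, $log.Length)

            # Select-String streams the file line by line, so a large log is fine, and
            # matches case-insensitively, so "Protected Process" and "Protected process" both hit.
            $hits = Select-String -LiteralPath $log.FullName -Pattern 'Protected process' -SimpleMatch
            if (-not $hits) {
                # Expected on current builds: sinlam says this log detail is disabled.
                Write-Host '  No "Protected process" entries found.'
                continue
            }

            foreach ($hit in $hits) {
                if ($hit.Line -match $EntryPattern) {
                    # One object per entry: which executable was protected and which process touched it.
                    [pscustomobject]@{
                        LogFile   = $log.FullName
                        LineNo    = $hit.LineNumber
                        Target    = $Matches['Target']
                        TargetPid = [int]$Matches['TargetPid']
                        Source    = $Matches['Source']
                        SourcePid = [int]$Matches['SourcePid']
                    }
                } else {
                    # Keep hits in an unexpected layout visible rather than silently dropping them.
                    Write-Warning ("Unrecognised entry at line {0}: {1}" -f $hit.LineNumber, $hit.Line)
                }
            }
        }
    }
}

Get-ProcessProtectorEntries -Roots $LogRoots | Format-Table -AutoSize
```

Run it from an elevated prompt if you want to read the %ProgramData% copy, since that one belongs to the SYSTEM-account components; the %AppData% copy is readable by the logged-on user. Keep in mind sinlam's point that a hit in this log means a process was executed while protected, not that an injection was blocked, so an empty result is not evidence either way.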
Title: Re: Notification or Log for Process Protecter
Post by: Yuki on August 07, 2014, 12:52:05 PM
Thanks, I'm looking forward to that.
Currently I have added some programs such as explorer, iexplore, firefox, etc.
No problem found so far.

Though it is designed to complement App-binding, which will be implemented in a far future release, I still believe it can increase my security (assuming malware writers don't know I have SAP), since a lot of malware tries to inject code or thread(s) into legitimate (whitelisted) processes.
What do you think if I also added e.g. svchost, lsass, spoolsv, winlogon, etc.?
I think those system processes are highly targeted by attackers, but they're very important to normal operation.
Do you know any legitimate program which injects code into those processes?
Title: Re: Notification or Log for Process Protecter
Post by: sinlam on August 07, 2014, 11:49:47 PM
Quote from: Yuki on August 07, 2014, 12:52:05 PM
I think those system processes are highly targeted by attackers, but they're very important to normal operation.
Do you know any legitimate program which injects code into those processes?

Sorry, I can't help you on this. My advice is not to test the process protector, as we will not be incorporating it into SecureAPlus so soon. My greatest concern is that you may damage your computer.

This is off-topic: I have sent you a few emails about the iPad Mini that you have won. We need more information from you, otherwise we can't proceed with the online purchase. Hope to hear from you soon. If you can't see my email in your inbox, you may try checking your spam/junk folder. Pedersen already received his iPad Air ;)
Title: Re: Notification or Log for Process Protecter
Post by: Yuki on August 12, 2014, 11:49:06 AM
Very sorry for the late reply to that email; I have replied. :'(
One reason is I was on a short trip, but still I should have checked my mailbox.
Title: Re: Notification or Log for Process Protecter
Post by: Yuki on August 13, 2014, 12:04:00 PM
Did you get my email?


BTW, after adding services.exe, svchost.exe, smss.exe, csrss.exe, lsass.exe, spoolsv.exe, and winlogon.exe to PP, my system became unbootable. lol

Don't worry, I just reverted to the previous stable state from backup.
So I confirmed your concern ;D
Title: Re: Notification or Log for Process Protecter
Post by: sinlam on August 14, 2014, 12:06:03 AM
Quote from: Yuki on August 13, 2014, 12:04:00 PM
Did you get my email?

Yes, I will email you once we have purchased it online :)

Quote from: Yuki on August 13, 2014, 12:04:00 PM
BTW, after adding services.exe, svchost.exe, smss.exe, csrss.exe, lsass.exe, spoolsv.exe, and winlogon.exe to PP, my system became unbootable. lol

Don't worry, I just reverted to the previous stable state from backup.
So I confirmed your concern ;D

Thank goodness you were able to revert back...