Friday, July 28, 2006

Protecting Windows Processes

In our on-going review of ways you can guard your system from rouge attacks, inside and out, let's focus now on protecting Windows system processes.

The idea behind these kind of attacks is that by gaining control of a trusted application/process, an attacker can attempt to slip by standard security protections and let their activity walk out the door in plain sight.

Think of it as kind of like social-engineering the operating system. A thief opens up a whole into a bank via the next-door building's basement. Once inside they have a number of things they can do. If he gets into the bank president's office, he can issue commands behind the closed door to the bank employees without anyone catching on. Or, if he can grab the cash, change into a security guard or trusted employee's uniform and walk right out the door.

Process guard applications act like independent auditors. They are constantly checking to see if something is authenticated to be allowed to happen and alerting the user to breach attempts.

Now, most users will find it a rare need to install these types of applications on their computers for an ongoing basis. I don't run any of these on my own systems. however, they are good for doing test-bed and malware research to see what is going on, but (hopefully) if you are making wise choices in computing, you shouldn't normally need this level of security.

However, if you want one more level of protection, there are some very good programs out there that will monitor and protect your Windows processes.

Monitoring Windows Processes:

There are a lot of sotware solutions to allow you to quickly get a glimpse of what is happening "real-time" on your system.

NirSoft offers a ton of freeware utilities--all of which should probably be somewhere on every sysadmin and techie's USB stick.

Nirsoft highlights:

CurrPorts: TCP/IP Connections Viewer - list all open TCP/UDP ports on your pc
AdapterWatch - find out various info on your network card
ShellExView - view/modify shell extensions installed on your pc
SysExporter - copy text data from almost all window displays on your system
ActiveXHelper - got ActiveX on your system? Manage it with this tool
RegScanner (Registry Scanner) - specialized registry search tool
ProduKey - Recover Office/Windows CD-Key - grab certain Microsoft product keys off your system for audits.

SysInternals has always been offering up a slew of top-drawer system utilities for free. Mark Russinovich recently announced that Microsoft gobbled up Sysinternals. This may be a brilliant move by Microsoft. The tools are still offered (for the time-being) but you might be wise to keep the latest versions downloaded in case the site/support ends suddenly.

Mark's Sysinternals' Creme de-la-Creme

Diskmon v2.01 - log and display all hard drive activity
Filemon v7.03 - shows/filters file system activity, real-time
Autoruns v8.53 - shows and allows enable/disable/removal/backup of system auto-run items
Process Explorer v10.2 - display active processes and their threads
RootkitRevealer v1.7 - scans for system rootkit and specially hidden files
Tokenmon v1.01 - display and monitor system file/rights related activity
TCPView v2.4 - monitor all open TCP/UDP ports on your pc
TDIMon v1.01 - monitor all open TCP/UDP ports on your pc
Portmon v3.02 - display, monitor and filter all parallel and serial port activity on your system
BgInfo v4.07 - displays customizable system info on your desktop at boot.

Windows Process Guard Software

TruPrevent Personal 2005 - Panda Software - ($) This program provides anti-virus/trojan type protection by monitoring the running/executing of programs and attempts to find malicious code and activity, blocking the action and alerting the user. It is being incorporated into Panda's security suite software. More information at PC Flank's review.

Prevex1 - ($) This software solution takes a slightly different method. Once the free software is downloaded, it runs a scan on your system looking and cataloging executable files. Once done, it then compares the list against a community maintained database and flags any hostile applications found. You can also set custom rules and actions. Take a well documented tour of Prevex1. The program is free to use to monitor your system. Pay for system cleaning after first 28 days once an infection is found.

ProcessGuard - DiamondCS - ($) If I did have to have one of these class of programs on my system, this would be it. ProcessGuard monitors your system and alerts the user to any processes attempting to run on your system. You then set rules to allow or block the activity. It's similar in concept to how a firewall will challenge Internet activity and prompt the user to allow/block. This application will work to keep processes (known and hidden) from slipping by the user without their knowledge. More info here.

Anti-Hook 2.5 - InfoProcess - (free) This program applies Host Intrustion Prevention System (HIPS) techniques to lock down your system. It gives kernel mode protection and blocks and alerts the user to suspicious activity attempting to hook into trusted system level processes and hijack them for malicious purposes. The website mentions a program registration problem in the current version 2.5 on XP Home OS. No word if it has actually been resolved yet.

DefenseWall HIPS - ($) - Another HIPS model protection application.

AppDefend - Ghost Security - ($) - Process based application monitoring program.

RegDefend - Ghost Security - ($) - Process based registry monitoring program. Alerts user before registry changes are made.

WinPatrol Free / WinPatrol Plus - (free / $) - A multi-element utility, WinPatrol's "Scotty dog" monitors various elements on your system, including the autorun group, IE plugins, cookies, hidden files, scheduled tasks, Windows services, displays active processes, and file type associations. It will give a user alert when critical changes are made to your system. Cute, free and useful.

For system administrators looking to enforce policy control of application installation and execution on systems--and maybe not utilizing Active Directory, Faronics provides some interesting small office/enterprise level software solutions including Anti-Executable and Deep Freeze.

Bonus Find: Portable Ethereal

I found a link the other day to a portable version of Ethereal. As you know, the packet capture program Ethereal is now being developed under the name Wireshark. However, it usually requires the need to be fully installed on a system. This version has been optimized to run in a portable manner so you can carry it on your USB stick and use on most all XP/2000 systems. Handy!

See you in the skies,

No comments: