Advanced Settings in Defense+

* CPU: 32 bit
* Operating System: Windows Vista Ultimate SP1
* Actively-running security and utility applications: CIS, CMF, BOClean, SpywareBlaster, Malwarebytes Anti-Malware
* Specific symptoms of the bug: Defense+ \ Advanced \ Predefined Security Policies \ Windows System Application \ Edit \ Protection Settings \ Windows/WinEvent Hooks set to “Yes”
* Steps you have taken to try to resolve it: set the Windows/WinEvent Hooks protection type back to “No”
* Brief description of your Defense+ and Firewall+ mode (Custom, Train with safe) plus mention if you modified any setting in ADVANCED section of D+ and F+: self-explanatory based on what was just described
* If your pc reboots or you have a BSOD post in BSODs: Please add your minidump files here: NA
* Report if you are using an Administrator account or a Limited User account. Vista users please Report if you have UAC Disabled or Enabled: Administrator account with UAC Enabled

I would consider the following item to be a bug: When Advanced \ Predefined Security Policies \ Windows System Application \ Edit \ Protection Settings \ Windows/WinEvent Hooks was changed to “Yes”, then the computer would not boot up all the way. It would get to a point where the hard drive was spinning rapidly and would hang there. With this Windows/WinEvent Hooks set to the default “No”, the computer would go ahead and boot up all the way. See the first attachment below for the advanced settings.

Changing this advanced Windows/WinEvent Hooks setting to “Yes” shouldn’t prevent the computer from booting up. Changing all the other advanced settings to “Yes” under Windows System Application didn’t have any major impact on normal computer usage, except that Explorer.exe had to be added to the Exceptions list beside Interprocess Memory Access for Windows Explorer to open. Otherwise Windows Explorer wouldn’t open and a popup message “explorer.exe - The RPC server is unavailable.” would appear. See the second attachment below for the advanced settings in relation to Interprocess Memory Access.

[attachment deleted by admin]

Do you think D+ could be getting to a point where it needs to prompt you, but can’t, so it just hangs? I would turn the hooks option back on and flip D+ into training mode.

I didn’t really think that changing the Defense+ mode to Training Mode would allow the computer to finish booting up when the hooks option was marked “Yes”, but I tried what you suggested. The computer still hung up before the logon screen and would not finish booting up. The computer GUI is not loaded, so no Defense+ popup can appear. There is only a blank screen at the point where the computer bootup hangs. The only way to solve this is to shut the computer down and reboot into Safe Mode. Then open up CIS and mark “No” to the Windows/WinEvent Hooks option. Then the computer can be restarted and will boot up completely in Normal Mode. I think this is definitely a bug. Even though it is an advanced option, and not the default setting for that option, marking the “Yes” radio button should not cause the computer to hang before bootup is completed.

Have you tried to unset the ‘Defense+ → Advanced → Defense+ Settings → Block all the unknown requests when the application is closed’ check-box?

The protection settings of D+ policies are not interactive and usually can only be verified when D+ logging is active and running.

Windows/WinEvent Hooks protection means that said rights will be denied and since Windows System Applications include many core windows services a complete lock-up would be expected if said access rights are needed.

File Group: [Windows System Applications]

---------------------------------------------------------------------------------------
[0] System
[1] D:\WINDOWS\system32\smss.exe
[2] D:\WINDOWS\system32\csrss.exe
[3] D:\WINDOWS\system32\winlogon.exe
[4] D:\WINDOWS\system32\services.exe
[5] D:\WINDOWS\system32\spoolsv.exe
[6] D:\WINDOWS\system32\lsass.exe
[7] D:\WINDOWS\system32\wbem\WMIAdap.exe
[8] D:\WINDOWS\system32\wbem\WMIPrvSE.exe

I guess it would be possible to add Windows System Applications to Windows/WinEvent Hooks protection exceptions but there is no beforehand guarantee that it will work.

If Windows System Applications cannot work without Windows/WinEvent Hooks there is not much left to do other than acknowledging it.

As D+ acts at runtime and some events could only be triggered on particular setups/software combinations, adding the fact that file groups can be modified by end users, there would be no way to prevent this other than forcing an artificial (maybe unneeded) restriction.

Yes, I tried that after reading your post. The computer still hangs at bootup. But instead of a totally blank screen, the screen is blank except for the message: 55/55 (\Registry\Machine\System\CurrentControlSet\Control\CMF\Config).
That was new and interesting that 55/55 followed by a registry entry reference showed up.

Could you try to disable Memory Firewall and try again, please?

I disabled CMF by unchecking ‘Automatically start application with Windows’ and rebooted. With the Windows/WinEvent Hooks set to ‘Yes’, the computer still would not boot up. The message that I mentioned previously about 55/55 - - - did not show up. The screen simply stayed blank and the computer never finished booting up.

Gibran,
I tried adding all the Windows System Applications entries that you mentioned. There were two that didn’t exist: the Windows\System32\Wbem\WMIAdap.exe and WMIPrvSE were not listed under Running Processes and were not in the Windows\System32\Wbem folder when I tried to add the two files by browsing to that folder. Those two executables are in the Wbem folder and can be found using Windows Explorer. They just didn’t show up using the Add Running Processes or Browse function under Modify.

I tried rebooting with the listed Windows System Applications executables added that I was able to find, and still had the same problem. The computer would not finish booting up. I guess that the only answer is to leave ‘No’ marked for Windows/WinEvent Hooks. I don’t have any problem at all doing that, since ‘No’ is the default. It just seems that Windows/WinEvent Hooks should not even have a ‘Yes’ - ‘No’ option, if choosing ‘Yes’ is going to prevent the computer from booting up. I appreciate you taking the time to address this issue.

One last test to eventually confirm a related bug could be to add an * (all applications) as exception in order to confirm that additional needed exceptions actually exist.
Other Vista users may additionally confirm this test case to eventually confirm it is not setup/configuration dependent.

Preventing Windows/WinEvent Hooks for a specific group could be an alternate solution but IMHO it would be an artificial restriction. In order to be effective those predefined groups should also be prevented from modification adding another restriction. As specific setups could affect the outcome of Windows/WinEvent Hooks protection these restrictions wouldn’t be actually needed in some cases although I guess it could prove useful to add said restrictions as a default option restricting some features from unwilling users.

My system specs are:
P4 HT 3 GHz and over 1 GB RAM available and XP SP3 32-bit, HW DEP OptOut.
Other apps: Comodo Safesurf, Unlocker assistant, Speedfan, Daemon tools 4.30.1 , CIS 3.5.55810.432, COMODO Vulnerability Analyzer 1.1.4, Logitech Setpoint 4.60.122, Symantec Software Virtualization 2.1.3062

On my specific setup enabling Windows/WinEvent Hooks protection for Windows System Applications group did not lock the system even without exceptions (I didn’t test normal operations).

To my limited understanding, though, this could also be caused by XP vs. Vista design differences.
Anyway the protection settings can be applied to non-critical system processes without causing such issues, provided that the protected applications don’t need the disabled (protected) actions.

It’s reproducible for me. We’ll investigate and fix it.
Thanks.

Thanks, dchernyakov

The problem with a Vista Ultimate computer not booting up all the way when Defense+ \ Advanced \ Predefined Security Policies \ Windows System Application \ Protection Settings \ Windows/WinEvent Hooks is set to ‘Yes’ has been solved in the new 3.8.6 Beta version. However, now when this is set to ‘Yes’, Windows Explorer will not open, regedit will not run and gives a popup error, and Windows Install Clean Up utility will not run and gives a popup error. I have added explorer.exe, reg.exe, regapi.dll, regedit32.exe, regini.exe, msicuu.exe, MsiZap.exe, and cmdagent.exe to the exceptions list, but these 3 programs will still not run. If I add the File Groups ‘Executable’ to the exceptions list, then these 3 programs will run, but I think that defeats the purpose of setting Win/WinEvent Hooks to ‘Yes’. I should be able to add only the executables to the exceptions list that allow these 3 programs to run. The problem is that I don’t know what executables, other than the ones that I have already added, to include in the exceptions list. These are the ONLY programs that I have found that are affected by setting this Win/WinEvent Hooks setting to ‘Yes’, but these are all necessary programs that are being blocked by this ‘Yes’ setting. Do you have any idea what other executable(s) need to be added to the exceptions list for these programs to be able to run with this Win/WinEvent Hooks setting on ‘Yes’? The attachments show the Protection Settings and the popup errors.

As you can see from the attached Windows System Application \ Protection Settings, I have all the other settings (Interprocess Memory Access, Process Terminations, and Windows Messages) set to ‘Yes’ without any problems. I did have to add a total of 9 executables to the exceptions list for Interprocess Memory Access to get five or six different necessary programs to run, however. But the executables that I added to the Exceptions list for Interprocess Memory Access in order for these programs to run were all fairly easy to discover. I haven’t been easily able to discover exactly what additional executable(s) to add to the exceptions list for Windows/WinEvent Hooks to allow Windows Explorer, regedit, and Windows Install Clean Up to run.

[attachment deleted by admin]