Execution control & key protection inactive for processes exempted from BO [NBZ]

Defense+ doesn’t react to some running processes. :o

The bug/issue

  1. What you did:
    I installed “bitvise WinSSHD 5.20” and ran “WinSSHD Control Panel” (“sshdctrl.exe”, SHA1: 5E82A74F55D9A03B9A4F49F555D1EBBE463B01E5)

  2. What actually happened or you actually saw:
    CIS doesn’t create a Defense+ rule for “sshdctrl.exe” and doesn’t show any alert when “sshdctrl.exe”, for example, changes a protected registry branch (“HKCU\Software\Microsoft\Windows\CurrentVersion\Run”).

  3. What you expected to happen or see:
    I want to have the Defense+ control over “sshdctrl.exe”.

  4. How you tried to fix it & what happened:
    Half-success if I manually add the “sshdctrl.exe” to the D+ rules.

  5. If it’s an application compatibility problem, have you tried the application fixes?:
    I added exclusion to “buffer overflow protection” for all WinSSHD files and for cmd.exe.

  6. Details (exact version) of any application involved with download link:
    bitvise WinSSHD 5.20 – link: http://dl.bitvise.com/WinSSHD5-Inst.exe or http://dl.bitvise.com.s3-external-3.amazonaws.com/WinSSHD5-Inst.exe

Files appended

  1. Screenshots illustrating the bug: screen capture video in sshdctrl.mp4.zip

  2. Screenshots of related CIS event logs and the Defense+ Active Processes List: Active Process List.png

  3. A CIS config report or file: used_config.cfgx.zip

Your set-up

  1. CIS version, AV database version & configuration used:
    CIS: v5.0.163652.1142, AVdb: 7037, used_config.cfgx

  2. a) Have you updated (without uninstall) from CIS 3 or 4: NO

  3. a) Have you imported a config from a previous version of CIS: NO

  4. Other major changes to the default config (eg ticked ‘block all unknown requests’, other egs here. )
    Defense+:
    Paranoid Mode
    Create rules for safe apps: ON

  5. Defense+, Sandbox, Firewall & AV security levels:
    D+= Paranoid, Sandbox= Enabled , Firewall = Safe , AV = Stateful

  6. OS version, service pack, number of bits, UAC setting, & account type:
    XP SP3 ENG 32-bit, administrator account

  7. Other security and utility software installed: NO

  8. Virtual machine used (Please do NOT use Virtual box):
    VMware Workstation 7.1.3 build-324285


Regards, bazolo O0

[attachment deleted by admin]


An exemplary bug report, thanks

OK this is a complex one, and this note is as much to devs as bazolo.

I think what is probably happening here is that BO exclusions now exclude from guard32 as well as from BO tests. Devs have been forced to do this because incompatibility issues with some apps resisted all attempts to resolve them. Accordingly any executable running under BO exclusions is operating at a generally lower security level.

Obviously this is undesirable, but because it is limited to one application, not as serious as some.

So I think it’s a valid issue, but I’m not sure what priority will be given to fix it. It will probably get fixed with a heap of others when they work out how to finally resolve the guard32 issues. I think my FAQ should be amended to point out the risks.

Hope this helps a bit. Forwarding now.

Best wishes

Mike

As a further reflection maybe this report might be re-expressed.

“Clearer description of implications of BO exclusion needed”. That would be easy to fix.

Hi,

Unfortunately, even if I remove all exclusions from BO, “sshdctrl.exe” still runs freely without its own rule and e.g. changes protected registry branches. :confused:

I think inside “sshdctrl.exe” is the secret of bypassing CIS, and this mechanism could be used e.g. with hack tools to take control over an attacked computer.

Regards, bazolo

By your screenshot have you set it as installer/updater?

This would give it all the rights it needs.

Dennis

CIS automatically runs “sshdctrl.exe” as installer/updater. I have not created any rule that treats it this way. CIS does not even ask about it.

Regards, bazolo

Because the file is trusted.

Hm, yes, but “sshdctrl.exe” isn’t an installer :confused: It should be treated as a normal (trusted or not) executable (to have control in Paranoid Mode), but if it is automatically recognized and runs all the time as an installer, it can do anything without any control and any log.
I think a good idea would be for CIS to at least write such general activity of installers to the log (e.g. the start and end time of a process).

Regards, bazolo
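The complaint in the post above is that a process CIS treats as installer/updater can change the HKCU Run autostart key with no alert and no log entry. A manual check for that specific gap, as an added example that is not part of the thread or of CIS: snapshot the Run key before launching the program under test, snapshot it again afterwards, and list what was added, removed or modified. It assumes nothing beyond the registry path the report names and Windows PowerShell (written to work on the 2.0 release available for XP SP3).

```powershell
# Added example (not from the bug report or from Comodo): detect changes to the
# HKCU Run autostart key made while a program under test was running.
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-RunSnapshot {
    # Returns a hashtable of value-name -> command string for the Run key.
    param([string]$Path = $RunKey)
    $snap = @{}
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the PS* metadata properties Get-ItemProperty attaches.
            if ($prop.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                $snap[$prop.Name] = [string]$prop.Value
            }
        }
    }
    return $snap
}

function Compare-RunSnapshot {
    # Returns one object per Added / Modified / Removed autostart entry.
    param([hashtable]$Before, [hashtable]$After)
    $changes = @()
    foreach ($name in $After.Keys) {
        if (-not $Before.ContainsKey($name)) {
            $changes += New-Object PSObject -Property @{ Change = 'Added'; Name = $name; Value = $After[$name] }
        } elseif ($Before[$name] -ne $After[$name]) {
            $changes += New-Object PSObject -Property @{ Change = 'Modified'; Name = $name; Value = $After[$name] }
        }
    }
    foreach ($name in $Before.Keys) {
        if (-not $After.ContainsKey($name)) {
            $changes += New-Object PSObject -Property @{ Change = 'Removed'; Name = $name; Value = $Before[$name] }
        }
    }
    return $changes
}

# Usage: snapshot, run the program under test (sshdctrl.exe in the report),
# then compare. Each reported entry is something the HIPS did not log.
$before = Get-RunSnapshot
$null = Read-Host 'Run the program under test, then press Enter'
$after = Get-RunSnapshot
$diff = @(Compare-RunSnapshot -Before $before -After $after)
if ($diff.Count -eq 0) {
    'No changes to HKCU Run.'
} else {
    $diff | Select-Object Change, Name, Value | Format-Table -AutoSize
}
```

The same two functions work for any other autostart key by passing a different `-Path` to `Get-RunSnapshot`; comparing snapshots rather than watching live keeps the check independent of whatever the HIPS does or does not report for a process it has decided to trust.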

Well noticed Dennis! So I think this is resolved, what remains are help issues about how to keep control in paranoid mode?

Mouse

Thanks for the help :slight_smile:

  • bazolo