Ok. I finally have a worthwhile idea to pitch for the project. This one is security based and spurred on by the security article here, and in particular, this quote:
One clear symptom that you have a case of "Enumerating Badness" is that you've got a system or software that needs signature updates on a regular basis, or a system that lets past a new worm that it hasn't seen before. The cure for "Enumerating Badness" is, of course, "Enumerating Goodness." Amazingly, there is virtually no support in operating systems for such software-level controls. I've tried using Windows XP Pro's Program Execution Control but it's oriented toward "Enumerating Badness" and is, itself, a dumb implementation of a dumb idea.

How difficult would it be to write a program that monitors all code executed by the system? This would look at the programs that run, etc. and decide, based on a list of rules, what is allowed to run. Anything else would be prevented and logged, with the ability to allow it if it is a legitimate application.
Not being a programmer, I don't quite know the implications of this task such as processor time, memory usage, etc. but I think this would be a very useful feature for schools. Certainly it would stand as a big barrier to spyware, malware, adware, etc, as well as stopping staff & pupils trying to install unauthorised applications.
Can someone tell me if this is possible, and whether it can be added to the (potential) features list for the Edugeek Project?
Cheers,
Rob.

Well, the project (once I get my net connection sorted) is an admin's tool kit, in not so many words, and adding it as part of the project is not an issue..
As for the program side, not sure. The problem is you have to make sure that it is very small, as it needs to run a lot. Think of the amount of work it would be doing: for example, just do a task list to see the amount it would have to check before you start doing anything.
But it could be possible...
what do others think?
russ
How difficult would it be to write a program that monitors all code executed by the system? This would look at programs that run, etc and decide, based on a list of rules, what is allowed to run.

Certainly on Linux systems, this is possible today. Playing with mount options is an obvious starting point. Then you can move on to more complex measures like Systrace, Tripwire and SELinux or GRSecurity.
Disclaimer: Here be dragons.
I don't believe this is possible on Windows at the moment. You need intimate support from the OS internals to do this kind of thing and it just doesn't exist.

Was thinking about this. The problem is that we've got antivirus software that intercepts programs, and then this could slow the system right down...
russ
It is possible in VB to list all running applications, and with that information you could compare every title against a safe list and then close any program that is not on the list.
Tom

Originally Posted by uk101man

Comparing by window title can sometimes be unreliable, as there are no strict rules applications adhere to and titles can change regularly, but it is certainly possible and a lot easier on resources. AFAIK, this is how Ranger does it.
I would have to check my coding, but I think it's possible to pull the program's path and name, which I'm guessing you could use to check against a safe list.
Using names as a basis for comparison is a bad idea; for instance, I could just rename a malicious piece of code to a process name that has been declared safe to run and voila. md5sums of the exes would be more useful, but would need to be updated when the program version changes.
On a side note, doesn't Windows group policy have a similar sort of system for safe program execution (which uses the path system and invariably can be bypassed with the method above)?

@E1uSiV3: Yes, I know the exact GPO you are thinking of and it goes back to Win9x days, "Only allow the following programs to be executed" or similar wording. In Win9x it was possible to rename an EXE to something that was allowed, but as far as I know, the newer Win2K+ version of this GPO actually makes a hash of the file, which means that users can't rename EXEs they want to run - but secondly, when applications change, you must remember to re-do the hash of the EXE, otherwise it might not run at all!

I have a nasty feeling that hashes + automatic patching = bad things.
You'd have to be able to easily check which system file hashes have changed, whether the change is legit (or not) and be able to push out the new hashes as part of the patching process.
Is anyone here using this function with success / beyond testing?
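A small Python illustration of the two points raised above (a name-based safe list being defeated by renaming, and hashes going stale after a patch). This is an added example, not code from anyone in the thread; the "executables" are constructed text files in a temporary directory standing in for real binaries, and SHA-256 is used in place of md5sum.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def allowed_by_name(path, allowed_names):
    """Name-based safe list: only the file name is checked."""
    return Path(path).name.lower() in allowed_names


def allowed_by_hash(path, allowed_hashes):
    """Hash-based safe list: the file's contents are checked, whatever it is called."""
    return sha256_of(path) in allowed_hashes


def hash_drift(baseline, paths):
    """Report approved programs whose on-disk hash no longer matches the stored baseline.

    Returns {name: (old_hash, new_hash)}; this is what has to be re-approved after patching."""
    changed = {}
    for p in paths:
        name, current = Path(p).name.lower(), sha256_of(p)
        if baseline.get(name) != current:
            changed[name] = (baseline.get(name), current)
    return changed


def run_demo():
    # Constructed sample files (not real binaries) in a throwaway directory.
    root = Path(tempfile.mkdtemp())
    (root / "trusted").mkdir()
    (root / "downloads").mkdir()
    approved = root / "trusted" / "calc.exe"
    approved.write_bytes(b"APPROVED PROGRAM v1")
    renamed = root / "downloads" / "calc.exe"          # unapproved contents, approved name
    renamed.write_bytes(b"SOMETHING ELSE ENTIRELY")

    names, hashes = {"calc.exe"}, {sha256_of(approved)}
    result = {
        "name_check": (allowed_by_name(approved, names), allowed_by_name(renamed, names)),
        "hash_check": (allowed_by_hash(approved, hashes), allowed_by_hash(renamed, hashes)),
    }
    # Simulate a patch: the approved program's bytes change, so its stored hash is stale.
    baseline = {"calc.exe": sha256_of(approved)}
    approved.write_bytes(b"APPROVED PROGRAM v2")
    result["after_patch_allowed"] = allowed_by_hash(approved, hashes)
    result["drift"] = hash_drift(baseline, [approved])
    return result
```

The name check passes both files, the hash check passes only the genuine one, and after the simulated patch the genuine program fails the hash check until the drift report is used to refresh the safe list.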
I would have thought that the hashing for Windows system patches and the like would be fine; just the application software would be the issue? I suppose it depends on how much software you run and how frequently it needs patching. As long as you run the update and then make the changes, I can't see a problem with that solution?
Wes
Don't exes or any other file types that are able to run have digital signatures or something to that effect, or possibly something else that allows you to determine if it is malware or not?
In theory, yes, but it's voluntary and no bugger uses it apart from Microsoft and a few other people.

Originally Posted by gecko
The whole Windows patching issue can be avoided by adding a rule for the whole Windows directory, as it should be read only anyway for Joe Public.
Indeed. The trouble is you get naff educational software that insists on having write access to .ini files it installs in the windows folder, despite the fact that it only ever reads settings from them.
Asked a Q on EE, here is the URL:
http://www.experts-exchange.com/Prog..._21700066.html
Registration is free ( at least there should be an option to register for free )
If not let me know and I can post back with the info.