Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: floste on July 28, 2011, 02:17:30 PM

Title: Safezone and Sandbox vs DllInjection
Post by: floste on July 28, 2011, 02:17:30 PM
I was using avast free for years and I like it, so I decided to donate some money by buying the pro version.

Then I just wondered: What is that SafeZone and how does it work?
I opened Process Explorer and noticed that the processes run under the same user account o.O
I tried some simple dll-injection into the browser and the first attempt worked. This really made me laugh.

When I tried to save some screenshots I noticed that the file is created but empty afterwards, when I place it on the system drive. But saving to another drive was no problem at all.

Could you please tell me what this feature is supposed to prevent?

I'm curious to see whether this post will be deleted^^
Title: Re: Safezone vs DllInjection
Post by: gdiloren on July 28, 2011, 03:36:39 PM
From what I read and already used, SAFEZONE BROWSER is a Google browser without toolbars that can access your info. Nothing else. Nothing goes from out into but you can go from in to out,so that's why they call it safezone. What's a dll injection and how do you do it?
 ???
Title: Re: Safezone vs DllInjection
Post by: floste on July 28, 2011, 05:38:10 PM
DllInjection is when one process adds code to another running process. The target usually does not notice, but the code is executed inside the target process and can basically do anything on behalf of the target. The injected code could intercept any user input, network traffic, basically everything that is handled by the target process.

Quote
Nothing goes from out into
Obviously ANY program code can go into the "SafeZone" from outside (outside=normal desktop) ^^

Quote
From what I read and already used, SAFEZONE BROWSER is a Google browser without toolbars that can access your info.
Yes, it is a browser without the usual addons and toolbars. But what is the point in having it on a separate desktop, if that second desktop is just as secure as the regular one ???

Quote
and how do you do it
Ask Google: http://lmgtfy.com/?q=dll+injection
Title: Re: Safezone vs DllInjection
Post by: MAG on July 28, 2011, 06:48:26 PM
I'm curious to see whether this post will be deleted^^
Posts are not deleted on this forum unless spam or malicious as far as I can see.

I suspect it would help the program developer to investigate/comment if you posted full details of what you did - and any helpful screenshots.
Title: Re: Safezone vs DllInjection
Post by: YoKenny on July 28, 2011, 07:03:07 PM
@ floste

Looks like you are German and need help using avast! "SafeZone" browser.

The built in Help is great in English for me but I am not sure what localized language you have installed but what I see
Quote
avast! SafeZone
The avast! SafeZone is an additional security feature in avast! Pro Antivirus and avast! Internet Security, which allows you to browse the web in a private, secure environment, invisible to the rest of your system. For example, if you do your banking or shopping online, or other security-sensitive transactions, you can be sure that your personal data cannot be monitored by spyware or key-logging software. Unlike the avast! Sandbox, which is intended to keep everything contained inside so that it cannot harm the rest of your system, the avast! SafeZone is designed to keep everything else out.

Please read:
How to attach a Picture or File on the forum:
http://forum.avast.com/index.php?topic=8982.0
Title: Re: Safezone vs DllInjection
Post by: floste on July 28, 2011, 07:19:47 PM
Quote
I suspect it would help the program developer to investigate/comment if you posted full details of what you did - and any helpful screenshots.

This is a well-known and well-documented technique - every developer interested in Windows security should know it. There are thousands of examples, demos and tutorials on the net, even a dedicated Wikipedia article.

I think only a few details are important at all:
1. I am using Windows 7 x64 and Avast Pro 6.0.1203
2. Target I used: SafeZoneBrowser.exe, the one with the medium integrity level

Quote
need help using avast! "SafeZone" browser.
Not quite, maybe you should read the entire topic twice^^
Actually the developers of avast seem to have a problem, not I.

Indeed, I see the German translation of this:
Quote
[...] cannot be monitored by spyware or key-logging software [...] the avast! SafeZone is designed to keep everything else out.
It took me 5 minutes to get code from outside to inside without doing anything inside. *giggle*
Title: Re: Safezone vs DllInjection
Post by: MAG on July 28, 2011, 07:22:43 PM
Yes, but can you provide the details/screenshots please.
Title: Re: Safezone vs DllInjection
Post by: floste on July 28, 2011, 08:20:49 PM
The forum thinks the images are too large, so I use imagebanana

1. Enter SafeZone
-> Screenshot1:
(http://img6.imagebanana.com/img/zkpnpl9p/thumb/screenshot1.png) (http://www.imagebanana.com/view/zkpnpl9p/screenshot1.png)
2. Leave again
3. Do dll injection
-> Screenshot2:
(http://img6.imagebanana.com/img/amhzhpf3/thumb/screenshot2.png) (http://www.imagebanana.com/view/amhzhpf3/screenshot2.png)
4. Go back and see what happened (I used a dll which starts cmd from DllMain)
-> Screenshot3
(http://img6.imagebanana.com/img/14sceug1/thumb/screenshot3.png) (http://www.imagebanana.com/view/14sceug1/screenshot3.png)


Note that it is technically NOT necessary to leave the SafeZone to do this. It should be easy to write a background program to automate this.
Title: Re: Safezone vs DllInjection
Post by: 13N on July 28, 2011, 09:31:56 PM
Process Hacker has kernel level access, from which it can do anything to any process/file/hook/etc, likely including dll injection into application level.
The point is to prevent unknown 3rd party programs from gaining kernel level access, not to try to defend against them after the fact. Sure, you can add certain mechanisms to counter specific kernel program functions, but they can be easily bypassed and can add performance overhead and software incompatibilities.

No protection feature can protect you from a rootkited host.
Title: Re: Safezone vs DllInjection
Post by: floste on July 28, 2011, 10:18:58 PM
I know it has the ability dude, I am not silly, BUT IT HAD NO KERNELMODE ACCESS when I used it:
1.) I explicitly disabled the kernelmode access in the options.
2.) I did not start it with admin rights, so it had no chance to load the driver
3.) It FAILS against AvastUI.exe

One can easily see whether it has kernelmode access at the time:
If there are blank fields in "User Name" and "Integrity" columns then the driver is not loaded.
If there are no blank fields, it is likely to have kernelmode access.


Check it out yourself if you do not believe me!

Here are my loaded drivers, sorted by name (You won't find kprocesshacker.sys)
(http://img6.imagebanana.com/img/01xtiwy3/thumb/Screenshot.jpg) (http://www.imagebanana.com/view/01xtiwy3/Screenshot.jpg)

Well, at least you have some technical understanding^^
Title: Re: Safezone vs DllInjection
Post by: 13N on July 28, 2011, 10:58:12 PM
I can confirm your findings (XP SP3, no kernel access from PH). Could you try to inject the dll in SafeBrowser child processes, instead of the parent one?(if you haven't tried already)
I found that it's not possible to inject in child processes, only in the parent one. I could be mistaken, but Chrome is probably built so that child processes are the ones dealing with web content/information sending/processing, so it's being protected from dll injection (or sniffing from parent) so there's no direct danger from information sniffing that way. But that still leaves that it's possible to "remotely" (tentative name, since it's not really a "remote") execute code in SafeZone from host PC (which is infected) which could sniff out info... in some alternate manner.
Would be nice to hear from devs about this.
Title: Re: Safezone vs DllInjection
Post by: MAG on July 28, 2011, 11:13:24 PM
Would be nice to hear from devs about this.

I agree - it would be good if pk (the developer) could chip in.

It's interesting info. I don't have the level of understanding you guys have, but I have been pondering for a while whether the safezone virtual isolated desktop approach or the Trusteer Rapport block browser mods/logging/capture approach is actually the more secure against malware on the machine.
Title: Re: Safezone vs DllInjection
Post by: floste on July 28, 2011, 11:16:59 PM
Quote
Could you try to inject the dll in SafeBrowser child processes, instead of the parent one?(if you haven't tried already)

Strange: It does not give an error, but no dll is loaded. However: One can read and write the process memory of the child processes from remote, so it is definitely possible to execute code. But I do not have the patience to turn on my compiler today, besides I normally charge people for writing that kind of code.

Quote
"remotely" (tentative name, since it's not really a "remote") execute
These kind are my speciality *haha*

Quote
It's interesting info. I don't have the level of understanding you guys have, but I have been pondering for a while whether the safezone virtual isolated desktop approach or the trusteer rapport block browser mods/logging/capture approach is actually the more secure against malware on the machine.

Well, such approaches are usually secure... as long as malware writers do not take them into consideration when writing their code. If the malware has admin rights (remember: UAC on standard level in Windows 7 is still broken by design) the machine is lost. If the malware has "only" user rights, a secured desktop approach could really help, but only if it runs under a different user account! And avast makes the mistake that the secured browser is running under the same user account! That is the root cause of this flaw.
Title: Re: Safezone vs DllInjection
Post by: MAG on July 29, 2011, 04:04:15 PM
I believe browsers are set up to allow dll injection at some level by default (avast behaviour shield employs dll injection on browsers to monitor behaviour - and every time it does trusteer rapport blocks it on my system).

I can't see why the safezone browser should be set up this way though - it doesn't want to let anything else in.

And of course, rapport doesn't run in safezone.

Do any other AIS users find this thread a bit disconcerting - or is this in reality something that malware would struggle to replicate (i.e. an attack that is really only possible with more or less full control of the host machine)?

Title: Re: Safezone vs DllInjection
Post by: Rednose on July 29, 2011, 05:01:03 PM
it would be good if pk (the developer) could chip in.

I have sent Petr an email with a link to this topic :)

Greetz, Red.
Title: Re: Safezone vs DllInjection
Post by: floste on July 29, 2011, 05:05:18 PM
Quote
I believe browsers are set up to allow dll injection at some level by default (avast behaviour shield employs dll injection on browsers to monitor behaviour - and every time it does trusteer rapport blocks it on my system).

It is not a property of the browsers but the way windows works:
Any program can manipulate any other program running under the same user account at the same Integrity Level in any way it wishes.

The proper and relatively simple solution would be to run the SafeZone under a different user account.  :)

Quote
I can't see why the safezone browser should be set up this way though - it doesn't want to let anything else in.
Yes, but it is not so easy to block these functions. The best way is to make windows block it for you somehow! As I said, just running it under a different user account using a service as broker would at least increase the security.

Quote
Do any other AIS users find this thread a bit disconcerting
Well, that's most likely because you do not understand the technical details ^^

Quote
or is this in reality something that malware would struggle to replicate
DllInjection is very common and already in use for:
-Displaying framerates and other info inside games
-Cheats/mods
-Spell checking
-Bypassing firewalls
-Usermode rootkits
-Keyloggers

There are many variations of the technique
Most common for keyloggers is SetWindowsHookEx, this does not work against SafeZone.
Most common for specific targets (e.g cheats/mods) is CreateRemoteThread, this still works.
And some more complicated variations

So a huge percentage of programs using such techniques will not work. But they could be modified to work again^^


I would like to hear from/chat with a developer.
Title: Re: Safezone vs DllInjection
Post by: Rednose on July 29, 2011, 05:20:35 PM
Read my previous post :)

Petr Kurtin is the developer of SafeZone, so also the person to discuss it with :)

Greetz, Red.
Title: Re: Safezone vs DllInjection
Post by: MAG on July 29, 2011, 06:53:13 PM

Quote
Do any other AIS users find this thread a bit disconcerting
Well, that's most likely because you do not understand the technical details ^^


Well, yes - but I was happier in my ignorance before you posted :(
Title: Re: Safezone vs DllInjection
Post by: gdiloren on July 30, 2011, 05:07:54 PM
I did not try the dll injection cause too complicated for me. I expect AILWIL to test it. What I found is that I have to thoroughly clear my browsing data before exiting safe zone. Does it solve the problem? Is there still piracy?
 :P
Title: Re: Safezone vs DllInjection
Post by: floste on August 01, 2011, 10:50:46 PM
Actually I thought: This will never ever work and did not even try until today.

But it seems like the so-called sandbox is all about drawing red frames but not preventing anything.

What I did: Start Process Hacker in sandbox and do dllinjection into random processes (truecrypt, firefox etc)
Result: First attempt worked, sandbox outbreak...

This is so hilarious!
Title: Re: Safezone and Sandbox vs DllInjection
Post by: pk on August 02, 2011, 05:41:50 PM
(edited, do some more tests)
Title: Re: Safezone and Sandbox vs DllInjection
Post by: MAG on August 05, 2011, 10:34:03 AM
(edited, do some more tests)
Any more news?
Thanks
Title: Re: Safezone and Sandbox vs DllInjection
Post by: MAG on August 09, 2011, 08:55:09 PM
(edited, do some more tests)
Any conclusions yet?
Title: Re: Safezone and Sandbox vs DllInjection
Post by: MAG on August 12, 2011, 07:12:57 PM
Well, after 10 days of silence I'm guessing it has not proven easy for avast to dismiss the OP's claims.

Issues with the sandbox effectiveness wouldn't be much of a problem for me. The only thing I have set up to run in the sandbox is IE9 (which I don't use anyway).

Safezone weaknesses would be more of a concern.

Title: Re: Safezone and Sandbox vs DllInjection
Post by: floste on August 13, 2011, 12:05:04 PM
Quote
Well, after 10 days of silence I'm guessing it has not proven easy for avast to dismiss the OPs claims.
::) What did you expect?

At least somebody of their staff noticed. 2 weeks for a response and several months more for a fix are nothing unusual.  ;)

Quote
The only thing I have set up to run in the sandbox is IE9 (which I don't use anyway).
IE9 already has a "sandbox" when run under Vista or above. And both sandboxes amend each other very well!
Title: Re: Safezone and Sandbox vs DllInjection
Post by: MAG on August 14, 2011, 12:12:38 PM
I'm wondering if there might be a different way to get something like safezone.

Run a tiny linux OS (loaded from CD) entirely in memory. No persistence for changes.

It's certainly quick!

Title: Re: Safezone and Sandbox vs DllInjection
Post by: MAG on September 15, 2011, 07:07:49 PM
(edited, do some more tests)
Any update on this available now that a new version of avast is out?
Title: Re: Safezone and Sandbox vs DllInjection
Post by: floste on September 15, 2011, 09:28:35 PM
Obviously not...
Title: Push
Post by: floste on January 17, 2012, 10:01:57 PM
Push

(Nothing happened so far)
Title: Re: Safezone and Sandbox vs DllInjection
Post by: pk on January 20, 2012, 01:26:22 AM
This was already fixed in avast7 version, thanks for report.