Outpost Users Support Forum  
www.agnitum.com

#1
11-06-2004, 03:08 PM
Manny Carvalho
Moderator

Join Date: Oct 2003
Location: Georgia, USA
Posts: 9,867
Component Control in Outpost 2.5.

Below is a FAQ that offers guidelines and resources for using Outpost 2.5 Component Control features. Images in this FAQ are hosted in a different location on this server and some users might not see them unless they modify their use of Active Content's External control.

This FAQ is split in two sections due to post size limitations.

Questions and/or suggestions on this FAQ are invited and should be posted in the General Discussions forums.

Copying This Guide
You may take and distribute copies of this FAQ, in full or in part, subject to the following conditions:
  • You must include mention of the FAQ original location by linking to this thread.
  • You may make additions, but not modifications of existing content, which must be clearly labeled as such and include your contact information to allow anyone with questions to raise them with you.
For your convenience a MS Word Document is enclosed so that it may be read off line.

My thanks to chrisretusn for helping me make section 3 so much better. Thanks also go to the forum leaders and beta testers who were kind enough to make many positive comments.
Attached Files
File Type: doc Component Control in Outpost v2.5.doc (124.5 KB, 702 views)
__________________
Regards,
Manny Carvalho

Last edited by Manny Carvalho; 11-06-2004 at 07:11 PM.
#2
11-06-2004, 03:30 PM
Manny Carvalho

Re: Component Control in Outpost 2.5.

Component Control in Outpost v. 2.5

1.0 Introduction

In addition to monitoring applications, Outpost v2.5 also checks the components or modules used by applications. Since applications may use dozens of components, such monitoring increases safety by making sure that none of these components is malicious. On the other hand, this also increases complications because the user must now determine whether or not a component legitimately belongs to an application. Outpost will ask permission to allow a connection for any application whose components have changed in order to assure it is legitimate. Repeated popups for the same component implies the possibility that malicious software is present and that further scanning for parasites is indicated. The log viewer has a section that shows Component Control activity.

The purpose of this guide is to provide guidelines for using Outpost’s Component Control function and provide resources in responding to such requests.

2.0 Settings

Component Control (CC) is accessed by clicking Options and then, on the Applications tab, pressing the Components button (Figure 1) to show the Component Control Settings. Here (Figure 2) three sections of settings are available as follows:



Figure 1. Application tab of Outpost Options.
Figure 2. Settings Panel for Component Control.

2.1 Component Control Level

Outpost allows for three levels of component control.
  • Normal: This looks at updated components and accepts components located in the program folder as legitimate. Most users will use this as it offers a good balance between safety and fewer popups.
  • Maximum: This option yields the most safety, and the most popups, since it monitors all changes. Advanced users may want to use this setting particularly if they are comfortable with the recommendations in A Guide to Producing a Secure Configuration for Outpost. On some systems this setting might have a negative impact on system performance.
  • Disabled: You can turn the whole thing off and not worry about how to respond. This is not recommended since CC offers significant protection from injection of malware into normal components.
2.2 Shared Components

To simplify programming, applications often share components. Repeated popups for the same component by multiple applications indicate that the component is shared. Windows shared components are added to this list automatically by Outpost since so many applications use them. Other examples of software that use shared components by adding their DLLs to other programs are mouse/touchpad drivers, eye candy programs like WindowBlinds, security software such as AVG, Sun Java, etc. If you know of such components you may add them when answering CC or you can modify existing list components. To make changes press the Edit List button in the CC settings panel (Figure 2) to access the trusted Shared Components list (Figure 3).

To manually add a component, click the Add button and browse to the specific component to add it. To remove a shared component select it in the window and click remove. A reason to remove a shared component might be due to an erroneous entry that occurred when all components listed in the popup were accepted but only some needed shared status.


Figure 3. The Shared Components List

Since shared components change dramatically when the operating system or other software is upgraded, rebuilding the data base, by pressing the button by the arrow, allows Outpost to recognize those changes. Although this will remove manual modifications, it will save you considerable time in answering popups and will not modify the application component list. Only the shared components will be impacted. Of course, you should make sure that your system is not infected before rebuilding the database. Otherwise, you may give permission for malware to operate without restrictions by Outpost.

Similarly, unshared application specific components may be modified using the Components button in the Rules dialog box for each specific application.

2.3 Open Process Control

The last setting in Figure 2 is the Open Process Control (or Process Memory Control, as it is called in the OP help file). It’s possible for malware to alter the code of a trusted application running in memory, known as code injection or the copycat vulnerability. Outpost 2.5 monitors and prevents the injection of code into the address space of a trusted application.

To enable this option, tick the “Block network access if application memory was modified by another process” radio button in Figure 2.

It is possible that legitimate calls may be blocked by this function. Some users may legitimately call a program from within another program and be blocked. For example, calling MSN Messenger from within a program that aids the visually impaired will result in CC telling you “Network access for msnmsgr.exe was blocked because its memory was modified by another process.” This will result in blocking network connectivity for MSN Messenger. In addition, software that monitors processes in memory, such as TrojanHunter Guard, may also cause loss of internet connectivity.

Since there are no options to modify this setting and allow for an exclusion list, you must untick this option to allow such legitimate programs to function. Disabling this feature will, however, leave you vulnerable to these specific vulnerabilities. If you visit mainstream sites and have other layered protection in place, then disabling the Open Process Control feature should pose a minimal risk. Otherwise you will need to investigate alternative means of opening such a program.

2.4 Hidden Processes

Component Control monitors hidden processes. Briefly, some processes (called the parent) do not access the network directly. Rather they initiate another process (called the child), hidden from the user, that performs the network activity. This hidden spawned child process, although designed for convenience, may bypass firewall restrictions because it’s not the initiating parent process. Malware can utilize this mechanism for malicious purposes.

This setting is located, as its own separate button, in the Applications tab of Options in Figure 1. Pressing the Hidden Process button leads to a settings panel where the user may:
  • Allow network activity according to predefined rules for the parent process.
  • Block all network access for hidden processes.
  • Prompt every time hidden network activity occurs.

An example of a hidden process is using the right click thesaurus option of the Merriam-Webster online toolbar for Internet Explorer. When using this browser plug-in with Maxthon, essentially an Internet Explorer overlay browser, it triggers a hidden process. That is, the plug-in causes Internet Explorer to activate in order to use the thesaurus. This means that Internet Explorer is called silently from within the Maxthon browser. If Hidden Processes is set to prompt, it will trigger the popup in Figure 4. Such requests should be initially blocked if not recognized. When it’s determined that the request is safe allow it. In this case, blocking the request causes the thesaurus lookup to fail. Since it’s a known safe process, it may be allowed the next time.

Most users will use the Allow option for Hidden Processes since this will follow the existing parent process rules. Network activity may be blocked if such rules are inadequate or tight, depending on your viewpoint. For example, in the above situation with the thesaurus, if Internet Explorer had no rules then in addition to the Hidden Process popup additional requests for rules might be made depending on firewall policy. Such a rules request for Internet Explorer would be made if operating in the wizard mode or network activity blocked (using the Block All Activity reason in the blocked logs) in the Block Most mode. To determine hidden process activity on your system, select the Prompt option. For a tight configuration, use the Block option, if conveniences such as the thesaurus are not a consideration.



Figure 4. The Hidden Process Popup.
Attached Images
File Type: gif hidden Process.gif (12.7 KB, 6 views)

Last edited by Manny Carvalho; 07-17-2009 at 04:27 AM.
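The parent/child relationship that section 2.4 describes (Maxthon silently launching Internet Explorer, for instance) can be made visible on a modern Windows host. This is an added example, not part of the FAQ or of Outpost; it assumes Windows PowerShell 5.1 or later with the Get-NetTCPConnection cmdlet available, and the process names in the usage filter are only a starting point.

```powershell
# Added example, not from the FAQ: for every established TCP connection, report the
# owning (child) process and the process that launched it (the parent), so a
# connection made by a hidden spawned process can be traced back to its initiator.
function Get-NetworkProcessParent {
    [CmdletBinding()]
    param()

    # Snapshot all processes once so parent lookups are cheap and consistent.
    $procs = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $procs[[int]$_.ProcessId] = $_
    }

    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $child  = $procs[[int]$_.OwningProcess]
            $parent = if ($child) { $procs[[int]$child.ParentProcessId] } else { $null }

            # A child that exited between the two snapshots, or a parent that is
            # already gone (or whose PID was reused), is reported rather than dropped;
            # an unknown parent deserves the same caution as an unrecognised popup.
            $childName  = if ($child)  { $child.Name }  else { '<exited>' }
            $parentName = if ($parent) { $parent.Name } else { '<unknown>' }

            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                ChildPid      = $_.OwningProcess
                Child         = $childName
                ChildPath     = if ($child) { $child.ExecutablePath } else { $null }
                ParentPid     = if ($child) { $child.ParentProcessId } else { $null }
                Parent        = $parentName
            }
        }
}

# Usage: show connections whose owning process was started by something other than
# the shell or a service host; in the FAQ's thesaurus case this is where
# Parent = Maxthon.exe, Child = iexplore.exe would appear.
Get-NetworkProcessParent |
    Where-Object { $_.Parent -notin @('explorer.exe', 'services.exe', 'svchost.exe') } |
    Sort-Object Parent, Child |
    Format-Table Parent, Child, ChildPid, RemoteAddress, RemotePort -AutoSize
```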
#3
11-06-2004, 03:57 PM
Manny Carvalho

Re: Component Control in Outpost 2.5.

3.0 Answering Popup Requests

By far, most users know CC by the popups that occur when a changed or a newly used component is detected by Outpost. When seeing, as in this real life example, a popup like the one below the question becomes, “now what do I do?”


Figure 5. The typical Component Control Popup.

Component Control is asking to verify the authenticity of msspell3.dll being used by Outlook 2003. At this point, Outlook is blocked from making a connection until a selection is made. The details of this component, msspell3.dll, indicate that it’s a Microsoft speller and version 1.1.6215. Additionally the component is located in C:\Program Files\Common Files\Microsoft Shared\PROOF folder, which seems to be a likely place for a spell checker module.

As Outlook was being used at the time, at first glance, this seems acceptable. However, because Outlook had been in use for a while without this particular component being questioned, it required further checking. As a first quick check, a Google search can be used to determine if there’s a possibility that this might be some type of malware. Finding nothing significant, a further check at ProcessLibrary.com indicates that this component is indeed a spell checker used by Word. Since Word is currently being used as Outlook’s default editor, this adds further evidence that this is a legitimate component.

To further verify the legitimacy of this component, Microsoft’s DLL Help Database is used. There, the file version, description, size and date exactly match the component being questioned. Therefore, msspell3.dll, with a high degree of certainty, is most likely a legitimate Microsoft component.

In this case, the file path listed in the Database is not identical. However, since the installation was not to the default directory and the Exchange server is not being used, it could not be expected to match. Therefore, this piece of non-matching data is not considered germane and ignored.

Why this component was triggered at this particular moment may not be so obvious. Components change when software is updated. Possibly, either Outlook or Word needed a specific function in msspell3.dll that had not been previously used, so CC was triggered. It is very common to find, especially with Microsoft Office, multiple DLL files that contain the same functions. Identifying the exact reason why msspell3.dll triggered CC at this particular moment would be extremely difficult, to say the least.

However, since the file has all indications of being legitimate, it is reasonable to decide to accept it and allow Outpost to update the information for this component. Further, since both Outlook and Word are most likely sharing this file it can be accepted as a shared component.

Had no information been found regarding msspell3.dll, then the prudent thing is to block Outlook until it’s determined if this file is malware. To make that determination the protocol listed in The Parasite Fight! article may be followed.

Conversely, had this component been recognized and caused by an immediate action taken to trigger CC, accept it right away and without further research.

Is this troublesome and a pain? Yes. Unfortunately, given the state of the internet security problem, this is something that needs to be done in order to keep your system clean. Common sense and a little study will make for a more reasoned decision and enjoyable internet experience. With a bit of practice, assuring the legitimacy of a component can be done in a few minutes. As you understand your system in greater depth it’s possible to know the reason why a component just changed and accept it right away without any additional investigation. Possible reasons why components change are:
  • A recent Windows update.
  • New software installation or update.
  • A new Outpost install.
  • Using a function for the first time.
  • A malware infestation.
With time, you should begin to recognize the pattern of your system. Generally, component control should settle down a few days after changes are made. It is at this point that the CC becomes a useful sign of possible malware infestation and its warnings need to be taken seriously and investigated using an approach similar to the one illustrated in this section.

As a final note, there are alternatives to Component Control. Programs like Process Guard or System Safety Monitor offer application/process protection but are beyond the scope of this FAQ.

4.0 Resources

Sites that may be used to determine the legitimacy of components are:

ProcessLibrary.com
Microsoft’s DLL Help Database

Additional sites that list common Windows processes and malware files:

Bugs, Glitches & Stuffups
Castle Cops Startup List
Dangerous files database
File database index
List of Browser Helper Objects (BHO)
LI Utilities
M. Preslar’s Startup Applications List
Task List Programs
Windows Startup Online® Search

5.0 Document History

5.1 New Issue: 6 November 2004

Last edited by Paranoid2000; 07-20-2006 at 03:43 AM. Reason: Updated link for System Safety Monitor
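Section 3 walks through the checks for msspell3.dll by hand: version, description, size, date, and whether the folder is a plausible home for the module. The script below gathers that same evidence for any DLL named in a popup, plus a hash and the Authenticode signature that the FAQ's era lacked. It is an added example, not part of the FAQ or of Outpost; it assumes Windows PowerShell 5.1 or later, and the Outlook path in the usage call is a placeholder.

```powershell
# Added example, not from the FAQ: collect the facts section 3 compares against
# ProcessLibrary.com and the DLL Help Database, for a DLL named in a CC popup.
function Get-ComponentEvidence {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComponentPath,    # DLL named in the popup
        [Parameter(Mandatory)] [string] $ApplicationPath   # EXE that loaded it
    )

    $dll         = Get-Item -LiteralPath $ComponentPath -ErrorAction Stop
    $appDir      = Split-Path -Parent $ApplicationPath
    $commonFiles = [Environment]::GetFolderPath('CommonProgramFiles')

    # Authenticode state is the strongest single signal; the hash lets you compare
    # the file with a vendor record without trusting the folder it sits in.
    $sig    = Get-AuthenticodeSignature -FilePath $dll.FullName
    $hash   = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # The "Normal" CC level treats components in the program's own folder as
    # legitimate; Common Files is where Office keeps shared modules like msspell3.dll.
    $expected = $dll.DirectoryName.StartsWith($appDir, 'OrdinalIgnoreCase') -or
                $dll.DirectoryName.StartsWith($commonFiles, 'OrdinalIgnoreCase')

    [pscustomobject]@{
        File             = $dll.Name
        Folder           = $dll.DirectoryName
        Description      = $dll.VersionInfo.FileDescription
        Company          = $dll.VersionInfo.CompanyName
        FileVersion      = $dll.VersionInfo.FileVersion
        SizeBytes        = $dll.Length
        Modified         = $dll.LastWriteTime
        SHA256           = $hash
        SignatureStatus  = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer           = $signer
        InExpectedFolder = $expected
    }
}

# Usage with the FAQ's case; the Outlook path is a placeholder for your own install.
Get-ComponentEvidence `
    -ComponentPath   'C:\Program Files\Common Files\Microsoft Shared\PROOF\msspell3.dll' `
    -ApplicationPath 'C:\Program Files\Microsoft Office\OUTLOOK.EXE' |
    Format-List
```

A NotSigned or HashMismatch status, or a folder outside the application's own tree and Common Files, is the cue to block the application and follow the investigation steps the FAQ describes before accepting the component.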