ProcessLasso and Agnitum's Acs.exe Process

Started by kuraigu, October 11, 2014, 05:22:31 AM


kuraigu

Hello guys!

I've been using Process Lasso for 6 years now, I think, and have been satisfied ever since.
I've also been using Agnitum's Outpost Firewall Pro for years, but the latest version
is a big pain in the *ss !!!! Their acs.exe process, which is the firewall, is causing lags
the more net activity is going on.  >:(
If I close Google Chrome after some usage, for example, the firewall stalls my system
for a few seconds, up to some minutes sometimes.

I've written to Agnitum's support that the process is causing lags/issues, but no
answer since.

Is there any way to actually turn down the lags somehow? I've tried some options, but no
luck :(

thanks in advance!

BenYeeHua

Hmm....
I think you'd better choose another firewall then? It sounds like a badly optimized firewall...

For stalling, it can be caused by the firewall driver, which is not under Process Lasso's control....

Jeremy Collake

This is most likely impossible to fix externally.

Firewalls and other security software work by blocking I/O until they are done with their scanning. Once they give the 'all clear', the I/O can continue.

So, that's probably why you see lags. Something in the firewall is simply not performing optimally.

I hate to say it, but I have no solution here. The author of the firewall really must address the problem.

There may be settings of the firewall that allow you to tune it down in aggressiveness. These *might* make a difference in the overall performance of the firewall.
Software Engineer. Bitsum LLC.

arcanum

Hi,

I've been using Outpost Firewall too. No matter what I do, excluding processes and vice versa, Outpost's logs still fill up every second with "Outpost blocked process from manipulating" or something like that.
I got tired of that and installed another vendor's security suite, which has a very good firewall too, and where excluding processes works.

Maybe JC can hardcode Outpost's kernel driver as "safe"?

Regards,

-arc

Jeremy Collake

Quote from: arcanum on October 16, 2014, 12:27:49 PM
Maybe JC can hardcode Outpost's kernel driver as "safe"?

I may have to do that. I've had to do it with other excessively simple security software. They trigger when Lasso *looks* at their process with read-only rights. But, we all understand that security software is more about scaring users than providing real protection.

I will experiment with this later today and apply an appropriate solution.

Thanks!
Software Engineer. Bitsum LLC.

arcanum

Hi JC,

Security software is "scaring" users? Interesting statement. Unless this "scaring" is there to protect the security software's processes against ring 0 or even ring 1 process termination techniques, like many sophisticated malwares can perform nowadays.

So PL is of course polling every process it has access to. And I'd like to know PL's process termination technique: is it using the basic API calls, or the so-called force terminate?

-arc

Jeremy Collake

I just mean it is in their best interest to be excessively sensitive and false alarm. This drives sales. Ironically, malware continues to be a huge problem, so apparently their efforts aren't that successful.

There are different levels of polling. Lasso only requests read access to processes, which is why I feel this 'protection' is a bit too far. They trigger as soon as Lasso 'looks at' their process. It would have to re-open the process with higher access rights to do any actual changes.

Lasso is not in the security space. We don't do anti-malware. Therefore, we don't have any special termination procedures. Until recently, Lasso offered both a Graceful Terminate and a Forced Terminate. Now we just offer Forced Terminate, to help unclutter the context menu. After all, a graceful terminate can be initiated by the user by other means. In some places, we do still first attempt a graceful terminate before falling back to a forced terminate.
Software Engineer. Bitsum LLC.

Jeremy Collake

Version 7.0.3.5 beta will be uploaded in about 30 minutes.

This build adds 'acs.exe' to its list of tamper-proof processes.

However, I am not satisfied with this solution, so I am going to investigate and see what I can do to keep acs and other tamper-proof processes listed within Lasso. Like I said, I already open with only read-only rights, but perhaps there are additional things I can do -- or maybe contact those companies to get white-listed.
Software Engineer. Bitsum LLC.

DeadHead

Quote from: Jeremy Collake on October 16, 2014, 12:32:28 PM
But, we all understand that security software is more about scaring users than providing real protection.

Indeed, I fully agree with this statement.
Windows 10 Pro 64 (swedish) || Xeon 5650 @ +4 GHz || 24 gig ram || R9280 Toxic

XhenEd

This might be a bit out of topic, but this is still about PL and a security suite.

I use ESET Smart Security 8. But in its HIPS logs, I can see that most records are about PL (ProcessLasso.exe most of the time, but there are also records with ProcessGovernor.exe) prevented by ESET from accessing egui.exe, ESET's User Interface process. I also see that it prevents PL from accessing ekrn.exe, ESET's main process.
The action applied by ESET is "some access blocked", and its Rule is "Self-Defense Protect ekrn and egui processes".

I also just noticed that it logs every second about PL.
I run my laptop's system through Windows 8.1 standard non-admin account.

Jeremy Collake

What I'm going to do is add those processes to the 'tamper-proof ignored processes' as well.

And you bring up another bone of contention I have with the implementation of these tamper detection technologies on security software. They seem to have absolutely no concept of throttling their alerts. There is no need to repeatedly log the same detection event every second. Oh well.

Of course, tamper *protection*, actually blocking abusive calls, is something that makes sense, but this tamper *detection* is alerting on entirely benign read-only access to the process(es).

But, it's not a perfect world, so I'll continue working to improve interoperability with these tamper detection systems.
Software Engineer. Bitsum LLC.
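Two points in Jeremy's replies above lend themselves to a concrete illustration: the distinction between opening a process with read-only (query) rights and re-opening it with rights that could actually modify or stop it (his post of October 16, 12:51), and the lack of throttling when a self-defense module logs the same benign event every second (the post just above). The following is an added example, not code from Process Lasso, ESET or Agnitum. It uses the documented Win32 PROCESS_* access-right values to decide whether a requested access mask could tamper with the target, and collapses repeated identical tamper events inside a time window into one alert with a repeat count. The log line format, the process names other than those named in the thread, and the 60-second window are assumptions made for the example.

```python
"""Classify process-access events as benign (read-only) or tampering, and
throttle repeated identical tamper alerts.

Added example, not code from Process Lasso, ESET or Agnitum. The log format
below is constructed for this example; the PROCESS_* values are the documented
Win32 process access rights from winnt.h.
"""
import re

# Documented Win32 process access rights (winnt.h).
PROCESS_TERMINATE = 0x0001
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_SET_INFORMATION = 0x0200
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_SUSPEND_RESUME = 0x0800
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Rights that let the caller change the target's memory, threads or lifetime.
# PROCESS_VM_READ is deliberately left out: reading memory is worth logging in
# other contexts (credential theft), but it cannot stop or alter the target,
# which is the thread's definition of "tampering".
TAMPER_MASK = (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
               | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_SET_INFORMATION
               | PROCESS_SUSPEND_RESUME)

# Constructed (hypothetical) log format:
#   "<epoch seconds> <source image> -> <target image> access=0x<hex mask>"
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+) access=0x([0-9a-fA-F]+)$")


def parse_line(line):
    """Split one constructed log line into (timestamp, source, target, mask)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable line: %r" % line)
    ts, src, dst, mask = m.groups()
    return int(ts), src, dst, int(mask, 16)


def is_tamper(mask):
    """True if the requested access could modify or stop the target process."""
    return bool(mask & TAMPER_MASK)


def triage(lines, window=60):
    """Return (alerts, suppressed, benign).

    Read-only opens (query/VM_READ only) count as benign and produce no alert.
    Tamper events with the same (source, target, mask) within `window` seconds
    of the first one are folded into that alert's repeat counter instead of
    being emitted again, which is the throttling the thread asks for.
    """
    alerts = []
    first_seen = {}   # (src, dst, mask) -> (timestamp of first event, alert dict)
    suppressed = 0
    benign = 0
    for line in lines:
        ts, src, dst, mask = parse_line(line)
        if not is_tamper(mask):
            benign += 1
            continue
        key = (src, dst, mask)
        if key in first_seen and ts - first_seen[key][0] < window:
            first_seen[key][1]["repeats"] += 1
            suppressed += 1
            continue
        alert = {"ts": ts, "src": src, "dst": dst, "mask": mask, "repeats": 0}
        alerts.append(alert)
        first_seen[key] = (ts, alert)
    return alerts, suppressed, benign


# Constructed sample input. egui.exe/ekrn.exe/ProcessLasso.exe/ProcessGovernor.exe
# are the names from the thread; dropper.exe and injector.exe are hypothetical.
SAMPLE_LOG = [
    "1413500000 ProcessLasso.exe -> egui.exe access=0x1000",      # query limited info only
    "1413500001 ProcessLasso.exe -> egui.exe access=0x1000",      # same, one second later
    "1413500002 ProcessGovernor.exe -> ekrn.exe access=0x0410",   # query + VM_READ, still read-only
    "1413500003 dropper.exe -> ekrn.exe access=0x0001",           # PROCESS_TERMINATE: alert
    "1413500004 dropper.exe -> ekrn.exe access=0x0001",           # repeat inside window: suppressed
    "1413500005 dropper.exe -> ekrn.exe access=0x0001",           # repeat inside window: suppressed
    "1413500006 injector.exe -> egui.exe access=0x002a",          # CREATE_THREAD|VM_OPERATION|VM_WRITE: alert
    "1413500070 dropper.exe -> ekrn.exe access=0x0001",           # 67 s after the first: new alert
]


if __name__ == "__main__":
    found, dropped, quiet = triage(SAMPLE_LOG)
    for a in found:
        print("ALERT %d %s -> %s mask=0x%04x repeats=%d"
              % (a["ts"], a["src"], a["dst"], a["mask"], a["repeats"]))
    print("suppressed=%d benign=%d" % (dropped, quiet))
```

On the constructed input the two Lasso opens and the Governor open produce no alert at all, the three dropper.exe terminate attempts inside one minute become a single alert carrying repeats=2, and the attempt 67 seconds later opens a fresh alert. Whether PROCESS_VM_READ belongs in the tamper set is a policy choice; the example follows the thread's position that read-only access is benign.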

XhenEd

Quote from: Jeremy Collake on October 16, 2014, 11:25:00 PM
What I'm going to do is add those processes to the 'tamper-proof ignored processes' as well.

And you bring up another bone of contention I have with the implementation of these tamper detection technologies on security software. They seem to have absolutely no concept of throttling their alerts. There is no need to repeatedly log the same detection event every second. Oh well.

Of course, tamper *protection*, actually blocking abusive calls, is something that makes sense, but this tamper *detection* is alerting on entirely benign read-only access to the process(es).

But, it's not a perfect world, so I'll continue working to improve interoperability with these tamper detection systems.

I actually support you on this one. :D
Security software is just being paranoid.

arcanum

I always support so-called "one man" programs. JC, if I were you, I'd release a PL Gamer version and leave PL for geeks. Might be good for sales? :)
I'm the first one that's gonna buy the PL Gamer version :)
-arc

BenYeeHua

Quote from: XhenEd on October 17, 2014, 01:19:35 AM
I actually support you on this one. :D
Security software is just being paranoid.
Yeah, but I'd love for them to inform that they can now block new vulnerabilities; this is much more useful than telling you: "We have protected ourselves by blocking all programs' access to us".
For example, CVE-2014-4114, a zero-day vulnerability that was being used the day before Microsoft released the patch (which was October 14).

Anyways, the best quiet security software is still MSE, Windows Defender and any other MA family.
It's just too bad they don't kill viruses that are low threat, even though they have had the best engine for a very long time; they just don't want to "steal" the money from other security software, and they choose to block the source of the virus. :)
(Even though it is rare that they do that (block the source), unless it is too much; for example, they just took control of a free DNS service provider to do that, and I am not sure how the story is now.)

Quote from: arcanum on October 17, 2014, 03:57:25 AM
I always support so-called "one man" programs. JC, if I were you, I'd release a PL Gamer version and leave PL for geeks. Might be good for sales? :)
I'm the first one that's gonna buy the PL Gamer version :)
-arc
If you had searched the forum, you would know that he is doing it now, it's just not done yet, and nope, no more information. ;)

Jeremy Collake

Quote from: arcanum on October 17, 2014, 03:57:25 AM
I always support so-called "one man" programs. JC, if I were you, I'd release a PL Gamer version and leave PL for geeks. Might be good for sales? :)
I'm the first one that's gonna buy the PL Gamer version :)
-arc

Thanks! I think micro-businesses are the future. We don't need the monolithic organizations of the past. Of course, it's not for everyone, and takes a level of drive and self-discipline.

After seeing first-hand how development is done at some of the larger software companies in the PC Optimization space, I can say that certainly a one man show has more advantages than disadvantages, and the quality of the product is usually superior. I certainly don't need some accountant who has no understanding of the software driving my development decisions .. or some egotistical manager destroying my inspiration and limiting my ambition.

As BenYeeHua mentioned, I am working on a Gaming App, along with another secret project. I think people will like them.

And, as you say, Lasso will continue to improve, targeted towards advanced users and server administrators. It's a niche market that the bigger companies don't want to enter, and I'd eat their lunch if they did.
Software Engineer. Bitsum LLC.