PROCESSGUARD V3


Infinity
September 10th, 2004, 07:12 PM
sorry for asking but can you PLEASE tell us what will be added or enhanced in the new version?

you guys are making me crazy. please tell us a bit.

Thanx

rdsu
September 10th, 2004, 08:08 PM
This new version will have a free version too?

Pilli
September 11th, 2004, 04:48 AM
Infinity wrote: -{ Quote: "sorry for asking but can you PLEASE tell us what will be added or enhanced in the new version?" }-
I am sure DCS will respond to your question in more detail than I :)

The new version includes at least two more recently found possible vulnerabilities, of which there is no known malware, as yet, in the wild.

Many stability issues addressed including full XP SP2 compatibility.

Will work correctly with multiple-user PCs.

A new simplified user interface.

You will not have long to wait but I cannot give an exact date.

-{ Quote: "VaMPiRiC_CRoW This new version will have a free version too? " }-

Yes, there will be a new free trial version. :)

Infinity
September 11th, 2004, 05:14 AM
Thank you so much already Pilli :)

KoreaBoy
September 15th, 2004, 06:04 PM
Can't you let us licenced users access the beta version ;) ?

Pilli
September 15th, 2004, 06:17 PM
Hi korea boy, Not sure if there is going to be a public beta.
You may get a response from DCS regarding this in just a few hours, when Perth starts work in the morning. :)

Atomas31
September 15th, 2004, 07:26 PM
Hi Pilli,

Last week, staff from DCS told me that the new version should be ready in two weeks. That means that PG 3.0 should be out at the latest next week, shouldn't it?

Can you or someone from DCS still confirm that the new version will be out before the end of next week?

Thanks,
Atomas31

Jason_DiamondCS
September 15th, 2004, 11:11 PM
We hope to have a public beta for licensed registered users for this week.

nick s
September 15th, 2004, 11:14 PM
-{ Quote: "We hope to have a public beta for licensed registered users for this week." }-
Good news.

Nick

Starrob
September 16th, 2004, 02:36 AM
I can't wait to get version 3. PG is one of the best security programs out there. PG and Port Explorer are my favorite DCS programs and the most useful for me.



Starrob

dallen
September 16th, 2004, 01:17 PM
-{ Quote: "We hope to have a public beta for licensed registered users for this week." }-
Jason_DiamondCS,
I just wanted to thank you for this information. I have been adamant about voicing my dissatisfaction with Diamond CS' communication policy regarding communication with customers. I think this is a step in the right direction. Thank you.

Atomas31
September 16th, 2004, 01:25 PM
That's good news, 'cause that means we only have less than 24 hours to wait since it is already Thursday :-)))

Can't wait to finally have a paid version of PG that actually works correctly on my system! WOW!!!!

Thank you Jason for your information,
Atomas31

Atomas31
September 16th, 2004, 02:57 PM
Hi Jason,

By the way, when you say "We hope to have a public beta for licensed registered users for this week.", how would licensed registered users (like me) know when the new version is out? Will I receive an email telling me that a new version can be downloaded at the DCS website, or else, how will I know when it is out????

Thank you for your answers,
Atomas31

Pilli
September 16th, 2004, 03:12 PM
Hi Atom, Usually Jason will post a new thread here with download and installation instructions regarding the public beta.

On full release, licenced ops usually receive an email informing them of the update.

HTH Pilli

docfleetwood
September 16th, 2004, 04:32 PM
<<That's a good news, cause that means we only have less than 24 hours to wait since we are, all ready, Thursday :-)))>>

Whoa, easy there big guy :)

Apparently you do not understand "Australia time". This week means, er, uhh, well, quite frankly no one knows what it means.

In the Port Explorer forum you can note Jason saying "Ok I have fixed this for the next version which will be out in a day or so." This was on September 1st. Nothing yet.

But I guess wrong news is better than no news, eh ???

docfleetwood

Atomas31
September 16th, 2004, 08:10 PM
Apparently you do not understand "Australia time". This week means, er, uhh, well, quite frankly no one knows what it means.

Ha! Ha! Ha! Good one Docfleetwood!

But hey, if we don't have hope, what do we have!!!

Atomas31

Wayne - DiamondCS
September 16th, 2004, 11:00 PM
A public beta will be available at about ~5:30pm Perth time (GMT 8+) on Monday, but only to registered members (but it's not too late to register (http://www.diamondcs.com.au/processguard/index.php?page=purchase)) :)

Jason_DiamondCS
September 16th, 2004, 11:07 PM
-{ Quote: "Hi Jason,

By the way, when you say "We hope to have a public beta for licensed registered users for this week.", how would licensed registered users (like me) know when the new version is out? Will I receive an email telling me that a new version can be downloaded at the DCS website, or else, how will I know when it is out????

Thank you for your answers,
Atomas31" }-

Well it is now definitely a Monday, our time, which could be Sunday night for the majority of users. A few small things popped up which made it impossible to release it on Friday, however they aren't big issues and will be solved easily.

You will have to know by checking either this forum or the members area where it will be placed. We don't make public announcements through email regarding public betas. We also won't be placing any news on the non-members area of the site, only in the forum and in the members area.

tuatara
September 17th, 2004, 06:05 AM
Yes !! !!!, I'll sleep extra on Saturday and will be here on Sunday Night ..
With popcorn ... and lots of coffee ...

;)

Mr.Blaze
September 18th, 2004, 03:46 AM
>:( F@#$ THAT I WANT MINE NOWWWWWWWWWWWWW

OK EVERYONE LET'S GO IN HOT AND HEAVY

Mission: get ahold of the new PG before Monday mawhaaaaaaaaaaa

Pilli
September 18th, 2004, 03:56 AM
Blazie, Just watch out for the VERY big dog on the gate. Oh and NO back doors ;)

You will also be pleased to know that PG3 is much more newbie friendly -

What a teaser ;D

Mr.Blaze
September 18th, 2004, 03:59 AM
:o Pilli has PG 3 :D get himmmmmmmmmmmmmmm!!!!!!!!!!!!!!!!!!!!

Notok
September 18th, 2004, 04:32 AM
Hmm.. I hope TDS is ready for the onslaught of support requests by hordes of already anxious users jacked up on espresso madly doing everything wrong in a flurry of sleep-deprived mania..

worldcitizen
September 18th, 2004, 08:29 AM
When is the full version of PG to be released? A public beta is mainly to iron out any bugs not found or which slipped through the testers but doesn't constitute the new version. How long will it be beta before we get the complete new version? A beta is ok for those who love to play around but I'd prefer not to risk using beta software so when does DCS anticipate a full release because that's what I'm waiting for?

Dave

Pilli
September 18th, 2004, 08:43 AM
Hi Worldcitizen, The beta is more a Release candidate than a true beta.
Usually DCS do not wait long once a public RC release is made unless there are major issues which I doubt there will be.

Bowserman
September 18th, 2004, 09:02 AM
-{ Quote: "When is the full version of PG to be released? A public beta is mainly to iron out any bugs not found or which slipped through the testers but doesn't constitute the new version. How long will it be beta before we get the complete new version? A beta is ok for those who love to play around but I'd prefer not to risk using beta software so when does DCS anticipate a full release because that's what I'm waiting for?

Dave" }-


Hi Dave.

Like Pilli said, DCS will not take long to release a "non-public-Beta" PG version once this Public Beta has been tested - unless there are any probs of course, which is unlikely I think :).

It is just the last "test" before the proper release as there are so many different individual computer set-ups.

It will be well worth your wait though Dave...running purrrrfectly here :)


Regards,
Jade.

Starrob
September 18th, 2004, 12:22 PM
Is PROCESSGUARD V3 compatible with both SP1 and SP2? Or is it an update for SP2 only?



Starrob

Pilli
September 18th, 2004, 12:40 PM
Hi Starrob, It is a complete new version and is compatible with all versions of windows from W2K up.

Mr.Blaze
September 18th, 2004, 02:41 PM
8) thud hit pilli on head grab chair tie him up drag pilli to basement

where's your stash of pg-3

oic won't answer

blaze pop in video tape of barney the dinosaur

see you in an hour lol

he will talk blaze go upstairs close basement door

Infinity
September 18th, 2004, 02:49 PM
one mississippi , two mississippi, three mississippi, :)

Paranoid2000
September 18th, 2004, 03:50 PM
-{ Quote: "...blaze pop in video tape of barney the dinosaur..." }-Hmm...looks like someone's been reading the wrong news stories (http://news.bbc.co.uk/1/hi/world/middle_east/3042907.stm).

luccamthu
September 18th, 2004, 04:34 PM
How may DCS users download and try the beta version of PG3 and the like? I am very interested in trying it over my fully licensed PG2 (existing vul. - I am kind of a paranoid internet user)
TIA

Bowserman
September 18th, 2004, 05:43 PM
-{ Quote: "How may DCS users download and try the beta version of PG3 and the like? I am very interested in trying it over my fully licensed PG2 (existing vul. - I am kind of a paranoid internet user)
TIA" }-

Hi luccamthu.

Have a read of Wayne's earlier post here (http://www.wilderssecurity.com/showpost.php?p=258838&postcount=17).


Regards,
Jade.

Khaine
September 19th, 2004, 06:54 AM
When (if :P) the beta is released tomorrow, would some kind soul post some screenshots of the new user interface and new features?


Thanks

Pilli
September 19th, 2004, 08:13 AM
No problem Khaine ;D

Mr.Blaze
September 19th, 2004, 07:56 PM
8) IS PG COMING OUT TONIGHT? I LIVE IN WASHINGTON, USA

WHAT TIME CAN I GET IT

Khaine
September 19th, 2004, 09:41 PM
Thanks Pilli :)

As I have no desire to load more beta software onto my laptop.

worldcitizen
September 19th, 2004, 10:00 PM
The last time I installed beta software it crashed my pc and corrupted my hard drive and it took me days to get online again so thanks but no thanks. I'll let you guys play around with this and wait for the full release.

Dave

Devinco
September 19th, 2004, 10:25 PM
Process Guard, Firefox, and Thunderbird are the few betas that I am willing to try. Other companies rush out alphas as final versions and let the end users suffer and find all the bugs for them. DCS will provide a real beta. I will let you know how it works.

Just make a backup image. I did that before SP2. No risk that way.

Starrob
September 19th, 2004, 10:27 PM
When V3 does come out will we have to uninstall V2?

Also, will we have to re-enter our preferences? or will preferences (i.e. processes to protect) have to be entered from scratch?



Starrob

Mr.Blaze
September 19th, 2004, 10:57 PM
8) All cowards

8) Blaze shall step forward "hold up can i get that trench coat blowing against the wind effect?"

ok thx

I blaze shall test the beta bring it on


i know no fear i will pee against the wind

Devinco
September 19th, 2004, 11:06 PM
-{ Quote: "i know no fear i will pee against the wind" }-
Then I take it Mr. Blaze, you will be wearing one of those yellow rainproof trench coats? ;D

Mr.Blaze
September 19th, 2004, 11:34 PM
8) damn skippy lol

puff-m-d
September 19th, 2004, 11:38 PM
:o ;D ;) 8)

Mr.Blaze
September 19th, 2004, 11:52 PM
;D galvin on lol let's hit him up for PG3 lol

Jason_DiamondCS
September 19th, 2004, 11:52 PM
Yes you will need to remove Process Guard v2.0 before installation.

The reason you have to always uninstall any version of Process Guard prior to installing a new version is due to how much security Process Guard has. There is no way the installer can upgrade Process Guard if an old version is there, protecting itself.

There will be no PGv2.0 converters to PGv3.0 for your protection lists. The new learning mode in Process Guard allows you to easily set up your system, so it isn't as big a problem as earlier versions.

Notok
September 19th, 2004, 11:56 PM
Are we there yet?

Devinco
September 19th, 2004, 11:58 PM
It's like New Year's eve. LOL

Everybody is waiting for the ball in New York (in this case Perth) to drop. ;D

Jason_DiamondCS
September 20th, 2004, 12:02 AM
About 3-5 hours from now, roughly. By that time I guess a lot of you will be in bed. :)

Mr.Blaze
September 20th, 2004, 12:07 AM
LOL YES IT IS

Notok
September 20th, 2004, 12:08 AM
We can all listen to Clyde Lewis in the meantime http://www.clydelewis.com/

Mr.Blaze
September 20th, 2004, 12:28 AM
;D OR WE CAN SPY ON WAYNE THROUGH HIS WEBCAM

8) Hacking

8) hacking...

damn lot of security hacking... grrrrrrrrrrrrrr

hold up i think i got it...

ok a picture is coming through

tell me if you can make it out...

Mr.Blaze
September 20th, 2004, 12:32 AM
:o he has been hogging TDS 4 all this time for himself

Devinco
September 20th, 2004, 12:52 AM
ROFL ;D ;D

Jason_DiamondCS
September 20th, 2004, 01:45 AM
I have just updated the members area for Process Guard registered users to now show your unlock code for the beta.

If you want to verify that you do have an unlock code in there that would be great, but don't post your unlock code anywhere, it is basically your new license and contains your personal information. Any BETA unlock codes which are made public will be removed from the database, effectively voiding your Process Guard license.

*edit* You may also notice once you use your unlock code in the program that the license type shown may be incorrect if you have a business license. This will be changed in later builds.

Mr.Blaze
September 20th, 2004, 02:00 AM
I SEE UNLOCK CODE BUT NO PG3 IT SAYS IN 3 HOURS OR SO

Infinity
September 20th, 2004, 02:44 AM
Is this beta workable?? Are there any known issues with this one? And was the first an alpha release??

Thanx in advance

Jason_DiamondCS
September 20th, 2004, 02:48 AM
Well personally, if I had to choose between ProcessGuard v2.0 and this BETA v3.0 to use on my system, it would be the BETA. Even though it is a "BETA" (ie. unfinished) it is a lot better than ProcessGuard v2.0 in every aspect. That includes stability, usability and functionality. :)

I'm sure the official beta testers would agree with this.

Mr.Blaze
September 20th, 2004, 02:54 AM
Is it out yet? All I see is a damn long code

Bowserman
September 20th, 2004, 02:55 AM
Yep :). Stability is definitely great, usability is much nicer now and well, functionality is superb here.

Regards,
Jade.

Devinco
September 20th, 2004, 02:59 AM
The natives are getting restless!

We want Process Guard 3!!

Khaine
September 20th, 2004, 02:59 AM
So is there any reason why you guys are moving to unlock codes, and away from keyfiles?

panacea
September 20th, 2004, 03:02 AM
Will the new Process Guard 3.0 cost $25 US dollars? Or more? And will I have to pay for updates? Thanks.

Khaine
September 20th, 2004, 03:04 AM
-{ Quote: "Process Guard, Firefox, and Thunderbird are the few betas that I am willing to try. Other companies rush out alphas as final versions and let the end users suffer and find all the bugs for them. DCS will provide a real beta. I will let you know how it works.

Just make a backup image. I did that before SP2. No risk that way." }-

Yeah I use Thunderbird, and Firefox but they are based on very mature code in the Gecko trunk and so are less beta than other software.

The only other beta I am running at the moment is Adobe Acrobat Reader 7, which is miles better than version 6.

Pilli
September 20th, 2004, 03:06 AM
Not long to wait, I have had PG3 working fine on XP pro SP2 - This PC, my laptop with SP2 and Server 2003.
Looking forward to the new public beta ... ;D

Jason_DiamondCS
September 20th, 2004, 03:12 AM
I think the price for v3.000 is going to be raised to $29.95 or thereabouts once it is finally released (after the beta testing has finished).

We are using unlock codes now instead of keyfiles due to the inherent problems in sending keyfiles to people. A lot of ISPs are blocking email file attachments, etc, so it is just so we can make things more transparent for the people who purchase our software. :)

Khaine
September 20th, 2004, 03:19 AM
One small thing I noticed on the members page

-{ Quote: "If you need to email us about your Process Guard keyfile (procguard.pkf) or any other issue use this email address :- jason@diamondcs.com.au
We will quickly respond to all emails during working hours." }-

the email address jason@diamondcs.com.au has a mailto link of :

mailto:support@diamondcs.com.au

Jason_DiamondCS
September 20th, 2004, 03:27 AM
-{ Quote: "One small thing I noticed on the members page



the email address jason@diamondcs.com.au has a mailto link of :

mailto:support@diamondcs.com.au" }-

Well you have the best of both worlds that way. :D

I will change that, thanks for pointing it out.

Khaine
September 20th, 2004, 03:32 AM
No problem :)

Mr.Blaze
September 20th, 2004, 03:34 AM
:o >:( what the hell no no no

look i love dcs company do not i repeat do not use unlock codes

pirates have been waiting for dcs company to make that mistake since Damn last cracked your protection

the key files are the only way to go

dcs you may know a lot about security but when it comes to illegal stuff kinda naive if you go to unlock codes

you do that and every damn pirate will have all your programs out on a server with key gens

they have not been able to crack the keyfile nor want to because it's a pain in the ass

but if you go unlock code your bandwidth will be stolen as thousands of pirates link your products and servers on their website with a keygen next to it

let's not forget boclean that will look like a day in the park

your software is well known and they been waiting in the dark for a mistake like that

just put the keyfile in zip folders most pc can handle unzipping

Jason_DiamondCS
September 20th, 2004, 03:39 AM
Pirates can crack anything Blaze. The new unlock codes have at least the same amount of protection as our keyfiles. Except now it is easier to store the "license" for everyone.

Mr.Blaze
September 20th, 2004, 03:52 AM
OH REALLY JASON THEN YOU MIND TELLING ME WHY THE KEYFILES HAVEN'T BEEN CRACKED FOR OVER 3 YEARS SINCE DAMN one of the most legendary crackers of all time?

you take ucf and paradox and a few big major players and still to this day they haven't messed with DCS

jason you may be god of malware and trojans but Blaze is Kevin Mitnick of that darkside of cyberspace

you use unlock codes and you will see a plague of crackers and hacked keys unlike the world has seen.

DCS is like the honey pot for crackers it's the sweet spot of a righteous crack

Damn was the only one that could do it

and after your last upgrade to the keyfiles he stopped he just wanted to prove it could be done

no one since then has come close
so it's up to you guys but in this field i know what i'm talking about

Khaine
September 20th, 2004, 04:06 AM
Jason is right, keyfiles can be cracked just as easily as keys. Diamondcs is lucky in that it is small and most (if not all) pirating groups don't bother with its software.

Simply put, any security protections, whether DRM, keyfiles or CD-Keys, can all be broken.

Mr.Blaze
September 20th, 2004, 04:08 AM
You know this reminds me of a story long long time ago.

It was before windows xp came out

actually it was called by a different name back in my day

anyways microsoft invited a guy over to talk about a security issue with whistler i think that was the name for xp

so they want to know about the security problems with xp

the guy goes through every problem and then he tells them how to fix it

one of the microsoft guys says this i **** you not

why put security on it if a hacker wants in your pc bad enough why bother

security consultant almost falls out of his seat

he can't believe these top programmers and microsoft people are agreeing with this guy not to fix the bugs

he flat out says because do you want to leave your car doors unlocked and the key in your car's ignition with a sign on it saying steal me.

he argued with them tried to make them see the light

years later how many patches and service packs for xp are out there a **** load

this is a true story

if i told you the guy's name you security guys would know who I'm talking about and your mouths would drop

this is a true story i may have got names wrong but it happened.

so that if a cracker wants to crack it bad enough attitude is what this reminds me of lol

do you really want to go that route

Mr.Blaze
September 20th, 2004, 04:15 AM
yeah there were a few keyfiles to other programs cracked because of weak encryption

as for dcs being too small of a company they don't bother well you're outright wrong

pirates nowadays go even after donation software with keys i'm talking 5 dollar software

they don't discriminate lol

anyone who pirates knows dcs software as being the best software

everyone there like at the hentai boards knows what tds is

Jason_DiamondCS
September 20th, 2004, 04:17 AM
Blaze, if you take a look at how long the unlock code is, you will realize it is quite substantial. Now tell me, does it matter if the "data" in the license is given as text, or stored in a file? :)

Hackers will never be able to make a key that we ourselves will be fooled by. There is protection in the key which is unbreakable for this particular aspect. That is our biggest problem, and we have solved it.

Mr.Blaze
September 20th, 2004, 04:25 AM
yeah i seen the key it might be a little longer than hyper snap dx 5 lol but ehhhhhhh

it's your guys' company i know i can't spell and i know a lot of you don't think i'm sharpest tool

but in this field i'm i don't know reasonably knowledgeable i like to think

but ok sigh

:(

Khaine
September 20th, 2004, 04:30 AM
-{ Quote: "Blaze, if you take a look at how long the unlock code is, you will realize it is quite substantial. Now tell me, does it matter if the "data" in the license is given as text, or stored in a file? :)

Hackers will never be able to make a key that we ourselves will be fooled by. There is protection in the key which is unbreakable for this particular aspect. That is our biggest problem, and we have solved it." }-

Have you seen how long the Alcohol 120% unlock code is ?

tuatara
September 20th, 2004, 04:37 AM
@Mr Blaze ...

Don't keep DCS off their work, i am waiting all night
for the link to download V3 and i have drunk 50 Liters of coffee

let them work, the only thing left to do is to make the Beta available.

:-\

Khaine
September 20th, 2004, 04:40 AM
One Question about the Beta

Will previous versions pguard.dat files be compatible ?

Mr.Blaze
September 20th, 2004, 04:52 AM
;D LOL Alcohol 120% I'M SURPRISED THEY'RE NOT BANKRUPT YET FROM ALL THE BANDWIDTH STEALING AND PIRATING LOL

Yeah i guess it don't matter i just like dcs like i liked kevin and nancy except they listened hmmmmmmmmm

sometimes the very young do not listen

blaze stroll over to tenford

Pilli
September 20th, 2004, 04:55 AM
Hi Khaine, I would advise complete uninstall including the .dat files, the new learning mode goes a long way to solving the pain IMHO :)

Khaine
September 20th, 2004, 05:02 AM
Ok thanks Pilli :-)

I plan to wait until the final version is released. So I really want to see some screenshots of the new features and gui

Gavin - DiamondCS
September 20th, 2004, 05:15 AM
I recommend you DON'T wait, it's worth updating right NOW :) Plus you could give us some valuable feedback..

Old PGUARD.DAT and PGHASH.DAT files are NOT compatible, but the enhanced learning mode can set up everything for you. Choose your protection level, run your system in Learning mode and it will set itself up ;)

Khaine
September 20th, 2004, 05:21 AM
-{ Quote: "I recommend you DON'T wait, it's worth updating right NOW :) Plus you could give us some valuable feedback..
" }-

You talked me into it

Wish me luck :)

I'll post some screenshots for all you people wanting to see the new features

Notok
September 20th, 2004, 05:30 AM
Looks really good, has a more "solid feel" to it, faster, much easier to change protection options, overall great! :)

Only a couple minor things come to mind after using it a whole 10 mins; changeable color schemes like the last version (another option besides pastel pink and purple... please... ;D ), a right click menu, and automatic scrolling on the alerts window.

Is there no more human verification dialog and "disabled" tray icon?

Mr.Blaze
September 20th, 2004, 05:39 AM
8) Clean uninstall
reboot

clean install
reboot

registration of product just copy and paste but it's a bit trippy as the key inserted places the registration in a layout different than the one in your notepad from left to right to middle

The interface is clean easy to understand check

The interface is cool in a nonchalant way check

The interface is extremely newbie friendly check

bug 1 pg went to task bar like normal i went to look in it closed it afterwards with x did not return to task bar

bug 2 called pg 3 out worked went to minimize - but did not disappear no confirmation code required for change

bug 3 can't call pg 3 out no more interface will not display

i am on celeron 700 mhz 120 gig ext hd 80 gig int hd 20 gig intr hd
gateway essential pc 512 sd ram

All dcs products zap nav 2002 system works juno 7

does pg protection work if not on task bar

or did you put the hide icon feature i requested where pg is on start up but no icon needed on system tray?

pg still can't be called out

Mr.Blaze
September 20th, 2004, 05:49 AM
8) pgaccount on start up
processguard on start up

two new things on start up?

this usually means longer to start up

i was shocked not to see code confirmations nor an options menu for how to handle start ups

process guard not working no more it is in the process section but no cpu usage 00

i also see exec.exe 00 cpu exec.exe 00 cpu

Mr.Blaze
September 20th, 2004, 05:52 AM
rebooting to see if pg3 is working looked like it crashed but does not affect the pc

crashing bad but not affecting the pc that's a good thing

Starrob
September 20th, 2004, 06:15 AM
I have a question: is there any reason to allow any program to access the physical memory? For instance...should I allow antivirus programs or AT programs like TDS-3 to access physical memory or is that not necessary?

The program looks good. Looks like there might be a few minor issues but I will know that over the next few days. On my second reboot...the program would not initialize at first. I was getting ready to uninstall and re-install again but first I clicked on the program again and it was running.....sort of a delayed effect.

We will see how it plays out.



Starrob

frogfoot
September 20th, 2004, 06:16 AM
Some initial observations from me.

1) Block Global hooks seems to work better on my system. My Wacom Tablet now works when I allow the process 'Allow global hooks' priv. (It didn't work previously)

2) After the initial install, I disabled Learning mode (no check in box), and applied the changes. However when I run new programs they are allowed to run (no confirmation box). It seems that Learning mode is stuck on!
I then rebooted and things seemed better. But after a few minutes I am getting no prompts.

3) Closed message handling still not working on my system. I gave Agnitum Outpost the 'Securely handle Closing' option and then tried to close it. A verification dialogue popped up. I pressed Cancel (without typing the verification string in). A second verification window was displayed, I pressed Cancel again and Outpost closed.
I would not expect a second verification window after pressing cancel and would certainly not expect the application to close.

4) Assuming that the CMH will work as expected, when I shut down the system it is annoying to have to enter the verification string for all protected apps. Is it possible to give winlogon the privs to shut down the protected apps without a verification window (i.e. give Winlogon Terminate privs), and is this safe?

5) Disabling all protection in the main window (clearing the 'Enable Protection' box) does not prompt for a verification dialogue box, is this correct?
Thanks
Tom

Mr.Blaze
September 20th, 2004, 06:18 AM
2:55am pg is on task bar again
right-click on icon just as i suspected no start up or hide icon option or exit
turn on zap turn on juno accessing internet
currently 4 icons on system tray
process guard nav juno zap

3:02 am processguard pop up
svchost.exe
generic host process for win 32 services
folder c\system32\ folder

process guard pop up for hypersnap lol
trying to take pic of first pop up

not good i seem to be getting a lot of these pop ups

seems to be a cross between boclean's exclude function just nicer design and a firewall
these pop ups freeze every program until you either deny or permit the application

this will be hard on newbies

since there's no toggle switch i have moved this up to intermediate status
not a beginner application but the interface is easy and newbie friendly

but its other features can be hard on a beginner

Pilli
September 20th, 2004, 06:25 AM
Frog foot. I assume as it is your firewall that it was running when you tried CMH?
Close message handling needs to be enabled when the program is not running, once running the file pguard.dll should be injected into the process allowing CMH to work properly

Mr.Blaze
September 20th, 2004, 06:26 AM
---Process Guard Log Started---
Mon 20 - 02:11:55 [EXECUTION] "c:\windows\system32\psdrvcheck.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1388]
[EXECUTION] Commandline - [ "c:\windows\system32\psdrvcheck.exe" -checkreg ]
Mon 20 - 02:11:57 [EXECUTION] "c:\progra~1\maxtor\onetouch\utils\onetouch.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1388]
[EXECUTION] Commandline - [ "c:\progra~1\maxtor\onetouch\utils\onetouch.exe" ]
Mon 20 - 02:11:57 [EXECUTION] "c:\progra~1\common~1\symant~1\script~1\sbserv.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [676]
[EXECUTION] Commandline - [ c:\progra~1\common~1\symant~1\script~1\sbserv.exe ]
Mon 20 - 02:11:58 [EXECUTION] "c:\windows\mxoaldr.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1388]
[EXECUTION] Commandline - [ "c:\windows\mxoaldr.exe" ]
Mon 20 - 02:11:59 [EXECUTION] "c:\program files\photodex\proshowgold\scsiaccess.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [676]
[EXECUTION] Commandline - [ "c:\program files\photodex\proshowgold\scsiaccess.exe" ]
Mon 20 - 02:11:59 [EXECUTION] "c:\god's shild\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1388]
[EXECUTION] Commandline - [ "c:\god's shild\processguard\pgaccount.exe" ]
Mon 20 - 02:12:00 [EXECUTION] "c:\progra~1\norton~1\speedd~1\nopdb.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [676]
[EXECUTION] Commandline - [ c:\progra~1\norton~1\speedd~1\nopdb.exe ]
Mon 20 - 02:12:00 [EXECUTION] "c:\program files\common files\ulead systems\dvd\ulcdrsvr.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [676]
[EXECUTION] Commandline - [ "c:\program files\common files\ulead systems\dvd\ulcdrsvr.exe" ]
Mon 20 - 02:12:01 [EXECUTION] "c:\windows\system32\wdfmgr.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [676]
[EXECUTION] Commandline - [ c:\windows\system32\wdfmgr.exe ]
Mon 20 - 02:12:02 [EXECUTION] "c:\god's shild\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1388]
[EXECUTION] Commandline - [ "c:\god's shild\processguard\procguard.exe" -minimize ]
Mon 20 - 02:12:02 [EXECUTION] "c:\program files\hhvcdv5sys\vc5secs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [676]
[EXECUTION] Commandline - [ "c:\program files\hhvcdv5sys\vc5secs.exe" ]
Mon 20 - 02:12:03 [EXECUTION] "c:\program files\hhvcdv6sys\vc6secs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [676]
[EXECUTION] Commandline - [ "c:\program files\hhvcdv6sys\vc6secs.exe" ]
Mon 20 - 02:12:08 [EXECUTION] "c:\windows\wanmpsvc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [676]
[EXECUTION] Commandline - [ "c:\windows\wanmpsvc.exe" ]
Mon 20 - 02:12:10 [EXECUTION] "c:\program files\virtual cd v6 fs\system\vc6fserv.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [676]
[EXECUTION] Commandline - [ "c:\program files\virtual cd v6 fs\system\vc6fserv.exe" ]
Mon 20 - 02:12:17 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [676]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Mon 20 - 02:12:19 [EXECUTION] "c:\program files\common files\symantec shared\ccpwdsvc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [676]
[EXECUTION] Commandline - [ "c:\program files\common files\symantec shared\ccpwdsvc.exe" ]
Mon 20 - 02:12:20 [EXECUTION] "c:\windows\system32\alg.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [676]
[EXECUTION] Commandline - [ c:\windows\system32\alg.exe ]
Mon 20 - 02:12:22 [EXECUTION] "c:\windows\regedit.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\symantec shared\ccpwdsvc.exe" [2084]
[EXECUTION] Commandline - [ regedit.exe /e "c:\program files\common files\symantec shared\ccreg.dat" "hkey_local_machine\software\symantec\ccreg" ]
Mon 20 - 02:12:35 [EXECUTION] "c:\windows\regedit.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\symantec shared\ccpwdsvc.exe" [2084]
[EXECUTION] Commandline - [ regedit.exe /e "c:\program files\common files\symantec shared\commonclient.dat" "hkey_local_machine\software\symantec\commonclient" ]
Mon 20 - 02:12:43 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1388]
[EXECUTION] Commandline - [ "c:\windows\system32\notepad.exe" c:\documents and settings\god\desktop\processguard v3.0.txt ]
Mon 20 - 02:13:06 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1024]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[400]susdsf34599a511888a4caac2ee6ae87cf365 ]
Mon 20 - 02:14:43 [EXECUTION] "c:\program files\zone labs\zonealarm\zlclient.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1388]
[EXECUTION] Commandline - [ "c:\program files\zone labs\zonealarm\zlclient.exe" ]
Mon 20 - 02:14:56 [EXECUTION] "c:\windows\system32\zonelabs\vsmon.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [676]
[EXECUTION] Commandline - [ c:\windows\system32\zonelabs\vsmon.exe -service ]
Mon 20 - 02:15:46 [EXECUTION] "c:\program files\juno\exec.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1388]
[EXECUTION] Commandline - [ "c:\program files\juno\exec.exe" ]
Mon 20 - 02:15:51 [EXECUTION] "c:\program files\juno\exec.exe" was allowed to run
[EXECUTION] Started by "c:\program files\juno\exec.exe" [2820]
[EXECUTION] Commandline - [ exec 95db625hsjl ]
Mon 20 - 02:16:44 [EXECUTION] "c:\god's shild\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1388]
[EXECUTION] Commandline - [ "c:\god's shild\processguard\procguard.exe" ]
Mon 20 - 02:17:14 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\program files\juno\exec.exe" [2832]
[EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" -nohome "http://my.juno.com/s/sp?r=al&cf=sp&mem=yourblazey&key=5f01e12aafecc718161f8efd83fbfd20&ts=414ea0b8&a=353309640000699&b=1073289600000&c=1044345600000&d=0&i=7.jh4&n=pl&o=i" ]
Mon 20 - 02:18:22 [EXECUTION] "c:\god's shild\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1388]
[EXECUTION] Commandline - [ "c:\god's shild\processguard\procguard.exe" ]
Mon 20 - 02:19:00 [EXECUTION] "c:\god's shild\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1388]
[EXECUTION] Commandline - [ "c:\god's shild\processguard\procguard.exe" ]
Mon 20 - 02:19:39 [EXECUTION] "c:\program files\microsoft money\system\urlmap.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [940]
[EXECUTION] Commandline - [ "c:\program files\microsoft money\system\urlmap.exe" -embedding ]
Mon 20 - 02:28:13 [EXECUTION] "c:\god's shild\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1388]
[EXECUTION] Commandline - [ "c:\god's shild\processguard\procguard.exe" ]
Mon 20 - 02:34:38 [EXECUTION] "c:\windows\system32\taskmgr.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [632]
[EXECUTION] Commandline - [ taskmgr.exe ]
Mon 20 - 02:36:48 [EXECUTION] "c:\program files\microsoft money\system\urlmap.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [940]
[EXECUTION] Commandline - [ "c:\program files\microsoft money\system\urlmap.exe" -embedding ]
Mon 20 - 02:38:06 [EXECUTION] "c:\god's shild\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1388]
[EXECUTION] Commandline - [ "c:\god's shild\processguard\procguard.exe" ]
Mon 20 - 02:38:37 [EXECUTION] "c:\windows\pchealth\helpctr\binaries\msconfig.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1388]
[EXECUTION] Commandline - [ "c:\windows\pchealth\helpctr\binaries\msconfig.exe" ]
Mon 20 - 02:39:31 [EXECUTION] "c:\program files\microsoft money\system\urlmap.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [940]
[EXECUTION] Commandline - [ "c:\program files\microsoft money\system\urlmap.exe" -embedding ]
Mon 20 - 02:42:55 [EXECUTION] "c:\windows\system32\taskmgr.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [632]
[EXECUTION] Commandline - [ taskmgr.exe ]
Mon 20 - 02:46:10 [EXECUTION] "c:\windows\system32\taskmgr.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [632]
[EXECUTION] Commandline - [ taskmgr.exe ]
Mon 20 - 02:47:26 [EXECUTION] "c:\god's shild\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1388]
[EXECUTION] Commandline - [ "c:\god's shild\processguard\procguard.exe" ]
Mon 20 - 02:47:29 [EXECUTION] "c:\program files\microsoft money\system\urlmap.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [940]
[EXECUTION] Commandline - [ "c:\program files\microsoft money\system\urlmap.exe" -embedding ]
Mon 20 - 02:48:48 [EXECUTION] "c:\program files\microsoft money\system\urlmap.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [940]
[EXECUTION] Commandline - [ "c:\program files\microsoft money\system\urlmap.exe" -embedding ]
Mon 20 - 02:50:32 [EXECUTION] "c:\program files\microsoft money\system\urlmap.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [940]
[EXECUTION] Commandline - [ "c:\program files\microsoft money\system\urlmap.exe" -embedding ]
Mon 20 - 02:51:19 [EXECUTION] "c:\windows\system32\logonui.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [632]
[EXECUTION] Commandline - [ logonui.exe /status /shutdown ]
Mon 20 - 02:51:50 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1024]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[400]susds9326e837ee113841900363853cc41e5f ]

---Process Guard Log Started---
Mon 20 - 02:53:30 [EXECUTION] "c:\program files\dantz\retrospect\retrorun.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [680]
[EXECUTION] Commandline - [ "c:\program files\dantz\retrospect\retrorun.exe" ]
Mon 20 - 02:53:32 [EXECUTION] "c:\program files\maxtor\onetouch\utils\onetouch.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1376]
[EXECUTION] Commandline - [ "c:\progra~1\maxtor\onetouch\utils\onetouch.exe" ]
Mon 20 - 02:53:33 [EXECUTION] "c:\windows\mxoaldr.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1376]
[EXECUTION] Commandline - [ "c:\windows\mxoaldr.exe" ]
Mon 20 - 02:53:34 [EXECUTION] "c:\god's shild\processguard\pgaccount.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1376]
[EXECUTION] Commandline - [ "c:\god's shild\processguard\pgaccount.exe" ]
Mon 20 - 02:53:35 [EXECUTION] "c:\program files\common files\symantec shared\script blocking\sbserv.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [680]
[EXECUTION] Commandline - [ c:\progra~1\common~1\symant~1\script~1\sbserv.exe ]
Mon 20 - 02:53:35 [EXECUTION] "c:\program files\photodex\proshowgold\scsiaccess.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [680]
[EXECUTION] Commandline - [ "c:\program files\photodex\proshowgold\scsiaccess.exe" ]
Mon 20 - 02:53:36 [EXECUTION] "c:\program files\norton systemworks\speed disk\nopdb.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [680]
[EXECUTION] Commandline - [ c:\progra~1\norton~1\speedd~1\nopdb.exe ]
Mon 20 - 02:53:37 [EXECUTION] "c:\program files\common files\ulead systems\dvd\ulcdrsvr.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [680]
[EXECUTION] Commandline - [ "c:\program files\common files\ulead systems\dvd\ulcdrsvr.exe" ]
Mon 20 - 02:53:38 [EXECUTION] "c:\god's shild\processguard\procguard.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1376]
[EXECUTION] Commandline - [ "c:\god's shild\processguard\procguard.exe" -minimize ]
Mon 20 - 02:53:38 [EXECUTION] "c:\windows\system32\wdfmgr.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [680]
[EXECUTION] Commandline - [ c:\windows\system32\wdfmgr.exe ]
Mon 20 - 02:53:38 [EXECUTION] "c:\program files\hhvcdv5sys\vc5secs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [680]
[EXECUTION] Commandline - [ "c:\program files\hhvcdv5sys\vc5secs.exe" ]
Mon 20 - 02:53:39 [EXECUTION] "c:\program files\hhvcdv6sys\vc6secs.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [680]
[EXECUTION] Commandline - [ "c:\program files\hhvcdv6sys\vc6secs.exe" ]
Mon 20 - 02:53:45 [EXECUTION] "c:\windows\wanmpsvc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [680]
[EXECUTION] Commandline - [ "c:\windows\wanmpsvc.exe" ]
Mon 20 - 02:53:47 [EXECUTION] "c:\program files\virtual cd v6 fs\system\vc6fserv.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [680]
[EXECUTION] Commandline - [ "c:\program files\virtual cd v6 fs\system\vc6fserv.exe" ]
Mon 20 - 02:53:54 [EXECUTION] "c:\windows\system32\imapi.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [680]
[EXECUTION] Commandline - [ c:\windows\system32\imapi.exe ]
Mon 20 - 02:53:55 [EXECUTION] "c:\program files\common files\symantec shared\ccpwdsvc.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [680]
[EXECUTION] Commandline - [ "c:\program files\common files\symantec shared\ccpwdsvc.exe" ]
Mon 20 - 02:53:56 [EXECUTION] "c:\windows\system32\alg.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [680]
[EXECUTION] Commandline - [ c:\windows\system32\alg.exe ]
Mon 20 - 02:53:58 [EXECUTION] "c:\windows\regedit.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\symantec shared\ccpwdsvc.exe" [2088]
[EXECUTION] Commandline - [ regedit.exe /e "c:\program files\common files\symantec shared\ccreg.dat" "hkey_local_machine\software\symantec\ccreg" ]
Mon 20 - 02:54:16 [EXECUTION] "c:\windows\regedit.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\symantec shared\ccpwdsvc.exe" [2088]
[EXECUTION] Commandline - [ regedit.exe /e "c:\program files\common files\symantec shared\commonclient.dat" "hkey_local_machine\software\symantec\commonclient" ]
Mon 20 - 02:54:36 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[3f4]susds6669facabe3bea469a1a5fcf92d5df0c ]
Mon 20 - 02:55:18 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1376]
[EXECUTION] Commandline - [ "c:\windows\system32\notepad.exe" ]
Mon 20 - 02:56:58 [EXECUTION] "c:\program files\zone labs\zonealarm\zlclient.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1376]
[EXECUTION] Commandline - [ "c:\program files\zone labs\zonealarm\zlclient.exe" ]
Mon 20 - 02:57:08 [EXECUTION] "c:\windows\system32\zonelabs\vsmon.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [680]
[EXECUTION] Commandline - [ c:\windows\system32\zonelabs\vsmon.exe -service ]
Mon 20 - 02:59:06 [EXECUTION] "c:\program files\juno\exec.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1376]
[EXECUTION] Commandline - [ "c:\program files\juno\exec.exe" ]
Mon 20 - 02:59:07 [EXECUTION] "c:\program files\juno\exec.exe" was allowed to run
[EXECUTION] Started by "c:\program files\juno\exec.exe" [2876]
[EXECUTION] Commandline - [ exec 95db625hsjl ]
Mon 20 - 02:59:20 [EXECUTION] "c:\program files\juno\exec.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1376]
[EXECUTION] Commandline - [ "c:\program files\juno\exec.exe" ]
Mon 20 - 02:59:21 [EXECUTION] "c:\program files\juno\exec.exe" was allowed to run
[EXECUTION] Started by "c:\program files\juno\exec.exe" [2876]
[EXECUTION] Commandline - [ exec 95db625hsjl ]
Mon 20 - 03:06:00 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [680]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Mon 20 - 03:06:00 [EXECUTION] "c:\program files\microsoft money\system\urlmap.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [928]
[EXECUTION] Commandline - [ "c:\program files\microsoft money\system\urlmap.exe" -embedding ]
Mon 20 - 03:06:08 [EXECUTION] "c:\program files\hypersnap-dx 5\hprsnap5.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1376]
[EXECUTION] Commandline - [ "c:\program files\hypersnap-dx 5\hprsnap5.exe" ]
Mon 20 - 03:06:09 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\program files\juno\exec.exe" [2932]
[EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" -nohome "http://my.juno.com/s/sp?r=al&cf=sp&mem=yourblazey&key=1b54678f35083785a8cac05982169612&ts=414eaaf2&a=353309640000709&b=1073289600000&c=1044345600000&d=0&i=7.jh4&n=pl&o=i" ]
Mon 20 - 03:06:11 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1012]
[EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[3f4]susdsfedc27a7c26602459e062378b95e77c8 ]
Mon 20 - 03:06:12 [EXECUTION] "c:\program files\hypersnap-dx 5\hprsnap5.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1376]
[EXECUTION] Commandline - [ "c:\program files\hypersnap-dx 5\hprsnap5.exe" ]
Mon 20 - 03:06:14 [EXECUTION] "c:\program files\hypersnap-dx 5\hprsnap5.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1376]
[EXECUTION] Commandline - [ "c:\program files\hypersnap-dx 5\hprsnap5.exe" ]
Mon 20 - 03:06:16 [EXECUTION] "c:\program files\hypersnap-dx 5\hprsnap5.exe" was allowed to run
[EXECUTION] Started by "c:\program files\hypersnap-dx 5\hprsnap5.exe" [3420]
[EXECUTION] Commandline - [ "c:\program files\hypersnap-dx 5\hprsnap5.exe" ]
Mon 20 - 03:06:18 [EXECUTION] "c:\program files\hypersnap-dx 5\hprsnap5.exe" was allowed to run
[EXECUTION] Started by "c:\program files\hypersnap-dx 5\hprsnap5.exe" [3568]
[EXECUTION] Commandline - [ "c:\program files\hypersnap-dx 5\hprsnap5.exe" ]
Mon 20 - 03:06:41 [EXECUTION] "c:\program files\hypersnap-dx 5\hprsnap5.exe" was allowed to run
[EXECUTION] Started by "c:\program files\hypersnap-dx 5\hprsnap5.exe" [3588]
[EXECUTION] Commandline - [ "c:\program files\hypersnap-dx 5\hprsnap5.exe" ]
Mon 20 - 03:10:37 [EXECUTION] "c:\windows\system32\wbem\wmiprvse.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [928]
[EXECUTION] Commandline - [ c:\windows\system32\wbem\wmiprvse.exe -embedding ]
Mon 20 - 03:10:38 [EXECUTION] "c:\program files\microsoft money\system\urlmap.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [928]
[EXECUTION] Commandline - [ "c:\program files\microsoft money\system\urlmap.exe" -embedding ]
Mon 20 - 03:10:38 [EXECUTION] "c:\program files\hypersnap-dx 5\hprsnap5.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1376]
[EXECUTION] Commandline - [ "c:\program files\hypersnap-dx 5\hprsnap5.exe" ]
Mon 20 - 03:10:40 [EXECUTION] "c:\program files\hypersnap-dx 5\hprsnap5.exe" was allowed to run
[EXECUTION] Started by "c:\program files\hypersnap-dx 5\hprsnap5.exe" [1408]
[EXECUTION] Commandline - [ "c:\program files\hypersnap-dx 5\hprsnap5.exe" ]
Mon 20 - 03:14:51 [EXECUTION] "c:\program files\microsoft money\system\urlmap.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [928]
[EXECUTION] Commandline - [ "c:\program files\microsoft money\system\urlmap.exe" -embedding ]
Mon 20 - 03:19:42 [EXECUTION] "c:\program files\hypersnap-dx 5\hprsnap5.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1376]
[EXECUTION] Commandline - [ "c:\program files\hypersnap-dx 5\hprsnap5.exe" ]
Mon 20 - 03:19:43 [EXECUTION] "c:\program files\hypersnap-dx 5\hprsnap5.exe" was allowed to run
[EXECUTION] Started by "c:\program files\hypersnap-dx 5\hprsnap5.exe" [2104]
[EXECUTION] Commandline - [ "c:\program files\hypersnap-dx 5\hprsnap5.exe" ]
Mon 20 - 03:22:27 [EXECUTION] "c:\program files\microsoft money\system\urlmap.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [928]
[EXECUTION] Commandline - [ "c:\program files\microsoft money\system\urlmap.exe" -embedding ]
Mon 20 - 03:22:29 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1376]
[EXECUTION] Commandline - [ "c:\windows\system32\notepad.exe" c:\god's shild\processguard\logs\pglog_09_2004.txt ]

frogfoot
September 20th, 2004, 06:27 AM
Thanks Pilli, Will try that now.
Tom

Bowserman
September 20th, 2004, 06:33 AM
Hi frogfoot :). If you use a program like Process Explorer (http://www.sysinternals.com/ntw2k/freeware/procexp.shtml), you should see pguard.dll loaded in any program with CMH enabled. See screeny.

Regards,
Jade.

Mr.Blaze
September 20th, 2004, 06:35 AM
8) 1 lol cool

Pilli
September 20th, 2004, 06:35 AM
Blazie, on trusted apps, when you get a pop up click the permit + always tickbox and it will not bother you again unless the .exe is changed :)

Mr.Blaze
September 20th, 2004, 06:37 AM
8) yup newbie interface

Mr.Blaze
September 20th, 2004, 06:40 AM
;D yup just running it through the blaze test lol

frogfoot
September 20th, 2004, 06:42 AM
Restarting Outpost firewall made no difference, neither did a reboot. :-(

Process explorer does not show procguard.dll injected into process.

Mr.Blaze
September 20th, 2004, 06:42 AM
8) way cool interface

Mr.Blaze
September 20th, 2004, 06:46 AM
process guard crashed again under same way

no stall on pc

no crash pc

another bug windows xp start menu keeps telling me there's a new program and no matter how many times i go to start then processguard folder to show it i seen the new program it won't shut up

really annoying other programs do it once i look and it shuts up

processguard always seems to be new

Mr.Blaze
September 20th, 2004, 06:50 AM
the interface is way cool and easy on my bad eyes

its really clean and to the point

needs option to hide icon on system tray

has few bugs

i hope this has helped

i ran it into the gutter

if you need more testing let me know

has bugs but nothing i'm sure can't be panned out

also when pg crashes it doesn't take the whole pc with it

thats a good thing

no matter what it won't crash your pc

so its safe

frogfoot
September 20th, 2004, 07:28 AM
I think I am going to uninstall this beta. On my system it always allows a new application to run and adds it to the Security list with a 'Permit once' flag. I feel I was better protected with Version 2.
:'(

EDIT:
This effect only seems to happen when the drivers for my Wacom Tablet are installed. If I disable the TabUserW.exe executable from running on startup in msconfig, I am prompted to allow/deny all new programs.
Tom

worldcitizen
September 20th, 2004, 07:50 AM
I put this post in the wrong thread by accident so sorry.

Some questions.

1. How SHOULD PG3 be configured?

2. I install and try a lot of programs so if I install a program with a driver or graphics drivers will PG3 block the installation or will I get a pop up requesting permission?

3. How are Windows XP updates affected? Do I have to turn off something before installing Windows updates?

4. How will I know if PG3 is not working properly or if it IS working properly?

5. If PG3 blocks something how do I know if it is a normal Windows process or something malicious as I don't have technical knowledge of all terms, processes and program names?

Dave

Pilli
September 20th, 2004, 08:19 AM
-{ Quote: "1. How SHOULD PG3 be configured?" }-
When you first fire up Process Guard it goes into learning mode; this puts normal system and start up files on to the protection list and checksum list.
After the first reboot learning mode is turned off. Add your trusted security and Internet apps slowly and watch the alerts for any necessary Allows that may be needed.

-{ Quote: "2. I install and try a lot of programs so if I install a program with a driver or graphics drivers will PG3 block the installation or will I get a pop up requesting permission?" }-
You will be alerted that something is trying to do this if you have a General block on say Driver/rootkit/service installation.

-{ Quote: "3. How are Windows XP updates affected? Do I have to turn off something before installing Windows updates?" }-
Service packs will require all other programs to be disabled as is the case with many other software updates etc.

-{ Quote: "4. How will I know if PG3 is not working properly or if it IS working properly?" }-

If the Driver is not installed you get a warning that there is a problem.
You can also test it with Advanced Process Termination, available from the DCS downloads page; it is free.

-{ Quote: "5. If PG3 blocks something how do I know if it is a normal Windows process or something malicious as I don't have technical knowledge of all terms, processes and program names? " }-
For the non technical user anything can be dangerous and it would be very difficult to make a "foolproof" program of this nature.
Common sense is probably the best thing to use. If for instance you have installed a trusted program then you would expect PG to pop up a question, if however, you are not installing or updating then it would be wise to investigate before allowing.

HTH Pilli

Gavin - DiamondCS
September 20th, 2004, 08:31 AM
You should set up ProcessGuard for your system while it is clean, and not put it in danger. This way, you can use the learning mode to set it up for you :) Don't install any new programs yet, just leave learning mode on and use your PC for a couple of hours, running all the programs you use most commonly. These programs will get their required configuration no matter what setup you have chosen, even all 4 general options ticked.

By not putting your PC in danger I mean not getting online and not running any unknown untrusted programs since you are in learning mode. You can quickly add all the common programs and get them protected then reboot once and be all set up. This is how I like to get it set up quickly and easily and knowing everything is compatible and ready to go.

When installing new programs just choose to allow them, they should install fine. Most program installers just install files. If you suspect a driver will get installed you can disable PG - if you trust the installer completely. OR you could leave protection enabled and watch the alert screen - if it tries to install a driver you can either allow it or abandon the install, at worst you would have to disable protection and then reinstall.

XP updates should work fine while not in learning mode, just allow the execution of the update. All most updates do is replace files.

You will know PG is working in everyday use because learning mode should be OFF as soon as possible, and you will receive alerts often. We've tested the protection side of things extensively to ensure it won't just "break" all of a sudden or anything like that.

I hope to write a very easy to understand portion of the help file about executions and what to allow and what NOT to allow. Part of this might include the suggestion to deny a new program and then examine the file, and update the virus scanner before allowing it to run next time. Most programs don't just run "out of the blue" so if learning mode is allowed to set the machine up properly then these sort of incidents should never occur.
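
The learning-mode approach described in this post, applied to the execution-log format posted earlier in the thread, as an added example (not DiamondCS code and not part of any post): the first log session is treated as the learned baseline, and later sessions are checked for executables, or parent/child pairs, that were not seen while learning. The sample log is constructed, the `example\tool.exe` and `c:\temp\setup_unknown.exe` paths are hypothetical, and comparing path strings is an assumption made here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SESSION_MARK = "---Process Guard Log Started---"
# The three lines that make up one event in the log format posted in the thread.
HEAD_RE = re.compile(
    r'^(\w{3} \d{1,2} - \d{2}:\d{2}:\d{2}) \[EXECUTION\] "([^"]+)" was allowed to run$')
PARENT_RE = re.compile(r'^\[EXECUTION\] Started by "([^"]+)" \[(\d+)\]$')
CMD_RE = re.compile(r'^\[EXECUTION\] Commandline - \[ (.*) \]$')


@dataclass
class Event:
    when: str
    image: str
    parent: Optional[str] = None
    parent_pid: Optional[int] = None
    cmdline: Optional[str] = None


def parse_log(text: str) -> List[List[Event]]:
    """Return one list of events per session (per log-start marker)."""
    sessions: List[List[Event]] = []
    current: Optional[Event] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == SESSION_MARK:
            sessions.append([])
            current = None
        elif (m := HEAD_RE.match(line)):
            if not sessions:  # events before any marker form an implicit session
                sessions.append([])
            current = Event(when=m.group(1), image=m.group(2).lower())
            sessions[-1].append(current)
        elif current is None:
            continue  # stray continuation line with no event to attach to
        elif (m := PARENT_RE.match(line)):
            current.parent = m.group(1).lower()
            current.parent_pid = int(m.group(2))
        elif (m := CMD_RE.match(line)):
            current.cmdline = m.group(1)
    return sessions


def new_since_baseline(sessions: List[List[Event]],
                       learn: int = 1) -> List[Tuple[str, Event]]:
    """Treat the first `learn` sessions as learning mode; flag what is new later.

    Keys are path strings, not PIDs: PIDs change on every boot. Path text is
    an assumption of this example; an 8.3 short path and its long form
    therefore count as different programs, which a content checksum avoids.
    """
    images, pairs = set(), set()
    for session in sessions[:learn]:
        for ev in session:
            images.add(ev.image)
            pairs.add((ev.parent, ev.image))
    findings = []
    for session in sessions[learn:]:
        for ev in session:
            if ev.image not in images:
                findings.append(("new image", ev))
            elif (ev.parent, ev.image) not in pairs:
                findings.append(("new parent", ev))
    return findings


# Constructed sample in the thread's log format (paths are hypothetical).
SAMPLE_LOG = r'''
---Process Guard Log Started---
Mon 20 - 02:11:55 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1388]
[EXECUTION] Commandline - [ "c:\windows\system32\notepad.exe" ]
Mon 20 - 02:11:57 [EXECUTION] "c:\progra~1\example\tool.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1388]
[EXECUTION] Commandline - [ "c:\progra~1\example\tool.exe" ]
---Process Guard Log Started---
Mon 20 - 02:53:30 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1376]
[EXECUTION] Commandline - [ "c:\windows\system32\notepad.exe" ]
Mon 20 - 02:53:32 [EXECUTION] "c:\program files\example\tool.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1376]
[EXECUTION] Commandline - [ "c:\program files\example\tool.exe" ]
Mon 20 - 02:55:18 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\wuauclt.exe" [1012]
[EXECUTION] Commandline - [ notepad.exe c:\temp\note.txt ]
Mon 20 - 02:56:58 [EXECUTION] "c:\temp\setup_unknown.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1376]
[EXECUTION] Commandline - [ "c:\temp\setup_unknown.exe" /s ]
'''


if __name__ == "__main__":
    for reason, ev in new_since_baseline(parse_log(SAMPLE_LOG)):
        print(f"{ev.when}  {reason:10}  {ev.image}  <- {ev.parent}")
```

The same program launched through its short and long path is reported as new, which is the case a checksum list handles and a path list does not.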

Gavin - DiamondCS
September 20th, 2004, 08:35 AM
-{ Quote: "I think I am going to uninstall this beta. On my system it always allows a new application to run and adds it to the Security list with a 'Permit once' flag. I feel I was better protected with Version 2.
:'(

EDIT:
This effect only seems to happen when the drivers for my Wacom Tablet are installed. If I disable the TabUserW.exe executable from running on startup in msconfig, I am prompted to allow/deny all new programs.
Tom" }-

You wouldn't be using KAV5 by any chance would you ? Please email processguard@diamondcs.com.au with some config info and we should be able to fix this. On all but 2 machines so far everything has been perfect..

frogfoot
September 20th, 2004, 08:38 AM
No not KAV5
Firewall - Agnitum Outpost 2 Pro
Anti Virus - Sophos AV
Anti Trojan - TDS3 Full

What info do you need?
Tom

Peter2150
September 20th, 2004, 08:42 AM
-{ Quote: "I have a question? Is there any reason to allow any program to access the physical memory? For instance...should I allow antivirus programs or AT programs like TDS-3 to access physical memory or is that not necessary?


Starrob" }-

Hi Starrob

Reading the thread backwards so if your question was answered I apologize. The answer is some things will need it. For instance, on Microsoft's site, which I consider a trusted site, I wanted to run their test for my machine's ability to run Flight Simulator. IE kept on crashing. Turns out it needed permission to access physical memory and once I allowed IE that privilege the test ran fine.

Pete

Pilli
September 20th, 2004, 08:57 AM
Hi Tom -{ Quote: "What info do you need?" }-
In alerts open your logfile and copy / paste into an email to support@diamondcs.com.au
It may also be helpful if you can list your Operating system and resident programs.

Thanks. Pilli

Gavin - DiamondCS
September 20th, 2004, 09:04 AM
frogfoot : Ok thanks ! will get Jason to look and let you know :)

worldcitizen
September 20th, 2004, 09:07 AM
Thanks very much Gavin and Pilli for all that info.

When I used PG2 I noticed that during a defrag some files could not be defragged so should I have PG3 turned on/off during defrag and how does this affect the drive if I can't defrag it - i.e. will it eventually get corrupted? Also a couple of times PG2 crashed it wiped or changed my anti-virus beyond recognition and caused disk errors so is this new one as dangerous too?

One other thing is that I am like many people and when I'm surfing or installing something new I'm engrossed in what I'm doing and WON'T remember to turn off PG3 during driver installs (or too late after clicking on the install button - that's me!!) or updating Windows or defrag etc so I hope that to a certain extent PG3 is 'idiot proof' or 'set it & forget it' because I almost always forget to turn it off until it's too late and that poses problems unless PG3 has an inbuilt 'idiot proof scanner' that will just let me go on my merry way and forget it's there!!

I hope you don't mind me asking all these questions because they are from the standpoint of the average ignorant user who knows almost nothing and needs to get some simple basics to feel confident to use the program.

With user switching how does it work now? My wife and I both have separate accounts in XP Home and both are administrator accounts. Can we both access it?

I really appreciate your super fast replies because I want to install it but am a lot hesitant because of problems I had with PG2 and I just got a new motherboard so I don't want to have to re-install Windows again as I have everything running just great and this is beta software. I'm a 'set it & forget it' type of user that doesn't want to get bogged down with all sorts of problems arising. I basically just want the protection without any hassles.

Regards

Dave

Jason_DiamondCS
September 20th, 2004, 09:22 AM
-{ Quote: "I think I am going to uninstall this beta. On my system it always allows a new application to run and adds it to the Security list with a 'Permit once' flag. I feel I was better protected with Version 2.
:'(

EDIT:
This effect only seems to happen when the drivers for my Wacom Tablet are installed. If I disable the TabUserW.exe executable from running on startup in msconfig, I am prompted to allow/deny all new programs.
Tom" }-


I am sort of glad you are experiencing this problem, because one of our beta testers also has, but no-one else at this stage. It shouldn't be that difficult a problem to fix once the issue is found I think, but finding the issue is the hard part here. :)

worldcitizen
September 20th, 2004, 09:29 AM
-{ Quote: "

I hope to write a very easy to understand portion of the help file about executions and what to allow and what NOT to allow. Part of this might include the suggestion to deny a new program and then examine the file, and update the virus scanner before allowing it to run next time. Most programs don't just run "out of the blue" so if learning mode is allowed to set the machine up properly then these sort of incidents should never occur." }-

I think Gavin that something needs to be written for the 'mainstream user' who has the 'set it and forget it' mentality and doesn't want to get bogged down with technical problems and trouble-shooting. If this program can appeal as much to the mainstream user as the DCS tech savvy guy then it will be a great win for PC security as well as sales.

My sister looks after 3 kids so all she's got time for is to install a program and then forget about it so if you can fashion your programs for simplicity and ease of use for people like her then it's a great step to getting people like this interested in this kind of software. She bought a new PC and I TOLD HER to get an AV immediately and she ignored me and then got hacked and infected so badly that she eventually went out and bought an AV at once but she still can't get some spyware off her machine and I couldn't get it off either so now she knows about the need for installing SP's!! She picks me up once every so often and drives me 20km to her place & treats me to Big Macs to fix her PC because she's got no time or patience and this is the kind of people that need your program but as long as it is no hassle to run. She rings me up to do her internet banking because every time she tries to access it her PC logs off her account and logs onto another account called 'Mark'. Every time she wipes it, it comes back again and anti-spyware says it's coolwebsearch but I tried to delete it and it came back and nothing helps so looks like I'll be in for some more Big Macs to re-install Windows for her.

The point here is I could probably talk her into buying PG as long as it leaves her alone and she doesn't have to worry about it.

Dave

Jason_DiamondCS
September 20th, 2004, 09:34 AM
-{ Quote: "Some initial observations from me.

1) Block Global hooks seems to work better on my system, My Wacom Tablet now works when I allow the process 'Allow global hooks ' priv. (It didn't work previously)

2) After the initial install, I disabled Learning mode (no check in box), and applied the changes. However when I run new programs they are allowed to run (no confirmation box). It seems that Learning mode is stuck on!
I then rebooted and things seemed better. But after a few minutes I am getting no prompts.

3) Closed message handling still not working on my system. I gave Agnitum Outpost 'Securly handle Closing' option and then tried to close it, A verification dialogue popped up. I pressed Cancel without (typing the verification string in) A second Verification window was displayed, I pressed cancel again and Outpost closed.
I would not expect a second verification window after pressing cancel and would certainly not expect the application to close.

4) Assuming that the CMH will work as expected , when I shut down the system It is annoying to have to enter the verification string for all protected apps, Is it possible to give winlogon the privs to shut down the protected apps without a verification window? (ie give Winlogon Terminate privs) and is this safe?

5) Disabling all protection in the main window (Clearing 'Enable Protection' box) does not prompt for a verification dialogue box, is this correct?
Thanks
Tom" }-

There could be some problems with software that protects itself from DLL injection, like some firewalls may. I will have to investigate the latest Outpost and other firewalls. Secure Message Handling does require a lot of tweaking to get it to work well with a lot of applications, however some applications which I personally don't think have well-coded exit routines are hard to add secure close handling to.

Most applications can be shutdown in a variety of ways, not just by pressing the close button, which is what causes the issues sometimes. For instance, there might be a menu item called "Exit" which has its own exit routine separate from pressing the X button. You get request dialogs saying windows are being shutdown, and regardless if you say cancel to these requests the application doesn't care and eventually quits anyway. At least with these abnormal methods there needs to be specific shutdown methods to close them down, not just generic ones (which Process Guard would catch).

There is no good way to determine which application sent the message. However there might be some alternative ways around handling shutdown.

Human Verification Dialogs will be added to the ProcessGuard GUI when making changes very soon, they are not in the current BETA.

Paranoid2000
September 20th, 2004, 09:50 AM
-{ Quote: "...something needs to be written for the 'mainstream user' who has the 'set it and forget it' mentality and doesn't want to get bogged down with technical problems and trouble-shooting. If this program can appeal as much to the mainstream user as the DCS tech savvy guy then it will be a great win for PC security as well as sales." }-
With all due respect, unless DCS can add a mind-machine interface to PG this is not going to be a realistic possibility. First of all, PG's settings will have to be altered for special circumstances (e.g. installing a new application or Windows patch) at least temporarily and since the user is doing the installation/upgrade, only they will know when settings should be relaxed and tightened again. Secondly, it is not practical to build a database of "good" (to be allowed) and "bad" (to be denied) programs due to the huge amount of software available (even just keeping track of specialised malware like trojans is enough of a struggle) - the user will have to make the decision here also.

The only way for a novice to achieve trouble-free security is to allow someone else to administer their PC - to decide what gets installed and when. Software like PG does provide greater control over Windows' internals, but just like a firewall, the user has to empower themselves with the knowledge of how best to use it.

-{ Quote: "I gave Agnitum Outpost 'Securly handle Closing' option and then tried to close it, A verification dialogue popped up. I pressed Cancel without (typing the verification string in) A second Verification window was displayed, I pressed cancel again and Outpost closed.
I would not expect a second verification window after pressing cancel and would certainly not expect the application to close." }-
Outpost does pop up another dialog to request confirmation that you want to shut it down so that could be the problem. Perhaps the best solution is a "special CMH" option where PG could actually terminate the process itself after verification to avoid having to deal with any such prompts - or alternatively PG could send a user-defined keystroke sequence to the application to close it cleanly (a more civilised option).

Jason_DiamondCS
September 20th, 2004, 10:11 AM
-{ Quote: "I think Gavin that something needs to be written for the 'mainstream user' who has the 'set it and forget it' mentality and doesn't want to get bogged down with technical problems and trouble-shooting. If this program can appeal as much to the mainstream user as the DCS tech savvy guy then it will be a great win for PC security as well as sales.

My sister looks after 3 kids so all she's got time for is to install a program and then forget about it so if you can fashion your programs for simplicity and ease of use for people like her then it's a great step to getting people like this interested in this kind of software. She bought a new PC and I TOLD HER to get an AV immediately and she ignored me and then got hacked and infected so badly that she eventually went out and bought an AV at once but she still can't get some spyware off her machine and I couldn't get it off either so now she knows about the need for installing SP's!! She picks me up once every so often and drives me 20km to her place & treats me to Big Macs to fix her PC because she's got no time or patience and this is the kind of people that need your program but as long as it is no hassle to run. She rings me up to do her internet banking because every time she tries to access it her PC logs off her account and logs onto another account called 'Mark'. Every time she wipes it, it comes back again and anti-spyware says it's coolwebsearch but I tried to delete it and it came back and nothing helps so looks like I'll be in for some more Big Macs to re-install Windows for her.

The point here is I could probably talk her into buying PG as long as it leaves her alone and she doesn't have to worry about it.

Dave" }-

I think every security company in the world is trying to do something like this, but it is really impossible with the current technology how it is. The problems of security on computers is roughly caused 5% by the computer and 95% by the person using it. Until we can attach upgrades to people's brains I think we are going to continue having problems for the people who refuse to learn such things. :)

ProcessGuard is here for people who at least want to learn something, or have learned some things, and know that even if you know it all your computer is still at risk (that 5% I mentioned).

ProcessGuard users could almost (I stress almost) use it entirely for the security on their computer due to how well it works. It blocks the really bad programs from installing on your computer (rootkits), it alerts when new programs run (things like Blaster worm would be stopped), it alerts when programs change, it alerts when something tries to modify/terminate/read something else, etc. Even if a program gets beyond the first level of ProcessGuard's protection, there is not much a program could do to the system that ProcessGuard does not protect against.

Meed
September 20th, 2004, 12:01 PM
-{ Quote: "For the non technical user anything can be dangerous and it would be very difficult to make a "foolproof" program of this nature.
Common sense is probably the best thing to use. If for instance you have installed a trusted program then you would expect PG to pop up a question, if however, you are not installing or updating then it would be wise to investigate before allowing." }-

Also:

-{ Quote: " Most programs don't just run "out of the blue"" }-

I agree. However (on pgv.2 / Windows XP Home) I often every now and again get a pop from pg out of the blue, (nothing prompting it), asking whether to allow HelpSvc.exe to run (C:\WINDOWS\PCHealth\HelpCtr\Binaries) with the command line: "C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe" /embedding.
Then about 1 second after that asking whether to allow wmiprvse.exe to run (C:\WINDOWS\system32\wbem), with command line: C:\WINDOWS\system32\wbem\wmiprvse.exe -embedding. These two are the ones that occur most frequently, and interestingly they seem to run when the pc has been idle for a while. They are both Microsoft programs with helpsvc.exe being Microsoft Help Center Service, and wmiprvse.exe being Windows Management Instrumentation. So I usually allow them to run. But it's strange that they are running at all, as I am not prompting them to run. I could understand a program running on its own, out of the blue, if it were like a program registration reminder dialog or the desktop clean up wizard, which runs every 60 days, but not this helpsvc & wmiprvse.

Another program that sometimes runs out of the blue by itself with no prompting is the ms defrag tool, it's not in the pg event log at the moment, so I can't give any more details, but I have seen it run before when that system is just sitting idle. When these programs, helpsvc, wmiprvse, defrag thing run, nothing happens. No boxes pop up or anything, the only thing is they get added to the wintaskman process list, then disappear off the list a little while later. Strange, what do you think ?

Cheers, Meed.

Pilli
September 20th, 2004, 12:44 PM
Hi Meed, Windows runs quite a few housekeeping programs such as those you have mentioned. Personally I do not have a problem with them as I know they are legitimate. If for some reason they were changed then the check sum would change and I would be alerted, then I would investigate. :)

You can turn off a lot of these services with SafeXP or XP-Antispy if you so desire.

Pilli

Mr.Blaze
September 20th, 2004, 01:53 PM
:P yup im uninstalling it today

no complaints about the interface

miss the confirmation change this by typing in letters should be an option

crashes

no option to hide icon on taskbar

no right click on icon option list

off to recycling bin

se7engreen
September 20th, 2004, 02:16 PM
I noticed on the Main screen that the status always reads "Status:System Secure". Is this supposed to change at all? When I disable protection it still reads system secure.

Pilli
September 20th, 2004, 02:29 PM
Hi se7engreen, I think this will be addressed for the full release.
What DCS want to test mainly is the driver and protection stability before adding the bells and whistles :)
Plus the fact it gives all something to look forward to. :)

Cheers. Pilli

se7engreen
September 20th, 2004, 02:56 PM
Thanks Pilli, it's good to know that there are even more improvements to look forward to. Things have been running smooth for me for the past several hours with PG running with all my other apps. The only other anomaly I noticed is when I permit an app to run only once, I am able to run the app over and over again without any warning. Is this something that still needs work or am I the only one experiencing this?

Pilli
September 20th, 2004, 03:15 PM
-{ Quote: "The only other anomaly I noticed is when I permit an app to run only once, I am able to run the app over and over again without any warning. Is this something that still needs work or am I the only one experiencing this?" }-
There have been several reports of this behaviour and Jason is aware of it.
You may find that the next reboot it works fine, obviously some minor contention that needs addressing.

Thanks for your report. Pilli

Mr.Blaze
September 20th, 2004, 10:21 PM
am i only one where pg3 crashes if you open and close it 3 times?

how can i get a report of process guard crashing to submit


any monitoring software i can use on pg 3

Rainwalker
September 21st, 2004, 12:09 AM
Maybe this has been asked......no time to read all of the thread now...will my old key file work on this beta or must i use the other as for some reason i am having a problem with copy/paste.

TIA

Tassie_Devils
September 21st, 2004, 12:24 AM
Hi Rainwalker. :)

Short answer: NO. :(

No such thing as a Keyfile now. You have to copy/paste the unlock Code on your members area at DCS to get it to work.

Cheers, TAS

edit: Just a thought, you don't have trouble highlighting the code do you, if not, highlight and then right click and 'Copy' that way, instead of going Ctrl/C if that's the problem, then in the reg box, right click and Paste. See if that works.
:)

frogfoot
September 21st, 2004, 11:36 AM
-{ Quote: "The only other anomaly I noticed is when I permit an app to run only once, I am able to run the app over and over again without any warning. Is this something that still needs work or am I the only one experiencing this?" }-

I had the exact same problem as you describe. I have just done a bit of investigating and found a cure on my machine

What I did was to remove the 'Install Global Hooks' option for the CTFMON.EXE process.

Then reboot

This is an extract from the log
-{ Quote: " [EXECUTION] Commandline - [ "c:\windows\system32\ctfmon.exe" ]
Tue 21 - 19:36:31 [GLOBAL HOOK] [1464] was blocked from creating a global Shell hook
Tue 21 - 19:36:31 [GLOBAL HOOK] [1464] was blocked from creating a global GetMessage hook
Tue 21 - 19:36:31 [GLOBAL HOOK] [1464] was blocked from creating a global CBT hook" }-



Give this a try and see if it sorts the problem, if it does then post here and one of us can inform DCS

Hope this helps
Tom

Pilli
September 21st, 2004, 12:38 PM
Good work Frogfoot, This has been reported to DCS directly for Jason to assess.

Cheers. Pilli

Rainwalker
September 21st, 2004, 12:43 PM
-{ Quote: "Hi Rainwalker. :)

Short answer: NO. :(

No such thing as a Keyfile now. You have to copy/paste the unlock Code on your members area at DCS to get it to work.

Cheers, TAS

edit: Just a thought, you don't have trouble highlighting the code do you, if not, highlight and then right click and 'Copy' that way, instead of going Ctrl/C if that's the problem, then in the reg box, right click and Paste. See if that works.
:)" }-

Hey Tas :) ....thanks for response :'(
No , highlights fine just won't copy/paste ....my puter for sure ...i'll mess with it later. Have a great day !

cjtc
September 23rd, 2004, 12:39 AM
I know it's a bell (or maybe a whistle?), but could you please enable mouse wheel scrolling in your tables for FCS.

Wayne - DiamondCS
September 23rd, 2004, 12:50 AM
-{ Quote: "I know it's a bell (or maybe a whistle?), but could you please enable mouse wheel scrolling in your tables for FCS." }-
PG3 already supports this! :)
Simply click on the list/table you want to scroll first to set focus on it, then go crazy with your mouse wheel

Notok
September 24th, 2004, 03:41 AM
Does PG3 still use MD5 for checksumming? If so, are there any plans to upgrade that now that they are talking about being able to defeat it?

Jason_DiamondCS
September 24th, 2004, 03:58 AM
-{ Quote: "Does PG3 still use MD5 for checksumming? If so, are there any plans to upgrade that now that they are talking about being able to defeat it?" }-

There is no need for what ProcessGuard uses it for. To try and get around the MD5 protection, something would need to modify one of the EXE files on disk. The method to cause a collision in MD5 would most likely corrupt the EXE file, making it unable to load in the first place.

IF more vulnerabilities are found with MD5 we will have to look at each of them and determine if they do compromise ProcessGuard's security. But at this stage the current ones don't.

Paranoid2000
September 25th, 2004, 07:44 AM
PG3 does seem a notable improvement over PG2 both in interface and in resource (CPU) utilisation.

On the user interface side, there are 2 improvements I would suggest. On the Protection screen, there should be Confirm and Cancel buttons for any changes to application privileges - as it stands, it is too easy to inadvertently alter them for an application just by clicking within the window. This is exacerbated by having too large a click region (e.g. if you click just within the right-hand border at the same height as one of the options, you change that option's settings) - this should be restricted to the checkboxes only.

Another interface improvement would be to have the option to use flags (T, M, R, etc) in place of words (Termination, Modify, Read) in the Protection list. Currently, you need to stretch the window quite a bit to see all the permissions if the full set is enabled for an application.

One problem I have encountered with ProcGuard is that if it is not run with an Administrator user (I tried with a power user), it shows Status: Initializing for a minute then Status: Error. Failed to initialize. Check dscuserprot.exe. If it does need Admin access, could a more descriptive error message be given?

A better option would be to be able to run ProcGuard without Admin access to remove the chance of an escalation of privilege exploit. It is easy to get a command prompt window with Admin user privileges via ProcGuard and possibly attempt a buffer overflow using the techniques documented in Next-Generation Win32 exploits: fundamental API flaws (http://security.tombom.co.uk/shatter.html) (these seem to work even if ProcGuard is protected from Reading), so requiring Administrator access does pose a risk on shared machines.

quaduong
September 25th, 2004, 09:54 PM
No one jumps in yet, so let me give some input.
anyway, this is windows design problem and to make it exploited, users must let shatter.exe run successfully.

Jason_DiamondCS
September 26th, 2004, 11:54 PM
Well since any other limited user account is run in another session, it isn't possible for them to attack the ProcessGuard GUI with a shatter attack. It is possible if a SERVICE creates windows (like ProcessGuard v2.0 does), however v3.000 doesn't so shatter attacks and things like that aren't of concern.

Paranoid2000
September 27th, 2004, 12:08 AM
-{ Quote: "Well since any other limited user account is run in another session, it isn't possible for them to attack the ProcessGuard GUI with a shatter attack." }-
I was able to use shatter to modify the File Open dialog (via Protection/Add Application) to paste the shell code in (lacking a debugger I didn't take things any further). I can also get a command-line prompt with Admin access (this can be fixed by disabling the right click menu in the File Open dialog). Either option could be used for an escalation of privilege - though XP SP2's Data Execution Protection should prevent exploit code from being run in the first case.

Jason_DiamondCS
September 27th, 2004, 11:46 PM
-{ Quote: "I was able to use shatter to modify the File Open dialog (via Protection/Add Application) to paste the shell code in (lacking a debugger I didn't take things any further). I can also get a command-line prompt with Admin access (this can be fixed by disabling the right click menu in the File Open dialog). Either option could be used for an escalation of privilege - though XP SP2's Data Execution Protection should prevent exploit code from being run in the first case." }-

Could you give the exact details of what you are doing here?

As far as I am aware, if you are running as a Guest or Limited User you won't be able to enumerate the Windows on an admin desktop. So I'm not sure how you are using Shatter to exploit the ProcessGuard GUI unless you are also running Shatter on the administrators desktop?

The only program which runs in every account started on the system is pgaccount.exe which runs with the user supplied privileges, the same as any program already running or about to be run in that session. So there is no point for a program to try and attack pgaccount.exe since it has as many privileges as the attacking program already does.

quantam
September 28th, 2004, 02:00 AM
Originally, PG has been designed to protect users' boxes from harmful or malicious codes even if they accidentally/unknowingly let it run on theirs. PG should protect important system process already in place assumed all are good ones (not bad ones replaced the legitimate ones). Is it wrong?
Now with "Shatter", if let it run and with security flaws of windows, as "Paranoid" said shatter can attack successfully even with PG2/3 in place?

Thanks for helping.

Jason_DiamondCS
September 28th, 2004, 02:55 AM
-{ Quote: "Originally, PG has been designed to protect users' boxes from harmful or malicious codes even if they accidentally/unknowingly let it run on theirs. PG should protect important system process already in place assumed all are good ones (not bad ones replaced the legitimate ones). Is it wrong?
Now with "Shatter", if let it run and with security flaws of windows, as "Paranoid" said shatter can attack successfully even with PG2/3 in place?

Thanks for helping." }-

I'll have to take a look at preventing this, but it might be possible.

Paranoid2000
September 29th, 2004, 09:42 AM
-{ Quote: "Could you give the exact details of what you are doing here?" }-
I was logged in as a Power User using the Run As option to run Procguard with administrator access. Hope that helps.

Another thing I have noticed is that PG3 does not appear to block all programs from installing drivers (I have all 4 Global Protection options checked). It did block PageDefrag (http://www.sysinternals.com/ntw2k/freeware/pagedefrag.shtml) (from SysInternals) from loading its PAGEDFRG driver but did not stop Drive Snapshot (http://www.drivesnapshot.de/en/) (trial download available) from loading its SNAPSHOD driver (this was blocked by PG2 Free and prompted for by SSM 1.9.5 - snapshot.exe had no entry in PG3's Protection list).

Jason_DiamondCS
September 30th, 2004, 01:29 AM
-{ Quote: "I was logged in as a Power User using the Run As option to run Procguard with administrator access. Hope that helps.

Another thing I have noticed is that PG3 does not appear to block all programs from installing drivers (I have all 4 Global Protection options checked). It did block PageDefrag (http://www.sysinternals.com/ntw2k/freeware/pagedefrag.shtml) (from SysInternals) from loading its PAGEDFRG driver but did not stop Drive Snapshot (http://www.drivesnapshot.de/en/) (trial download available) from loading its SNAPSHOD driver (this was blocked by PG2 Free and prompted for by SSM 1.9.5 - snapshot.exe had no entry in PG3's Protection list)." }-

Blocked fine by me. However services.exe is the one which installs the driver for snapshot, you most likely have services.exe with allow drivers.

This is an issue with services.exe that I hope to fix in later versions of ProcessGuard, there isn't an easy solution to this problem.

Pilli
September 30th, 2004, 01:42 AM
-{ Quote: "This is an issue with services.exe that I hope to fix in later versions of ProcessGuard, there isn't an easy solution to this problem." }-
Thanks for that Jason, Looking at my protection list I do not have Allow services / driver install for services.exe and have not had any alerts that indicate that it is required by anything. The same applies to my laptop and to Windows 2003 server machines.
So I assume it is normally best not give services.exe the Allow services /driver flag? Or maybe only allow it for a particular trusted program?

Pilli

Paranoid2000
September 30th, 2004, 01:45 AM
-{ Quote: "Blocked fine by me. However services.exe is the one which installs the driver for snapshot, you most likely have services.exe with allow drivers." }-
Services.exe did have the Install Drivers option but removing this made no difference - Snapshot still ran (I do have to use "Run As" to give it administrator rights when logged in as a power user). However thanks for the update. :)

Jason_DiamondCS
September 30th, 2004, 02:04 AM
-{ Quote: "Services.exe did have the Install Drivers option but removing this made no difference - Snapshot still ran (I do have to use "Run As" to give it administrator rights when logged in as a power user). However thanks for the update. :)" }-

It runs fine here too, just when you click backup drive, or one of the options which makes it drop and install its driver, it will fail.

Jason_DiamondCS
September 30th, 2004, 02:05 AM
-{ Quote: "Thanks for that Jason, Looking at my protection list I do not have Allow services / driver install for services.exe and have not had any alerts that indicate that it is required by anything. The same applies to my laptop and to Windows 2003 server machines.
So I assume it is normally best not give services.exe the Allow services /driver flag? Or maybe only allow it for a particular trusted program?

Pilli" }-

I myself would only add that privilege to services.exe temporarily to solve any issues an application was having. I know some people with AOL and various other things like it have to pretty much always allow services.exe to install drivers because they continually install a driver on every bootup.

Paranoid2000
September 30th, 2004, 02:17 AM
-{ Quote: "It runs fine here too, just when you click backup drive, or one of the options which makes it drop and install its driver, it will fail." }-
No failure here, even when I start a backup. ??? The only entry in the PG log was:

Thu 30 - 07:02:43 [EXECUTION] "d:\program files\drivesnapshot\snapshot.exe" was allowed to run
[EXECUTION] Started by "c:\winnt\system32\services.exe" [268]
[EXECUTION] Commandline - [ "d:\program files\drivesnapshot\snapshot.exe" ]
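
The ProcessGuard log lines quoted in this thread, parsed for triage. This is an added example, not part of any post and not DiamondCS code; the line grammar is inferred only from the two extracts posted here, and all function names are hypothetical.

```python
import ntpath
import re

# Constructed sample: only the log lines quoted in this thread, in the order posted.
SAMPLE_LOG = r'''
 [EXECUTION] Commandline - [ "c:\windows\system32\ctfmon.exe" ]
Tue 21 - 19:36:31 [GLOBAL HOOK] [1464] was blocked from creating a global Shell hook
Tue 21 - 19:36:31 [GLOBAL HOOK] [1464] was blocked from creating a global GetMessage hook
Tue 21 - 19:36:31 [GLOBAL HOOK] [1464] was blocked from creating a global CBT hook
Thu 30 - 07:02:43 [EXECUTION] "d:\program files\drivesnapshot\snapshot.exe" was allowed to run
[EXECUTION] Started by "c:\winnt\system32\services.exe" [268]
[EXECUTION] Commandline - [ "d:\program files\drivesnapshot\snapshot.exe" ]
'''

# Assumed grammar: optional "Day DD - HH:MM:SS " stamp, then "[CATEGORY] message".
LINE = re.compile(
    r'^\s*(?:(?P<day>[A-Za-z]{3} \d{1,2}) - (?P<time>\d{2}:\d{2}:\d{2}) )?'
    r'\[(?P<category>[A-Z ]+)\]\s*(?P<message>.*?)\s*$'
)
HOOK = re.compile(r'^\[(?P<pid>\d+)\] was blocked from creating a global (?P<hook>\w+) hook$')
EXEC = re.compile(r'^"(?P<image>[^"]+)" was (?P<verdict>.+)$')
STARTED = re.compile(r'^Started by "(?P<path>[^"]+)" \[(?P<pid>\d+)\]$')


def parse_events(text):
    """Group lines into events; unstamped lines continue the previous event."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank or unrecognised line
        stamped = m['time'] is not None
        if not stamped and events and events[-1]['category'] == m['category']:
            events[-1]['details'].append(m['message'])
            continue
        # A stamped line, or a continuation whose first line was cut from the extract.
        events.append({
            'day': m['day'], 'time': m['time'],
            'category': m['category'], 'message': m['message'], 'details': [],
        })
    return events


def blocked_hooks_by_pid(events):
    """Map PID -> list of global hook types ProcessGuard reported blocking."""
    hooks = {}
    for ev in events:
        m = HOOK.match(ev['message']) if ev['category'] == 'GLOBAL HOOK' else None
        if m:
            hooks.setdefault(int(m['pid']), []).append(m['hook'])
    return hooks


def executions_started_by(events, parent_name):
    """Images whose 'Started by' parent has the given file name (case-insensitive)."""
    hits = []
    for ev in events:
        image = EXEC.match(ev['message']) if ev['category'] == 'EXECUTION' else None
        if not image:
            continue
        for detail in ev['details']:
            parent = STARTED.match(detail)
            if parent and ntpath.basename(parent['path']).lower() == parent_name.lower():
                hits.append(image['image'])
    return hits


if __name__ == '__main__':
    evs = parse_events(SAMPLE_LOG)
    print(blocked_hooks_by_pid(evs))
    print(executions_started_by(evs, 'services.exe'))
```

Listing what services.exe launched gives a review queue for the driver-install path discussed in this thread, where the privilege check falls on services.exe rather than on the program that requested the driver.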

TheQuest
September 30th, 2004, 02:31 AM
Hi, Paranoid2000

Have you taken it out of the Security Options.

Take Care,
TheQuest 8)

Pilli
September 30th, 2004, 02:32 AM
Do you have snapshot.exe in your protection list? And if so what privileges does it have?

Jason_DiamondCS
September 30th, 2004, 02:40 AM
Here are my results :-

Paranoid2000
September 30th, 2004, 08:27 AM
Here's my results - here is Snapshot taking a backup with the PG Alerts screen (BTW I did try removing Snapshot from the Security list - aside from bringing up the Execution Protection prompt to run it, it made no difference):

Jason_DiamondCS
September 30th, 2004, 08:37 AM
Show your protection and main tabs also. :)

Paranoid2000
September 30th, 2004, 08:37 AM
And here's my PG Protection settings - nothing for Snapshot and no drivers for Services...

Paranoid2000
September 30th, 2004, 08:43 AM
...and here's my PG Main settings.

Paranoid2000
September 30th, 2004, 08:47 AM
BTW this is on Windows 2000 SP4 - your screenshot Jason suggests you tested on Windows XP. If so, could that make the difference?

Jason_DiamondCS
September 30th, 2004, 09:07 AM
Ok, we will do some testing tomorrow to ensure. In the meanwhile try the new version. :)

Paranoid2000
September 30th, 2004, 08:50 PM
Well, I've installed the final beta and encountered the same problem...sort of. ;)

Basically, ProcessGuard can catch the first attempt to install SNAPSHOD - but if it is allowed, further attempts will not be blocked if permissions are revoked. This is a different situation from other programs that install drivers (e.g. PageDefrag or DbgView - remove their Install Drivers privilege and subsequent attempts are then blocked) and appears to be down to services.exe doing the driver install (revoking driver install permissions for services.exe does not seem to block subsequent installs - or maybe services.exe is smart enough to detect previously installed drivers and do nothing on subsequent attempts ;)).

This I presume is the services.exe issue you were referring to earlier Jason. If any program can use it to install drivers, is there any chance of being able to restrict it to specific programs/drivers only? Allowing it to install anything seems to open the door to mischief while blocking it totally may cause other utilities to fail.

Jason_DiamondCS
September 30th, 2004, 11:19 PM
-{ Quote: "Well, I've installed the final beta and encountered the same problem...sort of. ;)

Basically, ProcessGuard can catch the first attempt to install SNAPSHOD - but if it is allowed, further attempts will not be blocked if permissions are revoked. This is a different situation from other programs that install drivers (e.g. PageDefrag or DbgView - remove their Install Drivers privilege and subsequent attempts are then blocked) and appears to be down to services.exe doing the driver install (revoking driver install permissions for services.exe does not seem to block subsequent installs - or maybe services.exe is smart enough to detect previously installed drivers and do nothing on subsequent attempts ;)).

This I presume is the services.exe issue you were referring to earlier Jason. If any program can use it to install drivers, is there any chance of being able to restrict it to specific programs/drivers only? Allowing it to install anything seems to open the door to mischief while blocking it totally may cause other utilities to fail." }-

Please see a few posts back. It isn't going to be easy finding a solution to this problem, but hopefully there will be one.

Peter2150
October 1st, 2004, 12:15 AM
I also use Drive Snapshot, but given my overall experimenting with lots of backup and imaging software, and several E-Mails back and forth with Tom Ehlert the author of Drive Snapshot, I have gotten into the habit of Disabling Process Guard, Worm Guard, and my Virus Software before doing any imaging/backup stuff. Then I just leave the system alone, even though supposedly you can continue working. Just avoids conflicts and potential restore problems.