PG 3 failed Advanced Process termination?


Atomas31
September 20th, 2004, 04:49 PM
Hi,

Just to check how well my security software was protected from being killed by a virus, I tried Advanced Process Termination and, to my surprise, for almost all my supposedly protected programs I was able to kill them with at least one of the nine ways to kill a program??? Is this normal? What is the problem, since my PG 3 indicated that my system is secure? Is Advanced Process Termination, with its nine ways to kill a program, too strong for PG 3?

Thanks for your solution,
Atomas31

Starrob
September 20th, 2004, 05:53 PM
I just tried APT also because I saw this post and I wanted to make sure PG v3 actually blocked all the termination attacks. In my case PG v3 was able to block the attacks but.....

I found out something interesting while doing this. I was able to suspend the Yahoo process using the suspend button on APT. I was also able to terminate the process using method 7 until I put a check in the box "securely handle window closure".

I assume method 7 in APT is the one that closes any open windows.

I also tested suspending the internet explorer open window. I was able to suspend the process without the "securely handle window closure" box checked. So does this mean that any process that has a window must have the "securely handle window closure" box checked in order to prevent freezing the window with the suspend button?

I look forward to hearing the answers on how PG 3 failed APT for the original poster also.


Starrob

Ocol
September 20th, 2004, 06:10 PM
I installed Process Guard V3 Public Beta onto my AMD Windows XP SP2 system and I ran the Process Kill Demo that comes with Process Guard V3. This Demo found and managed to kill my Procguard.exe and Proxomitron.exe processes with no alerts. Both processes had terminate protection enabled and Proxomitron had "securely handle window closure" enabled as well.

On one occasion, the Process Kill Demo stated that it had been unsuccessful at terminating the processes, and when I went to click on their icons in the taskbar, they disappeared and had in fact been terminated.

Atomas31
September 20th, 2004, 06:56 PM
Hi Starrob,

Where did you see the "securely handle window closure"???

I don't see that in my PG 3 or in my APT?

Thanks,
Atomas31

Andreas1
September 20th, 2004, 06:58 PM
Hi all,
APT's kill methods 7 and 8 are using windows messages to close the target program. Sometimes clever target programs are dealing with this themselves, sometimes they don't. In these cases Close Message Handling might help. In other cases (far fewer than in PGv2) CMH might lead to some trouble - mostly with getting too many confirmation prompts.

HTHH,
Andreas

Andreas1
September 20th, 2004, 06:59 PM
-{ Quote: "Where did you see : the "securely handle window closure" ???" }-

In PG, Protection Tab, one of the "Other Options"

Atomas31
September 20th, 2004, 07:09 PM
Thanks Andreas1 :-)

I'm checking that box for all my applications, if it can make them more protected!


Atomas31

Andreas1
September 20th, 2004, 07:21 PM
It will probably add protection, but I would go about this rather carefully (one at a time and see how it goes). It can quickly get on your nerves, IMHO; that's why I try to restrict it to as few programs as possible. But your mileage may vary.

CU,
Andreas

Atomas31
September 20th, 2004, 07:43 PM
-{ Quote: "it will probably add protection. but i would go about this rather carefully. (one at a time and see how it goes. It can quickly get on your nerves, IMHO, that's why I try to restrict it to as few programs as possible. But your mileage may vary.)" }-

You are right Andreas1, That's why, just like you, I have put this option for only a very few programs ;-)

Atomas31

Starrob
September 20th, 2004, 08:14 PM
-{ Quote: "it will probably add protection. but i would go about this rather carefully. (one at a time and see how it goes. It can quickly get on your nerves, IMHO, that's why I try to restrict it to as few programs as possible. But your mileage may vary.)

CU,
Andreas" }-


Yeah, the Close Message handling sometimes works and sometimes doesn't. It works with some programs better than others too.


Starrob

linney
September 20th, 2004, 11:17 PM
Learning Mode can be a bit of a trap. Any program started in this mode ended up in the "Protect" section as well as the "Security" section. In the "Protect" section you really only want programs that you wish to protect, not every program that is started while in the learning mode. Consequently you may find programs like PG-Demo and APM ending up there and being protected and given permissions like "Modify", which may allow them to knock out any protected program and defeat the purpose of any security test of PG. After all, you wouldn't knowingly give any malware this protection or these rights. The moral of this story is to watch what ends up in the "Protect" section during the learning mode.

Pilli
September 21st, 2004, 01:54 AM
To All,
Please note that for Securely Handle Windows Closure to work properly, the process or service must be stopped and restarted so that procguard.dll can be injected into the process.
Using tools such as Sysinternals' Process Explorer or Faber Toys you can check that the .dll file has been successfully injected.

I would also add to Andreas's comment that when considering using Close Message Handling, if the program has password protection then use that first, which considerably increases an application's security without having PG's Human Interface Device always popping up. :)

Thank you. Pilli
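Pilli's check (is procguard.dll actually loaded in the process you restarted?) can be scripted instead of done by hand in Process Explorer or APM. The script below is an added example, not code from the thread or from DiamondCS; the module name and the process names are placeholders for whatever you protected, and it reads the same loaded-module list those tools display:

```powershell
# Added example (not from the thread): report whether a named DLL is loaded
# into each running instance of the given processes, e.g. whether
# procguard.dll made it into the programs that have "Securely Handle Window
# Closure" enabled. Module and process names below are placeholders.
# Run from an elevated prompt so the module lists of other users' processes
# can be read.
param(
    [string]$ModuleName  = 'procguard.dll',
    [string[]]$ProcessName = @('proxomitron', 'procguard')
)

foreach ($name in $ProcessName) {
    $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
    if (-not $procs) {
        # A process that was never restarted after the option was set will
        # also show up as "NOT loaded" once it is running again.
        Write-Output "$name : not running (start it so the DLL can be injected)"
        continue
    }
    foreach ($p in $procs) {
        try {
            # .Modules enumerates the DLLs mapped into the process; access is
            # denied for protected or higher-integrity processes, and a
            # 32/64-bit mismatch between the shell and the target also throws.
            $hit = @($p.Modules | Where-Object { $_.ModuleName -ieq $ModuleName })
        } catch {
            Write-Output ("{0} (PID {1}): cannot read module list ({2})" -f `
                $p.ProcessName, $p.Id, $_.Exception.Message)
            continue
        }
        if ($hit.Count -gt 0) {
            Write-Output ("{0} (PID {1}): {2} loaded from {3}" -f `
                $p.ProcessName, $p.Id, $ModuleName, $hit[0].FileName)
        } else {
            Write-Output ("{0} (PID {1}): {2} NOT loaded" -f `
                $p.ProcessName, $p.Id, $ModuleName)
        }
    }
}
```

Save it as a .ps1 and pass your own list, e.g. `.\check-dll.ps1 -ProcessName prevx,adaware`. A "NOT loaded" line for a program that was started before the option was enabled is the restart case Pilli describes; a "cannot read module list" line for a firewall or antivirus matches Starrob's observation that self-protecting programs refuse the injection and the inspection alike, so that result on its own does not tell you which of the two happened.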

Wayne - DiamondCS
September 21st, 2004, 02:20 AM
-{ Quote: "Using tools such as Sysinternal's Process Explorer or Faber toys you can check that the .dll file has been successfully injected." }-
Our own freeware APM (http://www.diamondcs.com.au/index.php?page=apm) tool (just 110kb) will also show you all DLLs in a process (and even let you load/unload directly) :)

Pilli
September 21st, 2004, 03:18 AM
Thanks for the reminder about APM Wayne ;D

Starrob
September 21st, 2004, 03:51 AM
Right now, I am finding that some programs load the procguard DLL but others won't for some reason on my computer. Programs that loaded the DLL were Port Explorer and PREVX.

My firewall would not load it (I suspect it has its own protection), my antivirus would not load it, TDS3 would not load it, Adaware would not load it, Spybot would not load it.

I just tried loading the procguard DLL into Adaware using APM with Processguard turned off and it would not load.

All of this is not too important as I am just playing around to see the capabilities of APM and PG v3. PREVX was the one I really wanted the "close message handling" on. I suspect my antivirus and firewall can take care of itself as they are password protected.

The one thing I am concerned about is I am able to suspend and freeze the GUI of all my applications that have windows using the suspend feature in APT. I can even freeze the GUI of my firewall and antivirus. I suspect that the underlying programs of AVs, ATs and FWs are well protected but their Window GUI programs are not and can be frozen. On my computer, Processguard V3 is not stopping this. I never tested this on version 2. I wish I had, but it is too much of a pain to switch back, especially since I like PG v3 better. Is this happening with anyone else?


Starrob

Andreas1
September 21st, 2004, 04:36 AM
-{ Quote: "The one thing I am concerned about is I am able to suspend and freeze the GUI of all my applications that have windows using the suspend feature in APT. I can even freeze the GUI of my firewall and antivirus. I suspect that the underlying programs of AVs, ATs and FWs are well protected but their Window GUI programs are not and can be frozen. On my computer, Processguard V3 is not stopping this. I never tested this on version 2. I wish I had, but it is too much of a pain to switch back, especially since I like PG v3 better. Is this happening with anyone else?" }-

On my comp. I've tested this only with one app but there PG prevented the target from being suspended. Can you specify what OS you are running and what settings (general options and security options for the resp. target/"victim" program) you have (I'm on W2k.) ?

Andreas

Starrob
September 21st, 2004, 05:29 AM
-{ Quote: "On my comp. I've tested this only with one app but there PG prevented the target from being suspended. Can you specify what OS you are running and what settings (general options and security options for the resp. target/"victim" program) you have (I'm on W2k.) ?

Andreas" }-

XP sp1
Adaware
Protect application from termination, modification
authorized to modify, read protected applications
securely handle windows closure

Starrob

Andreas1
September 21st, 2004, 05:42 AM
I suppose you don't have APT listed with modify privileges, have you :-X ::) ?
then I'm afraid it's up to someone else to shed light on this one

Thanks for the details, nonetheless
Andreas

Starrob
September 21st, 2004, 05:23 PM
-{ Quote: "I suppose you don't have APT listed with modify privileges, have you :-X ::) ?
then I'm afraid it's up to someone else to shed light on this one

Thanks for the details, nonetheless
Andreas" }-


Yes, I did. In the learn mode, APT was given modify privileges. I guess I missed that one. Everything is working perfectly now. It works better than v2 on my computer.



Starrob

Starrob
September 21st, 2004, 05:48 PM
Whoops... I spoke too soon. I am able to get the Close Message Handling to work better, but I am still able to freeze programs' interfaces using the suspend feature in APT.

I might email in to find out if I am doing something wrong.



Starrob

Frieza
September 21st, 2004, 06:01 PM
I have Proxomitron added to my Process Guard V3 protection list with Termination and Modification protection.

Advanced Process Termination has not been added to the protection list and has no privileges.

Worryingly, I am able to suspend Proxomitron as well as other protected processes with no alert from Process Guard. I am even able to suspend the Process Guard GUI (procguard.exe).

Process Guard V3 prevents all of the other termination attempts so perhaps there is a problem with suspend/resume.

frogfoot
September 21st, 2004, 06:03 PM
Same here. All termination halted (except 7 and 8, which require CMH) but I can suspend all protected programs.
Tom

Starrob
September 21st, 2004, 06:55 PM
-{ Quote: "I have Proxomitron added to my Process Guard V3 protection list with Termination and Modification protection.

Advanced Process Termination has not been added to the protection list and has no privileges.

Worryingly, I am able to suspend Proxomitron as well as other protected processes with no alert from Process Guard. I am even able to suspend the Process Guard GUI (procguard.exe).

Process Guard V3 prevents all of the other termination attempts so perhaps there is a problem with suspend/resume." }-


I guess this is not just a problem with my computer then.




Starrob

Andreas1
September 22nd, 2004, 07:38 AM
So, frogfoot and Frieza, are you on XP as well? (Which SP?)
(Feeling a bit awkward to ask you this, knowing that I won't be able to learn anything helpful out of your answers, but maybe Jason will...)

TIA,
Andreas

frogfoot
September 22nd, 2004, 11:58 AM
XP Pro SP2 here

Pilli
September 22nd, 2004, 12:15 PM
Hi Frogfoot, I'll give suspend a go here a bit later on my SP2 box, but it was OK with the previous beta.

Pilli

Starrob
September 22nd, 2004, 12:21 PM
XP HOME sp1 for me


Starrob

nick s
September 22nd, 2004, 12:38 PM
APT suspends Proxomitron and other protected apps here as well. XP Pro SP2.

Nick

Frieza
September 22nd, 2004, 05:36 PM
Windows XP Pro SP2 here as well.

Jason_DiamondCS
September 23rd, 2004, 12:24 AM
Thread suspension is going to be added before the final, it is missing from this current build.
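Until a build with thread-suspension protection ships, the condition the thread describes (a protected program whose every thread has been suspended, so its GUI is frozen while the process still appears in the task list) can at least be detected. The script below is an added example, not code from the thread or from DiamondCS; the process names are placeholders, and it uses the per-thread state that Task Manager does not show but Process Explorer does:

```powershell
# Added example (not from the thread): flag processes whose threads are all
# in the Wait state with reason Suspended, which is what a suspend-style
# termination tool leaves behind. Process names are placeholders; replace
# them with the programs on your Process Guard "Protect" list.
param([string[]]$ProcessName = @('proxomitron', 'procguard'))

function Get-SuspendedState {
    param([System.Diagnostics.Process]$Process)
    $threads = @($Process.Threads)
    # WaitReason may only be read when ThreadState is Wait (it throws
    # otherwise), so the -and below must stay in this order.
    $suspended = @($threads | Where-Object {
        $_.ThreadState -eq [System.Diagnostics.ThreadState]::Wait -and
        $_.WaitReason  -eq [System.Diagnostics.ThreadWaitReason]::Suspended
    })
    [pscustomobject]@{
        Name      = $Process.ProcessName
        Id        = $Process.Id
        Threads   = $threads.Count
        Suspended = $suspended.Count
        # A healthy GUI program idles with threads in Wait/UserRequest, not
        # Suspended; only an all-suspended process counts as frozen.
        Frozen    = ($threads.Count -gt 0 -and $suspended.Count -eq $threads.Count)
    }
}

$results = foreach ($name in $ProcessName) {
    Get-Process -Name $name -ErrorAction SilentlyContinue |
        ForEach-Object { Get-SuspendedState -Process $_ }
}
$results | Format-Table -AutoSize
```

Run it from a scheduled task or a second shell while testing; a `Frozen` row of `True` reproduces the Proxomitron and procguard.exe result reported above without needing to click on the window. Thread state is read through the same Windows thread-enumeration interface that Process Explorer uses, so a self-protecting firewall or antivirus that blocks that access will simply show zero threads rather than a frozen state.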