View Full Version : ProcessGuard v3.xxx Suggestions / Wishlist
Jason_DiamondCS
November 3rd, 2004, 02:13 AM
A new thread for suggestions and wish-list ideas. :)
AJohn
November 3rd, 2004, 02:14 AM
I would like the learning mode to apply to everything PG protects and I also think an install mode is needed. Something else I would like is the ability to not use a skin at all. The skin that comes with it is nice and all, but I feel that it should be optional. One more thing... I think there should be separate check boxes for Blocking new/changed applications.
Pilli
November 3rd, 2004, 04:51 AM
Import and export of the Protection & Security lists. Or maybe this could be rolled into a "Save my settings" menu item ;D
Cheers. Pilli ;D
AJohn
November 3rd, 2004, 05:02 AM
Something else that would be nice is a feature similar to "Track 'n' Reverse" in Tiny Personal Firewall.
stevenestrada
November 3rd, 2004, 07:57 AM
How about a readme explaining what the new release is and a painless way to import our exclusion lists.
Pilli
November 3rd, 2004, 08:07 AM
Jason's release notes:
http://www.wilderssecurity.com/showthread.php?t=53018 post 2 :)
See my post above regarding the lists.
Cheers Pilli
rdsu
November 3rd, 2004, 08:45 AM
Reduce the RAM used by Process Guard...
Pilli
November 3rd, 2004, 09:06 AM
Hi VaMPiRiC_CRoW, If you have noticed a gradual rise in RAM usage of procguard.exe that's easy to fix: simply close the GUI, re-open the GUI and the normal RAM usage will be restored. I believe this is to do with the alert list logging; the logfile.txt will still catch any events whilst the GUI is closed and, of course, providing protection is enabled then it is still active with the GUI closed.
HTH Pilli :)
se7engreen
November 3rd, 2004, 09:17 AM
I second AJohn's suggestion for an Install Mode.
gottadoit
November 3rd, 2004, 11:08 AM
-{ Quote: "We will start a new wish list thread for the next version features you guys want. This one will be closed so take any of the newer requests you had to the new thread.
From other PG 3.x wishlist thread that was just closed (http://www.wilderssecurity.com/showpost.php?p=290672&postcount=159)
" }-
Jason,
Why would we need to bring any of the newer requests to the new thread?
Presumably you have seen them and have considered whether any of them are worthwhile or feasible for implementation already?
For what it's worth:
multiple profiles that can also be imported and exported
advanced mode with :
fine grained knobs that we can twiddle [ie: explicit control of the different types of global hooks, including the "low level" ones]
ability to allow execution based on parent process name and flags (and child process flags as well)
flexible logging - text file logs are so 1990's : eventlog & off host logging (snmp traps, syslog, http method etc)
allow log file to be moved to arbitrary directory
Not really sure about the need for this but it would put PG in the same competition space with other anti-keyloggers and anti-screen scrapers
have an option to stop programs reading from windows that they don't own (ie: screen scraping)
It would be interesting to hear your reasoning if/why this isn't required.
You may already do this, but it would be nice to get some feedback every week or three on which of the requested features have made it into the "to be considered list"
Thanks
richrf
November 3rd, 2004, 11:23 AM
Hi Jason,
For what it is worth,
1) Depending upon your target market, I think there needs to be a much better user manual with examples that will guide users in determining what settings should be used given different types of programs. I have reviewed your program, and it does appear to be excellent. However, I have no idea how to manage the settings and since I do not want to get myself in trouble using settings that I am not clear about, I have decided to wait a while before purchasing the product so that I can watch this forum as others raise questions and in this manner figure out how to use the product. I think a user manual would be far more efficient than this piece-meal approach, but unfortunately, it is the only way I can go right now. In the past, I have used software with inadequate documentation (such as registry cleaners) and have gotten myself into lots of trouble by hitting the enter key a bit too quickly. :-\
2) A full-version evaluation period. The free version unfortunately does not allow for the testing of key facilities that could cause conflicts on my system. Lacking a full-version evaluation product, I would recommend a 30-day money back guarantee along the lines that BOClean offers.
I would put myself in the knowledgeable - but not skilled user - and therefore this is the type of pre-purchase information that I am looking for. Thanks for asking.
Rich
LuckMan212
November 3rd, 2004, 10:54 PM
I would like to be able to tell PG to never permanently add .exe's/.tmps that are launched from my desktop or from the Local Settings\Temp folders. These are typically apps that I am installing, and I am finding I spend a fair bit of time "pruning and trimming" my PG protection/security lists removing references to these "one time events"
example, I downloaded a new version of Firefox installer 1.0RC2. It has a unique MD5 hash and a unique filename, winds up on my desktop and I launch it.
YES of course I want PG to block this and alert me asking if I want to run it BUT no sense it adding it to any permanent list, as the installer will only be run once and then thrown away never to be seen again. No sense in cluttering up the GUI with apps that will never run again. Makes it harder to see the "real" stuff you are protecting.
comments?
sick0
November 4th, 2004, 12:39 PM
-{ Quote: "I would like to be able to tell PG to never permanently add .exe's/.tmps that are launched from my desktop or from the Local Settings\Temp folders. These are typically apps that I am installing.
YES of course I want PG to block this and alert me asking if I want to run it BUT no sense it adding it to any permanent list, as the installer will only be run once and then thrown away never to be seen again.
comments?" }-
i think that will happen only when you are in learning mode as it will automatically add any programs you launch into the Protection Tab. if you are not in learning mode anymore, you will be alerted to any program you launch if it is not in its lists yet as well as the options of allowing it to permanently allow or block. it will be included in your Security Tab but not in your Protection Tab....
as for the wish list.....
option not to use a skin...
user guide or a pre-configured settings for some of the most popular appz that needs extra settings...
MEGAFREAK
November 4th, 2004, 06:29 PM
I miss the PG2 look with colors, my favorite dark color has gone away.
The List was perfect. I like much more the PG2 look with the actionbox.
On the whole PG2 was much better in the look, maybe you should create a design switch/option between pg2 design and pg3 design.
Also I think it is much more useful for unskilled people to get a possibility to test the capabilities of the whole program, as a time limited demo maybe.
Jason_DiamondCS
November 4th, 2004, 10:15 PM
-{ Quote: "I would like to be able to tell PG to never permanently add .exe's/.tmps that are launched from my desktop or from the Local Settings\Temp folders. These are typically apps that I am installing, and I am finding I spend a fair bit of time "pruning and trimming" my PG protection/security lists removing references to these "one time events"
example, I downloaded a new version of Firefox installer 1.0RC2. It has a unique MD5 hash and a unique filename, winds up on my desktop and I launch it.
YES of course I want PG to block this and alert me asking if I want to run it BUT no sense it adding it to any permanent list, as the installer will only be run once and then thrown away never to be seen again. No sense in cluttering up the GUI with apps that will never run again. Makes it harder to see the "real" stuff you are protecting.
comments?" }-
It is a fair point and something will most likely be done about this in the future builds. When I am programming and making new builds all the time it also pops up quite regularly so it can get quite annoying.
Most likely a "safe" area will be able to be setup where anything run from that directory will never be checked by ProcessGuard's execution protection. Since the area is "configurable" by the user no malicious software will be able to determine where the area is and so it shouldn't represent a threat to security. Obviously if a user starts putting things like the Desktop or C:\ in the "safe" area it will lead to problems, but since it would be an advanced feature I think the user could live with the problems they create. :)
In regards "items run once" which are added to the list, the reason they are added to the list is so you can now check with history when each application was last started. For instance if you have a child on your computer you will be able to find out all the programs they have run whilst they have been on it. I find it not too hard to prune the security list just by sorting by the date and removing all the "old" entries. Though maybe a button which pruned your list for you would be a good thing to have.
Mr.Blaze
November 4th, 2004, 10:23 PM
It kicks ass, I don't want it ever to change, mine works perfectly ;D
siliconman01
November 5th, 2004, 02:26 AM
I agree with Mr. Blaze. DCS has fully met/exceeded my expectations on PG V3.0.
I'm ready to turn it over to my brother who has limited experience with computers and see how it integrates into his capabilities to manage.
For non users of the forum routine, it would seem appropriate to have a "Check for PGM Update" feature in the Help menu.
AJohn
November 5th, 2004, 02:31 AM
Yes that is something that I didn't think about, but an option to automatically check for updates would be nice for people who can't always use their web browser.
Paranoid2000
November 5th, 2004, 05:41 AM
-{ Quote: "I would like to be able to tell PG to never permanently add .exe's/.tmps that are launched from my desktop or from the Local Settings\Temp folders. These are typically apps that I am installing, and I am finding I spend a fair bit of time "pruning and trimming" my PG protection/security lists removing references to these "one time events"" }-While I can understand the reasoning behind this request, this could in my view be a critical compromise of system security. While installers do run programs in the Temp folder, so do many program macros - allowing such execution by default would remove any protection PG may otherwise provide against malicious scripts or ActiveX controls.
Instead, make it easier to delete all "Permit Once"/"Deny Once" entries in the Protection list - or just don't list them at all! (I personally can't see the point in having them displayed since all this tells you is that you will be prompted again).
As for PG logging, I would also like to see more control over the information displayed in Alerts (an option to list all Allowed actions like PG2 along with the use of colour to highlight Blocked actions).
The ability to launch anti-virus/anti-trojan scanners to check any file reported as modified by Execution Protection is one feature I've mentioned before - but worth repeating. Ideally, this should be able to accommodate multiple scanners (your typical PG user seems to have 5 or 6 of the things anyway ;D) with each being run in turn (to avoid file contention).
Secure Message Handling - add an option to exclude child windows for a protected application (to avoid getting multiple HID prompts when responding to any popup dialogs like Outpost's Rules Wizard for example).
ProcGuard currently only works if run under an Administrator user - I would like to be able to run this under other users also without having to use "Run As" (perhaps allow "permitted" users to be specified which could have view or modify access to ProcGuard to avoid abuse).
Finally, how about shutdown protection? Since so much malware requires a system restart to take effect, having this intercepted and trapped by PG would give a further indication if malware ever got executed on a system. Legitimate restart/logout requests could either be confirmed by HID or handled by a Logout/Shutdown button on ProcGuard itself (but then ProcGuard would definitely need to be runnable by non-Admin users). This would allow PG to intercept WM_ENDSESSION messages (which I understand are not currently handled so could be used to terminate an application).
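The "safe area" Jason floats above (a directory whose contents are never checked by execution protection) and Paranoid2000's objection to it (macros and scripts also run things out of Temp) are easier to weigh with a concrete policy in hand. The following is an added example written for this thread, not ProcessGuard's own code, and it models a much simpler policy than PG's: a SHA-256 allowlist keyed by file content, "once" decisions that are deliberately not recorded, an optional safe-area prefix that is checked before anything else, and the "sort by date and prune" clean-up Jason describes. The paths, file contents and the `ask` callback standing in for the user prompt are all constructed for the walk-through.

```python
"""Toy execution-control policy: hash allowlist, one-off decisions, a 'safe area' and date-based pruning."""
import hashlib
import ntpath
from datetime import datetime, timedelta


class ExecutionPolicy:
    def __init__(self, safe_areas=(), now=datetime.now):
        self.entries = {}          # sha256 -> {"path", "decision", "last_run"}
        self.now = now             # injectable clock so the demo is deterministic
        # Trailing separator so "...\Temp" does not also match "...\Temp2".
        self.safe_areas = [self._norm(p).rstrip("\\") + "\\" for p in safe_areas]

    @staticmethod
    def _norm(path):
        # Windows path rules: backslashes, '.'/'..' resolved, case-insensitive.
        return ntpath.normpath(path.replace("/", "\\")).lower()

    def in_safe_area(self, path):
        p = self._norm(path)
        return any(p.startswith(area) for area in self.safe_areas)

    def check(self, path, image_bytes, decide):
        """decide(path, digest) stands in for the user prompt and returns
        'permit', 'deny', 'permit_once' or 'deny_once'."""
        if self.in_safe_area(path):
            # Safe area: no hash lookup, no prompt, nothing recorded. This is the
            # weakness Paranoid2000 points at: whatever lands here runs unchecked.
            return "allow", "safe area, hash not checked, nothing recorded"
        digest = hashlib.sha256(image_bytes).hexdigest()
        entry = self.entries.get(digest)
        if entry is not None:
            entry["last_run"] = self.now()
            return ("allow" if entry["decision"] == "permit" else "block"), "known hash"
        verdict = decide(path, digest)
        if verdict not in ("permit", "deny", "permit_once", "deny_once"):
            raise ValueError(f"bad decision {verdict!r}")
        if verdict in ("permit", "deny"):     # *_once decisions are deliberately not persisted
            self.entries[digest] = {"path": path, "decision": verdict, "last_run": self.now()}
        return ("allow" if verdict.startswith("permit") else "block"), f"prompted: {verdict}"

    def prune(self, older_than_days):
        """Drop entries not run within the window; returns how many were removed."""
        cutoff = self.now() - timedelta(days=older_than_days)
        stale = [h for h, e in self.entries.items() if e["last_run"] < cutoff]
        for h in stale:
            del self.entries[h]
        return len(stale)


# Constructed paths for the walk-through below (hypothetical XP-style profile).
DESKTOP = r"C:\Documents and Settings\user\Desktop"
TEMP = r"C:\Documents and Settings\user\Local Settings\Temp"


def demo_scenario():
    clock = {"t": datetime(2004, 11, 5, 9, 0)}
    policy = ExecutionPolicy(safe_areas=[TEMP], now=lambda: clock["t"])
    prompts = []

    def ask(path, digest):            # stands in for the user; records what was prompted for
        prompts.append(path)
        return "deny"

    obs = {}
    obs["installer"] = policy.check(DESKTOP + r"\FirefoxSetup.exe", b"MZ-installer", lambda p, h: "permit_once")
    obs["recorded_after_once"] = len(policy.entries)
    obs["tool"] = policy.check(r"C:\Program Files\Tool\tool.exe", b"MZ-tool", lambda p, h: "permit")
    payload = b"MZ-unknown"
    obs["dropped_in_temp"] = policy.check(TEMP + r"\~tmp1\payload.exe", payload, ask)
    obs["prompted_for_temp"] = any(p.startswith(TEMP) for p in prompts)
    obs["same_bytes_on_desktop"] = policy.check(DESKTOP + r"\payload.exe", payload, ask)
    clock["t"] += timedelta(days=45)
    obs["tool_again"] = policy.check(r"C:\Program Files\Tool\tool.exe", b"MZ-tool", ask)
    obs["pruned"] = policy.prune(older_than_days=30)
    obs["remaining"] = [e["path"] for e in policy.entries.values()]
    return obs


if __name__ == "__main__":
    for k, v in demo_scenario().items():
        print(f"{k}: {v}")
```

Two things the walk-through makes visible: a "permit once" on the installer leaves the list untouched, which is the clutter-free behaviour LuckMan212 asked for without a safe area; and the very same bytes that are blocked on the Desktop are run silently from Temp, because the safe-area prefix is consulted before the hash is ever looked up. Note also that the prefix is compared with a trailing separator and on a normalised path, so `Temp2` and `Temp\..\Desktop` do not slip into the exemption.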
AJohn
November 5th, 2004, 05:56 AM
-{ Quote: "Instead, make it easier to delete all "Permit Once"/"Deny Once" entries in the Protection list - or just don't list them at all! (I personally can't see the point in having them displayed since all this tells you is that you will be prompted again).
As for PG logging, I would also like to see more control over the information displayed in Alerts (an option to listed all Allowed actions like PG2 along with the use of colour to highlight Blocked actions).
The ability to launch anti-virus/anti-trojan scanners to check any file reported as modified by Execution Protection is one feature I've mentioned before - but worth repeating. Ideally, this should be able to accommodate multiple scanners (your typical PG user seems to have 5 or 6 of the things anyway ) with each being run in turn (to avoid file contention).
Secure Message Handling - add an option to exclude child windows for a protected application (to avoid getting multiple HID prompts when responding to any popup dialogs like Outpost's Rules Wizard for example).
ProcGuard currently only works if run under an Administrator user - I would like to be able to run this under other users also (perhaps allow "permitted" users to be specified which could have view or modify access to ProcGuard to avoid abuse)." }-
I think those are excellent ideas and should be implemented ASAP.
As for the shutdown protection idea, I think that is good also, it would be nice to be able to add a secure shutdown item to the desktop/icon/taskbar.
Wisher
November 6th, 2004, 04:27 PM
Here's why:
I know that most people leave Learning Mode on during the beginning, but learning mode isn't very safe at all, and Process Kill shows this.
While in learning mode, if Process Kill gets added into Process Guard's Security settings, it will be given access to modify and read protected programs.
This means that even if you turn off learning mode, Process Kill will be able to kill ProcessGuard and other security programs to go along with it unless you manually disallow access to modify and read protected programs for the demo.
This brings up an important issue. Shouldn't users be given a balloon dialog box similar to Look 'n' Stop or ZoneAlarm whenever a process starts, so that users can choose what security privileges a process gets when added to ProcessGuard's program list in learning mode?
If not, then programs like Process Kill can be extremely critical when ProcessGuard is in learning mode.
Here is another weird effect in learning mode that can happen.
Try this:
1. Make sure you are in Learning mode
2. Remove CSRSS.exe from ProcessGuard's Protection List
3. Open up Command Prompt window
4. Try to Close Command Prompt Window
(Note: ProcessGuard should successfully block CSRSS.exe from closing the program.)
5. Now try to Close Command Prompt Window again.
If learning mode is on, ProcessGuard will now have given CSRSS.exe the ability to close the window.
Now, I don't know if this is good or bad. But I do know that Learning mode is definitely something to be aware of.
If ProcessGuard is too lenient in learning mode, a dangerous attack could occur. If it's too strict, learning mode becomes useless. All I can suggest for this is to implement a feature to have system pause and show a pop-up box allowing users to configure the programs as they are added to ProcessGuard's list. Maybe you can call it "User Mode" instead of "Learning Mode"...
I can only hope that it gets implemented soon before problems start appearing.
AJohn
November 6th, 2004, 05:44 PM
"User Mode" sounds like a good idea. Maybe there could be User Mode, Learning Mode, Track Mode and Install Mode?
Peter2150
November 6th, 2004, 07:57 PM
Hi Wisher
The point you raise is exactly why you need to be perfectly sure your system is clean before installing ProcessGuard. During beta testing we did a significant number of uninstalls and reinstalls and there was never a problem.
In my case I know my system was clean, my antivirus was running, my firewall was up, and my spyware stuff was running. Also I was probably in learning mode around 5 to 7 minutes.
What I do is after the initial reboot, while in learning mode, I open every program I want to protect. Just open it and immediately close it. I can run thru everything quickly. Then I immediately reboot. This catches a few additional startup items. Then immediately reboot, and learning mode is off.
I just don't see this as a big issue unless you are already infected, and then yes you end up permissioning the nasty.
Pete
gottadoit
November 7th, 2004, 12:12 PM
-{ Quote: "Hi Wisher
The point you raise is exactly why you need to be perfectly sure your system is clean before installing ProcessGuard.
.....
I just don't see this as a big issue unless you are already infected, and then yes you end up permissioning the nasty.
Pete" }-
Peter,
Not everyone is (or wants to be) a PC security expert, nor do they want to reformat and re-install their machines (in order to be "perfectly sure")
Wisher has brought up a fairly significant point and a confirmation mode would be really useful. The UI designers for PG must have considered this already, simply because it is in all the other products. For the average end user simple tends to be better, but just like cars, some people like automatics and others prefer gears. Something else for expert mode....
Your point that the machine needs to be clean prior to starting is not something that has been added in "big red letters" to the install procedure. Until the support chaps or developers at DiamondCS think that this is something worth promoting as a pre-requisite for the product to work at its best then the majority of users probably won't be doing a reinstall
A rebuild was something that I considered doing but I just don't have the time, so I've had to put up with less than "perfectly sure" and hope that TDS3 and my AV and other anti-malware catch up with any nasties that might be lurking around without me knowing about them
One thing that could potentially be useful to see if your install is "clean" is to compare checksums on the common windows components with a known baseline from a trusted source. There might already be something out there that does checksums and comparisons, but the difficulty is getting updated checksums from a trusted source every time an MS patch comes out
Seeing as PG keeps checksums on programs it sounds like it wouldn't be a particularly onerous task (for DiamondCS staff) to write a small app to make use of this information in creative ways (import/export/compare). Something useful that doesn't need to be lumped into PG but could be used by people that have purchased PG. If the "export" and "import" functions also captured the "updates" that have been installed on the computer that would help identify if the checksums might be suitable
If such a thing happened it probably wouldn't be too long before "trusted" members of the forum had posts with checksums from machines that they knew (or at least thought) to be clean. Given that MS now release patch updates at regular intervals it would be fairly easy to label the checksum listings
In terms of expecting DiamondCS to do something like this it seems a little unlikely (unless its already planned for TDS-4), but it would be very useful and work quite nicely in tandem with PG3
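The checksum baseline gottadoit describes above (hash the Windows components, label the listing with the patch level, compare against a copy from a trusted source) is straightforward to build with standard tooling. The following is an added example for this thread, not a DiamondCS utility and not PG's own list format: it hashes every regular file under a directory (so DLLs are covered as well as EXEs), exports the result as labelled JSON, and reports what is modified, missing or new relative to a stored baseline. The directory tree, file contents and the patch-level label in `demo_scenario` are constructed for the demonstration.

```python
"""Build, export and compare a SHA-256 baseline of a directory tree."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, label):
    """Hash every regular file under root; paths are stored relative and with '/'."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                      # skip links and devices, hash only real files
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = sha256_file(full)
    return {
        "label": label,                       # e.g. OS version plus the patches applied
        "created": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }


def export_baseline(baseline, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def import_baseline(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two baselines: same path but different hash, gone, or not seen before."""
    old, new = baseline["files"], current["files"]
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "missing": sorted(p for p in old if p not in new),
        "added": sorted(p for p in new if p not in old),
    }


def demo_scenario():
    """Constructed scenario: baseline three files, then patch one, drop one, add one."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "system32")
        os.makedirs(sysdir)
        originals = {"svchost.exe": b"MZ-svchost", "kernel32.dll": b"MZ-kernel32", "notepad.exe": b"MZ-notepad"}
        for name, body in originals.items():
            with open(os.path.join(sysdir, name), "wb") as f:
                f.write(body)
        base_path = os.path.join(root, "baseline.json")     # kept outside the hashed tree
        export_baseline(build_baseline(sysdir, "XP SP2 plus hotfixes as of 2004-11 (constructed label)"), base_path)

        with open(os.path.join(sysdir, "svchost.exe"), "ab") as f:
            f.write(b"-tampered")
        with open(os.path.join(sysdir, "dropper.exe"), "wb") as f:
            f.write(b"MZ-dropper")
        os.remove(os.path.join(sysdir, "notepad.exe"))

        return compare(import_baseline(base_path), build_baseline(sysdir, "now"))


if __name__ == "__main__":
    print(json.dumps(demo_scenario(), indent=2))
```

The hard part, as the post says, is not the hashing but the provenance of the baseline: a listing is only as trustworthy as the machine and the patch level it was taken from, which is why the label and creation time travel with the file. Comparing against a baseline taken on the same box after it was already suspect tells you only what changed since then, not whether it was clean.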
Devinco
November 7th, 2004, 12:33 PM
You could make a "Pro Version" of Process Guard that would include a customizable registry monitor. This may be easier to expand the registry keys monitored within PG rather than create a separate "Registry Guard". (I think I saw a company use that name for their registry monitor so you may want to call it something else). The Registry Monitor should allow customizable keys and include all the keys standard in this Registry Monitor Comparison thread (http://www.wilderssecurity.com/showthread.php?t=32823).
There are marketing benefits to both ways (separate Registry Guard product and "Pro Version" of PG).
Peter2150
November 7th, 2004, 08:17 PM
Hi Gottadoit
While I agree a lot of folks don't want to be security experts, unfortunately, just as you can't drive a car without learning some basics I am afraid you also have to do that with PC security.
I certainly wouldn't recommend everyone reformat and reinstall. If someone has been running a firewall, av/at and spyware protection, then if they do new scans and show clean, I'd say they have a high probability of being clean. On the other hand if they have no firewall, no security software, then they have work to do before installing ProcessGuard.
Lastly, the idea of DCS maintaining a database of checksums, and having a utility to certify your machine clean. I would surmise this is very very unlikely. First of all you can buy machines from different manufacturers and get slightly different flavors of Windows. Plus you would have to not only monitor Windows but everything on all machines. Some things, I fear, people just have to take responsibility for doing themselves.
Peter2150
November 7th, 2004, 08:21 PM
Hi Devinco
I think having ProcessGuard monitor the registry is redundant. Stop and think about it. You install PG on a machine you feel sure is clean. You trust everything on your computer, and are comfortable with everything your trusted software does. You now have PG configured. Your only concern in something modifying the registry would be an unknown program doing something you don't want. With all PG protections in place how could the program begin to do that?
Pete
AJohn
November 7th, 2004, 10:33 PM
I am against PG monitoring the registry; it is not the purpose of it. DiamondCS has Reg Prot for that which is freeware and works great.
Wisher
November 8th, 2004, 01:48 AM
Knowing your computer is 100% clean of any malicious software is rare. The only case I can think of is when you've started with a fresh system and remembered never to connect to the internet and never give anyone but yourself access to the system (assuming that you even trust yourself).
For most people, having all of DiamondCS's utilities is probably the safest you can get to perfect.
However, I feel others who may not have the perfect security solution, should know that Learning Mode can be dangerous in cases where they have hidden trojans, etc. This is why I feel the Learning mode should either be changed or another mode created in order to control what privileges a randomly starting program (that can potentially be harmful) has.
I forgot what mode ProcessGuard starts out with, but if learning mode is on by default, that is also a concern. Maybe it should be off...
I also had another less important feature wish I forgot to mention.
I understand ProcessGuard was intended to protect a computer from viruses/trojans but what about malicious people?
ProcessGuard's Secure Message Handling system won't protect against an average joe user wishing to shut down a vital security process (assuming that this vital process didn't have a password protection feature). So why not add an additional process-password protection feature? It would be nice if it could store different passwords for different processes.
I just wish ProcessGuard could protect process from more ends, that's all.
AJohn
November 8th, 2004, 03:10 AM
I would like to say that the DCS Team has done a great job so far, but there is always room for improvements.
In an attempt to group this messy thread together somewhat, I created a brief summary of the requests made so far:
1. Learning mode off by default
2. Learning mode to apply to everything
3. Import and export of the Protection & Security lists/Save My Settings
4. Simple way to import exclusion lists
5. Install Mode
6. Importable multiple profiles
7. "explicit control of the different types of global hooks, including the "low level" ones"
8. "ability to allow execution based on parent process name and flags (and child process flags as well)"
9. "flexible logging - text file logs are so 1990's : eventlog & off host logging (snmp traps, syslog, http method etc)"
10. "allow log file to be moved to arbitrary directory"
11. "have an option to stop programs reading from windows that they don't own (ie: screen scraping)"
12. Ability to not use a skin
13. Safe area
14. Automatic updates
15. Ability to delete all "Permit Once"/"Deny Once" entries in the Protection list or not even log them
16. More control over the information displayed in Alerts
17. "ability to launch anti-virus/anti-trojan scanners to check any file reported as modified by Execution Protection"
18. Option to exclude child windows for a protected application from Secure Message Handling
19. Ability to allow permitted users, not just Administrator
20. Shutdown protection
21. Dialog box where user can specify security privileges per application while in learning mode (User/Confirmation Mode)
22. Customizable registry monitor
23. Baseline of Windows updates
Hope I did not miss any.
It would be nice if someone from the DiamondCS team could update us on the current status of these requests every now and then and provide details on why not/when.
I numbered the requests for easy reference.
Peter2150
November 8th, 2004, 11:37 AM
-{ Quote: "Knowing your computer is 100% clean of any malicious software is rare. The only case I can think of is when you've started with a fresh system and remembered never to connect to the internet and never give anyone but yourself access to the system (assuming that you even trust yourself).
For most people, having all of DiamondCS's utilities is probably the safest you can get to perfect.
However, I feel others who may not have the perfect security solution, should know that Learning Mode can be dangerous in cases where they have hidden trojans, etc. This is why I feel the Learning mode should either be changed or another mode created in order to control what privileges a randomly starting program (that can potentially be harmful) has.
I forgot what mode ProcessGuard starts out with, but if learning mode is on by default, that is also a concern. Maybe it should be off...
I also had another less important feature wish I forgot to mention.
I understand ProcessGuard was intended to protect a computer from viruses/trojans but what about malicious people?
ProcessGuard's Secure Message Handling system won't protect against an average joe user wishing to shut down a vital security process (assuming that this vital process didn't have a password protection feature). So why not add an additional process-password protection feature? It would be nice if it could store different passwords for different processes.
I just wish ProcessGuard could protect process from more ends, that's all." }-
Saw a quote on another forum that pretty much covers what you are asking for here. It went along the lines that all the security software put together gives you about 1% protection. The other 99% lies between the ears.
Now that may be an extreme, but if you leave your computer, and security is a problem, then somehow it should be secured. It doesn't make sense to me to bloat up a program to try and prevent some things from being run, when if someone can get to your computer, that really is a marginal solution.
Notok
November 8th, 2004, 02:19 PM
One thing I would like to see is for PG to have a (small) database of the locations of critical system files.. so if an alert for C:\Windows\svchost.exe comes up, it would alert the user that 'this is probably not the Windows system file and is suspicious', advising the user to deny that process and do some scanning. I think this is something that would be especially valuable for slightly less savvy users, but also advanced users during dumb moments :)
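Notok's "C:\Windows\svchost.exe is probably not the Windows system file" check is a small table lookup once the path is normalised the way Windows sees it. The following is an added example for this thread, not PG code and not a vendor-published file list: it keeps a short table of where a handful of well-known system executables live, normalises the alert path (case, slashes, `..`), and returns a verdict. It goes one step past the post by also flagging names that are a single edit away from a system file name (a transposition or a digit-for-letter swap), since that is the other common way a dropper borrows a system file's credibility. The table contents are illustrative and should be checked against your own build.

```python
"""Sanity-check the path in an execution alert against where Windows keeps that binary."""
import ntpath

# Directories in which these well-known system executables are expected to live.
# Illustrative table only (assumed XP-style layout); extend or correct it for your build.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "csrss.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "smss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def classify_alert(path):
    """Return (verdict, message) for the executable path shown in an alert."""
    # Normalise as Windows would: backslashes, '.'/'..' resolved, case-insensitive.
    norm = ntpath.normpath(path.replace("/", "\\")).lower()
    directory, name = ntpath.split(norm)
    if name in EXPECTED_DIRS:
        if directory in EXPECTED_DIRS[name]:
            return "ok", f"{name} is running from an expected location"
        return ("suspicious",
                f"{name} is a Windows system file name but {directory} is not where Windows keeps it; "
                f"expected one of {sorted(EXPECTED_DIRS[name])}")
    close = [known for known in EXPECTED_DIRS if osa_distance(name, known) == 1]
    if close:
        return "lookalike", f"{name} differs from system file {close[0]} by one edit"
    return "unknown", f"{name} is not in the system-file table"


if __name__ == "__main__":
    for p in (r"C:\Windows\svchost.exe", r"C:\WINDOWS\System32\svchost.exe",
              r"C:\Windows\System32\..\svchost.exe", r"C:\Windows\System32\scvhost.exe"):
        print(p, "->", classify_alert(p))
```

The `..` case is why normalisation comes first: a path that reads as living under System32 can still resolve to `C:\Windows`, and a plain string comparison on the raw alert text would pass it.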
Devinco
November 8th, 2004, 03:04 PM
-{ Quote: "Hi Devinco
I think having ProcessGuard monitor the registry is redundant. Stop and think about it. You install PG on a machine you feel sure is clean. You trust everything on your computer, and are comfortable with everything your trusted software does. You now have PG configured. Your only concern in something modifying the registry would be an unknown program doing something you don't want. With all PG protections in place how could the program begin to do that?
Pete" }-
Hi Pete,
I did think about it. While registry protection is not as critical as the process protection PG provides, it is still useful to protect the registry from unwanted modification. For example, people using IE (a trusted app) could end up running an activeX component (or other active content) that could modify the registry. PG would not stop this from happening. Things like the drive by downloads should not be allowed to modify the registry. Sure you can harden the browser or use an alternative, but some form of registry monitor/protection would be good, IMO.
Whether a separate registry guard or integrated into a PG pro version, I (and many others here at Wilder's) would be very interested in registry protection (just look at the Registry Monitor Comparison Thread). It is a perceived need in the market (as well as having practical application) and that need can be filled by DCS or by other companies.
Reg Prot while nice (and free) is not sufficient. It does not allow for customizable keys and is therefore limited in its scope of protection. It also does not provide adequate info about the reg change either. I stopped using it a while ago.
richrf
November 8th, 2004, 03:40 PM
Hi,
One thing I have become acutely aware of is how non-integrated products can step on each other, creating system instabilities that are extremely difficult to recover from. This I think may be particularly so with "registry monitors" that may be conflicting with each other and the algorithms that they utilize. For me, a single, integrated process may be more secure and also more stable.
For example, last week I had Prevx running alongside PG 3.0. I am not sure how or why, but my registry got completely corrupted causing instability in my system and many programs - including ZoneAlarm Pro. This problem underscored, for me, an issue that I was very sensitive to when I used to work on mainframe computers and PC networks in large corporations: the issue of cross-software testing. Many products available for PC security are released in a relatively untested fashion (KAV 5.0 comes to mind) and any inherent problems are further exacerbated by two such pieces of software. It is a difficult problem to resolve.
So after completely restoring XP, I have reloaded a minimal set of security products which include ZA Pro, KAV 4.5. 104, and BOClean. Three programs which have been around a long time and are fairly stable. The other security programs - including any registry monitor - will be benched for the time being. I will run them on demand when I need them - e.g. TDS-3, Giant, Ewido - but given the fact that I was losing my system more often because of "trusted" programs than to viruses or trojans, I have decided to step back and become even more conservative in my surfing behavior, allowing me to become more conservative in the security software that I feel I need to deploy. Once I get an image copy procedure in place, I may feel a bit more comfortable extending myself again.
Rich
Peter2150
November 8th, 2004, 05:18 PM
Hi Devinco
I see what you are saying, but still I think it's better to let ProcessGuard guard processes, and deal with the other threats differently. Quite by accident, when I added PopUpCop to IE, I discovered I had also added excellent ActiveX and drive-by download protection.
Richrf's comments about many different apps stepping on each other can be quite valid. But some of the new security suites have the same problem when they try to do it all in one program.
Notok
November 9th, 2004, 06:10 AM
It would be nice if PG would apply settings to system files automatically (like in v2), then hide them from the list, with a check box to toggle hiding (like add/remove programs in XP SP2.) I think this would make it easier for the user to just focus on the security of their chosen apps.
gottadoit
November 9th, 2004, 08:08 AM
Rolling along in the list of improvements...
Firstly a question on how the application change is implemented: is it just a checksum on the binary being executed or does it also include checks on any DLLs that the process loads?
The enhancement request :
Increased information should be available when a changed application is executed. The "Extra Information" displayed at the moment is somewhat bare when it comes to making a decision. Company Name and File Size isn't really enough to make a decision
It would be good to be able to click on something to get a "verbose" comparison of the properties both before and after. This would require PG to save the properties...
And if DLLs are also being compared (which I hope is true) then they would also need their property information stored
Andreas1
November 9th, 2004, 11:48 AM
-{ Quote: "And if DLLs are also being compared (which I hope is true) then they would also need their property information stored" }-
They're not. - Another one for the wishlist, but there will have to be a clever way of avoiding high resource loads and an even more clever learning mode to register all the legitimate dlls in the first place....
gottadoit
November 9th, 2004, 12:01 PM
-{ Quote: "Hi Gottadoit
<snip>
Lastly the idea of DCS maintaining a database of checksums, and have a utility to certify your machine clean. I would surmise this is very very unlikely. First of all you can buy machines from different manufacturers and get slightly different flavors of windows. Plus you would have to not only monitor windows but everything on all machines. Some things, I fear, people just have to take responsibility for doing themselves." }-
Peter,
Maybe I didn't express myself eloquently enough in my post...
The idea being expressed was to allow the DCS software checksums to be used in a different way to what has already been provided by the DCS PG3 developer(s). It would be a useful tool for people that are willing to invest time in obtaining and using the checksums (and potentially sharing the results with others).
The suggestion was not made that DCS would provide and/or maintain a database of checksums. I also think that would be highly unlikely to happen and think that it is unreasonable to ask of DCS given the variations in non-core components.
In my post I suggested that it was possible that people would use this feature when interacting on the forums
For people that use Windows Update and keep their machine up to date with the latest MS patches the "core" windows components are limited to Win 2000, XP and 2003. 3 sets of checksum data isn't really a huge set of variations.
Its a pity that there isn't something like http://www.knowngoods.org/ for Windows (if anyone else knows of something feel free to speak up...)
As luck would have it, whilst looking around I found something that looks like it does something along the lines of what I am asking for and is open source (a nice bonus), although no GUI yet so it's not likely to have a big Windows installed base
http://osiris.shmoo.com/index.html
It didn't take much effort to setup and I guess I will see how useful it is over the coming weeks
The main reason to have the checksum functionality included with PG3 and/or TDS-4 is to make it easier to support people (including self-support).
By just considering checksums for programs in the protection list it is eliminating a lot of potential noise; even using those in the security list wouldn't add too much noise (if the run-once executables could be excluded, seeing as at least some of these are likely to be temp files from installs, unless you are like Jason and carefully go through and prune it by hand...)
Once PG3 is installed and running, there is a self-maintaining list of executables to check; there is no need to perform any special actions to keep the list up to date and that is a good way to minimise the information collected and checked to things that are significant.
Peter2150
November 9th, 2004, 12:09 PM
-{ Quote: "Rolling along in the list of improvements...
Firstly a question on how the application change is implemented: is it just a checksum on the binary being executed or does it also include checks on any DLLs that the process loads?
The enhancement request :
Increased information should be available when a changed application is executed. The "Extra Information" displayed at the moment is somewhat bare when it comes to making a decision. Company Name and File Size isn't really enough to make a decision
It would be good to be able to click on something to get a "verbose" comparison of the properties both before and after. This would require PG to save the properties...
" }-
I believe it is just a checksum comparison. The information that PG shows now is what is available in the exe file itself. Just curious as to where you think PG (or DCS) would get this verbose information on how many different exe files there are out in the world. Do you have any idea what it would take to store all this.
This is where the computer between the ears comes in. I upgraded my Zone Alarm last night. Therefore no surprise that PG would show that the exe's have changed and I simply allowed them. Don't need any more info. On the other hand if I make no changes I am aware of and something pops up as changed, then I as the user need to investigate. To expect PG to give you a detailed explanation of why there was a change is just not realistic.
There is another piece of software, Abtrusion Protector, whose sole function is the same as PG's execution protection. One difference is it does also check DLLs and other forms of binary executables. BUT... it is a much larger program, takes more resources as there is constant activity as parts of the program communicate with each other, it takes an hour to install as it has to catalog all the files, and in the end does nothing more than PG does. It simply tells you something changed. No more detail than you get from PG.
Defenestration
November 9th, 2004, 12:43 PM
Couple of minor points:
1) It's not possible to create a QuickLaunch icon for PG during installation. TDS has this option.
2) The Security List does not automatically refresh (i.e. you have to switch tabs before it is updated, which is not ideal).
gottadoit
November 9th, 2004, 12:58 PM
-{ Quote: "I believe it is just a checksum comparison. The information that PG shows now is what is available in the exe file itself. Just curious as to where you think PG(or DCS) would get this verbose information on the how many different exe files there are out in the world. Do you have any idea what it would take to store all this.
<snip>." }-
Peter,
I was referring to the information that you see by doing a "properties" on a file
Nothing overly complex or non-local to the machine that PG is running on...
gottadoit
November 9th, 2004, 01:19 PM
-{ Quote: "I would like to say that the DCS Team has done a great job so far, but there is always room for improvements.
In an attempt to group this messy thread together some I created a brief summary of the request made so far:
<snip>
8 ability to allow execution based on parent process name and flags (and child process flags as well)"
<snip>
I numbered the requests for easy reference." }-
Sigh, after poking around a bit more I found that I am basically asking for PG to have the program control features of SSM.
Have a read here (http://www.wilderssecurity.com/showpost.php?p=282971&postcount=127) in a registry monitor comparison thread (of all things)
For anyone interested that doesn't already know about it System Safety Monitor (homepage) (http://maxcomputing.narod.ru/ssme.html?lang=en)
It's been mentioned in this forum before (by Pilli I think) and elsewhere on Wilders; it's an alternative on Win 95/98/ME machines where PG3 won't run
Downloadable from Zeroplus2 freeware site (http://zeroplus2.tripod.com/av3.html) or Freeware4u site (http://freeware4u.com/modules/mydownloads/singlefile.php?lid=204)
One thing that would make me less inclined to use SSM is that it is still in Beta and doesn't have the support that PG3 does.
DCS do a good job with their support and responsiveness from everything that I have seen, not to mention the excellent support (and commentary) from everyone else on this forum.
Paranoid2000
November 9th, 2004, 03:28 PM
-{ Quote: "...there will have to be a clever way of avoiding high resource loads and an even more clever learning mode to register all the legitimate dlls in the first place...." }-This was an issue with Outpost which has a Component Control feature that does check DLLs. To reduce the performance overhead, only the DLL headers, filesize and export data are checksummed so maybe this could be a useful halfway point? (see the Outpost forum MD5 Checksum Security Problem (http://www.outpostfirewall.com/forum/showthread.php?t=11030) thread for more on this).
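Added example (not ProcessGuard or Outpost code) showing the halfway point Paranoid2000 describes: hashing only the PE headers, the file size and the export data, next to a plain SHA-256 of the whole file, so the trade-off is visible. The sample DLL is built in memory with struct.pack and is not a real or loadable module. The layout it parses (DOS header, COFF header, optional header, section table, export directory) is the standard PE format; exactly which bytes Outpost feeds into its checksum is not stated in this thread, so "SizeOfHeaders bytes + file size + export directory bytes" is an assumption.

```python
"""Header-only vs. full-file hashing of a PE image.
Added example, not ProcessGuard or Outpost code. The sample DLL is
constructed in memory with struct.pack and is not a loadable module."""
import hashlib
import struct

DOS_HEADER_SIZE = 64
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
OPTIONAL_HEADER_SIZE32 = 224      # PE32 optional header incl. 16 data directories
SECTION_HEADER_SIZE = 40
FILE_ALIGNMENT = 512


def build_sample_dll(export_names: bytes, code: bytes) -> bytes:
    """Minimal PE32 DLL with one section holding the export directory,
    its name table and some code bytes (constructed test input)."""
    raw = DOS_HEADER_SIZE + 4 + COFF_HEADER_SIZE + OPTIONAL_HEADER_SIZE32 + SECTION_HEADER_SIZE
    size_of_headers = -(-raw // FILE_ALIGNMENT) * FILE_ALIGNMENT   # round up to alignment
    section_rva, section_raw = 0x1000, size_of_headers
    # IMAGE_EXPORT_DIRECTORY (40 bytes); Name RVA points just past the directory
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, section_rva + 40, 1, 1, 1, 0, 0, 0)
    export_blob = export_dir + export_names
    body = export_blob + code
    body += b"\0" * (-len(body) % FILE_ALIGNMENT)
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, DOS_HEADER_SIZE)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, OPTIONAL_HEADER_SIZE32, 0x2102)
    opt = bytearray(OPTIONAL_HEADER_SIZE32)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 60, size_of_headers)                  # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, section_rva, len(export_blob))   # DataDirectory[0] = exports
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), section_rva, len(body),
                       section_raw, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + PE_SIGNATURE + coff + bytes(opt) + sect
    return headers + b"\0" * (size_of_headers - len(headers)) + body


def parse_pe(data: bytes):
    """Return (SizeOfHeaders, [(va, size, raw_ptr)], export_rva, export_size)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 60)[0]
    if data[pe:pe + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    dirs = opt + (108 if magic == 0x20B else 92)     # NumberOfRvaAndSizes: PE32+ vs PE32
    ndirs = struct.unpack_from("<I", data, dirs)[0]
    exp_rva, exp_size = struct.unpack_from("<II", data, dirs + 4) if ndirs else (0, 0)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * SECTION_HEADER_SIZE
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((va, max(vsize, rawsize), rawptr))
    return size_of_headers, sections, exp_rva, exp_size


def rva_to_offset(sections, rva: int) -> int:
    for va, size, rawptr in sections:
        if va <= rva < va + size:
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def partial_digest(data: bytes) -> str:
    """Shortcut: headers + file size + export data only. Cheap, but blind to
    any change inside the section bodies."""
    size_of_headers, sections, exp_rva, exp_size = parse_pe(data)
    h = hashlib.sha256(data[:size_of_headers])
    h.update(struct.pack("<Q", len(data)))
    if exp_size:
        off = rva_to_offset(sections, exp_rva)
        h.update(data[off:off + exp_size])
    return h.hexdigest()


def full_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare(a: bytes, b: bytes) -> dict:
    return {"partial_same": partial_digest(a) == partial_digest(b),
            "full_same": full_digest(a) == full_digest(b)}


ORIGINAL = build_sample_dll(b"Sample.dll\0", b"\x90" * 32)
CODE_PATCHED = build_sample_dll(b"Sample.dll\0", b"\xcc" * 32)     # same size, code body changed
EXPORT_PATCHED = build_sample_dll(b"Other.dll\0\0", b"\x90" * 32)  # export name table changed

if __name__ == "__main__":
    print("code patched:  ", compare(ORIGINAL, CODE_PATCHED))
    print("export patched:", compare(ORIGINAL, EXPORT_PATCHED))
```

Patching the code bytes leaves the partial digest unchanged while the full digest differs; changing the export name table is caught by both. That is the price of the shortcut: a modified DLL that keeps its headers, size and export table intact passes a header-only component check.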
Andreas1
November 9th, 2004, 06:23 PM
-{ Quote: "This was an issue with Outpost which has a Component Control feature that does check DLLs. To reduce the performance overhead, only the DLL headers, filesize and export data are checksummed so maybe this could be a useful halfway point? (see the Outpost forum MD5 Checksum Security Problem (http://www.outpostfirewall.com/forum/showthread.php?t=11030) thread for more on this)." }-
yes, something like that could be a reasonable approach. I've not yet thought that much about it. One other point to consider, apart from the performance overhead, would be IMHO that there will be plenty of difficulties and complexities in getting a baseline in the first place. That's why I was wondering if it would take a(nother) learning mode to register all those dlls and simply assume they're all legit.
Looking forward to how the saga continues...
Andreas
PS. 8) Maybe there are plans in the works to have an on-access memory module scanner in tds-4 which would help somewhat. Or something along those lines. And which would be a reason for DCS not pursuing this in the PG context. But I really don't know, and actually don't want to raise a discussion about tds-4. ::)
Peter2150
November 9th, 2004, 10:55 PM
-{ Quote: "yes, something like that could be a reasonable approach. I've not yet thought that much about it. One other point to consider, apart from the performance overhead, would be IMHO that there will be plenty of difficulties and complexities in getting a baseline in the first place. That's why I was wondering if it would take a(nother) learning mode to register all those dlls and simply assume they're all legit.
" }-
That is exactly what Abtrusion Protector did on install. It assumed all exe, dll, and other binary executable files were okay. It then went ahead and did an SHA checksum. On my system it took about 45 minutes to do the install.
Jo M
November 10th, 2004, 05:06 AM
Hi, I had a problem yesterday with a process which Port Explorer picked up on, which had no file name and, when I set it to show file path, had no file path either. It caused me a bit of panic, but all seems OK now.
Port Explorer was only able to give me the Process ID and port numbers being used etc. However on looking into Process Guard (and Zone Alarm Security Suite) I could find no information about process ID's, or any way of relating this info to programs or files, or any entry in the help file. So I was left blind.
8) It would be nice if Process Guard (and Zone Alarm) gave me the info about process ID's for programs. 8)
In this case it would have been most useful on the protection tab as the anonymous process was being protected by Process Guard and I merely wanted to check out if it should be protected or perhaps blocked! It would probably also be useful on the Security tab too
I'm afraid I don't know enough to know if the Process ID stays the same on different sessions? But even if difficult to achieve it would still be very useful and enable more information/control over wayward (and badly programmed?) applications!
Process Guard is Great:- but things can always get better! ;D
Regards Jo M
Andreas1
November 10th, 2004, 05:37 AM
Hi Jo M,
-{ Quote: "
8) It would be nice if Process Guard (and Zone Alarm) gave me the info about process ID's for programs. 8)
...
I'm afraid I don't know enough to know if the Process ID stays the same on different sessions? But even if difficult to achieve it would still be very useful and enable more information/control over wayward (and badly programmed?) applications!" }-
Unfortunately the PIDs are assigned by the OS whenever a new process starts, so, while there is a certain order there (processes that start later have higher PIDs), there's still no way to predict a PID for a given process or vice-versa.
You can see the PID of a process that triggered an event (attempted to install a global hook, to terminate another process, start another process etc) in PG's textfile logs (click "View Logfiles" in the Alerts Tab):
Wed 03 - 11:09:45 [DRIVER/SERVICE] c:\programme\tools\sysinternals\procexp.exe [860] Tried to install a driver/service named PROCEXP
Wed 03 - 11:10:19 [EXECUTION] "c:\programme\tools\xpt\2004\memview.exe" was allowed to run
[EXECUTION] Started by "c:\programme\tools\shell\blackbox\blackbox.exe" [284]
[EXECUTION] Commandline - [ "c:\programme\tools\xpt\2004\memview.exe" ]
But I agree that there is room for improvement - the PIDs of the processes that are starting could be logged (and not only their "parents"), and those PIDs could make an appearance in the "alerts tab" directly (and not only in the logfiles). (Unfortunately it doesn't make any sense to have PIDs in the protection or security lists.)
HTH,
Andreas
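Added example, not DiamondCS code: a small parser for the logfile.txt lines Andreas quotes, pulling out the PID of the acting process, the parent's path and PID, and the command line, which is the information Jo M was after. The line format is inferred from those four sample lines only (a timestamped header line followed by "[EXECUTION]" continuation lines), so other PG builds or other event types may need the patterns adjusted.

```python
"""Pull PIDs and parent/child relations out of ProcessGuard logfile.txt lines.
Added example, not DiamondCS code; the format is inferred from the four
sample lines quoted in the post above."""
import re
from dataclasses import dataclass
from typing import List, Optional

# The exact lines quoted in the post (German Windows install, "programme" folder)
SAMPLE_LOG = r"""
Wed 03 - 11:09:45 [DRIVER/SERVICE] c:\programme\tools\sysinternals\procexp.exe [860] Tried to install a driver/service named PROCEXP
Wed 03 - 11:10:19 [EXECUTION] "c:\programme\tools\xpt\2004\memview.exe" was allowed to run
[EXECUTION] Started by "c:\programme\tools\shell\blackbox\blackbox.exe" [284]
[EXECUTION] Commandline - [ "c:\programme\tools\xpt\2004\memview.exe" ]
"""

HEADER_RE = re.compile(r"^(?P<ts>\w{3} \d{2} - \d{2}:\d{2}:\d{2}) \[(?P<cat>[^\]]+)\] (?P<rest>.*)$")
PARENT_RE = re.compile(r'Started by "(?P<path>[^"]+)" \[(?P<pid>\d+)\]')
CMDLINE_RE = re.compile(r"Commandline - \[ (?P<cmd>.*) \]$")


@dataclass
class Event:
    timestamp: str
    category: str
    path: str
    pid: Optional[int]            # None when PG logged no PID for the actor
    action: str
    parent_path: Optional[str] = None
    parent_pid: Optional[int] = None
    commandline: Optional[str] = None


def split_actor(rest: str):
    """Split '<path> [pid] <action>' or '"<path>" <action>' into its parts."""
    if rest.startswith('"'):
        end = rest.index('"', 1)
        path, tail = rest[1:end], rest[end + 1:].lstrip()
    else:
        path, sep, tail = rest.partition(" [")   # unquoted paths carry the PID right after them
        tail = "[" + tail if sep else ""
    m = re.match(r"\[(\d+)\]\s*(.*)$", tail)
    if m:
        return path, int(m.group(1)), m.group(2)
    return path, None, tail


def parse_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            path, pid, action = split_actor(m["rest"])
            events.append(Event(m["ts"], m["cat"], path, pid, action))
            continue
        if not events:
            raise ValueError(f"continuation line before any event: {line!r}")
        current = events[-1]                     # continuation lines belong to the last event
        if (p := PARENT_RE.search(line)):
            current.parent_path, current.parent_pid = p["path"], int(p["pid"])
        elif (c := CMDLINE_RE.search(line)):
            current.commandline = c["cmd"]
    return events


def pid_table(events: List[Event]) -> dict:
    """Map every PID the log mentions (actor or parent) to its image path."""
    table = {}
    for ev in events:
        if ev.pid is not None:
            table[ev.pid] = ev.path
        if ev.parent_pid is not None:
            table[ev.parent_pid] = ev.parent_path
    return table


def started_without_pid(events: List[Event]) -> List[str]:
    """Execution events whose new process got no PID in the log: the gap noted
    above, since only the parent's PID is recorded."""
    return [ev.path for ev in events if ev.category == "EXECUTION" and ev.pid is None]


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for pid, image in sorted(pid_table(EVENTS).items()):
        print(f"PID {pid:>5}  {image}")
    print("started, PID not logged:", started_without_pid(EVENTS))
```

Run against the sample, the table resolves 860 to procexp.exe and 284 to blackbox.exe, and memview.exe shows up in the "started, PID not logged" list, which is exactly the missing piece Andreas points out.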
gottadoit
November 10th, 2004, 10:12 AM
-{ Quote: "<snip>One other point to consider, apart from the performance overhead, would be IMHO that there will be plenty of difficulties and complexities in getting a baseline in the first place. That's why I was wondering if it would take a(nother) learning mode to register all those dlls and simply assume they're all legit." }-
The whole problem of having a "baseline" is one that simply cannot be solved without significant effort being expended on an ongoing basis (which normally implies costs..) and more importantly that you *trust* a single source to not be compromised and be able to keep its information up to date
If people are interested in finding out whether a particular dll or set of DLLs are compromised and they are running PG then it could become easy for someone to ask and provide some context [O/S ver + patches] and md5 hashes for the exe's and DLLs concerned (sounds a bit like provide some HiJackThis output...)
The number of kind people on the forum would probably have a look (if they had equivalent O/S installs) and help out. After a while a forum search would probably provide the hash that people were looking for without having to make a post. Once several trustable people have provided the same hash value it becomes more likely that it is probably clean (or that they are all infected...)
It all works by consensus and trust and costs nothing as long as a handful of people participate every now and then. It does assume that posts on this forum are not compromised so that the posted md5 checksums could be altered. Even that would be self-correcting to some degree because the next person to check would think that they were trojan'ed and several ppl would check again...
My 2c
[Edit: ZoneAlarmPro also has in its Program Options an "Authenticate components" for detecting changed DLLs, so it's not just Outpost that does it]
Jo M
November 10th, 2004, 11:05 AM
Thanks Andreas,
I've found those Process IDs in the log files. That's good. :)
But I still think that it is important that they are somewhere in the GUI too (which you agreed).
It could be in the protection or security tabs:- as a field that only has content for active processes.
This would have the added benefit of making it immediately obvious which processes are running currently. (yes I know that info is available using TDS's Process List and other ways, but it would be useful here in Process Guard too). The only downside I can see to this would be using up more RAM and processor time. But I could spare a little more out of 1Gb for something as important as Process Guard!
Regards Jo M
Jo M
November 10th, 2004, 11:16 AM
I know that the helpfile says that learning mode takes some time to get Process Guard set up just right.
BUT I for one don't want to keep Learning Mode on for long and certainly not at all when I'm "on line"!!
I think that Learning Mode is of limited value, since it is essentially a great big hole in the Defence the whole time it is on.
I feel strongly that Process Guard should be preconfigured with the basics for Windows. It just gives the feel of a lack of professionalism given that it is not.
To have to either:-
1) leave Learning Mode on and then DO absolutely everything that can be done on your PC and then turn Learning Mode off is VERY VERY TEDIOUS! as well as being unsafe if you then forget to turn Learning Mode off!
2)To set it up the other way and respond to constant alerts as each function you use is blocked is the safer way. But it is also very tedious if you have to do this for loads of BASIC WINDOWS ABSOLUTE ESSENTIALS!
I have no problem with needing to set up the various applications that I have installed on the PC. Fine everyone has different needs and different applications. You CAN'T set that up for us!!!
But:-
the Windows Help System? All the kinds!
resuming after a Power Saving event? with block new and changed apps setting:- very nasty - needed a hard reset!!
the Taskmanager?
logon.scr?
defrag.exe?
dfrgfat.exe
etc
Can these not be preset? Other security software does preset configuration for basic Windows stuff. I don't think it is good enough to say that everybody's machine is different. All indications show that XP is here for the long haul! That means that you only have to preset for XP, sp1, sp2, NT and 2000! I for one don't think that is so much to ask!
An added benefit of having presets for basic Windows stuff (with a clear flag indicating that they are presets) is that it would be more difficult for bogus applications to pose as legitimate windows functions and fool the more gullible! If it didn't have that flag then it isn't ms windows! Given that any security software is only as secure as the n.. person who uses it, this cannot be irrelevant ("as Process Guard can't be beat") Just imagine a user (without TDS 3) who gives a Trojan permission to run thinking that it's windows cause it says
;D "I'm very safe to run.bill.gates.exe.vbs.pif" ;D
or says in the Properties box
;D "Đ Microsoft Corporation. All rights reserved." ;D
These Windows presets would need to be changeable by the user! It wouldn't be good to force acceptance of any service or server that MS wishes to foist on us! But most of these could better be stopped elsewhere (or removed with XPlite!)
Then there is all the other DCS software!
It really feels unprofessional for Process Guard not to be preset for the other DCS software, including various TDS 3 scans!!! (I could state this a lot less tactfully but I'd better not!)
Process Guard is Great, just let down by this a bit. :'(
Regards Jo M
Pilli
November 10th, 2004, 11:49 AM
Hi gottadoit, -{ Quote: "[Edit: ZoneAlarmPro also has in its Program Options an "Authenticate components" for detecting changed DLLs, so it's not just Outpost that does it]" }-
I think you will find that ZA, Sygate & OP2 all do a very limited look at changed .dlls but by no means all of them.
As to what .dlls they check I have no idea :-\
Cheers. Pilli
DigitalMan
November 10th, 2004, 11:49 AM
My $ 0.02:
I would like a persistent password for the lock feature in PG full. When I lock it, thinking I have everything configured correctly and then need to respond to an alert, after unlocking it to make a change I need to double enter a new password again just to lock it. Maybe I'm missing something but this is pretty tedious - can we make the PWD persistent and offer a "change password" checkbox if we're worried about PWD security?
Suggested change to the "PG" tray icon color scheme:
Alert = red (same as now)
Learning = blue (change from green)
Enabled = green (change from blue)
Reason: Green = on, good, no problem, etc. to me and blue has no defined meaning, so I think blue is a better "learning mode" color and green a better "its on and working; everything's fine" color.
Definitely would like to be able to save/export/import all of the protection and security settings. After a couple of uninstalls/reinstalls (due to another problem app, not PG) the "schooling" of PG is pretty tedious.
gottadoit
November 11th, 2004, 12:15 AM
-{ Quote: "Hi gottadoit,
I think you will find that ZA, Sygate & OP2 all do a very limited look at changed .dlls but by no means all of them.
As to what .dlls they check I have no idea :-\
Cheers. Pilli" }-
Pilli,
Thanks for the info, I haven't tried Sygate
I suppose we could check easily enough using Filemon if we really wanted to know what files were being checked (unless it is being done by a file open intercept so it doesn't look like different behaviour...)
gottadoit
November 11th, 2004, 03:14 AM
-{ Quote: "<snip>
I think that Learning Mode is of limited value, since it is essentially a great big hole in the Defence the whole time it is on.
I feel stongly that Process Guard should be preconfigured with the basics for Windows. It just gives the feel of a lack of professionalism given that it is not.
<snip>
3) who gives a Trojan permission to run thinking that it's windows cause it says
;D "I'm very safe to run.bill.gates.exe.vbs.pif" ;D
or says in the Properties box
;D "Đ Microsoft Corporation. All rights reserved." ;D
<snip>" }-
Jo,
Couldn't agree more with regards to having the "ability" to have presets, although I think learning mode would be hard to do without
It's debatable as to the need for DCS to supply them with the product as they *will* change over time and that just dates what they distribute (and makes it less likely for them to implement some form of solution).
One thing that is missing more than having a preset list is a compilation of all the good advice given on the forum about what to (or not to) allow programs do. It would be very useful if there was a way to organise what is being posted into a list of programs with links to the various threads
I also agree that simply displaying the company name from the executable is not nearly sufficient to base a decision on. It's nice to see someone else making the point as well. It's not like you can leave the dialog there (or move it aside) and go and investigate for yourself then click "ok" later on...
The whole point of having profiles that can be exported and imported is to allow that part of the user community that wants presets or shared config across machines to have the functionality without imposing our preferences on anybody else
If the checksums are also exported and checkable then you can do an initial check, see that the checksums are ok then import a baseline list for the common components. Along the way people are very likely to learn just how much different vendors customise various little bits in the OEM installs (when various checksums don't match and there are more/less files than expected)
As many people have said before, security comes from how you approach what you do on the computer
Having the ability to check what you are doing and compare with others is a convenient and repeatable way to do that based on verifiable information
Gavin - DiamondCS
November 11th, 2004, 04:10 AM
ProcessGuard DOES come preconfigured with the default processes you need to run Windows - services.exe, winlogon.exe, svchost.exe and more !
It can't come preconfigured for everybody, that's just not possible. The list of known programs for it to check if you have would be many MB. Even then it would miss things..
Jason_DiamondCS
November 11th, 2004, 04:31 AM
I might add, if I haven't already, we are planning an application database for the ProcessGuard website, which will be compiled from our beta testers, forum members, and us.
The database will list which flags specified applications need and also a short description if needed.
Jo M
November 11th, 2004, 06:05 AM
-{ Quote: "ProcessGuard DOES come preconfigured with the default processes you need to run Windows - services.exe, winlogon.exe, svchost.exe and more !
It can't come preconfigured for everybody, that's just not possible. The list of known programs for it to check if you have would be many MB. Even then it would miss things.." }-
I have just added two to my current list of important but basic Windows functions which have been blocked by PG
the Windows Help System All the kinds!
resuming after a Power Saving event, very nasty!
logon.scr
defrag.exe
dfrgfat.exe
sysocmgr.exe
mmc.exe
etc
;D I'm not asking you to preset all of everybody's software. I HAVE MADE THIS QUITE CLEAR! ;D
I am asking, and I still think that this is the MINIMUM to be considered Professional:-
::) That each and every *.exe, *.com, service and every potential process from any of the Microsoft Windows versions supported should be preconfigured. ::)
::) That each and every *.exe from the DiamondCS stable be preconfigured ::)
EVERYTHING ELSE is the customer's responsibility! This includes all printers, modems, scanners... i.e. ALL peripherals with their own software and drivers (even if included within Windows) and ALL extra software that the customer loads.
The Database which Jason mentions would be very helpful, not strictly required to be called professional, but certainly giving lots of extra "professional Points" !!!
Don't make excuses, just get properly professional
Khaine
November 11th, 2004, 06:58 AM
What I would like to see :
- Start using SHA-256 / SHA-512 as a replacement for MD5, as MD5 is starting to crack at the seams
-DLL Hashing
-Force a check of all hashes, and alert you of the changed / deleted ones
-A way to get ProcessGuard to update all of the hashes which have changed
-A way to get ProcessGuard to remove the hashes of programs that cannot be found
-A way to backup settings / lists and migrate them with little effort
- Greater control over each function, i.e. only allow the loading of a certain driver etc.
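Added example, not ProcessGuard code, covering the mechanics asked for in gottadoit's earlier request (a before/after comparison of file properties when a changed application is detected) and in Khaine's list above (SHA-256 instead of MD5, force a check of all hashes, update only the ones you accept, drop the ones whose files are gone). It runs over ordinary files in a temporary directory as stand-ins for the .exe entries of a protection list; it does not intercept execution the way PG does, and the stored properties (size, mtime) are the ones chosen here, not what PG records.

```python
"""Checksum baseline for an execution-protection list: SHA-256 plus file
properties, verified later with a before/after report, refreshed only for
accepted changes, and pruned of files that no longer exist.
Added example, not ProcessGuard code; runs on constructed stand-in files."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Set


def file_record(path: Path) -> dict:
    """SHA-256 of the content plus the properties worth showing in an alert."""
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mtime": int(st.st_mtime)}


def build_baseline(paths: Iterable[Path]) -> Dict[str, dict]:
    return {str(p): file_record(p) for p in paths}


def verify(baseline: Dict[str, dict]) -> dict:
    """Re-hash every baselined file. Changed entries carry both records, so the
    alert can show what differed rather than only that something did."""
    report = {"changed": {}, "missing": [], "ok": []}
    for p, before in baseline.items():
        path = Path(p)
        if not path.is_file():
            report["missing"].append(p)
            continue
        after = file_record(path)
        if after["sha256"] == before["sha256"]:
            report["ok"].append(p)
        else:
            report["changed"][p] = {"before": before, "after": after}
    return report


def refresh(baseline: Dict[str, dict], report: dict, accept: Set[str]) -> Dict[str, dict]:
    """New baseline: accepted changes take the new record, unaccepted ones keep
    the old one (so they keep alerting), missing files are dropped."""
    new = dict(baseline)
    for p in report["missing"]:
        new.pop(p, None)
    for p, diff in report["changed"].items():
        if p in accept:
            new[p] = diff["after"]
    return new


def demo() -> dict:
    """Baseline three stand-in executables, upgrade one, remove one, verify, refresh."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        app, helper, old = root / "app.exe", root / "helper.exe", root / "old.exe"
        app.write_bytes(b"MZ original app")        # constructed content, not real PE files
        helper.write_bytes(b"MZ helper")
        old.write_bytes(b"MZ old")
        baseline = build_baseline([app, helper, old])

        app.write_bytes(b"MZ upgraded app!")       # vendor upgrade: same name, new content
        old.unlink()                               # program uninstalled
        report = verify(baseline)
        refreshed = refresh(baseline, report, accept={str(app)})
        changed = report["changed"][str(app)]
        return {
            "changed": sorted(Path(p).name for p in report["changed"]),
            "missing": sorted(Path(p).name for p in report["missing"]),
            "ok": sorted(Path(p).name for p in report["ok"]),
            "refreshed": sorted(Path(p).name for p in refreshed),
            "size_before_after": (changed["before"]["size"], changed["after"]["size"]),
            "app_rehashed": refreshed[str(app)]["sha256"] == changed["after"]["sha256"],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>18}: {value}")
```

The "changed" entry carries both records, which is the verbose before/after view asked for; the operator decides per path whether the new hash is adopted, and anything not accepted keeps alerting on the next check.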
Paranoid2000
November 11th, 2004, 07:26 AM
-{ Quote: "the Windows Help System All the kinds!
resuming after a Power Saving event, very nasty!
logon.scr
defrag.exe
dfrgfat.exe
sysocmgr.exe
mmc.exe" }-Windows Help should not need an entry (I have none for it on my setup), nor should MMC. The only processes that require entries to function are those that need to install drivers/services or modify other processes (though of course, you would want to add others like security software and anything allowed Internet access).
Keeping "default" entries to only the critical ones is better in my view and more secure. As for including other DiamondCS programs, this would require the ProcessGuard install to scan the system to identify what was installed and which folder it was in. A further check would then need to be made to ensure that the programs were legitimate (i.e. not trojans named to take advantage of this feature). It's possible, but it would require a fair amount of work on DCS' part.
Andreas1
November 11th, 2004, 08:01 AM
I think maybe different preconfiguration needs should be considered regarding either protection or security list:
I agree on "always allow to run" preconfigured for logon.scr and default.scr, as well as those programs mentioned above, including mmc (although I don't have XP and haven't seen some of them). I would not include the help system, but if it was there, I would like to also have it protected (because some of the help exes can use the internet, either directly or via an IE component).
And I do think that it is an open question as to whether the scheduling service (tskmgr.exe?), the printer spool service, the scanning service should be included or not (and where? protected? or just allowed to run?), since they are MS apps running permanently on lots of systems, but not on all, and they normally can't do much that running malware cannot do by itself already.
Andreas
Peter2150
November 11th, 2004, 08:15 AM
JO and others
Some of the preconfiguration issues are solved by running through some of these things in learning mode. If they don't need other protections, like the help stuff, when you run it the first time you just give it a permit to run always and that's it. If you don't think this is professional, then run Abtrusion Protector, and see what you have to do to install new software.
Also it hit me this morning that your comment that Learning mode is a big weakness because you are not protected just doesn't hold up. When you first learn about PG your system is protected. You have to buy it for protection. So while it is learning true your system still is protected, but you certainly are no worse off then if you didn't discover it. Just requires the same cautions you hopefully were employing before you found it.
Pete
solarpowered candle
November 11th, 2004, 07:39 PM
"trusted installation" would be handy, so that any new software being loaded that we trust will miss the barrage of pop-ups.
nicM
November 11th, 2004, 09:47 PM
Same skins as in PG V.2 would be sooo GREEAAATTTT :P ....
I want my sexy black logs :o back !! *puppy*
;D Cheers
Peter2150
November 11th, 2004, 10:21 PM
-{ Quote: ""trusted installation" would be handy, so that any new software being loaded that we trust will miss the barrage of pop-ups." }-
You already have it. It is called learning mode. Just turn protection off, do the install. Then turn learning mode on and run the program, and all aspects of it. Then turn off learning mode. Bingo
Jo M
November 12th, 2004, 10:23 AM
-{ Quote: "You already have it. It is called learning mode. Just turn protection off, do the install. Then turn learning mode on and run the program, and all aspects of it. Then turn off learning mode. Bingo" }-
What if, like TDS 3, the program has a host of plugins and functions, some of which run from within the main *.exe but most seem to run from separate *.exe's! In this case it is most tedious! Also I don't want to run a trace right now!
I found a better way (till DiamondCS catch on and Preconfigure for the DiamondCS stable). Leave Process Guard in full protection mode
Protection enabled,
Execution Protection enabled
Block New and Changed Applications enabled
Learning Mode (permanently) disabled.
Then click on the various modules. They won't actually run, (so you wont be doing a traceroute that you don't want or anything else that will take up time before you can close it down again)
But the programs WILL be listed in the log of alerts and better than that they WILL be listed on the Security Tab. Scan down and right click on each program that is listed as Denied. Check its file path. If it is what you think it is then change the last action to "Permit always"
This will be both faster and more efficient. It will also be safer. The only problem is if a few of the modules run require special privileges. Then when you actually use that module you will have to go back into the Protection Tab this time and give it the extra privilege required. This will probably add back onto the time a little bit. But this way you are at least more informed about what programs require what privileges.
I HAVE tried both methods! I don't like the Learning Mode method at all! If you have to wait for scans to finish, a module to fully load before you can close it, or have to go through several dialogue boxes before shutting the module down, it does take some time using Learning Mode on a program such as TDS 3!!!
I have said some strong things on this issue. I think that this point of being better informed, and therefore perhaps a safer computer user, is the only advantage to the current situation of BASIC Windows function and DiamondCS products not being properly preset in Process Guard.
Regards Jo M
Peter2150
November 12th, 2004, 12:06 PM
Hi Jo M
Now what you came up with is very clever. :D I can see for some app's that's a lot easier way to go. Thanks for the idea.
I suspect(purely a hunch on my part) that some of the wish list stuff for PG may go on the back burner as I am sure DCS will want to devote it's effort to other programs.
Pete
gottadoit
November 13th, 2004, 09:30 AM
-{ Quote: "ProcessGuard DOES come preconfigured with the default processes you need to run Windows - services.exe, winlogon.exe, svchost.exe and more !
It cant come preconfigured for everybody, thats just not possible. The list of known programs for it to check if you have, would be many MB. Even then it would miss things.." }-
Gavin,
You are of course correct that you can't do everything or cater to everyone
Look at it on the flip side, give us the ability to create and share (export) a bunch of settings that can be imported (either as an addition to the current set or a replacement that discards the current rules)...
Then Jo will create the settings that are being discussed, share them on the forum and that will be the end of the discussion
Someone else will no doubt choose to do the same for other applications (as/when they decide that they want to buy a 25 user pack and roll it out on 25 machines without opening each program on every computer one at a time....)
-{ Quote: " Re: Why Not A Scanner Instead of Learning Mode? (http://www.wilderssecurity.com/showpost.php?p=299251&postcount=5)
<..snip..>3. Just simply start and then stop every program you have.<..snip..>
" }-
This would be a somewhat tedious chore for someone in a medium size organisation to do (assuming that the support person actually knows what the person runs on their PC). I don't know how many companies have purchased 25 licenses (or more), but what you can choose to do at home is harder to justify in larger environments
-{ Quote: "I might add if I havn't already, we are planning an application database for the ProcessGuard website, which will be compiled from our beta testers, forum members, and us.
The database will list which flags specified applications need and also a short description if needed." }-
You could even get fancy and add the ones that you like to the application database that Jason referred to, that would potentially cater for point and click install of settings straight from your webpage
Excellent that you are doing the reference database, will it be open access to everyone or for "paid up" people only ?
It would be good to have a right click "lookup database" for any alert or program so that its all integrated together
For that matter it would be really good to have a "Forum" button on the Main tab to encourage people to come to the forum and learn more about security and share their experiences with the product
Jo M
November 13th, 2004, 09:50 AM
Hi,
just a quick and less controversial one from the pain in the arse!
On the Security tab it would be nice if it auto refreshed whenever you entered the tab. I can't think of a time when I have opened the tab and haven't needed to refresh it straight away to see what I need to know!
Jo M
Jo M
November 13th, 2004, 10:11 AM
Hi,
I like gottadoit's suggestion about right click access to a database, so that any alert can be given proper consideration and correct treatment! Great Idea!
I had another idea if there was more preconfiguration.
Other people are right in saying that different treatment would be required for the protection and security tabs. Yes I wouldn't want to add everything to the protection tab either. It might be unnecessarily complicated and might slow the program down and the PC?
However I would still like all Window's functions preconfigured in the security tab so that they are all "permit always". Plus of course all the DiamondCS stable also preconfigured on the security tab. So that both windows and Other DiamondCS products run without being blocked and without alerts.
Gottadoit is also right about this being MUCH better for any corporation or business use of your products!
However this WOULD clutter up the Security tab quite a lot!!!
8) Solution would be to have three options on the security tab.
1) Main one:- Customer Programs.
2) Windows functions and services.
3) DiamondCS other programs and scans etc etc. 8)
If they were ALL preconfigured then you would not need to open no 2 or 3 much if at all, except for interest!
If the three Windows compatible versions were preconfigured then it might slow down installation somewhat if each one is checked against the database and checked for integrity before being logged onto the security/windows sub-tab. Fine I wouldn't mind the wait! Security is important! It would add yet another raft of intensive checking of the OS, that would enhance the security of the installation! It would be slick and impressive! 8)
Regards Jo M
Jo M
November 14th, 2004, 06:07 AM
-{ Quote: "ProcessGuard DOES come preconfigured with the default processes you need to run Windows - services.exe, winlogon.exe, svchost.exe and more !" }-
I have just upgraded to the new Process Guard 3.050. As far as I can see what you said here is simply not true! Yes Process Guard started in Learning Mode. It had "forgotten" all my previous Settings. (Was that because I had done the uninstall as instructed and deleted those *.dat files?) The processes that populated the protection and security tabs were ONLY the programs and services that autostart on my system. ABSOLUTELY NOTHING ELSE!
So there is NO PRECONFIGURATION HERE! It started with a "blank slate" and relies on "Learning Mode" to do any configuration!
This is not "Pre-configuration"! This is simply and solely "Learning Mode"!
My feelings on "Learning Mode" are already well known! Like its colour its rather green! L. L.. L... L.... "Lazy developer mode"?
Regards Jo M
Pilli
November 14th, 2004, 06:19 AM
Hi Jo M, Learning mode does what it says, pre-configuration is not an option at this time as you well know re. this wish list.
The installation instructions for users are posted here:
http://www.wilderssecurity.com/showthread.php?t=54499 post#2 With explicit instructions for those that wished to keep their V3.000 configuration
Pilli
Jo M
November 14th, 2004, 06:59 PM
Hi Pilli, I am disappointed that I hadn't read Jason's good post before installing 3.050. Especially as the topic would have helped with just the issues I have been addressing! Unfortunately I was following the advice of another moderator!
I have a new definition for learning mode "Let everything run and give everything the privileges it wants mode". Is this not right?
I certainly won't go on the web in that mode, so I will HAVE to manually configure many web programs and tools. I wouldn't want to run in that mode if I had the slightest suspicion that there was anything "on" my machine before install. It can only reasonably be used on a clean PC!
Other than that it does seem to do its job, it allows everything to run and gives every privilege to any program that requests it!
Jo M
Pilli
November 15th, 2004, 02:33 AM
Hi Jo M, I am glad that Learning Mode did as you expected at least.
Whenever we install security programs on our PCs there are risks as you correctly state. Practising Safe Hex is the best way to secure your machine whilst using all the security tools that you can to assist you.
As stated many times here at Wilders, nothing is 100% secure but having a good layered defence makes you a much harder nut to crack :)
Cheers. Pilli
Jo M
November 15th, 2004, 06:23 AM
Hi,
I was pleased to see my suggestion in #69 already in PG 3.050!
Another less controversial suggestion is to do with the Alerts tab.
What is required here mostly is the "deny" messages or notifications that "*.exe tried to gain some hook" or other or "tried to install some service" or other! The plain vanilla "*.exe was allowed to start" is almost not needed?
8) So how about a check box or button for "only the denials of service". If it was a button it could use for its icons:
"All" - for All
"X's" for only the denials of service
with an appropriate description in the balloon help. 8)
;D This would draw attention to the issue better and would help to avoid missing something if your eyes are tired. ;D
8) PG already has the red taskbar icon to inform you of an issue - excellent! - I don't think it does this just for a denial issue? Perhaps it could? Also if there had just been a denial then perhaps it could auto open direct to the "Alerts" tab. I checked this and it doesn't. Now that would be slick! 8)
Regards Jo M
PS I will officially shut up about "preconfiguration" at least for a month or two! I DO like Process Guard. I have just wanted it to be better!
gottadoit
November 16th, 2004, 11:13 AM
Rolling along with the suggestions....
During a boot I got the log entries below in the PG logfile, the issue I have here is that the logfile refers to a process id without telling what the process is
It would be good to make sure that a process was not logged by process id alone without having first given the process name (at some point earlier in the logfile)
I can guess as well as the next person, in this case the process is still running so there was no need to guess
C:\>tasklist /FI "PID eq 2728"
Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
HydraDM.exe 2728 0 2,144 K
The other oddity was the process logged as having been started by "Unknown Process", presumably this is because the parent wasn't there when the child actually started up
That could be solved by logging the process id when a process starts so that we could search backwards in the startup logfile if we really wanted to know
If nothing else it is quite interesting to see exactly what is being started up at boot time
Log Entries
Wed 17 - 00:53:18 [EXECUTION] "c:\program files\ati technologies\hydravision\hydradm.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [520]
[EXECUTION] Commandline - [ "c:\program files\ati technologies\hydravision\hydradm.exe" ]
Wed 17 - 00:53:19 [EXECUTION] "c:\windows\regedit.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\symantec shared\ccpwdsvc.exe" [2680]
[EXECUTION] Commandline - [ regedit.exe /e "c:\program files\common files\symantec shared\ccreg.dat" "hkey_local_machine\software\symantec\ccreg" ]
Wed 17 - 00:53:22 [GLOBAL HOOK] [2728] was blocked from creating a global GetMessage hook
Wed 17 - 00:53:23 [GLOBAL HOOK] [2728] was blocked from creating a global CallWndProc hook
Wed 17 - 00:53:23 [GLOBAL HOOK] [2728] was blocked from creating a global Mouse hook
Wed 17 - 00:53:23 [GLOBAL HOOK] [2728] was blocked from creating a global CBT hook
Wed 17 - 00:53:23 [GLOBAL HOOK] [2728] was blocked from creating a global Call Wndproc Return hook
Also a bit further on I saw
Wed 17 - 01:03:00 [EXECUTION] "c:\program files\symantec\liveupdate\aupdate.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3820]
[EXECUTION] Commandline - [ "c:\program files\symantec\liveupdate\aupdate.exe" ]
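The two complaints in this post (a hook-block entry that names only a PID, and a parent shown as "Unknown Process") and Jo M's earlier wish for an Alerts view that shows only the denials can both be checked offline against logfile.txt. The script below is an added example, not code from the post or from DiamondCS; it assumes only the line format visible in the entries above. The sample log is constructed from those entries plus one extra hook line for PID 2680 (added here so that a resolvable PID appears alongside the unresolvable 2728). It parses each execution record with its "Started by" and "Commandline" lines, remembers every PID the log has named so far, lists the blocked entries, and reports PIDs that were never named before they were referenced.

```python
"""Triage helpers for ProcessGuard logfile.txt entries (added example, not DiamondCS code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: the entries posted above, plus one hook line for PID 2680
# that was NOT in the original log (added so one PID resolves and one does not).
SAMPLE_LOG = r"""
Wed 17 - 00:53:18 [EXECUTION] "c:\program files\ati technologies\hydravision\hydradm.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [520]
[EXECUTION] Commandline - [ "c:\program files\ati technologies\hydravision\hydradm.exe" ]
Wed 17 - 00:53:19 [EXECUTION] "c:\windows\regedit.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\symantec shared\ccpwdsvc.exe" [2680]
[EXECUTION] Commandline - [ regedit.exe /e "c:\program files\common files\symantec shared\ccreg.dat" "hkey_local_machine\software\symantec\ccreg" ]
Wed 17 - 00:53:22 [GLOBAL HOOK] [2728] was blocked from creating a global GetMessage hook
Wed 17 - 00:53:23 [GLOBAL HOOK] [2728] was blocked from creating a global CallWndProc hook
Wed 17 - 00:53:23 [GLOBAL HOOK] [2680] was blocked from creating a global Mouse hook
Wed 17 - 01:03:00 [EXECUTION] "c:\program files\symantec\liveupdate\aupdate.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3820]
[EXECUTION] Commandline - [ "c:\program files\symantec\liveupdate\aupdate.exe" ]
"""

TS = r"(?P<ts>\w{3} \d+ - \d\d:\d\d:\d\d)"
RE_RUN = re.compile(TS + r' \[EXECUTION\] "(?P<image>[^"]+)" was (?P<verdict>allowed|blocked)(?P<detail>.*)$')
RE_PARENT = re.compile(r'^\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<ppid>\d+)\]$')
RE_CMD = re.compile(r'^\[EXECUTION\] Commandline - \[ (?P<cmd>.*) \]$')
# Entries that identify the actor by PID only, e.g. "[GLOBAL HOOK] [2728] was blocked from ..."
RE_PIDEVT = re.compile(TS + r" \[(?P<cat>[A-Z ]+)\] \[(?P<pid>\d+)\] was (?P<verdict>allowed|blocked)(?P<detail>.*)$")


@dataclass
class Execution:
    ts: str
    image: str
    verdict: str
    parent: Optional[str] = None
    ppid: Optional[int] = None
    command_line: str = ""


@dataclass
class PidEvent:
    ts: str
    category: str
    pid: int
    verdict: str
    detail: str
    name: Optional[str] = None  # filled in only if an earlier line named this PID


@dataclass
class ParsedLog:
    executions: List[Execution] = field(default_factory=list)
    pid_names: Dict[int, str] = field(default_factory=dict)
    pid_events: List[PidEvent] = field(default_factory=list)


def parse_log(text: str) -> ParsedLog:
    """Parse logfile.txt text; an execution record spans its 'Started by' and 'Commandline' lines."""
    log = ParsedLog()
    current: Optional[Execution] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RE_RUN.match(line):
            current = Execution(m["ts"], m["image"], m["verdict"])
            log.executions.append(current)
        elif (m := RE_PARENT.match(line)) and current is not None:
            current.parent, current.ppid = m["parent"], int(m["ppid"])
            # The parent reference is the only PID-to-name association this format provides.
            if current.parent != "Unknown Process":
                log.pid_names[current.ppid] = current.parent
        elif (m := RE_CMD.match(line)) and current is not None:
            current.command_line = m["cmd"]
        elif m := RE_PIDEVT.match(line):
            pid = int(m["pid"])
            log.pid_events.append(PidEvent(m["ts"], m["cat"], pid, m["verdict"],
                                           m["detail"].strip(), log.pid_names.get(pid)))
    return log


def denials(log: ParsedLog) -> List[PidEvent]:
    """Only the blocked entries: the 'denials only' view suggested for the Alerts tab."""
    return [e for e in log.pid_events if e.verdict == "blocked"]


def unresolved_pids(log: ParsedLog) -> Set[int]:
    """PIDs referenced in an event before any line in the log named them."""
    return {e.pid for e in log.pid_events if e.name is None}


def command_lines(log: ParsedLog, image_basename: str) -> List[str]:
    """Command lines recorded for an image, e.g. what regedit.exe was asked to do."""
    base = image_basename.lower()
    return [x.command_line for x in log.executions
            if x.image.lower().rsplit("\\", 1)[-1] == base]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in denials(parsed):
        print(f"{e.ts} DENIED pid={e.pid} ({e.name or 'unresolved'}) {e.detail}")
    print("unresolved PIDs:", sorted(unresolved_pids(parsed)))
    print("regedit.exe command lines:", command_lines(parsed, "regedit.exe"))
```

Run against the sample, PID 2680 resolves to ccpwdsvc.exe because its parent line came first, while 2728 stays unresolved exactly as in the posted log: nothing in this format ever names the PID of the process that was started, only that of its parent. Logging the child PID on the "was allowed to run" line, as the post asks, is what would close that gap.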
Paranoid2000
November 16th, 2004, 09:31 PM
A SMH suggestion:
Enabling SMH for an application gives the confirmation prompt when any window belonging to that application is closed, including prompts. For applications that prompt frequently (e.g. some firewalls, System Safety Monitor) this makes SMH a painful experience since multiple prompts have to be answered (or cancelled) regularly.
To counter this, either add the ability to restrict SMH to "main" windows only (i.e. exclude any created after the first one) or allow protection to be restricted by window title (this is constant for almost all applications so should be more workable, though a wildcard facility should be available for programs which include variables like filenames in the title).
Jason_DiamondCS
November 16th, 2004, 10:37 PM
-{ Quote: "Rolling along with the suggestions....
During a boot I got the log entries below in the PG logfile, the issue I have here is that the logfile refers to a process id without telling what the process is
It would be good to make sure that a process was not logged by process id alone without having first given the process name (at some point earlier in the logfile)
I can guess as well as the next person, in this case the process is still running so there was no need to guess
C:\>tasklist /FI "PID eq 2728"
Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
HydraDM.exe 2728 0 2,144 K
The other oddity was the process logged as having been started by "Unknown Process", presumably this is because the parent wasn't there when the child actually started up
That could be solved by logging the process id when a process starts so that we could search backwards in the startup logfile if we really wanted to know
If nothing else it is quite interesting to see exactly what is being started up at boot time
Log Entries
Wed 17 - 00:53:18 [EXECUTION] "c:\program files\ati technologies\hydravision\hydradm.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [520]
[EXECUTION] Commandline - [ "c:\program files\ati technologies\hydravision\hydradm.exe" ]
Wed 17 - 00:53:19 [EXECUTION] "c:\windows\regedit.exe" was allowed to run
[EXECUTION] Started by "c:\program files\common files\symantec shared\ccpwdsvc.exe" [2680]
[EXECUTION] Commandline - [ regedit.exe /e "c:\program files\common files\symantec shared\ccreg.dat" "hkey_local_machine\software\symantec\ccreg" ]
Wed 17 - 00:53:22 [GLOBAL HOOK] [2728] was blocked from creating a global GetMessage hook
Wed 17 - 00:53:23 [GLOBAL HOOK] [2728] was blocked from creating a global CallWndProc hook
Wed 17 - 00:53:23 [GLOBAL HOOK] [2728] was blocked from creating a global Mouse hook
Wed 17 - 00:53:23 [GLOBAL HOOK] [2728] was blocked from creating a global CBT hook
Wed 17 - 00:53:23 [GLOBAL HOOK] [2728] was blocked from creating a global Call Wndproc Return hook
Also a bit further on I saw
Wed 17 - 01:03:00 [EXECUTION] "c:\program files\symantec\liveupdate\aupdate.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [3820]
[EXECUTION] Commandline - [ "c:\program files\symantec\liveupdate\aupdate.exe" ]
" }-
It looks like HYDRADM.EXE might have been blocking access to finding its processname.
The being started by unknown program is as you specified, the parent process is gone by the time the process name is being resolved.
gottadoit
November 17th, 2004, 01:29 AM
-{ Quote: "It looks like HYDRADM.EXE might have been blocking access to finding its processname.
The being started by unknown program is as you specified, the parent process is gone by the time the process name is being resolved." }-
Jason,
That would seem to be quite an achievement for a process with no special privileges, after all PG blocked all of its attempts to do anything tricky
And if that were the case why would I be able to list it using tasklist ?
Either way my comments still stand, displaying the process id at startup solves both of the issues I just gave an example for, which is something that I'm sure you didn't overlook :-)
Just so it doesn't seem like I am *just* criticising PG all the time, I do like it and the extra security it offers (and I did buy it after all).
I'd like to be able to recommend it for enterprise use (and I have already) but it could do with a few tweaks to have more of a chance at meeting justifications for adding to the mix with other competing enterprise level tools.
Centralised logging is a fairly key feature, and this can be achieved by putting things in the eventlog so that a plethora of other tools can take it out and centralise it or a variety of other methods (mentioned earlier)
Pilli
November 17th, 2004, 01:35 AM
Hi P2K,
-{ Quote: "Enabling SMH for an application gives the confirmation prompt when any window belonging to that application is closed, including prompts. For applications that prompt frequently (e.g. some firewalls, System Safety Monitor) this makes SMH a painful experience since multiple prompts have to be answered (or cancelled) regularly." }-
Usually, after you have trained SMH, you should get an option to click "Ok to All" In the HID window, click that and your app and sub-windows should close down.
Clicking cancel can sometimes cause multiple HID windows and the App will close anyway, this has been explained in other threads and cannot be prevented in some programs.
For more information about SMH training please read the Help file.
Thanks. Pilli
gottadoit
November 17th, 2004, 02:06 AM
-{ Quote: "Hi P2K,
Usually, after you have trained SMH, you should get an option to click "Ok to All" In the HID window, click that and your app and sub-windows should close down.
Clicking cancel can sometimes cause multiple HID windows and the App will close anyway, this has been explained in other threads and cannot be prevented in some programs.
For more information about SMH training please read the Help file.
Thanks. Pilli" }-
Pilli,
He does have a point as I'm sure that you recognise, it might be a non-trivial one to solve but it's still valid and sometimes can be a little annoying. It's not particularly hard to live with after all, just a minor annoyance
I'm sure it would be possible to find something in common with the various dialog boxes using something like Winspector (or whatever your tool of choice is for viewing information about windows and event messages)
It may be too much effort to solve a minor problem but it would enhance the overall "feel" of the product
NB: For anyone interested Winspector can be found at http://www.windows-spy.com/
If you are bored you can use it to move scrollbars around in programs from left to right, turn them on and off etc...
Pilli
November 17th, 2004, 02:20 AM
Hi gottadoit, Jason has done much research into the problems concerning SMH & methods used by programs to close down.
Close Message Handling is highly complex and unfortunately there is no simple solution. HID's are not perfect but they are a very hard problem for Trojan writers to get around.
Having said that, I am sure that DCS will make improvements as these become apparent over time.
Cheers. Pilli :)
earth1
November 17th, 2004, 02:36 AM
Wish List (where previously requested, count me +1)
#1) Specify which specific types of global hooks a program can install.
#2) Specify which drivers/services are installable by services.exe (svchost.exe?).
#3) Procguard.exe running from a "User" account -- Instead of runas/admin-name/password.
#4) New button (on Alert-tab): "Empty Log File" -- Instead of runas/admin-name/password. Better yet, see #5.
#5) New Option: "Minimal Logging" ----- Minimal logging could be as simple as, "Don't log successful hash-code checks". Without "[EXECUTION] XXX was allowed to run" entries, my logfile wouldn't need constant clearing. In fact, an ongoing log of important alerts would be a reference worth preserving. Moreover, minimal logging should also eliminate the need to manually "Remove All" Alerts (to recycle memory). Of course, a more flexible and comprehensive set of logging options would always be welcome, too. :)
Jason, thanks for describing the "safe area" you're hoping to implement. It really made my day! :D
Mr.Blaze
November 17th, 2004, 02:41 AM
:-\ hmmmmmm i still can't break process guard
i haven't spotted anything wrong am i doing something wrong?
it works perfect on my pc
maybe im not trying hard enough :(
earth1
November 17th, 2004, 03:01 AM
-{ Quote: ":-\ hmmmmmm i still cant break process guard " }-
hmmmmmmm, good point ;)
frogfoot
November 17th, 2004, 07:30 AM
Hi,
I seem to remember seeing some entries in the protection tab which were 'allowed to run once' without any popup dialogue, due to the fact that they were run prior to the GUI part of PG3 loading. (I can't remember the exact wording of the entry in the protection tab)
It would be nice to have a balloon pop up as soon as the GUI loads to say that a process was allowed to run without authorisation, so the operator could check the logs and grant/deny future access.
Tom
hojtsy
November 18th, 2004, 07:41 AM
-{ Quote: "Clicking cancel can sometimes cause multiple HID windows and the App will close anyway, this has been explained in other threads and cannot be prevented in some programs. " }-Pilli, can you provide links to those threads, please.
-hojtsy-
Pilli
November 18th, 2004, 07:53 AM
Hi Hojsty , OK Here Goes:
http://www.wilderssecurity.com/showthread.php?t=54890&page=1&highlight=Secure+Message+Handling
http://www.wilderssecurity.com/showthread.php?t=54857&highlight=Secure+Message+Handling
http://www.wilderssecurity.com/showthread.php?t=54697&highlight=Secure+Message+Handling
And one today:
http://www.wilderssecurity.com/showthread.php?t=55309&highlight=Secure+Message+Handling
As mentioned in all these threads reading the help file is important regarding Secure Message Handling.
HTH Pilli
rickontheweb
November 18th, 2004, 10:48 AM
-{ Quote: "
#1) Specify which specific types of global hooks a program can install.
#2) Specify which drivers/services are installable by services.exe (svchost.exe?).
#3) Procguard.exe running from a "User" account -- Instead of runas/admin-name/password.
#4) New button (on Alert-tab): "Empty Log File" -- Instead of runas/admin-name/password. Better yet, see #5.
#5) New Option: "Minimal Logging" " }-
I have to echo earth1's suggestions, particularly #1 and #2.
Jason_DiamondCS
November 18th, 2004, 10:31 PM
-{ Quote: "Wish List (where previously requested, count me +1)
#2) Specify which drivers/services are installable by services.exe (svchost.exe?).
" }-
This does not need to be done. Even though services.exe has "Allow Install Drivers" ProcessGuard now blocks applications from using services.exe in a way that you will get the REAL application asking for "install driver privileges" before it gets to services.exe . There is no need to remove "Install Driver" privileges from services.exe anymore, it should be left on by default otherwise you will get issues with ProcessGuard blocking driver installations in 2 places instead of one.
earth1
November 19th, 2004, 03:43 PM
-{ Quote: " ProcessGuard now blocks applications from using services.exe in a way that you will get the REAL application asking for "install driver privileges" before it gets to services.exe." }- That's fantastic, Jason, your solution sounds much more elegant and transparent. I'll enable services.exe as suggested. Thanks a bunch.
Johnniee
November 19th, 2004, 08:00 PM
Jason, Gavin & all who advised with my problem,
Jason, I was unable to locate the thread that was started with regards to my problems (I thought were) with Process Guard. That thread appears to have been deleted from the forum. As the thread was missing and there was not an appropriate place to put this post, I am just putting it here. You might direct it where you feel is appropriate.
I can not protest the action of removing the thread, but instead must complement that action. I must explain. I first would like to apologize for pointing to Process Guard, as the cause of my problems, when in fact it was not. I doubt seriously that it caused me to have to re-install my system, as one of the responders pointed out, that it was probably caused by my uninstalling my security applications, installing PG then re-installing those security programs. And probably, as he suggested. the re-installation of my system was likely unnecessary. At any rate I did re-install my system and the problems that I attributed to PG after that re-installation, it turns out, was not PG at all. I have discovered that my problems were not gone with the uninstall of PG. I got another blue screen startup after PG was removed. Which got me looking for the cause, which I still thought was PG and I had a bad uninstall. A friend suggested that I use Administrative Tools/ Component Services/ Event Viewer/ System (as it was a System Error I was getting). There I found that an Error was showing and its cause was my Ultra 160 SCSI controller card driver. During the installation of the OS that driver had not been installed. I suppose that Windows XP had SCSI drivers on board to just get me by, but at boot time the controller wanted the driver that was designed for it.
Anyway I installed, the driver and used the computer enough to discover that system error had been eliminated. I next thought, should I give PG another try. I decided I would, as all of my problems that I had been attributing to PG may have been the missing driver all along after the re-install of the OS. So I finished installing all my programs on my system, then installed PG. And so far, (knock on wood) it is working great. I did as suggested Jason and ran all of my applications with PG in learning mode. When I switched off learning mode and rebooted I was most apprehensive. But that apprehension was in vain, as it has worked flawlessly since that reboot and I am not getting all of those, system files coming up asking me to allow or deny. I think that I have only had one of those since the re-install of PG, but it was obvious what it was for, so I allowed it, with no apparent problems resulting.
Like I say it is working great. There is one thing though that keeps coming up (not causing any problems though), it is a little balloon notice by the system tray, which says that a Global Hook to the Mouse and Keyboard has been blocked that msmsgr (Windows Instant Messenger I assume) is attempting to install. It gives me the same message for yhmsgr (guess Yahoo Instant Messenger). But both seem to work ok, so it is not a problem.
I was very (unnecessarily) upset with PG on my last post. And as it turns out without grounds. Just wanted to let you know that all turned out good, and let you know as well that I made a mistake by attributing my problems to PG.
Hoping You All the very Best,
And Thanks Again,
John
PS
Finally found the thread that was being used to aid me with my problem. (My inexperience with the forum prevented my finding it but I am gaining that experience solving problems such as this.) Anyway the thread is Insight into how to make PG work. I am going to re-post this post there. Sorry for placing it in the wrong place.
redwolfe_98
November 19th, 2004, 09:06 PM
i haven't (yet) read through the thread here, so..
1. i think there should be a limit put on the size of the log file in pg..
2. i wish that there was an option so that when you are alerted to something by pg, you could set it so that pg would not alert you again to that same thing.. i have three apps that try to create global hooks where i am opting to not allow those since i don't seem to need them to still use the apps.. however, i get alerted about the apps trying to create global hooks each time i start them.. then i have to pull up pguard so that the icon will go back from red to "blue".. it is not a biggy..
incidentally, i liked the red icons that were used previously in the beta versions.. i liked that the pgauard icon in the systray was red when everything was kosher, and darkened, "x-ed", when there was an alert.. i can understand why you changed that; at first, i did not like the red icons, but they grew on me.. :)
i am going to try to read through the thread.. some of the issues that others have mentioned, from what i have read so far, i do not have a problem with simply because i disable pg's protection when i am installing programs..
frogfoot
November 20th, 2004, 01:29 PM
-{ Quote: "2. i wish that there was an option so that when you are alerted to something by pg, you could set it so that pg would not alert you again to that same thing.. i have three apps that try to create global hooks where i am opting to not allow those since i don't seem to need them to still use the apps.. however, i get alerted about the apps trying to create global hooks each time i start them.. then i have to pull up pguard so that the icon will go back from red to "blue".. it is not a biggy..
" }-
I would love to see this feature implemented as well
earth1
November 20th, 2004, 01:39 PM
-{ Quote: "I would love to see this feature implemented as well" }-Me too, it helps address the issue with standard Windows dialogs that create mouse hooks.
Paranoid2000
November 21st, 2004, 05:31 PM
-{ Quote: "Hi P2K,
Usually, after you have trained SMH, you should get an option to click "Ok to All" In the HID window, click that and your app and sub-windows should close down.
Clicking cancel can sometimes cause multiple HID windows and the App will close anyway, this has been explained in other threads and cannot be prevented in some programs.
For more information about SMH training please read the Help file." }-The problem is not having multiple HID windows appearing when shutting down an application, the problem is having HID windows appearing when any window belong to that application is closed. To take an example, with Outpost firewall you can run it in Rules Wizard policy where it prompts you for undefined traffic giving you the option of allowing it, blocking it or creating a rule. Responding to any such prompt brings up the HID. SMH training does nothing for this (though it is useful, indeed necessary, to prevent the "Exit and Shutdown" option in Outpost from being used). Being able to restrict HID to the main window only would solve this.
As for the HID prompt itself, I'd like to suggest that it include more readable information. Rather than a window name (which is unlikely to mean much to most users) how about the window title? Also rather than just giving a message type, how about the action requested? (e.g. shutdown, disable, allow all network traffic, stop background filescans). This may require supplying an action name in SMH training (to take Outpost again, I have SMH capturing any attempt to change Outpost policy to Disabled or Allow Most modes via the system tray icon menu) but it would be nice to be able to see these reported in the HID.
AJohn
November 21st, 2004, 10:50 PM
Yes, the problem P2K just described is very annoying.
gottadoit
November 23rd, 2004, 03:22 AM
How about an inverse of the INSERT key, allow us to hold down the DELETE key to train SMH to ignore closing a dialog window
Easy to say I know, much harder to decide how to identify this particular dialog window and not other ones...
Jason_DiamondCS
November 23rd, 2004, 03:43 AM
-{ Quote: "How about an inverse of the INSERT key, allow us to hold down the DELETE key to train SMH to ignore closing a dialog window
Easy to say I know, much harder to decide how to identify this particular dialog window and not other ones..." }-
By unticking SMH for an application you remove all the SMH learning you have done for that application. I don't see the need to have something to do one at a time, especially when a malware could then mimic that behaviour to get around the protection. :)
gottadoit
November 23rd, 2004, 12:06 PM
Jason,
As you probably already realise my objective is to stop the somewhat useless prompts that appear after some dialog boxes have already exited
I am now quite well trained to click cancel twice after responding to a Kerio dialog box asking me if it is ok to run a program....
The idea behind my suggestion would not be subvertable if you were to require some interaction to confirm it
My goal is not to remove SMH from my firewall... just to stop somewhat less than useful confirmation prompts from dialog boxes that have already closed. Dialog boxes have window titles (at least some of the time) that might be one way to distinguish between times we *want* HID windows and other times when it is somewhat less than productive...
One other method might be to have the HID dialog that you are displaying check to see if the related window (that it was triggered for) still exists, if it doesn't then there is nothing to prompt for... so you could give a different message and the option to not display the "got there too late" message for that app next time
Any suggestions on how to do this are of course welcome :)
frogfoot
December 1st, 2004, 06:45 PM
Hi,
The improvements made to PG3's driver install protection are great, i.e. Services.exe can now be allowed with no loss of protection. However I have a couple of apps which use RunDll32.exe to install a driver or service, and require access to physical memory (notably the ATI control panel). Could the same approach be used to lock down this application? See this thread (http://www.wilderssecurity.com/showthread.php?t=53023&highlight=rundll32) for background info.
Thanks
Tom
gottadoit
December 6th, 2004, 04:53 AM
I'll add my vote to get the rundll32 issue sorted out ...
-{ Quote: "Originally Posted by puff-m-d http://www.wilderssecurity.com/showpost.php?p=288965&postcount=7
Re: Allow RunDLL32.exe to install a driver?
You will need to let it install global hooks if you have a Nvidia graphics card.
" }-
-{ Quote: "Originally Posted by Jason_DiamondCS http://www.wilderssecurity.com/showpost.php?p=289051&postcount=10
Re: Allow RunDLL32.exe to install a driver?
RunDLL is sort of a small risk because some things can use it to load their DLL, however typically there needs to be another malicious EXE already running to do this (which sort of makes the point of calling RUNDLL invalid). I would put RunDLL on "Permit Once" and just allow it each time so I could monitor the COMMAND LINE parameters sent to it (which basically tell you what it is doing). It is sort of annoying if you need to do it every reboot, but for me it isn't that big a deal.
I sort of prefer getting the execution protection prompt before running most things now, I only permit always my startup applications.
" }-
Now that it's been discussed openly it's an Achilles heel; even if it was considered an obscure issue, it has now been highlighted as an opportunity to bypass an otherwise good security tool
FWIW ".msi" installer scripts also tend to make calls to rundll32
A couple more examples of what rundll32 can do can be seen at http://groups.msn.com/windowsscript/rundll.msnw
Until this issue was discussed, I was fairly happy that nothing could set a global hook without explicit permission. If I have an NVIDIA graphics card then that isn't quite true....
Of course the more paranoid (that still want to be able to run programs) possibly also run System Safety Monitor (http://maxcomputing.narod.ru/ssme.html?lang=en) as well, just to have 2 products doing a similar thing in case one of them allows something unexpected...
Someone from DCS, how about some feedback on the issues that have been raised in this thread so far
I'm not asking for commitments that any changes will (or won't) be made or for timeframes, just your thoughts on what has been raised so far
Thanks
[Edit: Added link for SSM, its possibly worth a look - personally I'd trust PG more, being a patriotic Aussie]
earth1
December 6th, 2004, 08:12 AM
-{ Quote: "RunDLL is sort of a small risk because some things can use it to load their DLL, however typically there needs to be another malicious EXE already running to do this (which sort of makes the point of calling RUNDLL invalid)" }-(Addendum to gottadoit's post above)
From the little I gleaned looking at this page (http://www.dx21.com/SCRIPTING/RUNDLL32/INF.ASP) you may not need a malicious EXE, just some script in an INF file.
Example: cmd /c rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 ScriptName.INF
I need cmd.exe on "Permit Always" or certain batch file idioms are intolerable. If I also wanted "Permit Always" for rundll32, I'd get no warning at all.
An hour of searching left Rundll32 looking like one of those dodgy MS issues where the more prevalent, dangerous and ill-conceived a mechanism is, the more unfindable, unreadable and unusable its documentation will be.
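Added example, not code from this thread or from DiamondCS: a small Python classifier for the rundll32 command lines that Jason suggested watching, covering the INF case earth1 raised above. It parses the `module,entrypoint args` form, strips a leading `cmd /c`, and flags INF installs via setupapi/advpack and DLLs loaded from an explicit path or under an unfamiliar module name. The entry-point table, the list of "familiar" host modules and the sample log lines are assumptions constructed for the example.

```python
"""Classify rundll32 command lines by what they would load.

Added example for this thread; not ProcessGuard code.  The tables below are
assumptions for the example, not an authoritative list.
"""
import ntpath

# Entry points that install or run an INF section with no separate EXE involved.
INF_INSTALL_ENTRYPOINTS = {
    ("setupapi", "installhinfsection"),
    ("advpack", "launchinfsection"),
}
# Modules a normal desktop routinely invokes through rundll32 (assumed allow list).
# Matching on the bare name is weak: rundll32 resolves it through the DLL search
# path, so a same-named DLL dropped in the wrong directory would pass here.  A
# checksum of the module actually loaded, as PG uses for programs, is the real fix.
FAMILIAR_HOSTS = {"shell32", "user32", "setupapi", "advpack", "printui"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens, cur, in_quotes = [], "", False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def parse_rundll32(cmdline):
    """Return (module, entry_point, args) or None if this is not a rundll32 call.

    rundll32 splits its first argument at the first comma; an unquoted path with
    spaces confuses it, which is why the sample quotes such paths.
    """
    toks = tokenize(cmdline)
    # Strip a "cmd /c" wrapper like the INF example in the post above.
    if len(toks) >= 2 and ntpath.basename(toks[0]).lower() in ("cmd", "cmd.exe") \
            and toks[1].lower() == "/c":
        toks = toks[2:]
    if len(toks) < 2 or ntpath.basename(toks[0]).lower() not in ("rundll32", "rundll32.exe"):
        return None
    module, _, entry = toks[1].partition(",")
    return module, entry, toks[2:]


def classify(cmdline):
    """One of: not-rundll32, inf-install:<inf>, foreign-dll:<module>,
    missing-entrypoint:<module>, known-host:<name>,<entry>."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return "not-rundll32"
    module, entry, args = parsed
    name = ntpath.splitext(ntpath.basename(module))[0].lower()
    if (name, entry.lower()) in INF_INSTALL_ENTRYPOINTS:
        inf = next((a for a in args if a.lower().endswith(".inf")), "?")
        return f"inf-install:{inf}"
    if ntpath.dirname(module) or name not in FAMILIAR_HOSTS:
        # An explicit path or an unfamiliar name: rundll32 is just a loader for it.
        return f"foreign-dll:{module}"
    if not entry:
        return f"missing-entrypoint:{module}"
    return f"known-host:{name},{entry}"


# Constructed sample of command lines as an execution log might record them.
SAMPLE_LOG = [
    "rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    "cmd /c rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 ScriptName.INF",
    'rundll32.exe "C:\\Documents and Settings\\user\\Local Settings\\Temp\\upd.dll",Start',
    "rundll32.exe nvcpl.dll,NvStartup",   # vendor module, but not on the assumed list
    "notepad.exe readme.txt",
]


def review(lines):
    """Return (line, verdict) for every line worth a look before 'Permit Always'."""
    flagged = []
    for line in lines:
        verdict = classify(line)
        if not verdict.startswith(("known-host", "not-rundll32")):
            flagged.append((line, verdict))
    return flagged


if __name__ == "__main__":
    for line, verdict in review(SAMPLE_LOG):
        print(f"{verdict:<45} {line}")
```

Run as-is it prints three of the five sample lines: the INF install, the DLL loaded from a Temp path, and the NVIDIA startup entry, which is exactly the kind of line you would decide to add to the allow list after checking the file rather than leaving rundll32 itself on "Permit Always".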
gottadoit
December 6th, 2004, 09:01 AM
earth1,
It's hard to know how much detail to go into when discussing issues like this, I don't want to assist people attempting to get past PG, but equally well I want to make sure that it is fairly obvious that it is an issue (for people that don't have time to burn digging around looking at these things)
I also looked at the same site when I did my looking around and I didn't explicitly mention INF files because they are effectively similar to an MSI file
There is also WMI and the possibility that rundll32 could get executed via that
You may have seen the semi-recent post about WMI being used to disable Norton AV script protection and uninstall it...
If not then have a look here (http://www.informationweek.com/story/showArticle.jhtml?articleID=54800003), it was mentioned on the langalist today but the information has been kicking around for a little while now
If you want to have a look at what WMI can offer M$oft have a little app to make it easy called scriptomatic (see scriptomatic download (http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=9EF05CBD-C1C5-41E7-9DA8-212C414A7AB0) )
DX21 also has some information on WMI and a link to scriptomatic as well, not to mention an example of WMI in the NAV vbs exploit (http://seclists.org/lists/fulldisclosure/2004/Nov/0160.html) ...
What can I say other than it's an interesting and varied learning experience. I had no idea that Windows security was really this bad, I've been making fun of it for years with some substantiated evidence (and it's expected when you are a Unix admin) but delving a little into some of the details over the past year or so has been a bit of an eye opener
As far as protection goes I used to download programs I was interested in and leave them in a holding directory for a month (or so) and I thought that if they did contain viruses or trojans that someone else would get it and report it and I'd hopefully have the signature in my AV by the time I went to test it out :-) [nb: I'm not talking about cracks or pirated s/w, just freeware/shareware/trialware downloads from websites]
Jason_DiamondCS
December 6th, 2004, 10:27 PM
Well all I can say is nobody said properly securing Windows was going to be easy :D . ProcessGuard provides the ability for you to secure your PC, issues like "ease of use" with security are things we are always looking to improve. Whilst some things can be annoying like this RUNDLL issue there's not much which can be done unless you don't want to be secure against it. That is UNTIL we find a better way, if there is one.
In regards to video card software requiring privileges, can you not disable the executables from running? On my ATI card at home I disable all services and don't get one issue with them. On my other machine with a NVIDIA card I have had no issues doing the same. What happens if you block the NVIDIA software from getting a global hook?
Disciple
December 8th, 2004, 02:03 PM
I would like to see each list box, Alerts, Protection, and Security, have/take focus (become active or what ever you call it) when the cursor is over the list. Thus enabling the user to scroll the list without having to click an entry in the list.
While this is not a critical feature it is something I feel should be included, to make this great product even more user friendly.
gottadoit
December 9th, 2004, 12:36 PM
Just to finish off my virtual "day"....
It would be good to have the PG permit/deny box show extra information if there is an entry in the Security list already
ie: if there is a permit once or a deny once it should show that and also show the "Last Run" date using a suitable layout so that the information stands out and the box looks a little different to the norm
See here (http://www.wilderssecurity.com/showpost.php?p=320022&postcount=6) for where I got to thinking about it
-{ Quote: "
Unfortunately when the next PG prompt is displayed it doesn't tell you the last time that the program was executed and that you chose to "deny once", that would be a useful enhancement for when programs are denied... and especially useful if you do something like this
" }-
SteveICS
December 10th, 2004, 02:15 AM
.exe allowed to run, because it could not ask the user!!! wtf??? Process guard would be better if it blocked it from running at all instead of allowing the executable to run once... >:(
Jason_DiamondCS
December 10th, 2004, 02:33 AM
-{ Quote: ".exe allowed to run, because it could not ask the user!!! wtf??? Process guard would be better if it blocked it from running at all instead of allowing the executable to run once... >:(" }-
If we did this the system would be unable to start. You can still control those items execution by changing the Last Action, however you won't receive any "live requests". All it means is ProcessGuard could not ask the user for whatever reason (ie. A window could not be shown to ask the user), but you can deny it retroactively.
gottadoit
December 10th, 2004, 04:13 AM
-{ Quote: "If we did this the system would be unable to start. You can still control those items execution by changing the Last Action, however you won't receive any "live requests". All it means is ProcessGuard could not ask the user for whatever reason (ie. A window could not be shown to ask the user), but you can deny it retroactively." }- Jason,
Call it a request for another tickable option in the "advanced mode"
It makes a sensible default in learning mode but is it something that an advanced user would actually want once they "block execution of new and changed programs" ?
If you wanted to get fancy, you could poll the key every now and again and give the user a HID prompt as to whether they wanted to allow that specific entry to run on the next reboot... an "Allow Once" in advance seeing as it is a known event that is likely to happen
[EDIT: I was assuming that "wtf" means "want this feature" ]
earth1
December 10th, 2004, 04:43 AM
Perhaps even delaying a forced decision for a reasonable amount of time. I'm guessing this is usually an unapproved program starting before pgaccount.exe is ready, yes? Temporarily leave the program in limbo while PG tries every 10 seconds to see if user communication has become possible. If the situation is unresolved, after a couple of minutes, then force the decision. Just an idea.
AJohn
December 12th, 2004, 01:48 PM
Dunno if this has already been requested:
Ability to drag 'n' drop an entire folder onto the PG screen and have PG automatically checksum everything in it and add them to the protection list. This would be great for folders with large amounts of .exe files and such. Also the ability to ignore entire folders all together would be nice.
gottadoit
December 12th, 2004, 09:36 PM
-{ Quote: "Dunno if this has already been requested:
Ability to drag 'n' drop an entire folder onto the PG screen and have PG automatically checksum everything in it and add them to the protection list. This would be great for folders with large amounts of .exe files and such. Also the ability to ignore entire folders all together would be nice." }- The drag-n-drop part has been asked for here (http://www.wilderssecurity.com/showpost.php?p=320022&postcount=6), and you can do it yourself although it would be interesting to see what sort of performance hit you would take by stuffing the lists full of things that are not going to be run very often....
I'm sure that the exclude directory part has been requested and I think it was going to be considered...
AJohn
December 12th, 2004, 10:33 PM
If PG could checksum entire directories like the program files or windows directory that would be great. Then you could drag the folder into PG and go watch a movie or something. That way you could create a baseline similar to how Black Ice works (if you wanted to), this would be great for newly installed copies of windows and it would save you time answering yes/no later on.
kareldjag1
December 19th, 2004, 04:22 AM
Hello
More algorithms for the integrity checker would be more efficient.
MD5 is too usual, and SHA-1 or 5 would surely provide more security for recognising changed files.
I don't think that PG could stop all rootkits because it doesn't check all binary files (exe, dll, sys is not sufficient at all against those malwares).
Like TDS, an ability to check ADS streams would be a great thing too.
And so on, maybe for next time.
But it's impossible for one soft to protect against all insecurity issues.
That's a newbie's phantasmagoria!
Regards
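Added example, not ProcessGuard's code: a Python integrity baseline of the kind AJohn's drag-a-folder request and kareldjag1's hashing remark above describe. It walks a directory, hashes every file with a watched binary extension (an assumed set) in one pass using any hashlib algorithm, and on re-scan reports new, removed and changed files; edits to non-binaries are ignored by design. The tree it scans is constructed inside a temporary directory. On the algorithm question, the concern with MD5 is collision resistance rather than how common it is (practical MD5 collisions were published in 2004), so the example defaults to SHA-256; a changed-file check keyed on the hash alone is only as strong as the hash.

```python
"""Directory integrity baseline: hash every watched binary, store, re-scan, diff.

Added example for this thread; not ProcessGuard code.  WATCHED is an assumed set.
"""
import hashlib
import os
import tempfile

WATCHED = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".scr", ".drv"}
DEFAULT_ALGOS = ("sha256",)   # ("md5", "sha1", "sha256") gives all three in one pass


def hash_file(path, algos=DEFAULT_ALGOS, chunk=1 << 16):
    """Hash one file with each named algorithm, reading it only once."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def build_baseline(root, algos=DEFAULT_ALGOS):
    """Map each watched file under root (relative, backslash-separated) to its digests."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WATCHED:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "\\")
            baseline[rel] = hash_file(full, algos)
    return baseline


def diff_baselines(old, new):
    """Report paths that are new, gone, or whose digests differ from the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo_baseline():
    """Constructed tree: baseline it, then patch a driver, drop a DLL, edit a text file."""
    with tempfile.TemporaryDirectory() as root:
        drivers = os.path.join(root, "drivers")
        os.mkdir(drivers)
        files = {
            os.path.join(root, "app.exe"): b"MZ\x90\x00 original program",
            os.path.join(drivers, "ati.sys"): b"MZ\x90\x00 original driver",
            os.path.join(root, "readme.txt"): b"not a binary, not tracked",
        }
        for path, data in files.items():
            with open(path, "wb") as fh:
                fh.write(data)
        before = build_baseline(root)
        with open(os.path.join(drivers, "ati.sys"), "wb") as fh:
            fh.write(b"MZ\x90\x00 patched driver")        # changed binary
        with open(os.path.join(root, "hook.dll"), "wb") as fh:
            fh.write(b"MZ\x90\x00 dropped dll")           # new binary
        with open(os.path.join(root, "readme.txt"), "ab") as fh:
            fh.write(b" edited")                          # not watched, so not reported
        return diff_baselines(before, build_baseline(root))


if __name__ == "__main__":
    print(demo_baseline())
```

The baseline dict is what you would persist (PG's Protection list is the equivalent); `diff_baselines` is the on-demand or at-boot scan kareldjag1 asks for later in the thread. Files the scan does not watch are a deliberate blind spot, which is the point kareldjag1 makes about rootkits: widen WATCHED, or drop the filter, if that trade-off is wrong for the machine.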
Pilli
December 19th, 2004, 04:50 AM
-{ Quote: "I don't think that PG could stop all rootkits because he does't check all binary files (exe, dll, sys is not suffisant at all against thoses malwares).
" }-ProcessGuard prevents .dll injection, also a rootkit would need to install a driver or service which PG also prevents. As far as I know there are no current rootkits that can bypass PG :)
Jason has already stated that the hashing will change if the need arises.
-{ Quote: "But it's impossible for one soft to protect against all insecurity issues.
That's a newbies fantasmagory!" }-Absolutely correct, that is why Wilders always recommends a layered defence.
Cheers. Pilli
newbornee
December 20th, 2004, 01:54 PM
-{ Quote: "I might add if I havn't already, we are planning an application database for the ProcessGuard website, which will be compiled from our beta testers, forum members, and us.
The database will list which flags specified applications need and also a short description if needed." }-
Most users would much appreciate this effort to help PG users in particular. If possible it would be even better if it came with different configurations like: [more compatible] | [safer] | [safest]. I hope I am not wrong about this.
Thanks
:o)
Jason_DiamondCS
December 20th, 2004, 10:10 PM
-{ Quote: "Most users would much appreciate this effort to help PG users in particular. If possible it would be even better if it came with different configurations like: [more compatible] | [safer] | [safest]. I hope I am not wrong about this.
Thanks
:o)" }-
It is already underway, but I am not sure yet when it will be made available to the public.
AJohn
December 21st, 2004, 07:26 AM
Some features that Tiny Firewall's Windows Security has that I would appreciate in Process Guard are:
Ability to run programs in Track mode and then view All changes made by the program and select what you want to undo.
Ability to decide how a program is verified (Checksum, Path, Name, maybe even multiple checksums)
Read, Write, Create, Delete access per program per file/folder and registry keys.
System privileges, what can shutdown the computer, pre-defined groups, etc.
gottadoit
December 24th, 2004, 08:37 AM
It would be nice to be able to specify an arbitrary number of extra files and their corresponding in-memory code sections (if they are dll/sys and already loaded) to be checksummed and verified each time that an executable is run
The reason to specify the files manually would be so that the overhead of checking would be minimised to things that are really of concern
Of particular interest is to be able to verify any .SYS file that is loaded when we allow programs to load drivers
Of secondary interest is to be able to monitor at least some of the key dll's for selected programs and by being selective that allows us to choose what level of overhead we create for ourselves
To go with this it would be nice to have a little point and drool tool that showed what DLL's were associated with the executable, just so that it is a little bit user friendly....
war59312
December 26th, 2004, 11:53 PM
A complete lock down mode would be nice. Not just don't run new and changed programs but also an option to stop all programs from running besides the ones currently running.
Also password protection so you can shutdown ProcessGuard would be nice. And maybe protect from task manager as well. ;)
Pilli
December 27th, 2004, 01:45 AM
Hi war59312, Both of those options are already available in the full version. :)
"Block new and changed". - Any application which you haven't allowed to always start will be blocked from running without a user confirmation when this option is enabled.
"Lock". - Displays another window which allows you to lock the ProcessGuard interface with a password. Without the password no-one can change any settings
Cheers. Pilli
gottadoit
January 2nd, 2005, 06:04 AM
-{ Quote: "Hi war59312, Both of those options are already available in the full version. :)
"Block new and changed". - Any application which you haven't allowed to always start will be blocked from running without a user confirmation when this option is enabled.
"Lock". - Displays another window which allows you to lock the ProcessGuard interface with a password. Without the password no-one can change any settings
Cheers. Pilli" }-
Pilli,
I read what war59312 said again and noticed that he was talking about "processes currently running" which is not at all what you responded to....
DCS,
A not so complete lockdown mode would be very useful
I would have thought "Block new and changed" would just perform the obvious english meaning of the words, but it does more
[Edit: I just read the dialog box that comes up when you enable the block new and changed and it does explicitly say that it will only allow permit always programs to be run... I had been lazy and not read that dialog box before... too many little things to read]
There have been several other threads where the merits of Permit Once have been put forward and the arguments are quite reasonable so I have been doing it that way (for a reference to one of them see rundll32 (http://www.wilderssecurity.com/showpost.php?p=335331&postcount=15))
However, now that I am fairly confident that the bulk of the programs that I will be using have been executed at least once, I would like to "lock down" the executable to the Permit Once and Permit Always list and still be prompted on my Permit Once items
This request becomes more meaningful when you consider that I allow things like Internet Explorer and Outlook Express on my Permit Once list because they get executed on occasions but I don't want them available for malware (or poorly written software that doesn't check my default browser) to launch without intervention
rundll32 is in the same category of being a Permit Once item and that is required for many things from control panel applets to registering removable harddrives when they are inserted
Without multiple profiles (see earlier request which I haven't complained about for a good while now...) it is somewhere between hard and annoying to do it myself to have an "install" set of privs that asks lots of questions and a "secure running" set of privs that doesn't
All I can say is roll on TDS-4 so that attention can come back to the next point release of PG...
kareldjag1
January 3rd, 2005, 07:44 AM
Hello,
I was using the old version of PG; consequently my brain was not on the right page to understand some posts!
In the 3.100 version there is no "once" button.
Perhaps the DCS team would like PG to be easier for newbies.
But advanced users could be quite disappointed.
With a much less powerful firewall application than PG (Safe'n'Sec) that I've tested recently, it offers choices like:
*permit/deny in this session
*permit/deny now/always
*only this action.
For Gottadoit: perhaps a complete lockdown mode is useful when our family members or friends are using our PC.
There's another wish for PG: a free tool like Winsonar2004 has the ability to kill any unknown process during an internet connection.
It's a powerful function (no leaktest can bypass it) that would be great to integrate in PG.
For more information: http://digilander.libero.it/zancart/winsonar/odyframe.htm
But advanced users could use free utilities with PG:
*Sysinternals tools,
*APIMonitor: http://www.rohitab.com/apimonitor/
*APIS32: http://www.matcode.com/apis32.htm
Trust-no-exe(executable filter):
http://www.beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm
But a multi-layered defence based on PG is quite sufficient for most users!
Happy new year, especially for the suffering people of Asia.
Regards
gottadoit
January 5th, 2005, 01:06 PM
To perhaps clarify my request for different lockdown modes and report what looks a little like a bug ...-{ Quote: "
For Gottadoit:perhaps a complete lochdown mode is useful when our member's family or friends are using our PC.
" }-
I don't have an issue with the "complete" lockdown mode that is there (via block new/changed programs), it just hasn't been named in an intuitive way
It also isn't useful to me (and possibly others) the way my use of PG has evolved, I can see its purpose and it has its place in the scheme of things - its just not useful to me unless I can swap between different profiles...
I would like to see an additional mode (for trusted family and friends)
#1 Enforce currently defined security rules and allow no changes via dialog box prompts or via the GUI
prompt before allowing execution of any existing permit once executables (as usual)
don't allow any changes to the security or protection lists in this mode (via on screen dialog boxes or the PG GUI) just enforce what is there
ie: don't allow any new or changed applications to be executed; don't allow permit once to be changed to permit always, don't allow changes to privileges
And that leads me to the behaviour I uncovered while investigating this. I'm wondering if this a bug or if I am misunderstanding the intent of the "Lock" functionality in the GUI
The "Lock" function on the Main tab describes itself as
-{ Quote: ""You can lock down the ProcessGuard interface so no-one can change any of your settings. Simply enter a password to lock it, and when you want to unlock it, simply re-enter your password"" }-
I did a little bit of testing to see exactly what Lock did (thinking that PG might already do what I wanted) and this is what I found...
When the PG interface is "locked" entries in the "Security" tab can be changed even though the "Security" tab has been hidden from view
Specifically, once PG presents its allow/deny dialog box it becomes possible for:
existing Permit Once entries to be changed to Permit Always or Deny [Once|Always]
new entries for executables to be added, either as "Permit Always" or "Permit Once"
It is understandable why new/changed apps can still run seeing as there is a specific setting to control this, it might be worthwhile updating the description to point that out for people like me that just read descriptions and take them at face value...
If "Lock" actually did what the text box description implies then it would have implemented what I am asking for....
azumi21
January 6th, 2005, 05:06 PM
-{ Quote: "Hello,
I was using the old version of PG; consequently my brain was not on the right page to understand some posts!
In the 3.100 version there is no "once" button.
Perhaps the DCS team would like PG to be easier for newbies.
But advanced users could be quite disappointed.
With a much less powerful firewall application than PG (Safe'n'Sec) that I've tested recently, it offers choices like:
*permit/deny in this session
*permit/deny now/always
*only this action.
For Gottadoit: perhaps a complete lockdown mode is useful when our family members or friends are using our PC.
There's another wish for PG: a free tool like Winsonar2004 has the ability to kill any unknown process during an internet connection.
It's a powerful function (no leaktest can bypass it) that would be great to integrate in PG.
For more information: http://digilander.libero.it/zancart/winsonar/odyframe.htm
But advanced users could use free utilities with PG:
*Sysinternals tools,
*APIMonitor: http://www.rohitab.com/apimonitor/
*APIS32: http://www.matcode.com/apis32.htm
Trust-no-exe(executable filter):
http://www.beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm
But a multi-layered defence based on PG is quite sufficient for most users!
Happy new year, especially for the suffering people of Asia.
Regards" }-
Thanks for the links of those very useful programs!
Defenestration
January 6th, 2005, 06:11 PM
I think SMH should be more configurable. eg. it should be possible to disable the X title bar handling, while still having customized SMH confirmations. The reason - Some apps allow you to minimize to the tray when clicking on the X (eg. KAV) so you wouldn't want confirmation in this instance. However, you might still want SMH on this app for a menu item in its tray icon.
Another SMH related problem I've come across is -
If I start the on-line help from within a SMH protected program, then when I try to quit the help window (by clicking X in title bar), I get the SMH confirmation dialog even though I haven't configured it for the help. I assume it's because the program is the parent process and so PG sees it as me trying to close the program instead of the help.
gottadoit
January 6th, 2005, 11:59 PM
-{ Quote: "Thanks for the links of those very useful programs!" }-
azumi21,
Make sure you look at what else is on each site and possibly even try the programs out on a non-critical machine in order to get an idea of how much you can trust the author... that goes for any program not just API watching or Security programs
I'm not saying anything for or against those sites as I don't have any references for them yet... it's worth having a look around some of the security sites and googling to see if any of the "experts" have any opinions on the programs before you expose your computer to them....
gottadoit
January 7th, 2005, 05:14 AM
-{ Quote: "I think SMH should be more configurable. eg. it should be possible to disable the X title bar handling, while still having customized SMH confirmations. The reason - Some apps allow you to minimize to the tray when clicking on the X (eg. KAV) so you wouldn't want confirmation in this instance. However, you might still want SMH on this app for a menu item in it's tray icon.
Another SMH related problem I've come across is -
If I start the on-line help from within a SMH protected program, then when I try to quit the help window (by clicking X in title bar), I get the SMH confirmation dialog even though I haven't configured it for the help. I assume it's because the program is the parent process and so PG sees it as me trying to close the program instead of the help." }-
If you look back a-ways you'll see a similar request that I made and from what I could gather Jason either didn't understand why I was asking or he didn't want to understand why...
Have a look back at this thread, posts 98, 99 and 100 (http://www.wilderssecurity.com/showthread.php?p=306832&highlight=insert#post306832) where I asked about having a DELETE variant to go with the INSERT that would allow us to remove SMH behaviour for various actions on the application
I was looking mainly at being able to do it for dialog boxes/pop up windows to avoid HID confirmations for windows that have already been destroyed, I don't see why the same thing wouldn't apply in the example you just gave
Jason made the very valid point that unless these SMH modification actions were controlled then malware could selectively remove SMH protection
One fairly obvious way of ensuring that would not happen is to use HID interaction to confirm changes like this whilst we are "training" PG
In some ways it would be nice to get visual confirmation when we use the INSERT modifier as well so that we know it has happened... a balloon alert would do and an entry in the alert log would be useful
Once you start messing with SMH for different parts of the application it also becomes obvious that it would be nice to be able to see what has been defined (and it would also make it easier to communicate to others and record for our own re-use at a later point in time)
In your other thread (http://www.wilderssecurity.com/showthread.php?t=61121) where you brought this up, Pilli started making point suggestions about specific instances of why this generalised feature wasn't necessary (some of which you rebutted) and I think that just highlights the fact that more fine grained control over SMH would be a useful feature for those people that care to train some applications more finely to give them an extra layer of security
karaldjag1
January 7th, 2005, 05:20 AM
Hi,
*Firstly, thanks Gottadoit for your opinion about free and paid versions.
And I want to apologize for talking about the old version. It's not ethical at all.
I've decided to buy a full licence of PG (I'm waiting for an e-mail from DCS Sales).
Why have I chosen PG?
Simply because it's the most exhaustive and powerful of all the infection prevention systems (no updated signatures) that I've ever tested.
Some of those softs are never mentioned on the Wilders forum (list by PM only), but most of them are easily bypassed with the usual hacking methods (process termination, dll injection...).
That's not the case for PG, which protects itself against advanced attacks.
And I really agree that when we find a great soft, we should make an effort to buy it. That's the best way to support it and to reward very good work.
*For the links: I will never mention any software that I haven't tested myself (I'm a beta-tester of Winsonar).
And I hope that some users will agree with me: there's no incorruptible and unbypassable system. It's a question of time and resources (DDoS).
Even with thousands of protections like API monitoring or integrity checkers.
As I said, PG with the usual protections is enough for most home users.
*To stay on the subject:
*Protection of DCSPGSRV (PG service)
To prevent deactivation of this service (by anyone who has physical access to our PC), it's possible to protect it manually:
- service configuration, Recovery tab: first failure: restart the service
- second failure: restart the service
- third failure: turn off the computer.
But is it possible to integrate this configuration automatically with the installation of PG?
*An integrity checking scan (SHA-1) of all files: on demand,
and automatically on Windows start-up and before Windows shuts down.
Thanks for this forum and pardon me for my mistakes (English or computing).
Regards
gottadoit
January 7th, 2005, 05:57 AM
-{ Quote: "Hi,
*For the links:i will never mention any software that i'd never tested myself(i'm a beta-tester of Winsonar).
" }-
karaldjag1,
Like I said it was nothing personal against the sites or yourself for suggesting them, it always pays to do some research before using something new
Also I was wondering if there was any reason you are still appearing as a Guest and haven't registered your login name ?
Regards
kareldjag
January 7th, 2005, 09:21 AM
Hi,
When i want to reply to a post, i log in.
But when I'm quite long and slow, I get logged out automatically and kareldjag becomes kareldjag1. That's the only reason.
A friend of mine (a dev.) said that what is notionally possible is sometimes not possible to develop concretely in reality.
That's why I'll abandon this wish list theme.
ProcessGuard could not be an "all in one against all" (attacks).
But just share your knowledge, it's a little door to immortality.
Regards.
earth1
January 14th, 2005, 03:53 PM
If the "Show Extra Information" box on the Permit/Deny security screen used a slightly larger font, I wouldn't be using my magnifying glass nearly so often. Once you've seen that screen a few times, the most important information is the hardest to read. Watching everyday command line parameters illuminates what really happens when I click icons. It would be great if I could follow along without having to scan my arm across the screen too. :)
solarpowered candle
January 14th, 2005, 10:06 PM
to be able to right click on task bar icon and chose "trusted installation" for the installation of trusted software.
Paranoid2000
January 15th, 2005, 03:19 AM
-{ Quote: "If the "Show Extra Information" box on the Permit/Deny security screen used a slightly larger font, I wouldn't be using my magnifying glass nearly so often. Once you've seen that screen a few times, the most important information is the hardest to read." }-I'd agree with this one. The print is rather small. I would also suggest adding a "Permit with these parameters" option (which would allow future execution with the same details but prompt otherwise) to cover frequently used (i.e. tiresome to permit/block once) but not-completely-trusted programs (as discussed in Rundll32.exe - To Permit or not? (http://www.wilderssecurity.com/showthread.php?t=59185)).-{ Quote: "to be able to right click on task bar icon and chose "trusted installation" for the installation of trusted software." }-May I respectfully cast a vote against this one? This creates two problems - the very practical one of having to disable the "trusted" mode at the end of an install (all too easy to forget) and the (currently) more theoretical problem of it opening the door to PG-aware malware compromising your system (waiting until a program installation would be the ideal time to attempt file or registry alterations). A more secure option would be an interactive mode where PG would prompt on whether a hook/service install should be allowed (like with Execution Protection prompts - this is how System Safety Monitor handles them).
On the SMH side of things, the human verification popup could include some more explanatory text like PG2's did (e.g. "To prevent malware from carrying out this action, user verification is needed. If you wish to proceed with this, please enter the 5-letter sequence below to confirm."). The current information is not as clear and quite intimidating for new users ("Window class? Message type? What's that?") so could be replaced with more recognisable information (e.g. window titlebar contents, user-specified description for INS-learnt actions) with the raw detail available via a More Info button.
Finally on the graphics side, could we please have the 3.000/3.050 scrollbars back? The 3.100 ones IMHO look like escapees from the 1980's Apple Macintosh, clash with the rest of PG's graphics, aren't skinnable by WindowBlinds and won't work with mouse scrollwheels.
Paranoid2000
January 15th, 2005, 05:42 AM
Another SMH-related option - add the option to require a password rather than the 5-letter confirmation. This could be a very useful facility for shared computers to prevent certain programs from being shut down - e.g. a family computer could use this to prevent Junior from shutting down the firewall or web filter.
nick s
January 15th, 2005, 09:41 PM
-{ Quote: "But just share your knowledge, it's a little door to immortality." }-Very true :).
Nick
Peter2150
January 16th, 2005, 09:20 AM
-{ Quote: "
On the SMH side of things, the human verification popup could include some more explanatory text like PG2's did (e.g. "To prevent malware from carrying out this action, user verification is needed. If you wish to proceed with this, please enter the 5-letter sequence below to confirm."). The current information is not as clear and quite intimidating for new users ("Window class? Message type? What's that?") so could be replaced with more recognisable information (e.g. window titlebar contents, user-specified description for INS-learnt actions) with the raw detail available via a More Info button." }-
Come on guys. If a lot of these types of request were added DCS could turn PG into bloatware like some of the well known products on the market. This issue shouldn't be at all confusing IF Mr newbie would just read the helpfile.
I for one would hate to see this code get bloated to make the program so it could be run by a brain dead newbie who won't read. This might sound harsh, but I am afraid I don't have much sympathy for the newbie who wants everything handed to him so he has to make no effort.
Pete (climbing back off the soapbox) :D
gottadoit
January 16th, 2005, 12:28 PM
-{ Quote: "Come on guys. If a lot of these types of request were added DCS could turn PG into bloatware like some of the well known products on the market. This issue shouldn't be at all confusing IF Mr newbie would just read the helpfile.
I for one would hate to see this code get bloated to make the program so it could be run by a brain dead newbie who won't read. This might sound harsh, but I am afraid I don't have much sympathy for the newbie who wants everything handed to him so he has to make no effort.
Pete (climbing back off the soapbox) :D" }-
Pete,
<hastily picking up discarded soapbox>
I think you might possibly have replied to the wrong post ;-), the bulk of that suggestion was about adding a bit more *text* and you are referring to code bloat
On a lighter note, DCS are most probably giving considered thought to everything that is posted here and by not responding at all they are not obliged to do anything, least of all make choices that would result in code bloat
Personally I'd think that they are a bit smarter than that given the responses I have seen to date. They seem to have identified their target market and hence the set of "useful" features that they are considering
nb: pure speculation based on several posts, one of which was about WFP
If it turns out that their target market includes "dumb newbies" then nothing anyone says here will change the onset of features to help market the product :-)
</hastily picking up discarded soapbox>
earth1
January 18th, 2005, 06:40 PM
I just want to second P2K's suggestion that rundll32 have multiple instances of security approval, where each permit/deny decision is relevant only to an invocation of rundll32 that uses exactly the same parameters.
iceni60
January 19th, 2005, 11:53 AM
hi, :) can you make it so the popups are movable? as talked about in this (http://www.wilderssecurity.com/showthread.php?t=61760) thread. thanks.
gottadoit
January 24th, 2005, 12:40 AM
Some GUI suggestions to make it even more useful
In the Security tab add an extra column "Last Modified" with a date (just like last run)
Add to the right click menu, an entry to show "previous" properties to bring up a properties window of what the properties were prior to the last modification. An extension to this that would take a little more work would be to open a custom window showing the current and previous "properties" side by side with differences highlighted (this could be fairly useful)
In the Alerts window, add a right click menu (very similar to the one on the security tab) to allow the selected program to be manipulated from that window without having to switch tabs and go and find it again
Alternately a double click on an item in the Alert tab could take you through to the entry for this program in the security tab (if it was there and add it and take you to it if it wasn't already there) at which point you could do the same thing
A logging omission :
When programs are allowed to run without operator authorisation during startup (Permit Once - Unable to ask user) the corresponding entry in the text logfile does not show that it was "Unable to ask user", it doesn't even show that it was a permit once item either and the permit once/always could usefully be logged. Having this would enhance the usefulness of the logfile for forensic analysis
[NB: I would really like a way to stop this happening, once "learning" mode is over and done with I would prefer explicit authorisation]
A logging enhancement request :
When a program is found to have changed, output a small table of the differences found (nb: requires PG to be storing and comparing the information presented in a "Properties" display), while not comprehensive it would be a very good start for someone using the logfile to see what has happened (to the core executable at least)
ReTheOff
January 25th, 2005, 02:24 PM
First off let me say, YES! This product is the best I have seen so far!
But, I do have one suggestion. I know that DCS has the Wormguard product, but installing that, to me, is not going to achieve my goal. My goal is to find THE product that can stop us from paying this Bugware Tax. ProcessGuard is the closest thing I can find to doing this by stopping execution and giving the user the control they should have had from MS.
Anyway, my suggestion is that ProcessGuard be extended to allow or deny scripts. Anything executed by cscript.exe, wscript.exe, or cmd.exe. In a business network, you might have logon scripts or other automation, so you will need to allow execution of those programs from cscript.exe. ProcessGuard does not protect from unwanted scripts. If it did, it would most certainly be perfect!
It would be very easy to write a vbs script and have it delete files or download other scripts to run, and ProcessGuard would allow it. Having to buy Wormguard or other AV software just makes you pay the Bugware Tax even more. Maybe ProcessGuard can't or shouldn't do this, but it would be nice if it could.
Pilli
January 25th, 2005, 02:30 PM
-{ Quote: "Maybe ProcessGuard can't or shouldn't do this, but it would be nice if it could. " }- Nice idea :) I too prefer prevention rather than cure; as you correctly state, a stopped bug is harmless. We certainly must reach a stage shortly with all the definition updates for viruses, spyware, Trojans etc where we are spending more time scanning our machines than actually using them! ;D
Cheers. pilli
earth1
January 30th, 2005, 12:20 AM
Thanks, Jason, for suggesting we try allowing trusted programs via "Permit Once". I like it for internet apps, but I've discovered that with permit once, PG no longer compares the program's checksum to its "last run" value. Ideally, I think PG should be able to apply both permit-once and checksumming in tandem. Otherwise, it seems, I close one hole only to open another.
redwolfe_98
January 31st, 2005, 08:56 AM
something that i think should be added to PG is for there to be a confirmation dialog before removing items from "protection" to help to prevent inadvertently removing something that you do not actually want to remove..
war59312
February 4th, 2005, 05:53 PM
-{ Quote: "Pilli,
I read what war59312 said again and noticed that he was talking about "processes currently running" which is not at all what you responded to....
DCS,
A not so complete lockdown mode would be very useful
I would have thought "Block new and changed" would just perform the obvious english meaning of the words, but it does more
[Edit: I just read the dialog box that comes up when you enable the block new and changed and it does explicitly say that it will only allow permit always programs to be run... I had been lazy and not read that dialog box before... too many little things to read]
There have been several other threads where the merits of Permit Once have been put forward and the arguments are quite reasonable so I have been doing it that way (for a reference to one of them see rundll32 (http://www.wilderssecurity.com/showpost.php?p=335331&postcount=15))
However, now that I am fairly confident that the bulk of the programs that I will be using have been executed at least once, I would like to "lock down" the executable to the Permit Once and Permit Always list and still be prompted on my Permit Once items
This request becomes more meaningful when you consider that I allow things like Internet Explorer and Outlook Express on my Permit Once list because they get executed on occasions but I don't want them available for malware (or poorly written software that doesn't check my default browser) to launch without intervention
rundll32 is in the same category of being a Permit Once item and that is required for many things from control panel applets to registering removable harddrives when they are inserted
Without multiple profiles (see earlier request which I haven't complained about for a good while now...) it is somewhere between hard and annoying to do it myself to have an "install" set of privs that asks lots of questions and a "secure running" set of privs that doesn't
All I can say is roll on TDS-4 so that attention can come back to the next point release of PG..." }-
I agree! :)
war59312
February 4th, 2005, 05:53 PM
Please make ProcessGuard remember the darn window size and location and if its maximized or not.
Sick of having to resize and replace window on screen after every reboot. :(
Pilli
February 5th, 2005, 03:00 AM
Hi, To save the window size you need to "Exit" the GUI so that the settings are remembered. Just closing or clicking the X will not do it ;) When you re-start the ProcessGuard GUI your window size should have been remembered.
Pilli
Defenestration
February 5th, 2005, 03:52 AM
-{ Quote: "Hi, To save the window size you need to "Exit" the GUI so that the settings are remembered. Just closing or clicking the X will not do it ;) When you re-start the ProcessGuard GUI your window size should have been remembered.
Pilli" }-
Why don't they just make it so that the GUI settings are saved when the X is clicked ?!
Pilli
February 5th, 2005, 06:32 AM
-{ Quote: "Why don't they just make it so that the GUI settings are saved when the X is clicked ?!" }- Because this method was requested by users, your firewall & AV almost certainly do it the same way. It is added security unless you specifically want to close the GUI - This occurs quite often in service type programs.
KAV, NOD32, Tiny, Kerio, SpyWareGuard, Giant(MS) to name a few ;D
Defenestration
February 5th, 2005, 08:14 AM
-{ Quote: "Because this method was requested by users, your firewall & AV almost certainly do it the same way. It is added security unless you specifically want to close the GUI - This occurs quite often in service type programs.
KAV, NOD32, Tiny, Kerio, SpyWareGuard, Giant(MS) to name a few ;D" }-I'm not suggesting they change what happens when the X is clicked (ie. it should still minimize to tray icon), just that they should also save the window size and position when the X is clicked. Surely there is no security risk in doing this ?!
Pilli
February 5th, 2005, 08:32 AM
-{ Quote: "I'm not suggesting they change what happens when the X is clicked (ie. it should still minimize to tray icon), just that they should also save the window size and position when the X is clicked. Surely there is no security risk in doing this ?!" }- Jason explained this somewhere else, it is the way that windows works and cannot be easily accomplished. It is either or so to speak :)
gottadoit
February 5th, 2005, 08:51 AM
-{ Quote: "Jason explained this somewhere else, it is the way that windows works and cannot be easily accomplished. It is either or so to speak :)" }-
Maybe its just me, but ....
a window resize is an event that is handled by the application
waiting for the program to exit (or the x to be clicked) before saving this particular bit of state information seems somewhat of a sub-optimal way to do it given that the program cannot trap all exit points
Just another one of those situations where the problem is hard to solve unless you have a clear problem definition, which in turn generally leads to changing the way the solution is considered.
In this case you don't even need to know anything about Windows programming to reason out the solution...
Defenestration
February 5th, 2005, 09:04 AM
It certainly is possible. As gottadoit states, a window resize is simply an event sent to the application. The same is also true when the X is clicked.
I would not save the window state on a window resize because that would mean the state was saved too often and become inefficient.
However, saving the state when the X is clicked would be easy to achieve and still be efficient. All they have to do is add the required code (which they have already coded) to save the window state when this event/message is received.
It would be a 5 minute job to do.
Pilli
February 5th, 2005, 09:18 AM
In that case I stand corrected and we shall have to await Jason's response ;D
gottadoit
February 5th, 2005, 09:32 AM
-{ Quote: "In that case I stand corrected and we shall have to await Jason's response ;D" }-
Might be a long wait, statistics aren't on your side here looking at the number of responses from Jason in this thread so far
NB: I'm sure he reads the thread... ;-)
war59312
February 9th, 2005, 01:39 AM
-{ Quote: "Hi, To save the window size you need to "Exit" the GUI so that the settings are remembered. Just closing or clicking the X will not do it ;) When you re-start the ProcessGuard GUI your window size should have been remembered.
Pilli" }-
oh ok...
still think it should be added ;)
Wijly
February 11th, 2005, 07:00 PM
Please can you implement the following idea(s) into Process Guard ASAP...
1. The ability to see in real time what is global hooking and give option to stop (even if on a reboot to complete)
2. Protection for the registry / service information of Process Guard itself and Optionally maybe other services from being altered, Eg a program changes the registry in system and currentcontrol set and services and changes the file name of important files / drivers / exe's for itself (process guard)
Please email me at as_crucker8 at yahoo dot com with your thoughts / plans
Wijly
~email address modified....Bubba~
PG#1
February 12th, 2005, 04:57 PM
It seems that dcsmutex.exe is pretty changed/updated after TDS3 updating db; under PG protection, blocking new/change exe enabled, tds startup scan shows mutex found in memory for the changed dcsmutex.exe is blocked from running. Is it safe to implement another option "frequently change" into PG?
thx.
hojtsy
February 12th, 2005, 05:49 PM
-{ Quote: "
2. Protection for the registry / service information of Process Guard its self and Optionally maybe other services from being altered, Eg a program changes the registry in system and currentcontrol set and services and changes the file name of important files / drivers / exe's for Its self (process guard)" }-Already both the files and registry entries of Process Guard have very strong protections against alterations. But I agree that it would be an interesting new feature to extend this protection to registry entries and files of your other protected applications. Especially knowing that the engine is already there in Process Guard.
-hojtsy-
Yo . . .
February 12th, 2005, 08:55 PM
Actually i test software, and get my friend to buy software for me to test ;) (nice to have rich friends!) and i wrote a small site for instructions for the most complete security i can find at this time, The link is http://www.chums-of-kandi.netfirms.com/security But i must stress that in order to actually "do it" you will have to either try it with any demo releases or buy the software ALSO i did this for some friends for info In the process guard i PERSONALLY tick all the advanced options (memory, root kit etc) please check the pages out and let me know what you think about it. I provide this info for INFORMATION SAKE and if you decide to actually implement it i take no responsibility for any damage, Its JUST INFO on what i found and how i did it.
Please email me at computersoftitian@yahoo.co.uk with your thoughts.
Khaine
February 16th, 2005, 12:25 AM
With SHA-1 being broken, can we see process guard migrate to another hashing function, maybe whirlpool ? or SHA-256/512 (may have similar flaws as SHA1)
war59312
February 16th, 2005, 06:40 AM
How about a button to get rid of old applications that are still listed in both the Protection and Security that have since been deleted.
Or even better make it automatically. Of course an option to disable and enable. ;)
Thanks,
Will
Pilli
February 16th, 2005, 08:27 AM
-{ Quote: "With SHA-1 being broken, can we see process guard migrate to another hashing function, maybe whirlpool ? or SHA-256/512 (may have similar flaws as SHA1)" }- ProcessGuard uses MD5 and is still fine for doing executables as far as I am aware. :)
gottadoit
February 19th, 2005, 09:26 AM
-{ Quote: "ProcessGuard uses MD5 and is still fine for doing executables as far as I am aware. :)" }-
I replied in another thread (http://www.wilderssecurity.com/showthread.php?p=377088#post377088) about this, but seeing as a fair chunk of the post was something that could be done with PG, I thought I'd put the request in here as well
How about PG protecting against potential hash collision threats by adding a twist (or two), it doesn't sound very complicated but may add some value ....
#1: When computing the hash for an executable add the license key to the start of the data stream
this would effectively randomise the first block of data making precomputed checksums non-generic
it would also need some extra code to manage the transition between the existing licensed PG and free PG (which wouldn't have this) and the newer licensed PG which would generate different checksums. So ideally this would be optionally switched on and at the point of enabling the feature all the binaries could be re-checked and a new checksum computed (if they were still the same)
#2: Compute more than one hash value for a file
If the hash computation is done for the full file and also against different chunks of a file then precomputing things becomes much harder
If the size of each chunk is varied in some way between different installations, then it would be more computationally expensive to attack PG by precomputing a hash (seeing as it would need to be done at least twice)
Once again by different installations using varying sized "chunks", the malware needs to somehow make sure it fits inside the first "chunk" in order to avoid detection and seeing as the chunk size is hard to determine it makes the attack harder
If the license key is used to vary the chunksize then the hash computations will still be the same for a home user with a right to use license for all their home PC's and presumably for a business user that is purchasing multiple user licenses
In terms of cost of computation of this suggestion it could all be done in one pass of the file
By varying the chunksize by installation and adding an non-generic element at the start of the stream, it stops a generic precomputed hash being generated, users would have to be targeted individually
Seeing as its a potential threat atm, doing this would be more of a future-proofing and peace of mind enhancement so that next time a security researcher finds a way to bypass a hashing algorithm, there won't be a generic zero day exploit for PG
Paranoid2000
February 19th, 2005, 09:50 AM
-{ Quote: "How about PG protecting against potential hash collision threats by adding a twist (or two), it doesn't sound very complicated but may add some value ....
#1: When computing the hash for an executable add the license key to the start of the data stream" }-This would make the pguard.dat and pghash.dat files user/licence-specific which could be a problem for companies trying to distribute a "standard" Process Guard configuration and would also prevent using these files for a licence upgrade (from single to unlimited use for example). Given these possible downsides, this addition should be made optional.-{ Quote: "#2: Compute more than one hash value for a file" }-This could be worthwhile if different algorithms were used but would impose a performance penalty - for this reason I would suggest making this optional also.-{ Quote: "Seeing as its a potential threat atm, doing this would be more of a future-proofing and peace of mind enhancement so that next time a security researcher finds a way to bypass a hashing algorithm, there won't be a generic zero day exploit for PG" }-The weaknesses uncovered in SHA and MD5 do not provide for any zero-day exploits as such. What they do mean is that an attacker who knows your existing signatures may (with a great deal of effort) be able to craft a file that matches one of them.
For this to be a realistic exploit on PG-users, attackers would have to select a file known to be used by a large number of people (e.g. a Windows system file like userinit) but since different versions exist (due to the version of Windows installed and patches subsequently applied), at best only a small section of the PG-using community could be affected by a single signature collision. However "individualising" signatures by including the licence could tighten things up further and could be a useful option for the full version of PG (since the free one would have no licence).
So while this is a potential issue, the work involved and the limited scope does suggest that this is never going to be a universal compromise and other means of attack are far more likely to be used (e.g. an attacker integrating a trojan with a legitimate software install which you then choose to allow with PG).
gottadoit
February 19th, 2005, 10:49 AM
-{ Quote: "This would make the pguard.dat and pghash.dat files user/licence-specific which could be a problem for companies trying to distribute a "standard" Process Guard configuration and would also prevent using these files for a licence upgrade (from single to unlimited use for example). Given these possible downsides, this addition should be made optional.
...snip..
So while this is a potential issue, the work involved and the limited scope does suggest that this is never going to be a universal compromise and other means of attack are far more likely to be used (e.g. an attacker integrating a trojan with a legitimate software install which you then choose to allow with PG)." }-
I did suggest that it would need to be optional for those very reasons
I don't agree with you on the limited scope aspect of your argument, mainly because a decent segment of the population will be able to be targeted using either a totally unpatched version of the O/S or one on the latest patchset
There are a lot of ppl in between but Microsoft will get the message out sooner or later that people need to patch and those that don't understand have probably never patched
To be fair the actual work involved in having an extra few variables to run several hash computations at once is not particularly mind blowing, there would be a bit of messing around in the GUI and a bit of documentation, but hardly an earth shattering effort
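As an added illustration of the two twists proposed a few posts up (prefixing the licence key to the hashed stream, and hashing per-installation-sized chunks in the same pass), here is a small Python model. It is written for this thread, not DCS's code; nothing here says how ProcessGuard actually computes its checksums, and the licence strings, the chunk-size derivation and the sample "executable" bytes are all constructed for the example. What it shows: the same file produces a different full digest on every installation because the key is fed to the hash before the file, and a change anywhere in the file is pinned to the chunk it lands in. For a Merkle-Damgard hash such as MD5 or SHA-1, a prefix the attacker does not know also changes the internal chaining value that every later block is computed from, so a colliding block pair precomputed against the bare algorithm no longer collides behind it. The chunk digests themselves are unkeyed, so they only add work for an attacker as long as the chunk boundaries stay unpredictable; the keyed full digest remains the primary check.

```python
import hashlib

MIN_CHUNK = 4096       # smallest per-installation chunk (4 KiB)
CHUNK_SPREAD = 61440   # chunk size varies up to 64 KiB between installations


def chunk_size_for(key: bytes) -> int:
    """Derive the chunk size from the licence key so two installations slice
    the same file differently (hypothetical derivation, not DCS's)."""
    k = int.from_bytes(hashlib.md5(key).digest()[:4], "big")
    return MIN_CHUNK + (k % CHUNK_SPREAD)


def keyed_digest(data: bytes, key: bytes, algorithm: str = "md5") -> dict:
    """Single pass over the file: one digest of key||file (suggestion #1) and
    one digest per key-sized chunk (suggestion #2)."""
    size = chunk_size_for(key)
    full = hashlib.new(algorithm)
    full.update(key)                  # licence key prefixed to the stream
    chunks = []
    for off in range(0, len(data), size):
        piece = data[off:off + size]
        full.update(piece)
        chunks.append(hashlib.new(algorithm, piece).hexdigest())
    return {"algorithm": algorithm, "chunk_size": size,
            "full": full.hexdigest(), "chunks": chunks}


def verify(stored: dict, data: bytes, key: bytes):
    """Re-hash and compare. Returns (ok, first_changed_chunk); the index is
    None when the file is unchanged and -1 when only the chunk count changed."""
    fresh = keyed_digest(data, key, stored["algorithm"])
    if fresh == stored:
        return True, None
    for i, (old, new) in enumerate(zip(stored["chunks"], fresh["chunks"])):
        if old != new:
            return False, i
    return False, -1


def sample_files(key: bytes):
    """Constructed stand-ins for an executable and a tampered copy of it; the
    tampering sits in the third chunk so the first two chunks still match."""
    clean = b"MZ" + bytes(range(256)) * 800           # ~200 KB of filler bytes
    tampered = bytearray(clean)
    start = 2 * chunk_size_for(key)
    tampered[start:start + 16] = b"\x90" * 16         # patch 16 bytes in chunk 2
    return clean, bytes(tampered)


if __name__ == "__main__":
    licence_a = b"PG-0000-0000-AAAA"   # constructed licence strings, not real keys
    licence_b = b"PG-0000-0000-BBBB"
    clean, tampered = sample_files(licence_a)
    stored = keyed_digest(clean, licence_a)
    print("unchanged file :", verify(stored, clean, licence_a))
    print("tampered file  :", verify(stored, tampered, licence_a))
    print("plain md5, same on every install:", hashlib.md5(clean).hexdigest())
    print("keyed digest, install A:", stored["full"])
    print("keyed digest, install B:", keyed_digest(clean, licence_b)["full"])
```

The plain MD5 line is the value an attacker could target generically today; the two keyed lines differ although the file is identical, which is the "users would have to be targeted individually" property the proposal is after. Rolling the scheme out would need the re-hash of all stored entries that gottadoit mentions, since every stored digest changes the moment a key is introduced.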
Yleas
February 25th, 2005, 09:00 PM
I would like to see Process Guard's execution protection monitor what programs try to individually run since this is the only reason I also use System Safety Monitor at the moment.
For example, if my email program (Outlook Express) decides to execute or spawn Internet Explorer or cmd.exe, I have System Safety monitor set to alert me allowing me to permit or deny.
Sometimes I don't want programs, for example Yahoo Messenger to be able to run anything else but I want to allow other programs to execute something. For example I would like to see Process Guard's execution protection allow me to prevent Yahoo Messenger from spawning Internet Explorer individually while still permitting me to run it directly.
Securitywise it would be good because you could prevent programs from executing cmd.exe or automatically spawning Internet Explorer to do a malicious act etc etc.
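Several requests in this thread describe the same mechanism from different angles: Paranoid2000's "Permit with these parameters" for rundll32, earth1's per-parameter approval, ReTheOff's control over what cscript.exe and wscript.exe may run, gottadoit's lockdown mode that still prompts for Permit Once items, and Yleas's wish to decide per parent which programs may spawn which. The Python below is an added model of such an execution policy, written for this thread and not taken from ProcessGuard; the rule format, the program names, the paths and the process-creation events are all constructed. First matching rule wins, so specific rules (exact parameters, a named parent) go before general ones; an event no rule covers is prompted in normal mode and denied in lockdown mode, while a rule that explicitly says "prompt" still prompts in lockdown.

```python
from dataclasses import dataclass
from typing import Optional

PERMIT, DENY, PROMPT = "permit", "deny", "prompt"


@dataclass(frozen=True)
class Rule:
    image: str                    # child executable name, or "*" for any
    parent: str = "*"             # parent executable name, or "*" for any
    params: Optional[str] = None  # exact parameters, or None for any
    action: str = PERMIT
    note: str = ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _norm(params: str) -> str:
    # Case and run-on whitespace are not significant on the Windows command line.
    return " ".join(params.lower().split())


def matches(rule: Rule, event: dict) -> bool:
    if rule.image != "*" and _basename(event["image"]) != rule.image:
        return False
    if rule.parent != "*" and _basename(event["parent"]) != rule.parent:
        return False
    if rule.params is not None and _norm(event["params"]) != _norm(rule.params):
        return False
    return True


def decide(event: dict, rules, lockdown: bool = False):
    """First matching rule wins. No match: prompt normally, deny in lockdown."""
    for rule in rules:
        if matches(rule, event):
            return rule.action, rule.note
    return (DENY if lockdown else PROMPT), "no rule for this execution"


# Constructed policy; order matters, specific rules first.
RULES = [
    Rule("*", parent="yahoomessenger.exe", action=DENY, note="messenger may not spawn anything"),
    Rule("cmd.exe", parent="msimn.exe", action=DENY, note="mail client may not open a shell"),
    Rule("wscript.exe", parent="iexplore.exe", action=DENY, note="no scripts from the browser"),
    Rule("cscript.exe", parent="iexplore.exe", action=DENY, note="no scripts from the browser"),
    Rule("cscript.exe", params=r"//nologo \\server\netlogon\logon.vbs", action=PERMIT,
         note="domain logon script"),
    Rule("cscript.exe", action=DENY, note="any other script"),
    Rule("wscript.exe", action=DENY, note="any other script"),
    Rule("rundll32.exe", params="shell32.dll,Control_RunDLL desk.cpl", action=PERMIT,
         note="display control panel applet"),
    Rule("rundll32.exe", action=PROMPT, note="rundll32 with other parameters"),
    Rule("iexplore.exe", parent="explorer.exe", action=PERMIT, note="browser started by the user"),
    Rule("iexplore.exe", action=PROMPT, note="browser started by another program"),
]

# Constructed process-creation events: who started what, with which parameters.
EVENTS = [
    {"parent": r"C:\WINDOWS\explorer.exe", "image": r"C:\WINDOWS\system32\rundll32.exe",
     "params": "shell32.dll,Control_RunDLL desk.cpl"},
    {"parent": r"C:\WINDOWS\explorer.exe", "image": r"C:\WINDOWS\system32\rundll32.exe",
     "params": r"C:\Temp\unknown.dll,Run"},
    {"parent": r"C:\WINDOWS\system32\winlogon.exe", "image": r"C:\WINDOWS\system32\cscript.exe",
     "params": r"//NoLogo \\SERVER\netlogon\Logon.vbs"},
    {"parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\WINDOWS\system32\wscript.exe", "params": r"C:\Temp\dropper.vbs"},
    {"parent": r"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "params": "http://example.com/"},
    {"parent": r"C:\WINDOWS\explorer.exe",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "params": ""},
    {"parent": r"C:\Program Files\Outlook Express\msimn.exe",
     "image": r"C:\WINDOWS\system32\cmd.exe", "params": "/c ping example.com"},
    {"parent": r"C:\WINDOWS\explorer.exe", "image": r"C:\Downloads\setup_new.exe", "params": ""},
]


def evaluate_all(events, rules=RULES, lockdown: bool = False):
    return [decide(e, rules, lockdown)[0] for e in events]


if __name__ == "__main__":
    for e in EVENTS:
        action, note = decide(e, RULES)
        print(f"{action:6} {_basename(e['parent'])} -> {_basename(e['image'])} "
              f"{e['params']}  ({note})")
```

Matching on the executable's name alone is deliberately simplistic; a real implementation would compare the checksum of the image on disk (as PG does) rather than its path, otherwise a copy of cmd.exe renamed to something unlisted would sail through the parent rules. Parameter matching is exact after normalisation, which is what "Permit with these parameters" asks for: the same rundll32 invocation is silent, a new one prompts.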
AJohn
February 25th, 2005, 10:16 PM
I agree with Yleas. It would be nice as long as it was an optional feature that could be turned on/off, because it would overlap features a lot of firewalls have (even if the firewalls only triggered the GUI to ask user to allow/disallow network access).
Mayor McCheese
March 6th, 2005, 10:47 AM
I just bought process guard and am really enjoying using it ...
But i was wondering, since processes can consist of quite a few components or modules - wouldn't it be a more accurate program if it was a component guard versus a process guard?
Or is Process Guard indeed checking individual Processes components?
thanks as usual.
earth1
March 7th, 2005, 12:48 PM
Just a reminder to remove the erroneous warnings of: "pgaccount.exe is not running...". It occurs whenever I log into a restricted account in every version of PG from v3.0 to v3.150. Not only does it misinform new users, but experienced users have grown accustomed to clicking "OK", "CANCEL", "CANCEL" and assuming it's the same old false alarm they get every day. If it really does fail to start, I probably won't notice.
It would also be nice to add a section to the help file for users who want access to PG's GUI from a restricted account. I have seen that question answered as, "You don't need the GUI to be protected." That's good to know, but it's not the point. When I need to change a setting in PG, I don't want to close ten programs and log on as Admin to change the setting, then log back in as User (re-enter my Admin password 2 times for "runas" ) and, finally, try to get back to where I started from. I think DCS will benefit from showing their users that it needn't be difficult to practice safe computing and use ProcessGuard. :)
EDIT: Yes, Jimmytop, I think you have the "real" version of the problem.. The GUI issue has a much better fix that's been described by several people, but it is still undocumented. See this post (http://www.wilderssecurity.com/showpost.php?p=368016&postcount=2)
jimmytop
March 7th, 2005, 01:08 PM
-{ Quote: "Just a reminder to remove the erroneous warnings of: "pgaccount.exe is not running...". It occurs whenever I log into a restricted account in every version of PG from v3.0 to v3.150. Not only does it misinform new users, but experienced users have grown accustomed to clicking "OK", "CANCEL", "CANCEL" and assuming it's the same old false alarm they get every day. If it really does fail to start, I probably won't notice.
" }-
I'm getting this error message AND the pgaccount.exe is NOT running. In other words, the error is true for me. I open the gui and it also notes in status that the pgaccount.exe is running. This happens when I switch from a limited user account to an admin account, even if I log out of the limited account. I posted it here and also emailed support. I'll let you know what I hear. But in my case, this does not appear to be a false warning.
-{ Quote: "
It would also be nice to add a section to the help file for users who want access to PG's GUI from a restricted account. I have seen that question answered as, "You don't need the GUI to be protected." That's good to know, but it's not the point. When I need to change a setting in PG, I don't want to close ten programs and log on as Admin to change the setting, then log back in as User (re-enter my Admin password 2 times for "runas" ) and, finally, try to get back to where I started from. I think DCS will benefit from showing their users that it needn't be difficult to practice safe computing and use ProcessGuard. :)" }-
Use "Fast User Switching" (if you're running XP). You don't have to shut anything down in the limited account to switch to the admin account.
EDIT: fixed the quoting that I messed up originally ::)
Paranoid2000
March 7th, 2005, 05:28 PM
-{ Quote: "Just a reminder to remove the erroneous warnings of: "pgaccount.exe is not running...". It occurs whenever I log into a restricted account in every version of PG from v3.0 to v3.150. Not only does it misinform new users, but experienced users have grown accustomed to clicking "OK", "CANCEL", "CANCEL" and assuming it's the same old false alarm they get every day. If it really does fail to start, I probably won't notice." }-I'd second this - I actually had a real problem due to installing an upgrade to a differently named folder (resulting in PG not running properly) but discounted this warning message initially since it was such an everyday event.-{ Quote: "It would also be nice to add a section to the help file for users who want access to PG's GUI from a restricted account. I have seen that question answered as, "You don't need the GUI to be protected."" }-I would strongly agree with having the option to run the GUI from a limited account. While using "Run As" to give it Admin access does work (with the spurious error message), it also leaves your system open to an escalation of privilege attack (any malware you mistakenly allow to run can use the PG UI to gain Admin access) though this could likely be addressed separately by having ProcGuard call the help file viewer externally as detailed in Bugtraq: HTML Help API - Privilege Escalation (http://seclists.org/lists/bugtraq/2003/Oct/0234.html).
Also the GUI is not really optional - you do not receive popup alerts without it so have no other way of being alerted when activity is blocked.-{ Quote: "Use "Fast User Switching" (if you're running XP). You don't have to shut anything down in the limited account to switch to the admin account." }-This still leaves the escalation of privilege vulnerability, plus the requirement of having to switch back to the admin account periodically to see any alerts.
kareldjag
March 8th, 2005, 03:04 PM
Hi,
I'm not sure to really understand this account privilege problem.
It's not a PG's weakness but a question of "hardening Windows".
There's others ways than DropMyRights or RunAs to limit privileges and rights on Windows (tools, policy configuration, registry...).
Here's one of them: RunAsAdmin (shell explorer, integrated on the systray as a key's icon):
https://sourceforge.net/docman/display_doc.php?docid=26314&group_id=127612
Regards
Paranoid2000
March 8th, 2005, 03:18 PM
-{ Quote: "It's not a PG's weakness but a question of "hardening Windows"." }-It's a bit of both - when accessing Help from an application, by default the Help window runs using the same account. It is relatively easy to access the command prompt from within Help allowing almost total freedom if an administrator account was used.
PG's problem is that the UI has to be run under the Admin user - this means that Help is then run as Admin. The fix is to either allow the UI to be run with a non-Admin user or to change the call to Windows Help so that administrator privileges are not inherited.
Other products that include a UI running under Administrator or LocalSystem accounts have had similar problems as the article highlights (e.g. Outpost firewall, which fixed this in version 2.5). It does require a coding change to PG itself though so using DropMyRights or RunAs won't help.
jimmytop
March 8th, 2005, 03:32 PM
-{ Quote: "Also the GUI is not really optional - you do not receive popup alerts without it so have no other way of being alerted when activity is blocked." }-
Unless I'm misunderstanding what you're saying, I can tell you that this is false. I run almost exclusively for everyday use in a limited user account. I DO get alerts if I run an application that is not already on the allow list. You are given the option to allow/deny and remember. The GUI icon is not there in the system tray so the limited user can't change PG settings via the GUI. But you do get alerts without having to switch to the Admin account. That is, unless the admin user has chosen to "Block new and changed program execution" - which solves the problem of non-admin users giving something access that they shouldn't be.
-{ Quote: "This still leaves the escalation of privilege vulnerability, plus the requirement of having to switch back to the admin account periodically to see any alerts." }-
Huh? Using fast user switching to go the admin account is no more dangerous than logging off the limited account and logging into the admin account. You just get to leave your limited account programs running if you use fast user switching....
Paranoid2000
March 8th, 2005, 03:40 PM
-{ Quote: "Unless I'm misunderstanding what you're saying, I can tell you that this is false." }-
You are misunderstanding what I said. ;) I specifically stated "popup alerts", meaning the ones visible from the PG system tray icon when an activity (hook, driver, physical memory access) is blocked. Aside from the Alerts log, no other indication is given by PG of this happening.
-{ Quote: "Huh? Using fast user switching to go the admin account is no more dangerous than logging off the limited account and logging into the admin account. You just get to leave your limited account programs running if you use fast user switching...." }-
The problem is not FUS, it is having the PG UI running under an Administrator account in the first place. Using FUS does nothing to change this.
jimmytop
March 8th, 2005, 04:03 PM
-{ Quote: "You are misunderstanding what I said. ;) I specifically stated "popup alerts" meaning the ones visible from the PG system tray icon when an activity (hook, driver, physical memory access) is blocked. Aside from the Alerts log, no other indication is given by PG of this happening." }-
Ah ok, I get it. I guess I don't miss all the background stuff when I'm in limited account. My wife and kids also use limited accounts so I would just as soon they not see them either. But I see where you're coming from. Sorry for my misunderstanding!
-{ Quote: "The problem is not FUS, it is having the PG UI running under an Administrator account in the first place. Using FUS does nothing to change this." }-
I guess I just don't see what the problem is with running the PG UI under admin. I run all my other security software under admin - AV, Antispyware, etc. If I want to administrate PG, I do it from the admin account. That's what it's for. I don't do administrative stuff from the limited account, unless I have to then I use MakeMeAdmin.
Paranoid2000
March 8th, 2005, 04:17 PM
-{ Quote: "I guess I just don't see what the problem is with running the PG UI under admin." }-There is a possibility of another process, script or macro using this to gain Admin access for itself via PG's Help. If you mistakenly allowed a malicious process to run, this could significantly increase the amount of damage it could do.
Since this is a generic issue with all programs that have a window running as Admin, the chance of someone producing an exploit for it is higher. On the other hand, you would have to allow such an exploit to run and PG's Help cannot be accessed using the F1 key.
earth1
March 10th, 2005, 07:22 PM
Currently, after clicking its Help button, PG prompts me to Permit/Deny the execution of hh.exe on procguard.chm. If an exploit manages to trigger PG's help system in order to hijack procguard's privilege level, would I see an unexpected Permit/Deny query? If so, would it be for hh.exe or for some other program? If hh.exe, would it have different command-line parameters? Just wondering what this attack would look like if it happened.
Thanks, P2K for the heads up. I agree that it would be better if procguard.exe can be made to run under a restricted user account.
war59312
March 10th, 2005, 08:41 PM
Work correctly with PB. ;)
Paranoid2000
March 10th, 2005, 08:54 PM
Earth1,
Hh.exe is the help file viewer which will be called in almost every case when you access an application's help file. Assuming that you had previously decided to Permit this (which most people would have), you probably would not see much indication of any malware using this (it would have to access Help, then a command prompt window, but could then close these quickly to hide them). However, any malware would trigger a PG execution prompt if it is an executable program. Windows scripts, however, require other counter-measures (http://www.wilderssecurity.com/showthread.php?t=60736).
gottadoit
March 14th, 2005, 07:54 AM
It would be very nice to be able to perform a "validate" from the security menu so we could check whether any of the binaries had changed since they were last run, and if they had, then present the option to accept the changed binary (or deny) as usual.
Seeing as multiple programs can be selected, this would make it relatively easy to check everything in the list - of course there would be a wait whilst the binaries are being read and checksummed, but anyone that chose to do this would probably wear that.
The reason that I ask is that it would allow us to perform an install (or Windows Update patch) and get all the prompts out of the way quickly, so that we can return to whatever variety of normal running and/or lockdown mode we have specified, confident that we (or anyone else using the PC) shouldn't be getting any changed executable prompts for existing programs....
Thanks
gottadoit
March 15th, 2005, 11:37 AM
Back to the issue of having profiles again.... I'd still like to see them and I've been finding more situations when they would be useful
Assuming that adding profiles is under consideration (at some point in the future when you guys have time.. presumably post TDS4) :
- it would be really handy to be able to change profile with a right click on the PG icon (and be able to directly select the profile name from the popup menu)
- from there either a HID window or optionally a password prompt would then need to be satisfied before the profile would actually change...
- I didn't try and specify the mechanics of copying information between profiles because I was asking for export and import of the data as well, but a copy from one profile to another would be good (as well as the export
If there was an easy way to swap the binary files around I probably would have just done it by now... but seeing as there isn't without involving reboots (and that is something I certainly won't be doing to achieve this) I've added this as an additional idea for the selection of a profile for easy access
SpikeyB
April 8th, 2005, 01:00 PM
I'd like PG to either alert me when a program tries to access the internet (with allow once, always etc. tick box) or else allow me to authorise internet access for selected programs in the protection tab.
gottadoit
April 8th, 2005, 01:10 PM
-{ Quote: "I'd like PG to either alert me when a program tries to access the internet (with allow once, always etc. tick box) or else allow me to authorise internet access for selected programs in the protection tab." }-SpikeyB,
I agree that is a good piece of functionality to have as part of application control but it isn't the focus of ProcessGuard.
I would suggest that you look at one of the many personal firewalls that provide application control because they provide the functionality you are after.
From all reports Outpost is a good one to consider, but your best bet is to read up on the different ones then choose 2 or 3 and trial them to see which one suits you and your setup the best.
Have a look on the forums here at Wilders; there are plenty of opinions and lots of information, because personal firewalls seem to polarise opinions quite strongly.
Just wondering
April 8th, 2005, 02:14 PM
"because personal firewalls seem to polarise opinions quite strongly"
Amen to that one
WSFuser
April 20th, 2005, 12:36 PM
I'm just wondering, will the next release support Windows XP x64 Edition?
I had an idea where PG would have predefined rules for which programs would be allowed which flags, but then I realized people have personal preferences on whether they want global hooks, close message handling etc... anyway, that's just something that came into my head.
Fear
April 30th, 2005, 02:49 PM
I don't know if it has been suggested in the past, but file access and registry access control would be an amazing feature. I am using the demo version right now and am so far satisfied with the overall features. It would be nice to be able to permit/deny access to certain files or registry keys eventually, but a start would be to permit/deny file and registry access.
richrf
April 30th, 2005, 07:02 PM
Ditto on folder/file access protection. It can cause quite a lot of alerts, so hopefully the permissions can be granted in such a way that a single program execution can be granted access to a folder/file for the entire duration of the program execution.
Rich
iNsuRRecTioN
May 9th, 2005, 11:47 AM
Hi there,
here are my comments and suggestions for the (hopefully) upcoming ProcessGuard 3.5 or 4.0 (using Version 3.150):
System specs: AMD Athlon 1.4 GHz, 512 MB RAM, Asus A7V133 with VIA chipset motherboard, OS MS Windows 2000 Pro SP4, IE 6.0 SP1, Common Control Components: 5.81.4916
- Multilanguage GUI support/versions of ProcessGuard: either you (DiamondCS) compile international language versions of ProcessGuard (i.e. in German, French, etc.) or you make the ProcessGuard GUI multilanguage compatible, so that you and/or users can supply language files in their own native tongue (e.g. text-file based language files).
- Lower system resource usage: the RAM consumption of ProcessGuard and its 3 tasks/processes is too high! (about 18-20 MB)
(You write in the quick tips of ProcessGuard: "The ProcessGuard architecture was carefully designed to use minimal resources, so you can keep it running all the time and shouldn't even notice it's there.")
In my opinion 18-20 MB RAM consumption isn't low.
If you do things in the main window of ProcessGuard, like look at some processes/startup objects or set up some options, the "procguard.exe" process increases its RAM usage from about 6-7 MB to about 12-13 MB and doesn't go back to 6-7 MB when closed/minimized to the systray.
You should optimize the code of ProcessGuard so that all processes use only half of the current RAM consumption. I.e. lower the RAM usage of the process "procguard.exe" from about 6-7 MB to about 3 MB, "DCSUserProt.exe" from about 2-3 MB to about 1 MB and "pgaccount.exe" from about 2-3 MB to about 1 MB.
So all ProcessGuard processes would use only about 5-6 MB of RAM! (That's low/minimal resource usage! :-P)
- By the way, why does ProcessGuard need 3 tasks/processes? Why don't you integrate/unite/combine the 3 tasks/processes into 1-2 part(s)?!
- Sign all ProcessGuard executables, drivers and services (the ProcessGuard setup too) with a digital certificate, so that you can ensure the integrity of all files/setup and so that no one can manipulate the files.
With the digital signature, users can be sure that all is OK and the ProcessGuard setup and files are authenticated by and from DiamondCS.
Many software companies (like Microsoft, Symantec, Skype, etc.) do that to ensure/guarantee the integrity and intactness of their products (setups, files, etc.)!
And beginner/novice users/customers can trust that they really come from that company and aren't malicious or dangerous!
- If you Exit/close ProcessGuard (procguard.exe) while ProcessGuard is locked, no dialog asking for the correct password is shown. And if you set "Secure Message Handling" and you Exit/close ProcessGuard (procguard.exe), no "Human Confirmation Required" dialog/window is shown.
- You don't have the possibility to export/save the "Protection" list/settings (for backup, new OS install, reinstall, etc.)!
- Integrate the ability to build a local database of the applications in the "Protection" list which you can then synchronize with the server application database (on the DiamondCS server). I.e. during ProcessGuard installation/setup, a predefined application database/list is copied to the PC, and then when you start ProcessGuard and have an Internet connection, you can, via an integrated update module, download a newer list/database of predefined applications (if there is any).
And if there is an application that isn't in the application database/list on the DiamondCS servers, you have the ability to upload/submit new entries to that database/list with the special settings for that new application.
(E.g. "wintv2k.exe" needs rights/access to set/install global hooks (a global CBT hook; I think to disallow the screensaver while watching TV, video, etc.).)
So other users don't need to configure settings for "wintv2k.exe" again, if someone submits it with the correct settings to the application database/list on the DiamondCS servers and they first download the newest application list/database from the Internet/server.
- Integrate 64-bit support for AMD/Intel on Windows NT 5.2.x 64-bit, and SMT/SMP support
- Option to disable the PG icon in the systray
- Integrate an advanced interface that allows the user to set customized flags for specific applications. I.e. normally if you set, for example, the "allow termination" flag for one application, this application can terminate all protected applications from then on.
But if you want, for example, the application "taskmgr.exe" to be allowed to terminate only the application "iexplore.exe" and no other application/process, it's impossible to specify that.
With this advanced interface, you would be able to define which application(s) can access/modify/terminate all, specific or no applications/processes!
- Additionally you should be able to specify in the advanced interface what kind of modification/termination should be allowed or disallowed, like End Task or ZwTerminateProcess, etc.
(In default/standard mode, the ProcessGuard GUI shouldn't show the advanced interface, so that beginners/novices aren't confused/disturbed so much. The advanced interface should be only for advanced/pro/expert users/customers!)
- As a result of the advanced interface, you should integrate the ability to specify the actions on the "ALERTS" tab/window more precisely; i.e. (if the advanced interface is activated and shown) you should be able to specify that "This application", for example "taskmgr.exe", may "Allow Terminate" (all termination methods against all applications/processes) OR "Allow this Termination", for example "Type: ZwTerminateProcess" (the shown specific termination method against all applications/processes).
And for the lower part "Was BLOCKED from ..." (for example terminating) there should be the ability to specify "Remove Protection" (to remove the (in this case) termination protection for all applications) OR "Remove Protection for this app" (to remove the (in this case) termination protection ONLY for the current application/process (in this case "taskmgr.exe")) OR "Remove ALL Protections" (to remove all possible protections from the current application, in case the user wants this application/process not to have any protection anymore) from the current application/process (in this case "iexplore.exe").
(In default/standard mode, the ProcessGuard GUI (ALERTS tab/window) shouldn't show the "new" action buttons, so that beginners/novices aren't confused/disturbed so much. The "new" buttons/actions should be only for advanced/pro/expert users/customers!)
- Integrate the ability to click, for example, on the application/process icon on the "ALERTS" page/tab/window, and then ProcessGuard displays detailed info about this application/process in a new info window (info like file type, company/corporation, description, version, copyright, product name, product version, comments, digital certificate/signature (if there is any), etc.).
So that you are better informed about this application/process and can better associate/assign/classify the current application/process!
- Integrate the ability to specify that, if you tick "Terminate protected applications" or "Modify protected applications" in the "Authorize this application to" box in the "PROTECTION" tab/page/window, you can choose whether you will be asked with the human confirmation window (if you, for instance, terminate a protected application (if allowed to do so)) or not.
So you can tick a new option/setting named, for example, "ask human". In this way you can protect an allowed application from being manipulated by another process or app and ensure that only you (a human) can kill/terminate or modify an application or process.
- Remember the "Lock" password; you have to enter the password again every time you lock the ProcessGuard GUI; i.e. if you click on "Lock" in the "MAIN" window/page/tab and then enter a password twice and click OK, the GUI is locked. If you now want to unlock the GUI again, you have to enter the password. (Up to here, all OK.)
But if you now want to lock the GUI again, you have to enter a new password, or the same password, twice.
That's bad; in my opinion it's better that ProcessGuard remembers the password typed twice (the first time you lock the GUI), and then after you have unlocked the GUI and want to lock it again, you simply click on the "Lock" button with no need to enter the password twice again!
Additionally, if you want to change the password in future, ProcessGuard has to supply such a feature/option.
- Integrate a "Protocol only" mode (tickable at the "Protection enable" option/setting), so that users can log/review what a specific tool/installation does/changes in the system without stopping or blocking it.
It's useful, for instance, for research and learning, etc. :D
- Integrate shortcuts/hotkeys in the "Human Confirmation Required" window/dialog, so that the user/customer can confirm or cancel the window/dialog just with the keyboard. (You can enter the confirmation word and press "Enter" to confirm, but if you press "Esc" nothing happens (the window/dialog should close then), and if you want to confirm all dialogs ("OK to all" button) you have to use the mouse and cannot press "ALT+A" or similar.)
- If the GUI is locked out, the Protection Statistics interfere with the lockout screen.
thx and best regards,
iNsuRRecTiON
squash
May 10th, 2005, 03:07 AM
1. Limited account (in Windows XP) support.
2. Password protect option, PG can only exit and/or accept new applications with a password.
Disciple
June 5th, 2005, 06:22 PM
If this was suggested before, please excuse the duplicate request. I would like to see an alert for when Windows component(s) need to do something that they do not currently have permission to do. I.e. I just upgraded the XP Windows Update to v6, yes it is out, and during the install services.exe needs to install a driver/service. I do not give services.exe this permission and naturally the update failed. If I were presented with an alert and was able to give it permission to do this on a per-instance (Permit Once) basis, the update would have succeeded the first time.
This would be useful for other components that can run other things, such as rundll32.exe, where if the user is doing an upgrade/update and another process needs additional permission to complete the process.
Notok
June 8th, 2005, 06:56 PM
I would really like to see a "lite" (stripped-down) version that is "mom friendly". I'm thinking of a version that has a pre-defined set of system files and popular security programs, only does MD5 hashing for protected programs (with an alert saying "[program x] has changed, did you recently upgrade it?"), no execution protection, only does process and global hook protection... basically a version that just protects core system files and security software, stops keyloggers, and of course has a "friendly" GUI. I think this would be perfect for non-technical users and would give you even greater exposure. You could sell it for $5-$10 and I'm sure plenty of people would go for it (I know at least 4 or 5 that would buy it, or I would buy it for them, my mom being one of them) :)
I would also like to see an option to prevent processes from escalating privileges and more control with execution protection including the ability to only allow processes to be executed by certain accounts/account groups, along with the previously mentioned things like command line options, what processes can/can't launch others, etc.
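gottadoit's "validate" request above and Notok's "only does MD5 hashing for protected programs" idea describe the same mechanism: keep a checksum baseline of the protected binaries and re-check it on demand, reporting anything that changed since it was last accepted. As an added example that is not part of the original thread and not ProcessGuard's own code, here is a small Python script that builds such a baseline and reports each protected file as unchanged, changed or missing. It uses SHA-256 instead of the MD5 Notok names (an assumption on my part; MD5 is collision-prone, so it is a poor choice for deciding whether a binary is the one you accepted). The file names procguard.exe, taskmgr.exe and iexplore.exe are borrowed from the thread as labels for constructed sample files in a temporary directory; they are not real binaries.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable

# Hash algorithm is an assumption: the thread mentions MD5, SHA-256 is used here
# because an attacker can craft two different files with the same MD5.
ALGORITHM = "sha256"


def digest_bytes(data: bytes, algorithm: str = ALGORITHM) -> str:
    """Hex digest of an in-memory byte string (handy for tests and small inputs)."""
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path: str, algorithm: str = ALGORITHM) -> str:
    """Hex digest of a file, read in chunks so large binaries do not need to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str], algorithm: str = ALGORITHM) -> Dict[str, str]:
    """Record the accepted digest of every protected program (the 'last run' state)."""
    return {p: file_digest(p, algorithm) for p in paths}


def validate_baseline(baseline: Dict[str, str], algorithm: str = ALGORITHM) -> Dict[str, str]:
    """Compare each protected path against its accepted digest.

    Returns one verdict per path: 'unchanged', 'changed' or 'missing'.
    'changed' is where a product like the one discussed would raise its
    "[program x] has changed, did you recently upgrade it?" prompt.
    """
    verdicts: Dict[str, str] = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            verdicts[path] = "missing"
            continue
        verdicts[path] = "unchanged" if file_digest(path, algorithm) == expected else "changed"
    return verdicts


def demo() -> Dict[str, str]:
    """Constructed scenario: accept three files, then patch one and delete one."""
    with tempfile.TemporaryDirectory() as workdir:
        names = ("procguard.exe", "taskmgr.exe", "iexplore.exe")  # labels only
        paths = [os.path.join(workdir, n) for n in names]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"constructed sample contents of " + os.path.basename(p).encode())

        baseline = build_baseline(paths)  # what the user accepted at "last run"

        # Simulate an upgrade of taskmgr.exe (bytes appended) and removal of iexplore.exe.
        with open(paths[1], "ab") as f:
            f.write(b"\npatched by an update")
        os.remove(paths[2])

        verdicts = validate_baseline(baseline)
        return {os.path.basename(p): v for p, v in verdicts.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the script prints one verdict per constructed file. A real implementation would persist the baseline with the protection list (which also covers the export/backup wish raised elsewhere in this thread) and would only replace a digest after the user explicitly accepts the changed binary.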
DolfTraanberg
June 18th, 2005, 12:07 AM
Outbound internet filter, even as a plug-in.
A great addition to Windows Firewall and all integrated inbound filters used in routers/broadband modems.
You don't need a software firewall anymore, and it's a piece of cake to implement for DiamondCS...
Dolf.
Hard Rocker
June 18th, 2005, 01:47 AM
:) I like Notok's view on things .... a simpler version .... but it would also be nice to have the option to upgrade to the full program once the user felt comfortable with the stripped-down version.
I really want to install ProcessGuard .... but being a new user & also having heard of other users being unable to start some programs with PG installed, I'm a bit intimidated to install PG right now. These are the ONLY things that are holding me back. On the other hand .... from what I've heard, PG is pretty much one of the best security programs that a user could install on their PC.
HR 8)
WSFuser
June 18th, 2005, 11:47 AM
-{ Quote: "- but it would also be nice to have the option to upgrade to the full program once the user felt comfortable with the stripped-down version." }-
AFAIK, ProcessGuard uses a serial number, so you just have to purchase it and enter the serial number into the lite version to convert it to full.
Hard Rocker
June 18th, 2005, 02:56 PM
-{ Quote: "AFAIK, ProcessGuard uses a serial number, so you just have to purchase it and enter the serial number into the lite version to convert it to full." }-
Hi, and thanks for responding :) .... but what I meant was if PG should come out with a very basic version of their program .... as Notok has suggested above .... it would be nice to be able to upgrade to the full version from this so called stripped-down version as he has called it .... after purchasing the so called (basic) or stripped down program.
HR 8)
richrf
June 18th, 2005, 03:52 PM
Hi HR,
There is a free version of PG that has some important functionality stripped out. You can try out this program and if it works for you, all you need to do is add a serial number in order to access the rest of the functionality.
There are just two things to remember when installing:
1) Stop all real-time protection (including things like Tea Timer) while installing PG.
2) Keep it in learning mode for at least three restart cycles and make sure that you run all of your security program updates while in learning mode.
This should put you in pretty good shape. Additionally, DiamondCS is now recommending that you do not give "services.exe" Install Driver/Services permission anymore in order to close a hole that might allow a rootkit to be installed.
This basic setup gives you lots of protection. Personally, I also give Permit Once permission to rundll.exe for some extra protection, but it does make PG a bit more talkative (e.g. control panel functions usually call on rundll.exe).
Rich
Hard Rocker
June 18th, 2005, 11:35 PM
Hi Rich, :)
Hmmm .... This sounds very interesting.
So, once I save the download of PG to my desktop .... I should deactivate my AV temporarily .... my 2 anti trojan programs (with guards) .... any antispyware active protection ? What about WinPatrol, SWB, Spyware Guard, MRU Blaster, BHO Demon, UnHackMe & SnoopFree ?
Also, what about things running in " Services " like my Ewido scanner & BitDefender on demand scanner .... should they be shut down as well during the installation process ?
When you say " Tea Timer " I'm assuming you are referring to Spybot.
HR 8)
richrf
June 19th, 2005, 01:17 AM
Hi HR,
Yes, you've got it. Just disable all of those real-time programs temporarily and you should be fine. You don't have to be concerned with your on-demand scanners. Some of the real-time stuff like Spyware Guard probably will not interfere, but just shut them down to be on the safe side. No reason to mess around with an install.
Alternatively, it may be possible to just install PG in safe mode, but I never tried it so I don't want to suggest that it is OK to do so.
Once PG is installed, just let it run for a while. Make sure you go through an update cycle with all of your security software. Also, remember to turn protection off if you are doing a Windows Update. It is not always necessary, but again, why mess around until you are comfortable with PG.
Keep us posted, if you decide to go ahead with an install. It should be very smooth.
Rich
Hard Rocker
June 19th, 2005, 06:41 AM
Hi Rich, :)
I have contacted support at DiamondCS to see if PG can be installed from the Safe Mode. It will probably take a couple of days, or so .... to receive a reply.
I just installed SpySweeper 4.0.3 from Safe Mode on advice from a Webroot tech not more than a few days ago .... so I don't see why there would be a problem doing the same with PG. However, I'll wait to hear back from DiamondCS .... just to be sure !!
Thanks Again,
HR 8)
WSFuser
June 19th, 2005, 10:26 AM
AFAIK, ProcessGuard does have to install a driver, so I wonder if that is possible under safe mode.
DolfTraanberg
June 19th, 2005, 07:54 PM
-{ Quote: "I have contacted support at DiamondCS to see if PG can be installed from the Safe Mode. It will probably take a couple of days, or so .... to receive a reply." }-
My dear friend, you don't need any help from DiamondCS for this. In safe mode you can do anything you like. If it doesn't work the way you want, just undo.
Dolf.
Infinity
June 20th, 2005, 04:25 AM
Not entirely true. I didn't try to install PG in safe mode, but I sure know you can't do everything in safe mode; sometimes uninstalling won't even work in safe mode. The only sure thing you can do is to make a restore point before trying and, in safe mode, revert back...
but not everything is installable in safe mode :)
WSFuser
June 20th, 2005, 12:06 PM
-{ Quote: "but not everything is installable in safe mode :)" }-
Mainly programs that use Microsoft Installer. Don't you hate that?
Hard Rocker
June 20th, 2005, 10:49 PM
Hi, :D
First off .... Thanks to all of you that posted on the Safe Mode installation possibility. ;)
However, DiamondCS support has responded by advising me NOT to shut ANYTHING down prior to the installation .... proceed with a regular install .... and state that Process Guard should install just fine.
They claim that the most important thing to do .... is to follow the step by step .... SETUP GUIDE within the help file .... after the installation.
Hmmmm .... I'm wondering if anyone has experienced difficulties installing PG by NOT shutting down their real time monitoring programs prior to installation ? ???
Anyway, I'm getting closer to that actual " big install " moment .... LOL .... as I now have the PG installer saved on my PC Desktop !! ::)
Thanks again people,
HR 8)
richrf
June 20th, 2005, 11:08 PM
Hi HR,
I seem to recall some prior posts where people did have problems, but I cannot recall which programs were involved. I would listen to DiamondCS support though.
Rich
Hard Rocker
June 20th, 2005, 11:20 PM
Hey Rich, ;D
I kind of figured that .... Think I'll dig around Wilders a little
.... just to see if I can locate any.
Just color me chicken .... :-[
HR
SpikeyB
June 21st, 2005, 04:43 AM
On the "Protection tab", in the "Authorise this application to" box, I would like to see two more tick boxes. These would be "Access the internet" and "Run scripts".
These are two features from a program called Principal Antivirus. I'd like to see them in Process Guard.
WSFuser
June 21st, 2005, 01:31 PM
Well, if PG had an option for allowing/denying internet access, would that make it more of a firewall? I don't like my programs to bloat up.
SpikeyB
June 21st, 2005, 04:31 PM
-{ Quote: "Well, if PG had an option for allowing/denying internet access, would that make it more of a firewall? I don't like my programs to bloat up." }-Not really. A firewall does a lot more than just say xyz.exe is trying to connect to the internet. I don't really need a full blown firewall because I have a router. I guess a little extra in PG would have a lot less bloat than a whole firewall package.
Paranoid2000
June 21st, 2005, 06:18 PM
-{ Quote: "On the "Protection tab", in the "Authorise this application to" box, I would like to see two more tick boxes. These would be "Access the internet" and "Run scripts"." }-While such an idea may seem simple on the surface, in practice this could be very complex to implement.
Firstly, "Access the Internet" would need to be broken down into "Client" (can make outgoing connections only) and "Server" (can receive incoming connections also) options at least (like ZoneAlarm - some programs like file-sharing ones need Server access but from the security perspective, the number of programs allowed this should be kept to a bare minimum). Then some means of offering more tightly defined rules for applications you only partially trust (e.g. svchost.exe on Windows XP needs a very tight leash!) would need to be added.
Then we come to the issue of indirect access - what if a program invokes Internet Explorer (or any other browser) to access the network rather than doing so directly? To cover this, PG would need to monitor all access to "network enabled" programs also.
This does go very much into firewall territory and should explain why most firewalls are more complex to configure than PG. If DiamondCS wishes to retain PG's existing simplicity then this feature would be very hard to implement effectively.
"Run scripts" is another potential can of worms. While restricting access to Windows Scripting only would be easy, there are plenty of applications with their own scripting language that would have to be addressed separately (e.g. GetRight Pro (http://pro.getright.com/compare.html)). In addition, DiamondCS have a separate program, WormGuard, for addressing scripts.
-{ Quote: "These are two features from a program called Principal Antivirus." }-
Looking at the product details (http://www.resplendence.com/antivirus) suggests that indirect Internet access (see FirewallLeaktester (www.firewallleaktester.com) for example exploits) is not covered, nor are program-specific scripts. Perhaps you'd care to try these out and let everyone know the results?
SpikeyB
June 22nd, 2005, 05:49 AM
I suppose what I was wishing for was something very specific to me. However, it might have a wider relevance seeing as someone decided to put it in their product Principal Antivirus.
If I wanted a firewall, as I have in the past, then I would use one. What I'm thinking about is if I wanted to try out a new package e.g. a note taker such as InfoAngel. I don't really want to run a full blown firewall but I would like to know if InfoAngel wanted to connect to the internet. If it did, I could try to find out why, seeing as it's only for making notes. If I tried a new browser, obviously it would need to connect to the internet so I wouldn't be concerned about that.
The role of PG (apart from its other features) would be to give me a bit more info/control about what the programs on my comp want to do. All the programs that needed internet access would get a tick allowing them to do so.
I am not trying to get a firewall built into PG. It's meant to be a simple yes/no to internet access. If I wanted further control for the allowed programs, I could use a proper firewall.
I don't really know about the leaktests for Principal Antivirus. I only used it for the trial period and then decided to go with PG. When I run the leaktests with PG (and I haven't got a firewall to leak past), PG just stops them from running. I guess that's exactly what PA would do as well.
Hopefully, I've explained my wish a bit more clearly.
VisiThink
June 24th, 2005, 04:21 PM
Any chance of being notified of the actual dll being used to attempt the injection of a Global system hook when hook protection is enabled?
Secondly, being able to pick and choose which ones to allow if there are multiple hook libraries being loaded on a single process.
Haceldama
June 27th, 2005, 03:42 PM
It's quite likely that this was requested previously, but here I go:
Ability to ignore alerts on a per-program basis. The option should be set for each option separately, so that if, e.g., Internet Explorer tries a global hook (and the ignore option for global hooks is set), as it so often does, this will be logged but the tray icon will not flash. When it tries to install a driver and the option is not set to ignore such events, it should flash and of course log this event as usual.
The security tab should include the year the program has last run as well.
An option to force a program to a set priority.
To elaborate on that, it would be helpful if one could set some programs, e.g. emulators/games in general, to run at idle speed, because very often those are poorly programmed and take up all the CPU resources there are, invariably hogging all CPU time and dragging down every other process without need.
This option would counter this behavior so it would be a rather useful addition.
Apart from that, some keyboard combination to allow running a new program if no mouse is connected/working. If this were an option, some lockups involving a non-working mouse could be resolved easily (e.g. if one did not allow some program to run which is responsible for driver installation).
This can happen if the PS/2 port starts bugging on you, or something else.
WSFuser
June 27th, 2005, 05:14 PM
-{ Quote: "An option to force a program to a set priority.
To elaborate on that, it would be helpful if one could set some programs, e.g. emulators/games in general, to run at idle speed, because very often those are poorly programmed and take up all the CPU resources there are, invariably hogging all CPU time and dragging down every other process without need.
This option would counter this behavior so it would be a rather useful addition." }-
There are separate apps for that, like Process Tamer (http://fileforum.betanews.com/detail/Process_Tamer/1111857421/1) and Process Lasso (http://fileforum.betanews.com/detail/Process_Lasso/1070027121/1).
A feature I would like to see is for PG to prompt you for protecting memory, drivers, hooks, etc. instead of automatically blocking them.
Inf
June 27th, 2005, 05:15 PM
Yes, I will back you up on this:
the whole thing (a lot of things...) will be solved when the parent and child popup is there :)
rdsu
June 28th, 2005, 11:02 AM
I don't know if this was already requested...
I want to suggest an alert window when some program wants to use some items of the Global Protection Options, to decide what we want to do...
Regards
WSFuser
June 28th, 2005, 11:17 AM
I already suggested it, look two posts up. But maybe if enough people suggest it, it'll have a higher chance of being implemented. ;D
rdsu
June 28th, 2005, 11:20 AM
-{ Quote: "I already suggested it, look two posts up. But maybe if enough people suggest it, it'll have a higher chance of being implemented. ;D" }-
Nice ;D
Rasheed187
July 9th, 2005, 02:24 PM
I would like control over 2 things, mainly to lock down IE ;D :
- Application start and spawning
- File access
Also, I want a nicer, more professional-looking GUI; the current one just doesn't cut it, know what I mean? To give you a hint, look at these apps (except for the third pic in the second link, that's ugly):
http://www.snapfiles.com/screenshots/winshark.htm
http://www.softpedia.com/progScreenshots/Tiny-Personal-Firewall-Screenshot-6105.html
WSFuser
July 9th, 2005, 02:39 PM
Didn't you already make a post about this? Anyway, let me remind you of what James Taylor said:
-{ Quote: "Why? It's called PROCESSguard not IEguard.
IE is so dangerous, you need a specific app to guard it, not something as generic as Processguard." }-
Rasheed187
July 10th, 2005, 12:44 PM
Yes, I already posted this but not in this thread, so I don't see what the problem is. And should it matter why I want certain features? ???
I will use it to lock down IE, but maybe someone else will use it for another reason. And I don't agree with James Taylor because IMO tools like PG, Prevx and SSM (generic or not) can all help in making IE safer, and perhaps even protect against zero-day bugs.
James Taylor
July 11th, 2005, 09:15 AM
-{ Quote: "Yes, I already posted this but not in this thread, so I don't see what the problem is. And should it matter why I want certain features? ???" }-
Because it would be foolish to try to force an existing product to become something it isn't.
-{ Quote: "And I don't agree with James Taylor because IMO tools like PG, Prevx and SSM (generic or not) can all help in making IE safer, and perhaps even protect against zero-day bugs." }-
I didn't say that. Besides according to you IE is safe enough when running it with dropmyrights + all the 'hardening' you do... Right?
Rasheed187
July 11th, 2005, 10:23 AM
Well, let the developers decide. Like I said before, I think it would be a nice addition, but perhaps they don't think it's necessary; SSM does offer this, however. :) About IE, you already know my opinion on this subject: yes, I think IE is safe enough with a certain configuration. ;)
James Taylor
July 12th, 2005, 03:57 AM
-{ Quote: "Well, let the developers decide. Like I said before, I think it would be a nice addition, but perhaps they don't think it's necessary; SSM does offer this, however. :) About IE, you already know my opinion on this subject: yes, I think IE is safe enough with a certain configuration. ;)" }-
LOL, a certain configuration means what? Running half a dozen programs to 'secure' IE by crippling most of its functions, adding a couple of IDS systems just to protect IE, *and* spamming the wishlists of IDS products meant for generic protection, begging for IE-specific protection.
Yes, I see you really think IE is "safe".
For the record, I think your fixation with IE is not necessary.
rdsu
July 12th, 2005, 04:40 AM
I don't think that this topic is to post opinions, but just suggestions... ;)
And try to respect the other opinions.
Pilli
July 12th, 2005, 04:49 AM
-{ Quote: "I don't think that this topic is to post opinions, " }- Quite correct :) Please confine this thread to suggestions and not discussions. Either start another thread or use the Wilders Instant Messaging (IM) system.
Thanks. Pilli
Rasheed187
July 12th, 2005, 12:00 PM
My final comment in this thread @ James Taylor:
I'm asking for a feature that would make PG even more powerful; IMO it doesn't really matter what I need the feature for. And why do you think products such as Prevx, Safe'n'Sec and SSM are around? Just to secure IE? No, but they can make IE more secure.
If you want to know what the remarks were, PM me. ;D
Unnecessary remarks removed: Pilli
Notok
July 12th, 2005, 03:39 PM
-{ Quote: "Also, I want a nicer, more professional-looking GUI; the current one just doesn't cut it, know what I mean?" }-
*I* know what you mean, but I think quite a lot could be done just by making the tabs, and perhaps the bevel, smaller. Doesn't seem like much, but I think it's all it really needs to make it look really sharp :)
heatsaver
July 31st, 2005, 01:47 PM
Windows XP Professional 64-bit compatibility would be super!
AAPlus2
July 31st, 2005, 04:11 PM
Hello, all.
@Jason
First, my apologies: I am not big on words, so don't take this the wrong way or think I'm some nut. Well, the nut part is up to you to say :)
Now, my dad went out and, as always, overdid it. I now have, I think, 4 copies of PG that he paid for; not sure why he would do this with all the programs he would see.
Now, I have tried time and time again to use this great program of yours, but it's hard as hell. I would like to ask you this: is there some way that you can add something to the popups (talking about when there is a warning)? Could you add some type of "click here" that will send the user to, say, a web site with info on what just happened with PG? It would help someone like me see what it is that PG is asking of them.
Like I said, not big on words here. Say a box pops up: "Bla Bla wants to do A, B or C". So I click a button that takes me to a web site where it tells me if it is safe or not. Something like ZoneAlarm has: if a box pops up, you just click "More Info" and before you know it you're at the web site with info on whether your next move is safe or not.
Thank you
AAPlus2
July 31st, 2005, 04:51 PM
Hey, Jason
Well, please kick me in the yahoo. I just happened to find this here:
http://www.diamondcs.com.au/pgdb/
I think this is what I had been thinking of when I posted the above info. My apologies, I should keep my hole shut.
Thank you
borisdavis
August 1st, 2005, 10:11 AM
Whats going on?
vlad007
August 1st, 2005, 11:20 AM
It's easy to accidentally uncheck the Global Protection Options section.
Some kind of message, e.g. "Are you sure you want to disable Block Global Hooks etc.?", when you try to uncheck anything in this section.
The reason I say this is, the other day I booted up and one of the global protections was unchecked.
I don't remember doing that!
I'm the only one who uses the machine, so I must have accidentally unchecked it. Still don't remember doing it, though!
vlad
cyberdoc999
August 2nd, 2005, 01:47 AM
A ProcessGuard that works with PunkBuster games!!!!
Currently you have to uninstall ProcessGuard to play PunkBuster games, e.g. Battlefield 2, etc.
gottadoit
August 5th, 2005, 06:25 AM
One recurring annoyance is the tooltip box popping up with "known" (and accepted) blocks; this is an annoying type of false positive because the PG icon goes red.
In my case it is because I am using a Citrix client and get the alert
-{ Quote: "wfica32.exe was blocked from creating a global Low Level Keyboard hook" }-
It's something that doesn't matter and happens frequently (when I switch back to the Citrix window), but it pollutes the log files and gives visual false positives to the point where I ignore the colour of the PG icon now, because it doesn't actually indicate that there is a problem.
Also worth noting is the thread raised by passing thru about hangs during shutdown (http://www.wilderssecurity.com/showthread.php?t=91839); that would be a nice thing to see fixed.
And not to forget, a fix for the services.exe issue with drivers. I realise that the workaround given is reasonable as long as people are careful, but if someone does an install in learning mode (as suggested) then services.exe could silently obtain service/driver install privileges again and not everyone may realise that they need to check afterwards if they use learning mode.
Thanks
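Haceldama's per-program, per-event ignore option above and the Citrix keyboard-hook noise gottadoit describes are the same tuning problem: keep writing the event to the log, but decide per (program, event type) whether it deserves the red icon. The script below is an added example for this page, not ProcessGuard code; the alert line format is modelled on the single wfica32.exe line quoted in this thread, and the remaining sample lines, the event-type keywords and the ignore rules are all constructed assumptions.

```python
"""Per-program, per-event-type alert suppression for host-IPS log lines.

Added example, not ProcessGuard code. The line format follows the one alert
quoted in the thread; everything else here is constructed for illustration.
"""
import re
from collections import defaultdict

# One alert per line: "<program> was blocked from <action>" (assumed format).
ALERT_RE = re.compile(r"^(?P<program>\S+) was blocked from (?P<action>.+?)\s*$")

# Coarse event types keyed on words in the action text (constructed mapping).
EVENT_PATTERNS = (
    ("global_hook", re.compile(r"\bhook\b", re.I)),
    ("driver_install", re.compile(r"\bdriver\b", re.I)),
    ("service_install", re.compile(r"\bservice\b", re.I)),
    ("memory_access", re.compile(r"\bmemory\b", re.I)),
    ("termination", re.compile(r"\bterminat", re.I)),
)


def event_type(action: str) -> str:
    """Map free-text action to a coarse event type; unknown wording is 'other'."""
    for name, pattern in EVENT_PATTERNS:
        if pattern.search(action):
            return name
    return "other"


def triage(log_text: str, ignore_rules: dict) -> dict:
    """Split alert lines into 'flag' (flash the icon), 'quiet' (log only), 'unparsed'.

    ignore_rules: {program name in lower case: set of event types to stay quiet about}.
    A quiet alert is still kept, so the log remains complete for later review.
    """
    result = {"flag": [], "quiet": [], "unparsed": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if not m:
            result["unparsed"].append(line)
            continue
        program = m["program"].lower()
        etype = event_type(m["action"])
        if etype in ignore_rules.get(program, set()):
            result["quiet"].append(line)   # written to the log, no red icon
        else:
            result["flag"].append(line)
    return result


def summarize(lines) -> dict:
    """Count alerts per (program, event type); high counts are ignore-rule candidates."""
    counts = defaultdict(int)
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            counts[(m["program"].lower(), event_type(m["action"]))] += 1
    return dict(counts)


# Constructed sample log; the first line is the one quoted in the thread.
SAMPLE_LOG = """\
wfica32.exe was blocked from creating a global Low Level Keyboard hook
wfica32.exe was blocked from creating a global Low Level Keyboard hook
iexplore.exe was blocked from creating a global hook
iexplore.exe was blocked from installing a driver
notepad.exe was blocked from creating a global Low Level Keyboard hook
garbage line that is not an alert
"""

# Constructed rules: hooks from these two are expected, anything else still flags.
IGNORE_RULES = {
    "wfica32.exe": {"global_hook"},
    "iexplore.exe": {"global_hook"},
}

if __name__ == "__main__":
    outcome = triage(SAMPLE_LOG, IGNORE_RULES)
    for bucket, lines in outcome.items():
        print(f"{bucket}: {len(lines)}")
    print(summarize(SAMPLE_LOG.splitlines()))
```

The rule key is the event type rather than the exact action text, so a rule that quiets iexplore.exe's hooks still lets its driver-install attempt through, which is the split Haceldama asks for. Rules should name the program by full path rather than by bare file name in anything beyond a demonstration, since a bare name is exactly what a spoofed binary copies.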
Wai_Wai
August 14th, 2005, 05:34 PM
Is it possible to have a function by which PG can prevent another kind of EXE spoofing?
==============================
Case (1)
svchost.exe is at c:\windows\System32
However, the hacker uses a trick to put a file with the SAME name, svchost.exe, in another path (e.g. c:\windows). If I see it wanting to be executed, I would probably get deceived.
Is it possible to add file path verification, so it can warn me about possible spoofing and I won't make silly/careless mistakes?
Case (2)
This time the hacker uses a trick to change the name of a legitimate file a bit (e.g. scvhost.exe). If I see it wanting to be executed, I would probably get deceived.
Is it possible to add file name verification, so it can warn me about possible spoofing and I won't make silly/careless mistakes?
Note: In fact, since a hacker usually only changes 1-2 characters, one may implement a checker that checks whether the file name is slightly different from a legitimate Windows file. If so, issue a warning.
===============================
After all, are the above difficult to implement?
ibeme99
August 15th, 2005, 01:26 AM
1. It's counterproductive and annoying to place the popup window in the center of the monitor screen. I got a popup message from PG and wanted to research the module. Unfortunately, it was difficult to use the browser because of that damn popup window sitting in the middle of the screen without a title bar or controls that would allow it to be minimized or moved.
2. When running PG, I am unable to do a clean backup using Windows Backup. I get the following dialog:
Backup Status
Operation: Backup
Active backup destination: File
Media name: "C_Backup.bkf created 8/14/2005 at 5:30 AM"
Backup (via shadow copy) of "C: C_HD1_Boot"
Backup set #1 on media #1
Backup description: "Set created 6/24/2005 at 5:10 AM"
Media name: "C_Backup.bkf created 8/14/2005 at 5:30 AM"
Backup Type: Normal
Backup started on 8/14/2005 at 5:30 AM.
Warning: Unable to open "C:\WINDOWS\system32\pghash.dat" - skipped.
Reason: Access is denied.
Warning: Unable to open "C:\WINDOWS\system32\pguard.dat" - skipped.
Reason: Access is denied.
Warning: Unable to open "C:\WINDOWS\system32\drivers\procguard.sys" - skipped.
Reason: Access is denied.
Backup completed on 8/14/2005 at 5:36 AM.
Directories: 1439
Files: 15938
Bytes: 2,488,316,782
Time: 5 minutes and 48 seconds
3. It doesn't seem smart to initially run PG in learning mode UNLESS you are 100% sure that you don't have any rogue processes hiding in your system. Otherwise, they will be approved automatically, which seems to defeat what PG is trying to do.
4. The UI is UGLY. I wish developers would express their "creative urges" elsewhere and stick to the standard Windows GUI. Makes helping others over the telephone or in forums a lot easier if everyone is on the same page from the beginning.
5. You should take a hash or CRC of every program approved for execution and check against that hash in case a hacker gets access to your system and installs a new replacement file with the same name as a system file that has been approved.
Pilli
August 15th, 2005, 02:44 AM
-{ Quote: "5. You should take a hash or CRC of every program approved for execution and check against that hash in case a hacker gets access to your system and installs a new replacement file with the same name as a system file that has been approved." }- Every executable that is on the security list is MD5-hashed; any changed or new executable is alerted on.
Thanks Pilli :)
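The two spoofing cases Wai_Wai describes and the hash check ibeme99 asks about (which Pilli says PG already performs with MD5) fit into a single verification step. The following is an added example written for this page, not ProcessGuard code or DiamondCS's algorithm: an allowlist keyed on the full normalised path with a SHA-256 digest (chosen here instead of MD5 because MD5 collisions are practical), a "trusted name at a path that is not on the list" check for Case (1), and an edit-distance check against well-known system binary names for Case (2). The list of system names, the distance threshold of 2 and all sample file bytes are constructed assumptions.

```python
"""Path, name and hash verification of an executable before it is allowed to run.

Added example, not ProcessGuard code. System-name list, threshold and sample
bytes are constructed for illustration.
"""
import hashlib
from pathlib import PureWindowsPath

# Windows binaries whose names attackers like to imitate (constructed list).
KNOWN_SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe",
                      "winlogon.exe", "explorer.exe"}
# scvhost.exe vs svchost.exe is edit distance 2 with plain Levenshtein (assumed threshold).
LOOKALIKE_MAX_DISTANCE = 2


def normalize(path: str) -> str:
    """Case-folded Windows path with separators unified; does not resolve links or 8.3 names."""
    return str(PureWindowsPath(path)).lower()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute; a swap of two letters counts as 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def build_allowlist(entries) -> dict:
    """entries: iterable of (path, file bytes) of trusted binaries -> {normalised path: sha256}."""
    return {normalize(path): sha256_hex(data) for path, data in entries}


def classify(path: str, data: bytes, allowlist: dict) -> str:
    """Decide how an execution request should be presented to the user.

    ALLOW          exact path on the list and the digest matches
    HASH_MISMATCH  listed path but the file content changed (replaced binary)
    PATH_SPOOF     a trusted name sitting at a path that is not on the list (Case 1)
    NAME_LOOKALIKE name within LOOKALIKE_MAX_DISTANCE edits of a trusted name (Case 2)
    UNKNOWN        nothing recognised; normal new-program prompt applies
    """
    full = normalize(path)
    name = PureWindowsPath(full).name
    if full in allowlist:
        return "ALLOW" if sha256_hex(data) == allowlist[full] else "HASH_MISMATCH"
    trusted_names = {PureWindowsPath(p).name for p in allowlist} | KNOWN_SYSTEM_NAMES
    if name in trusted_names:
        return "PATH_SPOOF"
    if min(levenshtein(name, t) for t in trusted_names) <= LOOKALIKE_MAX_DISTANCE:
        return "NAME_LOOKALIKE"
    return "UNKNOWN"


if __name__ == "__main__":
    stand_in = b"MZ\x90\x00 constructed stand-in for svchost.exe"   # constructed bytes
    allow = build_allowlist([(r"C:\Windows\System32\svchost.exe", stand_in)])
    for candidate in (r"C:\Windows\System32\svchost.exe",
                      r"C:\Windows\svchost.exe",
                      r"C:\Windows\System32\scvhost.exe"):
        print(candidate, "->", classify(candidate, stand_in, allow))
```

The lookalike check is a warning class rather than a block on purpose: an unrelated legitimate binary can sit within two edits of a system name. Path normalisation here does not resolve junctions, symbolic links or 8.3 short names, so a real implementation should canonicalise the path with the OS before comparing it to the allowlist, otherwise the same file can appear under two spellings and defeat the path check.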
Wai_Wai
August 15th, 2005, 07:12 AM
-{ Quote: "1. It's counterproductive and annoying to place the popup window in the center of the monitor screen. I got a popup message from PG and wanted to research the module. Unfortunately, it was difficult to use the browser because of that damm popup window sitting in the middle of the screen without a title bar or controls that would allow it to be minimized or moved." }-
I second.
WSFuser
September 7th, 2005, 09:26 PM
Currently, while PG is in LM, I notice that if an executable (like an installer) tries installing a service, hook, etc., PG initially blocks it and then allows it; this sometimes causes error messages from the executable. When in LM, allowing permissions should go more smoothly or they should be silently added.
anon
September 16th, 2005, 03:06 AM
It would be great if I could use PG to regulate which programs could run with and without administrative rights.
Gavin - DiamondCS
September 16th, 2005, 03:13 AM
-{ Quote: "Currently, while PG is in LM, I notice that if an executable (like an installer) tries installing a service, hook, etc., PG initially blocks it and then allows it; this sometimes causes error messages from the executable. When in LM, allowing permissions should go more smoothly or they should be silently added." }-
This requires a complete redesign of Learning Mode.. version 4 feature most likely. Lots of other things mentioned are being added/fixed for the next version though :)
WSFuser
September 16th, 2005, 10:31 AM
-{ Quote: "It would be great if I could use PG to regulate which programs could run with and without administrative rights." }-
I think only Windows can decide that; also, if you need to run a program under a limited account, just use Run As and run it as admin.
-{ Quote: "This requires a complete redesign of Learning Mode.. version 4 feature most likely. Lots of other things mentioned are being added/fixed for the next version though :)" }-
That's good to know, I'm looking forward to the new version.
Rasheed187
October 2nd, 2005, 10:00 AM
About the GUI, please make it look more like System Safety Monitor v2; I think it's a much more professional-looking GUI, much slicker. :)
http://syssafety.com/screens.html
Dazed_and_Confused
October 8th, 2005, 08:41 PM
Not sure if the following has already been mentioned or not in the numerous posts in this thread, but I believe I've found a small bug.
Normally when I install software, I turn PG's protection OFF (as I just did when installing the update to Port Explorer :) ). As you know, lots of software will ask you to restart your PC after install, which I did, leaving PG's protection OFF. And when Protection is OFF, there is a dark "X" through the pretty PG icon in the systray. Well, after restarting my PC, I noticed the "X" was no longer there, but Protection was still OFF. If I hadn't remembered that I still had Protection turned OFF, I probably would have never realized I was unprotected, because the "X" was not there to remind me.
For the next release.......... Thanks! :)
CheriePie
October 11th, 2005, 09:45 PM
I'd like to see the addition of tool tip like functionality for when the text in a given column is wider than the column. Then when you hover over the text in that column, a little tool tip pops up to show you the full text of that field.
In a similar vein, I like to resize the columns and it'd be great if this column resizing can be remembered between reboots.
Thanks!
vBulletin® Copyright ©2000-2012, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2012, Wilders Security Forums