VERY HAPPY WITH PG 3 !


worldcitizen
November 14th, 2004, 11:09 PM
Congratulations to everyone at DCS and the beta testers. Thanks Pilli for really working so hard to help get this so perfect and allowing me to annoy you with my questions and criticisms (which I enjoyed immensely).

But when it all comes down to it I am VERY,VERY HAPPY to be able to have PG 3 on my pc all the time WITHOUT CRASHES, WITHOUT INSTABILITY, WITHOUT ANY ISSUES - just protecting me from EVERY NASTY OUT THERE.

Now I can LAUGH at those who think they are being smart trying to close down my security software like last week. Someone tried to close down all my security software and stopped my AV and firewall from starting up but COULDN'T STOP Process Guard. There it was in my system tray all alone showing those idiots that they couldn't stop it from starting up and protecting my pc for them to stuff my pc. I then got their crap off my machine and got back my AV and firewall but Process Guard was something THEY NEVER COUNTED ON SO I LAUGH IN YOUR FACE GUYS. Try again if you dare but with this beauty you've got NO CHANCE!!

Very happy with this and HIGHLY RECOMMEND IT TO ALL WHO HAVE NOT BOUGHT IT.

Dave

Chris12923
November 15th, 2004, 12:03 AM
-{ Quote: "Someone tried to close down all my security software and stopped my AV and firewall from starting up but COULDN'T STOP Process Guard." }-
Hope I am not off topic but with PG they still managed to shut down your AV and firewall? Were your AV and firewall not protected by PG? Or am I misreading your post?

Thanks,

Chris

nameless
November 15th, 2004, 12:55 AM
A huge part of the whole point to ProcessGuard is to prevent security software from being terminated. So... Why did yours get terminated anyway? And why would you be raving happy that it did?

And... (trying to think of a nice way to say this...) I doubt the person who created that malware was an "idiot". He did kill your security software, and he would have done worse on 99.99% of the other desktops out there. And you're the one who let the malware on your system in the first place, so...

worldcitizen
November 15th, 2004, 02:01 AM
The attack stopped the 'ICONS' FROM LOADING FOR MY AV AND FIREWALL but in task manager the PROCESSES were running and when I tried to shut them down I got a 'not accessible' error.

What these idiots did was change a few registry keys to try and prevent my AV & firewall from starting up but all they succeeded in doing was to stop the ICON from showing in the system tray, however, the processes of Bit Defender were running and protected and could not be breached. An icon is a very small matter and does not represent a security threat if disabled. The program itself was protected and unbreached so if I'd been attacked by a virus in my email it still would have been intercepted and made no difference whatsoever that the icon had been disabled. The program is not the icon.

I'm sending a copy of the program to DCS for analysis because it even tried to disable PG and was a very clever attempt at intrusion.

Dave

Chris12923
November 15th, 2004, 02:06 AM
-{ Quote: "and stopped my AV and firewall from starting up " }-

I misunderstood the above statement. Glad PG stopped the attempted intrusion.

Thanks,

Chris-

Bowserman
November 15th, 2004, 02:07 AM
Good stuff Dave :)....lucky to have had ProcessGuard mate.

Regards,
Jade.

Pilli
November 15th, 2004, 03:03 AM
Yeh Dave, Good to send the malware to DCS, I am sure that they will enjoy taking it apart. 8)

Cheers. Pilli

worldcitizen
November 15th, 2004, 03:14 AM
Pilli. I'd like to send you a screenshot but I can't upload it here because it's over the limit. It did attack PG and tried to disable most of its functions and did some damage but my security applications were still working.


Is there somewhere I can post the screenshot to so you can have a good look at what it did?

Dave

Pilli
November 15th, 2004, 03:22 AM
Hi Dave, Bowserman might be able to help you as he sometimes posts large graphics files on a site somewhere.
I'm sure he'll let you know.

Pilli

Bowserman
November 15th, 2004, 03:38 AM
-{ Quote: "Pilli. I'd like to send you a screenshot but I can't upload it here because it's over the limit. It did attack PG and tried to disable most of it's functions and did some damage but my security applications were still working.


Is there somewhere I can post the screenshot to so you can have a good look at what it did?

Dave" }-


Here ya go Dave, nice free picture hosting site ;) : http://imageshack.us/index3.php

Regards,
Jade.

Blackspear
November 15th, 2004, 03:53 AM
-{ Quote: "Pilli. I'd like to send you a screenshot but I can't upload it here because it's over the limit." }-
Hi Dave, if you save it as a ".GIF" you should be able to post it. You can also resize the screenshot through Microsoft Paint, found in Start > All Programs > Accessories > Paint.

Hope this helps...

Cheers ;D

worldcitizen
November 15th, 2004, 04:04 AM
Does this help?

http://img17.exs.cx/img17/8855/PGErrormessage.th.jpg (http://img17.exs.cx/my.php?loc=img17&image=PGErrormessage.jpg)

worldcitizen
November 15th, 2004, 04:07 AM
A Before shot.

http://img4.exs.cx/img4/9660/Before2.th.jpg (http://img4.exs.cx/my.php?loc=img4&image=Before2.jpg)

worldcitizen
November 15th, 2004, 04:08 AM
The AFTER shot.

http://img4.exs.cx/img4/7520/After1.th.jpg (http://img4.exs.cx/my.php?loc=img4&image=After1.jpg)

worldcitizen
November 15th, 2004, 04:14 AM
PG start-up disabled????

http://img4.exs.cx/img4/7222/PGerroronstartup.th.jpg (http://img4.exs.cx/my.php?loc=img4&image=PGerroronstartup.jpg)


However my AV was still protected as I tried to close it via task manager but it wouldn't grant access. So with 3/4 of my start up icons missing including my AV and firewall and PG clearly INJURED in a malicious attack or bug or incompatibility or something unknown STILL PG SOMEHOW kept my AV alive and protected. Is this bravery or what? Maybe we should send PG to Iraq to protect the troops???

Dave

worldcitizen
November 15th, 2004, 04:30 AM
Is my desktop wallpaper inviting or uninviting????? She's nice but is she really?

Dave

Pilli
November 15th, 2004, 04:53 AM
Nope Dave, She is not physically real, only virtually real, really ;D

worldcitizen
November 15th, 2004, 05:07 AM
Any comments about the screenshots. Just click on them to enlarge the picture. Maybe the bow and arrow in the background scared everyone away??

Pill - you're UNREAL 8) 8)

Dave

Wayne - DiamondCS
November 15th, 2004, 06:41 AM
It's already getting late into the evening here in Perth so the rest of my analysis of the malware sample provided by worldcitizen will have to wait for tomorrow. I'll spare you all the gory disassemblies, but preliminary analysis shows a few string references which may interest some of you:
0041A7CD MOV EDX,ss3_0.0041AC58 ASCII " ==== DoPerform-5 ===="
0041A7E7 MOV EDX,ss3_0.0041AC78 ASCII "Using WM_CLOSE"
0041A808 MOV EDX,ss3_0.0041AC90 ASCII "Using WM_QUIT"
0041A829 MOV EDX,ss3_0.0041ACA8 ASCII "Using Terminate Process"
0041A850 MOV EDX,ss3_0.0041ACC8 ASCII "Don't Shut Down"
The three referenced termination methods - WM_CLOSE, WM_QUIT, and TerminateProcess!kernel32.dll -> ZwTerminateProcess!ntdll.dll are all elementary, documented termination techniques that ProcessGuard easily blocks (the first two with Secure Message Handling), and you can test that for yourself with our freeware Advanced Process Termination utility. Don't be surprised though - ProcessGuard also easily handles all known undocumented termination methods (WinStationTerminateProcess is a good example of a futuristic termination method available here today yet still undocumented, and thus hasn't yet been used by malware but ProcessGuard already protects against - another potential attack vector secured).

worldcitizen
November 15th, 2004, 06:51 AM
Thanks very much Wayne for that.

Two questions - if I didn't have a registry backup how would I have restored my icons to the system tray?

And if I didn't have Process Guard installed I gather I might have been in a spot of bother?

I'm so glad I had PG running as I only began using it since the new flawless version 3 came out.

New or interested users can learn a lot from this and maybe why they need Process Guard!

Dave

worldcitizen
November 15th, 2004, 06:57 AM
Also Wayne, what does that error message in the above screenshot about pgaccount not running mean? Has PG been tampered with or partially disabled, and how would its (pgaccount) functionality be restored?

It's great to have been able to document a real attack online to show the indispensability of Process Guard!!

Dave

Pilli
November 15th, 2004, 07:00 AM
Hi Dave, At a guess I would say that the Icon problem is probably associated with Secure Message Handling NOT being enabled on certain programs. The registry changes, I assume, were made after the malware was allowed to run?
I am sure Wayne will clarify this when his analysis is complete.

If I'm reading your screenshots correctly, the malware certainly looks like it created a lot of new start ups for you to get rid of. :(

Pilli

nameless
November 15th, 2004, 07:01 AM
How did this malware get on your system in the first place?

worldcitizen
November 15th, 2004, 07:16 AM
Hi Pilli. You didn't read it right. I had all those items in start up and after using the software they almost all disappeared!! Only my cunning in having a registry backup saved me a lot of work getting all my programs back up again where I could see them although they weren't terminated.

How did I get it on my machine? It was a free download I got somewhere - supposed to be a P2P client. There's really no way of knowing for sure if something is malware because a lot of software nowadays has malware built into it, so the only thing one can safely do is have some good protection like PG because we can't just stop downloading software for fear of malware.

There should be a thread or sticky showing malware attempts at infiltrating system and how PG stops these attacks. Would give new and prospective users much insight into why we rave so much about PG.

I dread to think what might have happened had PG not been running or worse still that I didn't even buy it.

Dave

worldcitizen
November 15th, 2004, 07:21 AM
Pilli - which programs should I apply Secure Message Handling to and what will be the effect?

Dave

Pilli
November 15th, 2004, 07:23 AM
Yep, too easy to DL stuff now that your AV / AT etc. cannot stop even with the latest updates.
The war goes on ...

Pilli
November 15th, 2004, 07:42 AM
Me personally? I protect Avant, Firefox, Outlook 2003, TDS3, Port Explorer, CryptoSuite, Kerio 2.1.5, my resident Anti Spyware. I have KAV 5 on my prot list but not with SMH enabled as it already has good protection, as does ZA, though I do not use ZA.

Basically anything Internet enabled that APT can close down easily.

Pilli

Peter2150
November 15th, 2004, 08:03 AM
This is a great testament to PG. I tried running the Trojansimulator to test av/at etc. Needless to say it never got past ProcessGuard. For those who had been curious about Giant recently, it blocked the effort to modify the registry.

Pete

Gavin - DiamondCS
November 16th, 2004, 03:12 AM
Installed the program. NOT suspicious AT ALL, added files in its Program Files folder, nothing else. No termination attempts.

As I emailed you Worldcitizen, contact them. Looks like an uninstaller script error, and it deleted all \RUN keys in the registry. Uninstalled it and all it did was remove itself, albeit incorrectly.

There is no vulnerability as such, but errors like this are very bad for any software: it deletes all startup keys. All protection is still enabled in the PG driver, and you were warned that PGAccount wasn't running. Jason said he will look into this a bit more and already has a very easy solution if the PGAccount key ever does go missing.
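
The two practical questions in this thread are Dave's (how to get the startup entries back without a full registry backup) and the failure Gavin pins down (an uninstaller that wipes every \Run key, which also takes the PGAccount entry with it). A baseline-and-restore script for the Run/RunOnce keys is the check a practitioner would want for both. This is an added example, not code from DiamondCS, ProcessGuard or anyone in the thread; it assumes Windows PowerShell 5.1 or later, and the function names and baseline file path are chosen for this example.

```powershell
# Added example (not DiamondCS or ProcessGuard code): baseline, compare and
# restore the Run/RunOnce autostart values that a faulty uninstaller can wipe.
# Assumes Windows PowerShell 5.1 or later. Function names and the baseline
# file path are hypothetical choices for this example.

$RunKeyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyEntries {
    # One flat record per autostart value; flat records survive a JSON
    # round trip, which nested hashtables do not in PowerShell 5.1.
    foreach ($path in $RunKeyPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        $key = Get-Item -Path $path
        # The unnamed default value is skipped: Run keys do not use it and
        # Set-ItemProperty cannot address it by an empty name.
        foreach ($name in ($key.GetValueNames() | Where-Object { $_ -ne '' })) {
            [pscustomobject]@{
                Key   = $path
                Name  = $name
                Kind  = [string]$key.GetValueKind($name)   # String / ExpandString for Run entries
                Value = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            }
        }
    }
}

function Save-RunKeyBaseline {
    # Take the baseline while the machine is in a known-good state.
    param([Parameter(Mandatory)][string]$Path)
    $entries = @(Get-RunKeyEntries)
    ConvertTo-Json -InputObject $entries -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-RunKeyBaseline {
    # Reports Missing / Modified / Added entries relative to the baseline.
    # "Missing" across every key at once is the signature of the mass
    # deletion described in this thread.
    param([Parameter(Mandatory)][string]$Path)
    $baseline = @{}
    foreach ($e in @(Get-Content -Path $Path -Raw | ConvertFrom-Json)) {
        $baseline["$($e.Key)|$($e.Name)"] = $e
    }
    $current = @{}
    foreach ($e in @(Get-RunKeyEntries)) {
        $current["$($e.Key)|$($e.Name)"] = $e
    }
    foreach ($id in $baseline.Keys) {
        $b = $baseline[$id]
        if (-not $current.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'Missing';  Key = $b.Key; Name = $b.Name; Kind = $b.Kind; Value = $b.Value }
        } elseif ($current[$id].Value -ne $b.Value) {
            [pscustomobject]@{ Change = 'Modified'; Key = $b.Key; Name = $b.Name; Kind = $b.Kind; Value = $current[$id].Value }
        }
    }
    foreach ($id in $current.Keys) {
        if (-not $baseline.ContainsKey($id)) {
            $c = $current[$id]
            [pscustomobject]@{ Change = 'Added'; Key = $c.Key; Name = $c.Name; Kind = $c.Kind; Value = $c.Value }
        }
    }
}

function Restore-RunKeyBaseline {
    # Re-creates only entries that have gone missing. Added or modified
    # entries are left for a human to review: restoring blindly could
    # re-enable something that was removed on purpose.
    param([Parameter(Mandatory)][string]$Path, [switch]$WhatIf)
    foreach ($change in @(Compare-RunKeyBaseline -Path $Path | Where-Object Change -eq 'Missing')) {
        Write-Host "Restoring $($change.Key)\$($change.Name) = $($change.Value)"
        if ($WhatIf) { continue }
        if (-not (Test-Path -Path $change.Key)) { New-Item -Path $change.Key -Force | Out-Null }
        Set-ItemProperty -Path $change.Key -Name $change.Name -Value $change.Value -Type $change.Kind
    }
}

# Usage: take the baseline once on a clean system, then after installing or
# uninstalling anything, diff and (only after reading the diff) restore.
$Baseline = Join-Path $env:USERPROFILE 'runkeys-baseline.json'   # hypothetical location
if (-not (Test-Path -Path $Baseline)) { Save-RunKeyBaseline -Path $Baseline }
Compare-RunKeyBaseline -Path $Baseline | Format-Table -AutoSize
Restore-RunKeyBaseline -Path $Baseline -WhatIf
```

Writing back under HKLM needs an elevated prompt; the HKCU half works as a normal user. The restore step deliberately handles only the "Missing" case, which is exactly the condition Gavin describes (every Run value gone), while "Added" entries, the kind of new startup items Pilli expected to see, are surfaced for review rather than touched. The baseline records only the value kind and string data, which is all Run entries carry; binary values elsewhere in the registry would need a different backup.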

Caliban
November 17th, 2004, 02:16 AM
I am delighted with the latest generation of Process Guard. I have been waiting for this one, stable, simple and powerful, oh and light on the resources. Thank you DCS crew for a fine bit of software. Worth the wait and I hope you sell a million licences.