With regard to Process Guard , does a computer user who :- 1) Does not visit high risk sites 2) does not download from iffy sites 3)does not execute .exe attachments 4) does not use pirated software 5) has a good AV prog installed with up to date signatures - say Nod32 6) has a good firewall installed-say Sygate Personal Pro 7) regularly scans with Spybot and/or Adaware (free) for malware

..... need to have the paid for version or the free version to complete his/her security configuration?

Hi.

You are asking this in a forum devoted to Process Guard. What do you think most people here will say?

:)


Okay okay, if you want to know my answer is probably not. But you never know.... There are worse things to sink your money into if you can spare the cash.

Okay time to go, I'll let Richrf and others give you the sales pitch about 'executable portables' and 'catching strangers at the door' analogies.

-{ Quote: "With regard to Process Guard , does a computer user who :- 1) Does not visit high risk sites 2) does not download from iffy sites 3)does not execute .exe attachments 4) does not use pirated software 5) has a good AV prog installed with up to date signatures - say Nod32 6) has a good firewall installed-say Sygate Personal Pro 7) regularly scans with Spybot and/or Adaware (free) for malware

..... need to have the paid for version or the free version to complete his/her security configuration?" }-


Hi Palombaro

Assuming 1,4 are totally true you indeed might not need the paid version. Looking at my signature some might class me in the paranoid category. I also qualify on the 1,4 items plus the software, but the deciding factor for me is that my computer is online a good portion of the day, and my computer is mission critical for several business activities. The cost of this software is trivial compared to the cost to me of having a computer down to clean an infection.

I would say what you need to measure is given a small risk, what is the cost of having something slip by, and weigh that against the cost the software. It's kind of like an insurance decision.

Pete

-{ Quote: "With regard to Process Guard , does a computer user who :- 1) Does not visit high risk sites 2) does not download from iffy sites 3)does not execute .exe attachments 4) does not use pirated software 5) has a good AV prog installed with up to date signatures - say Nod32 6) has a good firewall installed-say Sygate Personal Pro 7) regularly scans with Spybot and/or Adaware (free) for malware

..... need to have the paid for version or the free version to complete his/her security configuration?" }-

The question is whether you visit only trusted sites, or do you surf at all. If you surf at all, there is always a possibility that you will get attacked. It happened to me by just linking to a site from Google after a totally innocuous inquiry (something related to dinosaurs or something like that). So, if you only visit trusted sites, then I don't see that you have any problem. If you visit sites that you do not know for sure are trusted - well all bets are off and ithen who can really say. For me, the few dollars it costs for PG licensed is more than worth it. Some people insure their car against collision and others don't. Everyone is different.

Rich

-{ Quote: "Hi Palombaro
.

I would say what you need to measure is given a small risk, what is the cost of having something slip by, and weigh that against the cost the software. It's kind of like an insurance decision.

Pete" }-

Yeah kind of, except real insurance pays you monetary compensation. Security software gives you no guarntees.

Otherwise a balanced commentary

Insurance: any means of guaranteeing against loss or harm; [Random House Unabridge dictionary]

Yes and I don't see one for using software.

-{ Quote: "Yes and I don't see one for using software." }-

Example sentence from the Random House Dictionary:

"Taking Vitamin C is viewed as an insurance against catching colds".

Another example:

Using HIPS is viewed [by many] as an insurance againast catching viruses and other types of malware.

I don't want at all to argue with the comments above but I just have this nagging doubt about the level of security software we actually need. The fact is in year of heavy net use, permanently connected to the net, and using only NOD 32, Spybot, Sygate firewall ( licensed) Adaware. ( two free , two licensed) I have had not one attack from a virus, trojan key logger etc. Tracking cookies , of course I remove with Sybot.
Recently I have added the freeversion of Process Guard to complete a reasonably secure system - it was the missing element(insurance policy) -given my behaviour.

Nobody takes out insurance against every mishap that might befall them. No , they measure the risk aginst their circumstances, against their behaviour and then take out an appropriate level of insurance. I would argue that is exactly what PC users should do and yes Process Guard should be part of that insurance but maybe the free version is enough for many of us.
Surely my configuration is enough insurance for most users.

-{ Quote: "Surely my configuration is enough insurance for most users." }-

Depends. I installed a program from a site, that at the time seemed to be run by a very large and "trusted" company. Only, when I installed the software, PG alerted me that it was trying to install a "driver/service", which I thought was odd, so I disallowed it. It was only much later, did it become clear on a forum, why this company's software was trying to install a driver/service, and I am glad I had the opportunity to stop it.

For me, "total control" on what is installed and runs on my computer is what it is all about. I don't trust the "trustworthy" companies. The latest red flag being how MS AS is now handling Claria. Where there is money to be made, companies just ignore or privacy and ethics issues and do what they can to get information from my machine. At least that is what my most recent experiences have been and why I no longer trust signature based systems that are maintained by commericial vendors. I am just going to keep my own watchful eye on things. But it is not for everyone, I know.

Cya,
Rich

It isn't always possible to predict whether you're indulging in high-risk surfing. It's entirely likely that a new site that gives every outward indication of being legit may in fact be dodgy. The same is true if you test-drive shareware or demos from time to time. Under these all-too-common circumstances, having a multi-layered security strategy becomes important.

Whether you decide to move to the paid version of PG is ultimately up to the individual. However, I tend to think that it's only fair for developers to want\need compensation for their work. For me, this idea extends beyond just wanting added features. So far, PG has been a great app that I in no way regret purchasing.

Points well-made Richrf and Hard Warrior, I am almost convinced. Dead right about the ethics of profit making concerns, also dead right about the need to reward those software developers with scruples. (Diamaond CS , for example)

-{ Quote: "It's entirely likely that a new site that gives every outward indication of being legit may in fact be dodgy. " }-I agree.. also, you may be able to trust the site itself, but what about their advertisers? You also never know if it's been hacked, there will always continue to be worms like Download.Ject. That said, however, whether PG free is enough for you is really up to you. Are you comfortable making decisions on all of PG's prompts? If you're not completely comfortable with it's execution prevention, it may be worth adding something else.

-{ Quote: "With regard to Process Guard , does a computer user who :- ..... need to have the paid for version or the free version to complete his/her security configuration?" }-

Palombaro, Hello. :D

I'm in the same boat that you are regarding safe surfing. Every piece of malware I've come across came to me via email. I use Outlook Express' Preview Pane - which is probably not a smart thing to do. I don't click on attachements either. For me, PG has been a good friend and has helped me. So to answer your question, I would say yes to PG (IMO), right after a good firewall and AV.

P.S. I would probably say no to an AT in your case. I just use one (among many other pieces of security software) because I like experimenting. It's a hobby! ;)

Thanks Daisey. I have decided to go with the following config and see what happens.
Nod 32 +Sygate PFPro + Spybot + Adaware + ProcessGuard(Free)
For the moment I will stick to the free version of PG until I get used to some of its calls. Should I manage to get my head round PG I will certainly purchase the licence.

-{ Quote: "Yeah kind of, except real insurance pays you monetary compensation. Security software gives you no guarntees.

Otherwise a balanced commentary" }-

You are right, no guarantee's. If my computers weren't online all day, and if they weren't mission critical, I wouldn't go nearly as far as I do. But all it took for me was the effort required to clean up an infected computer(not mine) and the risk to me just isn't worth it. The pay off for me cost wise it avoiding the cost of cleanup.

to Palombaro

I take the same approach with backup. I can't afford to be down, so I use 3 different backup programs to 2 different backup devices. Same reason. Cost of doing it vs cost of being down. Has never happened yet, therefore what I have spent so far could be considered a waste. But.......


Pete

-{ Quote: "Thanks Daisey. I have decided to go with the following config and see what happens.
Nod 32 +Sygate PFPro + Spybot + Adaware + ProcessGuard(Free)
For the moment I will stick to the free version of PG until I get used to some of its calls. Should I manage to get my head round PG I will certainly purchase the licence." }-

Understood. I think you'll find it easy to use, once you understand it better. If you ever have any questions, you know where to ask! ;)

-{ Quote: "Depends. I installed a program from a site, that at the time seemed to be run by a very large and "trusted" company. Only, when I installed the software, PG alerted me that it was trying to install a "driver/service", which I thought was odd, so I disallowed it. It was only much later, did it become clear on a forum, why this company's software was trying to install a driver/service, and I am glad I had the opportunity to stop it.

For me, "total control" on what is installed and runs on my computer is what it is all about. I don't trust the "trustworthy" companies. The latest red flag being how MS AS is now handling Claria. Where there is money to be made, companies just ignore or privacy and ethics issues and do what they can to get information from my machine. At least that is what my most recent experiences have been and why I no longer trust signature based systems that are maintained by commericial vendors. I am just going to keep my own watchful eye on things. But it is not for everyone, I know.

Cya,
Rich" }-

Hi,
Rich, so basically what you say, the abundance of security is to give you more control of what is happening in your machine rather than prevent acutal attacks against it, since even if probably only half your setup, you're still rather secure. If that's your angle, I like it. Comparing back to cars, I would like to be able to install in my car a particular type of brakes, or particular type of fuel injection etc.
But for someone who just wants to be secure, it can be done with less.
Seeing people around me and helping them get rid of spyware in their machines, I realize that it narrows down to what the user does at the end of the day. The rest is paranoia, cosmetics, fetishes and hobbies.
Cheers,
Mrk

-{ Quote: "
Rich, so basically what you say, the abundance of security is to give you more control of what is happening in your machine rather than prevent acutal attacks against it, since even if probably only half your setup, you're still rather secure. " }-

Hi,

1)ZoneAlarm: Firewall
2) KAV 5.0: On-access anti-malware file protection
3) ProcessGuard: anti-executable, driver/service, global hook, rootkit installation protection
4) RegDefend: registry protection
5) WormGuard: script protection

Whether or not this is an "abundance" of security, I guess is in the eyes of the beholder. For me, it is just right.

-{ Quote: "If that's your angle, I like it. Comparing back to cars, I would like to be able to install in my car a particular type of brakes, or particular type of fuel injection etc." }-

Yes, I would like to decide what goes on my computer, rather than leaving it up to some other vendor to decide - e.g Microsoft/Claria issue.

-{ Quote: "But for someone who just wants to be secure, it can be done with less." }-

Less? In what terms? Dollars, manhours learning, manhours installing, manhours maintaining? Maybe if you give me the absolute equivalent configuration (to the exact detail) that you believe can replace what I have, it might help. Generalities are difficult to discuss.

-{ Quote: "The rest is paranoia, cosmetics, fetishes and hobbies." }-

I think it is just people doing the best they know how, with what they know and what they can achieve (time, money, experience, etc.)

Cya,
Rich

-{ Quote: "The rest is paranoia, cosmetics, fetishes and hobbies." }-I wouldn't be so quick to judge, you never know what people's circumstances are.

Hi,

Perhaps the question could be expanded to "do we really need personal HIPS/proactive protection/behavioural blockers?"
And this question can be related to this thread: http://www.wilderssecurity.com/showthread.php?t=91297

Absolutely sure:a single host without Process Guard:
- has more chance to be compromised/infected by a malware,
-facilitates the job of the potential intruder.

I don't have a risky surf, don't use P2P/Warez softs/ICQ/MSN/Outlook/Thunderbird/bank-shopping online, never store any sensitive information on my computer and i'm not paranoiac at all.
Result: i never trust in scanners for my security.
Many people can be infected with an AT/AV/AS: it's really common as it is often noticed on the "virus/backdoor/worm area

AVs are limited by their database: they can only detect/block what they know.
And AV publishers can't be aware in real time about all new threats and malwares:for instance Blaster, and recently Kelvir have not been detected/blocked (only after a few hours); but were blocked by some personal HIPS/behavioural blockers.

In order to detect all malwares, AV vendors should place a guard behind each potential malwares coder in the world!
Staying aware about 29A, HangUp or CWS groups is not sufficient.
For instance, a new PAID version of the free Hacker Defender will be available at the end of this month:some AV publishers would perhaps pay to integrate it in their database...

No need to have a risky surf to be infected by a Cool Web Search trojan: recently, the Sunbelt labs has discovered new variants which are not detected by any AT/AV: for this case, risks are real for the ones who use online banking/shopping: http://sunbeltblog.blogspot.com/ (august 8 and 4).



Technically, AVs are bypassed like it's shown in this research paper:
http://www.securityelf.org/html/software_misuse/index.html

Solution like ProcessGuard increase the level defense, especially against unknown/new threats/malwares.
For instance, worms typologies provide many possibilities for new variants:

-SSH worm:
http://www.schneier.com/blog/archives/2005/05/the_potential_f.html

-Web application worm:
http://www.imperva.com/application_defense_center/white_papers/application_worms.html

Being infected by a malware is not a big problem, but it costs time and sometines datas...
Finally, with or without ProcessGuard, it's a personal choice: each one his policy.
Palombaro: on the next links, you'll find independent reviews about Process Guard which is well known to be an anti-rootkit/keylogger solution.

http://www.morgud.com/go/open/Digital-Fort-Knox.pdf

http://www.wilderssecurity.com/showthread.php?t=90583

I'm not a PG user (it will be an over-protection on my system) but i can't contest (see the "Overall" link ) that it's an excellent product.

Regards

-{ Quote: "I wouldn't be so quick to judge, you never know what people's circumstances are." }-

Hi,

Actually I was talking about myself ^^

@rich, when I said less, I meant mainly the effort introduced into the processs of securing your system, by not just installing programs, but by learning them and eventually controlling them. For instance, hardening takes a lot more than clicking buttons in a GUI. It takes deep understanding of processes and how the OS wants its stuff done.

Cheers people,
Mrk

The paid for version of PG gives extra protection compared to the free version.

The extra protection is:

Protect physical memory
Block global hooks
Block rootkit/driver/service installation
Block registry dll injection

Can a piece of malware do any of the above without executing? If not, the free version is as good as the paid for version.

-{ Quote: "The paid for version of PG gives extra protection compared to the free version.

The extra protection is:

Protect physical memory
Block global hooks
Block rootkit/driver/service installation
Block registry dll injection

Can a piece of malware do any of the above without executing? If not, the free version is as good as the paid for version." }-

There have been several occassions when I allowed a process to execute only to find that it was trying to install a driver/service or obtain a global hook, which I was then able to stop. So these added capabilitiews were very helpful to me. The block registry dll injection can occur without a user being aware of it. Here is a paper explaining this:

http://www.commontology.de/andreas/win_secure_pg3.html

Rich

Thanks richrf, I had a quick search through the paper. I'm still not convinced that the change to the registry for the dll protection can be accomplished without something executing first (perhaps I missed the relevant bit, could you copy and paste the relevant bit or PM me thanks).

I can see your point on the install driver/service blocking. Why would a supposed note taking program need a driver/service, suspicious.

The extra protection from the paid version may help if you deliberately execute unknown programs but for general surfing will they give you any added protection if you block unknowns from executing?

-{ Quote: "Thanks richrf, I had a quick search through the paper. I'm still not convinced that the change to the registry for the dll protection can be accomplished without something executing first (perhaps I missed the relevant bit, could you copy and paste the relevant bit or PM me thanks).
" }-

Rich

Hi SpikeyB,

The issue that the paper is discussing is how processes can be initiated and doing work without the user ever knowing it. ProcessGuard warns of these occurrences: e.g. attempter dll injection, global hook acquisition, rootkit installation, etc. This is the part of the paper that discusses these issues.

Rich

-{ Quote: "On a seemingly unrelated edge of the malware front have trojans a year or so ago started to use another technique to bypass personal firewalls: It's called "dll injection" and it means that the trojan injects (parts of) its code as a dynamically loaded library (dll) into running processes that are likely to be allowed to communicate through the firewall. While the firewall might alert or even block an "attempt by Iamatrojan.exe to send data to 123.456.789.123 (www.homeofthetrojans.com)", it will probably already be so configured as to let, say, InternetExplorer send data to any host's www port. So the trojans manage to have their code being executed by Internet Explorer and the firewall lets the communications pass.
Dlls are actually a good thing: If you're writing a routine, or a set of routines, associable with a specific task (say, image rendering), maybe you don't have to have these loaded into memory until your main application program (maybe a word processor) wants to do something which corresponds to that task. Then you put them - in about the executable form they would have if they were static parts of the main application program - into an extra file which the application can load on demand. This has the additional advantage that some other application that might want to perform similar tasks (say, a webbrowser) can also load that extra file with your routines and doesn't have to invent the wheel twice.
Now the trick is that, just like with TerminateProcess(), any program can call a function on another program that makes the other program load a dll of the caller's choice, and that makes the other program execute the instructions therein. It needs a bit of tweaking so that the "host" program doesn't just crash for executing this foreign code, but that's something the trojan authors now can handle.
Initially, the personal firewalls made sure that communications belonged to a certain application program in order to be permissible, but that wasn't sufficient anymore. Consequently, many firewalls have started to also control what dlls are being loaded by applications that are potentially allowed to send data out. Unfortunately, there are applications that are very common (like InternetExplorer or WindowsExplorer) that load really very many dlls even out-of-the-box (and even more with more software installed), and so that control is not only a venture into a territory which is not the proper ground of firewall software, but is also necessarily complex and means a significant resource strain.

A final, also seemingly unrelated, tendency has emerged in even more recent times: Strategically spoken, trojans are being used less to have fun with some unwitting victim "l00ser" computer user, but to more or less professionally sniff out bank account and password data. (Or, to have the infected machine act as a relay for spam mails where the trojan operator can send thousands of mails, and be paid by some crook for it, but never be traced back because the mails are originating on the poor infected user's machine.) Technically, that information retrieval is done a) by searching the hard disc for sensitive information, but more importantly b) by logging all the keystrokes of a user. To have this logging installed, and to have it hidden, trojans are beginning to meddle with the internals of the windows operating system. They hook onto the "keyboard handler", and they inject themselves into the OS's central processes.
Slowly but surely, they're also beginning to adapt a hiding technique known from unix malware by the name rootkits: They mess with central system functions in such a way that the user or even other programs can not even see that they're there. For example, they have the Task Manager behave normally and list all the running tasks - except one, the trojan task. They are using techniques discussed above (dll injection and process manipulation), but no longer on the programs that prevent them from working as intended, but on those core processes that even the scanners have to use to find them. It's going to be interesting to see how the anti-virus, anti-trojan developers counter that threat.

I hope it has become clear that all of these threats have a common root in Windows' architecture. While the architecture is so designed as to keep the memory space, data and command stack of all processes totally seperate from each other, the demands of possibilites of process interaction seemed to require a way to bridge that gap, and Microsoft decided to deal with it by providing functions which put everything about a process into the hands of the one that calls the function.
The most natural, most common-sensical reaction, is of course: Ah! Why didn't Microsoft design a proper way of inter-process transactions in the first place?! Or: Wouldn't Microsoft just come up with a patch that has these transactions happen in a more secure way?! (The answer to that latter question is of course, as anyone can easily guess: Nope.)" }-

Thanks richrf.

I think that explains how PG will block things if you allow a program to run. It's not clear whether the nasties have to execute first, e.g. can program X call a function on another to load a dll or can program x take memory space without program x executing? I don't know the answer but I wish I did.

-{ Quote: "Thanks richrf.

I think that explains how PG will block things if you allow a program to run. It's not clear whether the nasties have to execute first, e.g. can program X call a function on another to load a dll or can program x take memory space without program x executing? I don't know the answer but I wish I did." }-

ProcessGuard, together with other security products and/or techniques, seeks to cut off these tunnels at key junctures or "choke points" that are known to be exploited by malicious software. PG in particularly addresses some very important ones including the initial execution, installation of drivers and services, physical memory access . etc, which can cause havoc on a machine. TO what extent they are important to any individual's environment lies in the way an individual uses a system.

If new programs are not installed, or are only installed from trusted sources (assuming one trusts MS), then the free version may be all that is needed. In my own experiences, I have been pretty surprised by what some vendors are doing, and am glad that I was notified that the company was trying to isntall a driver/service, which I was able to stop. It is quite possible to avoid all of this stuff, by minimizing ones use of the Internet, and ultimately abstinence may be the best approach - from a security and life perspective. ;)

Cya,
Rich

The thread is providing lots of useful info. It does reveal one problem though , i.e. to run the full version of Process Guard seems, to me at least, to require the user to make decisions which presuppose a relatively high level of knowledge on the part of the user. Most users , me included, just do not have this knowledge, neither do they have the time or inclination to acquire it.
I know that much of the threads in Wilders are in fact conversations between the expert or experienced and maybe this gives the impression that the full PG is more complex than it is . Is the average user really able to use it on the basis of 'look and click' or is the apparent complexity actually the case?

(I also know that when an 'innocent' like me asks questions in the forum they are answered generously and clearly)

I know I've talked a bit about PG not being appropriate for all users, but I mainly reffer to the multitudes of users that have very little computer skills that are in the greatest need of security and come here when things get bad. It's all pretty subjective, really.. are you comfortable with the file system? That is, if you lost a shortcut to a program in the start menu, would you know how to go in through "My Computer" and start the program manually? More appropriately, if your antivirus detects something as a trojan, are you comfortable differentiating between an actual detection and a false positive? If you can manage that, then you might give PG a try, just read through the help file and you should be just fine. :)

-{ Quote: "The thread is providing lots of useful info. It does reveal one problem though , i.e. to run the full version of Process Guard seems, to me at least, to require the user to make decisions which presuppose a relatively high level of knowledge on the part of the user. Most users , me included, just do not have this knowledge, neither do they have the time or inclination to acquire it.
I know that much of the threads in Wilders are in fact conversations between the expert or experienced and maybe this gives the impression that the full PG is more complex than it is . Is the average user really able to use it on the basis of 'look and click' or is the apparent complexity actually the case?

(I also know that when an 'innocent' like me asks questions in the forum they are answered generously and clearly)" }-

I felt very much like this when I initially installed PG. But I quickly found out that whoever writes helpfiles at DCS has a REAL touch for it. In the course of about 45-minutes I was able to familiarize myself with the ins and outs of PG, and was able to knowingly configure it for my circumstances. Don't worry, if I can master it you can too. ;)

-{ Quote: "It's not clear whether the nasties have to execute first, e.g. can program X call a function on another to load a dll or can program x take memory space without program x executing? I don't know the answer but I wish I did." }-Does anyone know the answer to this?

-{ Quote: "Originally Posted by SpikeyB
It's not clear whether the nasties have to execute first, e.g. can program X call a function on another to load a dll or can program x take memory space without program x executing? I don't know the answer but I wish I did." }-

Without executing a trojan can't do anything. The only pure code attack seen is the SQL Slammer worm which was a small exploit of SQL servers. PG deals with executables, since thats where most threats are. Nearly all threats...

And no, there is NO way to execute a file without being hooked by PG and stopped from running. Learn the system with PG in a clean state then protect it and it will stay clean !

-{ Quote: "...Learn the system with PG in a clean state..." }-

A very important point. ;)

-{ Quote: "Without executing a trojan can't do anything. The only pure ............" }-Thank you.