PROCESSGUARD V3

Discussion in 'ProcessGuard' started by Infinity, Sep 10, 2004.

Thread Status:
Not open for further replies.
  1. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    Restarting Outpost firewall made no difference, neither did a reboot. :-(

    Process explorer does not show procguard.dll injected into process.
     
  2. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    :cool: way cool interface
     

    Attached Files:

    • pg4.jpg (File size: 47.6 KB)
  3. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    process guard crashed again under same way

    no stall on pc

    no crash pc

    another bug windows xp start menu keeps telling me there's a new program and no matter how many times i go to start then processguard folder to show it i seen the new program it won't shut up

    really annoying other programs do it once i look and it shuts up

    processguard always seems to be new
     
  4. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    the interface is way cool and easy on my bad eyes

    it's really clean and to the point

    needs option to hide icon on system tray

    has few bugs

    i hope this has helped

    i ran it into the gutter

    if you need more testing let me know

    has bugs but nothing i'm sure can't be panned out

    also when pg crashes it doesn't take the whole pc with it

    that's a good thing

    no matter what it won't crash your pc

    so it's safe
     
  5. frogfoot

    frogfoot Registered Member

    I think I am going to uninstall this beta. On my system it always allows a new application to run and adds it to the Security list with a 'Permit once' flag. I feel I was better protected with Version 2.
    :'(

    EDIT:
    This effect only seems to happen when the drivers for my Wacom Tablet are installed. If I disable the TabUserW.exe executable from running on startup in msconfig, I am prompted to allow/deny all new programs.
    Tom
     
    Last edited: Sep 20, 2004
  6. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    I put this post in the wrong thread by accident so sorry.

    Some questions.

    1. How SHOULD PG3 be configured?

    2. I install and try a lot of programs so if I install a program with a driver or graphics drivers will PG3 block the installation or will I get a pop up requesting permission?

    3. How are Windows XP updates affected? Do I have to turn off something before installing Windows updates?

    4. How will I know if PG3 is not working properly or if it IS working properly?

    5. If PG3 blocks something how do I know if it is a normal Windows process or something malicious as I don't have technical knowledge of all terms, processes and program names?

    Dave
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    When you first fire up Process Guard it goes into learning mode, this puts normal system and start up files on to the protection list and checksum list.
    After the first reboot learning mode is turned off. Add your trusted security and Internet apps slowly and watch the alerts for any necessary Allows that may be needed.

    You will be alerted that something is trying to do this if you have a General block on say Driver/rootkit/service installation.

    Service packs will require all other programs to be disabled as is the case with many other software updates etc.

    If the Driver is not installed you get a warning that there is a problem
    You can also test it with Advanced Process Termination available from the DCS downloads page, it is free

    For the non technical user anything can be dangerous and it would be very difficult to make a "foolproof" program of this nature.
    Common sense is probably the best thing to use. If for instance you have installed a trusted program then you would expect PG to pop up a question, if however, you are not installing or updating then it would be wise to investigate before allowing.

    HTH Pilli
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    You should set up ProcessGuard for your system while it is clean, and not put it in danger. This way, you can use the learning mode to set it up for you :) Don't install any new programs yet, just leave learning mode on and use your PC for a couple of hours, running all the programs you use most commonly. These programs will get their required configuration no matter what setup you have chosen, even all 4 general options ticked.

    By not putting your PC in danger I mean not getting online and not running any unknown untrusted programs since you are in learning mode. You can quickly add all the common programs and get them protected then reboot once and be all set up. This is how I like to get it set up quickly and easily and knowing everything is compatible and ready to go.

    When installing new programs just choose to allow them, they should install fine. Most program installers just install files. If you suspect a driver will get installed you can disable PG - if you trust the installer completely. OR you could leave protection enabled and watch the alert screen - if it tries to install a driver you can either allow it or abandon the install, at worst you would have to disable protection and then reinstall.

    XP updates should work fine while not in learning mode, just allow the execution of the update. All most updates do is replace files.

    You will know PG is working in everyday use because learning mode should be OFF as soon as possible, and you will receive alerts often. We've tested the protection side of things extensively to ensure it won't just "break" all of a sudden or anything like that.

    I hope to write a very easy to understand portion of the help file about executions and what to allow and what NOT to allow. Part of this might include the suggestion to deny a new program and then examine the file, and update the virus scanner before allowing it to run next time. Most programs don't just run "out of the blue" so if learning mode is allowed to set the machine up properly then these sort of incidents should never occur.
     
  9. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    You wouldn't be using KAV5 by any chance would you? Please email processguard@diamondcs.com.au with some config info and we should be able to fix this. On all but 2 machines so far everything has been perfect.
     
  10. frogfoot

    frogfoot Registered Member

    No not KAV5
    Firewall - Agnitum Outpost 2 Pro
    Anti Virus - Sophos AV
    Anti Trojan - TDS3 Full

    What info do you need?
    Tom
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Starrob

    Reading the thread backwards so if your question was answered I apologize. The answer is some things will need it. For instance, on Microsoft's site, which I consider a trusted site, I wanted to run their test for my machine's ability to run Flight Simulator. IE kept on crashing. Turns out it needed permission to access physical memory and once I allowed IE that privilege the test ran fine.

    Pete
     
  12. Pilli

    Pilli Registered Member

    Hi Tom
    In alerts open your logfile and copy / paste into an email to support@diamondcs.com.au
    It may also be helpful if you can list your Operating system and resident programs.

    Thanks. Pilli
     
  13. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    frogfoot : Ok thanks ! will get Jason to look and let you know :)
     
  14. worldcitizen

    worldcitizen Registered Member

    Thanks very much Gavin and Pilli for all that info.

    When I used PG2 I noticed that during a defrag some files could not be defragged so should I have PG3 turned on/off during defrag and how does this affect the drive if I can't defrag it - i.e. will it eventually get corrupted? Also a couple of times PG2 crashed it wiped or changed my anti-virus beyond recognition and caused disk errors so is this new one as dangerous too?

    One other thing is that I am like many people and when I'm surfing or installing something new I'm engrossed in what I'm doing and WON'T remember to turn off PG3 during driver installs (or too late after clicking on the install button - that's me!!) or updating Windows or defrag etc so I hope that to a certain extent PG3 is 'idiot proof' or 'set it & forget it' because I almost always forget to turn it off until it's too late and that poses problems unless PG3 has an inbuilt 'idiot proof scanner' that will just let me go on my merry way and forget it's there!!

    I hope you don't mind me asking all these questions because they are from the standpoint of the average ignorant user who knows almost nothing and needs to get some simple basics to feel confident to use the program.

    With user switching how does it work now? My wife and I both have separate accounts in XP Home and both are administrator accounts. Can we both access it?

    I really appreciate your super fast replies because I want to install it but am a lot hesitant because of problems I had with PG2 and I just got a new motherboard so I don't want to have to re-install Windows again as I have everything running just great and this is beta software. I'm a 'set it & forget it' type of user that doesn't want to get bogged down with all sorts of problems arising. I basically just want the protection without any hassles.

    Regards

    Dave
     
  15. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia

    I am sort of glad you are experiencing this problem, because one of our beta testers also has, but no-one else at this stage. It shouldn't be that difficult a problem to fix once the issue is found I think, but finding the issue is the hard part here. :)
     
  16. worldcitizen

    worldcitizen Registered Member

    I think Gavin that something needs to be written for the 'mainstream user' who has the 'set it and forget it' mentality and doesn't want to get bogged down with technical problems and trouble-shooting. If this program can appeal as much to the mainstream user as the DCS tech savvy guy then it will be a great win for PC security as well as sales.

    My sister looks after 3 kids so all she's got time for is to install a program and then forget about it so if you can fashion your programs for simplicity and ease of use for people like her then it's a great step to getting people like this interested in this kind of software. She bought a new PC and I TOLD HER to get an AV immediately and she ignored me and then got hacked and infected so badly that she eventually went out and bought an AV at once but she still can't get some spyware off her machine and I couldn't get it off either so now she knows about the need for installing SP's!! She picks me up once every so often and drives me 20km to her place & treats me to Big Macs to fix her PC because she's got no time or patience and this is the kind of people that need your program but as long as it is no hassle to run. She rings me up to do her internet banking because every time she tries to access it her PC logs off her account and logs onto another account called 'Mark'. Every time she wipes it, it comes back again and anti-spyware says it's coolwebsearch but I tried to delete it and it came back and nothing helps so looks like I'll be in for some more Big Macs to re-install Windows for her.

    The point here is I could probably talk her into buying PG as long as it leaves her alone and she doesn't have to worry about it.

    Dave
     
  17. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    There could be some problems with software that protects itself from DLL injection, like some firewalls may. I will have to investigate the latest Outpost and other firewalls. Secure Message Handling does require a lot of tweaking to get it to work well with a lot of applications, however some applications which I personally don't think have well-coded exit routines are hard to add secure close handling to.

    Most applications can be shut down in a variety of ways, not just by pressing the close button, which is what causes the issues sometimes. For instance, there might be a menu item called "Exit" which has its own exit routine separate from pressing the X button. You get request dialogs saying windows are being shut down, and regardless if you say cancel to these requests the application doesn't care and eventually quits anyway. At least with these abnormal methods there needs to be specific shutdown methods to close them down, not just generic ones (which Process Guard would catch).

    There is no good way to determine which application sent the message. However there might be some alternative ways around handling shutdown.

    Human Verification Dialogs will be added to the ProcessGuard GUI when making changes very soon, they are not in the current BETA.
     
  18. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    With all due respect, unless DCS can add a mind-machine interface to PG this is not going to be a realistic possibility. First of all, PG's settings will have to be altered for special circumstances (e.g. installing a new application or Windows patch) at least temporarily and since the user is doing the installation/upgrade, only they will know when settings should be relaxed and tightened again. Secondly, it is not practical to build a database of "good" (to be allowed) and "bad" (to be denied) programs due to the huge amount of software available (even just keeping track of specialised malware like trojans is enough of a struggle) - the user will have to make the decision here also.

    The only way for a novice to achieve trouble-free security is to allow someone else to administer their PC - to decide what gets installed and when. Software like PG does provide greater control over Windows' internals, but just like a firewall, the user has to empower themselves with the knowledge of how best to use it.
    Outpost does pop up another dialog to request confirmation that you want to shut it down so that could be the problem. Perhaps the best solution is a "special CMH" option where PG could actually terminate the process itself after verification to avoid having to deal with any such prompts - or alternatively PG could send a user-defined keystroke sequence to the application to close it cleanly (a more civilised option).
     
  19. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    I think every security company in the world is trying to do something like this, but it is really impossible with the current technology how it is. The problems of security on computers is roughly caused 5% by the computer and 95% by the person using it. Until we can attach upgrades to people's brains I think we are going to continue having problems for the people who refuse to learn such things. :)

    ProcessGuard is here for people who at least want to learn something, or have learned some things, and know that even if you know it all your computer is still at risk (that 5% I mentioned).

    ProcessGuard users could almost (I stress almost) use it entirely for the security on their computer due to how well it works. It blocks the really bad programs from installing on your computer (rootkits), it alerts when new programs run (things like Blaster worm would be stopped), it alerts when programs change, it alerts when something tries to modify/terminate/read something else, etc. Even if a program gets beyond the first level of ProcessGuard's protection, there is not much a program could do to the system that ProcessGuard does not protect against.
     
  20. Meed

    Meed Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    22
    Also:

    I agree. However (on pgv.2 / Windows XP Home) I often every now and again get a pop from pg out of the blue (nothing prompting it), asking whether to allow HelpSvc.exe to run (C:\WINDOWS\PCHealth\HelpCtr\Binaries) with the command line: "C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe" /embedding.
    Then about 1 second after that asking whether to allow wmiprvse.exe to run (C:\WINDOWS\system32\wbem), with command line: C:\WINDOWS\system32\wbem\wmiprvse.exe -embedding. These two are the ones that occur most frequently, and interestingly they seem to run when the pc has been idle for a while. They are both Microsoft programs with helpsvc.exe being Microsoft Help Center Service, and wmiprvse.exe being Windows Management Instrumentation. So I usually allow them to run. But it's strange that they are running at all, as I am not prompting them to run. I could understand a program running on its own, out of the blue, if it were like a program registration reminder dialog or the desktop clean up wizard, which runs every 60 days, but not this helpsvc & wmiprvse.

    Another program that sometimes runs out of the blue by itself with no prompting is the ms defrag tool, it's not in the pg event log at the moment, so I can't give any more details, but I have seen it run before when that system is just sitting idle. When these programs, helpsvc, wmiprvse, defrag thing run, nothing happens. No boxes pop up or anything, the only thing is they get added to the wintaskman process list, then disappear off the list a little while later. Strange, what do you think?

    Cheers, Meed.
     
  21. Pilli

    Pilli Registered Member

    Hi Meed, Windows runs quite a few housekeeping programs such as those you have mentioned. Personally I do not have a problem with them as I know they are legitimate. If for some reason they were changed then the check sum would change and I would be alerted, then I would investigate. :)

    You can turn off a lot of these services with SafeXP or XP-Antispy if you so desire.

    Pilli
     
  22. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    :p yup im uninstalling it today

    no complaints about the interface

    miss the confirmation change this by typing in letters should be an option

    crashes

    no option to hide icon on taskbar

    no right click on icon option list

    off to recycling bin
     
  23. se7engreen

    se7engreen Registered Member

    Joined:
    Feb 6, 2004
    Posts:
    369
    Location:
    USA
    I noticed on the Main screen that the status always reads "Status:System Secure". Is this supposed to change at all? When I disable protection it still reads system secure.
     
  24. Pilli

    Pilli Registered Member

    Hi se7engreen, I think this will be addressed for the full release.
    What DCS want to test mainly is the driver and protection stability before adding the bells and whistles :)
    Plus the fact it gives all something to look forward to. :)

    Cheers. Pilli
     
  25. se7engreen

    se7engreen Registered Member

    Thanks Pilli, it's good to know that there are even more improvements to look forward to. Things have been running smooth for me for the past several hours with PG running with all my other apps. The only other anomaly I noticed is when I permit an app to run only once, I am able to run the app over and over again without any warning. Is this something that still needs work or am I the only one experiencing this?
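
Added example, not part of any post in this thread and not DiamondCS code: a minimal Python model of the behaviour the thread describes, with learning mode filling the checksum list, an alert when a listed program's checksum changes, and a "permit once" reply that must leave nothing stored so the next run prompts again. SHA-256 as the checksum, the class and function names, the `C:\Temp\newtool.exe` path and the byte strings standing in for executable images are all assumptions.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    ASK_NEW = "ask: program not on the list"
    ASK_CHANGED = "ask: checksum differs from the recorded one"


class ExecutionGuard:
    """Toy model of checksum-based execution control; not ProcessGuard's code."""

    def __init__(self):
        self.learning = True   # learning mode: record instead of asking
        self.approved = {}     # normalised path -> SHA-256 of the approved image

    @staticmethod
    def _key(path):
        return path.lower()    # Windows paths compare case-insensitively

    @staticmethod
    def _digest(image):
        return hashlib.sha256(image).hexdigest()

    def check(self, path, image):
        """Decide what happens when `path` (with contents `image`) starts."""
        key, digest = self._key(path), self._digest(image)
        if self.learning:
            self.approved[key] = digest   # anything run now becomes trusted
            return Verdict.ALLOW
        recorded = self.approved.get(key)
        if recorded is None:
            return Verdict.ASK_NEW
        if recorded != digest:
            return Verdict.ASK_CHANGED
        return Verdict.ALLOW

    def answer(self, path, image, choice):
        """Apply the user's reply to a prompt; return True if this run may start."""
        if choice == "always":
            self.approved[self._key(path)] = self._digest(image)
            return True
        if choice == "once":
            return True        # nothing is stored, so the next run asks again
        if choice == "deny":
            return False
        raise ValueError(f"unknown choice: {choice!r}")


def demo():
    # Constructed sample data: byte strings stand in for executable images.
    helpsvc = r"C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe"
    newtool = r"C:\Temp\newtool.exe"   # hypothetical path
    guard = ExecutionGuard()
    results = [guard.check(helpsvc, b"helpsvc v1")]               # learned
    guard.learning = False                                        # learning mode off
    results.append(guard.check(helpsvc.upper(), b"helpsvc v1"))   # known, unchanged
    results.append(guard.check(helpsvc, b"helpsvc patched"))      # file was modified
    results.append(guard.check(newtool, b"tool"))                 # never seen
    guard.answer(newtool, b"tool", "once")
    results.append(guard.check(newtool, b"tool"))                 # asks again
    guard.answer(newtool, b"tool", "always")
    results.append(guard.check(newtool, b"tool"))                 # now trusted
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.value)
```

The first line of `demo()` also shows why learning mode belongs on a clean, offline machine: whatever runs while it is on is recorded as trusted without a prompt.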
     