Wilders Security Forums  

  #151  
Old March 2nd, 2007, 01:41 AM
EASTER.2010
 
Posts: n/a
Default Re: ProcessGuard - Is the free version strong enough?

Quote:
Regdefend works in a limited mode after the trial expires. I believe the block option is removed when something pops up, however the block all option remains and if you need to block anything specific you can manually add a rule to do so.

Thanks farmerlee

And as to AppDefend? Very Nice program indeed. Even though there is an entire sub-forum devoted to it some of us are only now discovering it.
  #152  
Old March 2nd, 2007, 09:32 AM
duke1959 duke1959 is offline
Very Frequent Poster
 
Join Date: Jul 2006
Posts: 1,238
Default Re: ProcessGuard - Is the free version strong enough?

EASTER.2010. Since you use AVG AS and have used PG Free and Cyberhawk, let me ask you this. Do you see any need for me who is using AVG ISS and currently PG Free, to also have Cyberhawk on board? I have come to understand from your and other posts the importance of having a backup like AVG AS with PG Free, but what about rootkit installations and other things that are not covered by either AVG AS or PG Free? This is where I would think CH would come in. I'm just not sure if I need all this protection, and want to limit my number of apps. I'm also thinking about eliminating my Firewall if I stay with PG Free. Any help from you and others actually would be greatly appreciated. I have at least settled on keeping the AVG Antispyware Component installed, and definitely won't stop using AVG AV at this point, and now just want to use something else that best complements them. I like PG Free very much, but the test results and forum support of Cyberhawk keep making me want to go back to just using that, unless of course running them together does make sense. Thanks.
  #153  
Old March 2nd, 2007, 11:11 AM
Chuck57 Chuck57 is offline
Very Frequent Poster
 
Join Date: Sep 2002
Location: New Mexico, USA
Posts: 1,358
Default Re: ProcessGuard - Is the free version strong enough?

I had Cyberhawk (free) on this machine for a while. Had just about everything on here at one time or other, I guess. At first, I liked the idea of the ... "silence." Very few popups, etc. After a while though, I wanted some activity, if nothing else just to know it was doing something. Sounds strange, I know.

The free version seems to cover the important bases, but what else is needed to deal with what CH free doesn't?
__________________
"If guns are outlawed, only the government will have guns. Only the police, the secret police and the military.... Only the government - and the outlaws. I intend to be among the outlaws." - Edward Abbey
  #154  
Old March 2nd, 2007, 11:19 AM
duke1959 duke1959 is offline
Very Frequent Poster
 
Join Date: Jul 2006
Posts: 1,238
Default Re: ProcessGuard - Is the free version strong enough?

Hey Chuck57, I too have had way too many programs on this PC over time, but I enjoyed it. I have decided to stay with AVG AV and AS, but may try Comodo Firewall again, and then just use Cyberhawk yet and be done with it. I understand what you're saying about the silence part. Some of that was why I would uninstall the Antispyware Component and try other ones like Spyware Terminator or PG Free. This is also why I'm partial to PG Free compared to CH, but I'm hoping Comodo along with CH will give me what I'm looking for. At least for a while. LOL. Take care.
  #155  
Old March 2nd, 2007, 12:00 PM
Chuck57 Chuck57 is offline
Very Frequent Poster
 
Join Date: Sep 2002
Location: New Mexico, USA
Posts: 1,358
Default Re: ProcessGuard - Is the free version strong enough?

Haven't changed my sig, since that would be a weekly event at the rate I'm going, but I have AVG antivirus and like it, AVG AS on demand and ASquared on demand, along with (today) appdefend and regdefend. Also of course, geswall for regular surfing and Powershadow for when I just want to play with some new thing for a while but not put it into the box.

My antivirus and 2 antispyware programs don't change. Everything else is an option.

So far, I like app/regdefend and have read what I can find about them. I haven't seen any accounts of anything getting past ghost security suite. They might stay for a while. My computer is noticeably faster with them on board.
__________________
"If guns are outlawed, only the government will have guns. Only the police, the secret police and the military.... Only the government - and the outlaws. I intend to be among the outlaws." - Edward Abbey
  #156  
Old March 3rd, 2007, 08:39 AM
LoneWolf LoneWolf is offline
Massive Poster
 
Join Date: Jan 2006
Posts: 3,133
Default Re: ProcessGuard - Is the free version strong enough?

Having recently tried Process Guard Free, I'm very happy I did. Very nice, too bad the company behind it has seemingly disappeared. Kinda wish I had purchased the full version long ago, would have liked to have the extra security. Maybe they will reappear, or OA2 will someday be released and I'll try that.
__________________
May you fly straight to heaven - but if you go to Hades - may Lethe run with Guinness
  #157  
Old March 13th, 2007, 12:59 AM
Peter2150 Peter2150 is offline
Global Moderator
 
Join Date: Sep 2003
Posts: 11,806
Default Re: ProcessGuard - Is the free version strong enough?

Quote:
Originally Posted by travellinman
Having recently tried Process Guard Free, I'm very happy I did. Very nice, too bad the company behind it has seemingly disappeared. Kinda wish I had purchased the full version long ago, would have liked to have the extra security. Maybe they will reappear, or OA2 will someday be released and I'll try that.

Have you tried the prerelease build of OA2? There is a thread about it down a bit.
  #158  
Old March 13th, 2007, 05:03 AM
tayres
 
Posts: n/a
Default Re: ProcessGuard - Is the free version strong enough?

Quote:
Originally Posted by Chuck57
I haven't seen any accounts of anything getting past ghost security suite.

Here's one that terminated both PG and GSS:

http://www.wilderssecurity.com/showt...342#post848342
  #159  
Old March 13th, 2007, 05:21 AM
EASTER.2010
 
Posts: n/a
Default Re: ProcessGuard - Is the free version strong enough?

Quote:
Originally Posted by travellinman
Having recently tried Process Guard Free, I'm very happy I did. Very nice, too bad the company behind it has seemingly disappeared. Kinda wish I had purchased the full version long ago, would have liked to have the extra security. Maybe they will reappear, or OA2 will someday be released and I'll try that.

I agree 100% with those sentiments travellinman. I think they are in Minnesota USA and if I can reach them by phone sometime I'd like to find out for us. I'm one of those that had no idea it was that effective and now I do wish I could have got the full version because the partial free is really good IMO. Maybe we'll get lucky, right?
  #160  
Old March 13th, 2007, 01:23 PM
LoneWolf LoneWolf is offline
Massive Poster
 
Join Date: Jan 2006
Posts: 3,133
Default Re: ProcessGuard - Is the free version strong enough?

Quote:
Originally Posted by EASTER.2010
I agree 100% with those sentiments travellinman. I think they are in Minnesota USA and if I can reach them by phone sometime I'd like to find out for us. I'm one of those that had no idea it was that effective and now I do wish I could have got the full version because the partial free is really good IMO. Maybe we'll get lucky, right?

If you find something out please let me know. Still very interested in the full version.

From their website:
DiamondCS ...
Diamond Computer Systems Pty. Ltd. was established on December 15, 1986 in Perth, Western Australia.

Are you sure that they are in the US?
__________________
May you fly straight to heaven - but if you go to Hades - may Lethe run with Guinness

Last edited by LoneWolf : March 13th, 2007 at 01:44 PM.
  #161  
Old March 13th, 2007, 02:13 PM
fcukdat fcukdat is offline
Malware Researcher
 
Join Date: Feb 2005
Location: England,UK
Posts: 569
Default Re: ProcessGuard - Is the free version strong enough?

Quote:
Originally Posted by tayres
Here's one that terminated both PG and GSS:

http://www.wilderssecurity.com/showt...342#post848342

Oh brother, by chance do all of those tests (leaktest) rely on the end user giving consent to the test code to execute.... of course it does

Now show me code (tests) that terminates PG without needing to execute and you will have found something not yet found
__________________
Ade Gill
Malwarebytes Researcher
  #162  
Old March 13th, 2007, 03:09 PM
lucas1985 lucas1985 is offline
Global Moderator
 
Join Date: Nov 2006
Location: France, May 1968
Posts: 4,047
Default Re: ProcessGuard - Is the free version strong enough?

As fcukdat said, there are important differences between:
- Execution interception. This is what PG free does.
- Interception of suspicious behaviours (hooking, installing drivers, injecting code, reading/writing physical memory, etc) of code already loaded into memory. This is what leaktests try to prove.
__________________
"Pouvoir à l'Imagination. Power to the imagination. La imaginación al poder".

"Perfect is the enemy of good enough". Voltaire.
  #163  
Old March 13th, 2007, 04:16 PM
Peter2150 Peter2150 is offline
Global Moderator
 
Join Date: Sep 2003
Posts: 11,806
Default Re: ProcessGuard - Is the free version strong enough?

Quote:
Originally Posted by lucas1985
As fcukdat said, there are important differences between:
- Execution interception. This is what PG free does.
- Interception of suspicious behaviours (hooking, installing drivers, injecting code, reading/writing physical memory, etc) of code already loaded into memory. This is what leaktests try to prove.

Just curious how code gets loaded into memory if a process isn't allowed to execute. This is where I find the leak tests so stupid. I download and try them and the first thing I have to do is allow them to run. If I allow them, then I get to see if my firewall will pass John Q Leaky's latest invention, but if I don't allow them, no test.

Give me a leak test to try that doesn't have to run something on my system, and I'll be interested.
  #164  
Old March 13th, 2007, 04:30 PM
aigle aigle is offline
Incredibly Massive Poster
 
Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 10,412
Default Re: ProcessGuard - Is the free version strong enough?

Quote:
Originally Posted by Peter2150
Give me a leak test to try that doesn't have to run something on my system.

This is the way everything, including malware, works. Ur demand makes no sense. No execution, no malicious action on ur system - OK.
But remember, no execution - no legit action as well.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
  #165  
Old March 13th, 2007, 04:33 PM
lucas1985 lucas1985 is offline
Global Moderator
 
Join Date: Nov 2006
Location: France, May 1968
Posts: 4,047
Default Re: ProcessGuard - Is the free version strong enough?

Understanding Computer Infections I
Understanding Computer Infections II
Understanding Computer Infections III
__________________
"Pouvoir à l'Imagination. Power to the imagination. La imaginación al poder".

"Perfect is the enemy of good enough". Voltaire.
  #166  
Old March 13th, 2007, 06:37 PM
tayres
 
Posts: n/a
Default Re: ProcessGuard - Is the free version strong enough?

Quote:
Originally Posted by fcukdat
Oh brother, by chance do all of those tests (leaktest) rely on the end user giving consent to the test code to execute.... of course it does

Now show me code (tests) that terminates PG without needing to execute and you will have found something not yet found

I read Chuck57's statement to mean ANY way (it was read out of context, you're right).
  #167  
Old March 13th, 2007, 09:20 PM
Peter2150 Peter2150 is offline
Global Moderator
 
Join Date: Sep 2003
Posts: 11,806
Default Re: ProcessGuard - Is the free version strong enough?

Quote:
Originally Posted by aigle
This is the way everything, including malware, works. Ur demand makes no sense. No execution, no malicious action on ur system - OK.
But remember, no execution - no legit action as well.

Aigle you totally missed my point. OBVIOUSLY stuff has to execute to get anything done. My security software knows to let excel run, but when it prompts me for leaktest.exe, I just block it. Then it can't leak period. So my point was give me a leak test, that doesn't have to run something I can't block.
  #168  
Old March 14th, 2007, 12:29 AM
aigle aigle is offline
Incredibly Massive Poster
 
Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 10,412
Default Re: ProcessGuard - Is the free version strong enough?

I do understand that, but people who get infected of course let the malware run either unknowingly or by mistake.
So take my comment in the context of an ordinary user, not a person who is security conscious and is using HIPS.
Ur point is exactly right but not valid for ordinary users, I think.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
  #169  
Old March 14th, 2007, 10:24 AM
Paranoid2000 Paranoid2000 is offline
Security Expert
 
Join Date: May 2004
Location: North West, United Kingdom
Posts: 2,839
Default Re: ProcessGuard - Is the free version strong enough?

There are two methods for code to execute without triggering a PG prompt:
  • Using existing permissions - this applies for "programs that run programs" like rundll32, cmd.exe or javaw.exe. If you have permanently allowed these (very likely for rundll32 for instance, since Windows uses it a lot), then any malware can use them as an infection vector without causing a PG popup. Software using child-parent permissions (e.g. SSM) is more resistant to this since the calling routine will likely be different in an attack but this is not a sure thing. The best countermeasure is being able to check parameters for the likes of rundll32 - SSM offers this as an option but users have to select it.
  • Buffer overflows - mainly a problem with programs that remain running in the background accepting network traffic. Corrupt data can cause a program with a buffer overflow vulnerability to execute instructions of the attacker's choosing, without starting a new process. In practice, many such attacks would try to start a command shell (a new process, which should trigger a check by PG/SSM - though this would mean cmd.exe which is quite likely to be allowed with PG for most users). Aside from this, neither PG nor SSM can protect against buffer overflows, but it should be stressed that these are mainly a problem with vulnerable software accepting incoming network traffic - with anything else, the user has to take an action for this attack to occur (e.g. visit a site, open a file, etc).

PG Free can be a useful addition for people not already running software that prompts on program execution - but it lacks the global protection features of the full version (the most important aspect of PG in my view). There are now better options to PG Free for controlling applications - whether users should switch to them depends on their risk level, experience and tolerance of popups.
  #170  
Old March 14th, 2007, 03:39 PM
aigle aigle is offline
Incredibly Massive Poster
 
Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 10,412
Default Re: ProcessGuard - Is the free version strong enough?

Quote:
Originally Posted by Paranoid2000
The best countermeasure is being able to check parameters for the likes of rundll32 - SSM offers this as an option but users have to select it.

Where is this option? Can u explain it a bit?
Is it present in free version as well?
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
  #171  
Old March 14th, 2007, 05:02 PM
Paranoid2000 Paranoid2000 is offline
Security Expert
 
Join Date: May 2004
Location: North West, United Kingdom
Posts: 2,839
Default Re: ProcessGuard - Is the free version strong enough?

When you receive an SSM prompt for something like cmd or rundll32, just check the "With these command line parameters" box - SSM will keep a note of the parameters and prompt whenever the program is called in future with different parameters - this example occurs when bringing up the Windows clock/calendar:

[Attached image: SSM-Prompt.png]

You can subsequently view (and alter) the allowed parameters via Preferences/Rules/Applications/<program name>/Process Control/Parameters:

[Attached images: SSM-Rules1.png, SSM-Rules2.png]
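
The difference between a permanent "allow this program" rule and a rule bound to command-line parameters (and to the calling program), as discussed in Paranoid2000's two posts above, shown as an added example that is not part of the thread and not SSM's or ProcessGuard's own code. The `Policy` and `ProcessStart` names, the `viewer.exe` caller and all paths and events are constructed for illustration.

```python
import ntpath
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessStart:
    parent: str  # image path of the calling process
    image: str   # image path of the program being started
    params: str  # command-line parameters passed to it

def norm_path(p):
    # Windows paths are case-insensitive: fold case and separators.
    return ntpath.normcase(ntpath.normpath(p.strip().strip('"')))

def norm_params(s):
    # Collapse whitespace only; any other difference must prompt again.
    return " ".join(s.split())

class Policy:
    """Illustrative allow-list (not SSM's or PG's real rule format)."""
    def __init__(self, use_params, use_parent=False):
        self.use_params, self.use_parent, self.rules = use_params, use_parent, set()
    def key(self, ev):
        k = (norm_path(ev.image),)
        k += (norm_params(ev.params),) if self.use_params else ()
        k += (norm_path(ev.parent),) if self.use_parent else ()
        return k

    def allow(self, ev):
        self.rules.add(self.key(ev))  # the user answered "allow" at the prompt

    def decide(self, ev):
        return "allow" if self.key(ev) in self.rules else "prompt"

# Constructed events, not captured logs. CLOCK is the launch the user approves once.
RUNDLL = r"C:\WINDOWS\system32\rundll32.exe"
VIEWER = r"C:\Program Files\ExampleApp\viewer.exe"  # hypothetical caller
CLOCK = ProcessStart(r"C:\WINDOWS\explorer.exe", RUNDLL, "shell32.dll,Control_RunDLL timedate.cpl")
EVENTS = {
    "clock, other case/spacing": ProcessStart(
        r"c:\windows\Explorer.EXE", RUNDLL.lower(), CLOCK.params.replace(" ", "   ")),
    "same parameters, other parent": ProcessStart(VIEWER, RUNDLL, CLOCK.params),
    "other DLL (placeholder)": ProcessStart(VIEWER, RUNDLL, r"C:\Temp\placeholder.dll,Entry"),
}

def compare():
    policies = {"image only": Policy(False), "image+params": Policy(True),
                "image+params+parent": Policy(True, True)}
    for p in policies.values():
        p.allow(CLOCK)
    return {name: {label: p.decide(ev) for label, ev in EVENTS.items()}
            for name, p in policies.items()}

if __name__ == "__main__":
    print(compare())
```

With the image-only rule every later rundll32 launch is allowed silently; binding the rule to parameters turns the unfamiliar DLL into a prompt, and adding the parent also flags the familiar parameters coming from an unexpected caller.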
  #172  
Old March 14th, 2007, 05:13 PM
aigle aigle is offline
Incredibly Massive Poster
 
Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 10,412
Default Re: ProcessGuard - Is the free version strong enough?

Thanks paranoid.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
  #173  
Old March 14th, 2007, 11:10 PM
Tarnak Tarnak is offline
Very Frequent Poster
 
Join Date: Feb 2007
Posts: 1,945
Default Re: ProcessGuard - Is the free version strong enough?

.....ditto. I ticked the box to enter the parameters. Thanks Paranoid2000
 
