About "TrojDemo.exe" from Trustware

In this thread , there seems to be mis-conception that PG allows "TrojDemo.exe" to "go right through".

It was pretty well-rebutted in that thread, but it caused me to wonder why people who actually use PG don't seem to be in the habit of always running their computer with PG in the "Locked" condition after having set it to "Block new and changed applications" condition except when they are purposely installing something.

As you can see from the screenshot, clicking on the "TrojDemo.exe" after I d/l'ed it (with PG in the state I described above) simply results in the "TrojDemo.exe" being stopped cold.

(One has to wonder why people bother to have programs like PG and decent firewalls if they're not going to utilize them correctly).

IMO, no "vulnerability test" where one has to purposely and knowingly DROP a defense or "Allow" something that one wouldn't normally allow is valid - period. Because it's not a "real environment" test.

IF PG had allowed anything at all to happen in the condition it was in when I clicked on that exe, then I'd say there was a problem.

As Blue said in that thread, even if you're not "cocked and locked" in PG and you click on the exe, PG flags it and if you "Deny" it - that's it - it doesn't run.

So, I'm failing to see any problem with the way PG handles this one - period. Pete

 

Hi Pete,

In answer to your question:

The reason I do not Lock my system with PG, is that there are still some programs that I want to allow to run some of the time, but I don't want to give them permission to run all of the time - e.g. rundll.exe. Therefore, I must leave it out of Lock condition.

If there is a way around this, I would be interested in knowing how others do it. As for the concerns about TrojDemo, I agree with your position. If a user gives permission, then the trojan will run. On my system, I have tried to set up backup lines of defense so that if I make one mistake, the other security programs (e.g. RegDefend) may trap it.

Rich

 

That doubting thomas would be me

Should I be offended?

And what about people who have JUST installed PG?

Hmm... I just wanted to point out that PG didn't pick up the attack.. that's all
I personally don't use PG, but I've seen it in operation. I really don't suppose that a user with limited knowledge and time would spend a lot of time with his security apps once he thinks that he's covered all the basics, and would hate to see alerts every time he started a NEW or UPDATED app [one reason I think why ZA and NPF/NIS seem to be selling like hotcakes - automatic rules *grumble*]
I think PG is a very good software, but these tests show that if a user hasn't set PG to go for "process execution", he's gonna be in trouble. I just hope that this will be looked at, however briefly, by the developers.
Once again, I have no intention of stirring up trouble . I just thought that I DO have an opinion, however irrelevant, and it should be interesting to see what other people feel about this.

Rgds.
you know who.

 

Hi no13,

If you are suggesting that PG needs to be made more user friendly in order to reduce the potential for inadvertent mistakes, I wholeheartedly agree. There is lots that can be done to reduce the learning-curve of the product and make it more accessible. Hopefully, DiamondCS will have the resources to do this in the future.

Rich

 

Really? I thought this was the case:

Not at all, since the remark wasn't directed at you.

What about them? It's got to be a "given" that someone using the program has to have started with a "clean" machine, that they've installed the program correctly, set it up correctly and made every possible effort to read/understand/apply all the info in the "Help" file, gone through the "Learning Mode" thing properly and that they have just the tiniest bit of common sense/inquisitiveness and caution when it comes to handling alerts.

Because no program is going to protect you to its' fullest extent if you don't do all of the above.

And it's quite apparent from that quote that one of us is mis-understanding that situation (which we're both getting second-hand, BTW - I think). If the person involved "Allowed" the test to run - which it seems quite clear they must have done, either purposely or due to a "Learning Mode" situation - then PG was simply following its' operators' wishes by letting it run. This is the key point here and I'm not sure why you're not "getting" it.

Which is also puzzling when you're making what appear to be statements of fact of what PG can and can't do based on second-hand information from someone else who does use it (especially when you make no reference to their skill-level or how PG was set up at the time).

Well, if they're not keeping up with their security apps (or not learning them well enough to start with before depending on them), then it's hardly PG's fault if something did manage to get through, now is it?

Trusted apps, when they update, aren't a problem - any time you run something "new", you should keep an eye on it for at least a short while to make sure of what's going on with it. You should also never grant more "privileges" to it than it actually needs to work effectively.

And, of course, it goes without saying that you want warning of something trying to run that you haven't consciously initiated yourself - that's why I run PG the way I do.

True and true.

The developer's might take a look at it. However, they've made the program the best they possibly could have up to this point without actually coming to a d/l'ers home and setting it up for them one-on-one. It is up to the user to deploy the program effectively, learn it, to keep up with new developments and to question, question, question when they're un-sure of something.

Yes, sir, you absolutely do have a right to an opinion. And it's certainly not irrelevant.

Keep 'em coming - that's how we all learn. Pete

 

Hi,

As perhaps some members have noticied it, the Trojan Demo from Trustware is one of my Test tool:

http://kareldjag.over-blog.com/

I've also tested it against Process Guard, but some verifications are necessary before publishing the result on my blog (i'll give the first links next week).
In all case, Trojan Demo is not an issue if you have already hardened Windows as possible as it could be.
As i said on my disclaimer, test tools are different from real malwares...

And yes Peter2150, it's often necessary to read the help files ...

Regards

 

After allowing the trojdemo through PG, I got one alert from PrevX, and hit 'deny'. Seemed to stop the test dead as nothing else happened after that.