Are PG Protection Statistics Misleading?

Discussion in 'ProcessGuard' started by worldcitizen, Aug 31, 2005.

Thread Status:
Not open for further replies.
  1. passing thru

    passing thru Guest

    As a compromise (in the signature debate), why not give PG some AV integration feature. Something like an option to "Block execution and send to AV for analysis". The default AV would be specified in PG's basic settings. E-mail clients like The Bat! and PocoMail use AV integration for inbox protection.
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    An interesting idea (and one that System Safety Monitor offers) but in practice, most AV background scanners will check every file when you execute it anyway - so this option would only be really useful for those running multiple on-demand scanners.
     
  3. passing thru

    passing thru Guest

    Good point. It would also be useful for those, like me, who chose not to run AVs in the background.
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    instead of AV integration, a database would be a better option but as mentioned previously it would take constant updating and maintenance. for now i guess a clear button for PG's statistics would suffice.
     
  5. pollmaster2

    pollmaster2 Guest

    Thank you, oh great beta tester of a thousand security products, I didn't know how to do this already. :)
    I don't need to tell you that the exe name doesn't tell you a thing , since it can be easily renamed. Or do you recommend we start looking at the md5 hash??

    As for the old tired analogy about driving and licenses, if I had equivalent skill with driving as with computers, I would probably be designing and building my own cars by now :)

    Personally, I don't think what you do with regards to this is important. You could go the other way and run only signature-based scanners and you would still be fine. When you have only a one in a million chance of getting hit, it's hard to figure out what works, since 999,999,999 times your defense isn't tested.

    The fact that you prefer "intrusion prevention" doesn't by any chance have to do with the fact that you are a "beta tester" of PG, RD, Safensec, online armor, are you?
     
  6. pollmaster2

    pollmaster2 Guest

    Comparing PG and KAV is like comparing apples and pears of course, unless PG has an antivirus component?
     
  7. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Take that quote along to the more professionally trained PC security experts and they'll die laughing! Security software, because it is supposed to protect our PCs from infiltrators and criminals, must itself above all be accountable and be able to produce, in real terms, records of its having protected the user's PC.

    If money is being invested in this software by end users they have the right to know what it's actually doing for them other than a 'don't worry mate, I'm protecting you'. Verification is important and PG's verification system ('your computer has been protected from 1,000 attacks', blah blah) is laughing in our faces.

    Does anyone really believe that PG has protected them from '389 attacks' as in my case so far o_O? This is a corporate plug for the product to IMPRESS the naive. If you'd been attacked 389 times you'd know and already be formatting your hard drive. It's a joke and treating us like fools, assuming us to be gullible enough to even put it there in the 1st place. It's an insult because it's a lie.

    Some of you may have even been protected thousands of times by PG - REALLY o_O It's just a lot of hype that is there for those who like to believe in such things. What I want to know is when does PG do its protecting, not when I open or install a program.

    PG may very well turn out not to be so pro-active and the counter is just there to make it look that way but in fact it may very well be just another TDS 3 or TDS 4 where your AV is basically doing the job and the counter is just there to make it LOOK as though PG picked up 389 attacks that your AV did not - an absolute mockery and outrageous joke!!

    So PG has protected me from 389 attacks that Kaspersky Pro 5 MISSED o_O? Ha! Ha! Ha! Someone want to try and pull my other leg?? The counter is being flaunted and used to JUSTIFY PG's very existence, as PG is just as much under scrutiny as TDS 3/TDS 4 because our AV is doing all the protecting. So either Kaspersky is terrible at detection or PG is just simply grossly misleading users with the counter stats in order to make it appear pro-active when in very fact your AV, as in the case of TDS 3/4, is doing the job nicely.

    The counter is to drum up business and is a total and complete lie because it cannot substantiate its claims. It only gives a number and that could have been me installing, uninstalling and opening programs, so I buy PG to tell me I'm opening, uninstalling, installing programs o_O C'mon, if AVs at least try to be accountable then I expect PG to do the same because it's making claims of protecting users from thousands of attacks NONE of which can be verified.

    With a firewall I can find the name of the virus or malware and look it up on the internet and research it, but with PG the watchword is to 'trust me without question or verification or accountability'. Fortunately there are some here who use their brain and realise that all this hype of PG protecting us from so many hundreds of 'attacks' that our AV has missed is absolutely ludicrous and complete nonsense. What were those 389 attacks that Kaspersky Pro missed o_O I want to know, because if my AV is so bad I then must either inform Kaspersky of missing so many attacks or only use PG if the attacks read right, but they are just a nonsensical figure comprised of the user opening and installing programs, which is pathetic for security software.
    Dave
     
    Last edited: Sep 3, 2005
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Surely you do not really believe that Dave :doubt: There is one thing to question what is the meaning of PG's attack count....it's a whole different ballgame when someone of your caliber attempts to make false and outlandish comments such as the dribble above. What is it you are really after Dave....the answer....or a soap box to express your displeasure with DCS :doubt:
     
  9. ---

    --- Guest

    Rather than just pull one sentence out of context, I would say that as a whole Dave makes a lot of sense.

    A lot of his argument could be leveled to a lesser degree against other similar products of course, but this is a PG forum, so obviously it has to be about PG.
     
  10. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    PG logs contain a 'dump' of actions taken, such as allowed, blocked from ....., etc. and look like the following:
    Sat 03 - 08:02:51 [EXECUTION] "c:\winnt\hh.exe" was blocked from running
    [EXECUTION] Started by "c:\appssoft\security\dcs\pg\procguard.exe" [1516]
    [EXECUTION] Commandline - [ "c:\winnt\hh.exe" c:\appssoft\security\dcs\pg\procguard.chm ]
    There are 3 lines per action, only one has the action description, in this case
    "blocked from running". It's possible to use "Find" to find these, but the text is, IMHO, formatted incorrectly and further, would be better distributed into two separate log files, Allowed and Blocked. The action should be towards the left and in each line, with a blank line between the sets of 3, to make reading by lowly mortals a bit easier.
    I saw that PG has protected me from 134 'bad things'. However, when I looked at my logs, there was a lot of repetition. So it would make sense to have a Summary log as well, where I could see that I had been protected from accessing PG's own Help file 7 times, so I could relax my security a little bit.

    PG does provide logs, but they're sloppily conceived and executed at their current degree of development.

    JWC
     
  11. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Bubba, I'm not here to slander DCS.

    I personally believe having a counter that says my PC has been protected 389 times is ridiculous because if my AV is not detecting them then just how 'serious' in fact are they? (389 attacks)

    I do want to be able to 'see PG in action' cleaning up some real bugs, but all I can get access to is its counter as well as logs telling me which programs I opened and closed, and that doesn't really tell me a lot about any real malware that got swiped by PG, if any.

    It's just so unfair to come here and be honest and frank about something I feel is not good about PG and then be accused of setting up a soap box to slander DCS etc etc. Why? The issue here for me is the attack counter NOT whether DCS is a credible company or not so why twist it that way? I said the 'counter is a lie' NOT DCS so please don't misrepresent or misconstrue my statements because there's absolutely NO malicious intent at all. But criticism of the PG attack counter - yes indeed!

    PG's attack counter needs to have a proper log where a proper description of what kind of attack took place is listed for the counter to have any credibility, because none of these 389 attacks were mentioned by my AV and I would want to know then if that was because they weren't in fact real attacks (just me opening and installing programs) or that they were real but my AV didn't detect them. Then I would be able to see where PG is doing its work of complementing my AV.

    But so far how do I know that this is not just another product that is sitting in my tray doing nothing while my AV is picking up all the real attacks. In other words as a user I want to know PG is protecting and not just be told to 'trust it' or with a counter. Trust without verification is not science. Everything scientific MUST be verified. Blind belief and imitation are superstition.

    In all honesty, since I have had PG for over a 1 I have never ever come across any 'indication' that I was saved from anything dangerous. All it will ever tell me is 300 or 600 attacks but not specify exactly what happened so am I to just believe these stats blindly?? I am hoping to find out exactly what PG has done for me that my AV hasn't and if the difference is negligible then I would have to question having it installed.

    The issue here is NOT DCS, so please don't MISCONSTRUE that I'm having a go at them when I'm not; clearly the issue for me is what attacks PG is intercepting. I'm not interested in them (DCS) but I am interested in whether PG is actually protecting me or not and whether its claims to have protected me from so many attacks are verifiable, and if not, what if my AV, like with TDS 3, is doing all the work and PG is just there for show?

    So please be open minded and do not harshly judge and interpret everyone who is critical as a DCS slanderer with a bone to pick which I am not. Is my AV doing all the work with only the PG counter as a sign that PG may be protecting me? I don't know because I can't verify what the counter's attacks are referring to so I'm after a real answer.

    Dave
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Dave

    I am afraid I have to agree with Bubba. Your argument isn't rational in that Process Guard or any of the new similar products aren't designed to tell you the "What" but simply to protect you from some unauthorized action, and alert you to what is happening. I would grant you the choice of the word attack might be misleading, and having the counter at all is probably unnecessary, but other than that Process Guard IS doing the job intended. You can test that for yourself and I think you know that.

    Pete
     
  13. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    The counts seem inaccurate as well, the PG Alerts screen shows 154 attacks, however, when I count them in the log file I find:
    143 Blocked from running (many the same programs)
    29 Blocked from terminating, which adds up to
    172, which, to belabor a point, is not the 154 shown by PG.
    I wouldn't mind as much if one of the counts tied, such as Blocked from running, but then that would indicate that Block from terminating wasn't considered an attack.
    The counts should add up to the total, the total should be the sum of the pieces. Whichever way you look at it, they aren't and that means the program isn't correct.
     
  14. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Dave,

    I'll let Bubba speak for himself, but my reaction was similar. Frankly, the language you chose to use in the post in question is inflammatory. You may not think so, but it is the perception of the reader that matters.

    As to the technical point you make, these so-called attacks are alerts. Alerts with respect to operations which have not been expressly allowed by PG. I view them as analogous to a communications firewall log, except that they refer to application execution and activity. Should they employ alternate terminology? If you feel strongly about it, suggest it to the vendor and don't weigh down your position with as much hyped baggage as you seem to feel exists in the product.

    As to whether PG is a suitable addition to your PC, it is the final defense with respect to internal PC operations. If you are seeing a lot of activity, it would be due to your AV not recognizing a new threat (which is possible) or it is simply that you are not using a terribly effective AV.

    I have already noted that many users appear to want to see defensive activity from every piece of security software that they have installed. That if it is not throwing up alerts left and right, it is either useless or nonfunctional. I really question this perspective. As I have already mentioned in another post somewhere on the site, if you are seeing frequent activity in any given layer of your setup, that implies that it is a primary measure, not a backup measure. To me, something like PG should be considered pure backup. In my estimation, you should see vanishingly little truly protective activity from PG. I realize that begs the question of how one would know that the backup layer will function as needed when it is required - well, that does come in part from the alerts you are seeing and lamenting now.

    Blue
     
  15. dboley

    dboley Registered Member

    Joined:
    Aug 21, 2005
    Posts:
    10
    My "humble" opinion is that the "counter" just was not properly implemented. From reading posts from the company representatives I conclude that they are very good programmers but not that market savvy. I would place the "counter" in a dumb mistake category.

    I have to say that given the array of claims by various programs, with degrees and types of protection, it does not make sense to believe any of them. This is especially true since some are actually crooks hiding stuff in their so-called security programs. So, as some said, you simply cannot rely on any claims at face-value, PG included.

    There is a personal caveat for ME. I have the "feeling" that the owners of Process Guard MAY be honest. As I said, they do not appear to be (1) as market oriented as many others. (2) The structure of their advert material and comments on the forum show a limited marketing skill. So I conclude that they ain't crooks. Would I indemnify them from liability for someone losing their bank account and their identity? Absolutely not. First, for me they are an off-shore company (for me) and my legal recourses are limited. Second, their financial asset & cash position would probably be of little help even if I could have a successful recovery. Right now, for me, it is close to blind trust unless I take a clean PC and test Process Guard in a pristine setting. Not a very rational thing to do unless you are a hobbyist who enjoys playing with security on PCs.

    Microsoft MAY develop their AntiSpyware program to a degree that it is a do-all program that is sufficient for the home user. There is a belief today that it will block some unknown type of intrusions. I desire, in the strongest terms, a product from Microsoft to be as comprehensive as necessary to protect me from problems. The size and longevity of Microsoft insures continual updates/reactions to new forms of attack. I worked on operating systems and I understand that you DO NOT MESS WITH THEM. I DO NOT want Microsoft to put security in the operating system. The requirements are too fluid. A free, outside of the OS product, is the best approach.

    Now, I am sure that those who read 10 words and fly into a rage are already composing lurid responses.

    We do need other programs as well. Why? Nothing is perfect. Microsoft is not the most nimble company. They are also not gods in command of all knowledge. The slime intruders demonstrate that daily. Process Guard, or some program like it, in my opinion, is needed to supplement any security program. If Microsoft improves AntiSpyware will all of their customers need Process Guard - maybe not. Not everyone runs financial data on their PC. However, if you do use your PC for "serious" activities I would recommend a Process Guard like program as a must. Full trust in Microsoft is like using only one simple 4 character password for all of your secure programs/activities. Once again, Process Guard is on the right track. The owners "seem" honest. However, they could get into a fight and the product can disappear over night! Or, what if Microsoft recognized their worth and bought them? You can bet a lot of money that has crossed the minds of the owners and investors in the company. Independence and flexibility are now lost and the worth of the program diminished.

    There are many things to think about beyond the rabid technical discussions. People who use their PC for serious functions need to look at security in the same light as an insurance policy. If you are just a hobbyist then have fun.

    Dick
     
  16. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I'm not misconstruing anything Dave....I'm simply reading your post and stand by what I stated.
    Then reset your counter....observe the log for a reasonable amount of time and bring that info into the discussion. We all then can chew on your findings and attempt to get to the bottom of what We as users feel DCS has in mind in regards to what their Attack count numbers possibly mean. All the other rhetoric does nothing in your quest for the answer you seek.....Are PG Protection Statistics Misleading?

    Of course this discussion could be somewhat more beneficial if a DCS rep would actually explain their methodology behind their Attack count numbers.
     
  17. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    It took a bit of reformatting, but here's what I've been protected from, msohelp is the biggest offender:
    count = 2 blocked from accessing physical memory c:\appssoft\security\ssd\spybotsd.exe
    count = 15 blocked from running c:\program files\java\j2re1.4.2_06\bin\jusched.exe
    count = 2 blocked from running c:\winnt\hh.exe
    count = 1 blocked from running c:\winnt\system32\winhlp32.exe
    count = 124 blocked from running f:\appssoft\msoffice\office\1033\msohelp.exe
    count = 26 blocked from terminating c:\winnt\system32\cidaemon.exe by c:\winnt\system32\cisvc.exe
    count = 3 blocked from terminating c:\winnt\system32\spoolsv.exe by c:\winnt\system32\services.exe
    count = 8 Tried to modify an existing driver/service named vsdatant by c:\winnt\system32\winlogon.exe

    I know that this happened because I set the check for Block new/changed applications. The meaning really is "Block without asking" other wise pop up the prompt to allow or block.

    I've removed the check by the way so that I can see what's 'attacking' me.
     
  18. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    Bubba, Most users won't want to reset the counter unless there's a button on the PG Alerts page. I can't remember where I saw the 'tip', but I think that this requires a Registry change.
    The key is:
    HKEY_LOCAL_MACHINE\SOFTWARE\Diamond Computer Systems\ProcessGuard v3.0
    and the specific value name is AlertCount
    and mine still says 154.

    Jim
     
  19. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I don't know about the word most....but many users do choose to reset program counters....whether it be a Firewall (ZoneAlarm), AV (Nod), browser Toolbar pop-up counts....etc. I can understand your and others' apprehension, Jim, for not dabbling in the registry....but in the end it's one large .ini file that can be easily\safely modified.

    Yes....it would be very useful for those users if programs such as PG had a reset counter button.
     
  20. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    And some more statistics, PG has protected me from TDS-3
    Sat 03 - 10:56:21 [EXECUTION] "f:\appssoft\security\neotracepro\neotrace.exe" was allowed to run
    Sat 03 - 10:57:09 [EXECUTION] "c:\appssoft\security\dcs\tds\tds-3.exe" was allowed to run
    Sat 03 - 10:57:09 [TERMINATE] c:\appssoft\security\dcs\tds\tds-3.exe was blocked from terminating f:\appssoft\security\neotracepro\neotrace.exe
    Sat 03 - 10:57:33 [TERMINATE] c:\appssoft\security\dcs\tds\tds-3.exe was blocked from terminating f:\appssoft\security\neotracepro\neotrace.exe
    and my counter now shows 156 (up by 2)
    Jim
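    The reconciliation Jim does by hand in posts 10, 13, 17 and 20 (group the log by verdict and program, count each group, add up the blocked entries and compare the sum with the AlertCount value from post 18) can be scripted. The block below is an added example written for this thread, not code from DCS or ProcessGuard. It assumes the log layout quoted above: an event line starting with a timestamp, EXECUTION events followed by two detail lines ("Started by", "Commandline") that carry no verdict, and TERMINATE events on a single line. The sample log is constructed from the lines quoted in the thread plus invented "Started by" details; the AlertCount passed to reconcile() is a stand-in for the registry value, which this script does not read.

```python
"""Summarise a ProcessGuard-style log and compare it with the alert counter.

Added example, not ProcessGuard's own code. The line formats are taken from
the log excerpts quoted in this thread; everything else is an assumption.
"""
import re
from collections import Counter

# Constructed sample log. The first, third, fourth and fifth events are quoted
# in the thread; the second event and the "Started by" details are invented.
SAMPLE_LOG = r'''Sat 03 - 08:02:51 [EXECUTION] "c:\winnt\hh.exe" was blocked from running
[EXECUTION] Started by "c:\appssoft\security\dcs\pg\procguard.exe" [1516]
[EXECUTION] Commandline - [ "c:\winnt\hh.exe" c:\appssoft\security\dcs\pg\procguard.chm ]
Sat 03 - 08:05:40 [EXECUTION] "c:\winnt\hh.exe" was blocked from running
[EXECUTION] Started by "c:\appssoft\security\dcs\pg\procguard.exe" [1516]
[EXECUTION] Commandline - [ "c:\winnt\hh.exe" c:\appssoft\security\dcs\pg\procguard.chm ]
Sat 03 - 10:56:21 [EXECUTION] "f:\appssoft\security\neotracepro\neotrace.exe" was allowed to run
[EXECUTION] Started by "c:\winnt\explorer.exe" [1204]
[EXECUTION] Commandline - [ "f:\appssoft\security\neotracepro\neotrace.exe" ]
Sat 03 - 10:57:09 [TERMINATE] c:\appssoft\security\dcs\tds\tds-3.exe was blocked from terminating f:\appssoft\security\neotracepro\neotrace.exe
Sat 03 - 10:57:33 [TERMINATE] c:\appssoft\security\dcs\tds\tds-3.exe was blocked from terminating f:\appssoft\security\neotracepro\neotrace.exe
'''

# Only lines that begin with a timestamp are events; the two EXECUTION detail
# lines start with "[EXECUTION]" and are skipped by parse_events().
EVENT_RE = re.compile(r'^(?P<when>\w{3} \d{2} - \d{2}:\d{2}:\d{2}) \[(?P<kind>[A-Z]+)\] (?P<rest>.*)$')
EXEC_RE = re.compile(r'^"(?P<prog>[^"]+)" was (?P<verdict>blocked from running|allowed to run)$')
TERM_RE = re.compile(r'^(?P<actor>\S+) was (?P<verdict>blocked from terminating) (?P<target>\S+)$')


def parse_events(text):
    """Return one dict per event line: when, kind, verdict and subject."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # detail line, or something that is not an event
        when, kind, rest = m.group('when'), m.group('kind'), m.group('rest')
        e = EXEC_RE.match(rest)
        if e:
            events.append({'when': when, 'kind': kind,
                           'verdict': e.group('verdict'), 'subject': e.group('prog')})
            continue
        t = TERM_RE.match(rest)
        if t:
            # Same "target by actor" wording Jim used in his summary
            events.append({'when': when, 'kind': kind, 'verdict': t.group('verdict'),
                           'subject': f"{t.group('target')} by {t.group('actor')}"})
            continue
        # Unknown wording: keep the whole text so nothing is silently dropped
        events.append({'when': when, 'kind': kind, 'verdict': 'other', 'subject': rest})
    return events


def summarize(events):
    """Count events per (verdict, subject) pair, like the 'count = N ...' list."""
    return Counter((ev['verdict'], ev['subject']) for ev in events)


def format_summary(summary):
    """Render the summary in the same one-line-per-group shape as post 17."""
    return "\n".join(f"count = {n} {verdict} {subject}"
                     for (verdict, subject), n in sorted(summary.items()))


def blocked_count(events):
    """Number of events PG actually blocked (allowed runs are not 'attacks')."""
    return sum(1 for ev in events if ev['verdict'].startswith('blocked'))


def reconcile(events, alert_count):
    """Compare blocked log entries with the counter value read from the registry."""
    blocked = blocked_count(events)
    return {'log_blocked': blocked, 'alert_count': alert_count,
            'difference': blocked - alert_count}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(format_summary(summarize(evs)))
    # 3 stands in for the AlertCount registry value; on a real system read it
    # from the key given in post 18 and pass it here.
    print(reconcile(evs, alert_count=3))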

     
  21. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    Bubba, it should be mandatory, not just "very useful". And so should the logs be formatted for the visually impaired, and categorized and summarized to provide meaningfull and easy to use information that would help someone adjust other settings in other applications to eliminate some of the logging. I don't expect to see any response from DCS on this right now because it's 11:11 p.m. in Australia, but maybe tomorrow...
    Jim
     
  22. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Basically more information about attacks would be more useful than just a counter because in my mind me opening a program doesn't constitute an attack by malware which is what I bought PG to protect me from and it would greatly help to see just what malware is being detected and stopped by PG instead of just a counter. With the counter you have to allow for the user initiated actions which caused alerts and try and weed them out from what were real attacks by malware. Firewalls and AV do have this system and give you decent info so I think PG should also have some better feature to show how effective it is.

    Dave
     
  23. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    In the Introduction of the PG help file there is a heading called Main uses...

    The first bullet point is "Securing processes from being attacked (terminated, suspended, modified)"

    From this statement, I believe that DCS define an attack as a termination, suspension or modification of a process.

    I believe that the protection Statistics are a count of the number of times an attack (as defined above) has occurred.

    I do not find the Protection Statistics misleading in the slightest.
     
  24. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    SpikeyB, the counts don't reflect the log entries, hence the term "misleading" is appropriate. Just check your logs and compare.

    Jim
     
  25. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    I'm not saying it doesn't do its job I'm just asking if there isn't a way of verifying it other than going by users assurances. There is a difference when AV's pass tests and a realtime situation and only the real time situation is proof that they are doing their job and there is no way of telling that with PG.

    'It's doing it's job' It's fine' 'Trust it' etc

    It's so strange that on a forum which basically picks to pieces security programs and tests and verifies almost every piece of security software out there that I'm told that PG is 'doing it's job' and to rely solely on a simulated test. How do we evaluate in realtime that it's doing it's job as opposed to a simulated test?

    Dave
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.