Insight in how best to make PG work

Diamond CS and anyone considering buying Process Guard,

Diamond CS (DSC) may have a great product with Process Guard 3.0 (PG) but my experience does not bare that out to be the case for me. Those considering the purchase of Process Guard might will consider their level of understanding with regard to security in general and the processes that the Windows Operating System (OS) uses and processes used by the applications on their system. Unless your already OS, app & security savy and then unless you are ready for a long learning curve as it relates to PG, you might reconsider that purchase. I only have my experience to serve as your guide and will share it with you now, so you will be able to avoid a mistake I have apparently made.

Now I can not knock the service that is touted by DCS to be delivered by PG, but you the user are going to have to have a high level of understanding to be able to set up PG so that it is capable of delivering that service. You are not going to be able to just install PG and go on about your business while it delivers its service to you. You are going to have to set it up to deliver its service to you. If you don’t know what you are doing in setting it up, the protector may become a bigger pain in the behind than what you are trying to avoid with the service it is suppose to deliver to you.

I was not having problems with my system before I bought PG. But I bought it. It instructions says that it is best to reinstall the OS and start fresh with PG on the system. Well that was not even an option for me. I would have to be forced to reinstall my system considering the time that would be involved to reinstall the OS, all the apps and set everything back to the way it was before the reinstall. Most likely it would never be the way it was. So to that, the answer was NO, no reinstall. PG would have to go before I would reinstall. That is because PG would then become way too expensive in time for me. I would have to let some of the stuff that it is suppose to save me from to force that reinstall. So with the decision not to reinstall, I installed PG onto my system. Bad mistake! Cause that mistake cost me the time used to make the reinstall that I wanted to avoid.

I have only had PG for a little over a week, but that short time has really run the cost of PG up to a great excess, in time lost to the reinstall task (that is not complete yet). And here I am writing this, mounting its cost even higher.

After the first install of PG all seemed to be going fine (that was with PG2 only one day). But then PG3 was released, so I uninstalled PG2 and installed PG3. Before I installed PG3. I thought I would uninstall Zone Alarm (ZA), Port Explorer (PE), AOL Instant Messenger, Windows Instant Messenger, as well as other programs used for the Internet. After installing PG3 I reinstalled all of those programs. With PG3 too, all seemed to be ok, ever now and then it would ask me to allow or deny something. I did not have a clue for what an appropriate response would be for those alerts. Sometime I would answer allow and sometimes deny depending on, if I had just taken some action on the computer. But really, I might as well have been flipping a coin to decide, with head giving an allow and tails giving a deny, for what I knew about it. After a while something froze up and I started Task Manager (TM) to close down the problem. But TM would not shut it down. So I thought I would restart the system. I clicked on Restart in the Start Menu and then Restart. The restart box went away but it didn’t start to shut down. I tried several times before giving up and doing a hard power shutdown. I did not know it but I was going into melt down right then.

When I pressed the power button to restart the computer it started going through the BIOS info on the screen then all of a sudden the blue screen of death came up. There was to much on the screen to read for the time it was up, but said something to the effect that the computer was being shut down to protect it. The blue screen went away and it started over with its boot. I went into Safe Mode and tried to uninstall PG3. When I finished and rebooted in normal mode it came up. But Internet Explorer (IE) wouldn’t work, but my Instant Messengers would work. My e-mail wouldn’t work. So, I was cut off from making contact with DSC about my problems. I next tried to do a system Restore to a time before the install of PG, but when the system tried to reboot to the restore point, the shut down hung again. To recover I had to do a hard power down again. It was all over then. It kept wanting to boot into Safe Mode.

So I thought, guess I am going to have to reinstall my system, cause I can’t use it like this. Then I though I might as well use this problem to my advantage by upgrading my hardware, and get a faster processor than my 1.6 ghz one, since I am going to have to reinstall. I couldn’t get the new motherboard and processor installed for a couple of days. Once the new hardware and OS were reinstalled I thought I would install all the Internet programs with the cable modem disconnected and the main programs I needed before I installed PG. So I did that and put PG in learning mode and then started all the programs I had installed. I reconnected the cable modem and everything seemed great. I even got the confidence to continue with my program installations and all seemed well. Later in the evening I was reading an article on the Internet, when all of a sudden an alert popped up from PG to allow or deny an exe file to run. Since I wasn’t doing anything to cause a program to start running I clicked deny and then another alert popped up and I denied it too. A bit later I shut down the computer to get ready for bed. I was preparing for bed when I remembered something I had forgot to do before shutting down. I turn the power on and it started to boot, but then the blue screen of death came up, and my heart sank, the blue screen disappeared and it started to reboot again. I did not go into Safe Mode, but let it continue to try to load Windows. It got to the first XP splash screen then went blue again and started another reboot. I let it go again, and this time it got past the first splash screen and got to the Welcome screen before the blue screen popped up again. With that one I said enough is enough and then went to Safe Mode and uninstalled PG. I then rebooted and it has been running fine for two days now, without PG installed.

I wanted the program or I wouldn’t have bought it. Although, the bottom line is I expect it to work without all this grief I have experienced with its use.

If I can get some insight on what I am doing wrong, I might give it one more try if someone can explain how I am to handle those pop-up alerts correctly. But I can tell you all this, I am very, very gun shy with PG now.

Any advice I can understand and use for resolving my problems with PG will be greatly appreciated.

Here’s hopin’,
John

Oh, PS:
Diamond CS, I have uninstalled McAfee from my computer and hope not to use them again. I would appreciate a referral of the anti-virus program your company uses.

 

Hey John,

I have taken the liberty to split your post into it's own thread. I feel it is important for others to read and to also give you a better chance of attempting to get PG to work for you via your own thread.

Good Luck

 

I have the attention span of a piece of cheese so I couldnt read your message but.....just keep PG in learning mode until you launch EVERY ONE OF YOUR PROGRAMS...it will cause you less problems.

I have McAfee AV....think its agreat program. Never let me down and very unobtrusive. That, BoClean, PG and AdAware.

 

The alerts are quite simple to follow once you understand a few things. Firstly not all alerts are malicious in nature, if the application wanting access is a trusted program you installed, then by all means give it that access. However if you have no idea about what an application is and it is requesting access then that is when you might need to do some research on the application in question.

For instance if I see an alert like this "smss.exe tried to terminate csrss.exe" I know that I should allow it, however if I see something like "1a2b3456.exe tried to modify iexplore.exe" I know something fishy is going on. Even if you are a total beginner, eventually after using ProcessGuard on your system for a little while you will get used to the good applications you run and use on the system and will notice something odd which sticks out fairly easily.

ProcessGuard isn't some "set and forget" tool, even if for the most part it can be used like that. It does require some thinking every now and then. I do agree that if you want a "set and forget" tool and don't want to learn a little bit about your system ProcessGuard is definately not the application for you. Then again, no "set and forget" tool will ever be as good as ProcessGuard at detecting unknown malware.

 

Johnniee: when that happens and it's a process you don't know, you should look it up in Google to check that it's safe. Sorry to hear you're having such problems. It might have been an idea to use the free trial version first, to find out whether it's for you or not. But my advice is to do a little learning and stick with PG - it really is an excellent app.

 

i don't think that using/setting up pg3 is that complicated.. true, we may not know the best way to tweak all of the settings, but still, using pg3 is not difficult.. just use the default settings and allow whatever priviledges legitimate programs need (when you are alerted to them by pg).. that is what i do.. the only thing that concerns me is to have my antivirus program functioning properly, to not have pg interfere with that..

incidentally, i never use "secure message handling"..

 

I would first like to thank each of you who have responded so quickly to my post for you contributions of information or action to aid me with the resolution of my Process Guard problems. Thanks Bubba for setting this up for me as its own thread, as it seems to have resulted in a much quicker response than I had expected.

It seems that all are advising me to let PG learn all my programs. I got PG for one reason only that was to protect those programs that serve me for security, as firewall, anti-virus, port explorer, pest patrol, etc Those programs being protected are suppose to protect all the other programs, that is as I understand it. Logic says, once those security programs have been protected by PG all the other programs I have on my system need no protection from PG, as they are being protected by the security programs that PG is protecting.. Help me out if I have a misconception.

Jason, you have advised me about the alerts that are requiring an allow, or deny user input. That advise, as I see it, is at the heart of my problems with PG. I feel that my inappropriate answer to those questions is largely responsible for my problems. It could be that Kegel has supplied a part of the answer that would resolve many of my problems along this line by "just keep PG in learning mode until you launch EVERY ONE OF YOUR PROGRAMS." For if I did that I might not get as many of the alerts. In any case, I am pretty sure I would still get them. As you give as example, Jason, the "smss.exe" and "csrss.exe" alert. I do understand those executable files to be processes that are apart of the Windows OS. I do not know how those processes function, but I am sure the guys that wrote the code for Process Guard have an in depth understanding of both processes. Those guys knew that the Windows OS would be using those processes for and what those processes are suppose to do. I would think with that understanding PG would have been coded to automatically accept everything they did that is within the normal operating perimeters of those processes. Therefore, if PG is coming to me, the user, (who certainly doesn't know as much as the programmer who wrote PG) to ask my opinion on what to do with the handling of this process, that says to me this process is doing something outside its normal and acceptable perimeters. With that viewpoint in mind, I am biased against those processes carrying out whatever action is being attempted. So, obviously they are going to get a BIG DENIAL for execution. But Jason, you say that is not the way I should have handled it. So, there goes my system again. And those are not the only two processes in the OS that I don't know a thing about. There is a whole flock of them that I know nothing about. And all represent a danger to my system by what they are capable of doing to it, if I inappropriately accept their execution or cause damage to my system because they are unable to carry out a critical operation for my system because I inappropriately denied the execution of a needed process. Damned if you do, damned if you don't, flip coin and see what happens. Doesn't sound like a very good way to secure a system to me.

I need rules to follow with those OS processes. So let me think about it logically for a minute. If all I am trying to do is secure certain security programs, then it would seem that once I have installed PG on my system with those few programs launched and running with PG in learning mode and they are shown to be protected, then when I turn off learning mode, they are secure. I can then 'allow' everything that PG alerts me too and really have no problem. I am not trying to secure Office apps or a ton of other programs that are on my system. There are other programs for that.

Jason, point out the flaws to that idea if there are any and, if so, supply the rules I am looking to follow for allowing or denying execution of these OS processes. I am not looking to become a Windows XP OS expert for the purpose of having a secure system, I am looking for a means of having a secure system without having to be an expert.

Meltdown, thank you for your suggestion of using Google to check out these programs that bring to light my ignorance. I have already used Google in an attempt to help me with those decisions for allowing or denying, It has been of help to me with some of the obscure program names that are a part of some application that I have on my system, Like it told me some program was a part of PaperPort, so I allowed it. That was easy, but those Windows OS processes are not as easy. On just about everyone you look up will be found positives as well as negatives on most all of them. Any negative gets a denial. So almost all of the OS processes get a denial to execute. I will give you an example by using the same example that Jason used. You go to Google type in "smss.exe" and up comes an endless list of places to checkout concerning this entry. You click on one of the (I'll use just one) sites, which happens to be the 'Security Task Manager' site. The site gives the process a low risk security rating, but notes "The smss.exe file is located in the c:\windows\System32 folder. In other cases, smss.exe is a virus, spyware, trojan or worm!" As I don't know where this "smss.exe" file that needs permission came from, it give me greater motive to deny. Keep in mind I am reading this with a biased mind anyway. I was biased against its running before I even started looking. What I am looking for is something to prove my bias wrong. Then further down the page is given User's Opinion to rate the process. I think that if they can even rate it they know more about it than I do. There it says, "user ask for this file. 3 user doesn't rated it ("don't know"). 16 user rated it as not dangerous. 3 user rated it as not so dangerous. 6 user rated it as neutral. 6 user rated it as little bit dangerous. 13 user rated it as dangerous." So I see there are 3 that are as ignorant about it as I and rest are split down the middle on their opinion if it is dangerous or not. 19 say no and 19 say yes. But one of them that rated it as dangerous had this to say about it. "A large number of spyware and trojan programs use a version of this file and the csrss.exe, both created in the %windir% (NOT %windir/system) to contact websites and irc to download programs and give outside access to your computer."

Jason, you must have been one of those who rated as safe. But why you rated that way or why the other guy rated it as dangerous I have no idea. Logic would demand that I side with your opinion Jason since you have good understanding of the effects those processes have as they relate to PG. But Jason, you are not going to be setting here beside me every time one of those alerts pop up demanding a choice from me. Therefore, I am going to have to make the choice and to make a safe choice I am going to have to have some guidance in the way of rules, on how that choice is to be responded too.

I really appreciate the input all of you have made, but I am going to have to have a bit more input for answering these questions I pose concerning these alerts for OS process permissions. Because without that information, I am not going to have the confidence that my system can survive another install of PG.

And in closing, Jason, I would sure appreciate it if you would let me know what Diamond CS is using for anti-virus protection. I noticed that request was not responded too, from my previous post. If it is that Diamond CS does not want to give an endorsement of some product over this forum, that is understandable, however as a forum moderator you should have access to my e-mail address, and an e-mail would do just fine to get that info.

John

 

you have some good points there john. I too wonder about my ability to deal with all alerts in a satisfactory method. I still struggle with the accepy /deny bottons . If it was simple like say prevx has in that you can >click > dont ask me again and its taken care of . But I seem to find difficulty in stopping the array of pop ups and sussing out what they are really for. Prevx have an excellent choice that takes you to a home page with information about that alert Good information that one can then make a solid decision based on the facts infront of one . I find that very sensible for a user such as my self . maybe this is some thing that could be looked into . It only takes one wrong click and the system may be comprimised and all the security applications really dont matter.

 

Hi Johnniee,

I too exaluated PG 3.0 along with Prevx. Somewhere along the line something went wrong and crushed my system. The problem with these type of programs is that unless there is some specific guidance based upon real experiences, there are too many things that can go wrong and create problems which in many ways are worse than the problems that can be caused by the actual viruses or trojans that the software is trying to protect me from. For example, I had to do a compelte XP re-install next week. I am not adding anything to my very stable system (KAV 4.5.104, BOClean, ZonaAlarm Pro), until I get a very reliable image copy - which in itself is no easy task in the PC world.

I think there are some very standard programs that ultimately DiamondCS will have to create a user manual for which will describe recommended settings and actions. The only alternative is trial-and-error which for me is too costly in time and in potential data loss because of recovery issues (e.g. recovery to an old image copy).

Whennever DiamondCS has the time, inclination, and resources, I think this would be the most helpful next addition for users who do not have the expertise and/or time to figure it out for themselves.

Rich

 

Hi Peter2150,

You said in your reply to my post that “Jason told you what to do and you allowed your bias to override them.” Peter either you misunderstood what I said or I fail to state my position so that it could be understood, as I intended.

I did not mean that I would allow my bias to override what Jason was saying should be done in regards to the example that he gave. I intended to say that without those instructions that he gave for the appropriate action to be taken in regard to a “smss.exe” alert, that choice for how to handle that alert would be biased. It would be biased for the reasons that I gave. Without guidance, such as from Jason (one who understands the functions of those OS processes), my choice would be flawed by my bias, as the guide that I would have to follow, without Jason to serve as that guide. I have explained the reasoning involved to arrive at that biased position. The reasoning that I used was based in LOGIC. My understanding of the terminology COMMON SENSE is that it and LOGIC are the same thing. Common sense is a slang referral to logic, therefore, common sense is what I have used.

As far as, doing what Jason has told me, I intend to do so, but as well intend to do what you have told me, along with following the advice of all the others who have been nice enough to respond to my post. But I will be following that advice only if and/or when Jason gives me instructions on how the OS process alerts are to be handled.

Peter, thank you for the 2 replies to my posts.

John

 

To make PG work best, get all the software you want to use ready, and consider formatting your PC one last time Install it all, Windows Updates from downloads or behind a firewall - router if possible. Get it all set up how you like it, then install PG and learn all persistent programs (startup processes). Learn all security programs too, and everything with internet access.

Once set up, treat all new software with care. Installing TRUSTED packages like a Norton CD you bought from the shop is fine to do with PG disabled, then enable it and learn the new program too.

If you have any doubt on the file, try installing it with PG fully enabled - the worst that can happen is you will need to reinstall it because PG blocked something important. Most spyware installers will give you many many alarms on new EXE files running from the temp folder, often with suspicious names which are a dead giveaway

I've run countless trojans recently during analysis and always do so with PG enabled, and it effectively stops most of the worst trojans. Example - the VERY prevalent RBOT and other open source bots. These install a service (blocked) and if this wasn't blocked, they wouldn't be able to be terminated with Task Manager. As soon as they are installed, the firewall goes crazy and shows connection attempts to IRC.whatever.net. If this was a service, many would also become stealth trojans and bypass the firewall. Without PG, there would be no indication that anything was wrong.

This is exactly how we designed PG, to stop the worst threats that your scanners and firewall can't stop. If the AV didn't detect it, you're in big trouble.. and this has been happening a lot lately.

 

Just remember, even in the worst case that you do allow something malicious to run you will be stopping it from doing any damage to your running protected programs.

Deciding whether or not to allow a program to run is ProcessGuard's first layer of defense, but by no means is it the only layer. The other layers will stop all the worst kind of attacks from occuring.

 

Thank You Gavin, Jason & All,

After your replies to me, I realize that I am in quicksand here. I am in way over my head trying to secure my system with Process Guard. This could just go on and on. But I can not afford to let it go on and on. I am going to have to cut my losses. And they are a lot more than the 24 bucks I paid for Process Guard. When you take an action that allows you to move forward, you have made a good move. Well, the move to purchase PG has not only not allowed me to move forward, it has become an anchor that is preventing me from moving forward. I simply do not have the expertise required by Process Guard to deliver to me its service, nor the time that will be required to gain that expertise.

I appreciate all of your contributions attempting to aid me with my problems concerning PG. Although, I suspect you all have great understands with regard to computers and the security of them that I lack, which allows you to use PG with the confidence that you can secure your system with it. I, on the other hand, have not that same confidence, nor have your contributions to me aided me in gaining the confidence that I would require to attempt another installation of PG.

I certainly would have liked to have had the degree of security that PG promised, but the cost is too great. I have already paid a lot for it, still do not have it and with my decision to cut my losses will not be able to get it. If I am ever forced to take a look at PG for solving a problem that I encounter, I will re-evaluate PG then. But without being forced to do so, I am going to have to put PG behind me and move on to those things that are screaming for my attention. I will never be able to give those things that attention while my computer sits here in limbo waiting for solution to the problem that PG has delivered to me.

Thanks again guys, I am really sorry that we were not able to get me going with PG.

John

 

Overtime your knowledge of computers will increase as you become more experienced. This will allow you to revisit Process Guard at a later date. The good thing with DCS Products is that once registered the license will not expire, enabling free updates to later versions as they evolve and become available.

Your points are well founded from your perspective. Leave Process Guard alone for a while. In due course I hope you will return to it. You can also expect future operating systems themselves to include similar security programs as part of the operating system itself. We have an early example of this with XP and SP2.

 

In reality you have 2 options I feel. Either make sure your PC is clean - definitely clean, by scanning with many scanners and getting some help. Email my profile email if you want help making sure, dont use ProcessGuard until you clean your machine for sure

OR, format and install everything just stay offline to be SURE nothing bad is on your PC while PG is learning. Now you can trust learning mode, dont worry about the mumbo jumbo you have heard about such and such EXE being a virus. Just do what we ask - learning mode on, options on, LEAVE learning mode on and use your PC as much as possible. Keep it learning for as long as you can stand to stay offline just using all the programs you have. Then turn learning mode off.

The key here is with a clean system there will be NO conflicts. If you change ANY of the default privileges you will cause problems, so dont. Once you come out of learning mode, every alert you get, tick always, press allow. Once you get online, apply a different attitude - dont allow ANYTHING you didnt specifically expect to run.

Now if you formatted get Windows Update sorted first, at this stage allow everything to run as needed to perform Windows Update, and if you are getting a lot of updates even put PG in learning mode before rebooting. Stay offline and make sure your PC boots. Boot it twice in a row then disable learning mode again if you really want to be sure. Possibly do some housecleaning of the lists now - removing dead entries that arent needed.

If NOT formatting - The most important thing to remember is that you can allow everything you want - even if its a trojan you would be in the same boat as you were before. THEN you can clean it afterwards, just email me directly from my profile email. I will check your system manually with a log from ASViewer for malware

 

I read with interest Johnniee's posts as well as the thoughtful replies from the other members. I feel that some valid points were raised from both sides. I for one consider myself an "advanced" user in that I am familiar enough with my system to be comfortable using Regedit, modifying .ini files, using with confidence tools like Ad-Aware, Spybot, HijackThis, qfecheck, sfc.exe, etc etc. However there is still room for improvement in the area of core/baseline OS file recognition & setup. I'll explain more below.

I found PG3 (especially 3.050) to be 99% problem-free. I did not have a single BSOD (blue-screen) while using it (and I had a few with v2.0) I found the learning mode to be excellent, and the new UI to be very clean and well-organized. To date, there are a few lingering bugs/annoyances (most of them have been covered in the "wish-list" thread) that I hope will be addressed by a 3.1 update at some point. But none of them have prevented me from thoroughly enjoying the protection that PG3 offers. It has already blocked 4 attacks on my system and for that I feel it has paid for itself many times over.

However, I DO feel that one area sorely lacking and in desperate need of better documentation and/or implementation from DCS is a "baseline" settings tutorial for the core Windows XP/2000/2003 processes. I have even started a thread about it over here a few weeks ago, but it didn't get much user response, and not a single DCS response at all which is what I was really hoping for. I feel that with these processes properly documented, at least 75% of these beginner questions/problems could be avoided. Don't know what "csrss.exe" is supposed to be allowed to do? Well, then look it up in the help... oh wait there is no help for this. Well I think there should be! Posts like Johnniee's further confirm this. I hope that some sort of solution, either a built in baseline setting that is pre-installed, or at least some sort of reference in the helpfile or online somewhere, would be great.

 

Jason, Gavin & all who advised with my problem,

I first would like to apologize for pointing to Process Guard, as the cause of my problems, when in fact it was not. I doubt seriously that it caused me to have to re-install my system, as one of the responders pointed out, that it was probably caused by my uninstalling my security applications, installing PG then re-installing those security programs. And probably, as he suggested. the re-installation of my system was likely unnecessary. At any rate I did re-install my system and the problems that I attributed to PG after that re-installation, it turns out, was not PG at all. I have discovered that my problems were not gone with the uninstall of PG. I got another blue screen startup after PG was removed. Which got me looking for the cause, which I still thought was PG and I had a bad uninstall. A friend suggested that I use Administrative Tools/ Component Services/ Event Viewer/ System (as it was a System Error I was getting). There I found that an Error was showing and its cause was my Ultra 160 SCSI controller card driver. During the installation of the OS that driver had not been installed. I suppose that Windows XP had SCSI drivers on board to just get me by, but at boot time the controller wanted the driver that was designed for it.

Anyway I installed, the driver and used the computer enough to discover that system error had been eliminated. I next thought, should I give PG another try. I decided I would, as all of my problems that I had been attributing to PG may have been the missing driver all along after the re-install of the OS. So I finished installing all my programs on my system, then installed PG. And so far, (knock on wood) it is working great. I did as suggested Jason and ran all of my applications with PG in learning mode. When I switched off learning mode and rebooted I was most apprehensive. But that apprehension was in vain, as it has worked flawlessly since that reboot and I am not getting all of those, system files coming up asking me to allow or deny. I think that I have only had one of those since the re-install of PG, but it was obvious what it was for, so I allowed it, with no apparent problems resulting.

Like I say it is working great. There is one thing though that keeps coming up (not causing any problems though), it is a little balloon notice by the system tray, which says that a Global Hook to the Mouse and Keyboard has been blocked that msmsgr (or some such file name, Windows Instant Messenger I assume) is attempting to install. It gives me the same message for yhmsgr (again not sure of the file name, guess Yahoo Instant Messenger). But both seem to work ok, so it is not a problem.

I was very (unnecessarily) upset with PG on my last post, as it turns out without grounds. Just wanted to let you know that all turned out good, and let you know as well that I made a mistake by attributing my problems to PG.

Hoping You All the very Best,
And Thanks Again,
John

PS Gavin,
I really like those rules you set down about handling allow & deny when on & off the internet. I am sure those will be of great benefit to me. Thanks

 

Actually that can be a problem-- go to your PG "protection" tab and locate msmsgr.exe in the list, select it and check off the "allow global hooks" checkbox. Reboot and see if the message goes away. Same thing for Yahoo messenger.

And, glad you got PG working!! Welcome to the world of secure PCs!

 

Very glad to hear you are running ok now Johnniee with ProcessGuard. Good work on solving your problem.

 

Thnaks, LuckMan212, for the tip I am going to follow your advise.

John

 

Thanks Jason,

I am very happy about the outcome, as well.

John