Kevin's thoughts about ProcessGuard

From this thread:


http://forum.gladiator-antivirus.com/index.php?showtopic=9954&st=15

"What I'd actually SUGGEST (doesn't put a DIME in our pockets) for those who are concerned about this to such a degree is to buy Wayne's "ProcessGuard" (not the freebie, the PAID version) and let *ONE* kernel patch secure the entire array of whatever you want to protect. ONE hook is tolerable, the more you add, the more you're asking for trouble. Since many of the AV's already have a hook in there and so do most firewalls, most people are sitting near the ratty edge as it is. To add more security programs chaining into the kernel is just asking for headaches. And since Wayne's put so much effort into this (I'm jealous!) I'd suggest going with his solution rather than putting Madshi into BOClean ... the more "stuff" we add, the slower it'll get and our MAJOR advantage is SPEED ... "get the nasty before it gets you." Thus, I've always been concerned about "bloat" ..."

Now that's setting aside all the "My product/your product" bs and putting out solid, intelligent security-wise information if I've ever seen it!

Thank you, Kevin! Pete

 

Re:Kevin likes ProcessGuard, too!

Yes Pete, Quite an endorsement that's for sure but we must always remember that that those that will do us harm are always snapping at our ankles.

 

Re:Kevin likes ProcessGuard, too!

Kevin has taken a very honest and admirable approach to this whole issue, and I've already emailed him to let him know that I highly respect his attitude and professional approach to this - he's been completely honest with everyone (and as a competitor I can probably recognise that honesty more than most) . So BOClean users can sleep soundly at night knowing that their system is protected by a program that is created and maintained by a man that has dignity and is never afraid to be honest - those human qualities inevitably trickle down into the software.

 

Re:Kevin likes ProcessGuard, too!

In reguards to Bo CleanI think that it is a great AT and have run it for a long time but since i have installed process guard i can not get it to stop logging even though i have allowed the process and nothing blocked for that app. I hope may be when 1.20 comes out that may be it will be solved.So now i have shut down Bo Clean and have installed trojan hunter which is a good product as well and have no problem with the logging in PG.Has any one else had this problem and if you have were you able to stop all the logging please let me know.Thankd

 

Re:Kevin likes ProcessGuard, too!

Does it mean that users who have Windows 95,98, or ME are out in the cold? Isn't PG only compatible to XP, 2K, or 2003?

 

Re:Kevin likes ProcessGuard, too!

H siliconman01, Unfortunately W95, W98 & ME are not compatible to this technology, not the developers fault it is the way that the older OS's were designed.
Even more of a shame for W98 users is that MS will no longer support it from Jan 15th - Strange when consider about a quarter of all PC users still use those OS's.

 

Re:Kevin likes ProcessGuard, too!

Happy to see that a competitor can be so honnest

about PG OS compatibility, from the help file :

So yes, no Win9x (which would require another driver, and may be not possible, i don't know).

 

Re:Kevin likes ProcessGuard, too!

Hmmm...more gunpowder to get my brother off Windows ME and up to XP!

 

Re:Kevin likes ProcessGuard, too!

@Pilli

"but we must always remember that that those that will do us harm are always snapping at our ankles."

I believe there are only a few people who really want to snap your ankles. Many people just criticize DCS which is a completely different thing. Even more people simply love DCS.

It's important to bear this in mind. Paranoia isn't always a good thing.

@Wayne & others

This is just a bit off topic and it does not only apply to DCS. Sometimes, I feel that U.K./U.S. or Australian software developers do not completely understand why a many European's have difficulties with their adverts, their habits when talking about competing products etc. I believe this is noone's fault. It has simply to do with cultural differences.

In the US, for example, people are used to comparative advertising for a long time (see http://www.ftc.gov/bcp/policystmt/ad-compare.htm ). By contrast, comparative advertising was illegal in many European countries until recently (see http://www.i-infocus.co.uk/sponsor.php?trail=&doc=28 ). Actually, comparative advertising was/is a reason for getting sued. And there are still many European's having strong feelings about such marketing practices.

Personally, I do not think that comparative adverts or talking about competitors is generally bad. But it's quite difficult to be fair when doing so. Kevin's post exemplifies how it should be done. Some of the posts in this topic ( http://www.wilderssecurity.com/showthread.php?t=19163;start=30 ) show how it shouldn't be done.

 

Re:Kevin likes ProcessGuard, too!

Helo noname0,

You misunderstood my words, I was not refering to healthy competition but to the maliware developers. i.e the need to try and keep ahead of them.

 

Re:Kevin likes ProcessGuard, too!

Doh!

 

Re:Kevin likes ProcessGuard, too!

I do agree with some of noname's post. I don't think it is just European countries though, rather developers who don't have English as a first language. In another programming field (non security related) I have seen a lot of people get upset by what these people say, when in reality they havn't been that harsh after they explain what they meant, it is just hard for them to use the correct English words. I don't know if this is the situation in all cases, just something I have noticed.

I posted my reply to someone posting this on the DCS forum (saw it there first )

http://www.diamondcs.com.au/forum/showthread.php?p=19652


-Jason-

 

Re:Kevin likes ProcessGuard, too!

you will have to be absolutely sure that EVERY WORD in a comparative advertisement is true and backed up by 110% proof.. otherwise you_will_get_sued and lose your case..
for example recent trial in finland between mercedes and volvo, mercedes said in their ad that volvo doesn't offer genuine wood decorations.. while it in fact does, although it's optional... one very expensive loss for mercedes...

 

Re:Kevin likes ProcessGuard, too!

Before I get going on this, I'd like to ask everyone to PLEASE bear with me here, because it seems as though my original post may have been a bit misinterpreted. First off, Wayne, Gavin, Nancy, myself and several OTHERS in the security business are not only COMPETITORS, but FRIENDS as well, and we share a NUMBER of nasties, issues and concerns with one another in private.

The MAGNITUDE of the issues which confront all of us as a "untied group of programmers against the bad guys" just go so FAR past the "MY antitrojan is the ONLY answer" guys who have, by their malevolence, cut themselves AND THEIR CUSTOMERS off from "shared information amongst the honorable." It's a damned shame that a small number of so-called "security vendors" have chosen a path of "scorched earth" to sell their ... ahem ...

Just wanted to put it up front that we from the BOClean house, TDS, NOD32, the Otis-Vigil brothers and many more of us who serve all agree with one another and cooperate. Wayne, Gavin and the other folks at TDS are people we've ALWAYS highly respected - that's WHY we can work together, based on the premise of "the needs of the many FAR exceed the needs of the few."

But, despite my undying respect, I feel a tiny bit MISQUOTED, and thus feel the need to offer a MINOR correction. Wayne and I *do* agree on this in PRINCIPLE. "Hacking the kernel" is a BAD thing. Distant versions of expired BOClean *DID* hack the kernel in a USELESS attempt to prevent "TerminateProcess" and other nastiness. Some of them worked VERY WELL too ... UNTIL Microsoft issued another "bandaid" ... THEN our customer's machines wedged SOLID - couldn't even reboot. We abandoned "hacking the kernel" to "protect or hide BOClean"

What Gavin and Wayne have done here is REFINED the "hack" but no matter WHAT you call it, it's STILL a "kernel hack." Granted, better than any *I* have written, and better than those provided by McAfee, Norton, ZoneAlarm and a few others who have only ended up hosing the system.

The REASON for my endorsement though of ProcessGuard isn't that I *agree* with it - I have to answer to our PRIMARY BOClean customers - the US government, military, "spook agencies that don't exist" and numerous others with serious security concerns. They never PERMITTED me to release the "hacks" in BOClean. To the military and those whose OS's are "mission critical" *ANY* tampering with the system, other programs, or anything else is an absolute "WE YANK IT! VERBOTEN!" OUR bottom line unfortunately is that our MAJOR customers will not accept ANY "hack" of the system, even if we were "SOLE owner" of it. We are PROHIBITED from doing so under the contract which allow us to give you a license for BOClean on ALL the machiens you own without having to pay more, PLUS over seven years of upgrades and updates for FREE after paying ONLY ONCE. The folks we have to ANSWER to are the cash cow that allows such generosity and "hacking the kernel" is NOT allowed with them. The unknown repercussions on OTHER security software is TOO great to risk.

In fact, several OTHER *major* security programs are NOT permitted on the same computers as a DIRECT result of kernel hacks OTHER vendors have done. You won't FIND ZA on military machines as an example. Kernel hacks have a NASTY habit of neutering the FRONT line of defense such as major antiviruses, antikeyloggers and other specialized software because expected "hooks" disappear as a result of tampering by OTHER vendors who are not aware of the negative immpacts of their "we're the ONLY one" designs. We have numerous records of wholesale takeovers of machines as a result of poorly-designed "security" software that not only fails on its own, but causes OTHER security software to fail as well based upon BAD "hacking of the kernel" using libraries such as Madshi, Elicz, and others.

If we're going to have antitrojan vendors using "Leet libraries" and actually building their systems on the very same libraries used in BEAST, NUCLEAR RAT and dozens of OTHER trojans as their OWN core (perhaps it's OK for the lazy to say, can't beat'em, join 'em if they can't write their OWN code) from Madshi, then we've ALL got a problem if security vendors are cutting and pasting TROJANS into their own "ANTI-trojan" ... damned sad statement on what passes for "morality" these days indeed.

What WAYNE brings to the marketplace is *ONE* solution to the "TerminateProcess problem." If you're going to have "security vendors" "hacking the kernel" then my OWN attitude is most precisely, "better ONE than everyone" doing it ... ONE "kernel hack" on ONE system is likely to have far LESS of a negative performance/security downside than DOZENS ... and THAT is where I was coming from with my remarks. Conceptually, I *still* disagree with *ANY* kernel hacks ... but if people REALLY feel that it's required, "BETTER ONE THAN MANY, OR MANY INSTANCES OF A REALLY REALLY BAD ONE" (like "Madshi") ... I wasn't so much endorsing "ProcessGuard" as much as I was saying "if you REALLY FEEL that you NEED such, don't phuck around - go with *ONE*") ... no offense intended towards ProcessGuard ... if you really THINK you need it, THIS is the way to go rather than the alternatives. Madshi is NOT stable ... so far ProcessGuard appears to be.

Don't mind me, I'm "old school" ... "if it MOVES, fondle it."

If it WORKS, USE it ... if it doesn't, STOP!

But I'd MUCH rather that people have ONE process guard than "death by a thousand cuts" of OTHER registry hacks all colliding in memory. There's a REASON why we didn't do what we'd built 6 years ago. It worked, worked well ... then Microsoft did an update. WHOOPS! We fixed it, happened again. And again. AND AGAIN. Gave up, felt better.

My output though was - "*IF* you gotta do this, GO ProcessGuard" ... ONE hooking is better than MANY ... but PG won't stop the antitrojans with Madshi, and currently it SEEMS to have a problem with our own system hooks (I *know* WAYNE will FIX this problem, we're buddies after all) in its logging. And frankly, for those who have taken on Gibson-level worries, this IS a solution ... meanwhile, the ONLY way BOClean was ever shut down by a nasty happened to be a particular antitrojan with a particular clueless tester who happened to have an expired version of BOClean provided by a competitor who didn't have a licensed version. Got printer cartridges? I can give you the link to the review site so you can get your printer cartridges and of couse, NOSPAM.

Wayne and Gavin have put in a LOT of effort into this - and like I said, it's far better to have *ONE* kernel hack than many - the more you add, the more unstable Windows becomes. I'm impressed by it, and I'm JEALOUS. However, the customers WE have to answer to will not be applying ProcessGuard either on PRINCIPLE. "Kernel hacks are NOT allowed" and that's the haze that we've had to design under for BOClean. And as I've also said, aside from ONE trojan specifically built for a specific reviewer, BOClean's NOT been taken out by nasties otherwise. *ANY* security program can be taken out under the correct specific circumstances ... and SO CAN PROCESSGUARD. I won't divulge the details ... Wayne and I discussed it though. The LIKELIHOOD of it getting taken out though is as slim as BOClean getting taken out, which is good enough for most everybody including ME. But as I said in our own forum, NOTHING is bulletproof. Some are just more so than others, but NOTHING is absolute.

Just wanted to clarify my point, and no offense intended ... I need me some SLEEP, or I probably woulda been more lucid.

 

"no offense intended" - none taken. I've altered (edited) the title of this thread and also the thread reply I made in the TDS "General" forum, here: http://www.diamondcs.com.au/forum/showthread.php?p=19638#post19638

And I hope what I had written didn't cause you any problems or embarrassment - if so, you have my apologies. Pete

 

Thanks for the clarifications Kevin, Very pleasing to see two developers & competitors having a civilised and well constructed discussion.
It's a shame MS left all these damn holes in the road in the first place

 

@Kevin

"But, despite my undying respect, I feel a tiny bit MISQUOTED"

I got you right from the beginning. IMHO, BOClean does not need any anti-termination protection. It's an AT scanner and not a system firewall.

"What WAYNE brings to the marketplace is *ONE* solution to the "TerminateProcess problem."

I believe that PG is much more. TerminateProcess is no real problem. By contrast, DLL trojans are a problem. PG will prevent most DLL trojans from injecting themselves into other apps. That's an important benefit. Moreover, the forthcoming PG version is expected to handle keyloggers as well. Not bad either.

Consequently, PG is a good example for layered security. If your AV/AT scanner fails because malware has been modified or treated with Armadillo (I guess Gavin is still investigating this issue ;-) you have a chance to stop it by using PG (or a system firewall like SSM or TPF). And if PG also fails there is still your firewall ...

 

As usual Kevin, you're a class act!

Acadia

 

Re:Kevin likes ProcessGuard, too!

Hi Kevin thanks for straightening it out.

Process Guard's driver doesn't really "hack" the kernel. There is a difference between changing code in kernel32.dll (what MADSHI and other usermode hooks commonly do) and adding your functions to a proper kernel mode CHAIN which just happens to be undocumented by Microsoft. Process Guard does not rewrite any code in the kernel or change anything except for a few pointers. So I would not call it a hack, I would call it a driver using and doing 99% undocumented things.

There is an issue with Service Packs breaking these undocumented things as you said you have run into, but I have designed Process Guard to not rely on fixed offsets or anything of that sort which usually is what causes issues between service packs. The only thing which will break Process Guard in a new service pack is Microsoft totally rewriting a lot of their structures (possible but unlikely) and in either case would require a small update to make it work if any issues did arise.

Process Guard is very stable, the only blue screen we get is actually not caused by the driver, but by the EXE. And there is a solution to work around this with the current version. So what Process Guard (kernel mode/driver wise) is doing is stable, if it wasn't we wouldn't release it until it was (well we do release it to our beta testers ).

I like to think of Process Guard as an addition to the operating system which makes it more like it should have been in the first place. I'd just like to reiterate that what Process Guard is doing isn't a hack, it is UNDOCUMENTED but the modification that occurs is programmed into Windows.

I'd also like to mention I havn't seen any Proof of Concepts (theory or code) which actually can remove Process Guard's driver, so I will have to ask Wayne about what you mean in that regards.

-Jason-

 

Sorry for my delay Kevin, although Jason has pretty much covered most of what i was going to say anyway
Just wanted to emphasise this:

Yes we do both agree that hacking the kernel is a bad thing (which would almost certainly involve modifying kernel-mode code) and we could do that but we've never had a need or desire to. But it's my fault for any confusion because I loosely referred to it as 'patching the kernel' (just so as to help our lesser-technically-oriented forum readers distinguish that from user-mode patches), but in reality it's essentially a chain structure that Microsoft created for this very use, as Jason described. It's not officially documented by MS, but you can find some tricks about it in Undocumented Windows 2000. Process Guard doesn't make any changes to the kernel itself or anything of that nature, as the driver is able to take care of everything without requiring anything like that. Consequently, it's fine for personal use, military use, and so on. (If Process Guard somehow isn't fine for military use then neither would a firewall).
So while user-mode hooks do patch code, PG's kernel-mode driver doesn't make any such patches or code modifications - just a valid link insertion (all our code is in the driver)

Cheers,
Wayne

 

Re:Kevin likes ProcessGuard, too!

@ donsan709 you will find in my thread the answer to BOClean logging problem:
http://www.wilderssecurity.com/showthread.php?t=18225;start=15
I have it setup and running very well now together with PG as long as I don't let PG auto start I am very happy with the way the 2 work together.

I'm a very satisfied user of BOClean (2 years) and find it comforting to see the co-operation between you guys in hopes of providing the best security apps possible (best that I have found to date).
Keep up the good work Kevin / Gavin / Wayne / Jason well... all of you really
Thanks

 

not true for 1 gig of meory it cost 160 dollers for 120 gig hard drive it cost 60 bucks now i think

processor now resoanable prices