Process Guard and windows rootkit question

Discussion in 'ProcessGuard' started by md411, Jul 25, 2004.

Thread Status:
Not open for further replies.
  1. md411

    md411 Registered Member

    Jul 5, 2004
    I recently went to this one site, and this site tried to download and install files without my knowledge - NAV 04 Pro stopped the downloads. These files were hxdef100.exe, hdef100,2,ini, rdbs100.exe etc. etc., and yes, these were NOT false positives. I may have found a "bug" in Firefox .08 - the browser I use... I used NAV in Safe Mode along with KAV (detect, delete, reboot - run scanner again)... anyways.

    MY question is: does or will Process Guard tell me if there has been a new "process" that was executed? In other words, if a rootkit did get installed somehow (hoping not), then will I be able to see it being run in the Process Guard logs? I can see everything else that "runs" in the logs. Running a virus scan I found some .exe files like 13592048.exe, 2fa0065a.exe, etc. etc. - these were hopefully all deleted - but if these exe files are in the temp directory.... don't these exe files have to gain permission from Process Guard before they can execute?

    I run AVG free with NAV 04 Pro in memory... I noticed the last 5-6 scans NAV has been finding exe files labeled as backdoor.hackdefender. The latest AVG scan did not cause NAV to detect any more exe files...

    I don't know if this has been mentioned in suggestions, but I wish there was an option to list programs in a certain order in program checksum....
  2. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Mar 4, 2004
    Hello, md411!

    Let me try to answer your question. It is my understanding and experience that before any program can run, PG will ask you if it's OK. The log will note any programs that are allowed to execute, and all programs that are not allowed to execute (i.e. it logs everything). Not sure exactly what a rootkit is, so I'll let someone else respond to this.

    In the Checksum screen, simply click on a column heading, and it will resort based on your selection.

    Hope this helps!
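The behaviour described in the two posts above (a check before anything runs, a checksum per approved program, and a log that records allowed and denied executions alike) can be illustrated with a small checksum-based execution allowlist. This is an added example written for this thread, not ProcessGuard's code, and it makes no claim about PG's internals or log format: the `ExecutionGuard` class, its `ALLOW`/`DENY`/`UNKNOWN` decisions and the sample files (an approved `firefox.exe`, a tampered copy of it, and a randomly named `.exe` in a Temp folder, named after the ones md411 found) are all constructed for the demonstration.

```python
"""Checksum-based execution allowlist, in the spirit of the check ProcessGuard
applies before a program is allowed to run.

Added illustrative example: NOT ProcessGuard's code, and no claim is made about
its internals or log format. Allowlist layout, decision names and sample files
are all constructed for this demonstration.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class ExecutionGuard:
    # path -> sha256 recorded when the user first approved the program
    allowlist: dict = field(default_factory=dict)
    # every decision, allowed or not, is logged: (decision, path, hash prefix)
    log: list = field(default_factory=list)

    def approve(self, path: str) -> None:
        """Record the current checksum as the approved version of this program."""
        self.allowlist[os.path.normcase(path)] = sha256_of(path)

    def check(self, path: str) -> str:
        """Decide whether an execution request should be allowed.

        Returns one of:
          ALLOW   - path known and checksum matches the approved one
          DENY    - path known but checksum changed (replaced or patched binary)
          UNKNOWN - never seen before; this is the point where a user would be
                    prompted, and here it is treated as a block by default
        """
        key = os.path.normcase(path)
        digest = sha256_of(path)
        expected = self.allowlist.get(key)
        if expected is None:
            decision = "UNKNOWN"
        elif digest == expected:
            decision = "ALLOW"
        else:
            decision = "DENY"
        self.log.append((decision, path, digest[:16]))
        return decision

    def new_processes(self) -> list:
        """Programs that tried to run without ever being approved: the
        'did something new run?' question from the first post."""
        return [p for d, p, _ in self.log if d == "UNKNOWN"]


def demo() -> dict:
    """Constructed scenario: an approved browser, a randomly named .exe dropped
    in a Temp folder, then the approved browser binary replaced in place."""
    with tempfile.TemporaryDirectory() as root:
        browser = os.path.join(root, "firefox.exe")
        dropped = os.path.join(root, "Temp", "13592048.exe")  # name style from the thread
        os.makedirs(os.path.dirname(dropped))
        with open(browser, "wb") as f:
            f.write(b"MZ legitimate browser image")   # constructed stand-in for a real PE
        with open(dropped, "wb") as f:
            f.write(b"MZ unknown payload")            # constructed stand-in

        guard = ExecutionGuard()
        guard.approve(browser)
        results = {
            "browser_first_run": guard.check(browser),
            "dropped_exe": guard.check(dropped),
        }
        # Simulate the approved binary being overwritten by something else
        with open(browser, "wb") as f:
            f.write(b"MZ patched browser image")
        results["browser_after_replace"] = guard.check(browser)
        results["new_processes"] = guard.new_processes()
        results["log_entries"] = len(guard.log)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of keying on the checksum rather than the file name is the case the first post worries about: a dropped executable with a random name has no entry and shows up as UNKNOWN in the log, and a trusted name whose contents were swapped is denied rather than allowed, because the recorded hash no longer matches.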
  3. nick s

    nick s Registered Member

    Nov 20, 2002
    One of the features of PG is blocking advanced malware like rootkits. Hacker Defender works by executing hxdef100.exe. Even if you accidentally allow PG to let it execute, PG will stop it from installing drivers and services.
