ProcessGuard - Is the free version strong enough?

Discussion in 'other anti-malware software' started by xeda, Jan 29, 2007.

Thread Status:
Not open for further replies.
  1. quadrophonic

    quadrophonic Registered Member

    Joined:
    Jan 24, 2007
    Posts:
    112

    I agree, however I don't feel the same about antivirus programs. Regardless of what the vendor says about installing two, if you close down the services for one and ensure that their exe's are not in startup, you can run one as your online scanner and run the other as an on-demand scanner (as long as you open its services and close down your current one). I've done this with no problems, although when using Process Explorer, I have seen dll's from the closed AV program loading with explorer, even though the program is not active.

    I think it should be mandatory to get the opinion of a second AV program from time to time, and I'm not a fan of online scans (who wants their entire OS partition file list to be archived on a 3rd party server?).
     
  2. quadrophonic

    quadrophonic Registered Member

    Joined:
    Jan 24, 2007
    Posts:
    112
    I just happened to be perusing this forum and noticed this thread. This is the one area of security I haven't gotten into as of yet.

    I respect all of your opinions and am just starting to read more detail about these HIPS programs.

    Are most of you of the opinion that programs like Spybot's Teatimer, Spyquard and Spyblaster are useless, or can be run in conjunction with a ProcessGuard?

    Currently, I'm running the above three with my firewall and AV program.
    I also have the MVPS HOSTS file loaded, although I've read that the Bluetack one is better. I'll probably reinstall IE-Spyad, even though I find that with all this installed, my IE6 browser crashes after a while (I'll check the task manager and see it's using about 150 MB or more of RAM).

    I was just reading the Castle Cops wiki on ProSecurity, and they seem to feel that System Safety Monitor allows for more protection (see bottom of page):

    http://wiki.castlecops.com/Prosecurity
     
  3. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Got PG Free installed again. I like it. I just wonder can anything possibly get by it? I mean barring any mistakes where I hit allow and let something in myself, what could get by this fine security program? And if something can, what would it be, and how? I would think something has to be able to get past PG Free or all other Security Software would become obsolete and not supported, instead of this happening to PG, right?
     
    Last edited: Feb 16, 2007
  4. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Come on folks, help an obsessed software-installing fellow out. Can anything get by PG Free, and if so, what and how? I like the program, but just wonder if having my AVG Firewall and Arovax Shield is needed with it?
     
  5. EASTER.2010

    EASTER.2010 Guest

    Hello duke1959:

    Umm, I can share my recent experience with Process Guard (free). I only just tried the free version 2 weeks ago after reading so much about it from this topic and what do you know? I like it better than I thought I would. In fact it really does behave as another HIPS of sorts by guarding processes and preventing others from making modifications/launching freely etc. It's a nifty and kinda nice rules-based safety proggy that now rests with my other collections that go something on this order.

    System Safety Monitor
    Kaspersky Internet Suite 6
    Snoopfree
    Kerio 2.15 (Welcome Back!)

    I had been using CyberHawk or Launch Monitor by Infoprocess, but really, the prompts I don't really need and besides, from what I discovered so far, this ProcessGuard (free) is really kind of unique even if it is a lesser version and maybe a bit outdated. It still has a task to perform and does it as well as I would expect. Otherwise, it comes off my PC right away and into the stowaway bin.
     
  6. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    237
    Hi there, fcukdat. Why do you hunt malware? Is it sort of like a hobby for you, or do you do that as part of your job?

    BTW, thanks to your post, I am going to give ProcessGuard (free version) a try. I wasn't planning to, but now I just have to try it. :)

    Phil
     
  7. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Also fcukdat, are you saying that absolutely nothing can infect a PC with PG Free unless the user hits allow? Or are there at least some instances where PG Free doesn't prompt you with a warning and something can get in? I am using Cyberhawk again and it runs fine, but I liked having PG Free because of its protection of processes and the GUI. However, it seems that something could come along that a behavior blocker like CH would pick up and PG Free wouldn't. Thanks.
     
  8. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Started as a hobby....now an addiction:eek::D

    It started as collecting malware to test softwares and compare performances.
    It then got narrowed down to collecting and testing versus a set of softwares to return product/malware-specific data back to the supported vendors (ongoing).
    But since Nov 06 I have uploaded 1000+ malware files, new or not widely detected, to the malware listserve (MIRT) at CastleCops for widespread sharing amongst all vendors, research groups etc. so the good guys can formulate a quicker defence against newly emerging malware threats:thumb:
     
  9. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Re PG and possible weak points
    If I'm wholly honest I cannot say that with 100% certainty. I have read proof of concept (POC) articles where in all theories something could bypass, but based on extensive usage around exploit-laden URLs nothing has infected for me without code execution being granted.

    The exploits will fire/start up but the malware payload executable code is always captured by PG.

    I stand by the statement: if it can't execute it will not infect:thumb:

    If anyone would like to prove me wrong, feel free to point me to a test/infected URL that can bypass PG execution protection, and as with all these lame security tests, if it requires me to consentingly execute code then it fails by default:D
     
  10. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Have you tried SSM?
    lodore
     
  11. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Thanks fcukdat, it's appreciated. From what you are saying I guess it still wouldn't hurt to have a backup plan so to speak, as in a secondary detection software. I wonder then if just an antispyware would be enough, or if it would be better to have something with heuristics or HIPS? I see the benefit of Cyberhawk maybe because of its behavioral detection in case PG Free did let something through, but then again maybe a signature-type antispyware with heuristics would be enough. I just don't understand why PG or PG Free hasn't done better as far as profits from more users though. You would think a lot of people would prefer what either one of them covers along with their ease of use, over other perhaps stronger HIPS programs that are hard for most users to understand and configure. Take care for now.
     
  12. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Nope, but then I don't want or need that wider degree of control + configuration (& potential bugginess) over my system and events.
    FWIW, judging from the frequency and type of updates it shows a *work still in progress* side for the more watchful ;)
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Fcukdat,

    I do not have a URL, but PG does not protect against physical memory overwrites, nor are its settings password protected, so in theory a physical memory overwrite AND an ADS trick AND simulated mouse clicks could fool PG to allow a 'known' good app, while it is a bad app.

    But then again how likely is that chance?

    Regards K
     
  14. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Point taken, but then there is a hell of a lot that PG does not protect against (nor does it claim to;) )

    But again I think you miss the crux of the matter: none of the above are possible without code being given execution permission in the first place.

    HTH:)
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    fcukdat,

    XP also warns you when you start up a program, so why need PG then?

    The Windows validation ActiveX control for instance also overwrites physical memory. Have you ever tried DFK Threat Simulator 2 against PG? Executable code can be hidden in many sources.
     
  16. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    How do you get TS2 to run its simulation without making a consented download + granting execution permission in the first place ?

    FWIW I don't use *threat simulators*; I actually go dropping in on *live* exploit-laden URLs with unpatched browser, SP1 and JRE 1.4.2 installed to maximise the attack surfaces (firewall off, IDS off). Odd that if I turn off PG protection there are no OS-generated execution warnings of the droppers that are being executed and the machine gets infected awfully quick:ouch:
     
  17. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    I'll also back that statement up, never got infected unless it was allowed. :D
     
  18. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Guys I believe you, but why don't more people use ProcessGuard Free then? I mean it's easy to use and understand. Plus it's low on system resources. You can also use other software programs with it like AV's, AS's and even HIPS for added protection. Any insight on this fcukdat and yankinNcrankin would be appreciated.
     
  19. EASTER.2010

    EASTER.2010 Guest

    I just finished up a pretty lengthy run with ProcessGuard Free and was quite impressed with it actually. I really didn't expect much from the free version myself but it did more than was expected, so much so that I replaced Cyberhawk with it. Not permanently, well maybe later I will bring back CH, but for now I have uninstalled PG for Spyware Terminator, which I'm testing its real-time shield and HIPS right now. Day #3
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    IMHO, because people interested in this kind of protection are more inclined to SSM/PS (full, fine-grained control). Their free versions are very good too.
     
    Last edited: Feb 25, 2007
  21. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    I guess it's preference when it comes to usage. I switched PG Free to PS Free mainly for its outbound TCP/UDP connection control, and it also is as powerful in process + app control as PG Free. :)
    Currently I use it to block PowerShadow from connecting out when I launch the program; it also blocks explorer.exe from connecting outward. If you're a paranoid privacy type of user, then you could configure PG to have certain programs not be able to read other programs etc., however you would need to play around with it to get it right, as doing this may make some programs not work correctly.
     
  22. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Thanks fellows, I understand now. It's still nice for a novice like myself though. Take care.
     
  23. CReal

    CReal Registered Member

    Joined:
    Feb 17, 2007
    Posts:
    42
    Good point. I use PG Free though, for exactly the opposite reason. I am tired of the exaggerated fine-grained control. I try many programs and I am tired of clicking allow 100 times when installing something. At least PG pops up only about .exe. With the more heavyweight HIPS, you get registry/exe/dll/driver alerts and it makes me go crazy. :blink: Plus it is pretty much mature now, while the heavy HIPS have a list of serious bug fixes in every changelog. And every time they include a new feature, new BSODs come. Simplicity has some advantages too.
     
  24. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I could not agree with you more. ProcessGuard is very stable and quite simple and still gives the added application control missing from my Kerio 2.1.5, which is also another goldie. No use to argue that it is the best HIPS 'cause it isn't, but the things it does, it does them well.
     
  25. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    It is great that we all have choices. Some of us want more fine, granular control, while others want something simpler. The end result is we have bolstered the security on our machines by using one of these products. As some in this thread have mentioned, at least being able to stop the malicious executable from launching is what it is really all about. Clearly PG can do that as well as the other competitors that just have a few more bells and whistles. The same can be said about all the different offerings of firewalls and anti-malware apps. There seems to be a product in all categories that is just right for all of us :)
     