Bought TDS-3 like 6 months ago and am happy with it, so I am thinking about buying Process Guard too. 1. If I already have a keylogger in my system, would Process Guard prevent it from operating, or does the protection against those only apply to those that are executed while Process Guard is active? 2. Does Process Guard take much of my computer, like processor and memory? 3. Will it damage "good" programs? It sounds like Process Guard might stop a lot of non-virus, non-trojan programs from working, like ZoneAlarm did (I use Sygate now).
1. If you have a keylogger it 'should' stop it from working... unless the keylogger is at kernel level (driver). 2. PG is very resource friendly. 3. PG will let your programs run freely, so long as the correct permissions are given... the easiest way to achieve this is to put PG in learning mode and run every program once (and if it has subprograms, like many AVs and ASs, run those subprograms once also). Learning mode will allow PG to give your programs all the correct permissions. If you forget to run a program before putting PG back into protection mode, that's okay; PG will let you know in the alert screen something like 'rtvscan.exe was blocked from installing a driver', which means you need to give rtvscan.exe (part of NAV) permission to install a driver/service.
Process Guard can certainly stop a keylogger from installing, but whether it would block an existing one comes down to how you install PG. If you follow DiamondCS' recommendations about running in Learning Mode to set up permissions, then any existing software on your system (including malware) will be given the permissions to do what it wants, which is why DiamondCS stress the need to ensure your system is clean first. Another method of installing PG is to disable Learning Mode and reset the Protection list to default (meaning only a few key Windows components are granted permissions) and reboot. Many of your startup programs will fall in a heap and fail, but you can then go through the Process Guard logs to see what was blocked and decide, on a program-by-program basis, what to allow for subsequent restarts. Any keylogger would (almost surely) be caught out by this, so as long as you know what programs are legitimate, you can block out malware in this fashion. It does require detailed knowledge of your software setup, however.
I'm considering a program such as PG; another is FreezeX (now called Anti-Executable). In a sense, with PG you are creating your own white list by giving permissions. What appeals to me about FreezeX is that when you install it, it does a deep scan of the computer and puts everything into a white list. Nothing else will run. Period. While this would seem to be a little less maneuverable than PG, my sense at the moment is that it is a more secure way of operating. But I'm still considering... Thanks for the good explanations from everyone in this thread. regards, -rich
FreezeX might duplicate the blocking of executables, but does it protect against the other key things in Process Guard, like termination protection and blocking installs of services and drivers? Pete
I think what he means is that FreezeX will block programs from executing/running as does PG. However, it's not clear if FreezeX has the additional protective measures that PG has.
Hi, A couple of things to research in regard to FreezeX: 1) While it will roll back the system to its prior state during reboots, it still has "vulnerabilities" during the period of time between boots. For this reason, I have noticed that there are FreezeX users who run with PG on the DSLreports forum. 2) There are certain "updates" that you will not want to roll back. In this case, you will have to put FreezeX in a thawed state. Thus, you as a user still need to know, and remember, when to place your system in a thawed state and bring it in and out of thaw (I believe this requires a reboot, but I could be corrected) in order to "hold" the updates. As I understand it, FreezeX was designed for public libraries and schools where the environment is both reasonably static and highly controlled by central administrators. It may, or may not, be appropriate for home users. I would also research the effort required to uninstall FreezeX-type products in case you decide that it is not what you are looking for. Hope this helps, Rich
I'm not sure if we are getting mixed up here between two different Faronics products: Deep Freeze, which sets the system back to its original state after a reboot, and FreezeX, which is meant to give protection while Deep Freeze is in a thawed state. I have read about problems uninstalling Deep Freeze, but it worked OK for me following the relatively simple instructions they gave.
This is correct. FreezeX blocks any executable from running which is not on its white list; it doesn't matter whether the system is frozen or thawed by Deep Freeze. According to the Process Guard Web site describing Process Termination: ------------------- The Attack: To terminate any process, a trojan would normally first acquire a special (but easy to obtain) privilege... ------------------- If this works via a trojan, then it is blocked by FreezeX, which prevents trojans from running. However, to be certain of this, I've asked for clarification from Faronics. As for blocking installs of services and drivers, here again, any install program not already on the system will not run. FreezeX has rename-copy-delete-move protection for all executables, so no contamination of the white list is possible. As for some of the other neat features of PG, again the available literature for FreezeX does not go into such detail, so I've asked for more explanation on this. However, after perusing this and other current threads about using PG on this forum, I've decided that PG is not the program for me. I don't want to have to constantly worry about guessing about permission for this process or that. While it's impressive that PG works at that level, the threat of that type of attack is just not that ominous, IMHO; on the alarm scale of 1-10, it might make it to 1. In addition, I had some concerns after reading the "A Word of Caution..." section in the Andreas paper, p. 3. I just don't want the possibility of any conflicts. FreezeX is designed to create a white list of all programs when it installs. That's all it does, and it won't nag you unless something not on the white list tries to run; and it's designed to work in conjunction with Deep Freeze. (DF and my firewall are the only security programs I have.) An anti-executable program will complement that, in that no virus, spyware, adware, or trojan (rootkit, keylogger, etc.) can ever install, and will be removed on reboot.
Having said that, I'm impressed with what PG does, and it certainly adds to one's feeling of security for those who are concerned about those types of protection. regards, -rich
Hi Guys, Thanks for the correction. PG can easily be set up to create a "white list", which is what it does at initial installation under learning mode. You can "freeze" the system if you want to after that. However, no matter which product you use, if you wish to "add" anything to the system after that, then the user has to make a decision somewhere. Whether it means putting a system into "thaw", or giving "permission", or whatever, it is all the same. worldcitizen prefers PC Internet Patrol because there is a "database" that makes the decision for him. That's fine, if he trusts the database. He still has to make a decision to trust the database and the program that is trying to install the new software. Somewhere, a decision has to be made "to permit" or "not permit". It is a matter of how one goes about making that decision. There is also the matter of which product is most architecturally "hardened" against attacks. A comparison of different products in this respect would be interesting. Rich
I agree with your statement that PG creates a white list at initial installation under learning mode. I also use pcInternet Patrol, and it has that same feature when you first install it; it also has the database, which has the ability to further check to see if a program that exists at the time of install, or one that is later added, has been authenticated as safe to use. pcInternet Patrol also provides a list of all active programs, what the program is started by, and a component list which includes all exes and dlls, and it makes for an invaluable quick and easy reference. It has other features as well: enable/disable sharing, quarantine for email attachments, pc hacker tracker, and when using another 3rd party firewall it can block pretty much any leak test you throw at it, so it is far more than just a database program. To me the advantage in using these 2 programs together is that, say I download a program, go to install it, and PG prompts with an alert allow or deny, and I allow it, and pcInternet Patrol monitors the install and finds malware or whatever, pcInternet Patrol has the ability to stop or block my mistake. I agree with you also, Rich, that it would be interesting to see a comparison of which product is most hardened to attacks, and I look forward to reading more about it. Regards, Wake
Since this is a forum for PG users, it's perhaps not the proper place to go on too much about other products. My reason for checking here was to find out more about PG, as I was still considering both it and FreezeX (now called Anti-Executable). So, I'll just say that I'm beginning to see that they are two different products, and so it's not feasible to say one is better than the other. PG offers protection other than just a white list of executables. PG is much more user-friendly: you permit/deny on the fly. Can't do this with FreezeX. You have to turn it off via a password, then do your change. A similar comparison can be made between ShadowUser and Deep Freeze: both are lockdown programs, but SU allows changes while in ShadowMode ("commit") and DF does not while in Frozen State. The reasons have already been mentioned in another post, that the Faronics products were first designed for institutions (libraries, schools) where few changes are made to the systems. Both DF and FreezeX offer Command Line Control and Remote Console for network-wide administration for their Enterprise Editions. With both Faronics products in their institution settings, the user (student, library patron) cannot make any changes; only the administrator can do that, by going into the console via a password, and you can understand why. At home, of course, you are the administrator, but it's still a bit of a hassle if you make frequent changes to your system. Which is not my case, and so I chose DF over SU quite some time ago, and just today, FreezeX over PG, for reasons mentioned in an earlier post. Having said that, when asked, I have recommended SU over DF for home use just because it is more user-friendly, and having read about PG in the past few days, I would not hesitate to recommend it over FreezeX in most situations. It is really quite an awesome product. Hope that answers some of your questions, Wake2. regards, -rich
Hi Rmus, Thanks for your response. The reason I mentioned PG and the program I did was because I have used them both for a long time, and feel that they complement each other nicely. As far as the two products you mention, I have seen them both discussed at Wilders, but I really have no personal experience with either of them; but after reading your comments about them I think I shall have to check them out for myself. Thanks for the information and feedback. Wake