Trial version of Process guard 1.3 and Bitguard firewall

Discussion in 'ProcessGuard' started by Red_Dwarf, Feb 12, 2004.

Thread Status:
Not open for further replies.
  1. Red_Dwarf Registered Member

    Hello guys:),

    While I was talking to Controler tonight, I mentioned a feature in Bitguard.
    I was then pointed to Process Guard Free.
    So I went to the home page and downloaded the free version to try it out.

    Downloaded it, installed and rebooted :D

    Then set about adding the one item allowed, so I added IE.
    I used Task Manager to kill IE and it failed, and I saw in Process Guard that sure enough Task Manager had tried and was denied.

    So far so good, I like this :)

    I then went to my installed Bitguard Firewall, selected IE in active programs and killed it, and Process Guard did not catch it.
    *see posts about Bitguard in other firewall forum*

    Please feel free to contact me about this, as I believe Process Guard to be a fine program from what I can see and read here.

    Best regards

    Red Dwarf

    p.s. As a quick further test I removed IE and added procguard.exe, and I was able to kill it via Bitguard.

    Again, let me please stress I think Process Guard is a fine program.
    I am only interested in finding out why, and if it is me doing something wrong or something within the trial version.
  2. Pilli Registered Member

    Hi Red_Dwarf,

    The settings required to block all attempts to shut down a specific App are as follows.
    Enable protection.
    In the General protection tab tick all four boxes.
    When your app is highlighted, ensure that "Write, Terminate, Suspend & Set info" have the blocked flags ticked.

    In Options is the Close Message Handling tick box (shown at the bottom of the window when an App is highlighted). This can be applied but may give spurious results as it is still a beta function, especially on programs like IE which are very much integrated into the OS. Should work fine on procguard.exe though :)

    With Close message handling ticked you should get a Human Interface Device that requires you to enter letters before the App can be closed down.

    For seven ways to kill an App, get the Advanced Process Termination Tool from here:
    http://www.diamondcs.com.au/index.php?page=products

    HTH Pilli
  3. Red_Dwarf Registered Member

    Hey Pilli,

    Wow, quick response...

    I am able to kill procguard since the firewall hooks in before procguard and gets there first, as it were.

    I noticed those settings, and if I try and kill Process Guard after I have killed it the first time then yes, it works just fine.

    Red Dwarf

    p.s. FYI, Bitguard is installed as an NDIS driver and TDI.
  4. Pilli Registered Member

    Hmm, I am surprised that it beats PG's driver; procguard.exe does not need to be running for PG to work once you have enabled it as stated above. So if your settings are set and you reboot, and even close down procguard.exe, then bitdefender should not be able to kill the protected process :)

    Thanks for the testing :)
  5. controler Registered Member

    Pilli,

    I am getting the same results here using Bit Guard to terminate PG.

    However, my install of PG didn't go the greatest.
    When I load PG I get an error "PG could not open kernel mode driver",
    and then below that it states PG protection is active.
    I went in and cleaned the reg and reinstalled as requested in another post. I am assuming PG is still working though.

    con
  6. Pilli Registered Member

    This may be a limitation of the trial version, as by default full PG has important Windows services blocked; this is an assumption on my part. :)

    Would you allow me a few minutes to DL Bit Guard and try a few tests?

    Also, could you DL APT from the link above and see which kill process closes your PG.

    Note: procguard.exe must have CMH (Close Message Handling) ticked to stop it being killed by a normal close message; an HID should then appear, and cancelling will stop PG being closed.

    Having said that procguard.sys will not be stopped and all protected apps will be secure :)
  7. shapechanger7 Guest

    Why is "Trial version of Process guard 1.3 and Bitguard firewall" OFFLINE?

    Why is this topic offline? And why is there no explanation at all? I do not like topics "to be under review". Usually, they never come back and no one explains why ...

    FYI: Bitguard is a Danish firewall product which is similar to Process Guard:

    "Much higher security than seen before. BitGuard Personal Firewall is a software firewall but gives the same security as if it had been based upon hardware. It works from the so-called Ring 0 which is where all programs, including the operating system receive their rights to execute. BitGuard Personal Firewall assign rights to the operating system and to all programs having independent process ID. "

    "The firewall is not build over the traditional application- model. The only purpose of the driver is to control the driver. No security elements is handled by the application part. The firewall has a double security function consisting of keeping an eye on both the network traffic and the process traffic. Normally a firewall gives security on the network. This solution also protects against harmful .exe-files on the computer communication or just executing. All the firewalls does happens in the driver and that's what gives the unique high security as it cannot be closed down dynamically. Traditional personal firewalls are vulnerable to problems with security in the operating system. The files of the firewall can be hidden on the hard disk but anyone with limited knowledge about Windows can find and delete the files. So-called worms can delete many firewalls. They can be deleted by the user himself or by anyone who can get access to the computer. It can be done from the outside by a Trojan horse deleting the firewall- file."

    "BitGuard Personal Firewall cannot be closed down. It is built to work deep inside the computer. And no exe-file or Trojan can start as all programs needs permission before they can run."
  8. controler Registered Member

    Re:Why is "Trial version of Process guard 1.3 and Bitguard firewall" OFFLINE?

    Since nobody else dares to say it: Bitguard is a threat to ProcessGuard. Period.

    To further enhance the story:
    Just review Kevin's (BOClean) comments on hacking the kernel. More than one program hacking the kernel is not good. He states hacking the kernel is a no-no, even though some claim it is not actually a hack but rather an undocumented MS thing. More than one hack is just destabilizing your system.

    I will say this is a very touchy subject at the moment.

    There might be some PG Kill issues here so We shall wait for those that have been contacted to respond.

    con (not posting incognito)
  9. Dan Perez Retired Moderator

    Re:Why is "Trial version of Process guard 1.3 and Bitguard firewall" OFFLINE?

    I beg to differ ;)

    Whatever the qualities of BitGuard, I sincerely doubt that they are directly competitive in relation to ProcessGuard. I do not know the full details of why the thread was pulled for review, so I will not post here something that might turn out to be partly misleading. I will let the DCS Mods give the definitive response here :)

    Until then, maybe we can refrain from somewhat disparaging speculation ;)
  10. controler Registered Member

    Re:Why is "Trial version of Process guard 1.3 and Bitguard firewall" OFFLINE?

    Yes Dan, that is what I said. We wait.
    I think you should try it before posting.
    Try killing PG with Bitguard, then come back and post ;)
    Sorry for being so impatient and on my 7th beer.

    con
  11. shapechanger7 Guest

    Re:Why is "Trial version of Process guard 1.3 and Bitguard firewall" OFFLINE?

    Thanks for your reply, Con.

    "Bitguard is a threat to processguard. period."

    Bitguard is a security application. And it has been developed before PG came into existence. Therefore, I would not call it a threat but something like a competitor ;-)

    Personally, I would prefer to install a standard firewall like Kerio and then protect it with PG. I do not like Bitguard's internet activation procedure which violates your privacy.

    "I will say this is a very touchy subject at the moment."

    Wayne has always said that there ARE ways to defeat, terminate etc. Process Guard. There is (almost) no protection if you are engaged in a ring 0 fight.

    PG still has its merits, since you can control driver installation and, moreover, it is immune against many user-mode attacks.
  12. shapechanger7 Guest

    Re:Why is "Trial version of Process guard 1.3 and Bitguard firewall" OFFLINE?

    @con

    "try killing PG with Bitguard. then come back and post"

    It does not surprise me if this is true. However, can you INSTALL Bitguard if Process Guard blocks driver installation? I believe that's the most important question.
  13. Detox Retired Moderator

    Re:Why is "Trial version of Process guard 1.3 and Bitguard firewall" OFFLINE?

    One way or another, and regardless of the subject, I am going to request that a little more respect be shown to our moderators than comments like this.
  14. Pilli Registered Member

    Re:Why is "Trial version of Process guard 1.3 and Bitguard firewall" OFFLINE?

    Thanks Detox,
    The thread was placed under review at the request of the thread initiator (Red_Dwarf), as without any objective test results there was the possibility of negative remarks causing possible dissension.

    The discussion topic will be returned to the forum and / or specific comment made after the review.

    Thank you for your patience. Pilli
  15. Paul Wilders Administrator

    Re:Why is "Trial version of Process guard 1.3 and Bitguard firewall" OFFLINE?

    Since an explanation/answer has been provided in regard to the subject of this thread, it has been closed.

    As soon as the original thread has been "revived", there will be room for discussion again.

    regards,

    paul
  16. Jason_DiamondCS Former DCS Moderator

    Re:Why is "Trial version of Process guard 1.3 and Bitguard firewall" OFFLINE?

    Yes, BitGuard's EndTask does kill PG protected programs. The reason for this is BitGuard installs a driver (which PG can block), and this driver, which runs in Kernel Mode, obviously can do whatever it pleases in some aspects to make programs close down. From what I have seen though, PG should still have blocked BitGuard's current method; I have emailed the authors asking for some confirmation regarding this.

    The point is, any valid software which installs a driver can possibly get around Process Guard's protections. This is why we added the Block Drivers/Services from installing option, so no malicious programs could get around PG. If you want to install programs/drivers which you feel enhance your security and which have the byproduct of getting around some of PG's protections, then that is your choice. It doesn't mean PG is any less effective against malware.

    -Jason-
  17. Pilli Registered Member

    Placed back online after review and merged with "why it was offline" :)
  18. spy1 Registered Member

    Re:Why is "Trial version of Process guard 1.3 and Bitguard firewall" OFFLINE?

    I think so, too. You can probably install any number of programs that will defeat PG if you choose to do so (especially if you mess with the "allowances" and default protections of PG) - but the crux of the matter here is exactly that: on a clean system where PG is already properly set up, can such a program install itself without PG blocking it?

    Software installed prior to the proper installation and set-up of PG isn't (or shouldn't be, IMO) any kind of a basis for doubting PG's "protective" abilities - that would be like expecting a box that's already infected with something that has changed major system files, taken over the box, etc. to be corrected by PG - which isn't the case at all. Pete
  19. Red_Dwarf Registered Member

    I was waiting till I got an email back from the developer of Bitguard, and to wait on another email, before I posted back here.

    But I am sorry to see my first post has wandered off in the wrong direction here.

    As I have clearly stated to the site mods, my intention was to see if I was doing something wrong in the configuration of Process Guard, which I strongly believe to be an excellent program and one that goes hand in hand with Bitguard.

    Since I wanted verification of what I found, I asked for this thread to be closed to verify what I was doing and what I had found.

    My aim was not to show any negative comments to PG or Bitguard.

    As an Alpha and Beta tester for Bitguard I am extremely interested in what PG does.

    Let me set this straight please before any other misfactor occurs *sighs*

    Facts PG:
    PG, when set up correctly, does stop the Bitguard firewall installing NDIS & TDI drivers.

    PG does protect a running process when set with all the available flags set.

    PG with default flags to protect a process did not stop Bitguard from killing a running process.

    Facts Bitguard:
    Bitguard, when attempting to kill a process, respects the flag sent back to it; otherwise it would run the risk of BSODing a machine, very uncool.

    Bitguard, when set to kill a process before it is launched, will stop that process from running even if PG is set to protect it.
    *i.e. there is a difference of course between running code and code launched*

    <end rant>

    I merely wished to enhance and help both parties, as I believe a process control such as Bitguard and a process monitor such as PG can go hand in hand.

    I am still waiting for a response from the developer to give a more technical explanation, but until I hear back from them I am posting this comment.

    I hope this clears matters up, since I saw this thread going off course.

    My best regards

    Red Dwarf
  20. gkweb Expert Firewall Tester

    For what?

    This has been explained: you allowed Bitguard to install, so you allow it to kill processes.
    If a rootkit wants to do the same, it won't be able to if you have enabled the "block driver" option.

    I think the answer has been fully explained.

    Maybe you can ask what in particular you want more info on?
  21. spy1 Registered Member

    Red_Dwarf - I'm not knocking you (or your questions/comments/findings) at all - and I thank you for bringing the issue up to start with.

    I just wanted to make sure I understood what was being discussed. I'll hush now. Pete
  22. controler Registered Member

    I wonder how many other firewalls out there charge 199 bucks and it is only a one year LIC. Every other firewall is lifetime, not one year, right?
    Very spendy for a software firewall. You can buy a pretty darn nice hardware firewall for that price.

    con ;)
  23. Jason_DiamondCS Former DCS Moderator

    Yes, no need to apologize Red_Dwarf; it is good that things such as these are known. I have also requested confirmation from the developer regarding what methods they use to kill programs. From my short look at BitGuard, PG still should have blocked what BitGuard is doing in this particular instance.

    The fact still exists though: a driver (kernel mode software) on Windows can do WHATEVER it likes once it is there; it can unwind every single protection ever to be made, including now and in the future. The aim is to stop malicious programs from getting there, and then to stop malicious programs which can't get there from doing other things which could harm your system. 99% of current threats don't run in kernel mode, but it does seem to be the trend, because you have so much power once running in kernel mode.

    So for the existing kernel mode malware and the future malware which will want to be run in kernel mode you have protection with PG. As long as you don't give "Allow driver install" to the malware. ;) :cool:

    -Jason-
  24. Jason_DiamondCS Former DCS Moderator

    Red_Dwarf and Controler,

    Have you had any problems with BitGuard in regards to installation/uninstallation? The two systems we installed it on needed to be reinstalled, but we are not sure if the problems are 100% BitGuard related or not. On one of the systems the network card stopped starting up after I uninstalled BitGuard. I was wondering, since you both seem to know a bit about BitGuard, whether or not this is a known issue?

    -Jason-
  25. Red_Dwarf Registered Member

    Hi Jason,

    You have an email sitting waiting for you at your diamondcs.com.au account.

    Best regards

    Red Dwarf

    p.s. Col, the 3 year lic is $59, if you mean Bitguard?