Discussion in 'ProcessGuard' started by Peter2150, Apr 30, 2004.

Thread Status:
Not open for further replies.
  1. Peter2150 (Global Moderator, joined Sep 20, 2003)

    Hi Gavin
    Hi Gavin

    I was glancing thru other posts on Wilders and found this post of yours:

    "I just tried a variant and it failed against Process Guard with my default setup - it tried to infect any running process it could. This is because it USERMODE patches NTDLL.DLL in a running process to change some functions. No driver, just the single Agobot/Phatbot process. Users of PG should add all running processes to the list just in case"

    The significance of this seems to be that all running processes, and any exe that is used for any length of time, also need to be added to the list.

    I wanted to post this here, as where I found it was not an obvious place relative to Process Guard.

    Jason, maybe for the next version, the new install needs to not only add certain system stuff by default, but everything it finds running?

    Last edited: Apr 30, 2004
  2. Oremina (Registered Member, joined Mar 28, 2004)

    I second Peter2150's suggestion for the next version. It would be very useful for some of the more cerebrally challenged amongst us. (Me!!)

  3. Gavin - DiamondCS (Former DCS Moderator, joined Feb 10, 2002, Perth, Western Australia)

    I've been meaning to look closely at some of the more advanced malware before making any recommended settings, but adding all running EXEs... it's not something you really need to do. Not yet anyway, since there is no malware which does need it. I'll edit that post, since it was actually blocking services/drivers that counts.

    I think the help file is probably a little underused, which is a consideration for default settings... I will have to look at it. We can't make the full version too aggressive without users being able to handle how that could stop certain things working; it's a very hard thing to balance. Blocking services by default isn't really a good idea, unfortunately, but in future versions we should be able to get more things done FOR the user rather than leaving it up to them.

    The default setup PLUS block services/drivers blocks the latest Agobot/Phatbot installs :) This will be in the next help file and any online documentation. There do need to be some guides to usage, and this is where the community could help. Agobot will be a good example of why to block services/drivers, just like Hacker Defender, so I'll try to get something extra good into the next help file.

    The default configuration will protect against all other usermode patching; it's just that THIS one does add a service, like Hacker Defender and any driver-based rootkit.
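The posts above describe the Agobot/Phatbot variant patching NTDLL.DLL inside running processes from usermode. The script below is an added example written for this page; it is not code from the thread, from DiamondCS or from Process Guard. It reads the first bytes of a few ntdll.dll exports out of a target process and compares them with the same bytes as mapped in the PowerShell process running the script, so an in-process patch of those exports shows up as a byte mismatch. Everything in it is an assumption not stated on the page: the target process has the same bitness as the PowerShell host (so ntdll.dll sits at the same base in both and the address resolved locally is valid in the target), the PowerShell process itself is unpatched (it is the reference), the caller has read access to the target, and the export names and 16-byte prologue length are arbitrary choices.

```powershell
<#
Added example, not from the thread, DiamondCS or Process Guard.
Compares the prologue bytes of selected ntdll.dll exports in a target process
against the same exports in this PowerShell process.

Assumptions (none stated on the page):
  * target and host have the same bitness, so ntdll.dll shares a base address;
  * this PowerShell process is itself unpatched and serves as the reference;
  * the caller has PROCESS_VM_READ access to the target (elevate if needed).
#>
param(
    [Parameter(Mandatory = $true)][int]$TargetPid,
    [string[]]$Exports = @('NtCreateFile', 'NtOpenProcess', 'NtWriteVirtualMemory', 'NtQuerySystemInformation'),
    [int]$PrologueBytes = 16
)

# Minimal kernel32 P/Invoke surface needed to read another process's memory.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out int lpNumberOfBytesRead);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);

[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);

[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@

$PROCESS_VM_READ           = 0x0010
$PROCESS_QUERY_INFORMATION = 0x0400

function ConvertTo-HexString ([byte[]]$Bytes) {
    ($Bytes | ForEach-Object { $_.ToString('x2') }) -join ' '
}

function Test-NtdllExport {
    param([IntPtr]$Process, [IntPtr]$Ntdll, [string]$Name, [int]$Length)

    # Resolve the export in this process; valid in the target under the bitness assumption.
    $addr = [Win32.Native]::GetProcAddress($Ntdll, $Name)
    if ($addr -eq [IntPtr]::Zero) { throw "$Name is not exported by ntdll.dll" }

    # Reference copy: the prologue as mapped in this (assumed clean) process.
    $local = New-Object byte[] $Length
    [Runtime.InteropServices.Marshal]::Copy($addr, $local, 0, $Length)

    # Target copy: the same virtual address read out of the other process.
    $remote = New-Object byte[] $Length
    $read = 0
    $ok = [Win32.Native]::ReadProcessMemory($Process, $addr, $remote, $Length, [ref]$read)
    if (-not $ok -or $read -ne $Length) {
        throw "ReadProcessMemory($Name) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }

    # Any differing byte means the target's copy of the function was altered in memory.
    $patched = $false
    for ($i = 0; $i -lt $Length; $i++) {
        if ($local[$i] -ne $remote[$i]) { $patched = $true; break }
    }

    [PSCustomObject]@{
        Export    = $Name
        Address   = '0x{0:X}' -f $addr.ToInt64()
        Reference = ConvertTo-HexString $local
        Target    = ConvertTo-HexString $remote
        Patched   = $patched
    }
}

$ntdll = [Win32.Native]::GetModuleHandle('ntdll.dll')
if ($ntdll -eq [IntPtr]::Zero) { throw 'GetModuleHandle(ntdll.dll) failed' }

$hProc = [Win32.Native]::OpenProcess($PROCESS_VM_READ -bor $PROCESS_QUERY_INFORMATION, $false, $TargetPid)
if ($hProc -eq [IntPtr]::Zero) {
    throw "OpenProcess($TargetPid) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

try {
    $results = foreach ($name in $Exports) {
        Test-NtdllExport -Process $hProc -Ntdll $ntdll -Name $name -Length $PrologueBytes
    }
}
finally {
    [void][Win32.Native]::CloseHandle($hProc)
}

$results | Format-Table -AutoSize
if ($results | Where-Object Patched) {
    Write-Warning "ntdll.dll exports differ in PID $TargetPid from this process; inspect it."
}
```

Save it as a .ps1 and run it as `.\Compare-NtdllPrologue.ps1 -TargetPid 1234` (the file name is arbitrary). Two limitations follow from the assumptions: if the reference PowerShell process has been patched the same way, nothing is flagged, and a 32-bit target under a 64-bit host uses a different ntdll.dll, so the addresses do not line up. A stronger check maps ntdll.dll from disk, applies relocations for the loaded base, and compares the whole code section against the target rather than a few prologues.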
  4. jwcca (Registered Member, joined Dec 6, 2003)

    The path is, from the menu bar:

    Protection > General Protection Options > 3. Block drivers and services from installing

    should have a check mark.

    I've checked all 4 options, paranoid - probably, safer - definitely.