Process Guard Rootkit prevention - in need of an update?

Discussion in 'other anti-malware software' started by nicM, May 8, 2007.

Thread Status:
Not open for further replies.
  1. Red Dawn

    Red Dawn Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    116
I know what the topic is about, that's why I posted, yet it's gotten into just about every other HIPS/malware program and has gotten off the point of the first post. Diamond CS, Wayne, and PG... Some good reading, but wasn't the rootkit successful ONLY after the user executed it? While it's true PG has some holes, what security product doesn't? Be serious, isn't one of the first steps to preventing ANY type of infection on your system knowing what to execute and what not, meaning trusted files from those that aren't, downloading only from trusted sites, etc.? I'd be more shocked if this self-executed through a site or something, but if the user is doing it, it's a no-brainer you could be having issues later down the road. Malware is getting much more advanced these days, but most of it you still have to execute on your system to start the infection. 11+ years of internet use and file use, never any type of issue on ANY of my networked machines. A bit of common sense does go a long way in terms of never executing files you don't know, or haven't gotten from trusted sites... Getting infected from websites, or self-executing files, via the internet or embedded into files, is a totally different story... Thanks for the reading though, very interesting.
     
  2. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    PG is a behavior blocker. A yeller, but bb. Sure only when you execute, but then the behavior of the executable isn't properly reported. The sole purpose of paying for PG, instead of using PG free. This is the test.

    Then the OP tested others to compare. He ended up sharing more with us, including the results of another rootkit. Again testing not only PG. That way it's interesting ;)
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
Btw, @ topic starter, have you notified the makers of the various tools that fail against this stuff? Perhaps you can also send them the malware files, so that they can fix this. ;)
     
  4. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
I admit the topic has gone several ways, of course :) : My goal at first was to try to get some input from either Wayne or Gavin, after an unsuccessful attempt to contact them via mail - probably a little bit rushed on my part, given the total lack of support (I'm a customer after all, I bought a PG licence 3 years ago). If the support forum was closed, I've never seen any official announcement about the death of the company o_O

    Now, what happened is that people asked to test this stuff against other programs, HIPS and sandboxes, hence the disruption of this thread.

    I should have started another topic about "system debugging" rootkits, and the SSDT protection then offered by these HIPS/sandbox programs: That's probably a feature we should see more in HIPS in the future, since this is actually a very efficient KILL method malware is beginning (or not?) to use - just look at how programs which can't block this malware are literally "bumped off the system", made useless when such malware manages to install.

    Thanks Pedro :D , I wasn't about to discuss this "execution or not/files you're unsure about or not/etc" point again !

    I'll try to run Samuraï, if I can find time.
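
The "KILL method" described in the post above, modelled as an added example (not code from the thread, from DiamondCS, or from any product named here): a user-mode simulation of a system service table in which a behaviour blocker hooks the terminate-process service to protect itself, a rootkit overwrites the same slot so the blocker's hook is never reached, and an SSDT integrity check detects the tampered entry and restores it. All service names, the `HIPS_PID` value, and the table layout are constructed stand-ins; no real NT service addresses are used.

```c
#include <stddef.h>
#include <stdio.h>

/* Simulated system service table: an array of function pointers indexed
 * by service number. This models only the mechanism of SSDT hooking;
 * the services below are constructed stand-ins, not real NT services. */
typedef long (*service_fn)(long);

enum { SVC_OPEN_PROCESS, SVC_TERMINATE_PROCESS, SVC_COUNT };

#define HIPS_PID 100L              /* constructed: the HIPS's own process id */
#define STATUS_ACCESS_DENIED (-1L) /* constructed status value */

static int hips_killed;            /* set once the HIPS process is terminated */

/* "Kernel" implementations of the two services. */
static long nt_open_process(long pid) { return pid; }
static long nt_terminate_process(long pid) {
    if (pid == HIPS_PID) hips_killed = 1;
    return 0;
}

static service_fn ssdt[SVC_COUNT];        /* live table that callers dispatch through */
static service_fn ssdt_clean[SVC_COUNT];  /* snapshot of the table taken at boot */
static service_fn hips_hooks[SVC_COUNT];  /* hooks the HIPS legitimately registered */

/* HIPS behaviour blocker: hooks terminate-process and refuses any attempt
 * to kill the HIPS itself, passing everything else to the original service. */
static service_fn hips_orig_terminate;
static long hips_terminate_hook(long pid) {
    if (pid == HIPS_PID) return STATUS_ACCESS_DENIED;
    return hips_orig_terminate(pid);
}

/* Rootkit: overwrites the same slot and calls the kernel service directly,
 * so the HIPS hook is no longer in the call path at all. */
static long rootkit_terminate_hook(long pid) { return nt_terminate_process(pid); }

/* Initialise the table and record the clean snapshot. */
void boot(void) {
    int i;
    ssdt[SVC_OPEN_PROCESS] = nt_open_process;
    ssdt[SVC_TERMINATE_PROCESS] = nt_terminate_process;
    for (i = 0; i < SVC_COUNT; i++) { ssdt_clean[i] = ssdt[i]; hips_hooks[i] = NULL; }
    hips_killed = 0;
}

void hips_install(void) {
    hips_orig_terminate = ssdt[SVC_TERMINATE_PROCESS];
    ssdt[SVC_TERMINATE_PROCESS] = hips_terminate_hook;
    hips_hooks[SVC_TERMINATE_PROCESS] = hips_terminate_hook;
}

void rootkit_install(void) { ssdt[SVC_TERMINATE_PROCESS] = rootkit_terminate_hook; }

/* A caller invoking a system service goes through the live table. */
long dispatch(int svc, long arg) { return ssdt[svc](arg); }

int hips_is_dead(void) { return hips_killed; }

/* SSDT integrity check: each entry must be either the clean kernel service
 * or the hook the HIPS itself registered. Anything else is tampering; the
 * entry is put back and the number of repaired entries returned. */
int ssdt_check_and_restore(void) {
    int i, tampered = 0;
    for (i = 0; i < SVC_COUNT; i++) {
        service_fn expected = hips_hooks[i] ? hips_hooks[i] : ssdt_clean[i];
        if (ssdt[i] != expected) {
            printf("SSDT[%d] tampered, restoring\n", i);
            ssdt[i] = expected;
            tampered++;
        }
    }
    return tampered;
}

int main(void) {
    boot(); hips_install();
    printf("kill HIPS with its hook in place: %ld\n", dispatch(SVC_TERMINATE_PROCESS, HIPS_PID));
    rootkit_install();
    printf("kill HIPS after rootkit hook: %ld, dead=%d\n",
           dispatch(SVC_TERMINATE_PROCESS, HIPS_PID), hips_is_dead());
    boot(); hips_install(); rootkit_install();
    printf("entries repaired: %d\n", ssdt_check_and_restore());
    printf("kill HIPS after restore: %ld\n", dispatch(SVC_TERMINATE_PROCESS, HIPS_PID));
    return 0;
}
```

The point of the simulation is the second scenario: a behaviour blocker whose only defence is its own hook has nothing left once that hook is overwritten, which is why protecting the table itself (detecting and reverting writes to it) matters rather than just hooking more services. A real implementation would compare entries against the kernel image's address range and guard the table memory, not just a snapshot.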
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Have you done this? Also, perhaps you can test the new Comodo Firewall (with HIPS)? ;)
     