I'm looking at purchasing ProcessGuard; like everything, it's just getting the funds to buy all the goodies that I want. I have a few questions: What termination techniques does ProcessGuard NOT protect against? I understand that it doesn't protect against WM_CLOSE; are there any others? Will you fully disclose the nitty gritty on how all termination techniques work, for us programmer wanna-bes? (I start doing Engineering, Software Engineering next year.) How does the driver prevent itself from being unloaded, or having its memory space modified, or any other shutdown attack? Can it be set to write an entry in the event log if a program attempts to terminate another program? Thanks In Advance Khaine(BOT)
Hello & welcome Khaine. Process Guard does have a switch (Close Message Handling) which can block any listed .exe and protects against WM_CLOSE. SetWindowsHookEx (firehole) is not currently covered but PG protection is being developed; currently there are no known exploits of this hook. There are examples in the help file. PG is a driver which loads very early in the startup process; any attempt to close procguard.sys will open a Human Interface Dialogue box, probably impossible to emulate, which requires human input to allow closure. Every attempt to access a listed (protected) programme can be logged in the procguard.exe window and/or to a text log. Please download the trial version, which will allow you to list one programme so that you can then see exactly what happens when an attempt is made to close it. http://www.diamondcs.com.au/processguard/ HTH Pilli
Just a few clarifications. You can't really "Close" the driver. You can try and unload/remove it but Process Guard will never allow that to happen unless Protection has been disabled (which needs the Human Confirmation box to be entered correctly). WM_CLOSE (and other close messages) protection is already in there and works great for a lot of programs; it also has its downsides with some programs too, like too many confirmation boxes appearing. Some programs (Outpost firewall) don't seem to like it at all and close down after a Human Confirmation comes up. It is a BETA feature, so use it on programs it doesn't have problems with, and don't use it on others it does have problems with. It appears Delphi and VB apps have the most problems with it, due to their over-extensive use of hidden windows, etc. -Jason-
DiamondCS vs. SetWindowsHookEx: Jason and I had a very intense R&D session this afternoon - DiamondCS vs. SetWindowsHookEx. It was a challenge we'd been wanting to tackle for a few weeks now but only today were we able to find time to have a real go at it. Anyway, after some six hours, SetWindowsHookEx was defeated, by TKO to Jason's driver. We can't elaborate much more for now as we still have some testing to finish, but with any luck we'll be able to release a new version of Process Guard this week with SetWindowsHookEx protection which will protect against not only the Firehole (and similar) leaktests, but also most keyloggers, some trojans, and some other nasties. Anyway, back to work - I hear a debugger calling ...
omg Tuuullliiiii!!!!! Haven't seen you in ages! Man, it's been a long time, glad to see you are still hanging out on the boards. Cheers,
Hello, Unzy! I've been a bit out of it lately... Yea, I've been a bit absent recently, but at least I've some time off now that it is nearing Christmas. Good to see you around too.
Well done Wayne & Jason - Hope you both enjoy the weekend, looking forward to the next release. BTW Wayne, will you be updating APT by adding Kill 8?
Once again DiamondCS was issued a challenge, and was up to it. It is nice to be protected in this day and age. Now: Can you prevent my getting the flu?
Great Work Wayne and Jason! I'm sure everyone looks forward to the additional capability of an already very formidable program!
Thanks Jason for correcting me. ProcessGuard appears to have improved a lot from its initial release, and I can't wait till I purchase it.