ProcessGuard - Is the free version strong enough?

Discussion in 'other anti-malware software' started by xeda, Jan 29, 2007.

Thread Status:
Not open for further replies.
  1. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    It only intercepts executables that have not previously been given permission to run.

    PG is not a script blocker, it will not prevent scripts from running.
    On my system SSM fails all three tests; what configuration are you using to pass these tests?

    If you can make SSM pass, then I would say it was a classic example of SSM being to complicated to be used effectively by the average user (though I should explain I have only had it on my machine for a few days and am still finding my way around it.)
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Nothing specific. SSM block low level keyboard access in all cases. Rememeber that u should not type within the window of AKLT.
    SSM free block 3rd one saying it as hooking.
    It is complicated I agree but with the level of control it gives, it can,t be so simple.
    To me only reg stuff is more difficult. ATM I am using free version as I have made all rules in it and can,t start over again in paid version( i got free). I really like the disconnected user interface, such a nice feature, no pop ups.
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    <Removed one posting>

    As generous as the member's offer may be, we cannot have such exchanges taking place here at Wilders .
    Thanks for your understanding.

    EDIT:
    Just to back this up, taken from the Port Explorer License Agreement (which I'm positive applies to ALL DCS purchased software)

    LICENSED VERSION:
    The full licensed version of Port Explorer, keyfile, license, and serial are not to be sold, distributed, published or otherwise given to anyone. It is available only to registered Port Explorer license-holders.

    USER LICENSE:
    DCS grants to you the non-exclusive, non-transferable right to use the software program Port Explorer on any one computer that you own, for every one license that you own. DCS reserves all rights not expressly granted to you.

    OWNERSHIP OF KEYFILE:
    You can use the Port Explorer keyfile (unlock code) but you do not become an owner of it. Ownership and title of the Port Explorer keyfile is retained by DCS. You may not sell, transfer, publish, distribute, or otherwise give anyone any Port Explorer keyfile(s). DiamondCS reserves the right to terminate keyfile(s) at any time without notice upon their own discretion.


    If anybody feels the need to question this, or needs further clarification on our position at Wilders, she/he can PM one of the Admins.
     
    Last edited: Jan 31, 2007
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Well I did type within the Window of AKLT, so am I doing the Test wrong?
     
  5. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Back on topic with PG and what it can do etc

    Re :Scripts/javascript I have yet to find a script that can infect a machine without code needing to execute for it to go live.

    If anyone knows different feel free to point me in the direction of a working example-

    BTW when i drop in on exploit laiden Urls triggering allsorts of shannanigans on my machine,if i deny all executable code run priviledges nothing will infect reguardless of how many exploits/scripts are run;)

    Re Keylogger test's once again the installing code needs to execute to drop the keyloggers. PG free on my machine= 3/3 everytime.

    Now some folks consider this *basic* or *dated* because the software is no longer supported.

    This is far from the truth it is purely *effective* at what it dose and the weakest point of the software is the enduser's decisions if in error.

    FWIW i've yet to visit any form of security test site that dose not require the user to allow an executable to run inorder to check whatever it is looking for.

    Now if that dose'nt tell you something about the importance of process firewalling(anti-executable) then nothing will.

    Why worry about what the burglar will do in your house when he can't get in unless you let him:thumb:
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Not sure but this way many software fail here so I guess it might be wrong as when u write in active window, there is no logging infact as u are actually wrinting there. Anyway I am not expert here.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    So if u stop all exes, even registry defence is not needed at all. Am I correct?
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    RegDefend is very protective with installations as well and it has some more features.
    You would execute an installation of some software, wouldn't you? :cool: With that protecting you can see step by step where it is writing / modifying and you can decide to allow or not, while you get nice reports in a log.
    Try the free version to start with if you like.
     
  9. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK

    Reg def/monitoring would be another layer of a defence,is it really needed is debatable but i would always reccomend that this would be a part of a 3 pronged software based core security policy.

    Ist anti-exec(process firewalling),best time to stop something is before it gets onboard.

    2nd IDS(incorperating reg monintoring) should you make a bad decision with 1st tier or somehow it is bypassed then catching something whilst its adding a *run* entry to the registry is another check point.

    3rd Software firewall to prevent all unsolicited inbound connections and control all outbound connections and offers yet another checkpoint.

    This triangle of core security policies(softwares) will give a computer savvy end user total control of their computer and what occurs on it and at this point the decision of the enduser is the only potential *weak* point in this setup :)
     
  10. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    I have tried them all from their very 1st versions up till now and I'll give my honest opinion, Process Guard Free properly configured for me at least has shown to be alot more powerful in locking down my system and preventing BAD SH*T from happening, even if BAD SH*t wanted to happen it never has yet, however with the other programs sorry to say they have, but hey maybe it could of been program incompatability issues could be numerous stuff to many reasons. PG for myself has been the easiest to configure and has kept my system out of trouble so far, even when I go looking for it just like fcukdat.
    Problem with running too many HIPS together is that they may conflict cause of the hooking methods and code hooks used, the programs may be hooking same SSDTs' & services this could make one program that use to detect a ceratain exploit or malware not detect it at all and vice versa. I have personally witnessed this on my box when I ran Cyberhawk with Prevx1, yes they play well together but in a popular keylogger test that cyberhawk passed b4 prevx1 was installed, it failed when I had both programs installed.
    Currently my set up is in my signature, if I ever get breached and it has never happened yet, if I cant deal with the problem with the custom tools and scanners that I have then I wipe it all out killdisk, secure delete, recreate, reformat, then clean install. :)
     
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    In general that is correct, if a trojan doesn't run it can't write to the Registry. Indeed if you are having Reg changes then you are in difficulties anyway 'cos you're only protecting certain areas of the Registry and you can also have damage caused by files being overwritten or corrupted etc. Nonetheless, if you can prevent the malware from recording itself in a Reg startup position (leaving non-registry startups out of it) then you can at least prevent it from running after the next boot-up, enabling you to clean up the mess.

    The exception to this is exploits on web sites that may be able to make changes to your Home Page or other settings, which Registry defence could prevent. However with correct browser settings, or FW blocking of code, you should be able to prevent this in any event. So in that case you could say PG (and its like) is a better Reg defender than an App that actually does protect the Registry!
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Suppose u stop all new exes running on ur machine. Even then exploits can do their harm?
    In that case PG will faile here?

    Thanks.
     
  13. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    There was a whole thread on this very topic when people were debating whether RD was really necessary if you have PG (unfortunately I've been unable to locate this thread). The 'expert' view at the time was that, depending on browser settings, changes could be made even without an executable running on your system.

    Read Bubba's posts here to get an idea of the sort of thing I mean:-

    https://www.wilderssecurity.com/showthread.php?t=161896
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    So PG free( or SSM free/ Pro Security free version) plus No script and u don,t need RegDefend at all.
    Am i right?
     
  15. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Mistakes can happen, there are various reasons why, and if you had a reboot forced on you, you would be very pleased if start up entries were prevented and the malware was just dead meat waiting to be removed.

    Reg defence is good insurance, you can sleep easier if you have it, even though you may never need it for 'real'.
     
  16. xeda

    xeda Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    59
    So far I like it. It's excellent on system resources. :)

    However, I'm curious about a few things...

    As a test, I turned off learning mode and removed all application rules from the "Protection" and "Security" tabs, and then restarted Windows.

    Upon booting up, ProcessGuard only prompts me about a few startup items. The other startup items are automatically added to the security tab with their own rules (permit once - unable to ask user). At the bottom it says "26 items (24 autoallowed)".

    I suspect this happens due to the startup/boot order, right?

    Also, as another test, I removed all rules and opened a .bmp file which I have associated with Windows Picture and Fax Viewer. ProcessGuard fails to prompt me, why? Is it because it's opened from within explorer.exe?
     
  17. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    It happens where files start running and PG is unable to prompt you with a pop-up. Were it otherwise PG would have to auto-block and windows would never start. That is why you should catch these progs by booting in learning mode. The one or two that are not caught must be auto-allowed by clicking the 'Security' tab and selecting the prog in question, you must then right click to change the 'last action' to 'permit always'. It is of course assumed you are installing PG on a clean machine so these progs can be trusted.

    To pick up a few more starting progs in learning mode you could set the driver to run as 'System' rather than 'Automatic', whereupon PG will start up earlier; but quite honestly you don't need to worry about that at this stage.
    No, executables started from within Explorer are intercepted by PG in the normal way. However a .bmp file is not an executable and cannot run - the same thing applies to .txt, .doc, jpeg, etc, etc, files. Some files, like .doc files, may be potentially dangerous 'cos they could contain macros or scripting, but that does not render them executable as such.
     
  18. xeda

    xeda Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    59
    Thank you for your detailed explanation. :)

    What I meant was...

    I know .bmp files aren't executables, but since I have them associated with Windows Picture and Fax Viewer, shouldn't ProcessGuard prompt me about Windows Picture and Fax Viewer running upon opening a .bmp?

    For example, when I open a .txt file it prompts me about notepad.exe, the program I have associated with .txt files.
     
  19. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Oh yes of course, I see what you mean. However when you open a .txt file you start notepad running and you can see it as a process in Task Manager. Similarly, you may find .bmp files open with Paint and Picture It; in which case they too will run and appear in TM.

    When did you last see Windows Picture and Fax Viewer as a running process of its own account? It appears to be integrated with windows and thus does not need to be started - it runs with windows.

    Similarly, when you open a .zip file, the extractor does not have to start as a seperate prog. (Unless you are using WinZip or WinRar etc).

    Another interesting case is .dll files. Normally they are loaded into executables which seek to run; but they can be run by Rundll32.exe, so if you allow that app permission to always run you could be open to exploit. Thus it is desirable to permit it once, on a case by case basis - if you don't mind the pop-ups when windows runs it legitimately.
     
  20. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    I have read this tread with great interest, and have a few questions. Would it be smart to run Cyberhawk with Process Guard Free, or am I understanding that a Router Firewall, Software Firewall, and PG Free is enough protection? The reason I ask is, I thought PG didn't do nearly as well in the Gizmo's Test for HIPS Programs as some others did, like Cyberhawk for example?
     
  21. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    One thing to remember PG is not a HIPS and those tests are pure proof of concept made for HIPS and not REAL LIFE scenarios, If anyone disagrees with me then show me some real life proof or example of an actual instance of true bypassing occuring in a REAL LIFE scenario where those tests would apply.
     
    Last edited: Feb 3, 2007
  22. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Just visited the site on Gizmo's Test for HIPS Process Guard wasnt designed with Artificial Intelligence lol :D
     
  23. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    So using Process Guard Free behind a Wireless Router Firewall with my AVG 7.5 Internet Security Suite, would in your opinion be better than using Cyberhawk with it? I imagine PG Free would also protect all the Components as well, correct? Also I have tried ProSecurity Free recently and it's nice, but when I used PG Free a long time ago, I remember it was easier to understand and I felt much more comfortable with it. Should I worry about it not being supported at this time, like PS Free is?
     
  24. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    For me, PG free is a great tool when you want to keep some programs on ask basis. It was when I used it on my system "stable as rock", much more so than SSM free that is also harder to use.

    Some firewalls like kerio 2.1.5 have no settings practical for asking firewall about internet app controll.
    It is best to operate them in making best possible and as tight allow rules you want. Then PG fills the gap nicely by providing that added control.

    As a hips SSM free is much better and for diagnosticising your system. But at least on my system not as stable as Process Guard.
    I have been thinking on installing PG back since I seldom run SSM on my system.
    So PG is a usefull program for protecting your applications i my opinions.

    No component control duke1959 in PG free, unless my memory fails. There was no DLL control as far as I remember, but that is pretty useless in Comodo too that I now run. But running today Comodo in learning mode in that department I got still a warning about some hook, so runnning Comodo in learning mode is better than the whole component control turned off.
     
  25. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    PG and Cyberhawk are not quite the same in what they do and how they do it. Cyberhawk may do better in certain tests, but that doesn't mean it protects you better. I would certainly feel safer with PG; but make up your own mind by reading this review:-

    http://wiki.castlecops.com/Cyberhawk

    In particular note this:-
    The fact that it will allow executables to run without approval makes Cyberhawk entirely unsuitable for my own protection set-up.
    No it doesn't, it alerts you if a prog runs with changed components, but it is not protecting the components. Some products (though not many!) attempt to monitor .dll loading, but this causes huge problems with pop-ups and even an anally retentive fanatic would have his work cut out checking every .dll that needs to load - so in practice you tend to let them through which defeats the object! Even SSM does not have proper .dll loading control, though Prosecurity does.
    Its a mature and stable product that does what it does very well, it doesn't need any supprt at this stage. Sure, it would be nice if termination and global protection were kept up to speed, but the latter is in the paid version, and, as has been said, execution protection is the vital thing.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.