ProcessGuard v3.xxx Suggestions / Wishlist

Thanks for the links of those very useful programs!

 

I think SMH should be more configurable. eg. it should be possible to disable the X title bar handling, while still having customized SMH confirmations. The reason - Some apps allow you to minimize to the tray when clicking on the X (eg. KAV) so you wouldn't want confirmation in this instance. However, you might still want SMH on this app for a menu item in it's tray icon.

Another SMH related problem I've come across is -

If I start the on-line help from within a SMH protected program, then when I try to quit the help window (by clicking X in title bar), I get the SMH confirmation dialog even though I haven't configured it for the help. I assume it's because the program is the parent process and so PG sees it as me trying to close the program instead of the help.

 

azumi21,
Make sure you look at what else is on each site and possibly even try the programs out on a non-critical machine in order to get an idea of how much you can trust the author... that goes for any program not just API watching or Security programs

I'm not saying anything for or against those sites as I don't have any references for them yet... its worth having a look around some of the security sites and googling to see if any of the "experts" have any opinions on the programs before you expose your computer to them....

 

If you look back a-ways you'll see a similar request that I made and from what I could gather Jason either didn't understand why I was asking or he didn't want to understand why...

Have a look back at this thread, posts 98, 99 and 100 where I asked about having a DELETE variant to go with the INSERT that would allow us to remove SMH behaviour for various actions on the application

I was looking mainly at being able to do it for dialog boxes/pop up windows to avoid HID confirmations for windows that have already been destroyed, I don't see why the same thing wouldn't apply in the example you just gave

Jason made the very valid point that unless these SMH modification actions were controlled then malware could selectively remove SMH protection
One fairly obvious way of ensuring that would not happen is to use HID interaction to confirm changes like this whilst we are "training" PG
In some ways it would be nice to get visual confirmation when we use the INSERT modifier as well so that we know it has happened... a balloon alert would do and an entry in the alert log would be useful

Once you start messing with SMH for different parts of the application it also becomes obvious that it would be nice to be able to see what has been defined (and it would also make it easier to communicate to others and record for our own re-use at a later point in time)

In your other thread where you brought this up, Pilli started making point suggestions about specific instances of why this generalised feature wasn't necessary (some of which you rebutted) and I think that just highlights the fact that more fine grained control over SMH would be a useful feature for those ppl that care to train some applications more finely to give them an extra layer of security

 

Hi,

*Firstly, thanks Gottadoit for your opinion about free and paid versions.
And i want to apologize for talking about the old version.It'not ethical at all.
I've decided to buy a full licence of PG (i'm waiting for an e-mail of DCSSales).

Why i've chosen PG?
Simply because it's the most exhaustive and powerfull of all infection prevention system (no updated signatures) that i'd never tested.

Some of thoses softs are never mentionned on wilders forum(list on pm only), but most of them are easily bypassed with usuals hackings methods (process termination, dll injection...).

It's not the case of PG who protects itself against advanced attacks.
And i really agree that when we find a great soft, we could make an effort to buy it.That's the best way to support it and to reward a very good work.

*For the links:i will never mention any software that i'd never tested myself(i'm a beta-tester of Winsonar).

And i hope that some users will agree with me:there's no incorruptible and umbypased system.It's a question of time and resources(DDOS).
Even with thousands of protections like API monitoring or integrity checkers.
As i said, Pg with usuals protections is enough for most home users.

*To stay in the subject:

*Protection of DCSPGSRV(PG sevice)

To prevent a deactivation of this service (anyone who's got a physical access on ou pc), it' possible to protect it manually:
-configuration service-recovery button-first failing:restart the service
-second ' : ' ' '
-third ' : turn off the computer.

But is it possible to integrate this configuration automatically with the installation of PG?

*An integrity checking scan (SHA-1) of all files -on demand,

-automatically on Windows start up and before Windows stopped.

Thanks for this forum and pardon me for my mistakes (english or computing).

Regards

 

karaldjag1,
Like I said it was nothing personal against the sites or yourself for suggesting them, it always pays to do some research before using something new

Also I was wondering if there was any reason you are still appearing as a Guest and haven't registered your login name ?

Regards

 

Hi,

When i want to reply to a post, i log in.
But when i'm quite long and slow, i log out automatically and kareldjag become kareldjag1.That's the only reason.

A friend of mine(a dev.) said that whitch notionally possible is sometimes no be able to develop concretely in reality.
That's why i'll abandon this whish list theme.

ProcessGuard could not be an "all in one against all" (attacks).

But just share your knowledge, it's a little door to immortality.

Regards.

 

If the "Show Extra Information" box on the Permit/Deny security screen used a slightly larger font, I wouldn't be usiing my magnifying glass nearly so often.. Once you've seen that screen a few times, the most important information is the hardest to read. Watching everyday command line parameters illuminates what really happens when I click icons. It would be great if I could follow along without having to scan my arm across the screen too.

 

to be able to right click on task bar icon and chose "trusted installation" for the installation of trusted software.

 

I'd agree with this one. The print is rather small. I would also suggest adding a "Permit with these parameters" option (which would allow future execution with the same details but prompt otherwise) to cover frequently used (i.e. tiresome to permit/block once) but not-completely-trusted programs (as discussed in Rundll32.exe - To Permit or not?).

May I respectfully cast a vote against this one? This creates two problems - the very practical one of having to disable the "trusted" mode at the end of an install (all too easy to forget) and the (currently) more theoretical problem it opening the door to PG-aware malware to compromise your system (waiting until a program installation would be the ideal time to attempt file or registry alterations). A more secure option would be an interactive mode where PG would prompt on whether a hook/service install should be allowed (like with Execution Protection prompts - this is how System Safety Monitor handles them).

On the SMH side of things, the human verification popup could include some more explanatory text like PG2's did (e.g. "To prevent malware from carrying out this action, user verification is needed. If you wish to proceed with this, please enter the 5-letter sequence below to confirm."). The current information is not as clear and quite intimidating for new users ("Window class? Message type? What's that?") so could be replaced with more recognisable information (e.g. window titlebar contents, user-specified description for INS-learnt actions) with the raw detail available via a More Info button.

Finally on the graphics side, could we please have the 3.000/3.050 scrollbars back? The 3.100 ones IMHO look like escapees from the 1980's Apple Macintosh, clash with the rest of PG's graphics, aren't skinnable by WindowBlinds and won't work with mouse scrollwheels.

 

Another SMH-related option - add the option to require a password rather than the 5-letter confirmation. This could be a very useful facility for shared computers to prevent certain programs from being shut down - e.g. a family computer could use this to prevent Junior from shutting down the firewall or web filter.

 

Very true .

Nick

 

Pete,

<hastily picking up discarded soapbox>
I think you might possibly have replied to the wrong post ;-), the bulk of that suggestion was about adding a bit more *text* and you are referring to code bloat

On a lighter note, DCS are most probably giving considered thought to everything that is posted here and by not responding at all they are not obliged to do anything, least of all make choices that would result in code bloat

Personally I'd think that they are a bit smarter than that given the responses I have seen to date. They seem to have identified their target market and hence the set of "useful" features that they are considering
nb: pure speculation based on several posts, one of which was about WFP

If it turns out that their target market includes "dumb newbies" then nothing anyone says here will change the onset of features to help market the product
</hastily picking up discarded soapbox>

 

I just want to second P2K's suggestion that rundll32 have multiple instances of security approval, where each permit/deny decision is relevant only to an invocation of rundll32 that uses exactly the same parameters.

 

hi, can you make it so the popups are movable? as talked about in this thread. thanks.

 

Some GUI suggestions to make it even more useful

In the Security tab add an extra column "Last Modified" with a date (just like last run)

Add to the right click menu, an entry to show "previous" properties to bring up a properties window of what the the properties were prior to the last modification. An extension to this that would take a little more work would be to open a custom window showing the current and previous "properties" side by side with differences highlighted (this could be fairly useful)

In the Alerts window, add a right click menu (very similar to the one on the security tab) to allow the selected program to be manipulated from that window without having to switch tabs and go and find it again
Alternately a double click on an item in the Alert tab could take you through to the entry for this program in the security tab (if it was there and add it and take you to it if it wasn't already there) at which point you could do the same thing

A logging omission :

When programs are allowed to run without operator authorisation during startup (Permit Once - Unable to ask user) the corresponding entry in the text logfile does not show that it was "Unable to ask user", it doesn't even show that it was a permit once item either and the permit once/always could usefully be logged. Having this would enhance the usefulness of the logfile for forensic analysis

[NB: I would really like a way to stop this happening, once "learning" mode is over and done with I would prefer explicit authorisation]

A logging enhancement request :

When a program is found to have changed, output a small table of the differences found (nb: requires PG to be storing and comparing the information presented in a "Properties" display), while not comprehensive it would be a very good start for someone using the logfile to see what has happened (to the core executable at least)

 

First off let me say, YES! This products is the best I have seen so far!

But, I do have one suggestion. I know that DCS has the Wormguard product, but installing that, to me, is not going to achieve my goal. My goal is to find THE product that can stop us from paying this Bugware Tax. ProcessGuard is the closest thing I can find to doing this by stopping execution and giving the user the control they should have had from MS.

Anyway, my suggestion is that ProcessGuard be extended to allow or deny scripts. Anything executed by cscript.exe, wscript.exe, or cmd.exe. In a business network, you might have logon scripts or other automation, so you will need to allow execution of those programs from cscript.exe. ProcessGuard does not protect from unwanted scripts. If it did, it would most certainly be perfect!

It would be very easy to write a vbs script and have it delete files or download other scripts to run, and ProcessGuard would allow it. Having to buy Wormguard or other AV software just makes you pay the Bugware Tax even more. Maybe ProcessGuard can't or shouldn't do this, but it would be nice if it could.

 

Nice idea I too prefer prevention rather than cure as you correctly state a stopped bug is harmless, We certainly must reach a stage shortly with all the definition updates for viruses, spyware, Trojans etc where we are spending more time scanning our machines than actually using them!

Cheers. pilli

 

Thanks, Jason, for suggesting we try allowing trusted programs via "Permit Once". I like it for internet apps, but I've discovered that with permit once, PG no longer compares the program's checksum to its "last run" value. Ideally, I think PG should be able to apply both permit-once and checksumming in tandem. Otherwise, it seems, I close one hole only to open another.

 

something that i think should be added to PG is for there to be a confirmation dialog before removing items from "protection" to help to prevent inadvertently removing something that you do not actually want to remove..

 

I agree!

 

Please make ProcessGuard remeber the darn window size and location and if its maximized or not.

Sick of having to resize and replace window on screen after every reboot.

 

Hi, To save the window size you need to "Exit" the GUI so that the settings are remembered. Just closing or clicking the X will not do it When you re-start the ProcessGuard GUI your window size should have been remembered.

Pilli

 

Why don't they just make it so that the GUI settings are saved when the X is clicked ?!