Process Guard is letting me down

I bought PG a year or more ago and have had every faith in it since it seemed to catch or be configured to catch malware that cropped up. That is until I came across this link in Wilders where the Comodo people have discovered a new leaktest. I don't use IE so tests 1 & 3 did not concern me, but test 2 goes straight through PG. Of course if you did not allow the test suite to start in the first place you would be ok, but you cannot know if this process is hidden in an innocent appearing program that you try.

First of all I tried out AntiHook and that stopped it dead but is adding another layer which I don't really want. Then I saw that SSM stops the process in the freeware version.

In view of this I have uninstalled PG and switched over to SSM to see how it goes. A pity because I like PG but it no longer seems to do its job, and judging by other comments here there seems to be little input from DiamondCS now.

 

I just did a quick check and the last response on this forum to a post from Diamond CS was early Aug. I could have missed one,but it seems obvious.

 

Hello Djg05,

Regarding the test you ran, for me:

Test 1 PG & ZA Pro both warn
Test 2 PG & ZA Both fail
Test 3 PG no warning ZA gives warning.

I tried sending Wayne a private message, but his box is too full & cannot accept my message. I then sent Gavin a message regarding this thread. Also I sent the message to DiamondCS directly, via support ticket. Hopefully DiamondCS will respond & correct this problem.

I wonder if OA would pass this test? Also this says alot about my firewall & tomorrow I'll post this at ZA's forum etc..

Thanks & Take Care
rico

 

Evidently Wayne has been busy with a "minor" revision of Port Explorer.
https://www.wilderssecurity.com/showthread.php?p=864961#post86496

Now that is done...doesn't mean we get any help.

 

Hi,

This is a firewall leaktest, and PG is not a firewall. These firewall leaktests really are not related to how PG is designed to protect you (by giving you power over processes, injection, termination and drivers).

The sort of threats seen are very often EXE and DLL malware, rootkits everywhere. PG is doing a great job against actual threats.

On the other hand, a firewall is not for protecting against malware files themselves, unless it is an antivirus scanner as well ? its very important to look at the actual product purpose, especially when considering a "TEST". The word test implies something.

 

Hello Gavin!

Thank you very much for responding! To be fair PG does warn, when executing the exe file thart starts the leak test. I did have PG 'allow' to run the test. When the test is up, I would think/hope that what leaked past the firewall, PG would, so to speak cover my rear! Note other products mentioned this thread, are capable of stopping tests #2&3. Gavin if Antihook & the free version of SSM can stop, all the tests, does PG have some catching up to do? Sort of keeping up with the Jones's/HIPS's!!

Gavin does anyone at DiamondCS use 'Comodo' firewall? I ask this in order to gauge how well PG & Comodo play together. My ZA Pro will expire soon.

Thanks & Take Care
rico

 

I appreciate that this is a firewall test but the fact is that a free version of either AntiHook or SSM is managing to support a firewall where it might have a weakness. In this area PG is failing. Whether or not you consider this to be outside your scope of protection is for you to decide, however we as users want or need some protection from this type of malware.

As much as I like PG it is not providing the protection I need, or feel I need, as I do not know how relevant this threats are in day to day use.

Currently I have uninstalled PG and am trialling the full version of SSM. It would be useful to know of your intentions with regard to the future of PG.

 

I don't actually know how the leaktest works but it is called Simple Process Termination. Isn't that similar to Advanced Process Termination which DiamondCS use to test PG?

Isn't PG supposed to protect against process termination by any means?


Also, why does PG support protection against hooks? Does the keylogger leaktest use hooks to gain the information typed?

According to a previous post AntiHook provides greater protection against these leaktests. That is why I assume the keylogger uses hooks.


This is not an argument at all.

As everybody knows, malware continues to evolve and use newer, more powerful methods.

As djg05 mentions, we would feel more confident if PG could possibly incorporate protection against newer or more powerful methods as is recent. If not, will DiamondCS be looking in to providing a new product or solution in addition to PG?

Most of us are used to supporting DiamondCS as the LEADERS in security software. Since PG is in my opinion your most powerful protection application that is the most important application that I would like DiamondCS to concentrate their efforts in to developing, PLEASE.

I would have thought that DiamondCS were going to try their best to counter these new threats; since, on the syssafety website new users are able to get their product for half price if they move from a competitors product, which obviously creates competition.


Thanks so much for your time and help with our requests.

Best regards,
Lee

 

Test one should concern you because it tries to open your DEFAULT browser not IE unless IE is default.

Test 1: stopped by PG asking if I want to allow cpil.exe to run.

Test 2: stopped by Kaspersky's Proactive Defense asking if I wish to allow a suspicious process (hidden starting of default browser - Firefox).

Test 3: stopped by PG asking if I want to allow IE to start.

Test 2 is a great example of how PG and PAD of Kaspersky 2006 complement each other. I just love using the two together. I haven't seen any conflicts (although there may be some) rather two applications that work well together and complement each other as PG has no Registry defense like PAD has.

Test 3 didn't get by PG because I had IE tied down on a very short leash. Fx has been default for years but some time ago IE started itself, out of the blue, and went to Windows Update and was trying to download WGA when I caught it and killed it. I don't use WU and don't want WGA on my system. So, I immediately told PG that IE has to ask for permission each time now before it can start. (I'll stop Microsoft from trying to pull a fast one). So, I would suggest that if you use another browser as default and seldom use IE that you set PG to ask each time before allowing IE to start.

I also suggest that instead of using a rival to PG that you keep PG and add KAV 2006 with PAD fully activated.

(I also think it would be nice if we got a little more support here).

 

With PG tests 1 & 3 both asked for IE which is locked down and not my default browser. Just tried it with SSM and it stopped both dead.

If KAV works for you that is fine. It is not the route I have chosen.

 

I had just stopped it on the first test when PG popped up as who would allow that to run after reading the information in the PG box? But since you said it tried to open IE even though IE was not default, I decided to see what it did on my box so when PG popped up and asked if I wanted to allow cpil.exe to run with that nice little file with the words I had typed, I said yes. PG stopped it cold. No browser tried to open because PG blocked cpil.exe from patching explorer.exe in memory.

Those tests are really unstable. They crash cpilSuite repeatedly. It's very difficult to do the tests.

 

Thanks for the information about KAV, Mele20.

I moved away from KAV last year to a different AV which has just a slightly better detection rate; however, not better program by the sounds of it. I was using KAV 5 if I remember correctly; not the newer KAV 2006.

If they don't update my AV program this year then I might move back to KAV next year: considering detection and overall security features at the time next year.

This doesn't mean that PG cannot be made to incorporate stronger defenses. As djg05 mentions, not everybody has the same defense applications which is why it is important that each is made as strong as possible (including those features which will not create conflict, of course).

Also, I use Internet Explorer. If we have strong enough defenses then hopefully we would not need to abandon Internet Explorer altogether. I have never tried another browser, but I assume IE is always best for widest compatibility?

Best regards,
Lee

 

Pro Active Defense in KAV and KIS is new for 2006. Kaspersky was radically redesigned for 2006. It is nothing like 2005. It is extremely light too. I have one problem with it and that is that the web antivirus slows my internet connection too much so I don't use that module. But this doesn't happen to everyone. PAD is great and will get even better with the service pack due out soon.

As for browsers, you should try Firefox or Opera. But Opera doesn't have the compatibility that Fx has. Fx is now recognized by bank websites and lots of sites that even a year or so ago would have worked only on IE now the vast majority of sites work on Fx and ISPs such as Road Runner now support Firefox (Fx is the official abbreviation). My home site, dslreports.com, has a great Mozilla forum where you can ask questions about Fx. Fx 2.0 is ready to be released officially any day now. Fx is much safer than IE. There is no activeX which is a lot of the reason for security problems with IE. Yet Fx has plugins for WMP, Flash, etc.

Do think about returning to KAV. What I love is that I can set KAV to check for updates every 5 minutes and it fetches 15-24 updates every 24 hours. No other AV comes close to that.

PG and KAV PAD complement each other and I think they are a great combination. (Don't try Comodo firewall though as it is incompatible with both).

 

Comodo - PG and KAV work fine for me.

I agree that KIS is a very capable product - very impressed with version 6

 

People using PG believe, and expect, that it protects you from .dll injection.

Yet this leaktest manages to inject CPIL3.dll into Explorer.exe; you can see the module loaded by looking in Process Explorer. I realise that it is not injecting via the Registry, even so I think this is an area PG should cover.

Now the method has been exposed, any chance of a PG update to cover this in the future?

By the way Mele20, does KAV6 help you with the PCFlank Leaktest, this also gets through PG/ZAP:-

http://www.pcflank.com/pcflankleaktest.htm

Of course you have to take the shackles off IE to do this test, it assumes IE is running.

 

No matter how many security products you run, there will always be at least one test that you cannot pass..........

 

I just wanted to say that the MP1 version of KAV and KIS will cover that leaktest among others .

 

Great

I'm still using KAV5 due to a few niggles with KAV6, but I'll be converting again as soon as the new pack is released.

 

@Devil's Advocate

I agree that you cannot protect against new malware or security flaws in security applications at the exact moment they are released or found. However, once they are known about: why shouldn't security providers be working towards stopping these threats?

That is the purpose of using security protection: you should gain protection.

Imagine if AV providers didn't release new definitions. Although, PG is able to protect against some new threats without being updated, but not all.

I understand that even if PG wasn't updated we would still have all of the protection that was available before. Though, as time goes on, the amount of protection available would start to deline in to the future. This is my point.

@Mele20
Thanks again for your information.

Best regards,
Lee

 

Also, I am not completely sure what Gavin is saying earlier in the post.

Does this mean that the SPT leaktest can ONLY get through a firewall if vulnerable and not be USED in different types of malware?

If it is only a firewall leaktest, then why is this so? How does it actually work?


I am sure though that the keylogger is NOT only a firewall leaktest.


BR, Lee

 

another thread where Wayne's comment is missing

 

I don't know if this is the proper thread in which to make the following comment, but, since it raises a ProcessGuard issue, which is pertinent to the topic here and since AntiHook was also mentioned, I will give it a whirl:

I have attempted to install Antihook 3.0 a little while ago (which, by the way, is out of beta, and is not free), but, during the installation, PG was detected on my computer and AH promptly declared that PG is not compatible with AH (at least not with version 3.0), and promptly rolled back the install.

 

i am sold.. i ran the test-program (dec. 5th), which, i believe, has been updated, and PG failed "test 2" and "test 3".. i installed SSM and it passed the tests, preventing the dll-injection..

while the test, supposedly, is for testing firewalls, it is a good way to test PG to see if it prevents dll-injection..