WormGuard question

Discussion in 'WormGuard' started by Paragon, Nov 20, 2002.

Thread Status:
Not open for further replies.
  1. Paragon

    Paragon Guest

    On the website it says TDS-3 can kill all processes, yet I have found a few that could not be terminated by TDS, nor process explorers. I was wondering how they prevent themselves from being terminated, when I saw in the WormGuard section it says it uses a "non-resident hook method" to prevent itself from being terminated.
    Could I get some more information on this? I want to know how this works.

    Thanks.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If it's not in the help file, I don't know more about it either. They're creating new finds all the time and preventing TDS and WG from being terminated unintentionally by the user.
     
  3. Paragon

    Paragon Guest

    Hmm, I just got wormguard, and I'm testing it out, but it doesn't seem to work at all! :doubt:
    I used a test program, and it did not prevent me from running it at all. I made sure to click install and test and try again, several times.
    I was able to terminate it with no problems as well. Why is it not working for me? I checked the help file and I did everything properly...
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi Paragon,

    TDS can kill any process; if you are on Windows NT, 2000 or XP, be sure to tick the option Boost TDS Token Privileges in Configuration.

    WormGuard installs a DLL which is an execution hook; anything you run is then passed through that DLL and checked. The application WGUARD.EXE is just for setting configuration options and enabling/disabling the hook.

    What test program did you use? It must be a recognisable worm or trojan; we don't recommend you try any tests with live malware. You can create a test .BAT file which has DOS commands such as delete and format; this will trigger WormGuard. Do NOT use these commands in a BAT file unless you know how to make them useless commands - for example

    del thisfiledoesntexist.exe

    format nodrivehere:

    Files such as picture.jpg.exe will also trigger an alert as they are obviously suspicious, you can easily try this.
     
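The two checks Gavin describes above (a decoy extension in front of an executable one, such as picture.jpg.exe, and a batch file containing del or format commands) as an added Python example. This is not DiamondCS code and WormGuard's real rules are not public; the extension sets and command list are assumptions, and the sample batch file is the harmless test from the post.

```python
import re
from pathlib import PurePath

# Extensions Windows runs directly (assumed list for illustration; WormGuard's own rules are not known).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
# Document-style extensions that, placed before an executable one, suggest a disguised file.
DECOY_EXTS = {".jpg", ".gif", ".txt", ".doc", ".pdf", ".mp3"}
# Batch commands whose presence should prompt the user before the script runs (assumed list).
RISKY_BATCH_CMDS = ("del", "erase", "format", "deltree", "rd", "rmdir")

# Constructed sample: the harmless test batch file Gavin suggests (commands that do nothing).
SAMPLE_BAT = "@echo off\ndel thisfiledoesntexist.exe\nformat nodrivehere:\n"


def suspicious_extension(filename: str) -> bool:
    """True for names like picture.jpg.exe: a decoy extension followed by an executable one."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DECOY_EXTS


def risky_batch_lines(content: str) -> list[tuple[int, str]]:
    """Return (line number, line) for each batch line whose first word is a risky command."""
    hits = []
    for lineno, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.lower().startswith(("rem", "::")):
            continue  # skip blanks and comments
        # Drop an optional leading '@' (echo suppressor) and take the command word.
        first = re.split(r"\s+", line.lstrip("@"), maxsplit=1)[0].lower()
        if first in RISKY_BATCH_CMDS:
            hits.append((lineno, line))
    return hits


def check_file(filename: str, content: str = "") -> list[str]:
    """Combine both heuristics; an empty list means nothing to alert on."""
    reasons = []
    if suspicious_extension(filename):
        reasons.append(f"double extension: {filename}")
    if PurePath(filename).suffix.lower() in {".bat", ".cmd"}:
        for lineno, line in risky_batch_lines(content):
            reasons.append(f"line {lineno}: {line}")
    return reasons


if __name__ == "__main__":
    for name, body in [("picture.jpg.exe", ""), ("test.bat", SAMPLE_BAT), ("notepad.exe", "")]:
        print(name, "->", check_file(name, body) or "ok")
```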
  5. Paragon

    Paragon Guest

    I was using Windows 98.
    I noticed the DLL, but it was only loaded by a few programs. Most of the programs didn't have the DLL loaded.
    The test program I used was actually the installation program for the keylogger I mentioned in the other thread. I tried naming it various restricted things, and it says it should restrict programs based on the name... :doubt:
    I also tried giving it various double extensions like *.txt.exe
    I haven't tried the batch file test though, so I'll try that tomorrow.
    Thanks for the reply.
     
  6. Paragon

    Paragon Guest

    Oh, and about killing processes...
    It should be able to kill any process on a Windows 98 system, but some processes I have not been able to kill with either TDS or other 3rd-party process explorers with the ability to terminate processes. A few such programs are Smc.exe (Sygate Firewall Pro) and 2 antivirus programs, including Norton Antivirus.
    The 3rd party process explorers I used were TaskInfo2002 and Process Explorer from www.sysinternals.com
    Well, at least I understand now how WormGuard can't be terminated, because it's not the wguard.exe that gives the protection, but the DLLs. :)
    (Wguard.exe is what I had terminated.)
     
  7. Paragon

    Paragon Guest

    Update:
    I completely uninstalled WormGuard, reinstalled it, and it works fine. Not sure what the problem was.
     