Who has actually had PG save them from a malware attack?

You see quite a few posts in the NOD32 forum about how IMON caught a Trojan and such before it could infect their system. But I don’t think I have heard many PG stories, so who has had an experience where they would have been infected with something nasty, but thanks to PG were not?

 

Hi Matt,

PG has certainly prevented lots of unwanted program executions as well as unwanted (and possibly malicious) program services installations. I am often quite surprised at what is going on behind the scenes of some of the programs that I install. I cannot say that these situations were bonafide malware, because they never go started, but they were definitely unwanted and potentially malicious.

Rich

 

Matt,

That's a very good question and one that should be asked more often.

I personally don't think much get's through a very good anti-virus and firewall & anti-spyware but many users like to have layered security 'just in case'. If you have good security then Process Guard will enhance it in case your AV and/or firewall meet something they can't kill or intercept. But I think the bottom line is just how valuable your assets are. If you're just a casual home user with a basic PC then you wouldn't be as concerned about security as much as a business with a high end PC and a lot more to lose by infections/downtime, and a good firewall and AV will suffice. But if you have a lot to protect then Process Guard is definitely a 'must have'.

 

Hi worldcitizen,

What you say is certainly true. A person who is doing financial transactions, for example, on a machine would want to take greater care than someone who is just playing games (a safe desposit box is worth more than a Sony playstation - at least to some people ).

But I have been involved with situations where even a game machine was made unusable by an over abundance of malware and this required a complete re-install. So for this situation, I would recommend that someone who is not well protected, purchase an image copy program (I use Image for DOS), in order to save the time required to completely bring a system back to current time.

But even casual users have "privacy" issues (do they want someone to have the password to their online email account?), so it is difficult for me to recommend to anyone nowadays to do anything less than ensure a secured computer. For this reason, I pretty much recommend ProcessGuard to everyone who asks, but only a percentage actually act on my recommendation.

Rich

 

For those that do internet banking...and this is the way I look at it.

You have a router
You use an application firewall...then protect the firewall and the applications with internet access using PG...now nothing can get in NOR out without your permission...ie...Normal trojans are useless, and Trojans that infect running processes that have internet access are also useless.

PG also protects from the Trojans that anyone who does IB fears most...keyloggers and rootkits (havent found out if there is any other way to steal a password, but these two are the main ones that i know of).

I personally also use PrevX in combo with PG, and AT, AS, and AV, and a system monitor. I know Rich uses it in combo with RegDefend, another good way to go.

Edit : I've never found malware on my comp since installing PG/PrevX and my scanners have never picked up anything, so I can't attest to it stopping anything yet.

 

If you'd like some more information about the variety of attacks that PG protects against this page has some good information:
http://www.diamondcs.com.au/processguard/index.php?page=attacks

 

It's worked for me a few times. Then again, I don't run a resident AV so the chances of it working for me are higher.

I run PG set to block new and changed applications and also run deep freeze.

For my most recent case, I was on the internet and got some error messages on the page. I closed the browser and took a look at the PG logs. On this occasion cmd.exe had been blocked from starting. I rebooted and carried on.

So I guess PG works for me.

 

Does PG monitor your HOSTS file by chance in addition to all the other things it is watching/monitoring?

 

just add your host in the protected programs list...choose all programs, then you can see your hostfile in system32 > drivers > etc > host

 

Infinity - Thanks a lot. I am thinking of trying out this software.

 

Hmm, this is news to me, I assumed PG could only protect executables
Tom

 

That is correct

And to say on topic ... my experience is similar to what Rich mentions in Post #2, so my answer would be a definite Yes.

 

So can it not protect the HOSTS file then?

 

NO ... it only protects executables

You can pretty much protect your hosts file, by going into the properties and setting it to "read only", you would have to remove the "read only" status to modify your hosts, though.

If you want to ensure the contents of the hosts stay the same you can use a file checker which would calculate the checksum and verify the file against it for any changes. Keep an update backup of your hosts, and if there are any unauthorized changes simply re-write the hosts with your backup. Every time you update your hosts, you will also have to update the file checkers checksum. This type of protection for your hosts isn't really required, but it's an option should you wish to do so.

Steve

 

Thanks for the clarification dog.

Regards,

Jag

 

Well its saved the test machines loads of times also helps a LOT in my job, I can't imagine not having it..

 

A much better way to protect the hosts file: Never work or surf under your administrator account unless absolutely necessary. Under a user account (with restricted rights) you only have read access for this file and the other system files.

Quite honestly, I've never understood why most Windows users use lots of software (like virus scanners, personal firewalls, registry protection software, PG, ...) but still surf as an administrator thus giving full rights to any virus, trojan or whatever. The consequent use of a user account is IMHO the basic measure to increase the security for your system (and a matter of course for every Linux user, by the way) that should be applied before any other measure.

 

I use security software as PG so that I can surf as an admin with peace of mind I like to test things and find it handy not to have to hassle with programs that require admin rights.
As for the topic of this thread. Mostly NOD32 takes care of trojans while surfing (ie before they have a chance to execute so PG can do its job), but lots of times while surfing on certain webpages PG blocks scripts and stuff from reading memory as the first layer of defence. Also it blocks alot of global hooks that are pointless, or maybe its virus/worm activity, dunno cause PG blocks it.
I rarely get any trojans, worms or virus. So I have downloaded a couple of them just to test PG and it blocked dll injections, driver installation and of memory reads. Havent had opportunity to test rootkits (simply because I dont know where to find them)

And it is interresting to learn what goes on behind the scene.

 

Enviable

Such as ...? Usually you only need admin rights when installing new software - and even then not in every case. Most programs don't need admin rights once installed. An exception is ProcessGuard whose GUI can be started via the runas command (or alternatively with RUNASSPC from http://www.robotronic.de/runasspc.html ).
My rationale is that no security related software is 100% flawless. Even PG might be defeated some day by a new kind of malware. That's why several layers of protection are needed - and surfing under a user account is an important one.

Interesting. My first layer of defence is using Firefox instead of IE, the second one Outpost where all active content is disabled by default and only selectively allowed for specific sites which I trust, the third layer is Kaspersky Anti-Virus Pro 5.0. As for emails, all mails containing executables are filtered out, and I use Thunderbird where scripting is disabled. PG is my LAST layer of defence (besides RegDefend). PG has never blocked any scripts for me - they have never come that far .

 

Yep, i used to layer protection but i consider myself advanced enough just to use process guard on its own. Process guard has/and will continue to notify my of dodgy application activity which i usually clean up myself. PC runs a lot faster that way. Keep up good work DCS.

 

Slightly of topic, apologies.

Re: tlu's comment about using restricted user accounts. I used to do that with with my kid's PCs but I was finding Windows update would only work on an admin account and sometimes for whatever reason I hadn't logged on their PCs under admin for a few weeks their updates were quite out of date.

I see windows update almost as important as many of the security programs so I switched their accounts to Admin to ensure constant windows updates - are there any tips or tricks to run updates under restricted accounts?

 

q1aqza, that' s not correct. At least on Windows XP (I can't remember the situation on W2K) automatic updates are also downloaded under a normal user account and will be installed during the next reboot.

 

Must be something I'm setting up wrong as I have never had windows update working on a restricted account. I know whenever I logged in their PCs under admin to allow a game installation or something then straight away update would start downloading??

I'll have to do some more searching on this as I just assumed it was the restricted account issue. I am using XP Pro SP2 on their PCs

 

An article by Microsoft about this topic can be found on http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/intmgmt/27_xpupd.mspx

 

Why bother with AV? You have to keep it updated... with PG you just forget about it.

regards,

-rich