About "TrojDemo.exe" from Trustware

Discussion in 'ProcessGuard' started by spy1, Apr 28, 2005.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    In this thread, there seems to be a misconception that PG allows "TrojDemo.exe" to "go right through".

    It was pretty well rebutted in that thread, but it caused me to wonder why people who actually use PG don't seem to be in the habit of always running their computer with PG in the "Locked" condition (after having set it to the "Block new and changed applications" condition), except when they are purposely installing something.

    As you can see from the screenshot, clicking on the "TrojDemo.exe" after I d/l'ed it (with PG in the state I described above) simply results in the "TrojDemo.exe" being stopped cold.

    (One has to wonder why people bother to have programs like PG and decent firewalls if they're not going to utilize them correctly).

    IMO, no "vulnerability test" where one has to purposely and knowingly DROP a defense or "Allow" something that one wouldn't normally allow is valid - period. Because it's not a "real environment" test.

    IF PG had allowed anything at all to happen in the condition it was in when I clicked on that exe, then I'd say there was a problem.

    As Blue said in that thread, even if you're not "cocked and locked" in PG and you click on the exe, PG flags it and if you "Deny" it - that's it - it doesn't run.

    So, I'm failing to see any problem with the way PG handles this one - period. Pete
     

    Attached Files:
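    To make the "Block new and changed applications" behaviour Pete describes concrete, here is an added illustration (constructed for this thread, not ProcessGuard's code or its rule format) of the underlying idea: a baseline of hashes for executables the operator has already approved, and a decision that depends on whether the console is locked. The file names, the sample bytes and the helper names (build_baseline, classify, decide) are all assumptions made for the example.

```python
"""Constructed model of a 'block new and changed applications' policy.

Added example for illustration only; it is not ProcessGuard's implementation.
"""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths) -> dict:
    """Learning-mode equivalent: record the hash of every executable the operator allowed."""
    return {os.path.normcase(os.path.abspath(p)): sha256_of(p) for p in paths}


def classify(baseline: dict, path: str) -> str:
    """'known' = same path and same hash, 'changed' = same path but different hash,
    'new' = path never approved."""
    key = os.path.normcase(os.path.abspath(path))
    if key not in baseline:
        return "new"
    return "known" if baseline[key] == sha256_of(path) else "changed"


def decide(baseline: dict, path: str, locked: bool) -> str:
    """Return 'allow', 'deny' or 'prompt' for an execution request."""
    if classify(baseline, path) == "known":
        return "allow"
    # Unknown or modified binary: a locked console denies outright
    # (nothing to click wrong); an unlocked one falls back to asking the operator.
    return "deny" if locked else "prompt"


def demo() -> dict:
    """Run the policy against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        trusted = os.path.join(d, "editor.exe")
        with open(trusted, "wb") as f:
            f.write(b"MZ constructed trusted editor v1")  # constructed sample content
        baseline = build_baseline([trusted])

        dropped = os.path.join(d, "TrojDemo.exe")  # downloaded after the baseline was taken
        with open(dropped, "wb") as f:
            f.write(b"MZ constructed demo payload")  # constructed sample content

        results = {
            "trusted_locked": decide(baseline, trusted, True),
            "dropped_locked": decide(baseline, dropped, True),
            "dropped_unlocked": decide(baseline, dropped, False),
        }

        # Simulate an update that rewrites the approved binary in place:
        # same path, different hash, so it counts as "changed" and is blocked while locked.
        with open(trusted, "wb") as f:
            f.write(b"MZ constructed trusted editor v2")
        results["updated_state"] = classify(baseline, trusted)
        results["updated_locked"] = decide(baseline, trusted, True)
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

    The "updated" case is the one Rich raises below about apps that change legitimately: under a locked console an in-place update is indistinguishable from a tampered binary, so the operator has to unlock, approve the new hash, and lock again, which is exactly the "except when purposely installing something" workflow in the post.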

  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Pete,

    In answer to your question:

    The reason I do not Lock my system with PG, is that there are still some programs that I want to allow to run some of the time, but I don't want to give them permission to run all of the time - e.g. rundll.exe. Therefore, I must leave it out of Lock condition.

    If there is a way around this, I would be interested in knowing how others do it. As for the concerns about TrojDemo, I agree with your position. If a user gives permission, then the trojan will run. On my system, I have tried to set up backup lines of defense so that if I make one mistake, the other security programs (e.g. RegDefend) may trap it.

    Rich
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    Right on guys. I recently tried a program (www.pc-st.com/us) that tests and rates your protection against hackers, viruses, and spyware. I installed it and ran it. Of course, the first thing was PG asked permission to let it run. At this point I said yes, as what is the point otherwise. Then it ran the test against the firewall, and passed it 100%. For virus and spyware it tries to install and test your defenses. Well, from that point on I denied it anything it wanted to do when both RegDefend and Prevx protested, and after about 10 attempts at different things it gave up and crashed. Wouldn't have made sense to give it permission to attack. It never got far enough to bother any of Process Guard's further protections.
     
  4. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    That doubting thomas would be me :)

    Should I be offended? :D
    And what about people who have JUST installed PG?

    Hmm... I just wanted to point out that PG didn't pick up the attack.. that's all :)
    I personally don't use PG, but I've seen it in operation. I really don't suppose that a user with limited knowledge and time would spend a lot of time with his security apps once he thinks that he's covered all the basics, and would hate to see alerts every time he started a NEW or UPDATED app [one reason I think why ZA and NPF/NIS seem to be selling like hotcakes - automatic rules *grumble*]
    I think PG is a very good software, but these tests show that if a user hasn't set PG to go for "process execution", he's gonna be in trouble. I just hope that this will be looked at, however briefly, by the developers.
    Once again, I have no intention of stirring up trouble ;). I just thought that I DO have an opinion, however irrelevant, and it should be interesting to see what other people feel about this.

    Rgds.
    you know who.
     
    Last edited: Apr 28, 2005
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi no13,

    If you are suggesting that PG needs to be made more user friendly in order to reduce the potential for inadvertent mistakes, I wholeheartedly agree. There is lots that can be done to reduce the learning-curve of the product and make it more accessible. Hopefully, DiamondCS will have the resources to do this in the future.

    Rich
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Really? I thought this was the case:


    Not at all, since the remark wasn't directed at you.


    What about them? It's got to be a "given" that someone using the program has to have started with a "clean" machine, that they've installed the program correctly, set it up correctly and made every possible effort to read/understand/apply all the info in the "Help" file, gone through the "Learning Mode" thing properly and that they have just the tiniest bit of common sense/inquisitiveness and caution when it comes to handling alerts.

    Because no program is going to protect you to its fullest extent if you don't do all of the above.

    And it's quite apparent from that quote that one of us is misunderstanding that situation (which we're both getting second-hand, BTW - I think). If the person involved "Allowed" the test to run - which it seems quite clear they must have done, either purposely or due to a "Learning Mode" situation - then PG was simply following its operator's wishes by letting it run. This is the key point here and I'm not sure why you're not "getting" it.


    Which is also puzzling when you're making what appear to be statements of fact of what PG can and can't do based on second-hand information from someone else who does use it (especially when you make no reference to their skill-level or how PG was set up at the time).

    Well, if they're not keeping up with their security apps (or not learning them well enough to start with before depending on them), then it's hardly PG's fault if something did manage to get through, now is it?

    Trusted apps, when they update, aren't a problem - any time you run something "new", you should keep an eye on it for at least a short while to make sure of what's going on with it. You should also never grant more "privileges" to it than it actually needs to work effectively.

    And, of course, it goes without saying that you want warning of something trying to run that you haven't consciously initiated yourself - that's why I run PG the way I do.

    True and true.

    The developers might take a look at it. However, they've made the program the best they possibly could have up to this point without actually coming to a d/l'er's home and setting it up for them one-on-one. It is up to the user to deploy the program effectively, learn it, keep up with new developments and question, question, question when they're unsure of something.


    Yes, sir, you absolutely do have a right to an opinion. And it's certainly not irrelevant.

    Keep 'em coming - that's how we all learn. Pete
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    There is one thing a new user needs to do for sure. Read the help file first.

    Pete
     
  8. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    As perhaps some members have noticed, the Trojan Demo from Trustware is one of my test tools:

    http://kareldjag.over-blog.com/

    I've also tested it against Process Guard, but some verifications are necessary before publishing the result on my blog (I'll give the first links next week).
    In any case, Trojan Demo is not an issue if you have already hardened Windows as much as possible.
    As I said in my disclaimer, test tools are different from real malware...

    And yes Peter2150, it's often necessary to read the help files ;) ...

    Regards
     
  9. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    After allowing the trojdemo through PG, I got one alert from PrevX, and hit 'deny'. Seemed to stop the test dead as nothing else happened after that.
     