App to prevent process kill?

Discussion in 'other anti-malware software' started by bellgamin, May 14, 2022.

  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I'm running Win7 Pro & a Linux distro on my "hobbiest" laptop. I have an older security app, "EXE Radar Pro" (whitelister/anti-executable/default-deny) that accepts user-developed rules.

    EXE Radar Pro is still a useful security tool for my purposes BUT -- as far as I can tell -- it has little or no protection against a "kill shot" by malware.

    GIVEN: Malware must get by my laptop's security in order to "kill" EXE Radar Pro. My other security is AVG (twin sister to Avast) and OSArmor. They are excellent but NOT bullet proof so....

    QUESTION: Does anyone know of an app that can be set to protect a running process from being rendered inoperative?
     
    Last edited: May 14, 2022
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Can you please explain what you mean by this?? Why can't the security programs you already have in place prevent this "kill shot" malware from launching in the first place?

    EDIT

    BTW, in the example given, unless this "kill shot" malware you are alluding to can elevate, it will not be able to terminate the running processes of OSArmor.

    OSA processes.png

    Once again, can you please explain and especially provide an example of how this might be a concern.
     
    Last edited: May 14, 2022
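
Added example, not part of the original post: a PowerShell check of the point made in the reply above, that a non-elevated process is refused terminate access to a protected security process. It only requests a handle with the `PROCESS_TERMINATE` right and closes it again; nothing is terminated. The process names at the bottom are placeholders to replace with your own.

```powershell
# Added example. Run from a normal (non-elevated) PowerShell session.
# P/Invoke declarations for the two kernel32 calls we need.
Add-Type -Namespace Win32 -Name Proc -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$PROCESS_TERMINATE = 0x0001   # access right needed to call TerminateProcess

function Test-TerminateAccess {
    param([string[]]$Name)

    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        # Ask only for the terminate right; the process itself is not touched.
        $h = [Win32.Proc]::OpenProcess($PROCESS_TERMINATE, $false, [uint32]$p.Id)
        $granted = ($h -ne [IntPtr]::Zero)
        if ($granted) { [void][Win32.Proc]::CloseHandle($h) }

        # New-Object PSObject keeps this compatible with PowerShell 2.0 (Windows 7).
        New-Object PSObject -Property @{
            Name                   = $p.ProcessName
            Id                     = $p.Id
            TerminateHandleGranted = $granted
        }
    }
}

# Placeholder names (assumptions): substitute the processes of your security apps.
# 'notepad' is included as an ordinary user process for comparison.
Test-TerminateAccess -Name 'MySecurityApp', 'notepad' |
    Format-Table Name, Id, TerminateHandleGranted -AutoSize
```

A result of `False` for a security process means a standard-user process cannot obtain terminate rights to it; `True` means any code running as that user could end it, which is the gap the original question is about.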
  3. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    OSA_Self-Defense.png
    Are you looking for something like this or are you looking for an app that prevents ALL processes from being terminated by malware?
     
  4. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    He's looking for something that can prevent a 3rd party software from being terminated. As far as I know, only a HIPS can do that. I believe SpyShelter Firewall can do what you're looking for. Maybe this would work, if you put the exe as protected?
     
  5. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @wat0114 wrote...
    Please note the "Given" in my post #1. My existing security *probably* will prevent the malware from getting on my computer, but it is not a certainty. I seek a "fail-safe" in case a malware does get by my other security.

    Current day anti-malware apps usually are self-protected against being uninstalled or inactivated by a malware, as in your OSA example. EXE Radar Plus does not have such protection AFAIK.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    @Buddel wrote --
    Close. I am looking for an app that prevents user-specified processes from being terminated.
    ~~~~~~~~~~~~~~~~~~~~~~~~~
    @n8chavez wrote --
    YES!!! I will check SpyShelter -- it sounds like a good possibility. (As to your link, it's good info. However, I already have file protection whereby critical files are protected from being modified or deleted.)
     
    Last edited: May 14, 2022
  6. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    Well, that's why I stopped using it. I prefer to not have all my eggs in one basket. Can I ask why it's so important to have anything "unkillable?" It seems like you're pretty close to that already, with the combination of ERP and OSA. What's the likelihood of something getting past both of them? I would argue, with Defender now being much better, you don't even need a 3rd party scanner.
     
  7. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    As stated, I am running Win7 Pro. MS Defender is not available but I wouldn't use it even if it were.
     
  8. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    297
    A while back AppGuard enjoyed a lot of attention here on Wilders until they went more or less exclusively catering to a small business/corporate audience. Which may or may not be more prone to rule out the antiquated Windows 7 for compatibility issues.
    On increasingly rare occasions AppGuard will be mentioned in the "What is your security setup these days?" thread. Granted, with your setup, this app would most likely be overkill. Maybe. Anyway, since it appears that 3rd party scanners are on the table for consideration and according to your assertion in post #5, "However, I already have file protection whereby critical files are protected from being modified or deleted."... It'll be interesting to see where this thread ultimately settles.
    In essence, a BOLO for an app that reinforces tamper resistance on apps that purportedly already utilize self-imposed tamper resistance.
     
    Last edited: May 15, 2022
  9. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    So true! {I love cop jargon :cautious:}
     
  10. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,871
    win7 is beyond evil and not worth any discussion.

    you only can stop kills when the attempt is upcoming, but in most cases that (detection) will fail, so the task is killed anyway. the only option is to restart the program.
     
  11. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    The "User defined protected files" feature of SS covers processes also, as in the example below:
    - you can add a chosen process to the list with factor "read&write" and category "personal"
    220515121123_1.jpg

    - and if another process tries to take an action on it, you should see an alert like this
    220515121422_2.jpg
     
  12. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    344
    Location:
    Finland
    @ichito
    In your screenshots, explorer.exe is trying to execute an application called 1by1.exe. If I want to protect, for example, the myprogram.exe process from termination (aka tamper protection), is this possible via SpyShelter?
    Many, many malware samples target Windows' own firewall to make custom outbound/inbound rules. Usually, they do it by adding a reg add command during the early boot stage. This of course does not work if you use a third-party firewall that does not rely on Windows' own firewall.
    Among the best self-protection on AVs I've tested are Dr.Web and the ZoneAlarm firewall driver.
     
  13. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @ichito -- In your post #11 above, what is lowest priced version of SS that will enable "User defined protected files"?

    Also, I am interested in your answer to moredhelfinland's question.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    :eek: Whooo -- sounds spooky!

    Just kidding. I respect your counsel & I understand your point about the risk of using a no-longer-supported OS. However, I am retired, with a very comfortable pension, so I no longer do any "serious" business on my computer. Win7 is an old friend & often knows what I want to do before I do.

    I have given a few dozen computers to my various grandchildren & great-grandchildren. I assure you -- those computers are all running Win10 or Win11.
     
    Last edited: May 15, 2022
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    @bellgamin,

    I mostly agree with @Brummelchen above with his implied assertion about Windows 7 being a weakness.

    That said, if you insist on using Win 7, at least keep it as fully up-to-date as possible, especially browsers with extensions you are running on it. I understand you are looking for something that can save the day in case your primary security fails to block the "process killing" malware, but then that means you don't fully trust your primary defenses (sheesh, I'm talking like a military strategist :rolleyes: ). In my case I install primary security that I trust implicitly and don't worry about augmenting it with "what if" scenarios additional programs, that are really only going to drag your system resources down, potentially conflict with your primary defenses causing stability issues, and create more time-consuming rules management headaches for you. In my case, at the end of the day if malware somehow grabs a foothold on my device, I will "save the day" with a backup image.

    Just read this moments ago. In that case, your rationale for running Win 7 is justified for sure. It also means, imho, you should be even less concerned about stopping process-killing malware.
     
    Last edited: May 15, 2022
  15. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I do trust my security set-up. I haven't had an unfettered infection vector in years. Beside that, I am also a security hobbyist. I visit Wilders because it's fun, interesting, & generally friendly. Also, I enjoy learning more about computer security, as well as trying out various computer apps -- even those apps where it is unlikely that I would ever use them on a permanent basis.
     
    Last edited: May 15, 2022
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    FWIW, you are a member at Wilders I have a great deal of respect for, and for that reason I tend to gravitate in replying to your posts in the most helpful way I can think of. You are one of my favorites. Have fun :thumb:
     
  17. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @wat0114 -- Much aloha to thee and thine.

    You have kept me on my toes more than once. :thumb:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    At all: I just bought SpyShelter Premium (SSP) after giving it a good shake-down cruise. It gives me a decent approximation of what I was seeking in this thread, plus it is a super powerful, multi-faceted security app to add to anyone's armada.

    My fervent thanks go out to everyone who helped with this thread's question. Wilders folks are the greatest!
     
  18. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    297
    Looks here like a case of "can't see the forest for the trees." Kind'a like looking for a way to stop the itch as a panacea to chicken pox. Why not just play the end game as usual to stop malware in all of its nefarious forms of a system attack?
    That umbrella of sought after protection would naturally include the unintentionally comical "stopping process-killing malware." In any event, the yet to be revealed silver bullet to this "process killing malware" werewolf may turn out to be worth the price of a front row ticket after all. ("The maples scream 'oppression', and the oaks just shake their heads." RIP Neil Peart)

    Edit: Silver bullet = SSP

    @bellgamin ---keylogger or firewall??
     
    Last edited: May 15, 2022
  19. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @StillBorn -- I seldom play word games (have you met Roy G. Biv?) but I do enjoy an occasional game of Chess or Japanese Go.:isay:

    My real-time security now consists of 3 super light apps: AVG, OSArmor, & SpyShelter. I suggest you check out SpyShelter, if you haven't already done so. SS is a powerful security app with MANY facets. I chose Premium version, but there is also a free version.
     
    Last edited: May 15, 2022
  20. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    297
    @bellgamin Life time license for the firewall. Switched back to the native W10 firewall. Always time to reconsider.
     
  21. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I bought SS Premium because it does NOT include the firewall. As noted above, I use AVG. AVG has a very competent, highly configurable FW (plus the usual alphabet soup: AV, AI, BB).

    BTW, you might take another look at SpyShelter -- it's changed a good bit since back in the days that they offered lifetime licenses.
     
  22. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    297
    Seems like "back in the days" SS firewall was at least as popular back then as it is now (go figure). And back then the firewall kicked proverbial "aces" high. With all due respect, hats off to SpyShelter for their continued tenacity in fighting the good fight.
    And with a life time license (how 'bout those good ol' days...) "tiii ii iime is on my side."... Rolling Stones~ style :D
     
  23. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    I think yes...SS can protect files from termination, especially if they are included in the list of protected files/folders - see the window of advanced rules. Red-marked rules show what action of a process is set in relation to protected files/folders:
    - "default" means actually nothing until the time when a process tries to act on a protected object, and depends on the level of protection you choose
    - "allow" and "deny" are your particular decision when a process tries to do something with a protected object
    220521165429_2.jpg
    In my opinion it's important to check the tab "Application Execution Control" (only in SS Firewall) and remove the default rule of "explorer.exe" marked as "*", which means that explorer.exe can open everything.
     
  24. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @ichito -- Excellent info. Thanks!!!
    Quick question: What are the uses or benefits of SS's "Application Execution Control"?
     
  25. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    The simplest way for me is to use the description from my SS review (it's translated by Google from the original Polish version)
    "Application start control - this module is only available in the version with a firewall, and it has to control which application can be run and which is blocked (what matters here is the process, not its action ... so we have anti-exe functionality in some way).
    It is difficult to suggest anything here, but it is certainly worth paying attention to what, for the so-called superior processes, "parents" (in the top window) are shown to us as child processes ("children") in the bottom window. Usually it is a list of processes, the presence of which we can somehow explain to ourselves, e.g. in the case of the list for the Explorer.exe process or for the file manager (for me FreeCommender.exe ) ... if we find something disturbing, the fastest way is definitely remove, but it's probably better to check what the process is about and whether it can be run by a specific other parent process.
    It is worth paying attention to the entry on the bottom list marked only with an asterisk " *"as in the example below ... these are rules created automatically by the SS, and they mean any file from any location ... and here is the danger, because in the extreme case it allows you to open a file without further alert, i.e. a pest. most of these entries, I left only for the applications that I know or those whose running (through other processes) I wanted to block..."

    https://www.wilderssecurity.com/thr...s-and-useful-information.410717/#post-2905423
     