Are PG Protection Statistics Misleading?

Discussion in 'ProcessGuard' started by worldcitizen, Aug 31, 2005.

Thread Status:
Not open for further replies.
  1. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    'Process Guard has protected your computer from 389 attacks'

    While the above from the PG statistics sounds very good and may be good for promotional purposes just how true and accurate is it?

    What is meant by attacks? If by attacks is meant attempted unlawful access by malware that has been automatically blocked, then that's cool, but if that includes permissions sought by PG to allow/disallow then it may be just a whole lot of hype and misleading, because basically decisions turned over to the user for adjudication can no longer be claimed as credit by PG, since the user has had to make the decision. So if, for instance, PG alerted me when I tried to open a new program I installed, then that is not an attack and should not be registered as such, because PG is not doing any 'preventing' in that case but simply turning the decision over to the user.

    Over 4 months I have installed and uninstalled umpteen dozen programs and received umpteen dozen offers to allow/disallow which could easily have accounted for each and every one of the 389 'attacks' in the stats window so how do I know if PG has protected me from any REAL attacks or not?

    Good question eh :cool:

    When DCS have more time they should look into clarifying exactly what kind of attacks I was exposed to that PG automatically blocked because even PG is accountable. If all the attacks were just programs that had been installed or changed from updating then I would not call that 'protection from attacks' and would see no reason to keep PG on my PC if it is not actually protecting me from real attacks but just 'making it look like it is' by registering every new program I open, install or update as an 'attack'. In other words I want to KNOW just what REAL attacks PG prevented and not be given a figure of 389 attacks which may be none other than my own use of my PC.

    There is no reason why the type of attack can't be logged and reported so the user can see what attacks PG has prevented. I know PG turns red and an alert is issued when it encounters something, but for me that has always been my own updating or installing and not due to malware. I'm sure other users will have even higher figures of how many attacks PG has prevented, but how many of those were actual attacks by malware? Any at all??

    PG needs to justify its usefulness by registering clearly whether the attack was a REAL one or just a user initiated one; otherwise it's just chalking up a huge amount of 'attacks' to make itself look good when in reality it may not have protected me from anything at all. I have no way of knowing or verifying if PG actually has been of any real use to me. The figures need to be more specific about what actual attack I was protected from to fully convince me that PG is actually protecting me from REAL attacks and not simply registering my installations, updates and uninstalls as 'attacks' and making it all look very impressive. The question needs to be asked of PG - what REAL attacks has it prevented?

    Dave
     
    Last edited: Aug 31, 2005
  2. virusread

    virusread Guest

    User initiated attack??


    The problem as I see it is that PG itself does not know if there is a real attack or not without the user. That can't really be helped for products like this.

    All it knows is that it generated x warnings; it doesn't know and doesn't judge if the warning is really blocking a 'real' attack or not. Heh, most of the time even the user doesn't know if a real attack is being blocked, assuming we could even decide what a real attack meant in the first place.

    What makes a real attack anyway? I get a warning that software x is trying to install global hooks, is that a real attack? Would my decision on whether it is a "real attack" change if I later realised it is a trojan?


    You see the same thing for other products like Prevx, which boasts of detecting 832 potential intrusion attacks. The wording here I suppose is slightly better than in PG since it talks about 'potential attacks' rather than 'attacks' but in the end it's equally useless.

    Anyhow, that is why quantifying how useful products like PG are is so difficult. You get a dozen prompts a day, but you don't really know how many times, if any, the prompt is drawing attention to something you really need to know.

    Often, you only know if you made the right decision retrospectively, after research, if at all.

    It's probably meaningless for products like PG to try to list the number of attacks blocked, since it doesn't track attacks at all, just behavior which might or might not be malicious.

    At best it can talk about the number of warnings or popups generated; whether something is considered an attack is up to the user.

    I suppose PG could allow users to indicate themselves if a particular warning is one that warned them of malicious behavior as opposed to one that didn't. But how useful is that really?
     
  3. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    The thing is an AV does indicate what type of attack took place, and we know from that over a period of time (not research) that we have been attacked by malware and that the AV has detected it and nullified the attack. But in the case of PG we have no indication that an 'attack' is anything more than a user initiated action which was interpreted as an attack, as opposed to malware, which doesn't really allow us to evaluate PG properly in real time as to its value. All we get is some useless and meaningless statistics which may very well be only referring to our own choices and not real attacks by malware, which is disappointing, because if an AV can do it then PG should also be able to do the same at the very least.

    Dave
     
  4. controler

    controler Guest

    It doesn't seem that hard to understand to me.
    Any attack would be something that has violated your security settings with PG. In other words, if you checked do not allow services OR drivers,
    any attempt of that nature would be logged as an attack.
    So yes, PG sees any attempt to install services and drivers as an attack.
    If this alert happens when you are installing some software, it would not be an attack.

    controler
     
  5. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Yes, but with PG (not in learning mode) PG will initially block any attempts at installing drivers, hooks, etc. However, it's most likely just a FP caused by the installation of software; it's not an actual attack by a known malware. PG, not being able to differentiate between the two (it doesn't use signatures or defs), will register all attempts as attacks. It's just how PG works.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Seems to me this is a moot point. The only way PG would have of knowing something was a real attack is to go to signatures, and updates of signatures, and that would be real bloat, and to what purpose. Maybe the word attack is the issue.
     
  7. dboley

    dboley Registered Member

    Joined:
    Aug 21, 2005
    Posts:
    10
    Indeed the "Attacks" counter has no meaning due to the arguments made above. It is the responsibility of the owners of Process Guard to clear up this situation. Speculation as to their ability to detect user initiated events versus "evil" events is their challenge and I look forward to a fix.

    Having said all that, I do want to compliment the owners of the program for something that is VERY needed. It is pitiful as people run about with dozens of so-called spyware cleaners trying to catch the thief AFTER they have stolen their information. There is ONLY ONE way to be safe from keyloggers and that is to prevent them from entering the PC. Cleaners are a placebo for the naive!!!! Ok, do not trust any software and run them anyhow. I do....

    I hope that the owners of Process Guard realize the importance of their product. As such, they need to be absolutely sure of that any claims they make are as solid as possible. Thus we return to the attacks counter. Little things like this can cast doubt on the program and serve no useful purpose other than to confuse the customer and raise concerns. Simply remove it or fix it.

    Dick
     
  8. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Exactly! A fix is really very much needed for the attack counter, and I hope DCS realise the importance of this, because this is security software claiming to be the best and yet we really can't verify these claims in real time or have any logs or proof that PG is actually stopping any malware. AVs, firewalls and anti-spyware all come with this feature, which is very important, and now that TDS 4 and TDS 3 are no longer keeping DCS busy it's about time they improved things like this in PG.

    To just accept things blindly is no longer acceptable in today's PC environment, and I would also feel a lot better seeing what PG is blocking than just relying on a meaningless counter. For all I know PG may not have even blocked 1 real malware in all the time I've had it installed, and I may be keeping it on my machine for nothing.

    Dave
     
  9. saintjogn

    saintjogn Guest

    Not exactly bloat, but rather a step towards fulfilling the promise of a different way compared to AVs.

    People here love to beat on AVs and how signatures are not proactive, don't catch everything, blah blah, and imply that products like PG, Online Armor etc. are the answer because they are behavior based.

    But when you dig deeper, you realise PG and similar classes of software don't really help against malware except for the limited class of drive-by downloads which execution protection covers. For the rest, you are basically guessing if something is malware or not based on a singular limited clue (driver install, global hook).

    The promise of behavioral based methods I think has instead appeared in what most people consider traditional AV/AT products like Panda's TruPrevent and A2 squared IDS.

    They are behavior based, but don't bother you with every bit of data. These are also guesses of course, or signatures if you prefer, but at least they are guesses from more sources of info, and more importantly embody knowledge from malware analysts.
     
  10. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    the great thing about panda truprevent is that although its a behavior blocker, it does use signatures.
     
  11. santaclaus

    santaclaus Guest

    Signatures are what make the whole thing valuable if you ask me.

    I really enjoy how, products these days have cleverly shifted the blame (or responsibility if you like) COMPLETELY from the vendor's end to the user if any malware slips through.

    If an antivirus fails to detect a worm, everyone blames the vendor for not having it in the signatures.

    But with so called HIPS that do nothing but alert on every little behavior, it's the users fault because he didn't "respond correctly". In defense of this line of argument, one would even draw a broken analogy with users ignoring Antiviruses warning :)

    Never mind if it's some silly alert that process x is starting 1 second after the user initiated it. As the reasoning goes: "We gave you the *chance* to stop it, why didn't you? It's all your fault, don't blame us. In fact we gave you the chance to stop EVERYTHING that runs on your computer; true, there is no way in hell you would know which out of the thousands of prompts is malware, but that's your problem, we gave you the chance."

    This idea looks promising, let's monitor a million other things, sure we don't know if any of them is likely to indicate malicious behavior, but as long as we can say, we gave the user THE CHANCE to stop it, we are protecting them.

    Any failures we can just blame the user for being a noob, or not doing enough research on the ins and outs of global hooks and drivers.

    Just make sure we don't fall into the trap of actually trying to help users figure out which set of behavior is likely to indicate malicious behavior, that would be silly since

    (1) We would be back to having to *work* at trying to analyse malware though this time in terms of behavior (emulation is too slow and difficult).

    (2) We would leave ourselves open to actually *failing* to detect malware. Why risk doing that? Much easier as it is right now, we don't claim to detect malware, so we and our product can't fail. Only the user can!

    I now understand why TDS was abandoned. Just kidding ;)
     
  12. FirePost

    FirePost Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    212
    I suppose they could add something like "Attack-like", "unauthorized attempts", or "possible malware action", or any other of myriad other terms. It is not misleading because PG monitors and prevents attacks based on those actions. If one does not use the learning mode which is specific for telling PG it is not an attack but a planned change, then one will get erroneous data.
    We do not "know" anything of the sort. We know only that the AV thinks we were "attacked". That ignores the false positives that arise from time to time. The only way this is different from PG, which also tells you what it considered an attack, is that PG also allows you to tell it when something is going to happen.
     
  13. controler

    controler Guest

    From what I am seeing here you think PG should be a set it and forget it?

    If that were the case, you better be able to FORMAT your own system.

    PG needs to be installed on a clean system , PERIOD!!!!!!!!!!!!!!!!!!!!!!!!!

    This means you install all your other crap, then install PG, and if they make it set it and forget it, you will be fine. You will NOT be able to install another program even if you want to.

    I like that. Install your OS fresh, install the other programs you think you need, then install PG. After that expect full protection from PG, no questions asked?

    Ahahhahahahah

    This gets too funny

    controler
     
  14. Chewbacca42

    Chewbacca42 Guest

    "What real attacks" hmmmm me thinks if this program could tell you what a real attack was then you would just use it and no antivirus or anything else :)

    Don't like how it can't be cleared back to 0.. using free version now...

    Just fussy :) clearing it would be good
     
  15. Han Solo

    Han Solo Guest

    Well if all PG promises is that if you don't install anything you can't get infected, we can simply *choose* not to install anything, without using PG. :)

    Yes very funny. A lot funnier is the idea that it is helpful to be told by PG that you are now running a program that you want to run.
     
  16. dboley

    dboley Registered Member

    Joined:
    Aug 21, 2005
    Posts:
    10
    From what I am seeing here Process Guard is yet another program that does something but what it does is being debated. I realize that the problem is Windows and that is caused by Microsoft catering to commercial interests so they can do almost anything to your desktop and other things. These "partners" of Microsoft have been given many paths to allow them to track your usage so that they can Offer You A Better Experience. Because of this catering approach hundreds of little groups (some called companies) have arisen with many being almost as evil as the things they allegedly detect.

    While some who have a bit of knowledge babble on forums with arcane homemade terminology the average user is on their own with no material guidance and no assurance that any of these so called protection programs is not stealing data from them. Sort of makes you feel like the refugees in New Orleans that were left on their own.

    I am not going to spend countless hours learning the dark world of "PC protection". I did not buy this PC to sit here and spend hours sorting out what programs ($$$$) I need to protect myself from the criminals that are let in by a woefully inadequate operating system. I stumbled upon Process Guard and it SEEMS to be the most rational approach. Now I am being told that the program may not be doing anything since there is no proof of performance.

    What many who populate these endless product forums fail to realize is that there is a vast world of people with PCs out there who have nowhere to go for solid advice on what to do. There are thousands of "partial experts" offering advice that leads nowhere except to yet another program that does something but needs something else to complete the protection process. All we know for sure is that the continued use of our PCs for managing our personal and commercial information exposes us to extreme financial loss. Beyond that there is the murky world of security and a totally unregulated industry of people touting programs that will supposedly cure your protection fears. Is Microsoft the only answer for us? Tis a sad world!

    Dick
     
  17. controler

    controler Guest

    Don't get me wrong, I completely agree that not only PG but all security
    software needs to be as user friendly as it can get. I try to look at the package as if I were a new PC user not a veteran of security boards.
    I am not sure however it is always that easy to make a program that can do things perfectly in everybody's eyes, that will be user friendly and keep its best protection.
    I am seeing more and more people here doing their own tests and not just listening to the security forum babble. Believe me, it is not all that easy to test things the correct way. Anytime you test a new product, it should be done on a clean system (with all Windows updates & SP2). This takes time unless you have an image of all that. For instance, install the product before introducing nasties to see how it reacts, then install the product after nasties, which is really more real world related. PG is at present created for a select group.
    Not every home user can just reformat on a whim.

    This is why I've been preaching two things lately. One, to really be sure you got rid of a nasty, you need to reformat; use your recovery CD, which could be your IMAGE software of choice. And the newest winners will be well constructed security suites, NOT a dozen different apps all fighting for the kernel. Then again, what will Vista bring?

    controler
     
  18. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Getting back to the original topic, that statistic is totally irrelevant and misleading. While a count of blocked driver/service, hooks, memory accesses, etc. may be of interest, labelling them all as "attacks" is nonsense. The sooner DiamondCS redress (or drop) this function, the better.
     
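    Added example (not from the thread or from DiamondCS): a small Python script showing what a more honest version of the counter Dave asks for in post 1, and Paranoid2000 describes above, could report. It tallies blocked events by type (driver, service, global hook, memory access, execution), separates events the user adjudicated at a prompt from events blocked silently by policy, and then uses a simple time window after a user-allowed executable launch to flag silent blocks that happened during an install session. The log format, event names, decision values and sample lines are all constructed for this example and are not ProcessGuard's real log output.

```python
"""Break a HIPS 'attacks blocked' headline counter down by event type and by who decided."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (invented format; NOT ProcessGuard's real log output).
# Columns: date time event-type target decision
#   "blocked"      = blocked by policy, no prompt shown
#   "user-allowed" = prompt shown, user clicked Allow
#   "user-denied"  = prompt shown, user clicked Deny
SAMPLE_LOG = """\
2005-08-31 10:00:02 EXEC       C:\\Downloads\\setup_foo.exe             user-allowed
2005-08-31 10:00:05 DRIVER     C:\\WINDOWS\\system32\\drivers\\foo.sys    user-allowed
2005-08-31 10:00:06 SERVICE    FooUpdaterSvc                          user-allowed
2005-08-31 10:00:07 MEMACCESS  explorer.exe                           blocked
2005-08-31 10:00:09 GLOBALHOOK C:\\Program Files\\Foo\\foohook.dll       user-allowed
2005-08-31 13:22:41 GLOBALHOOK C:\\WINDOWS\\Temp\\msx.dll                blocked
2005-08-31 13:22:41 DRIVER     C:\\WINDOWS\\Temp\\msx.sys                blocked
2005-08-31 13:22:42 MEMACCESS  winlogon.exe                           blocked
2005-08-31 15:01:10 EXEC       C:\\Downloads\\putty.exe                 user-denied
"""


@dataclass
class Event:
    when: datetime
    kind: str
    target: str
    decision: str
    in_session: bool = False  # set by tag_install_sessions()


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; targets may contain spaces, decision is last."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, kind, rest = line.split(maxsplit=3)
        target, decision = rest.rsplit(maxsplit=1)
        when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append(Event(when, kind, target, decision))
    return sorted(events, key=lambda e: e.when)


def tag_install_sessions(events: List[Event], window=timedelta(minutes=5)) -> List[Event]:
    """Mark events within `window` after a user-allowed EXEC as part of a user-initiated
    install session. A heuristic for attribution, not ground truth about intent."""
    session_end = None
    for ev in events:
        if ev.kind == "EXEC" and ev.decision == "user-allowed":
            session_end = ev.when + window
        ev.in_session = session_end is not None and ev.when <= session_end
    return events


def headline_attacks(events: List[Event]) -> int:
    """The naive figure the thread complains about: every blocked attempt, whoever decided."""
    return len(events)


def breakdown(events: List[Event]) -> Dict[str, object]:
    """Split the headline into what the user decided and what was stopped without the user."""
    adjudicated = [e for e in events if e.decision.startswith("user-")]
    auto = [e for e in events if e.decision == "blocked"]
    return {
        "headline": headline_attacks(events),
        "by_type": dict(Counter(e.kind for e in events)),
        "prompted_user_decided": len(adjudicated),
        "auto_blocked_total": len(auto),
        "auto_blocked_during_install": sum(1 for e in auto if e.in_session),
        "auto_blocked_unattended": sum(1 for e in auto if not e.in_session),
    }


def report(text: str) -> Dict[str, object]:
    return breakdown(tag_install_sessions(parse_log(text)))


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key:28} {value}")
```

    On the constructed sample, the headline figure is 9 "attacks", but only 3 of those were blocked with no prompt and outside any install session; 5 were prompts the user answered, and 1 silent block fell inside the window after the user launched an installer. The unattended blocks (a hook DLL and driver from a Temp directory, then a memory access to winlogon.exe) are the only ones a user would reasonably want to see reported as stopped threats; the rest are the user's own activity.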
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Hi Dick

    Rest assured that PG is doing its job. This is a somewhat silly debate relating to the fact that PG keeps count of the number of times it stops something and the fact it labels it an "attack".

    It has also turned into a debate about signatures. PG doesn't need signatures in that it knows what is allowed on your machine and challenges anything else. Yes this does put some responsibility on you the user to know what is good or bad. There are some other programs out there trying to solve this by having an online database of trusted programs, but you still have the problem that the database has to be kept up to date, and these programs still require the user to make decisions.

    What people are hoping for is a security solution where they don't have to learn anything or make any decisions. Would be nice in an ideal world, but I am afraid that given the reality of the criminal element now determined to part people from their money, I doubt that ideal will be reached.

    An analogy that seems to fit is that if you want to drive an automobile you have to have a license in most countries, and that requires some basic education and a test. Internet access doesn't require a license, but I am afraid it is going to require people to educate themselves.

    Pete
     
  20. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    You hit on every point, Pete. So now I ask: what's the ideal balance between signatures and user interaction? Also, what's the minimum amount of education in internet security that internet surfers should have?
     
  21. Pollmaster

    Pollmaster Guest

    I don't know the answer. But the amount of knowledge is clearly much higher than what I have. As it stands tools like PG are of limited use to me.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    These are tough questions. Pollmaster, one way to start is when you see an exe name check out what it is by googling it. This isn't a bad way to learn. Problem is this takes time.

    But this leads to the question of time. How much time do you spend doing this.

    The answer to this is very individual and depends on your circumstance. If your computer/internet use is very low risk, the answer might be not much. But if you are like me and your computer is the heart of your business, and you are online a lot, then you might want to invest a significant amount of time.

    As to signature based vs non signature, I can only tell you what I am doing. Not counting firewalls and wireless security, I am running KAV 5.0, RegDefend, Process Guard, Safe'n'Sec and Online Armor. I was running CounterSpy and SpySweeper real time, but I have shut them down. I have cut KAV's realtime protection back to the minimum level from the standard, and am going more with the philosophy of intrusion prevention rather than signature scanning. BUT.... I realize while this works for me, it probably won't work for a lot of folks. BUT.... I also see a lot of the intrusion prevention software companies working toward solving the problems involved in the decision making. Will be interesting to await developments.

    Pete
     
  23. controler

    controler Guest

    Ok how about this.

    Install Windows Shared Computer Tool Kit with SP2 and all updates. I install PG
    set to max. Then try running Brilliant HackerDefender.
    It doesn't get a hold of you.
    If by accident it does, reboot.

    controler
     
  24. I would like to see a program like ProcessGuard released as a part of a new version of KAV. Wouldn't that be great if PG and KAV could be combined in one product? Or perhaps some other top anti-virus company could do it. Then you would get intelligent warnings that we could finally understand, well most of us anyway.
     
  25. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Well KAV2006 (in beta) does include Proactive Defense which gives process and registry monitoring (and currently BSODs nicely if Process Guard is present). It doesn't offer the configurability of PG though, nor the Execution Protection or Secure Message Handling features.

    It should be noted that PG is pretty light on system resources though - KAV is quite the opposite in my experience...
     