Are PG Protection Statistics Misleading?

Discussion in 'ProcessGuard' started by worldcitizen, Aug 31, 2005.

Thread Status:
Not open for further replies.
  1. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    On my system, blocking a program from starting does not increase the number in my Protection Statistics. From the above, I would have expected your count to go up by 2 even though you had 4 more log entries.
     
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Tests, such as the AV tests, are probably the worst way to verify the ability of programs. These tests are based upon "already happened" events and all that is being verified is that an AV product can detect an event that already occurred. For most people this is "too late".

    Luckily, PG can be verified in a much more basic and predictable manner. PG's capabilities can be verified at an "architectural level" - that is, whether it indeed monitors the events that it is supposed to be monitoring, and whether it correctly "alerts" on all occurrences of these events. As far as can be determined at this point, PG is in fact doing this. Should someone come across a case where an event that PG is supposed to alert on occurs, and PG doesn't alert, then we can say that PG has a bug and is not doing its job. At this time, no such breach in PG has occurred. So we can say that PG is doing its job.

    Now, it is true, that there are people who do not want to be alerted whenever a critical program changes or a new program is introduced into the system, and for these people PG is probably inappropriate. But for those who do want to monitor all changes to critical programs or newly introduced programs, PG is extremely beneficial.

    I am like others on this forum. I have much more trust in programs that provide me with positive alerts on all important changes to my system, so that I can make the decision on whether to allow it to happen, than I trust programs where some other person in some software company (e.g. MS) is making this decision for me (via signatures).

    Yes, most definitely, DCS should change their counter from "attacks" to "alerts" as RegDefend does.

    Rich
     
  3. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    Look at the logs.

    (unless the free version doesn't provide logs, in which case, buy PG, then look at the logs)

    Jim
     
  4. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    I bought PG to replace my AV, not to look at logs. Unfortunately my logs are not saved because I use Deep Freeze. Anyway, I had a look at today's log. What do you want me to do now?
     
  5. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I guess I don't see replacement of an AV with PG as a necessarily wise direction at this point in time, especially if you use DeepFreeze. Perhaps in the future, but not at the current state of development and product scope. Just my personal opinion...

    Blue
     
  6. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    Hi SpikeyB
    The logs show which 'things' have been blocked from doing something, supposedly they support the total on the Alerts page. But they don't, and you're absolutely right, I expected the count to go up by 2 (not 4, in the post above: there were 2 allows and 3 blocks), but it didn't, leaving me wondering why? Wondering what the count is a 'count of'.
    I did some more sleuthing and found that, for all the counts of different things blocked, I could not rationalize anything. What I mean is that (preferably) the sum of all alerts is equal to the Alert page count, but if not that, then at least some of the individual counts should add up to the Alerts count. They didn't, so to me the Alerts count is 'wrong' at this point. Or I don't know what's being counted. My figure of 154, which is now 156 with the 2 new ones, may represent counts from other months, for a smaller number of types of blocks. I just don't know. And the Help file doesn't help explain this.

    Now as to replacing your AV with PG, I wouldn't do that. Keep both. The AV will catch most, maybe all. PG is the insurance policy in case something gets by the AV or is introduced some other way, such as from a CD for a new application. Just recently there was some noise about Creative releasing a CD for their product that 'somehow got a baddie on it' and they're rushing to get a clean CD to their customers. So, keep the AV. And keep PG. And, look at the logs, you may see where you need to revise your configuration a bit.

    Enjoy, be happy, and most of all, be vigilant,

    Jim
     
  7. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    Thanks Blue and JW Clements

    I've only replaced the real time component. I still have on-demand for downloads and e-mail attachments. The logic behind the decision is given in this thread: https://www.wilderssecurity.com/showthread.php?t=92487
     
    Last edited: Sep 3, 2005
  8. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    SpikeyB, I did get your PM, but thought that I'd publish my stats here.

    I imported my September PG log into Excel, had to move some data around to make sense of it and then ran totals as follows:
    count = 2 blocked from accessing physical memory c:\appssoft\security\ssd\spybotsd.exe
    count = 15 blocked from running c:\program files\java\j2re1.4.2_06\bin\jusched.exe
    count = 2 blocked from running c:\winnt\hh.exe
    count = 1 blocked from running c:\winnt\system32\winhlp32.exe
    count = 124 blocked from running f:\appssoft\msoffice\office\1033\msohelp.exe
    count = 26 blocked from terminating c:\winnt\system32\cidaemon.exe by c:\winnt\system32\cisvc.exe
    count = 3 blocked from terminating c:\winnt\system32\spoolsv.exe by c:\winnt\system32\services.exe
    count = 8 Tried to modify an existing driver/service named vsdatant by c:\winnt\system32\winlogon.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Diamond Computer Systems\ProcessGuard v3.0 value name is AlertCount, and mine still says 154.

    the largest total is blocked from running = 142
    eliminate that total from the Alerts total of 154. (this is prior to the extra two)
    154 - 142 = 12 which is less than blocked from terminating (26 + 3 = 29)
    so the difference must come from any others, which are:
    2 + 8 = 10 which is not enough to cover the 12 required.

    As you can see, nothing adds up, like when someone says they have $.47 and only have quarters and dimes and nickels. No pennies to make $.47.

    If there is some portion of the Alerts Count that applies to other months' logs, then it becomes more impossible to rationalize. DCS needs to explain.

    Hope this helps but I'm not sure it can, it hasn't helped me understand.

    Jim
     
  9. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    I would count that as 39 (2+26+3+8) attacks because the "blocked from running" don't count as attacks.

    As far as I am aware, the Protection Statistics count from the day the program is installed, so it will be higher than for the September log alone.
     
  10. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    SpikeyB,

    I guess I still wouldn't be completely comfortable, but if I was heading in the DF direction, I guess I'd try for the integrated solution with running AntiExecutable along side DF, but this is nominally off-topic in the current thread, which is focused on PG and its detection statistics.

    Maybe I'm a bit of a throwback, but I only appeal to logs if I sense an ongoing problem. For assessment of performance, I use a combination of any publicly available test (formal or informal), compatibility with my system, and infrequent personal challenge-response testing.

    Blue
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    First, you're absolutely right, what I do isn't "important", only an example of an approach that frankly wouldn't work for many people. I recognize that. You are also quite right you can go the other way with scanners, and I have been that way. You are right you are fine, but I found for my machine setup that approach was much more of a burden on the computer than the current approach.

    But figuring out what works shouldn't be that hard. I install a new program or update one and PG alerts me. If I haven't given it permission to install global hooks, it challenges it. One of the dangers in IE is the use of hidden windows. Every time IE goes to open an extra window Safe'n'Sec alerts me to this potentially dangerous action among others. Any time an applet or ActiveX item tries to run Online Armor alerts or blocks it. This is why I say it isn't hard to figure out that these programs are indeed working. And yes, occasionally when I've wandered into questionable websites, they have indeed protected me.

    As to the fact I beta test for these products, let me just explain the relationship, so there is no doubt. I've only gotten involved with products that I see as having a real value to me. Based on that I've purchased them. I have paid licenses for all of them and then, because they have value to me, I have chosen to involve myself with improving them via beta testing. So no, I don't run them because of testing, but test them because I run and value them.

    Pete
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Comparing the logs and the "attack" count needs to be done with a bit of care. I never bother resetting the counter, but with the logs, I delete them regularly. If you are going to compare, you need to be sure of what you are counting in that respect.
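
    The reconciliation jwcca did by hand in Excel (post #8), SpikeyB's rule that "blocked from running" entries are not attacks and that the counter runs from install day (post #9), and the reset caveat above (post #12) can be carried out mechanically. The script below is an added example written for this page; it is not ProcessGuard code and DCS never published anything like it. The one-event-per-line log layout, the constructed sample lines and all function names are assumptions made for the example, since the thread does not show PG's real log format. Only the per-category totals and the registry value name come from post #8.

    ```python
    """Tally ProcessGuard-style block events by category and test whether any
    combination of category totals explains the cumulative AlertCount, which
    is the arithmetic jwcca did by hand in post #8.

    Assumptions (not from the page): the one-line-per-event log layout below
    and the helper names are made up for this example; the real ProcessGuard
    v3 log format is not shown in the thread.
    """
    import itertools
    import re
    from collections import Counter

    # Constructed sample log in the assumed layout:
    #   <date> <time> <category>: <target>[ by <actor>]
    SAMPLE_LOG = r"""
    2005-09-02 09:14:01 blocked from accessing physical memory: c:\appssoft\security\ssd\spybotsd.exe
    2005-09-02 09:15:22 blocked from running: c:\program files\java\j2re1.4.2_06\bin\jusched.exe
    2005-09-02 09:15:40 blocked from running: c:\winnt\hh.exe
    2005-09-03 10:02:11 blocked from terminating: c:\winnt\system32\cidaemon.exe by c:\winnt\system32\cisvc.exe
    2005-09-03 10:02:12 blocked from terminating: c:\winnt\system32\cidaemon.exe by c:\winnt\system32\cisvc.exe
    2005-09-03 11:30:05 tried to modify an existing driver/service: vsdatant by c:\winnt\system32\winlogon.exe
    2005-09-04 07:45:59 blocked from running: f:\appssoft\msoffice\office\1033\msohelp.exe
    this line is not an event and must be skipped
    """

    # Per-category totals jwcca reported for his September log (post #8).
    POST8_CATEGORY_TOTALS = Counter({
        "blocked from accessing physical memory": 2,
        "blocked from running": 15 + 2 + 1 + 124,
        "blocked from terminating": 26 + 3,
        "tried to modify an existing driver/service": 8,
    })

    # Per SpikeyB (post #9): a blocked launch is not counted as an attack.
    NOT_ATTACKS = {"blocked from running"}

    LINE_RE = re.compile(
        r"^(?P<day>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} "
        r"(?P<category>[^:]+): (?P<target>.+?)(?: by (?P<actor>.+))?$"
    )


    def parse_log(text):
        """Return one dict per recognised event line; other lines are skipped."""
        events = []
        for line in text.splitlines():
            m = LINE_RE.match(line.strip())
            if m:
                events.append(m.groupdict())
        return events


    def tally(events):
        """Count events per category, the totals jwcca built in Excel."""
        return Counter(e["category"] for e in events)


    def attack_total(counts):
        """Total of the categories that count as attacks under SpikeyB's rule."""
        return sum(n for cat, n in counts.items() if cat not in NOT_ATTACKS)


    def subsets_matching(counts, alert_count):
        """Every set of categories whose totals sum exactly to alert_count.

        This is the "quarters, dimes and nickels" check from post #8 done
        exhaustively: an empty result means no combination of the logged
        categories can explain the counter.
        """
        cats = sorted(counts)
        return [
            combo
            for r in range(1, len(cats) + 1)
            for combo in itertools.combinations(cats, r)
            if sum(counts[c] for c in combo) == alert_count
        ]


    def reconcile(log_text, alert_count, counter_reset_at_log_start):
        """Compare one log window against AlertCount.

        Peter2150's caveat (post #12) applies: the counter is cumulative until
        reset while logs get deleted or rotated, so the comparison only means
        something when both cover the same window.
        """
        counts = tally(parse_log(log_text))
        result = {"counts": dict(counts), "attack_total": attack_total(counts)}
        if not counter_reset_at_log_start:
            result["status"] = "incomparable"
            return result
        matches = subsets_matching(counts, alert_count)
        result["status"] = "matched" if matches else "unexplained"
        result["matches"] = matches
        return result


    def read_alert_count_from_registry():
        """Read the value jwcca located (post #8). Windows only; None elsewhere."""
        try:
            import winreg
        except ImportError:
            return None
        try:
            key = winreg.OpenKey(
                winreg.HKEY_LOCAL_MACHINE,
                r"SOFTWARE\Diamond Computer Systems\ProcessGuard v3.0",
            )
            value, _ = winreg.QueryValueEx(key, "AlertCount")
            return value
        except OSError:
            return None


    if __name__ == "__main__":
        print("post #8 totals vs AlertCount 154:",
              subsets_matching(POST8_CATEGORY_TOTALS, 154) or "no combination")
        print("post #8 attack total:", attack_total(POST8_CATEGORY_TOTALS))
        print(reconcile(SAMPLE_LOG, 4, counter_reset_at_log_start=True))
    ```

    Run against jwcca's September totals the subset check returns nothing for 154, which is the "no pennies" result of post #8, while the attack-only total comes out at 39, SpikeyB's figure. The `counter_reset_at_log_start` flag encodes the caveat from post #12: unless the registry counter was zeroed when the log window began, the function refuses to compare the two at all rather than produce a misleading match.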
     
  13. poll2

    poll2 Guest

    Don't get me wrong. I'm not saying you support these products because they are paying you, or that you get them free. I'm talking about emotional reasons. You are clearly proud of being an "official beta tester".
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Dave

    Frankly I am a bit puzzled by this. Dropping the semantics of terminology, let me ask by example. I use Microsoft Office and Outlook. Outlook.exe is obviously a key program. When I do an Office update and see a new version of Outlook.exe wanting permission, of course this isn't an attack. But suppose I visit Miss Frilly Jane's website, and a little while later PG pops up and says Outlook.exe has changed, do you want to allow it to run. Clearly I would call this an attack, but what is the malware? I don't know, but I do know (hopefully) I've got a big problem that isn't going away. The need to know depends on how you can respond. If you have to scan and clean you then probably will learn the malware and see if you can clean it. Might have to reinstall Office. In my case I would restore with First Defense. Just depends on the situation.

    Conversely, every now and then KAV (or other AVs) flags a file as containing xyz malware. First, I never let the AV delete anything. I will note what it is and watch my system closely, and then after the AV updates, check again. So far in each case the AV FP has gone away.

    Are both programs doing their job? I would say yes. Does knowing what the malware is help? Obviously once infected the answer to that is clearly yes. But if the infection is blocked as in the first example, why does it really matter?
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay I'll plead guilty to that, and why not. I enjoy helping make good stuff better.

    Not to stray too far off topic, but let's just say there is both a big upside and downside to this beta testing thing.

    One of the products is planning a release of some new and neat features. I chose not to reveal which at this point.

    Downside: First beta of the new version was crash city on my machine. A pain.

    Upside: Second beta is running slick and I have the new protection features now.

    If you enjoy beta testing and can, you should give it a try. Just be aware going in of some of the difficulties.

    Anyone curious PM me as this really is sort of off topic
     
  16. poll2

    poll2 Guest

    No problem, but IMHO it also makes the opinions of "betatesters" a little suspect. They can't really help it.

    Especially those who are closely associated with the companies working in closed betas.



    Not curious, I've done it quite a bit myself, that is why I can understand how it feels. People give me copies of software and request that I write a review for example.
     
  17. dboley

    dboley Registered Member

    Joined:
    Aug 21, 2005
    Posts:
    10
    I fail to see the reason for expending time discussing one counter that clearly counts good and bad. This is silly. If it was not there, how many of you would have demanded it. This is one reason many producers of programs do show extensive information that only 10% of their customers have any interest in.

    Maybe the author can simply delete it for the short term and efforts can move on to something useful. Things such as what can sneak past Process Guard? How can Process Guard become more user friendly? How can more meaningful statistics that are less "raw" be produced?

    This counter thing is trivial at best. The producer of the software needs to widen the market for the program. There is a need to improve the user interface to allow it to be more intuitive to use Process Guard. If the market is not extended support will go away as the team seeks more fertile avenues. It is in your self-interest to make Process Guard better. To rant over a counter that is totally a non-functional element, is _______________________.

    Dick
     
  18. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    Quite right, but not friendly, I think. Ignore threads that bother you this much. Personally, I learned to ignore the counts long ago. But someone had a concern, and in this forum, people listen and try to help. Your concern for 'improvements' in PG is shared by many; others are quite happy with it as it is. They don't challenge you to stop expressing your ideas, and you've hardly contributed anything new.

    Jim
     
  19. dboley

    dboley Registered Member

    Joined:
    Aug 21, 2005
    Posts:
    10
    Jim,
    I heartily apologize for offending you in any way. You are obviously an individual that is sensitive to the content of messages that may, in any way, contain offensive or challenging view points. I assume that you are the manager of the forum or at least a senior and respected member that has assumed the role of filtering out undesirable messages. Perhaps the forum can make a formal appointment of you to act as a filter to prevent further breaches of etiquette. Or perhaps you could head a lobby for a task force that is empowered to censor insensitive posts, such as mine, before they assail the eyes of others.

    I shall refrain from further postings until such safeguards are in place.

    In closing, I only hope that Process Guard is improved in a manner that attracts a larger market so that it will be continued as a supported product. Yes, the counter is broken and so is the logic that discusses it.

    Regards from,
    A paying customer that is offensive
     
  20. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    Your last post was very friendly and appreciated, so I hope you do participate. It was the word "silly" that was a bit out of place.
    Good constructive comments and suggestions, and helping by sharing knowledge and experience, are really quite rewarding. There are a lot of folks with much less knowledge and that can sometimes be very worrying to them. When one thing doesn't look right, then they may think that there's more that's not right.
    But, undaunted, I will clear my logs and I will clear my registry counter, just to learn a bit more, just in case I do want to watch the 'counts' someday.

    Keep near,

    Jim
     
  21. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I would hope no one except a select few would carry that opinion. IMHO....those that feel the opinions of "betatesters" are suspect just because they are Betatesters would more than likely question that the Sun rises in the East :eek: Heck....we are all Betatesters in one form or another which means all opinons would be suspect :doubt:
     
  22. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    I guess partial would have been a better word than suspect.
     
  23. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Everyone, I feel, has their biases, partialities, perspectives, leanings, etc., and I recognize that. No problem, as far as I am concerned. However, I have chosen to completely ignore "anonymous" opinions. For me, this is really "suspect". Could be a developer of a competing product. A programmer/consultant with definite economic interests. Someone who just likes causing trouble. Whatever. Anonymous to me equates to ignore.

    Rich
     
  24. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Everyone champions their favorite software, whether they have a rapport with the developers or not. As long as people can keep it in perspective, and realize that their favorite isn't necessarily the best for everyone, I see no problem with it.. these forums are all about opinions, after all, and everyone is entitled to theirs.

    I tend to agree.. not entirely, but for the most part.

    As for the attack stats.. I tend to think that anyone really using PG will understand what it's about, although it certainly wouldn't hurt to add in the word "potential".
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Poll2

    I can't change your mind if it's made up, but consider this before you consider my (or any beta tester's) opinion. If you read some of my other posts you would see I was also running the Prevx1 beta (this is a public beta) but dropped it, because, as I stated, it was annoying me. Again I have the license, and I did work with them. Just didn't like the direction.

    Also, if I told you support from these companies was excellent you would probably also consider this to be suspicious, but all threads on Wilders would lead one to reach the same conclusion. (I'll bet someone's going to jump here because of TDS, but if you look at the whole record....)


    To round out my participation in this thread: I started beta testing on PG 1.3, because it had problems on my machine. A whole crew of testers beat on PG testing through many, many versions on the way to 3.15 as it currently stands. A lot of people trying to break it. The counter was added at the very end almost as window dressing. I can understand Bubba being suspicious of the motive, because frankly the whole thing is almost silly.

    Cheers one and all,

    Pete
     