Best replacement for Process Guard

Discussion in 'other anti-malware software' started by david banner, Nov 25, 2007.

Thread Status:
Not open for further replies.
  1. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    576
    I have PG 3.410 free version but I now undestand it is not supported. What is the best free replacement? Mostly I used it to block exe.s and to prevent termination of programs in the task manager. It was a bit of a nuisance in the latter when I needed to terminate but I liked it.

    Is PG a HIPS program? Also I do not understand why it needed support, does it not still work? I thought it best to start a new thread on this, hope that is Ok
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    If you read posts by fcukdat who tests malware and drive-by sites with PG, you will see that no executable gets by PG. No need to upgrade if this is your primary use.


    ----
    rich
     
  3. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    576
    Thanks , that is my primary use. As a matter of interest what does the upgrade cover?
     
  4. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    576
    Thanks , that is my primary use. As a matter of interest what would an upgrade cover? The anti hooks? But that was not in the free anyway
     
  5. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    If you were going to Vista, or you had the paid version, you would need support. Changes in platform or advances in malware technique (such as driver installation etc) would necessitate modification to the prog. However the primary function of PG free is execution protection, and if the malware doesn't run it won't be installing services; so PG free is still OK to use on XP.

    If you wanted to check other apps then ProSecurity and SSM both have free versions worth considering.
     
  6. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,300
    Location:
    South Wales, UK
    Would agree with TopperID re. SSM and ProSecurity. I used to use PG but change to ProSecurity (initially free but the to the paid version) as I felt that PS is closer to PG in terms of appraoch when compared to SSM. But both are excellent programs.

    Another one to consider is EQSecure which is currently free...and seems to have a very good press from those that have tried it in depth. If you want to try it you will need to search around for an English page from which to download it (as it is a chinese product...try from here:

    http://www.eqspywatch.com/download/EQSysSecureSetup.exe)

    but if that does not work then that should not be too hard via Google.

    You can get an explanantion on how to configure it from the following link (courtesy of Kees195:cool::

    https://www.wilderssecurity.com/showthread.php?t=170691

    I have had a look myself and it certainly looks interesting.

    But as with all these I would recommend that you downlaod and try out fpr yourself as each has its peculiarities that do not suit everyone.

    Good luch:D
     
  7. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    576
    Is it safe to remove task manager from the protection of PG? I cannot terminate a program when the computer hangs and have to reboot. Would it be enough to have the programs themselves protected rather than have task manager protected or is there a way around that
     
  8. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    576
    Is it safe to remove task manager from the protection of PG? I cannot terminate a program when the computer hangs and have to reboot. Would it be enough to have the programs themselves protected rather than have task manager protected or is there a way around that

    Edit: I am getting a message about waiting 60 seconds to post but is about an houra go I posted.
     
  9. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
  10. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I'm not entirely sure what you mean but I am assuming that you want to be able to terminate processes using Task manager. If that is the case, then you need to give Task manager rights to terminate protected processes.
     
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Do you mean you have TM set to run once in the Security tab? Or perhaps you mean you have denied TM the right to Terminate in the Protection tab? Either way there is a perfectly good way around it.

    Just navigate to taskmgr.exe in Explorer and make a copy of it. Paste this copy to an entirely new location (say a new folder in Program Files) and rename it in any way you wish. Finally make a shortcut, on your desktop, of the copy so you can run it from this. Now you can tie the orignal TM up in security knots 'cos you will be using the copy and malware will not be looking for that. The only downside being if you needed to use alt ctrl delete (Process Explorer can be configured to replace TM in that regard).

    Actually all you need to do is grant TM permission to Terminate and then set it to 'Run Once'; that should stop it from being exploited - though if malware is not allowed to run it can't exploit anything, unless you are thinking of a script which of course PG would not block.
     
  12. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    576
    But can the malware terminate a program in ProcessExplorer?

    Thanks everyone who rsponded find it dificult to keep up becaue I just had a hang coud not terminate had to reboot

    Think I will get the PE fcukdat would not want to be drunk typing that:D
     
    Last edited: Nov 25, 2007
  13. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    In all theories specifically coded malware could perform that action if it is able to go native/live but then it would have to target PE directly for manipulation.

    If the code is targeted at TM then PE will not be adversly effected as it operates independently of TM.
     
  14. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,300
    Location:
    South Wales, UK
    Let me put it this way...I never protected TM using PG. If a program is protected against termination by PG or PS (which I now use) then TM would not be able to terminate it anyway...so what protect TM from malware code that whilst theoretically possible has yet to be produced (and it is dubious that any one would waste the time to produce as there are cleverer way, so I am told, of achieving the same thing).

    Just my thoughts on the subject.:D
     
  15. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    576
    My mistake. Thanks for your reply
     
  16. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    576
    My mistake. Thanks for your reply

    sorry posted twice I keep geting message to wait 60 seconds, even tho it was more so did not realise had posted. Thanks to all for the info re terminations etc
     
  17. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    576
    Hi TopperID

    "perhaps you mean you have denied TM the right to Terminate in the Protection tab? Yes

    "Now you can tie the orignal TM up in security knots 'cos you will be using the copy and malware will not be looking for that."

    Did that but it will not terminate. I changed its name and put in program files Says access denied

    Thanks
    David
    PS sorry about double posts see it happened several times
     
  18. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    576
    I have Process Explorer now. This does not install? Where should I run it from or does it matter? I have dozens of instances of a screensaver in PE and task manager though it is not running. It seems every time it tries to run PG blocks but still it appears in the process tab of task manager
     
  19. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Just a personal setup choice of mine.I extract it to its own folder in Programme directory.On first time opening the main exe you get the EULA screen before opening the software.After this goto *options* tab of PE and select replace Task Manager. From now on Ctrl+Alt+Delete= PE:cool:

    Not 100% what is causing that for you,it might be a conflict of installed software.Can you kill these multiple incidents with PE ?
     
  20. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    576
    On first time opening the main exe you get the EULA screen before opening the software.After this goto *options* tab of PE and select replace Task Manager. From now on Ctrl+Alt+Delete= PE

    I missed that, can I go back tp it. And I cannot get the help file to open, it says page cannot be displayed


    Can I make a shortcut instead of Ctrl+Alt+Delte. Always got task manager by right clicking in the task bar OK got it thru GUI right click on tm now PE

    Can you kill these multiple incidents with PE ?
    No only one at atime would take ages, anyway I had to reboot and they are not running yet


    Why are some processes pink/blue/yellow? Can'rt kill in PE PG says access denied, evn though PE not entered. Will it take the settings for task manager from PG?

    Thanks
    David
     
    Last edited: Nov 25, 2007
  21. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Have you tried through software help tab or the procexp.chm file in the PE folder.

    Yep you can shortcut it to your desktop:thumb:
    Right click on procexp.exe file>>>send to>>>desktop(create shortcut)

    <Process Explorer uses difference highlighting to help you see what items change between refreshes. Items, including processes, DLLs, and handles, that exit or are closed show in red and new items show in green. If the refresh rate is not paused the highlighting remains in effect for the interval specified by the Options|Difference Highlight Duration dialog, which has a default value of 1 second. If you pause the display the difference highlighting is in effect only until the next time you manually refresh>

    <snipped from PE help file>
     
  22. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    576
    Have you tried through software help tab or the procexp.chm file in the PE folder.

    Yes but it says the program cannot display the web pagepage when click each topic. and I can't terminate protected programs from it
     
  23. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    No you will have to configure procexp.exe permissions for PG to allow PE to terminate <kill process>

    For this goto protection tab of PG.Select add application = procexp.exe

    Authorize it to terminate,modify and read.
     
  24. david banner

    david banner Registered Member

    Joined:
    Nov 24, 2007
    Posts:
    576

    Authorize it to terminate,modify and read.[/ Done now

    I understand now, won't terminate protected progs? Is that right?
     
  25. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    PE should now be a process killer(even protected ones):thumb:
     
Loading...
Thread Status:
Not open for further replies.