DARN it TDS 3 didn't protect me against W32.Gaobot.AFJ infection.

Discussion in 'Trojan Defence Suite' started by tempnexus, May 3, 2004.

Thread Status:
Not open for further replies.
  1. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    My clients PC just got infected with W32.Gaobot.AFJ (symantec def). The infection was not detected via TDS-3, only after I updated the defs of Norton (manual update through a website from another pc since the hosts file of this one was hosed). Come on guys, you made me look bad. :) I recommended this security suite and here they got infected. It's a server it can't afford an infection. :) Yes the execution protection is Running (and was running at the time of the infection). (oh yeah TDS3 was dead, killed by the strain, but when I've ranned TDS3 with the latest defs it did not pickup any Remnants of the strain in the registry even though by CTRL-A I could see the entries the strain has left behind...tsk tsk. :) ) Lost my faith :) Beaten by Norton. :)
    Now I installed BoClean on that PC for extra protection, I guess I can no longer trust one security suite to do the job. :)

    P.S.
    The files are in Norton 8 Quarantine, so I don't know how to get them out. Each time I try to export them all I get is 1kb tabdelimated text file. So if you guys want the sample (it's called win32.exe and it gets deposited in root/system32/) then tell me how to get the darn file out of the Norton Pro 8.0 quarantine and I will do so (and send the sample to you).

    P.S.S
    The TDS-3 got updated right after I restarted it, so the defs were/are up to date and it still can't see it.

    P.S.S.S
    BoClean installed on the server is the owners liceneased copy. It was his own personal copy which I adviced him to purchase for his own laptop. The reason I advice for BoClean instead of TDS-3 is because he wanted a non intrusive, set it and forget it low resource AT system. TDS-3 being a great system but needing actuall user interaction was not the option. So I told him that the server needs TDS-3 because it has a great overall system scanner (as new files arrive I can perform a system scan of all the files) whereupon his laptop doesn't need that. So in order to save the server and all of his files he sacrificed his copy of BoClean to the server....now you know why I don't want him to purchase any more Security software since he allready spent a lot thus Process Guard is not an option. ( it would just make me look like a used car salesman). So for Nancy or Kevin don't worry this is a copy used on only 1 pc (as far as I know). And it's not a large coporation it's an lab so it's not really a business.
     
    Last edited: May 4, 2004
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello, this sounds as quite a story, sorry to hear about it, as normally Gavin works in advance of all the nasties even appearing at all (is the impression at least).
    In most cases it would mean temporary disable Norton to be able to have access to the files zip if necessary and forward them.
    Eventually in safe mode if that is the only way.
    Does this help?
    Did you have TDS configured with all scanoptions and highest sensitivity?
    Was TDS running at the time of the infection? It needs to be running to protect you.
    We hope soon to see Active Guard for our resident protection too.
    Did you have a look at / install Process Guard (on a real clean system only) for more protection, as well as Port Explorer to see all possible connections from suspicious kind with one blink of the eye too?
    The three work fine together, with the firewall.
    How did TDS be dead, was it killed (what can't happen with at least Process Guard protecting it) or was it not started at all?
     
  3. testg

    testg Guest

    Sorry for not loggin in but I am currently at a public terminal and am not too sure how safe they keep it. (from the amount of spyware installed I assume it's not too safe).

    Yes TDS-3 is installed and is told to run in the background (small icon next to the clock). I've also downloaded a script to check for def updates every day at 4 pm EST. The reason for the script being the fact that the server never goes down (or well at least not scheduled :) ).
    The TDS-3 process was apperently killed by the strain. Apperently as soon as it got infected it killed the TDS-3, so Execution protection did not kick in, and from what I can tell the DEFS do not exist for this strain since even on Complete scan TDS-3 did not detect the registry remnants. Yes I terminated the win32 process via TDS-3. IT weird thought but I could start TDS-3 even with the variant running in memory. TDS-3 did a full scan (Everything checkec except NTFS links, the worm/trojan detection was on HIGH, token is on High etc). After the full scan even with the strain in Memory and running (I could see TDS-3 scan over it), TDS-3 found nothing. It is then that I called upon the process list Via TDS-3 and killed the strain process (it would not terminate via CTRL-ALT-DELETE). (Norton was going nuts telling me that Gaobot.blah is running in memory and can't be quarantined...but as soon as the process got killed Norton took care of it). Then I entered CTRL-A looked at the startup part of the registry and removed the remnant entries. Following that I gave the system a full scan via online scanner (BitDefender and Atrend AV...now it's clean). Norton has the strain in Quarantine and I can't seem to find the folder...so if anyone knows the location of Norton Corporate 8 quarantine folder then just let me know...so I can get the file and send it to you.
    I was surprised since the system has Sygate Firewall Pro 5.5 installed and configured...so at first I was like WTF!?! But then one of the coworkers told me that his system got an infection and he had to reformat. It is then that I've realized what happened. I assume since they have the drives mapped (it's a server afterall) and the password gets automatically entered when the system boots so the mapped drives act like real drives, the worm/trojan as soon as it hit the coworkers pc it spread itself through the network and since the server shares were allready openned (Via password) the strain had no problems infecting the server (it was a case like this one why I told my customer to get TDS-3, telling him that the utility will protect him..darn it made me look bad).
    Currently I am running BoClean just to make sure that the system is free of bugs (memory scanning of BoClean is great).
    Does anyone know where can I get a script (that works) which allows for a scheduled scans of TDS-3? The server is always up so I would like TDS-3 to do a full system scan once a day (At night).

    P.S.
    Yeah I've installed Proces Guard but it's the trail so I can only protect 1 process and I choose to protect Norton. I guess I will have to make another choice. :)

    P.S.S
    Once the system got infected the firewall stopped it...actually that is the reason how I knew it was infected since all of the sudden the firewall was aksing me to allow some new process out. It is then that I decided to investigate (seen that TDS-3 is not running made me even more curious).

    Thanks for all your help.
     
  4. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    Ok got it from Quarantine finally. :) Sent it to all the people that matter. :)

    Just FYI KAV detects the strain as:

    Gaobot Strain.rar Archive: RAR
    Gaobot Strain.rar/Gaobot Strain/README.txt Ok
    Gaobot Strain.rar/Gaobot Strain/046C0000.VBN Packed: CryptZ
    Gaobot Strain.rar/Gaobot Strain/046C0000.VBN Packed: UPX
    Gaobot Strain.rar/Gaobot Strain/046C0000.VBN Infected: Backdoor.Agobot.gen
    Gaobot Strain.rar/Gaobot Strain/04800000.VBN Packed: CryptZ
    Gaobot Strain.rar/Gaobot Strain/04800000.VBN Infected: Trojan.Win32.Qhost

    P.S.
    Nod32 even with Advanced Heuritics also stayed quiet as a mouse. :)
     
  5. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    tempnexus,
    Wow...you really know your stuff. I'm not here to give any suggestions or advice because your computer knowledge is over my head. I just wanted to thank you for posting this because it is very educational.

    Jooske,
    What does this mean?
    What do you mean TDS has to be running to protect us? Do you mean that I have to have TDS start up every time windows starts up? I thought that with execution protection enabled that this wasn't necessary. Now I'm really confused.

    Was this really necessary?
    I don't mean to sound rude here, but this poor user comes here in need of serious help and here you come sounding like a commercial. Don't you think there is an appropriate time for sales pitches and inappropriate times. In my opinion, this user's claims are seriously damaging to Diamond CS' credibility and what I'd rather here is an explanation as to why this occured and what within TDS-3 failed to do it's job. Maybe this is a serious wake up call to the developers and urgency needs to be given to TDS-4. Just a thought. I could be wrong.
     
  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Agobot is easily and completely blocked by Process Guard (full version) by enabling block services/drivers so new services cant be installed. Agobot is open source and a serious threat - and despite some advanced .gen detection implemented by virus scanners they still were missing ALL the private versions. Then along came a high profile PRIVATE source Agobot known as Phatbot. Some AV vendors have managed a .gen detection on that too, but how long until THAT will also fail ? Not forever..

    The answer is simply that SCANNERS can only detect so much. The most serious trojans (Agobot is an IRC Trojan, not a worm, not a virus) need real answers, which is why we develop additional security software like Process Guard :)

    The machine also needs to BE PATCHED - I would bet that infection was caused by missing patches, weak passwords, or other running vulnerable services (maybe NetBIOS). Private Agobot builds exploit at least 20 vulnerabilities to find these machines and infect them automatically, which is why AV's call it a worm. Without layered security which includes patching your OS, there will never be any good level of security.
     
  7. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    How many resources does it eat up and do you have to reconfigure it each time you install a new device? Also does it interfere with any other devices? I know some process guards out there can "guard" too much suddenly BSOD the system. :)

    Do you guys offer an Academic Discount? Also isn't PG be included with TDS-4?

    The system was only missing the LSASS.exe patch, currently it's up to date.
    Unfortunatelly the shares can't be killed since that is why this server was setup, it's a local network file server which allows only local computers to connect to it. It also supports VPN but besides that it's a lockdown. The only negative side is it's local network. Since the folders of this server are mapped as drives in other computers connected to it and since Windows on client pc's is setup to automatically relogon to the server and renew the mapping as soon as the server loads then no matter how strong a password is placed upon the shares they are still open (to the local network, btw the password is an alphanumeric 16 symbol).
    Yeah NetBIOS is active since some of the clients are ageing win98 boxes. It's still strange that the file could transfer to the server and execute itself. :)

    The server has a pretty good security or so I thought, today I got proven wrong. Believe me when I told the customer that TDS-3 is the best choice I really meant it, now I don't want to go back to him and explain to him that he needs Process Guard. I mean place yourself in his shoes, he will think that I am attempting a sales pitch. :) He will not understand that I am trying to make it secure. He will most likely ask me. "I thought you said that TDS-3 was great at stopping this kind of thing." :)
    I guess all I can tell him is to wait for TDS-4 so I think you guys are planning on incorporateing PG into that suite right?
    I really thought that the heuritic scanner of TDS-3 would catch the AGABOT.ADSADSFEW#ASDF variants. :)
    Thanks for your help.

    P.S.
    The sample I've sent you from qurantine was pretty much mulled over by Norton Quarantine procedure so I will have to restore the sample tomorrow and try to get a live one. But that would mean takeing the server down for a while since I want to restore it in very limited account and not the server main account...just in case. So be patient. :)
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Very kind of you for allthe work you have to do to get a live sample for Gavin! Thanks in advance in name of the internet community as a whole!

    Email sales@diamondcs.com.au for the academic discounts if there is nothing on the site.
    For the use of Pricess Guard guess you best check the site and the support forum overhere at Wilders, giving some ideas.
    It will not be packed with TDS-4 for the simple reason as it is a tool on it's own and only working on NT/2000/XP systems, while TDS-4 will be intended for all windows versions.
    At adds an extra layer in your protection!
    TDS-3 is better then nothing, ActiveGuard will be the first we're looking for running beside it as the constant protection and yes, Process Guard adds an extra layer in all security like needed these days.
    Once you bought a product, you'll see in your own members area discount prices on your own personal pricelist, so the more products you won, the more discount you get till a certain degree of course.
    With the evaluation versions you can check for yourself what the software does and how it adds to your security.
    Process Guard Free is nice to protect one process to start with.
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Dallan, think your questions are answered in the postings above and yes, TDS needs to be active for the exec protection to work, as explained in several threads recently too.
    In the scan console check all options on both tabs and move the slider on highest sensitivity means what it says.

    You know by now we do believe in layered protection and protection to the maximum possible for which are several tools available working in cooperation.

    I still help people out of trouble who don't know about nor want anything installed on their systems and are surprised about hot stuff popups and their system not functioning anymore and even hard drives beyond repair. (around here in the neighborhood i mean).
    Look in the HJT forum overhere and you see into what even people with some but maybe inadequate protection got themselves. We are talking about systems of respectable value, worth to be protected to the optimum, certainly a server!
     
    Last edited: May 4, 2004
  10. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    Yeah the server has some nice protection going.

    It got Norton Corporate 8.
    TDS-3
    Sygate 5.5 PRO (Properly configured with custom rules and no services that shouldn't be servers are allowed as servers)
    SpywareBlaster
    Spysweeper
    BitDefender Free Scheduled Scan every week.
    Admuncher
    Norton Ghost, ghosting every 2 weeks on a external drives
    RAID 5
    Dual Redundancy Power supply, UPS backup
    Process Guard Free protecting Norton
    Spybot Host File
    And Now
    BoClean



    Yeah but how can I sell him an security option now when a few months ago I told him that TDS-3 was one of the best AntiTrojans out there and he needs it in order to keep his server safe. I told him that Norton will not protect him adequetly against trojans and all of the suden here we have a trojan infection which TDS-3 missed and Norton got. :) So he is kind of iffy about my advice now...kind of bad. :( Oh well I've tried.
    It's good that I offered him a free maintenance for a year that way he won't be pissed. Since I saved the server form further infection without loosing any data or remirroring the drives.
     
    Last edited: May 4, 2004
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I understand your position, and TDS-4 will go a long way to detecting unknown malware before it strikes, but unknown malware will always exist, thus my stance on these things :)

    Configuring and reconfiguring is not very hard, just tick "Block Services/Drivers" and none can install - then when installing new software which requires this access add it to the protection list and give it the privileges to install a driver.

    At least its only Agobot, IRC bots are relatively low risk since they are rarely maintained like a RAT would be. The machine becomes a drone in the GROUP of machines and is not singled out and remoted administered like a machine would be, if it was involved in a 1 on 1 RAT attack, someone remotely connected and spying all the time, browsing through for files.

    The big problem on the other hand is they commonly request CD Keys located on that machine.. lucky its a server and surely noone plays games on it :)
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    My personal view and one I have used before is quite simply that the new threats cannot be covered 100% by any scanner type software that requires regular updates, which is why many new programmes such as Process Guard, System Safety Monitor, Abtrusion Protector and Bitguard (firwall) using process control methods adds the necessary extra level.
    Of those Process Guard uses a kernel mode driver and is very difficult for malware to circumvent thus malware writers usually go fo the easy targets such as closing down your normal security programmes or placing malware in a running programmes memory space.
    As has been said many times before a layered defence is the answer, process protection is now at the very root of these layers for defence against the new threats.

    DCS recognised this some time a go and that is why it was necessary to develop Process Guard as part of their development program for the new TDS range.

    Pilli
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    At the last count there were over 900 different agobot versions actually in the wild

    I have found several new ones in the last week that nothing detected including KAV scanner, but all went to all the antivirus vendors including Diamond, unfortunately since all the "kiddies" have the source code for agobot and a tiny mutation stops automatic detection we are fighting a continual battle with this one
     
  14. Curious0

    Curious0 Guest

    @Gavin

    You have started to emphazise that AT/AV scanners (including TDS-3) are "dumb". I fully agree. However, I find your statement quite unusual since you guys from DCS usually do not bash your own products. On the contrary ... ;-)

    Therefore, I am wondering whether you have something less "dumb" in mind than signature-based scanning (apart from PG). Can we expect some kind of heuristic detection based on the actual behaviour of trojans?
     
  15. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    "Dumb" isn't the right word, but there are natural limitations to detection-by-signature, and many tricks that can be employed to bypass various detection techniques. Scanners are actually quite smart and will detect the majority of things out there (including some modified variants due to generic detection, heuristic rules etc) so although they're not 100% perfect they still definately have a strong place in any security software arsenal. However, for that 1% of nasties out there (advanced rootkits, heavily modified trojans, recompiled open-source variants, etc) a scanner often isn't enough - this is the reality of all scanners (anti-virus, anti-trojan, anti-adware, etc etc), but this is where layered protection comes in -- if for example a trojan was somehow able to bypass detection in your scanner, then there's a good chance it will still be blocked by your firewall (but there are also firewall-bypassing trojans) or Process Guard, and its sockets/traffic showing up in Port Explorer.
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    It must be my english, did not see Gavin stating that "dumb" part?
    Think TDS is not just looking for code and deciding good or bad with that database only, it has some 20 or more ways to detect malware, including generic scanning. Think with all the current DCS tools together you can have your system protected rather tight.
     
  17. Curious0

    Curious0 Guest

    Would you mind to answer the last part of my question as well ? TIA.

    " Can we expect some kind of heuristic detection based on the actual behaviour of trojans? "

    1.
    I wonder whether future scanners will be able to generically detect a non-reverse trojan. You have already developed a concept:

    "Nearly all trojans have one thing in common - they sit alive on your computer, running in the background as an invisible process (no windows, no taskbar icons, or anything visible on-screen), with a socket listening on a port (usually TCP). It's these characteristics that Port Explorer zeros in on."

    (In addition, such trojans are usually autostarted via the registry.)

    2.
    Most DLL trojans, code-injecting malware (e.g. Leviathan) & some rootkits (e.g. Aphex) can be detected/stopped with the help of a CreateRemoteThread blocker (like PG).

    3.
    Driver based malware (e.g. HackerDefender) can be stopped by PG as well.

    4.
    Are there any ways to detect the "rest" like non-DLL reverse trojans or statically injected DLL trojans?

    5.
    Can such features be unified under a single interface so that you simply press "search for malware" and all signature-based & behaviour-based detection methods will be applied at once?
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Interesting idea of one multi-layered protection tool (if it only were possible with all those different windows versions) installing on all possible and needed levels at a time and either one press on the button search - clean - protect - search for new potential malware. Complete anti malware suite.
    I'm one of the many getting rather annoyed of the new malware threaths each day and unfortunately they force to new concepts and tools in detection, it is not simply update a database for new nasties, also new ways and approaches need to be developed.
    You did look at the free tools as well i guess?
     
  19. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi Curious,

    We will continue working on stopping all major threats that land in our ballpark - that is, trojans and worms. The only real big threat left then would be Adware :)

    We will be working on heuristics, thats for sure. There are plenty of ideas like the hidden sockets one in PE which we can use to our advantage..
     
  20. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Folks, what am I missing here? Let me first apologize for my ignorance, as I am definately a novice when it comes to understanding these complicated and sophisticated applications. I also want to say how bad I feel about TEMPNEXUS' prediciment :'( - I also invested in TDS-3 thinking it was almost invincible.

    From what I've read about Process Guard, it is my understanding that it protects against malware shutting down a critical process, such as TDS-3 in this unfortunate case. Obviously, TDS-3 can't detect something if it's not running.

    However, as stated above, even after TEMPNEXUS got TDS-3 back up and running with all options enabled, it still didn't detect any traces of the bad guy on his server.

    So what I fail to understand is how Process Guard is going to help here? If TDS-3 can't detect the worm when it's running, how is Process Guard going to help by keeping TDS-3 breathing? o_O

    Also, something TEMPNEXUS stated above gave me the impression that this worm wrote data to the registry.

    Will Registry Prot (free app from DCS) not have effectively blocked this activity, and possibly the infection as well?

    And finally, Pilli states:

    I've been seriously considering Abtrustion Protector. Seems to me this app would cover a lot of ground. Probably would have helped TEMPNEXUS, and based on how it works, negate the need for Process Guard.
     
    Last edited: May 5, 2004
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hold this in mind, when it comes to advice about advanced software and complicated problems

    We all do and are looking for reasons to avoid repeats and filling the holes for that.

    We all did, i since 1999, and we are, by lack of better. Waiting for the ActiveGuard and we will be even muich better.

    ProcessGuard was not installed at all on the system, so TDS could not be protected with that at that time. A closed program can't detect anything, equal with any scanner.

    Not sure, other variant? Gavin explained clearly about variants here, so if the nasty is found by any scanner or TDS mentiones it "suspicious" do submit the find immediately submit@diamondcs.com.au as it can be a variant, it can be a false positive, anything!

    You're mixing two things.
    Process Guard has nothing to do with TDS, a very different program, doing all different things, protecting processes from termination by anything you configure, not going after malware detection. So it does not need updates for trojan databases, it works all different.
    At the time of the problem there was no Process Guard installed so it was not involved, could not protect a system on which it was not running at all.
    At this point we need to know what was able to get TDS closed; i close at times a program when clicking a series of X-es till i see that was one too many so it can have been done by the user, it can have crashed for some reason, it can have been closed or killed by a nasty. That has to be found out, before jumping into conclusions.
    If TDS processes are protected by Process Guard, it will be protected from any of such terminations, so yes, Process guard would have protected it.

    There was nowhere in TEMPNEXUS story RegistryProt was installed and failing as well. At this point just let's hope in a next occasion it is installed and does protect adequately.

    You should have read Pilli's next line too, where Pilli described the all different approach of the kernel based protection of Process Guard against other software; we do know Process Guard is the only one doing this as it's a very complicated process. So the most central protection one can have.

    Now back to your first statement:
    Hope my explanation added somewhat, even though i used the easy explanation, not being an expert myself. We learn all day!
     
  22. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hi Jooske - Regarding Process Guard, my question again. In the scenario above, if Tempnexus had that application installed and running (and I realize it was not), what would have been the benefit? Previous posts have tried to sell Tempnexus on Process Guard, but I fail to believe it would have made a difference here. In this scenario, if your suggesting that Process Guard would have prevented the worm from disabling TDS-3, I submit that the end result would have been the same - infection! Because afted Tempnexus restarted TDS-3, it FAILED to detect the presence of the worm, which at this point Tempnexus knew was already there.
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
  24. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Jooske - So your saying that benefit of Process Guard here would be preventing another process from starting / loading? I apologize then. I was unaware Process Guard possessed this ability. I thought it only protected currently running processes from being forcefully stopped.
     
  25. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Dazed_and_Confused, Process Guard does a lot more than just prevent processes from being stopped.
    It also does an MD5 checksum of every programme that you run and notifies you if and when that program is changed. i.e if malware mangaged to change a programme that is not running, when it is started PG would alert you that the program had changed.
    Process Guard is the only kernel Mode driver based programme with this capability as far as I am aware.
    Abtrusion protector and SSM have been dropped by many Process Guard users because of Process Guards more complete cover against the new malware threats.
     
Thread Status:
Not open for further replies.