DARN it TDS 3 didn't protect me against W32.Gaobot.AFJ infection.

Discussion in 'Trojan Defence Suite' started by tempnexus, May 3, 2004.

Thread Status:
Not open for further replies.
  1. "Process Guard is the only kernel Mode driver based programme with this capability as far as I am aware."

    TPF can do that, too. ;-)
     
  2. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    Yeah, all I had was Process Guard FREE, protecting just Norton Professional 8.1.
    I just installed Abtrusion Protector on that system, want to test it out, see if it will get in the way of their daily routine. (They do VPN). If that goes fine then I might as well look into it a bit further.

    I don't want to get Process Guard since it's $30.0 and he will not spend more than $20.0 on a security software (he feels it's not worth it, after all he already spent about $300.00 on it and the system still got nailed, thus he said $20.0 is the max otherwise we will just ghost it). Thus if I were to install PG I would have to pay out of my own pocket, and I don't care much for that. :) I've already given him a free maintenance for a year and that is enough. (I thought that with TDS-3 I wouldn't have to spend much time cleaning up the trojan mess, I guess I was a bit wrong :), but that's ok I mean there is no way to protect against everything. I know that since I've been in this for quite a while...but he doesn't, he doesn't know much about security so well ignorance is bliss and with ignorance one thinks that everything is easily fixable and/or easily preventable). I am glad he had the firewall or otherwise no one knows what could have happened to the system. :) Also I could have overlooked the fact that it was infected, since it was the firewall program exit request that piqued my interest.

    The TDS-3 apparently was not killed by the user, since the system is on a KVM switch so it's rarely used.
     
  3. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hi, Pilli!

    Thanks for the info. So can you specifically tell me what would have happened in the above scenario if Tempnexus had Process Guard running, and how it would have PREVENTED the infection? In other words, would it have:
    1. Alerted the user that an unknown process is starting, and ask if the user wanted to allow it? or...
    2. Determined a process was trying to add something to the registry and asked if the user wanted to allow it? or...
    3. ??
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Tempnexus Wrote:
    So $400 is a cheaper alternative?

    From the AP Pricing page:

    Abtrusion Protector™ is licensed on a per computer basis. For non-commercial, personal use, the product is currently free of charge (click here for all the details).

    For corporate use, Abtrusion Protector™ is licensed at a price of USD20 per workstation. Server licenses are USD400. Volume discounts are available. The product may be used for free for a sixty day evaluation period.


    OK, so you say it is in a lab; you may be able to run the home use version,
    though if you do need the Administration version for it to run properly on your client's server, this will require a certain level of knowledge. If you are not around I guess you could do it remotely.
     
    Last edited: May 6, 2004
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi again D&C,

    1. Alerted the user that an unknown process is starting, and ask if the user wanted to allow it? or...

    If a new programme starts, Process Guard's Secure Desktop will ask if you wish to allow it, allow once, block or block once, providing it is not in learning mode.
    If it is a modified trusted program you are again alerted.
    This obviously requires some knowledge by the user, i.e. I just did a Windows update, therefore I would expect Secure Desktop to inform me if a certain update related .exe file was changed.

    2. Determined a process was trying to add something to the registry and asked if the user wanted to allow it? or...

    No, Process Guard does not check the registry.

    3. ??

    You really need to visit www.diamondCS.com.au and read through the threads here where you will find many screenshots etc. showing Process Guard's capabilities.

    HTH Pilli :)
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am one of the users who dropped Abtrusion Protector in favor of Process Guard when the checksum feature was added.

    I can appreciate Tempnexus's predicament, but I would never sell any scanning type program as perfect protection. Heck next time TDS might catch it, and Norton miss.

    Would PG have helped? Yep. Not from the point of keeping TDS from being shut down, but as Gavin pointed out, for the trojan to do its damage it had to install a service. PG would have prevented that.

    It is all about layers layers layers.

    I keep my OS fully patched, and also run a firewall which I do test frequently. Hopefully that keeps out uninvited guests. But if one comes in, by accident or dumbness on my part, then hopefully the scanners AV/AT will catch it. If not and it tries to execute, the PG checksum will challenge (or block) it. Here again if I screw up and let it run, PG will also not let it start a service, inject code or a dll somewhere, and so keep it from its nasty task.

    Layers
    Layers
    Layers
     
  7. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Jooske -

    At the risk of wearing out my welcome, I have one more question for you regarding this issue. :doubt: If you re-read my question on this issue, I realize that Tempnexus didn't have RegistryProt installed. My question is - in this case, IF it would have been installed, would this free app from DCS have prevented the infection, in your opinion?
     
  8. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    At the kernel-level, yes, but to the degree of protection that Process Guard has, no, but they should be commended for putting the foundations in place.
     
  9. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    D&C:
    RegistryProt has become one of our most popular freeware programs - it's small, lightweight, 100% free, and uses 0% CPU because it 'waits' in a suspended state for registry events to occur in certain registry keys only (i.e. the so-called 'run' keys). I think the reason it has become so popular is that it effectively adds another layer of security and adds another way to alert the user when they might be infected with a trojan, at the very time of infection. For example, if you run the original NetBus trojan, it will copy itself to your Windows directory as "patch.exe", execute that file, and create an autostart key at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\patch, with the value being the full path and filename of patch.exe. So, if you're running RegistryProt, immediately you'd see the creation of the key, and you'd also see the value (patch.exe). Straight away you'd know 1) what program you just ran so you'd know which is the original culprit - the 'dropper', 2) where it had installed itself in the registry, and 3) where it had copied itself (patch.exe). You can then manually disinfect yourself in most cases simply by terminating the original file and patch.exe (if they're running), and then deleting their files. Deleting the autostart entry isn't necessary as long as the file is gone, but still recommended.

    Yes - Process Guard actually has execution protection, so whenever a new file is executed, Process Guard will ask you if you want to allow it to run (once, or always, or not at all, etc).

    Both RegistryProt and Process Guard come with helpfiles that should answer most if not all of your questions - we've put a lot of time into them, and I guarantee you'll also learn a few interesting things along the way, so please take some time to browse through them when you get a chance. :)
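    The run-key monitoring Wayne describes above, as an added example that is not RegistryProt's or DiamondCS's code: a small Python watcher that snapshots the autostart keys, diffs them against a baseline, and reports the same three facts an alert gives you (which key, which value name, and the path of the dropped file). The key list is a constructed illustration of the 'run' keys, and snapshot_run_keys() assumes it is running on Windows with the standard winreg module; off Windows you build the Snapshot dicts by hand.

```python
"""Baseline-and-diff watcher for the Windows 'run' autostart keys.
Added example, not RegistryProt's code: watch only the autostart keys and,
on a new or changed value, report key, value name and data (dropped file).
snapshot_run_keys() needs Windows (winreg); diff_autostart() is pure Python."""
from typing import Dict, List, Tuple

Snapshot = Dict[str, Dict[str, str]]  # key path -> {value name: data}
# The autostart keys the post calls the 'run' keys (HKLM and HKCU variants).
RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
]

def snapshot_run_keys(keys: List[str] = RUN_KEYS) -> Snapshot:
    """Read every value under the run keys (Windows only: uses winreg)."""
    import winreg  # ImportError off Windows; build a Snapshot by hand there
    roots = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    snap: Snapshot = {}
    for path in keys:
        root, _, sub = path.partition("\\")
        values: Dict[str, str] = {}
        try:
            with winreg.OpenKey(roots[root], sub) as k:
                i = 0
                while True:  # EnumValue raises OSError past the last value
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break
                    values[name] = str(data)
                    i += 1
        except OSError:
            pass  # key absent; treat as empty
        snap[path] = values
    return snap

def diff_autostart(baseline: Snapshot, current: Snapshot) -> List[Tuple[str, str, str, str]]:
    """(event, key, value name, data) for each value added or changed since baseline."""
    alerts = []
    for key, values in current.items():
        old = baseline.get(key, {})
        for name, data in values.items():
            if name not in old:
                alerts.append(("ADDED", key, name, data))
            elif old[name] != data:
                alerts.append(("CHANGED", key, name, data))
    return alerts
```

    Take a baseline snapshot on a clean system, then re-run diff_autostart() against fresh snapshots; an ADDED entry whose data points at a file you did not install is exactly the "patch" alert the post walks through.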
     
  10. @Wayne

    I like PG and I also like TPF (http://www.tinysoftware.com/home/ti...ffer=standard&pg=news&article_name=build_1332).

    TPF can certainly do things which PG cannot do yet. For example, TPF can restrict the access of any internet applications to certain areas of the harddrive (e.g., partitions or directories not containing sensitive data). It can also prevent appending file viruses from writing themselves into other files. This is quite useful. However, TPF is much more complicated to set up than PG.

    You said: "At the kernel-level, yes, but to the degree of protection that Process Guard has, no, but they should be commended for putting the foundations in place."

    I would like to know whether this statement refers to the self-protection capabilities of PG and TPF. Or does it refer to PG's features (i.e., are there any features of PG which TPF does not support)? I believe that PG's most important features like stopping services installation, CreateRemoteThread blocking etc. are also supported by TPF. Maybe anti-termination protection of PG is more advanced?
     
  11. @Wayne

    Sorry. It's me again. Is it true that there will be a successor to RegistryProt? I would be highly interested in a registry blocker/monitor which supports all new autostart methods and also allows you to add custom entries.
     
  12. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    NotAffiliatedToTPF,
    I meant in terms of protecting processes from attacks by other processes, as well as protecting itself from attacks by other processes. If you get a chance please take some time to read through the PG helpfile as it describes a lot of the various attacks, all of which PG - and in most cases only PG - can block.

    But don't get me wrong, TPF is one of the best personal firewalls out there - I think Gavin actually rates it as his favourite at the moment, and I've always been a fan of Kerio (KPF) as well. TPF extends beyond just a personal firewall and it's great to see that they are adding extra protection, but really there is no comparison between PG and TPF -- PG is process protection, TPF is a firewall, and both programs seem to complement each other very well when used in tandem. :)

    I can't comment too much on that at this stage sorry, all I can say is that yes we may have some type of 'Registry Guard' in the works.

    Enjoy the weekend,
    Wayne
     
  13. Habiru

    Habiru Registered Member

    Joined:
    May 4, 2004
    Posts:
    43
    Location:
    Fredericton
    Process Guard is one of the best programs I've purchased yet. It's powerful and has a small footprint. I purchased it to protect my AV and firewall from being shut down by malware. Not to mention you can add just about any exe to the list. Its checksum function is superb and it monitors every executable that runs. Wished I had bought it a long time ago.

    Try the program, you won't be disappointed.
     
  14. Thanks for your reply, Wayne.

    Just two more comments: I would not call TPF a personal firewall. IMHO the firewall component is not that good. But TPF is the most developed/complicated system firewall (and a nice tool for malware analysis ;-). It has nothing in common with Kerio 2.15, Kerio 4.1x or Tiny Personal Firewall 2.15.

    " If you get a chance please take some time to read through the PG helpfile"

    I did. It seems to me that TPF can prevent most (if not all) of the described attacks. But PG may still be the better solution for most people since it is more sharpened (in a positive sense) and easier/more convenient to use. PG blocks potentially malicious attacks while TPF allows you to control (almost) everything. But only if you know how.

    Cheers xyz ;-)

    Btw.: PG2 is a huge improvement in every respect. Congrats.
     
  15. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Process Guard is definitely a good buy, especially with the circumstances. Since you have TDS, you should have a discount for PG. Set it to protect the system processes (as it picks up the first time it's run), all security software, allow any other software that needs to run, then just block all new and changed processes from running. I wouldn't rely on TPF for a server, either.. it's a desktop app (unless you want to go with their enterprise edition), not to mention the fact that it slows the system down noticeably. But really, on a server you would want the least amount of user interaction possible. Do you trust the client to know the difference between a system process, and a trojan masquerading as one?

    On a machine acting as a server I would really want to add at least one IDS layer. GFI LanGuard (http://www.gfi.com/) comes to mind, and Prevx may be worth checking out (2 different types of IDS, both have free versions. Look around, there's others too) and DEFINITELY start auditing, if you haven't already.

    This article is for 2k, but I don't think it's too different for XP (not sure what you are running)
    http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/09detect.mspx
    At the very least this could have shown you what damage was done, so you can see what to repair. Auditing and IDS are two essentials with servers, IMO.
     
    Last edited: Jun 26, 2004