ewido-security-suite

Discussion in 'ProcessGuard' started by Optimist, Dec 12, 2004.

Thread Status:
Not open for further replies.
  1. Optimist

    Optimist Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    90
    Hello, I use the ewido-security-suite. The ewidoguard.exe starts while booting the computer. However, ProcessGuard doesn't detect this program. Why can ewidoguard remain undetected?
    Please, excuse my bad English. I use a translation program.
     
    Last edited: Dec 12, 2004
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi, I think this is because ewido starts very early in the boot process; you should manually add the file to the protection list using the browse function.

    Windows services race to start, and it depends where each is on the list. I have had the same happen with KAV 5's service: on one PC ProcessGuard loaded first and the KAV service was added to the list, and on another KAV loaded first and was not added.

    HTH Pilli
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I've got both ewidoctrl.exe and ewidoguard.exe added to PG's protection list.

    With the default protections, ewido's stuff still doesn't show up in the PG log. At least, not as ewidoctrl.exe or ewidoguard.exe.

    SecuritySuite.exe shows up when you open the main interface of EWIDO, but there's still nothing to indicate that ewidoguard.exe is running (at least, not by that name).

    What's up with that? Pete
     
  4. Optimist

    Optimist Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    90
    Many thanks for the explanations!

    Regards
    Bernd
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Pete. It is part of Ewido's self-protection; KAV does the same. Basically, Ewido hides the service so that malware cannot kill it.
    You will probably find that, with the Ewido service removed from the protection list, Advanced Process Termination will not kill it.
    APM is available from here: http://www.diamondcs.com.au/index.php?page=apm
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Pilli - I'm not getting a really warm-and-fuzzy feeling about this.

    If EWIDO can start, run and hide from ProcessGuard, what's to say that malicious software can't do the same thing?

    And, EWIDO can't be killed by anything in APT? Is KAV equally well-protected? If EWIDO is that well-protected from any form of termination, is there any real use in having it protected by PG? Pete
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Pete, the malware would have to have been loaded. It would have to be executed & allowed to install a service or driver. ProcessGuard will have given you at least two chances before that could occur; it requires the same diligence that you need when installing ANY new software - only install software from trusted sources. Scan with your AV & AT before installing.

    Cheers. Pilli
     
  8. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I don't think Ewido or KAV really needs PG protection. I think they both defend themselves quite well.

    The way both Ewido and KAV can be killed is by a driver designed to terminate them. PG protects against that by blocking driver/service installs. The only way around that is by getting the person to lower the PG defense, by getting the person to disable the protection during software installs.

    I usually block all new drivers and services unless I am installing security software, new hardware, or software from some trusted company like Raxco (PerfectDisk). I will not allow driver/service installs from software from third-party sites either.

    Starrob
     
  9. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    spy1,

    It (any program) can't :). The first time it runs, ProcessGuard will ask you if you want to allow the executable to run. Then, if it wants to install a driver, ProcessGuard will again jump in, so it has to clear two layers of PG security first - i.e. you basically have to say "yes, I trust this program" twice before it's allowed to run properly.

    If it (again, it being any program) uses drivers to either hide and/or protect itself in the same way as a rootkit or PG would, then yes, it would be out of the current realm of APT, as effectively we'd have to add rootkit-detection style capabilities to APT. Such tricks would have to wait a while, as we have other projects with higher priority levels such as TDS4 (although a new update of APT is due for release very soon) :)
     
    Last edited: Dec 12, 2004
  10. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    BTW, both Kav and Ewido can be killed without a driver (i.e. in usermode; one example is using Sdtrestore) if you do not have ProcessGuard installed on the system. So does ProcessGuard help to protect programs like Kav? Yes. However, you probably won't need to add them to the protection list; the global protection options and execution protection are the biggest protectors with programs like Kav.
     
    Last edited: Dec 13, 2004
  11. MEGAFREAK

    MEGAFREAK Registered Member

    Joined:
    Jul 8, 2003
    Posts:
    51
    Exactly, Jason!

    But not only sdtrestore can stop them :-D
     