Hello, I use the ewido security suite. ewidoguard.exe starts while the computer is booting. However, ProcessGuard doesn't detect this program. Why can ewidoguard remain undetected? Please excuse my bad English; I use a translation program.
Hi, I think this is because ewido starts very early in the boot process; you should manually add the file to the protection list using the browse function. Windows services race to start, and it depends where each is on the list. I have had the same happen with KAV 5's service: on one PC ProcessGuard loaded first and the KAV service was added to the list, and on another KAV loaded first and was not added. HTH, Pilli
I've got both ewidoctrl.exe and ewidoguard.exe added to PG's protection list. With the default protections, ewido's stuff still doesn't show up in the PG log, at least not as ewidoctrl.exe or ewidoguard.exe. SecuritySuite.exe shows up when you open the main interface of EWIDO, but there's still nothing to indicate that ewidoguard.exe is running (at least, not by that name). What's up with that? Pete
Hi Pete, it is part of Ewido's self-protection; KAV does the same. Basically Ewido hides the service so that malware cannot kill it. You will probably find that, with the Ewido service removed from the protection list, Advanced Process Termination will still not kill it. APM is available from here: http://www.diamondcs.com.au/index.php?page=apm
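The two things the replies above turn on, where a service sits in the boot order and whether a service the Service Control Manager says is running is also visible in the ordinary process list, can both be checked from the command line. The following PowerShell script is an added example for this thread; it is not code from ProcessGuard, Ewido, KAV or DiamondCS, and the service names in `$Name` (`ewidoguard`, `ewidoctrl`) are assumptions taken from the posts, so replace them with whatever `Get-Service` shows on your machine.

```powershell
# Added example, not ProcessGuard/Ewido/KAV code. For every service it reports
# the start mode and load-order group (what decides boot order) and whether the
# PID the SCM reports is also visible to Get-Process (a usermode cross-view check).
param(
    [string[]]$Name = @('ewidoguard', 'ewidoctrl')   # assumed service names; adjust
)

# Load-order groups in the order the system starts them
# (HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List, REG_MULTI_SZ).
$GroupOrder = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder').List

function Get-GroupPosition([string[]]$Order, [string]$Group) {
    # Index of a service's load-order group; -1 if it has none
    # (ungrouped services start after all grouped ones with the same start mode).
    if (-not $Group) { return -1 }
    for ($i = 0; $i -lt $Order.Count; $i++) {
        if ($Order[$i] -ieq $Group) { return $i }   # group names are case-insensitive
    }
    return -1
}

function Get-ServiceCrossView {
    # SCM view: every service with its start mode, image path, PID and state.
    $services = Get-CimInstance Win32_Service
    # Process-list view: the PIDs usermode process enumeration can see.
    $visible = @{}
    Get-Process | ForEach-Object { $visible[[int]$_.Id] = $_.ProcessName }

    foreach ($svc in $services) {
        $reg   = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" -ErrorAction SilentlyContinue
        $group = if ($reg) { $reg.Group } else { $null }
        $exe   = if ($svc.PathName -match '([^\\/"]+\.exe)') { $Matches[1] } else { $svc.PathName }
        $svcPid = [int]$svc.ProcessId
        # Running according to the SCM but absent from the process list: either a
        # race (it just exited) or something is hiding the process from Get-Process.
        $hidden = ($svc.State -eq 'Running') -and ($svcPid -gt 0) -and (-not $visible.ContainsKey($svcPid))
        [pscustomobject]@{
            Service      = $svc.Name
            StartMode    = $svc.StartMode            # Boot, System, Auto, Manual, Disabled
            Group        = $group
            GroupIndex   = Get-GroupPosition $GroupOrder $group
            Image        = $exe
            Pid          = $svcPid
            State        = $svc.State
            HiddenFromPS = $hidden
        }
    }
}

$view = Get-ServiceCrossView

# 1. Boot order: Boot and System start before Auto; within a start mode, lower
#    GroupIndex starts first. This is the "race" the thread talks about.
$rank = @{ Boot = 0; System = 1; Auto = 2; Manual = 3; Disabled = 4 }
$view | Sort-Object { $rank[$_.StartMode] }, GroupIndex, Service |
    Select-Object Service, StartMode, Group, GroupIndex | Format-Table -AutoSize

# 2. Services the SCM reports as running that Get-Process cannot see.
$view | Where-Object HiddenFromPS | Format-Table Service, Image, Pid, State -AutoSize

# 3. The services under discussion, both views side by side.
foreach ($n in $Name) {
    $svc   = $view | Where-Object { $_.Service -ieq $n } | Select-Object -First 1
    $proc  = Get-Process -Name $n -ErrorAction SilentlyContinue
    $state = if ($svc) { "$($svc.State) (PID $($svc.Pid))" } else { 'no such service' }
    $seen  = if ($proc) { 'visible' } else { 'not visible' }
    "{0}: SCM says {1}; Get-Process says {2}" -f $n, $state, $seen
}
```

Run it from an elevated prompt so the service registry keys are readable. The caveat a practitioner should keep in mind: both views come from usermode APIs, so a kernel-level hook that filters process enumeration for the SCM and for `Get-Process` alike leaves no discrepancy to find. A service that appears in section 2, or a named service that the SCM reports running while `Get-Process` cannot see it, is worth a closer look; an empty section 2 proves nothing.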
Pilli, I'm not getting a really warm-and-fuzzy feeling about this. If EWIDO can start, run and hide from ProcessGuard, what's to say that malicious software can't do the same thing? And EWIDO can't be killed by anything in APT? Is KAV equally well protected? If EWIDO is that well protected from any form of termination, is there any real use in having it protected by PG? Pete
Pete, the malware would have to have been loaded; it would have to be executed and allowed to install a service or driver. ProcessGuard will have given you at least two chances before that could occur. It requires the same diligence that you need when installing ANY new software: only install software from trusted sources, and scan with your AV and AT before installing. Cheers, Pilli
I don't think Ewido or KAV really needs PG protection. I think they both defend themselves quite well. The way both Ewido and KAV can be killed is by a driver designed to terminate them. PG protects against that by blocking driver/service installs. The only way around that is by getting the person to lower the PG defence, by getting the person to disable the protection during software installs. I usually block all new drivers and services unless I am installing security software, new hardware or software from some trusted company like Raxco (PerfectDisk). I will not allow driver/service installs from software from third-party sites either. Starrob
spy1, it (any program) can't. The first time it runs, ProcessGuard will ask you if you want to allow the executable to run. Then, if it wants to install a driver, ProcessGuard will again jump in, so it has to clear two layers of PG security first, i.e. you basically have to say "yes, I trust this program" twice before it's allowed to run properly. If it (again, it being any program) uses drivers to either hide and/or protect itself in the same way as a rootkit or PG would, then yes, it would be out of the current realm of APT, as effectively we'd have to add rootkit-detection-style capabilities to APT. Such tricks would have to wait a while, as we have other projects with higher priority levels such as TDS4 (although a new update of APT is due for release very soon).
BTW, both KAV and Ewido can be killed without a driver (i.e. in user mode; one example is using SDTRestore) if you do not have ProcessGuard installed on the system. So does ProcessGuard help to protect programs like KAV? Yes. However, you probably won't need to add them to the protection list; the global protection options and execution protection are the biggest protectors with programs like KAV.