Hey, I just tried ProcessGuard and I like it a lot, but I have a question... If I have "Execution Protection", "Block New and Changed Applications" and "DLL Injections" turned ON on a computer, will that block ~99% of malware/trojans? Because then I would only allow trusted applications to run, and I don't see how I could get infected, because then no executable file would be available to run...
Another question... Does ProcessGuard not work on restricted Windows accounts, only on Administrator accounts? Because I can't get it to work; it says "Error check DCSUserProt.exe" but I can't open it...
PG does work on all accounts, provided you know that ProcessGuard must be installed through an admin account and that user accounts, although they will receive alerts, cannot make any changes to ProcessGuard, i.e. the GUI is inactive. You can access ProcessGuard from a restricted user account using the "Run as" command. HTH Pilli
You won't get infected by more than 99% of attacks, and if you secure your browser and email client too, more like 99.99%. The only realistic attack vector left then is exploitation: overflow attacks on an unpatched, buggy OS or software, someone with a new unpatched exploit, and you with insufficient firewalling. Something you can do to fight that, if you want, is make sure you haven't allowed CMD.EXE, NET.EXE and NET1.EXE to run, or block them from running. A shellcode attacker that exploits some flaw is likely to use this type of attack: get a remote shell and then "net user add" or a similar attack. These attacks are still extremely unlikely if you patch the OS first, and almost impossible if you take the time to get good firewall rules set up. The bottom line is yes, you will be safe from a hell of a lot of attacks. If your system is set up how you like it, then PG likes that. It's only when you make a lot of changes that you need to tend to things.
@Garvin Are these OK or not?
net.exe >> found in system32
cmd.exe-087B4001 >> found in pf
net1.exe >> found in system32
Thanks for the replies... I still don't get how to run ProcessGuard on a "Restricted" Windows account... Can someone explain, or is there a manual?
Go to Start - All Programs - - right click on the "Run ProcessGuard" icon, or if you cannot see ProcessGuard in your Start menu, then use Windows Explorer to navigate to the PG folder, right click procguard.exe and select "Run as" from the drop-down menu. The screenshot below shows what you need to complete. HTH Pilli
net.exe and net1.exe in the system32 folder are the ones used in batch files by malware: net stop "antivirusservice" would stop a service called antivirusservice. So making sure they aren't already allowed in your SECURITY list is a good thing to check. Also check for netsh.exe, which can be used in a batch file, or by any program, to change Windows Firewall settings: netsh firewall add allowedprogram program=trojan.exe (the actual command is much longer).
Any program that runs others could be a loophole if you chose to always allow it in PG. In addition to cmd and net, there is also RunDLL, Java/javaw.exe (for Java .jar applets) and whatever Microsoft's .NET framework uses.
Thanks Garvin... still not clear... what to do with net.exe and net1.exe? Should I remove them or not? Found netsh and not sure what to do with that... none are listed on my Security list... also found something like p2pnet(something)... I dumped it, as I do not use p2p stuff... OK to remove p2p, right?
I used Explorer to go to the windows\system32 folder and clicked on the net programs, whereupon ProcessGuard asked me to approve or block. I said block all the time, and they are now in the security list as deny always.
Blocking them always is not necessarily a good idea, since other software may need them (e.g. to start Windows services). Just removing them from the Security list (or setting them to Prompt once) will mean you get prompted every time they are run, and you can then decide (based on the parameters) whether to allow or not.
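The two posts above (Garvin's examples of net stop "antivirusservice" and netsh firewall add allowedprogram, and the advice to decide at the prompt from the parameters) can be turned into a checklist. The script below is an added example, not ProcessGuard code or a feature of it: PG only prompts at the process level and has no scripting interface, so this models the decision a user would make at the prompt from the command line. The WATCHED set, the SECURITY_SERVICE_HINTS list, the netsh rules and the sample command lines are all assumptions constructed for illustration; nothing here is taken from the original thread.

```python
"""Parameter-based allow/deny triage for net/net1/netsh/cmd/rundll32/javaw.

Added example, not ProcessGuard code. The rule set and the
SECURITY_SERVICE_HINTS list are assumptions for illustration; edit them to
match the services actually installed on your machine.
"""
import ntpath
import re
from typing import List, Tuple

# Launcher/utility programs that a blanket "permit always" would turn into a loophole.
WATCHED = {"cmd.exe", "net.exe", "net1.exe", "netsh.exe", "rundll32.exe", "javaw.exe"}

# Substrings that mark a service as a security product (assumed; edit for your setup).
SECURITY_SERVICE_HINTS = ("antivirus", "firewall", "processguard", "dcsuserprot")

# netsh invocations that open or disable Windows Firewall (XP "firewall" context and
# Vista+ "advfirewall" context). Matched against the lower-cased argument string.
NETSH_DENY = (
    (r"^firewall add (allowedprogram|portopening)\b", "opens a hole in Windows Firewall"),
    (r"^firewall set opmode\b.*\bdisable\b", "turns Windows Firewall off"),
    (r"^advfirewall firewall add rule\b", "adds a Windows Firewall rule"),
    (r"^advfirewall set \w+ state off\b", "turns Windows Firewall off"),
)

Verdict = Tuple[str, str]  # ("allow" | "deny" | "prompt", reason)


def split_args(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def _net_verdict(args: List[str]) -> Verdict:
    if not args:
        return "prompt", "net with no subcommand"
    sub = args[0]
    if sub in ("user", "localgroup", "group") and "/add" in args:
        return "deny", f"net {sub} /add creates an account or elevates one"
    if sub == "stop" and len(args) > 1:
        svc = args[1]
        if any(hint in svc for hint in SECURITY_SERVICE_HINTS):
            return "deny", f"net stop of security service '{svc}'"
        return "prompt", f"net stop {svc}: check which program asked"
    return "prompt", f"net {sub}: no rule, decide from the caller"


def _netsh_verdict(args: List[str]) -> Verdict:
    joined = " ".join(args)
    for pattern, why in NETSH_DENY:
        if re.search(pattern, joined):
            return "deny", f"netsh {why}"
    return "prompt", "netsh: read-only or unrecognised, decide from the caller"


def verdict(cmdline: str) -> Verdict:
    """Decide allow/deny/prompt for one command line from its parameters."""
    argv = split_args(cmdline)
    if not argv:
        return "prompt", "empty command line"
    exe = ntpath.basename(argv[0]).lower()
    if not exe.endswith(".exe"):
        exe += ".exe"
    args = [a.lower() for a in argv[1:]]
    if exe not in WATCHED:
        return "prompt", f"{exe} is not a watched launcher"
    if exe == "cmd.exe":
        # cmd /c or /k <command>: judge the command cmd would run, not cmd itself.
        for i, a in enumerate(args):
            if a in ("/c", "/k") and i + 1 < len(args):
                inner = " ".join(f'"{t}"' if " " in t else t for t in argv[i + 2:])
                decision, why = verdict(inner)
                return decision, f"cmd {a} -> {why}"
        return "prompt", "interactive shell"
    if exe in ("net.exe", "net1.exe"):
        return _net_verdict(args)
    if exe == "netsh.exe":
        return _netsh_verdict(args)
    return "prompt", f"{exe} runs other code; check what it was asked to load"


def triage(cmdlines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (command line, decision, reason) for each line."""
    return [(c,) + verdict(c) for c in cmdlines]


# Constructed sample of command lines a user might be prompted for (not real logs).
SAMPLE_COMMAND_LINES = [
    r'C:\WINDOWS\system32\net1.exe stop "antivirusservice"',
    r'"C:\WINDOWS\system32\net.exe" start Spooler',
    r'net user backdoor P@ssw0rd /ADD',
    r'net localgroup Administrators backdoor /add',
    r'netsh firewall add allowedprogram program=C:\temp\trojan.exe name=Update mode=ENABLE',
    r'netsh advfirewall set allprofiles state off',
    r'netsh firewall show state',
    r'cmd.exe /c net stop "antivirus service"',
    r'rundll32.exe shell32.dll,Control_RunDLL',
    r'"C:\Program Files\Java\bin\javaw.exe" -jar app.jar',
]

if __name__ == "__main__":
    for line, decision, why in triage(SAMPLE_COMMAND_LINES):
        print(f"{decision:6} {line}\n       {why}")
```

The default answer is "prompt", not "allow": the only automatic verdict is "deny" for the patterns the thread calls out (stopping a security service, adding an account or admin group member, opening or disabling Windows Firewall), and cmd /c is unwrapped so the inner net or netsh command is judged rather than cmd itself. Everything else, including rundll32 and javaw -jar, stays a prompt so you look at which program launched it.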
I noticed that setting to permit once causes a prompt, which seems to me to be the same as when the program is not on the list. Is there an advantage to setting permit once vs. not having the program in the security list?