Fast one..

Discussion in 'ProcessGuard' started by jg88swe, Sep 10, 2005.

Thread Status:
Not open for further replies.
  1. jg88swe

    jg88swe Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    181
    Hey, I just tried ProcessGuard and I like it a lot, but I have a question...

    If I have "Execution Protection", "Block New and Changed Applications" and "DLL Injection" turned ON on a computer.

    Will that block ~99% of malware/trojans?

    Because then I would only allow trusted applications to run; I don't see how I could get infected, because then no executable file would be available to run...
     
  2. jg88swe

    jg88swe Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    181
    Another Question...

    Does ProcessGuard not work on restricted Windows accounts, but only on Administrator accounts?
    Because I can't get it to work; it says Error check DCSUserProt.exe, but I can't open it...
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    PG does work on all accounts, provided you know that ProcessGuard must be installed through an admin account and that user accounts, although they will receive alerts, cannot make any changes to ProcessGuard, i.e. the GUI is inactive.
    You can access ProcessGuard from a restricted user account using the "Run as" command.

    HTH Pilli
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    You won't get infected by more than 99% of attacks, and if you secure your browser and email client too, more like 99.99%.

    The only realistic attack vector left then is exploits: overflow attacks on an unpatched, buggy OS or software that is running, someone with a new unpatched exploit, and you with insufficient firewalling.

    Something you can do to fight that, if you want, is make sure you haven't allowed CMD.EXE, NET.EXE and NET1.EXE to run, or block them from running. A shellcode attacker that exploits some flaw is likely to use this type of attack: get a remote shell and then net user add, or a similar attack.

    These attacks are still extremely unlikely if you patch the OS first, and almost impossible if you take time to get good firewall rules set up. The bottom line is yes, you will be safe from a hell of a lot of attacks. If your system is set up how you like it, then PG likes that. It's only when you make a lot of changes that you need to tend to things :)
     
  5. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    @ Gavin

    Are these OK or not....
    net.exe >> found in system32
    cmd.exe-087B4001 >> found in pf
    net1.exe >> found in system32
    :doubt:
     
  6. jg88swe

    jg88swe Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    181
    Thanks for the replies..
    I still don't get how to run ProcessGuard on a "Restricted" Windows account...

    Can someone explain, or is there a manual?
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Go to Start - All Programs - right click on the "Run ProcessGuard" icon, or if you cannot see ProcessGuard in your Start menu, then using Windows Explorer navigate to the PG folder, right click procguard.exe and select "Run as" from the drop-down menu:

    The screenshot below shows what you need to complete.

    HTH Pilli
     

    Attached Files:

  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    net.exe and net1.exe in the system32 folder are the ones used in batch files by malware.

    net stop "antivirusservice" would stop a service called antivirusservice

    So making sure they aren't already allowed in your SECURITY list is a good thing to check. Also check for netsh.exe, which can be used in a batch file, or by any program, to change Windows Firewall settings :rolleyes:

    netsh firewall add allowedprogram program=trojan.exe (actual command is much longer)
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Any program that runs others could be a loophole if you choose to always allow it in PG - in addition to cmd and net, there is also RunDLL, Java/javaw.exe (for Java .jar applets) and whatever Microsoft's .Net framework uses.
     
  10. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Thanks Gavin... still not clear... what to do with net.exe and net1.exe? Should I remove them or not? Found netsh and not sure what to do with that... none are listed on my Security list... also found something like p2pnet(something)... I dumped it, as I do not use p2p stuff... OK to remove p2p, right?
     
  11. berng

    berng Registered Member

    Joined:
    Sep 11, 2005
    Posts:
    246
    Location:
    NJ, USA
    I used Explorer to go to the windows\system32 folder and clicked on the net programs, whereupon ProcessGuard asked me to approve or block. I said block all the time, and they are now in the security list as deny always.
     

    Attached Files: aaa.png (38.8 KB)
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Blocking them always is not necessarily a good idea, since other software may need them (e.g. to start Windows services). Just removing them from the Security list (or setting them to Prompt once) will mean you get prompted every time they are run - and you can then decide (based on the parameters) whether to allow or not.
     
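As an added illustration (not ProcessGuard's code, nor any poster's), here is a small Python checker that applies the advice from posts 4, 8, 9 and 12 to constructed process-start records: known-bad parameter patterns are denied, other uses of a launcher are prompted rather than blocked outright, and everything else is allowed. The launcher list, the risky-parent list, the regexes and the key=value log format are all assumptions made for this example.

```python
import os
import re

# Launchers named in posts 4, 8 and 9 (assumed set) and parents that should
# rarely start one (assumption, after post 4's browser/email remark).
LAUNCHERS = {"cmd.exe", "net.exe", "net1.exe", "netsh.exe", "rundll32.exe",
             "java.exe", "javaw.exe"}
RISKY_PARENTS = {"iexplore.exe", "firefox.exe", "outlook.exe"}

# Parameter patterns modelled on the thread's examples; searched anywhere in
# the command line so "cmd.exe /c net user ..." is still caught.
RULES = [
    ("net user /add", re.compile(
        r"\bnet1?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.I)),
    ("net stop <service>", re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+\S", re.I)),
    ("netsh firewall allowedprogram", re.compile(
        r"\bnetsh(?:\.exe)?\s+firewall\s+(?:add|set)\s+allowedprogram\b", re.I)),
]
# key=value or key="quoted value" fields of the (constructed) log format.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Return the fields of one log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def basename(path):
    """Case-folded file name of a Windows path, whatever the host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()

def decide(line):
    """Map one process-start record to a ProcessGuard-style action."""
    f = parse(line)
    image, parent = basename(f.get("image", "")), basename(f.get("parent", ""))
    reasons = [name for name, rx in RULES if rx.search(f.get("cmdline", ""))]
    if image in LAUNCHERS and parent in RISKY_PARENTS:
        reasons.append("launcher spawned by " + parent)
    if reasons:                 # known-bad parameters: deny this run
        return "block", reasons
    if image in LAUNCHERS:      # legitimate uses exist, so ask (post 12)
        return "prompt", reasons
    return "allow", reasons

# Constructed sample records, not real log output.
LOG = [
    r'parent=services.exe image=C:\WINDOWS\system32\net.exe cmdline="net start spooler"',
    r'parent=iexplore.exe image=C:\WINDOWS\system32\cmd.exe cmdline="cmd.exe /c net user guest2 secret /add"',
    r'parent=updater.bat image=C:\WINDOWS\system32\net.exe cmdline="net stop antivirusservice"',
    r'parent=setup.exe image=C:\WINDOWS\system32\netsh.exe cmdline="netsh firewall add allowedprogram program=trojan.exe name=x mode=enable"',
    r'parent=explorer.exe image=C:\WINDOWS\system32\rundll32.exe cmdline="rundll32.exe shell32.dll,Control_RunDLL"',
]
```

Running `decide` over `LOG` gives prompt, block, block, block, prompt: the service start and the control-panel call are asked about, while the account creation, the service stop and the firewall change are denied.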
  13. berng

    berng Registered Member

    Joined:
    Sep 11, 2005
    Posts:
    246
    Location:
    NJ, USA
    I noticed that setting to permit once causes a prompt, which seems to me to be the same as when the program is not on the list. Is there an advantage to setting permit once vs. not having the program in the security list?
     