Good trojan defenses?

Discussion in 'other anti-trojan software' started by Comp01, Dec 1, 2003.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @Pilli- No offense but you neglected to mention that APT won't run on 95, 98, ME, or NT or Linux.

    2) Fabertoys is nice, but requires VB, plus it's 10X larger than ProcessViewer & ProcessExplorer, is much heavier on resource usage, & does fewer functions. Otherwise... it's pretty good :cool:

    ~~~~~~~~~~~~~~~~~~~~~~~~
    IMHO, the *greatest of them all* is...
    Another Task Manager

    It's only 57K & will run rings around any program of its type, including Faber's bloatware. Uhhh -- did I mention that ATM only runs on Win 9X/ME. :D

    DL it from...
    http://www.simtel.net/pub/dl/12339.html
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Well, all of the Windows versions you mentioned are not, or will not be, supported in the near future by MS, so although there are still many users, development of new programmes has virtually stopped. :( Linux is not generally relevant to this board. :D
     
  3. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    You are misinformed. There are still many new programs being written for those who choose not to use XP, & refuse to kow-tow to the M$ concept of forced obsolescence.

    Are you saying that those who do not use Windows OS in general, & Win-XP in particular, are unwelcome on these boards? Or are they merely unwelcome as TDS customers? Or both?
     
  4. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    I believe Pilli stated clearly enough that Linux is not too relevant on this board. Definitely not that linux users or questions are not welcome, merely that it has not been at all frequent. That may change in the future but it is pretty clear that most users here at present are asking questions and seeking answers in a Microsoft OS framework.

    Regards,

    Dan
     
  5. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    In the realm of automatic process guards, anyone do a comparison of SSM to PG as far as effectiveness, resource utilization, amount of space & ram taken?

    be interesting to throw a-squared in the mix for comp. when/if available.

    I'd do it myself except PG does not run on us old (possibly smaller exploit target) OS... :cool:

    what's with these developers who decide to follow M$ into the abyss and not enable a version compatible below win2k?? o_O
     
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    I can't speak for SSM of course, but in regards to PG, it's driver-based and doesn't actually need the main .exe to be running as the protection is in the driver, so in that sense Task Manager won't show you anything about it :)

    What's with MS building new technologies into their new OS's? :)
    All developers want their software to run on as many OS's as possible - the result is naturally a larger potential customer base, so I don't know of any developers who've intentionally restricted their program so that it won't run on a particular OS. There's always a good reason, such as the program utilising technologies only found in new OS's. Unfortunately it's often not possible to write software for previous OS's as they simply don't support that technology. In some cases the reverse is also true - some of our software only works on Win9x, but not under NT/2K/XP/2003 due to significant OS differences.

    Regards,
    Wayne
     
  7. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    So, my conclusion from what you have said is process guard would have never come into existence but for M$ technology Win 2k and above?

    seems bass ackwards to me... and a bit of a cop out.

    seems like you develop software to meet a need. If the need is there for "halt process unless legit" software which dovetails antitrojan defenses then free enterprise says fill the gap (need) and you make money or attract more customers to your other products....

    applying above if PG technology precludes older OS, yet there is a gap which needs filling, then maybe motivation for thinking through the problem and finding a way to make it work... for the older OSs

    thanks Max and all other software writers out there for keeping it real and addressing the need... for Win9x and above...

    ps. I like the PG idea of running light on resource via driver base tech. ie. doesn't actually need the main .exe to be running as the protection is in the driver, however, maybe the trade off to making it work for older OS is you have to give up this luxury... or maybe there is another way? o_O
     
  8. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    If you are on Windows 9x / ME then you cannot even begin to compare the extra security NT/2K/XP has over it. There is no way for us to write software which first patches Win9x security up to a WinNT level, then adds Process Guard on top of this. Process Guard relies on WinNT based operating system technology to perform its job. Since 9x / ME does not have this and NEVER will there is nothing we can do for 9x / ME users.

    If you don't have Windows 2K/XP/2003 and want/need security then you shouldn't be buying more software, you should be saving up for some hardware which can run those operating systems, or if you have the hardware, saving up for the software :) . After all, the operating system forms the base of all your security.

    I don't mind Windows 9x at all for most software, but it just has so many gaps in it that it makes it difficult to develop products like Process Guard for it. You will be finding more and more companies stop supporting those operating systems in security products so it only makes sense to upgrade/update earlier than later.

    Out of all the products/freeware we have only one or two of them don't work on Windows 9x. So it is not like we are against Windows 9x. Where we can support 9x without limiting our products we will :)

    -Jason-
     
  9. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    answer = yes

    well keep up the good work.

    re: below nt gap security... or however characterized, sometimes the smaller target becomes more secure despite the advances...

    sometimes not... in this case seems apropos :eek:
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Yes, Process Guard was developed not only for termination protection but also for rootkit protection and against other VERY nasty trojans which are being developed. The best way for us to help users is to also foresee future trojans and this is possible because I monitor the trojan scene very closely. When DLL trojans started really becoming popular, we had to rethink a few aspects of scanner design.

    While we have been updating TDS (vastly) in terms of scanning capabilities and this has changed the TDS-4 design a lot, there is a better way to protect against DLL trojans and rootkits. When it comes to rootkits and DLL trojans (the most prized, feature rich trojans being made) Process Guard is far superior to any scanner no matter how big the database is, or how good its unpacking or heuristics are. Cleaning options are also less important, prevention is always far better than cure :)
     
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I guess I didn't explain much about Win9x did I :rolleyes: Sorry :D

    It's pointless developing PG for Win9x due to OS design. Making it secure would be impossible. Think of rewriting a whole heap of the OS (including huge DLLs like KERNEL32.DLL) which is probably against the License Agreement anyway :) Even then, there are design flaws (security wise) we would probably never be able to patch. End result would be years of development for something which doesn't even perform what we intended :(

    Microsoft also don't support Windows 9x anymore.. it's a little sad but I don't know if that many users will miss it in the end. The newer OSes also have their problems, but overall they are a lot better and a program like Process Guard is very powerful - it does exactly what we intended and puts a stop to the favourite trojan attacks. We just set back trojan development by about 2 years I guess. Too bad for them :D
     
  12. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I now understand, accept, & applaud the what & why of PG's non-support of older OS. What I resented deeply was Pilli's snooty, holier-than-thou comments concerning those who -- for reasons of $$ or whatever -- do not use WinXP.

    Since Pilli lists himself as one of your Mods, I thought that was the attitude of your entire company. :)

    I *might* move to M$'s Longhorn when it appears. Until then, life in the slow-lane slogs along.

    Live long & prosper...........bellgamin
     
  13. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    bellgamin,

    As Dan pointed out earlier on in this thread, you did misunderstand the intention from Pilli's remark. In this context, your wording above is rather displaced.

    Specific software companies views on any matter in regard to their software can and will only be provided by (representatives from) the software company in question.

    Pilli is a knowledgeable and very helpful dedicated DCS Moderator, volunteering to help out those who are using DCS products and Beta testing DCS software. His efforts and time spent in doing so are highly appreciated by many, and rightly so. By no means is he a DCS employee.

    regards.

    paul
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    bellgamin, Please do not take offence when no offence was intended.
    As Paul says I am not employed by DCS but do try to take an interest in all Windows OS's security problems.
    I also run Mandrake 8 on one of my PC's but Wilders is not where I would come for support for Linux based products at this time.
     
  15. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    I actually think XP will be the OS most Windows consumers stay on for a long time. Longhorn's requirements are going to be even more intensive and its features, security wise, won't be that great over Windows XP with SP2. Longhorn is almost being aimed at the gamer, with its 3D adapter support and such. I have not seen any 3d interface which is more suited/efficient for day to day work than what we are using at the moment, so I don't see its interface as something that beneficial. Certainly not something worth upgrading to as a feature on its own.

    There was a very good reason for upgrading from Win9x / ME to 2K/XP. The OS is more secure, more stable, etc. I cannot see many reasons for upgrading to Longhorn at this stage, it will require even more memory and an even faster CPU. Microsoft better get into the act of adding features that people need if they want people to upgrade to it. Otherwise it will get the same lacklustre response that Windows 2003 has received. :)

    -Jason-
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Spoken like a true diplomat, PW...
    Diplomacy - The art of saying "nice doggie" until you can find a rock. :D

    Read again what Pilli wrote...
    Pilli's words are a thinly veiled put-down of users of older OS. They are also a vote in favor of M$'s concept of forced obsolescence. They are also inaccurate.

    For instance, the spam deluge is causing the production of new anti-spam programs at an amazing rate. I have trialed 37 of the recent ones within the past month. NONE of them are limited to XP users. Not one!

    My friend has a mint-condition classic 1956 Chevrolet BelAir that draws envious glances everywhere it goes. By M$'s & Pilli's philosophy, there would be no parts support for that car, & it wouldn't be allowed on the road.

    I never said Pilli isn't a nice & helpful person. But everyone chews on his own foot from time to time, right? Or am I the only one? :p

    Around here, if someone dares take issue with, or even dare to quote, what *certain folks* say, it's construed as mud-slinging. :blink:

    Mele kalikimaka.........bellgamin
     
  17. Godzilla

    Godzilla AV Expert

    Joined:
    Nov 1, 2003
    Posts:
    63
    You can't compare Windows versions with cars.
    Of course you get repair parts and "support" for an older car.
    I can also give you Windows 3.11, even with a printed user manual.

    But in software development you have to take care of many more things.
    It starts with the kernel development (for instance drivers for antivirus solutions) and it goes over the system specific API functions in User Mode. Your spam programs don't have any "low-level" stuff inside. They are just plain programs such as Word or Excel. But applications like PortExplorer / TDS and so on have to be created specifically for each OS version, because of a "deep" walk into the Windows system functions. And Win95 doesn't provide the same functions as Windows XP for instance. It starts with different memory handling, different support of filesystems ( FAT vs. NTFS for instance ) and and and.

    Now what would you do as a software developer ?
    Creating 100 years of workarounds so that a software will run on a very old OS version just to please a very few people?
    And I bet my pants that by the moment you succeed with it, Microsoft does not even make any hotfixes for your old version any more - meaning you now have to handle a completely unsupported OS version. Oh well.
    This time you could have used to improve the actual version for the newer Windows versions.

    Regards,
    Michael
     
  18. Godzilla

    Godzilla AV Expert

    Joined:
    Nov 1, 2003
    Posts:
    63
    And speaking about cars i have also a very nice example :D

    Imagine this.....

    You have a 2001's Mercedes 280. Now, in the year 2004 comes the new 280.

    Does Mercedes take care that the wheels from the new 2004 car are allowed on your "old" car ?
    If you can use them, fine. If not, Mercedes doesn't care about this - because this car will be "out of public" soon.
     
  19. controler

    controler Guest

    Hi

    I know we are not allowed to say things like this but I am going to try sneak it in real quick anyways.

    God Almighty didn't even get it right the first time as far as I was taught.
    He created Adam and then decided Adam needed a friend so he created Eve. He then figured he needed more friends so he created Wilders :D
    I was just remembering the old days last night. In those days the Michelangelo virus was only being spread around the world via floppy drives in mainframes. Weren't those the good days, when life was simple?
     
  20. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @controler- Well said!

    On thread- a² looks to be the *best* anti-trojan freebie. I have read that its guard {rtm} is really really fast. True? If so, any idea how it achieves such speed?

    Off thread- It seems that every time michael posts, he has yet another user name {gladiator, xor, st michael -- what next?}. By the way, his latest nic {Godzilla} was a tall guy in a rubber suit. P.S.> I'm happy that michael is now able to afford a Mercedes 280.

    Back on thread- KAV is allegedly the best AV at defending against trojans. What's in 2nd place? {IMHO it's DrWeb}
     
  21. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    The same arguments you make for reasons to upgrade from Win9x etc to XP will probably be intact for going from XP to Longhorn. Your original statement:

    I actually think XP will be the OS most Windows consumers stay on for a long time.

    is a non sequitur when you think in terms of what holes will be uncovered as XP reaches end of life cycle support in 2007 as Longhorn is pushed out to consumers.

    http://www.microsoft.com/windows/lifecycle.mspx

    Most of us on older OS are waiting as long as possible so we can catch the latest OS (Longhorn) which should be good out to 2015.

    In the meantime we applaud those software developers who make their software compatible with older OSs who don't fall for the game which M$ must play in order to be an ongoing profit entity.

    BTW Win9x is not less stable when the user takes care to maintain the system properly (the stability issue is a function of poor software writing e.g. memory leaks etc). Also, going forward, I believe more vulnerability goes to where the majority of users exist. If you don't believe this, watch the holes which are uncovered in Linux when/if more users start to use it.
     
  22. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    AVs vs trojans, maybe NOD32 due to some unpacking and some good heuristics. I haven't tested that so its just a first thought.

    I have to say, Process Guard can be the best single tool. Trojan writers have all headed down the path of FWB injecting, usermode API hooking, and other stealth techniques. In the foreseeable future, there's nowhere else for them to go really (apart from polymorphic). PG ensures integrity of key parts of the system and really hurts those attacks :) I may be a little biased but prove me to be wrong?
     
  23. ano2

    ano2 Guest

    "In the foreseeable future, there's nowhere else for them to go really (apart from polymorphic)."

    My guess: They will patch a LoadLibrary (or the entire trojan) into other harmless applications. PG will not help. Cleaning will be difficult. Viral techniques at their best ...

    Some months ago, Aphex released the source code for a (buggy) static injector ...
     
  24. ano2

    ano2 Guest

    I forgot to mention that this is the reason why I would like to protect PG with the Windows SFC or, alternatively, PG may use its own integrity checker ...
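An integrity checker of the kind ano2 suggests here, added as an example (not Process Guard's, DCS's or any poster's code): it hashes the executables and DLLs under a directory into a baseline, then reports binaries that were patched in place, removed, or newly dropped. The file names, contents and the simulated same-size patch are all constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

BINARY_SUFFIXES = (".exe", ".dll")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large executables never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=BINARY_SUFFIXES) -> dict:
    """Record the hash of every binary under root: this is the trusted state."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }


def verify(root: Path, baseline: dict, suffixes=BINARY_SUFFIXES) -> dict:
    """Compare the tree against the baseline. A hash mismatch catches an in-place
    patch even when size and timestamp are unchanged; 'added' catches dropped DLLs."""
    current = build_baseline(root, suffixes)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline two fake binaries, overwrite a few bytes of one
    (same size, as a static patch would) and drop a new DLL, then re-verify."""
    root = Path(tempfile.mkdtemp())
    (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"original code bytes")
    (root / "helper.dll").write_bytes(b"MZ" + b"\x00" * 62 + b"helper code bytes")
    baseline = build_baseline(root)
    # On a real host the baseline would live read-only somewhere the malware cannot reach.
    (root / "baseline.json").write_text(json.dumps(baseline))
    with (root / "app.exe").open("r+b") as f:  # simulate a same-size in-place patch
        f.seek(64)
        f.write(b"PATCHED")
    (root / "inject.dll").write_bytes(b"MZ" + b"\x00" * 62 + b"dropped")
    reloaded = json.loads((root / "baseline.json").read_text())
    return verify(root, reloaded)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```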
     
  25. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    SFC again an important area, agreed
     