Information Request

Discussion in 'ProcessGuard' started by dallen, Apr 13, 2004.

Thread Status:
Not open for further replies.
  1. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    I have looked at all the information that I can find regarding PG. I am considering the purchase; however, a few concerns need attention.
    It seems that in order for PG to be effective, one needs to know which processes need protection and which do not. Where can one find information regarding this?
    Due to the excessively long amount of time the development of TDS-4 is taking, I have been delaying the purchase of PG. The reason is that I want to know which software will come with my "Free upgrade", so I can determine first if I like the outcome, and second which programs I need and which I don't. For example, I don't want to double-purchase PG because I later find that it comes with one of the other pieces.

    Any information that can help me is appreciated, or anyone that can tell me where to find this information is also appreciated.
     
  2. rodsoto

    rodsoto Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    77
    Location:
    Australia
    Hi Dallen,

    The main programs that PG should be protecting are all your security-related applications such as anti-virus, anti-trojan and firewalls. This is so trojans do not terminate these processes before executing their payload. It's also nice to protect the running services that are on your system; this prevents trojans injecting themselves into running processes. I've applied it to every application that is constantly running, like my webserver, IRC server etc. If I installed a trojan on this system, I don't want it to take down my webserver and thus no website for people to visit.

    With regards to TDS-4 and PG, I'm not sure what you mean, so I'll try my best to answer that. I doubt TDS-4 will include 'PG' as part of its package; only the technology used in PG will be included in TDS-4. Possibly (and I'm speculating here) it will use PG technology to replace the Execution Protection that is currently available in TDS-3. PG currently takes an md5 checksum of every file executed and awaits permission to execute; this is done by a kernel driver. TDS-4 will possibly utilise the same technology for execution protection, or other forms of protection which currently aren't available in TDS-3.

    Hope this helps.

    All the best
    Rod
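    The execution-permission idea Rod describes above (hash every executable, then ask the user and remember the answer) is easy to sketch in code. The following is an added example written for this page, not code from Process Guard or DiamondCS; it runs in user mode on any OS, so it only illustrates the policy logic, not the kernel driver PG uses. The file names, the digest store and the `demo()` walk-through are all constructed here. It defaults to sha256 rather than the md5 the post mentions because md5 collisions are practical today, and an allowlist keyed on a collidable hash can be fooled.

```python
import tempfile
from pathlib import Path
import hashlib

ALLOW, DENY, ASK = "allow", "deny", "ask"


def file_digest(path, algo="sha256"):
    """Hash a file in chunks. PG keys on md5 (per the post); sha256 is the
    safer choice for an allowlist, so it is the default here."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ExecutionPolicy:
    """Remembers, per executable path, the digest the user approved or denied.
    Hypothetical class written for this example."""

    def __init__(self, algo="sha256"):
        self.algo = algo
        self.rules = {}  # str(path) -> (digest, decision)

    def remember(self, path, decision):
        if decision not in (ALLOW, DENY):
            raise ValueError("decision must be allow or deny")
        self.rules[str(path)] = (file_digest(path, self.algo), decision)

    def check(self, path):
        """Return (decision, reason). Unknown or changed files fall back to ASK,
        which is the conservative answer: a stored 'allow' must never carry
        over to a binary whose contents no longer match."""
        digest = file_digest(path, self.algo)
        rule = self.rules.get(str(path))
        if rule is None:
            return ASK, "never seen this executable"
        known, decision = rule
        if digest != known:
            return ASK, "contents changed since the stored decision"
        return decision, "matches stored %s" % self.algo


def demo(algo="sha256"):
    """Constructed walk-through: three fake 'executables' in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d, "firewall.exe")
        good.write_bytes(b"MZ firewall build 1")
        bad = Path(d, "dropper.exe")
        bad.write_bytes(b"MZ dropper")
        new = Path(d, "unknown.exe")
        new.write_bytes(b"MZ something else")

        policy = ExecutionPolicy(algo)
        policy.remember(good, ALLOW)
        policy.remember(bad, DENY)
        results = {
            "approved": policy.check(good)[0],
            "denied": policy.check(bad)[0],
            "unknown": policy.check(new)[0],
        }
        # Patch the approved binary in place, as a trojan replacing or
        # infecting it would: the stored allow must not survive this.
        good.write_bytes(b"MZ firewall build 1 + injected code")
        results["patched"] = policy.check(good)[0]
        return results


if __name__ == "__main__":
    print(demo())
```

    The point of the `patched` case is that a hash-keyed rule is tied to file contents, not to a path or a name, so a replaced or infected binary drops back to the prompt. A real implementation also has to do the hashing before the image is mapped for execution, which is why PG does this in a kernel driver rather than from a user-mode watcher.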
     
  3. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Process Guard will be (and is) a separate product. Will there be purchase deals later on combining TDS-4 and Process Guard? Quite possibly. Since you have already purchased TDS-3 these most likely won't apply to you. But I can tell you we won't be bundling Process Guard with the "free upgrade" to TDS-4; they are separate programs.

    I hope this clears it up. :)

    -Jason-
     
  4. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    OK. That does clear up some questions, but will the helpfile that comes with PG be extensive? In other words, will it give me a lot of information that will answer other questions I might develop?

    Another important question: it seems that in order to be effective, PG would have to be installed initially with Windows. I say this because it seems like PG only protects processes from getting corrupted. I'm talking above my head, but can you comment on the reliability of installing PG on a "clean" system compared to an existing system? Thanks.
     
  5. rodsoto

    rodsoto Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    77
    Location:
    Australia
    PG can be installed on an existing system, but it's targeted at those existing systems that are not infected by trojans. So if your PC is free of trojans, then you can install PG. You can install PG even if you have an infected system, but you will have to go through the execution permission list and check which programs are rogue and which are not.
     
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Hi Dallen,
    Here's a few answers to some of your questions...

    For the free version of PG (which allows you to protect 1 process), add protection for the security program on your computer that you feel is most likely to be attacked by rogue software such as trojans; your firewall, antivirus, anti-trojan etc. programs are usually good choices here.
    For the full version of PG (which allows you to protect as many processes as you like), Process Guard will actually ask you when you first run it if you'd like it to automatically create a list of processes to protect. Just click Yes and you'll immediately have most of your system protected like it has never been before. Then all you need to do is add your security programs to the list, and you're done. From that point on you'll rarely need to change the configuration of PG; it's the sort of program you can essentially set and forget, and it will continue providing extremely powerful protection.

    The helpfile is included in the free evaluation version which allows you to protect one process (such as your firewall or other security program), and yes it has a lot of information in it. A lot of your questions about Process Guard will be answered simply by trying the free version, and as that also comes with the helpfile I encourage you to give it a go.

    To help ensure high levels of integrity, yes, it's good practice to install integrity-related programs such as Process Guard immediately after installing the OS itself, but even if the system has been compromised, installing PG may actually be all it takes to stop the problem. For example, if a trojan infects your system and tries to hide itself by injecting into a system process such as winlogon.exe, explorer.exe etc., then Process Guard will block the injection. Most trojans that inject into other processes delete themselves from disk; a good example of this is the Beast trojan. So when the Beast trojan is blocked by PG from injecting into a process (which blocks the infection), it then deletes its own file. The result: the trojan has essentially disinfected itself, simply because PG blocked its injection attempt. That's just one example.

    Best regards,
    Wayne
     
  7. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Despite my frustration regarding the release of TDS-4, I still feel that among the computer security software providers that I trust to protect my system Diamond CS is one of the best and this forum is home to some of the best sources of information (even though I get pissed off at some of them from time to time). I am the first to complain when I don't like something, so let me be the first to compliment something I like. I appreciate the thoroughness of the responses to my question, specifically that of Wayne - DiamondCS. For this reason, along with my trust in Diamond CS, I will purchase the full version of Process Guard. Thank you.
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Dallen, Process Guard, to me, is now my number one security programme. Having a router protecting my network and Process Guard protecting applications & processes is just brilliant :)
    As Wayne says, once you have all of your security applications protected (which can take time to get right), Process Guard sits quietly in the background using negligible resources, and all without the need for daily updates.

    All part of a good layered defence.
     
  9. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    I just got my license, so I will install it now. Of course I use TDS-3 and it tells me my system is clean, so I think that I will not reformat my system. However, eventually down the road, when I do end up giving Windows a "clean" installation, I will install PG right after Windows; that is the order I should do it, correct? I've never really paid much attention in the past to the order I install things. Usually I install Windows, then Zone Alarm, then I perform the updates to Windows, then NAV, TDS, etc. Now it seems that since PG is critical to the protection of the integrity of the security software, maybe it should come before the firewall even.
     
  10. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Personally I'd install other trusted security software first, with PG being the last security program installed. This way PG won't interfere with any installation of drivers or anything like that, and then you can start adding the other security programs to Process Guard's protection list straight away. But yes, it would be a good idea to install PG before you start installing any other applications.

    Security software is useless if it isn't running (ie. if it has been terminated), firewalls included. Process Guard secures your security processes from such attacks, keeping them alive when they're needed the most.

    A firewall is essentially just a program designed to filter what is allowed in and out. In the case of what is allowed out, the program that is sending the packets is obviously already running on the system, so usually all it has to do to render your firewall useless is terminate the firewall's process. With Process Guard on the system it won't be able to terminate the firewall ... nor will it be able to suspend it, or modify its memory, or anything of the sort, essentially securing your firewall (and all of your other security programs) from attack.

    Best regards,
    Wayne
     
  11. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    http://web.ics.purdue.edu/~dallen/Screenshot.jpg

    Please tell me if there is anything above that looks incorrect. Also, I want to add the essential files to protect Norton Antivirus 2004. However, I'm not sure which executables I should include. Should I protect LiveUpdate for NAV as well? Oh, MSIMN.EXE seems to be Outlook Express, but I don't use that program, so should I remove it, or is it one of those programs that's essential for Windows to function even though it shouldn't be? One last question: I noticed in the helpfile that it states,
    Which files within NAV should this apply to, and could you give me an example of some other common "resident security processes", so I can enable Close Message Handling on those?
    Thanks for any insight into this. I like this program.
    -------------------------------UPDATE--------------------------------
    I have since added taskmgr.exe to the protected processes.
     
    Last edited: Apr 16, 2004
  12. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, dallen

    The image of the svchost.exe rules looks right to me.
    Two posts down, [Baldrick] is asking about the setting of Norton Antivirus 2004 in PG.

    Hope this is of some help
    Regards
    TheQuest :cool:
     
  13. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    TheQuest,
    Thanks for the info. I saw that post, but the user seemed to be inquiring about NIS and I run Zone Alarm Pro. I recognized some of the files mentioned, but I wasn't sure which were specific to Norton Internet Security. Can anyone help me get this straight? I imagine that the LiveUpdate files are the same, but a list of all the .exe files that apply to someone running Norton SystemWorks with NAV 2004 Pro would help me tremendously. Thanks again.
     
  14. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi Dallen,

    Below is my NAV2004 setup in PG. There are still differences between users about which privileges to give or not, but the following works great without any logging and, above all, without interfering with NAV's functionality.
     


  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Hi Dallen

    Looked over your setup. Couple of quick comments.

    1. For ZoneAlarm, the two applications that need to be protected are zclient.exe and vsmon.exe. zclient.exe is located where zonealarm.exe is located; vsmon.exe is located in c:\windows\system32\zonelabs\

    The file zonealarm.exe is not needed.

    2. SpywareBlaster. Assuming this is Javacool's program, you don't need to protect it. It isn't a running process. When you set protections with SpywareBlaster, it sets kill bits in the registry, and that's it. However, if you use Javacool's SpywareGuard, that should be protected.

    Also I would recommend protecting anything that can connect to the internet.

    I also include Outlook, since I do use it for another e-mail server I have. I also include my AOL software, upgrade programs for QuickBooks, etc. I find Port Explorer a great tool to see what software is actually making connections, although Zone Alarm does that also.

    Pete
     
  16. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Dallen, you can add Close Message Handling to procguard.exe, Port Explorer & TDS-3. Enable General Protection "Block End Task".
    To check that they are protected, use Advanced Process Termination (APT) K1 - K7. Kill 7 checks the close message handling method. APT is available as a free download from DiamondCS.
    To check whether an app with Close Message Handling has protection without using APT, use Faber Toys or Process Explorer and look for procguard.dll listed with the protected process.
    Also watch your logs for multiple block entries and, if necessary, add the application or make the allows to protected list items.
    See the screenie below for CryptoSuite shown with the procguard.dll loaded.
     


    Last edited: Apr 16, 2004
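    Pilli's advice above to watch the log for repeated block entries, and Wayne's earlier description of a trojan injecting into a process and then killing it, both amount to a small triage rule: group blocked actions by (acting process, protected process), and decide whether a cluster is the user's own software needing an allow rule or something that deserves the block. The script below is an added example written for this page, not DiamondCS code; the log layout, the `TRUSTED` set and every sample line are constructed here (the real PG log format is not shown in the thread, so the regex will need adjusting to it), and `server.exe` is a made-up name for an unknown process.

```python
import re
from collections import Counter

# Constructed sample log in a hypothetical "timestamp BLOCKED actor -> target : action"
# layout. Process names are the ones discussed in this thread; server.exe is invented.
SAMPLE_LOG = """\
16/04/2004 10:02:13 BLOCKED taskmgr.exe -> zclient.exe : terminate
16/04/2004 10:02:15 BLOCKED taskmgr.exe -> zclient.exe : terminate
16/04/2004 10:02:16 BLOCKED taskmgr.exe -> zclient.exe : terminate
16/04/2004 10:40:07 BLOCKED explorer.exe -> procguard.exe : close message
16/04/2004 11:12:55 BLOCKED server.exe -> vsmon.exe : write memory
16/04/2004 11:12:55 BLOCKED server.exe -> vsmon.exe : write memory
16/04/2004 11:12:55 BLOCKED server.exe -> vsmon.exe : write memory
16/04/2004 11:12:56 BLOCKED server.exe -> vsmon.exe : suspend
16/04/2004 11:12:56 BLOCKED server.exe -> vsmon.exe : terminate
"""

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) BLOCKED (?P<actor>\S+) -> (?P<target>\S+) : (?P<action>.+)$"
)

# Programs the user runs deliberately; blocks caused by them are usually the user
# closing a window or ending a task, which PG's "Block End Task" stops on purpose.
# Hypothetical set for this example.
TRUSTED = {"taskmgr.exe", "explorer.exe", "procguard.exe"}


def parse(log_text):
    """Return a list of (actor, target, action) tuples for every BLOCKED line."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append((m["actor"], m["target"], m["action"]))
    return events


def triage(log_text, threshold=3):
    """Cluster blocked events per (actor, target) and label each cluster.

    Counting across actions matters: write memory + suspend + terminate against
    one security process is the inject-then-kill pattern, even if no single
    action repeats often enough on its own to look like noise.
    """
    counts = Counter(parse(log_text))
    per_pair = Counter()
    for (actor, target, action), n in counts.items():
        per_pair[(actor, target)] += n

    findings = []
    for (actor, target), n in sorted(per_pair.items()):
        if n < threshold:
            continue
        actions = sorted(a for (x, t, a) in counts if (x, t) == (actor, target))
        if actor in TRUSTED:
            verdict = "noise"
            advice = "add %s to the protected list and allow %s on %s" % (
                actor, "/".join(actions), target)
        else:
            verdict = "suspicious"
            advice = "keep the block; investigate %s (%s against %s)" % (
                actor, "/".join(actions), target)
        findings.append({"actor": actor, "target": target, "count": n,
                         "actions": actions, "verdict": verdict, "advice": advice})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-10s %s -> %s x%d: %s" % (f["verdict"], f["actor"], f["target"],
                                         f["count"], f["advice"]))
```

    The single explorer.exe entry falls below the threshold and is ignored, the repeated Task Manager kills of zclient.exe are classed as the user's own doing and get an allow-rule suggestion, and the unknown process that writes memory, suspends and then terminates vsmon.exe is left blocked and flagged. The threshold and the trusted set are the two knobs a practitioner would tune to their own machine.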
  17. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Thank you everyone for all this valuable information. I have made most of the changes that you all have suggested. One function that I've found within PG is the option to save the protection list. Wouldn't it be helpful if there were a way to restore the protection settings, i.e. the option to load a protection list? Just a thought. Is this possible? Or is it already possible? I would appreciate any thoughts on this suggestion. Thanks again.
     
  18. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Probably the easiest way to save your configuration is to back up the following two files.
    \windows\system32\
    pguard.dat & pghost.dat

    The method for doing this is described in the Tips, Tricks & FAQ's thread above.

    Your request for this to be available from within PG's GUI is already in the Process Guard wish list.

    HTH Pilli
     
    Last edited: Apr 17, 2004
  19. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Hi Dallen :).

    Have a look at the Process Guard Tips, Tricks & FAQ's here, on how to backup your settings (pguard.dat and pghash.dat) - second last post here.

    If you ever need to restore your settings from your currently saved pguard.dat and pghash.dat, just disable Process Guard and terminate dcsuserprot.exe. Then copy/paste your backup of pguard.dat and pghash.dat into the C:\windows\system32 folder (if your drive letter is C:\), overwriting the old ones, and then restart your computer.


    Regards,
    Jade.
     
  20. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Damn you people are smart!!! You are the reason I continue reading this forum. Thanks, once again.
     