MD5 for dlls

Discussion in 'ProcessGuard' started by hojtsy, Mar 15, 2004.

Thread Status:
Not open for further replies.
  1. Andreas1 (Security Expert)
     Joined: Jan 29, 2003 | Posts: 367 | Location: Mainz (Ger)

     there's a WG4 beta out there o_O ;)

    Gavin, please read my post again:
    "generically block/alert on any attempt to gain write(/delete) access to an *.exe or *.dll file"

    is not something PG 2 b4 does and I don't think ProcessGuard will do it very soon. It is something WormGuard will alert about, but just when it's a script that tries to gain that access, not when it's an exe. So that's why I thought a future WormGuard would be the right spot for such a generic blocking/alerting...
    And I think this is the logical consequence when you combine the "but-you-have-to-explicitly-allow-the-exe-that-will-do-the-dll-modification" with the "but-we're-talking-about-protection-that-works-after-the-user-uncarefully-allowed-it" argument...

    I don't mean to start the discussion all over, tho. As I said, I'm sure you have dll protection somewhere on the roadmap and that is what is sufficient for me.
     
  2. hojtsy (Registered Member)
     Joined: Dec 28, 2003 | Posts: 351

    Wow, how hot this topic is becoming!

    To Spy:
    Your posts seem contradictory.
    1) Once you argue that no malware can ever execute on your multi-layered security config. Then you argue that PG is needed because some malware can eventually execute. Got you! If malware can execute after all, it is meaningful to make PG even more secure.
    2) You already have near 10 security software running, and you don't think that is much, but one more (the imaginary File Guard) would be way too much?? 10 shields are necessary, but 11 are too much? And how do you know the resource needs of it? I'll show you a test! Do you know the application FileMon from Winternals:

    http://www.securityfocus.com/tools/1462/scoreit

    It monitors every file system activity. You can test how much it slows down your computer. And it monitors everything, not just the rare write operations to exe and dll files.

    To Gavin,
    New beta of what? Are there some new exciting features to chew on?

    To Jason,
    You convinced me: typical future trojans could also be stopped by PG1.3. I only expect a small fraction of trojans aiming to trick PG specifically, and generally they will not try to trick any security software.

    To Andreas,
    I love your optimism. ;)

    have a nice day
    -hojtsy-
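The "File Guard" hojtsy sketches above, a tool that watches only the rare writes to exe and dll files, can be approximated without a kernel driver by a baseline-and-compare integrity check. The following Python script is an added example, not code from this thread or from any DiamondCS product: it hashes every .exe/.dll under a directory with MD5 (the thread title's choice) and SHA-256, stores a baseline, and reports which files were rewritten, dropped in, or removed. The directory layout, file names and file contents in demo() are all constructed for the demonstration.

```python
"""Baseline-and-compare integrity check for .exe/.dll files (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Only the file types the thread is concerned with are watched.
WATCHED_SUFFIXES = {".exe", ".dll"}


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash one file with each algorithm, streaming so a large DLL is never fully loaded."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def snapshot(root):
    """Map every watched file under root (relative POSIX path) to its digests."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WATCHED_SUFFIXES:
            result[path.relative_to(root).as_posix()] = hash_file(path)
    return result


def diff_snapshots(baseline, current):
    """Classify changes between two snapshots; a digest mismatch means a rewrite on disk."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a fake program directory, then simulate changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for a program and its library; the "MZ" prefix is cosmetic.
        (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"fake program image")
        (root / "lib").mkdir()
        (root / "lib" / "helper.dll").write_bytes(b"MZ" + b"\x00" * 62 + b"fake library image")
        (root / "readme.txt").write_text("not watched")  # wrong suffix, so ignored
        baseline = snapshot(root)

        # The three events a "File Guard" would want to flag: a DLL rewritten in place,
        # a new DLL dropped next to the program, and the original exe deleted.
        (root / "lib" / "helper.dll").write_bytes(b"MZ" + b"\x00" * 62 + b"patched library image")
        (root / "lib" / "dropped.dll").write_bytes(b"MZ" + b"\x00" * 62 + b"new library")
        (root / "app.exe").unlink()
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Run it as a script and it prints the three change lists for the constructed tree. Unlike the driver-level file access locking Gavin mentions later in the thread, a check like this only notices a change on the next scan, so it is a detection aid rather than a block; and because MD5 collisions are practical today, the SHA-256 column is the one the comparison should actually rely on.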
     
  3. gkweb (Expert Firewall Tester)
     Joined: Aug 29, 2003 | Posts: 1,932 | Location: FRANCE, Rouen (76)

    This thread is really interesting, thanks to hojtsy for sharing his ideas about file access monitoring, I'm sure this idea can interest DCS :)

    Everyone has good arguments, and I'm sure Jason, Wayne, and Gavin have read this, and who knows what we will see in the future?

    Thanks all for this good reading :)
     
  4. Gavin - DiamondCS (Former DCS Moderator)
     Joined: Feb 10, 2002 | Posts: 2,080 | Location: Perth, Western Australia

    My mistake, sorry Andreas and everyone :) On that, though, the driver will be shared among TDS and WormGuard for Execution Protection and file access locking/protection.

    To hojtsy:
    You convinced me: typical future trojans could also be stopped by PG1.3. I only expect a small fraction of trojans aiming to trick PG specifically, and generally they will not try to trick any security software.

    Well, as trojans pass through, we look at real world risks. PG already stops any trojan that has been produced with the last 2+ years of development of injectors and rootkits and other "new" technologies that trojan authors use. The trojan scene is something I have studied for many years now and this is of benefit of course ;) I doubt even any private malware has ever been developed (unknown threats are also estimated and accounted for) which can inject or rootkit - real rootkitting requires a driver, which can be blocked. So we think it's a pretty good addition to layered security :)
     