pe guard

Thx all

@winHole7:
you are welcome
I'll try to add these suggestions in the next version

And you are right about richness

@StevieO
There are no options in installation.

@jdd58
I d'nt know .

 

is PeGuard or does it have protection againts termination?

 

surely..
you can try

 

I spoke too soon lol.

Just about to remame the new folder to PE GUARD v1.1 and then put it in my installed Apps folder. Before i did i r-clicked on the PEG Setup file in that folder to try and find it's properties, file version etc. As it happens it's only the Installshield wrapper.

Anyways up pops PEG with this, and also intercepts and blocks setup properties from appearing



OK very good, these alerts last for several seconds before a 10 sec countdown starts. If you don't select anything it closes and then setup properties appears. When i was in the process of moving the folder to it's new location, i also got a PEG alert about the write attempt.

I repeated the process a number of times, and once i got a different alert after the first, warning of a System Restore point !

So all very good so far.

opaida

A suggestion, i think it might be better if there was no countdown, and the alert stayed there until a choice is made.

Well i must have a special version lol.



Only kidding, i presume that's just a generic message box that appears, and i initially thought something was missing, so i now realise you havn't included any options etc !

Are you using mchInjdrv.sys ?



I know it's usually safe as others use it, OA for eg.

 

cool yes it does indeed

 

A user had sent me a notice about the properties window of an exe file.
First he thought that PE Guard didn't work after revoking/denying access, becuase the properties window appeared.
I replyed that the Windows trys to get write access to the file when it shows its propereties and it will show the propereties even if there is no write access!!.

Thx for your suggestion.
I'll extend the value of timer.
I added the timer to prevent the program from bothering the users that playing games , or somthing like so.


Also, I don't know what mchInjdrv.sys is. And my program doesn't use it. :S

 

i believe that mchInjdrv.sys is part of the system files

 

Hi,

Thanks for your answers Opaida, it seems that StevieO agrees with me about the "auto-revoke timer" but, as You said, it may be useful when playing games so, an option to set the countdown time, from 0 second (disable) to what users want, might be appreciate by some of us...

Also, it warns You when You try to display the properties window of '*.exe', '*.sys' or '*.dll' files but, as mentionned in StevieO post, the window appears even if the "auto-revoke timer" reaches to zero.

About the 'PEG.exe' file termination protection: It doesn't work if You use the Windows Task Manager but, with Process Explorer from Sysinternals, You can kill it... Not directly by the "Kill Process" nor the "Kill Process Tree" function but, if You use the "Suspend" one before to click on "Kill Process" or "Kill Process Tree", it will be ended. (I didn't try with another software like Advanced Process Termination)
I don't know if this could be a problem against some malware...



See You...
_ernestoG_

 

PEG can be killed by quite a few methods. Also those using Process Hacker instead of Task Manager or Process Explorer can terminate the process.

 

i hope it is fix cause i am already puting this in my pc

 

Can anyone comment on if this program gives more or less pop-ups that Comodo HIPS? thanks!

 

less i say way more less

 

MchInjDrv by madshi: https://www.wilderssecurity.com/showpost.php?p=1532658&postcount=42

MchInjDrv.sys is SAFE, no worry about.


PROROOTECT

 

Thanks. I was going to say if it is the same, why not just run CIS, and get firewall and AV for only a few megs more. But if PE Guard is less of a annoyance, I can see the value in it.

opaida - thanks for the program and coming to the forums to answer peoples questions!

 

i am testing it and to tell you that this is very promising program

what i like about this peguard is that it has a count down from 10 to 0 and if you dont respond to the alert the ofending program/virus/etc will be block from writing/executing and the security alert will banish/fade away cool

 

Interesting, on trying out a few more r-click properties as i showed earlier, i noticed in Task Manager PEG was on Zero CPU cycles, and the Memory usage doesn't change from 7,816k either !

jmonge

Yes thanx i realise that, just wondered if PEG was using it. Must be something else, so i'll investigate.

Is that so ? See mine and winHole7's posts above regarding this. Can anyone clarify this one way or the other ?

winHole7

I didn't realise you'ld also made a suggestion about the timer, sorry !

 

10 seconds is long enough to decide to apply yes/no well at least for me

 

jmonge

I wasn't talking about the 10 Secs timer in my last post, but this -

I'm not sure if whatever will be automatically blocked after the Timer ends, that's what i'm asking for clarification on, not the 10 Secs ?

 

ah i see it is very convinient this way in my opininon anyway the pop up will apear when drive by or when you are installing files why do you think or what do you think about it?

 

jmonge

Well the CPU cycles/Memory usage is remarkable for one thing ! Early days, but looking good so far.

opaida

Hi, can you clarify whether things will be automatically blocked after the Timer ends, or ?

 

i tested againts couple of malware and they were auto-block which is cool but opaida can confirm this
i will test it again to see

 

Hi again You all,

Lots of attractive posts; thanks for that "WSF" members

Here the results I found after some tests.

When the warning window is displayed, if we click on :

"ALLOW", then the process specified below "Process:" will be autorized to access to the file mentionned below "PE File:" but, only one time so, a new access of this process to this same file will warn us again.


"ALLOW" with "Apply to this pair always." checked, the process specified below "Process:" will always be autorized to access to the file mentionned below "PE File:" so, a new access of this process to this same file won't warn us anymore.


"ALLOW" with "Apply to this process always." checked, the process specified below "Process:" will always be autorized to access to any file and not only the one mentionned below "PE File:" so, a new access of this process to any file won't warn us.


"REVOKE WRITE ACCESS", the process specified below "Process:" isn't autorized to access to the file mentionned after "PE File:" (only one time so, new access means new warning) and it seems that any process won't be able to get a write access to it too.


"REVOKE WRITE ACCESS" with "Apply to this pair always." checked... Same as above but there will be no warning window anymore (same "Process:", same "PE File:")


"REVOKE WRITE ACCESS" with "Apply to this process always." checked... Same as above (same "Process:") but for all files and not only the one stated after "PE File:".


"PREVENT ANY ACCESS"... Same as "REVOKE WRITE ACCESS" but all access types are denied (read, write...)


"PREVENT ANY ACCESS" with "Apply to this pair always." checked... Same as "REVOKE WRITE ACCESS" with "Apply to this pair always." checked but all access types are denied (read, write...)


"PREVENT ANY ACCESS" with "Apply to this process always." checked... Same as "REVOKE WRITE ACCESS" with "Apply to this process always." checked but all access types are denied (read, write...)

-

I'm not sure to be really right so, if someone gets different outcomes, please let us know...

-

The properties window of a file is displayed even if we block (revoke/prevent) the "explorer.exe" process... See a previous message from StevieO for details.

Last thing, about the "REVOKE WRITE ACCESS", it seems to occur the same thing if we click on it or if we wait for the timer's end...
The "Apply to this pair always." or "Apply to this process always." boxes can also be checked before the countdown reaches to zero, it works.

-

No problem, it's interesting to see that I'm not the only one to request for a timer setting (enabled and set at 10 seconds for jmonge and quick men / increased or disabled for slow ones like us )
And, for a full screen application (video players, games...), an "always allowed mode/always denied mode" setting could maybe be useful.

See You all...
_ernestoG_

 

Hi,
About termination: It's not a problem at all, cause there are two cases:
1. a virus trying to kill PE Guard, and it will fail like Task Manager.
2. a rootkit trying to kill PE Guard, and it will fail because it need to write a .sys file to do that.

It's user problem if he wants to kill my program(manually by Process Hacker for example). But he won't because there is Exit option .

.
.
I'll explain the options and timer in the alert window:
When an alert appears, The user can choose one action from three available actions:
1. "ALLOW": Allow the process to get write access to the requested file.
2. "REVOKE WRITE ACCESS": The process is allowed only to get a read access to the requested file.
3. "PREVENT ANY ACCESS": Send Access Denied to the process.
Now, the default action is "REVOKE WRITE ACCESS", so when the countdown timer reaches 0, the default action will be selected automatically(that is why the offending process blocks after countdown timer ).

The timer length = 10 sec (before appear) + 10 sec (countdown).

The 2 checkboxes are independent of the selected action:
1. "Apply to this pair always.": by "this pair", I mean this process only and this file only.
2. "Apply to this process always.": this process only and any file.


examples:
You have an alert about process "X" and file "Y":
*if you choose "ALLOW" without checking any checkbox then process "X" will be allowed to access the file for one time only, if it try to do so, the alert will re-appear.
*if you choose "ALLOW" and check "Apply to this pair always.", then whenever process "X" trying to access file "Y" it will be allowed. (if you choose "revoke"/"deny" it will be "revoked"/"denied" always). If process "X' try to access another file, the alert will appear.
*if you choose "ALLOW" and check "Apply to this process always", then process "X" will be allowed to access any file.(if you choose "revoke"/"deny" it will be "revoked"/"denied" always).
*if you choose "ALLOW" and check "Apply to this prcoess always" and "Apply to this process always", then we are in the last case.


NOTE: although I display the full path of the exe file of the process, I identify the process by its PID(Process ID), So if the process was killed and rerun it will have a new PID and PE Guard will identify it as a new process.


GOOD NEWS: I've changed the countdown timer. Now it will be stopped if the ueser move the mouse over the alert window, I think that's batter.
THX all .

-sorry for bad English-

Best Regards.
Opaida.

 

Nothing wrong with your english Opaida. I can understand you just fine.

From what I've read in this thread, this program seems to be very simple to use. Great work.

 

good job opaida ,by the way do we have to install the program to get it updated?thanks