PG & RegDefend ?

Discussion in 'ProcessGuard' started by TouchuvGrey, Jul 29, 2005.

Thread Status:
Not open for further replies.
  1. TouchuvGrey

    TouchuvGrey Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    441
    Location:
    South Mississippi USA ( ya'll )
    With the recent discontinuation of TDS-3 I am rethinking my defense strategy. I run NOD32 and PG, I'm trialing Ewido and am considering RegDefend. Do they play nice together? Would having both PG and RegDefend be unnecessary overlap?


    Mike
     
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    I have, in the past, run all of these products concurrently in real-time, with no problems. However, NOD32 was only in trial mode. My primary real-time AV is Kaspersky 5.0.

    There is almost no overlap between PG and RegDefend. PG is 1) alerting on new, possibly unauthorized, executables, 2) preventing installation of possibly unauthorized drivers/services/rootkits/keyloggers, and 3) guarding authorized processes against unauthorized terminations. RegDefend is alerting on new, possibly unauthorized entries into the registry which could harm the system.

    My current setup is: KAV, Ewido, PG, RD, and WormGuard (to guard against unauthorized scripts).

    Hope this helps,
    Rich
     
  3. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Regdefend also covers service/driver installation by monitoring the ImagePath value in HKLM\SYSTEM\CurrentControlSet\Services\*.

    The recent ProcessGuard bug was not an issue if Regdefend was active because it also alerts when a driver is installed. This is not a bad overlap given that stopping driver/service installation is quite important.

    That was one of the reasons that the recent PG bug of allowing drivers to be installed was verified so easily. The initial issue was seen during a Regdefend install because the RD driver was installed with no alert from ProcessGuard. I also got an alert from RegDefend during some other software installations but no alert from ProcessGuard (due to the same services.exe issue that Wayne has offered a workaround for).

    Regdefend also overlaps in that it protects the value AppInit_DLLs in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows, as this is another method to get DLLs loaded into 32-bit processes.
     
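    The two registry locations gottadoit names above (service/driver ImagePath values and AppInit_DLLs) can be watched with a simple baseline-and-diff script, as an added example that is not RegDefend's or ProcessGuard's code. It assumes the baseline file path below, PowerShell 3.0 or later for the JSON cmdlets, and an elevated prompt; the first run writes the baseline, each later run reports entries that were added, changed or removed since then.

```powershell
# Added example (not RegDefend's or ProcessGuard's code): snapshot the registry
# locations discussed in the thread and report new or changed entries.
$ServicesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$AppInitKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$BaselinePath = "$env:ProgramData\regwatch-baseline.json"   # assumed location

function Get-WatchedRegistryState {
    $state = @{}
    # One entry per service/driver subkey: the ImagePath is the binary that gets loaded
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $props.ImagePath) {
            $state["Services\$($_.PSChildName)\ImagePath"] = [string]$props.ImagePath
        }
    }
    # AppInit_DLLs: every DLL listed here is loaded into processes that load user32.dll
    $win = Get-ItemProperty -Path $AppInitKey -ErrorAction SilentlyContinue
    $state['Windows\AppInit_DLLs'] = [string]$win.AppInit_DLLs
    return $state
}

function Compare-WatchedRegistryState($Baseline, $Current) {
    foreach ($key in $Current.Keys) {
        if (-not $Baseline.ContainsKey($key)) {
            [pscustomobject]@{ Change = 'Added';    Key = $key; Old = $null;          New = $Current[$key] }
        } elseif ($Baseline[$key] -ne $Current[$key]) {
            [pscustomobject]@{ Change = 'Modified'; Key = $key; Old = $Baseline[$key]; New = $Current[$key] }
        }
    }
    foreach ($key in $Baseline.Keys) {
        if (-not $Current.ContainsKey($key)) {
            [pscustomobject]@{ Change = 'Removed';  Key = $key; Old = $Baseline[$key]; New = $null }
        }
    }
}

$current = Get-WatchedRegistryState
if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) entries)."
} else {
    $baseline = @{}
    (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = [string]$_.Value }
    $changes = @(Compare-WatchedRegistryState $baseline $current)
    if ($changes.Count -eq 0) { Write-Host 'No changes to watched keys.' }
    else { $changes | Format-Table -AutoSize }
}
```

    A newly installed driver or service shows up as an 'Added' Services\...\ImagePath row, and any change to AppInit_DLLs as a 'Modified' row; unlike RegDefend this only reports after the fact rather than blocking the write.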
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi gottadoit,

    Thanks much for the additional information and explanation. Very helpful.

    Regards,
    Rich
     
  5. 0_o

    0_o Guest

    Those programs make up a good rounded protection setup ;)
     