Please convince me!

Discussion in 'ProcessGuard' started by Rudy nework, Jan 17, 2004.

Thread Status:
Not open for further replies.
  1. Rudy nework

    Rudy nework Guest

    I see myself as a real security geek, always trying to run my box as safely as possible.

    I trialed the freeware version of PG (1 process) and I liked it. But:

    Why should I buy the full version? What more does it offer than Abtrusion Protector?

    I run Abtrusion Protector on a 100% clean system, and (almost) never install downloaded software.

    How can a trojan or virus disable, unload, or let's say .DLL-inject the processes of safety programs (firewall, AT & AV) without executing locally on my box?

    Nothing that executes runs when Abtrusion P is installed and configured properly.

    So what more protection does Process Guard give?

    Abtrusion Protector protects its own processes also (kernel-driven util, just like PG).

    Convince me that I'm still in danger (technical is OK), and I swear & promise I'll buy PG Full immediately!

    Rudy
     
  2. Rudy nework

    Rudy nework Guest

    I forgot to add:

    Abtrusion Protector even protects against the new Hacker Defender rootkit > you can't even install it :) I tried.

    I also tried to run Beast, Optix, SubSeven, Bionet, Donald Dick and many more.

    None of these "so called" dangerous trojans could run, no server, no client, nothing.

    So what more does Process Guard offer?

    Regards,

    Rudy
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    I run Abtrusion Protector also and it is one of the keys in my security protection. It will stop all compiled code for sure, but it may not stop scripts. So just to be safe (layered security concept) I also run PG. Besides, if it cost $150 or something I'd maybe agree, but at $19, to me it's a no-brainer.

    Pete
     
  4. Rudy nework

    Rudy nework Guest

    To protect against scripts I use:

    -Disabled scripting in Internet Explorer
    -Script Defender (from Active X)
    -AVG freeware
    -Pest Patrol
    -ZA Pro 4 with web filtering

    I guess I don't need to be afraid of it ;)

    Rudy
     
  5. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Of course you are still in danger :)

    Not everyone likes the following logic, but it is true nonetheless.

    What if you willingly download something you want, something you think is OK, but in fact is spyware or a trojan?
    When you launch it, in order to let it run, you will allow it to run in AP, obviously.
    And what if the launched executable then starts to inject itself into your trusted processes and, why not, kills your firewall, installs a keylogger and sends private information to a remote database?

    You may think it's a rare case; I will just say to you that one time I downloaded a screensaver from an official site and the setup was full of spyware. It could have been trojans.

    Any sandbox software can be bypassed, not directly, but because of your mistakes.
    If you think you are a god and will never make any mistakes, then maybe PG isn't for you :)

    Nothing you don't want, maybe...
    Imagine the following case:

    Your browser, of course allowed, executes a script and kills your
    security software. Can AP prevent this? No.
    Can PG prevent this? Yes.

    I could give you many other cases, but some will say they are very rare cases, so it's up to you to think about what makes you feel better ;)
     
  6. Rudy nework

    Rudy nework Guest

    Of course GKweb, when you manually execute downloaded software, and you give launch permission in Abtrusion Protector and you're very unlucky and the package is infected > you're doomed.

    But NO software can prevent mistakes made by the user. The computer is only as safe as the person using it. No matter how many safety utils you run, if you persist in the evil, you can mess every PC up.

    If I download software (which is VERY rare) I always check it with AVG, Pest Patrol, RAV online, and if it is not too big with Kaspersky online too.

    If none of these detect anything, chances are very small it contains dangerous code. But of course the chance still exists if it is brand new malware.

    Please GKweb tell me about the many other possibilities (rare cases) you know of to bypass Abtrusion Protector. You got me interested. If it is not too much trouble for you...

    Rudy
     
  7. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I disagree; PG is one, a firewall or an antivirus are another.



    Of course, but there is a gap between making *one* mistake and being totally dumb :)

    Not necessarily.
    It is more correct that there is a small chance that it was an In The Wild threat, but a custom one will pass through without problem
    (I can code you a program which won't be detected by any AV/AT).

    My imagination can create a lot of scenarios that you won't necessarily like :)

    Just another one for you: what if your lovely AP has bugs?
    No software is 100% bug-free, and putting all your eggs in the same basket isn't a good tactic ;)
     
  8. Rudy nework

    Rudy nework Guest

    You say (state) a firewall, AV, PG can protect from mistakes by the user?

    I agree. But you can say the same of Abtrusion Protector also. It doesn't even let you install stuff. So I guess it offers protection against "mistakes" just like PG or FW & AV do. So I still see no reason why PG could protect me further (increase my security).

    You say downloads could even be infected although they're scanned with 3 different AVs?

    I agree. It seems you have something like modified trojans (special custom builds) in mind.

    But these modified (and expensive) trojans are not found on the net (you have to search damn hard to find them). Only the freeware ones are common, but these are ALL detected by up-to-date AT & AV.

    You talk about bugs?

    Abtrusion Protector has been on the market a long time...tested by many. Not many bugs were found in that period > and these are all fixed.

    PG is relatively new, bugs can still be found. (I hope for Diamonds' sake not). I know they're working hard to make it "bullet proof".

    Putting all my eggs in 1 basket?

    Dunno about that? I have an AV & AT & firewall with built-in process protection &
    script defender & registry prot (freeware from Diamonds). And Abtrusion Protector.

    Please tell me your ways to automatically shut down my programs (without human interaction) and bypass Abtrusion Protector.

    Rudy
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Rudy, can you download Advanced Process Termination from DCS here:
    http://www.diamondcs.com.au/index.php?page=products
    Then run all seven kill processes against AP's .exe's and post if any of them kill AP.
    If it is killed there is part of your answer.

    PG is able to prevent all these kill processes & v1.200 will also stop SetWindowsHookEx. :)
     
  10. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Whether you agree or not, PG adds a layer of security.
    After that you may like it or not, you may think that your default security is sufficient, but personally I like to add as many different layers as possible.

    I have SSM too, I have AV, AT, firewall, and I use PG in addition.

    You *want* to say you are secure; I have shown you ways to bypass all your protection.
    You have said, to sum up, it is rare; I agree, but possible, and PG adds a layer of defense, whether you think you need it or not.
    I don't know anyone who likes to hear they are still vulnerable, that's why I warned you that you would not like it ;)

    You may be protected from ITW threats, but are you fully protected? It all depends on the degree of security you want.

    You asked for input, you have mine.

    Now it's up to you.
     
  11. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Sorry to butt in here, but in order for Rudy to run the 7 kill processes, he has to add/allow apt.exe to his trusted AP list.

    I don't think this is a fair test?

    If you said d/l APT and run apt.exe, and AP can't stop it from running, then run the 7 kill processes, then I would say this would be a fair test. This is the same reason I feel that leak tests, though helpful in determining a vulnerability, are unrealistic tests.

    Obviously if AP works anything like SSM, apt.exe will not run unless it is allowed to. Therefore it has already defeated apt.exe and the 7 process killers.

    This is the same theory/rationale Rudy used initially and I also use: if the .exe will not run because either AP or SSM kills the process, then the process has failed.

    I feel this guy is really giving PG a backhand and saying, in a sense, why pay for PG when nothing will run unless Rudy, via AP, lets it. All of the hypothetical examples fail, unless you can find a real actual process which can actually bring down or bypass AP.

    Nothing you say will convince him...

    I would say to Rudy: use AP and protect it from being shut down by using the free version of PG. Cost = 0
    snipped against TOS part
     
  12. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Here was the deal for me:

    SSM is free, but there's a definite learning curve involved with it.

    I plunked down my 19 bucks for ProcessGuard, added the exe for every single defensive tool I have on the computer (all their exes, including their update exes - I even disabled the "shut-down protection" that came with my back-up AT and one I'm trialing right now), plus the exes for my other two browsers (FireBird and Opera) - and, bingo, I was off to doing other things again.

    I wasn't worried about what I d/l'ed nor where I went - and I'm still not.

    ProcessGuard is great as is - and fixing to get even better shortly.

    And simple.

    (Read that again)

    And simple.

    If I were DCS, I'd raise the price. Pete
     
  13. Rudy nework

    Rudy nework Guest

    Peakaboo is correct (according to the suggestion from Pilli to test-run APT):

    When I run APT to test my security against different shutdown methods, I first have to add (manually) APT to the safe list of Abtrusion Protector. Otherwise it won't even run. I tried!

    Asking to bypass Abtrusion Protector manually is not fair. This is like shutting down your AV to see if it still catches viruses. Makes no sense, does it?

    After all these posts there is still no answer to the following question:

    How are Abtrusion Prot & my other safety programs vulnerable to being shut down by automated malware?

    (trojans like Beast, Hacker Defender etc...)

    Rudy
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi again Rudy, the APT demonstration is just that & yes it does require you to allow it :) The validity is when you consider it as malware that has already bypassed your security apps, as is the case with some new malware which is getting that capability.
    The reason PG was developed was for new threats that do not work at the Admin / User mode level - new trojans are being developed that bypass the Admin - User parts of the OS - kernel level. As Gavin (DCS) wrote in another reply to someone who said Admin controls your PC, Gavin replied: "No it does not - the kernel does" :)
    Most ppl that run PG do it because it has a very special way of protecting the kernel from interference, i.e. its kernel mode driver - you can safely protect your Admin - User controls by using PG to protect those processes.

    If every developer developed a kernel mode driver such as PG to protect their security apps, your computer would be completely bogged down and would probably suffer many conflicts.
    PG gives a logical and strong answer to many new threats that current security apps cannot deal with.

    As others have stated above, it is another low-resource layer that helps prevent you from making mistakes.

    Thanks for the discussion. I am sure our explanations are not as lucid as DCS's, and I am sure they will correct or add to it :)
     
  15. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Process Guard and Abtrusion Protector are two completely unique but both very powerful layers of security, with very little overlap too, so there's really no reason why you can't use both. But really you can't compare the two programs - they're two completely different layers of security, Process Guard actually being at a lower level (Process Guard still protects against things that you allow to run in Abtrusion Protector, so even if you've given a program the green light in Abtrusion Protector, Process Guard will still prevent it from modifying, terminating or suspending other processes), so they seem to complement each other very nicely and combine to become quite a formidable dual-layer of security.
     
  16. Rudy nework

    Rudy nework Guest

    Process Guard is a kernel driver-based util, but so is Abtrusion Protector.

    If you control the kernel, you control the PC > I fully agree.

    Copy & paste from the AP site:
    -----------------------------------------------------------
    Abtrusion Protector™ is an integrity-based launch protection software that injects itself between the Windows kernel and the user-mode application space. Whenever an executable file is loaded by Windows, a call into kernel mode is made. Abtrusion Protector™ intercepts that call and verifies that the file is allowed to execute before allowing the call to proceed into the Windows kernel.

    Abtrusion Protector™ includes a kernel mode component that performs the actual verification of file thumbprints. It also contains a service component that maintains the database of thumbprints. In addition, it includes a user interface component.

    Files are identified by the strong cryptographic hash function SHA-1. File hashes of executable files are computed using the method used by Windows to sign files, except that Windows normally uses the slightly weaker hash function, MD5. This is utilized by Abtrusion Protector™ to interoperate with regular certificate-based code signatures.

    Abtrusion Protector™ protects its own files and registry settings so that no other applications are allowed to modify them. In addition, Windows access control lists are also used to determine which users are allowed to modify settings or install new software to the computer.
    ----------------------------------------------------------------

    Wouldn't PG & Abtrusion P. load up the kernel TOO much? (if used together).

    ZA Pro also already uses something to disable remote shutdown.

    I agree that using both is another extra layer in defence. BUT isn't this overkill, and doesn't it bog the whole system down? It can cause conflicts.

    The main question remains, I think > Would it be worth it, honestly? Will I be much safer when using PG?

    Rudy
     
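The integrity-based launch protection described in the quoted Abtrusion Protector text above, modelled as an added example (not Abtrusion Protector's or DiamondCS's code). It assumes whole-file SHA-1 in place of the Windows code-signing style hash the quote mentions, and constructed stand-in file contents; it also models the situation raised later in the thread where an executable granted install permission has the files it drops trusted automatically.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-ins for executable images on disk (not real PE files).
SAMPLE_FILES = {
    r"C:\Program Files\Firewall\fw.exe": b"MZ fake firewall image v1.0",
    r"C:\Downloads\screensaver_setup.exe": b"MZ fake screensaver installer",
    r"C:\Windows\System32\dropped.dll": b"MZ fake library written by the installer",
}


def thumbprint(image: bytes) -> str:
    """SHA-1 of the file image, hex-encoded.

    Assumption: the real product hashes the way Windows code signing does
    (skipping the checksum and certificate table); whole-file SHA-1 is used
    here so the example stays self-contained.
    """
    return hashlib.sha1(image).hexdigest()


@dataclass
class LaunchPolicy:
    """Models the kernel-mode check: an image load is allowed only when its
    thumbprint is already in the database."""
    trusted: set = field(default_factory=set)     # thumbprints allowed to run
    installers: set = field(default_factory=set)  # thumbprints allowed to add software
    events: list = field(default_factory=list)    # audit trail of decisions

    def trust(self, image: bytes, may_install: bool = False) -> str:
        """The user's explicit 'allow' click; returns the stored thumbprint."""
        tp = thumbprint(image)
        self.trusted.add(tp)
        if may_install:
            self.installers.add(tp)
        return tp

    def on_image_load(self, path: str, image: bytes,
                      parent: Optional[str] = None) -> str:
        """Decide one image-load request. `parent` is the thumbprint of the
        process that wrote the file (None for a plain user double-click)."""
        tp = thumbprint(image)
        if tp in self.trusted:
            verdict = "allow"
        elif parent in self.installers:
            # A process granted install permission may add new files; they are
            # trusted without review, so a bad installer takes this layer with it.
            self.trusted.add(tp)
            verdict = "allow-via-installer"
        else:
            verdict = "deny"
        self.events.append((path, tp[:12], verdict))
        return verdict


def demo() -> List[str]:
    """Walk through the decisions the launch-control layer makes."""
    policy = LaunchPolicy()
    fw = SAMPLE_FILES[r"C:\Program Files\Firewall\fw.exe"]
    setup = SAMPLE_FILES[r"C:\Downloads\screensaver_setup.exe"]
    dll = SAMPLE_FILES[r"C:\Windows\System32\dropped.dll"]
    policy.trust(fw)  # the firewall was enrolled when the system was clean
    results = [
        policy.on_image_load("fw.exe", fw),            # known thumbprint
        policy.on_image_load("fw.exe", fw + b"\x90"),  # one byte changed: hash differs
        policy.on_image_load("screensaver_setup.exe", setup),  # never enrolled
        policy.on_image_load("dropped.dll", dll, parent=thumbprint(setup)),
    ]
    # The user now clicks "allow, and let it install software" on the setup.
    setup_tp = policy.trust(setup, may_install=True)
    results.append(policy.on_image_load("dropped.dll", dll, parent=setup_tp))
    return results


if __name__ == "__main__":
    for path, tp, verdict in (LaunchPolicy().events or []):
        print(path, tp, verdict)
    print(demo())
```

Note that nothing the allowed process does after loading (terminating or injecting into another process) is an image-load event, so this layer never sees it; that is the gap the thread attributes to Process Guard's layer.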
  17. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    No I don't think it would be overkill at all, there don't appear to be any conflicts and that's probably because there's virtually zero overlap in regards to what each program is trying to do - they both have different goals. AP and PG both offer free versions so I'd encourage you to try both side-by-side, I'd be very surprised if you encountered any conflicts. In regards to "bogging down the kernel", that's not an issue as PG's code is highly optimised and from the user viewpoint they'll notice no extra slowness.
     
  18. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I have _never_ understood why it is so hard to understand that all these tests, trojans/malware/leaktests, are to show what would happen in case your first layer of security _has been_ bypassed.
    It doesn't matter *how* it has been; there are many ways, like the most simple one which is one of your mistakes, but whatever, your protection has been bypassed.
    As I already said in another thread, security "holes" are mainly human deficiencies/mistakes, not really software ones.

    => if you will never make any mistakes, you don't even need AP, you are a god, and please give me advice then :)

    Pilli
    I'm happy that you get the point; I feel better now not to be speaking into the wind ;)


    Rudy, there are 2 points of view in my opinion, maybe three.
    First, against In The Wild threats, you are protected until you make a mistake. If you only care about this, then you might want to only focus on not making mistakes without adding software which can help you.
    Second, if you are concerned about protecting yourself from someone wanting to hack _you_ in particular (for whatever reason) then you need PG.
    If someone wants to crack your computer, they will use private trojans (not private builds of existing ones but totally new private trojans) undetected by any AV/AT or by you.
    Once it is allowed to run (because you have allowed it or because it executes within a trusted process's memory area) it can do virtually what it wants; why not install a rootkit?
    You seem to have absolutely no idea of what an expert cracker can do.

    Third point: whatever your needs/point of view, in any case your protection can leak (whatever the probability) and PG can save you.

    Afterwards you can say that you don't want it, but don't say it's useless ;)
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    First, AP and PG run fine together. I have them both running. The only conflict at all is I have to shut all of them down to disable GoBack, which I have to do to run an offline defrag of the system files. Minor inconvenience. Also AP will catch any DLLs installed by an EXE that you have allowed, UNLESS you give that exe permission to install software. Then you are had if it's a bad exe. This is where PG saves the bacon. Basically my philosophy is to protect myself against myself. Like GKWEB said, all it takes is one accident and bingo.

    In summary: spend $19, buy PG, FOLLOW THE INSTRUCTIONS, and you will love it.

    Pete
     
  20. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Good sum-up Peter ;)


    Moreover, I know a _very highly_ theoretical exploit, not known as far as I know, which could allow someone to execute arbitrary code without being caught by any sandbox software or by any hook.
    But I say it again, it is very and highly theoretical.

    Just to point out that we never know all that is possible to breach a computer's security. The more layers you have, the safer you are.
     
  21. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    No one has mentioned vulnerabilities in software that people use to run code on your system. Overflows, underflows, exploits, all can be used to get some foreign code downloaded and run on your machine, in most cases without the user even knowing. Visit a certain site in IE and you may be infected; read a certain email in a specific version of Outlook and you may be infected. Until you KNOW about specific exploits you could be one of the first people to experience something. It happens a lot.

    Getting that out the way, Process Guard doesn't worry about how code began executing on your system, it does what it says, it protects what you specify. There is no "user intervention" required for Process Guard to work. Once you set it up that is all there is to it, so it removes a lot of the human error from it.

    Personally I don't see why you would need a program which asks you "do you want this program to run", because in 99.999% of cases it is you which has "double clicked" on the file you want to run. This means the user would then also click the "Allow in AP". In the rare cases there is some unknown exploit and it launches a new process to get its code to run, and the user recognizes this fact that it MAY be malware, then it may provide some benefit in this rare case.

    You can't really compare Abtrusion Protector to something like Process Guard because AP is simple in comparison. 90% of what AP does can already be done by someone without the software, whereas with Process Guard I would say less than 1% could be done by someone without the software, regardless of their technical ability. In the end you are comparing a program which effectively just asks you if you want a certain program to run, to a program which is like a swiss army knife in regards to protection.

    AP does have some features which PG doesn't have so I am in no way saying you shouldn't use AP over PG in certain circumstances. I just know what I would be using if I had to make a choice between the two, even if that is slightly biased. :)

    -Jason-
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Jason, not sure I agree with you here. AP never really asks you if you want something to run. Once a program is in its database you never hear from AP again unless a file related to that program changes. AP doesn't ask for permission, it blocks the file and notifies you of the fact.

    Why I consider it a vital layer is this. I've seen a website try to download and execute something on my system. If its purpose wasn't to attack a running process or inject into a DLL then, unless I am mistaken, PG won't stop it. AP caught an instance of this and stopped it dead in its tracks.

    Why I like the layers is in most instances AP will stop a program from running and trying to mess with any process, but like I said, IF I download something I think is okay, and tell AP to let it install, then I have effectively bypassed AP's protection, and then I have PG, TDS, Wormguard, etc. to keep it from doing harm.

    It's all about layers. Gotta have layers. :D
     
  23. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I think that's the point Jason has tried to explain ;)

    I agree about a website trying to do malicious actions against your comp; it has happened to me, but if the website only uses IE against your other software, I feel better knowing that my browser doesn't have the capability to terminate or inject into any processes :)

    Layer + layer + layer + (...) + layer = layerS = Security
    :D
     
  24. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    We really do get it - the scenario:

    Somehow the poor stupid user has OK'd a program which is now running wild on his PC behind his back or in his/her face - Rudy (& I) get that and are saying it ain't happening.

    Not because we are gods and never make mistakes, but because we understand potential threats and do the upfront work necessary before allowing a program access.

    After the scanning, we have boards like this to ask if anyone has tried such and such program, we have Script Defender/or Sentry, we have AVs which we keep current, we have firewalls which utilize some form of outbound protection, we have AB or SSM and Reg Protect, DSO & HTA Stop - so we have the layers and we really do get it...

    Surprised that you refuse to see it from the user/consumer perspective.

    The issue is cost/benefit, not simply the nominal $19.

    A side issue is how much is enough - depends, right?

    All it would take to convince Rudy is a simple demonstration which proves that he is not completely protected. If you can't provide one then you need to say so. So far all the arguments come up short: apt.exe is not trusted, therefore user control says do not allow - it can't run - period, end of story.

    A silent bypass of AP and/or SSM demonstration would do the trick - your choice of attack, but stop talking theory.
     
  25. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    I do not think it is so much that people are "ignoring" the question posed by Rudy. I think the issue is that these 2 products are rather different in nature. While it may appear they have similarities, as applications that provide some sort of "sandbox" protection from unknown threats, PG is actually the only one protecting the processes from malware. SSM will ask permission if a malware is run, and the net result will be that the malware will be allowed/not allowed to run. It actually does no protecting. The security aspect is more or less the result of a user decision. With PG you do not have to worry about this, as your protected applications will be protected regardless of what harm the malware may want to inflict on these processes. This protection that PG offers cannot be undone by other processes as well, from my understanding.

    Basically it is what Jason said ;)
     