Process Guard [doesn't] fail their own test

Discussion in 'ProcessGuard' started by Jason_DiamondCS, Jan 9, 2004.

  Jason_DiamondCS

    Thanks to the people who gave me the original URL.

    Even though the person who started the thread didn't even seem able to configure the program/read the helpfile, I will post a reply.

    Kill method #5 DebugActiveProcess method
    This is still vulnerable on Windows 2000, due to WIN2K using RPC/LPC for this undocumented method. It is fine on Windows XP however.

    Kill Method #6 End Task method
    Yeah, simply turn on the option to block End Task. Protection -> General Protection Options -> Block End Task

    Kill Method #7 Window Close method
    Forgot to turn on another option. Click on the program you are protecting in the list, click on "Options" in the combobox that appears. Click "Windows Message Protection"

    So the only method which isn't covered 100% on Windows 2000 machines is kill method #5. On Windows XP all methods are covered 100% when the program is setup correctly.


    - Fixed link to
  siliconman01

    Hey, thanks Jason for the clarification.

    Lookin' forward to next release of PG! ;)
  Wayne - DiamondCS

    The next release also adds protection for the only known attack against Process Guard, which is SetWindowsHookEx. This was tricky to add because it's a system service, so it involves working with things like the Interrupt Descriptor Table which is on the CPU itself so we needed to add extra code to the driver to support multi-processor machines, but it's all working superbly now and our beta team will be able to test it this weekend, with a public release expected next week.
  gkweb

    Yes Wayne, but the author of the thread isn't talking about SetWindowsHookEx, but about APT tests which are in fact all blocked, on my WinXP at least.

    He probably didn't read the helpfile.

    Good news that next PG release is soon :)
