Process Guard Logging

Discussion in 'ProcessGuard' started by eisefr, Nov 30, 2004.

Thread Status:
Not open for further replies.
  1. eisefr

    eisefr Registered Member

    Joined:
    Nov 23, 2004
    Posts:
    153
    Location:
    Germany
    Good morning from Germany...

    I've seen many people being VERY hyper about this ProcessGuard tool... And I must admit.. this euphoria made me really curious :)

    So I installed ProcessGuard to see how it is.. And so far.. it's running and running and running.. No alarms.. nothing.. I can't really test it so much... That I want to do when I am home..

    Ok.. I come to the point now...
    Is it possible to disable such detailed log entries in ProcessGuard... because I really don't like my passwords being logged.

    Other than that.. The program is running.. and I am curious to use it on my private computer tonight. :)
     

    Last edited: Nov 30, 2004
  2. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Helau eisefr,
    I'm afraid there's no good way to avoid having log entries like the one you've displayed. Normally PG's "Execution Protection" will log every app that tries to start (and whether it was successful or not) - along with the command line that has been used to start it.

    Since the latter is very important information (the net.exe command is a good example: you don't know the slightest thing about what has been done (or was attempted) to your system if you only know that net.exe was launched; you need to know the command-line parameters. rundll32.exe is another example.), I suppose suppressing this information will be a feature not sufficiently requested to get DCS to include such an option.

    Thus, the only alternative to getting those log entries is to disable "Execution Protection" altogether. It will leave other essential aspects of PG's protection in place (actually, running processes are still guarded as they would be with Exec. Prot. enabled), but you won't have the additional layer of protection that controlling which apps are allowed to launch in the first place makes for.

    You could also re-think if there are other ways to secure the log - restrict access to the log-dir (the user interface can be operated only from admin accounts or via run-as with admin credentials anyway)...

    HTH,
    Andreas
     
  3. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Testing ProcessGuard can be as simple as using Windows Task Manager and trying to kill a protected process. :)
    For more thorough testing which allows you to test multiple kill methods, try our freeware Advanced Process Termination utility:
    http://www.diamondcs.com.au/index.php?page=apt
    A new build of APT will be released soon which offers even more methods.
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Get out of learning mode first ;) Green icon? PG is learning. If you want to see our new user step-by-step guide in the help file, that should help set things up nicely.

    I guess you could batch a deletion of the PG logfile to get rid of some password evidence. Interesting issue, we will have a think about it for future versions.
     
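A middle ground between the two answers above (Andreas1: the logged command line is what tells you what net.exe or rundll32.exe actually did; Gavin: batch-delete the logfile to remove password evidence) is to redact only the credential argument and keep the rest of the entry. The script below is an added example written for this thread, not DiamondCS code; the log field layout, the sample entries and the switch patterns it recognises are assumptions, since ProcessGuard's real log format is not shown here.

```python
import re

# Switch-style credentials such as /password:x, -pwd=x, --passwd=x (assumed patterns).
SENSITIVE_SWITCH = re.compile(r"^(?:/|--?)(?:password|passwd|pwd|pass)[:=](?P<val>.+)$", re.I)
NET_EXES = ("net", "net.exe", "net1", "net1.exe")
MASK = "<REDACTED>"

# Constructed sample log; the field layout is an assumption, not ProcessGuard's real format.
SAMPLE_LOG = """\
2004-11-30 08:12:01 | Execution Protection | ALLOWED | C:\\WINDOWS\\system32\\net.exe use Z: \\\\fileserver\\share S3cretPass /user:CORP\\alice
2004-11-30 08:12:05 | Execution Protection | ALLOWED | C:\\WINDOWS\\system32\\net.exe user backup Hunter2 /add
2004-11-30 08:12:09 | Execution Protection | BLOCKED | C:\\Tools\\sync.exe --server=10.0.0.5 --password=topsecret
2004-11-30 08:12:12 | Execution Protection | ALLOWED | C:\\WINDOWS\\system32\\rundll32.exe shell32.dll,Control_RunDLL
"""

def redact_command_line(cmd: str) -> str:
    r"""Mask credential arguments but keep the rest of the command line intact.
    Covers /password:x style switches in any command, the positional password of
    'net use' (token after the \\server\share path) and of 'net user <name> <pw>'.
    A '*' password means "prompt for it" and reveals nothing, so it is kept."""
    tokens = cmd.split()          # note: collapses whitespace, ignores quoting
    out = list(tokens)
    for i, tok in enumerate(tokens):
        m = SENSITIVE_SWITCH.match(tok)
        if m:
            out[i] = tok[: m.start("val")] + MASK
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower() if tokens else ""
    if exe in NET_EXES and len(tokens) > 2:
        sub = tokens[1].lower()
        positional = [i for i in range(2, len(tokens)) if not tokens[i].startswith("/")]
        idx = None
        if sub == "use":
            shares = [i for i in positional if tokens[i].startswith("\\\\")]
            later = [i for i in positional if shares and i > shares[0]]
            idx = later[0] if later else None
        elif sub == "user" and len(positional) >= 2:
            idx = positional[1]
        if idx is not None and tokens[idx] != "*":
            out[idx] = MASK
    return " ".join(out)

def redact_log_line(line: str) -> str:
    """Redact only the command-line field (4th ' | ' separated field) of one entry."""
    parts = line.split(" | ", 3)
    if len(parts) == 4:
        parts[3] = redact_command_line(parts[3])
    return " | ".join(parts)

def redact_log(text: str) -> str:
    return "\n".join(redact_log_line(line) for line in text.splitlines())
```

Run it on a copy of the logfile as a scheduled task under the admin account that owns the log directory; the timestamp, verdict and the surviving arguments (share, /user:, /add) remain available for later review.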