Process Guard V3 Protection Failed for me

Discussion in 'ProcessGuard' started by Frieza, Sep 21, 2004.

Thread Status:
Not open for further replies.
  1. Frieza

    Frieza Guest

    I installed Process Guard V3 (registered) onto my Windows XP Pro SP2 system and then tested it with both the Process Kill Demo that comes with Process Guard V3 and the freeware DCS Advanced Process Termination.

    When I ran the Process Kill Demo it found "Proxomitron.exe" and "Procguard.exe".

    I made sure that both of these programs had been set with terminate protection and "securely handle windows closure".

    I ensured that the Process Kill Demo, i.e. "pg-demo.exe", had no privileges at all before I ran it, and I made sure it did not have the "modify processes" privilege as well.

    When I clicked on "Next" in the Process Kill Demo, both the "Proxomitron.exe" and "Procguard.exe" processes were successfully terminated.

    (There were no alerts given in the logs)

    After this, I ran DCS Advanced Process Termination. When I ran this I found that I could suspend and resume any protected processes as well as kill them using any of the kill methods with no alerts and no blocking.

    As you can see, for whatever reason Process Guard V3 has failed for me.

    However, when I restored a system image which reverted back to when Process Guard V2 had been installed, of course, all of the above tests were not able to kill or suspend any of the protected processes and all filled the log with alerts complete with flashing blue system tray icon.

    I know others have experienced similar problems and I hope it can be resolved, since I think Process Guard V3, despite these problems, is much better than V2 in terms of usability, learning mode setup, stability, GUI design and much more.

    (I almost forgot to mention, I ensured that I cleanly uninstalled Process Guard V2 before installing V3 and I made sure that both of the V2 .dat files had been deleted)
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Frieza, sounds as though PG is not running correctly in your setup, as it is far better than V2, especially with regard to Close Message Handling.

    Things to check

    The attacking tools should not be on the protected list at all

    All four general tabs are enabled

    All protected apps have Termination and modification blocked.

    Learning mode is disabled and your PC rebooted.

    None of the programs should be running when you enable the "Securely Handle Windows closure" flag

    HTH Pilli
     
    Last edited: Sep 21, 2004
  3. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Hi Frieza :).

    If you do what Pilli suggests you should return results like mine in the screenshot. As you can see, pg-demo.exe was not able to kill Proxomitron, or the other processes. I included in the screenshot the Protection options I use for The Proxomitron also.


    Best regards,
    Jade.
     
  4. Frieza

    Frieza Guest

    Thanks for the help everyone. After following Pilli's suggestions, I now get similar results to Bowserman's and it works just fine.
     
  5. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Great to hear Frieza :D.

    Regards,
    Jade.
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    :cool: Well done
     
  7. tlu

    tlu Guest

    Pilli, these are very good hints and I hope they will be included in the upcoming helpfile.

    However, they did not prevent Outpost from being killed by APT kill 7 and 8 (and I had made sure through APM that procguard.dll was injected into the Outpost process).

    So, something doesn't work as it should.

    Greetings, Thomas
     
  8. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Hi tlu :).

    Please read Jason's post here


    Regards,
    Jade.
     
  9. tlu

    tlu Guest

    Thanks for the link. However, Jason was referring to different exit or shutdown routines of various software which are difficult to be handled by PG. I was referring to DCS's own APT that was able to kill Outpost.
     
  10. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Hi again tlu :).

    APT's Kill #7 and #8 attempt to terminate the process by sending Close messages (WM_CLOSE and SC_CLOSE, see here), which is why I pointed you to that post :).


    Quote from Jason

    Regards,
    Jade.
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi tlu, firewalls in particular usually run as a service, and you must ensure that Close Message Handling is set for the correct file. Also, some programs have their own protection, such as ZA, KAV and Sygate. I am not sure about the latest version of Outpost 2 but will test it tomorrow on a Server 2003 box.
    Usually if procguard.dll is injected CMH works but it appears this may not be 100% in your case :)
     
  12. tlu

    tlu Guest

    Pilli, I'm aware of that. A good example is Kaspersky Personal Antivirus, where kavsvc.exe is the service (which I protected with CMH) and kav.exe is the GUI. Unfortunately Outpost has only one file, outpost.exe, although it runs as a service, too.
     
  13. tlu

    tlu Guest

    Thank you Jade. I recognize now what you meant.
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    OK Tlu, I'll check it out and see if I can get the same result :)
     
  15. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi tlu, I can verify that OP2 can be killed with K7 in Server 2003. Having checked three times, including a reboot, I find that procguard.dll does not appear to be injected into the Outpost.exe process. Other kill methods did fail though.

    I have reported this directly to DCS for further investigation.

    Thanks. Pilli
     
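The exchange above turns on one verifiable fact: whether procguard.dll is actually loaded in the process that is supposed to be protected (tlu checked with APM, Pilli found it absent in Outpost.exe). The following script is an added example, not from the thread or from DCS, that performs that same check for a list of processes; the DLL name and the process names are taken from the thread and are assumptions about any particular setup.

```powershell
# Added example (not part of the thread or ProcessGuard): report, per process,
# whether a protection DLL is loaded, so a missing injection is visible before
# relying on close-message handling. Names below are assumptions from the thread.
$ProtectionDll  = 'procguard.dll'
$ProtectedNames = @('outpost', 'Proxomitron', 'kavsvc')

function Test-ProtectionDll {
    param(
        [Parameter(Mandatory)] [string]   $DllName,
        [Parameter(Mandatory)] [string[]] $ProcessNames
    )
    foreach ($name in $ProcessNames) {
        $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
        if (-not $procs) {
            [pscustomobject]@{ Process = $name; Id = $null; Loaded = $null; Note = 'not running' }
            continue
        }
        foreach ($p in $procs) {
            try {
                # Module enumeration needs matching bitness and sufficient rights;
                # a protected or elevated process may refuse access.
                $loaded = [bool]($p.Modules | Where-Object { $_.ModuleName -ieq $DllName })
                $note = if ($loaded) { 'ok' } else { 'DLL not loaded: close-message handling cannot work' }
            } catch {
                $loaded = $null
                $note   = "cannot enumerate modules: $($_.Exception.Message)"
            }
            [pscustomobject]@{ Process = $p.ProcessName; Id = $p.Id; Loaded = $loaded; Note = $note }
        }
    }
}

Test-ProtectionDll -DllName $ProtectionDll -ProcessNames $ProtectedNames | Format-Table -AutoSize
```

Run it from an elevated prompt after a reboot, since the thread notes the flag only takes effect for processes started after it was set.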
  16. tlu

    tlu Guest

    On my computer also K8 "worked".
    Hm - according to APM procguard.dll was injected in my case. How come?

    Yes, I can confirm that.

    Great - thank you.
     
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Not sure tlu, I was testing on Windows Server 2003, which is a different OS, though with a similar core, but the results are the same.
    Hopefully Jason will soon correct these issues :)

    Cheers. Pilli
     