Process Guard V3 Protection Failed for me

I installed Process Guard V3 (registered) onto my Windows XP Pro SP2 system and then tested it with both the Process Kill Demo that comes with Process Guard V3 and the freeware DCS Advanced Process Termination.

When I ran the Process Kill Demo it found ''Proxomitron.exe'' and ''Procguard.exe''.

I made sure that both of these programs had been set with terminate protection and ''securely handle windows closure''.

I ensured that the Process Kill Demo i.e. ''pg-demo.exe" had no privileges at all before I ran it and I made sure it did not have ''modify processes'' privilege as well.

When I clicked on ''Next'' in the Process Kill Demo both the ''Proxomitron.exe'' and ''Procguard.exe'' processes were succesfully terminated.

(There were no alerts given in the logs)

After this, I ran DCS Advanced Process Termination. When I ran this I found that I could suspend and resume any protected processes as well as kill them using any of the kill methods with no alerts and no blocking.

As you can see, for whatever reason Process Guard V3 has failed for me.

However, when I restored a system image which reverted back to when Process Guard V2 had been installed, of course, all of the above tests were not able to kill or suspend any of the protected processes and all filled the log with alerts complete with flashing blue system tray icon.

I know others have experienced similar problems and I hope it can be resolved since I think Process Guard V3, despite these problems is much better than V2 in terms of usability, learning mode setup, stability, GUI design and much more.

(I almost forgot to mention, I ensured that I cleanly uninstalled Process Guard V2 before installing V3 and I made sure that both of the V2 .dat files had been deleted)

 

Hi Frieza, Sounds as though PG is not running correctly in your set up as it is far better than V2 especially with regard to Close Message Handling.

Things to check

The attacking tools should not be on the protected list at all

All four general tabs are enabled

All protected apps have Termination and modification blocked.

Learning mode is disabled and your PC rebooted.

None of the programs should be running when you enable the "Securely Handle Windows closure" flag

HTH Pilli

 

Hi Frieza .

If you do what Pilli suggests you should return results like mine in the screenshot. As you can see, pg-demo.exe was not able to kill Proxomitron, or the other processes. I included in the screenshot the Protection options I use for The Proxomitron also.


Best regards,
Jade.

 

Thanks for the help everyone. After following ''Pilli's'' suggestions, I now get similar results to ''bowsermans'' and it works just fine.

 

Great to hear Frieza .

Regards,
Jade.

 

Well done

 

Philli, these are very good hints and I hope they will be included in the upcoming helpfile.

However, they did not prevent that Outpost was killed by APT kill 7 and 8 (and I had made sure through APM that procguard.dll was injected in the Outpost process).

So, something doesn't work as it should.

Greetings, Thomas

 

Hi tlu .

Please read Jason's post here


Regards,
Jade.

 

Thanks for the link. However, Jason was referring to different exit or shutdown routines of various software which are difficult to be handled by PG. I was referring to DCS's own APT that was able to kill Outpost.

 

Hi again tlu .

APT's Kill#7 and 8 attempts to terminate the process by sending Close messages (WM_CLOSE and SC_CLOSE...see here), which is why I pointed you to that post .


Quote from Jason

.

Regards,
Jade.

 

H tlu, Firewalls particualarly usually run as a service, and you must ensure that Close meassage handling is set for the correct file, also some programs have their own protection such as ZA, KAV and Sygate, I am not sure about the latest version of Outpost 2 but will test it tomorrow on a Server 2003 box.
Usually if procguard.dll is injected CMH works but it appears this may not be 100% in your case

 

Philli, I'm aware of that. A good example is Kaspersky Personal Antivirus where kavsvc.exe is the service (which I protected with CMH) and kav.exe is the GUI. Unfortunately Outpost has only one file oupost.exe although it runs as as service, too.

 

Thank you Jade. I recognize now what you meant.

 

OK Tlu, I'll check it out and see if I can get the same result

 

Hi tlu, I can verify that OP2 can be killed with K7 in Server 2003, Having checked three times inluding a reboot, I find that procguard.dll does not appear to be injected into the Outpost.exe process. Other kill methods did fail though.

I have reported this directly to DCS for further investigation.

Thanks. Pilli

 

On my computer also K8 "worked".

Hm - according to APM procguard.dll was injected in my case. How come?

Yes, I can confirm that.

Great - thank you.

 

Not sure tlu, I was testing on Windows Server 2003 which is a different OS though a similar core but the results are the same.
Hopefully Jason will soon correct these issues

Cheers. Pilli