Process Kill Demo- PG is killed, AV survived?

I just ran Process Kill Demo of PG and I am not able to understand it. Acc to this demo any trojan can terminate PG on my system but not Norton Antivirus. Anybody can clarify this? I think I am making some mistake!

 

It seems like you haven't set up PG yet, or it would be protecting itself. Please reset your lists, enable Learning Mode manually and follow the setup guide in the help file. Switch off Learning Mode when you are ready to test again.

 

I think at least to me, i have set the PG as I see it is protecting all other applications well. BTW learning mode is must? As far as I think, it is only to decraese the no op popups. However I did use it in learning mode for a few hours. Is that not enough?

 

hey, i always used this howto: http://www.commontology.de/andreas/win_secure_pg3.html#howto

works perfect each time..

 

Learning mode has to be disabled before testing PG - it creates permissions allowing any activity that occurs so should only be used while running your "legitimate" applications after installing PG - PG gives no protection with it active (personally, I don't use it at all and consider it more of a design problem).

Your results were due to one of 2 things - either you did not protect procguard.exe or (more likely) you gave pg-demo.exe the Terminate privilege (Learning Mode would have done this if active) - removing it should prevent ProcGuard being shut down in future. As for Norton, many anti-virus scanners have implemented some form of termination protection - DiamondCS' Advanced Process Terminator would be a better tool for testing these since PG-Demo is pretty dated.

Andrea's guide mentioned by Fred22 is well worth reviewing in terms of setting up PG properly.

 

I never tried Process Kill Demo in Learning mode, infact I used this mode for few hours only.

See my settings.

 

See this one also.

 

As I said, the problem is that you have pg-demo listed in your protection settings and the Modify privilege is likely enough to allow it to shut down other programs. Remove it and the results should be as you expect.

As for not running it in Learning Mode, the only other way it could have got onto your Protection list is if you added it manually. It should not be present - nor should any other program that you do not trust since these are allowed to bypass PG's protection.

 

It was never in my protection settings, infact I put it manually after ur first post. I just removed it now and result is same, PG is killed!

 

Is the "Protection Enabled" box checked on the Main tab? It needs to be for PG to provide any protection.

 

i would try Gavin's suggestion, reset PG's protection list, and retry the demo.

 

You have the free version ? that might be it. I can't actually remember offhand what that version of the kill demo does and what it doesn't do. It fails for me that's for sure

 

Yes it,s the free version as u can see in the picture. So does free version not offer protection?

 

hmmm, i have pg free 3.3 beta 2 and it passes.

 

Ok must be something else

 

I think there was some mistake made by me, anyhow i repeated it with PG in Protection mode, not learning, and PG is not killed now. so it,s ok.

 

No mistakes, Process Guard Gui is highly vulnerable against kill attacks, I experienced this more then once be sure!
Double, Triple Attacks on buff... no procguard.exe even if it is protected.

 

Are u sure? Can u explain a bit?

 

If you don't mind could explain your particular angles of attack?

 

It is already known since version 2.0 of procguard.exe that it is high vulnerable against kill attacks. Norton 2006 has a rootkit like driver which is one of the best actually, it is the hardest to kill I ever experienced, even with specialized kernel killer it resists. All the stuff like tiny, panda, the so called intrusion prevention are easier to stop then this norton driver. (don´t think about the quality of the scan engine, I only talk about the hardest to kill process)

The attacks are simple, nothing special, you don´t need much to do much.

 

ProcessGuard survives ALL kill demo attacks, from the latest APT ! if you allow the driver, it will be killed because ONLY kernelmode programs are able to change other kernelmode programs (a kernelmode program is a driver).

If it fails, it must be something about the configuration or possibly weakened due to something else on the system, but I highly doubt that another program (AV guard) would interrupt our protection. It may just be what is happening, are you using Norton 2006 ?

I wouldn't be overly surprised if it removed PG's kernel hooks and ASSUMED they were a trojan, they included very aggressive worm blocking recently too. Could this in fact be what is happening ? Please send me a private message with info on what you have if you prefer to keep it private.


Finally, PhysicalMemory access needs to be blocked just the same as driver access does - PG FREE only gives you process based termination protection, not driver and physicalmemory protection. This would be where the problem in testing the free version lies..

 

Some factual information might help.
What attacks are you specifically talking about?
Please elaborate.

 

My thoughts err um question exactly.

 

Ah okay, physical mem protection, that might be the thing, but I still doubt that the full version is armored against all bo´s.