Process Kill Demo - PG is killed, AV survived?

Discussion in 'ProcessGuard' started by aigle, Mar 10, 2006.

Thread Status:
Not open for further replies.
  1. aigle (Registered Member, joined Dec 14, 2005, 11,047 posts, Saudi Arabia/Pakistan)

    I just ran the Process Kill Demo of PG and I am not able to understand it. According to this demo, any trojan can terminate PG on my system but not Norton Antivirus. Can anybody clarify this? I think I am making some mistake!

    Attached Files: pg2.JPG (28.5 KB, 728 views)
  2. Gavin - DiamondCS (Former DCS Moderator, joined Feb 10, 2002, 2,080 posts, Perth, Western Australia)

    It seems like you haven't set up PG yet, or it would be protecting itself. Please reset your lists, enable Learning Mode manually and follow the setup guide in the help file. Switch off Learning Mode when you are ready to test again.
  3. aigle (Registered Member, joined Dec 14, 2005, 11,047 posts, Saudi Arabia/Pakistan)

    I think, at least to me, I have set up PG, as I see it is protecting all other applications well. BTW, is learning mode a must? As far as I think, it is only to decrease the number of popups. However, I did use it in learning mode for a few hours. Is that not enough?
  4. fred22 (Registered Member, joined Dec 6, 2004, 229 posts)
  5. Paranoid2000 (Registered Member, joined May 2, 2004, 2,839 posts, North West, United Kingdom)

    Learning mode has to be disabled before testing PG - it creates permissions allowing any activity that occurs, so it should only be used while running your "legitimate" applications after installing PG - PG gives no protection with it active (personally, I don't use it at all and consider it more of a design problem).

    Your results were due to one of 2 things - either you did not protect procguard.exe or (more likely) you gave pg-demo.exe the Terminate privilege (Learning Mode would have done this if active) - removing it should prevent ProcGuard being shut down in future. As for Norton, many anti-virus scanners have implemented some form of termination protection - DiamondCS' Advanced Process Terminator would be a better tool for testing these since PG-Demo is pretty dated.

    Andrea's guide mentioned by Fred22 is well worth reviewing in terms of setting up PG properly.
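The following is an added illustration, not ProcessGuard's own code or anything posted in the thread: a toy allow-list evaluator that models the semantics Paranoid2000 and Gavin describe (Learning Mode records every observed action as a permanent allow rule; in protection mode a request against a protected executable succeeds only if the requester already holds that privilege; resetting the lists clears what was learned; an unchecked "Protection Enabled" box allows everything). The executable names pg-demo.exe and procguard.exe come from the thread; the Policy class, the privilege string and the scenario functions are assumptions of this example.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Privilege name constructed for this model; the thread refers to a
# "Terminate" privilege on PG's protection list.
TERMINATE = "Terminate"


@dataclass
class Policy:
    """Minimal allow-list model of a process-protection tool (assumption, not PG's code)."""
    protected: set = field(default_factory=set)   # executables shielded from other processes
    rules: dict = field(default_factory=dict)     # requester exe -> set of granted privileges
    protection_enabled: bool = True               # the "Protection Enabled" checkbox
    learning_mode: bool = False                   # Learning Mode auto-allows and records everything
    log: list = field(default_factory=list)       # decision trail, useful when reviewing a test

    def request(self, requester: str, privilege: str, target: str) -> bool:
        """Return True if `requester` may exercise `privilege` against `target`."""
        if not self.protection_enabled:
            self.log.append(f"ALLOW {requester} {privilege} {target} (protection disabled)")
            return True
        if self.learning_mode:
            # Learning Mode turns whatever happens into a permanent allow rule,
            # which is why a demo run under it keeps being allowed afterwards.
            self.rules.setdefault(requester, set()).add(privilege)
            self.log.append(f"LEARN {requester} {privilege} {target}")
            return True
        if target not in self.protected:
            self.log.append(f"ALLOW {requester} {privilege} {target} (target not protected)")
            return True
        granted = privilege in self.rules.get(requester, set())
        self.log.append(f"{'ALLOW' if granted else 'DENY'} {requester} {privilege} {target}")
        return granted

    def reset_lists(self) -> None:
        """Gavin's advice: clear the learned permissions and start over."""
        self.rules.clear()


def fresh_policy() -> Policy:
    # Constructed sample configuration: PG's own executable is on the protected list.
    return Policy(protected={"procguard.exe"})


def scenario_demo_run_during_learning() -> tuple[bool, bool]:
    """Demo executed once while Learning Mode is on, then again in protection mode."""
    p = fresh_policy()
    p.learning_mode = True
    first = p.request("pg-demo.exe", TERMINATE, "procguard.exe")   # recorded as a rule
    p.learning_mode = False
    second = p.request("pg-demo.exe", TERMINATE, "procguard.exe")  # learned rule still applies
    return first, second


def scenario_reset_then_retest() -> bool:
    """Same as above, but the lists are reset before retesting."""
    p = fresh_policy()
    p.learning_mode = True
    p.request("pg-demo.exe", TERMINATE, "procguard.exe")
    p.learning_mode = False
    p.reset_lists()
    return p.request("pg-demo.exe", TERMINATE, "procguard.exe")


def scenario_protection_disabled() -> bool:
    """The 'Protection Enabled' box unchecked: every request goes through."""
    p = fresh_policy()
    p.protection_enabled = False
    return p.request("pg-demo.exe", TERMINATE, "procguard.exe")


def scenario_clean_protection_mode() -> bool:
    """Demo never seen in Learning Mode and not on the list: denied."""
    p = fresh_policy()
    return p.request("pg-demo.exe", TERMINATE, "procguard.exe")


if __name__ == "__main__":
    print("learning then protect:", scenario_demo_run_during_learning())
    print("reset then retest:    ", scenario_reset_then_retest())
    print("protection disabled:  ", scenario_protection_disabled())
    print("clean protection mode:", scenario_clean_protection_mode())
```

The point of the model is the ordering of checks: a learned or manually granted rule is consulted only after the global switches, so a demo that was ever observed in Learning Mode, or a test run with protection switched off, will report a "kill" that says nothing about the tool's actual termination protection. The `log` list gives the decision trail to inspect when a result looks wrong.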
  6. aigle (Registered Member, joined Dec 14, 2005, 11,047 posts, Saudi Arabia/Pakistan)

    I never tried Process Kill Demo in Learning mode; in fact I used this mode for a few hours only.

    See my settings.

    Attached Files:
  7. aigle (Registered Member, joined Dec 14, 2005, 11,047 posts, Saudi Arabia/Pakistan)

    See this one also.

    Attached Files:
  8. Paranoid2000 (Registered Member, joined May 2, 2004, 2,839 posts, North West, United Kingdom)

    As I said, the problem is that you have pg-demo listed in your protection settings and the Modify privilege is likely enough to allow it to shut down other programs. Remove it and the results should be as you expect.

    As for not running it in Learning Mode, the only other way it could have got onto your Protection list is if you added it manually. It should not be present - nor should any other program that you do not trust since these are allowed to bypass PG's protection.
  9. aigle (Registered Member, joined Dec 14, 2005, 11,047 posts, Saudi Arabia/Pakistan)

    It was never in my protection settings; in fact I put it there manually after your first post. I just removed it now and the result is the same, PG is killed!
  10. Paranoid2000 (Registered Member, joined May 2, 2004, 2,839 posts, North West, United Kingdom)

    Is the "Protection Enabled" box checked on the Main tab? It needs to be for PG to provide any protection.
  11. WSFuser (Registered Member, joined Oct 7, 2004, 10,632 posts)

    I would try Gavin's suggestion, reset PG's protection list, and retry the demo.
  12. Gavin - DiamondCS (Former DCS Moderator, joined Feb 10, 2002, 2,080 posts, Perth, Western Australia)

    You have the free version? That might be it. I can't actually remember offhand what that version of the kill demo does and what it doesn't do. It fails for me, that's for sure :)
  13. aigle (Registered Member, joined Dec 14, 2005, 11,047 posts, Saudi Arabia/Pakistan)

    Yes, it's the free version, as you can see in the picture. So does the free version not offer protection?
  14. WSFuser (Registered Member, joined Oct 7, 2004, 10,632 posts)

    Hmmm, I have PG free 3.3 beta 2 and it passes.
  15. Gavin - DiamondCS (Former DCS Moderator, joined Feb 10, 2002, 2,080 posts, Perth, Western Australia)

    Ok, must be something else :)
  16. aigle (Registered Member, joined Dec 14, 2005, 11,047 posts, Saudi Arabia/Pakistan)

    I think there was some mistake made by me; anyhow I repeated it with PG in Protection mode, not learning, and PG is not killed now. So it's ok.
  17. SystemJunkie (Resident Conspiracy Theorist, joined Mar 3, 2006, 1,500 posts, Germany)

    No mistakes, the Process Guard GUI is highly vulnerable against kill attacks, I experienced this more than once, be sure!
    Double, triple attacks on buff... no procguard.exe even if it is protected.
  18. aigle (Registered Member, joined Dec 14, 2005, 11,047 posts, Saudi Arabia/Pakistan)

    Are you sure? Can you explain a bit?
  19. EASTER.2010 (Guest)

    If you don't mind, could you explain your particular angles of attack?
  20. SystemJunkie (Resident Conspiracy Theorist, joined Mar 3, 2006, 1,500 posts, Germany)

    It has already been known since version 2.0 of procguard.exe that it is highly vulnerable against kill attacks. Norton 2006 has a rootkit-like driver which is one of the best actually; it is the hardest to kill I ever experienced, even with a specialized kernel killer it resists. All the stuff like Tiny, Panda, the so-called intrusion prevention, are easier to stop than this Norton driver. (Don't think about the quality of the scan engine, I only talk about the hardest to kill process.)

    The attacks are simple, nothing special, you don't need much to do much.
  21. Gavin - DiamondCS (Former DCS Moderator, joined Feb 10, 2002, 2,080 posts, Perth, Western Australia)

    ProcessGuard survives ALL kill demo attacks, from the latest APT! If you allow the driver, it will be killed, because ONLY kernelmode programs are able to change other kernelmode programs (a kernelmode program is a driver).

    If it fails, it must be something about the configuration or possibly weakened due to something else on the system, but I highly doubt that another program (AV guard) would interrupt our protection. It may just be what is happening; are you using Norton 2006?

    I wouldn't be overly surprised if it removed PG's kernel hooks and ASSUMED they were a trojan; they included very aggressive worm blocking recently too. Could this in fact be what is happening? Please send me a private message with info on what you have if you prefer to keep it private.

    Finally, PhysicalMemory access needs to be blocked just the same as driver access does - PG FREE only gives you process based termination protection, not driver and physicalmemory protection. This would be where the problem in testing the free version lies.
  22. Joliet Jake (Registered Member, joined Mar 1, 2005, 911 posts, Scotland)

    Some factual information might help.
    What attacks are you specifically talking about?
    Please elaborate.
  23. EASTER.2010 (Guest)

    My thoughts, err um, question exactly.
  24. SystemJunkie (Resident Conspiracy Theorist, joined Mar 3, 2006, 1,500 posts, Germany)

    Ah okay, physical mem protection, that might be the thing, but I still doubt that the full version is armored against all BOs.