ProcessGuard & 16-bit apps

Discussion in 'other anti-malware software' started by Toby75, Jul 13, 2008.

Thread Status:
Not open for further replies.
  1. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Personally the better solution would be to move on. There are several paid and free HIPS, that are now ahead of ProcessGuard.

    Pete
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    If you are using PG solely for execution prevention of unauthorized executables -- and not for a full-blown HIPS -- note in the other thread that both redwolfe_98 and Paranoid2000 state that PG blocks the first occurrence of the eicar.com file attempting to launch.

    --
     
  4. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    When I execute eicar.exe, PG says that it blocks ntvdm.exe (auto block enabled) but when I open task manager ntvdm.exe is running. Is eicar blocked by PG? I get a popup displaying the text from eicar. I'm sorry that I am confused about this but I'm just trying to find out if this is a security risk.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    If you open eicar.com in a text editor you will see that if executed, it prints to screen the enclosed text string:

    Code:
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    
    Since eicar.com is a DOS executable, you will see it in action if you run it from a Command Prompt:

    [image: eicar-cmd.gif, eicar.com run from a Command Prompt]

    If PG does block it from running, you should not see the text string printed to screen.

    --
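As an added illustration (not part of Rmus's post, ProcessGuard, or any other product discussed here), the script below applies the rules EICAR publishes for its test file: the 68-byte string quoted above, optionally followed only by whitespace (space, tab, CR, LF, CTRL-Z), total length at most 128 bytes. It complements the "did the string print?" test by confirming that the file you are launching is the genuine standard test file rather than a renamed or padded variant. Function names (`is_eicar_test_file`, `classify_file`, `write_test_file`) are my own.

```python
# Added example, not from the thread: check a candidate eicar.com against the
# EICAR test-file rules, and distinguish a genuine test file from a file that
# merely contains the string (which AV products are not obliged to flag).
import os
import tempfile

# The 68-byte test string quoted in the post (raw bytes; note the backslash).
EICAR_STRING = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Only these trailing bytes may follow the string, and the file is capped
# at 128 bytes in total.
ALLOWED_TRAILER = frozenset(b" \t\r\n\x1a")
MAX_LENGTH = 128


def is_eicar_test_file(data: bytes) -> bool:
    """True only if `data` is exactly a standard EICAR test file."""
    if len(data) < len(EICAR_STRING) or len(data) > MAX_LENGTH:
        return False
    if data[:len(EICAR_STRING)] != EICAR_STRING:
        return False
    # Every byte after the 68-byte string must be permitted whitespace.
    return all(b in ALLOWED_TRAILER for b in data[len(EICAR_STRING):])


def classify_file(path: str) -> str:
    """Label a file on disk as 'eicar' (valid test file), 'eicar-like'
    (string present but size or trailer violates the rules), or 'other'."""
    with open(path, "rb") as fh:
        data = fh.read(MAX_LENGTH + 1)  # one extra byte exposes oversize files
    if is_eicar_test_file(data):
        return "eicar"
    if EICAR_STRING in data:
        return "eicar-like"
    return "other"


def write_test_file(directory: str) -> str:
    """Write a fresh, valid eicar.com into `directory` and return its path."""
    path = os.path.join(directory, "eicar.com")
    with open(path, "wb") as fh:
        fh.write(EICAR_STRING + b"\r\n")
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        p = write_test_file(tmp)
        print(p, classify_file(p))
```

If `classify_file` reports "eicar-like" for the file you are testing with, the file has been padded or embedded in something else, and a product's failure to block it tells you nothing about its handling of the real test file.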
     
  6. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478