ProcessGuard - Is the free version strong enough?

I've tried a few freebies, including DSA.

Processguard, unless being a such a blatant newbie that I'm missing something, seems as good as any. I've made a couple of changes, but it seems solid out of the chute with its preset rules.

SSM had me completely lost. I liked it but couldn't figure out whether to set rules or leave it as is when I installed it.

DSA I really liked, but it seemed 'thin' and to be missing something.

Cyberhawk seems okay but even I, who knows nothing, didn't like the fact that I couldn't do much with it.

ProSecurity, I had it on my machine for quite a while and it's another option when I tire of PG, which I inevitably will. It seems to have the best balance of allowing user intervention and protection without giving too much information to confuse security retards like me.

For now, I'm running PG free. I can even understand the help file which is a major plus in my book.

 

Does anyone see the need to still run an Antispyware program like a squared anti-malware that uses RealTime IDS Behavior Blocking or any Antispware that uses RealTime Heuiristics detection along with ProcessGuard Free? I am currently running Ashampoo AS with ProcessGuard and have used Arovax Shield with it, but again is either needed? I like both of those programs, and Ashampoo even comes with a Rootkit detector scanning feature. Could a Rootkit or something else get by PG Free, besides from the user themselves allowing it to execute? I know what has been said here and want to believe it, but is it just plain wrong of me to think that there has to be some things that can get by PG Free?

 

I would say no.

 

To give one example:-

If you download a 'codec' to enable your media player to view a video, and, unknown to you (and your AV!), the 'codec' happens to be a spyware laden trojan complete with rootkit, to install it you will need to let it run - so you'll click it past PG free, and it'll be a case of 'wham, bam and thank you ma'm'!

You will have been duped, YOU will be the one who ran the file and allowed the rootkit to install. At times like that the better featured PG 'paid for' will help 'cos it can prevent driver/rootkit installation; and if you have Reg protection as well then so much the better. The trouble is, we quite often disable or neuter such apps when we install, that's OK with safe files but not 'risky' ones. If you're running wide ranging Reg protection when you install, it can be a nightmare of pop-ups, the meaning of which will be unclear to most users - this is the weak point of such protection. PG 'paid for' will do the basics of driver and .dll injection blocking, which will be done automatically without pop-up, leaving you able to recover your system and repair any damage.

As to the virtue of running something like A2 with PG free, yes I think there will be advantages because, while PG free gives the desirable execution protection, A2's IDS will be looking for malware like behaviour and should be able to allow you to block a rootkit install (you'll have to answer the pop-up correctly). So if you make a mistake with what you allow to run, it should be able to give you the second chance to stop or limit the damage.

Preventing execution in the first place is the best defence though.

 

It is not unknown to have Processguard reported as a trojan. Avast did report me some time, a year or so ago that too. It was a false positive.
The fact that AVG and Ewido now I think belong to the same company I think, makes me think they are reporting you a false positive.

 

Good point TopperID

Yesterday this I ran into a drive by infection.

Antivir popped-up (a trojan) and DefenseWall shut down IE. After re-boot the settings of my Active X was changed (accepting unsigned Active X, and setting unsafe Active X allowed to execute).

What I can recall was that a pop-up was blocked, so I temporarely allowed IE to accept a pop-up. So yes: I was the initial trigger of the flow of events. Point is you not allways recognise an executable, because it can hide in many forms.

Regards K

 

Did you not run IE sandboxed? I am not familiar with Defensewall, but I think Sandboxie would have left IE intact after reboot, unless meaning the sandboxed one.
A bit off topic for Processguard, but it would have protected also the DefenseWall?

 

Off topic

Normally DefenseWall re-sets every change of IE. I had just done a weekly backup. The truth is after a backup, I just can not resist to try some known mailicious sites. By the way this drive by infection also broke through the SSM-free IE protection module.

Possibly the combination with the abnormal termination of SSM (I got this message after rebooting) prohibited the reset.

Regards

 

Well, I'm sticking with Processguard free for the foreseeable future. I kind of understand processguard, or understand it more than I understand the others.

I'd feel more comfortable if global protection could be engaged, but I don't think you can upgrade to the full version any longer. I suppose I could go hunting for a free program that covers that part the pg free is missing, or maybe it isn't really that important.

All in all, I think Processguard is one program that the developers got right.

 

Sounds to me like you were hit by an exploit that managed to lower your IE settings and thereby plonk a trojan on you. All was well because AntiVir managed to grab the trojan before it could do anything.

But what happens if your AV had missed the trojan? In that case the trojan would have attempted to run and PG free could have prevented that from happening - so again no damage would have been done.

I say no damage, but of course you did have your IE settings changed; this is where Registry protection comes in. A Reg guard could have prevented the changes in IE so that the trojan could not have got in and PG would have had nothing to do in that case!

Actually this is all a little bit different from the example I originally gave, because there I'm assuming PG free's protection was completely circumvented by the user voluntarily (albeit unwittingly) running an installer that containted a trojan. Though of course, in both examples the user was the author of his own misfortunes by starting off the train of events.

 

Or even a Sandbox.

 

So you always download from the developer's site, not some bogus 3rd party site such as P2P or "Warez 'R Us"

 

Although it isn't a Forum favorite, I believe Arovax Shield now offers more IE and registry protection now. Does anyone think it would be a good addition to PG free though? Also how about PG Free and Cyberhawk? The reason ask these questions is because I read on the Diamonds website that PG Free doesn't cover things like dll injection, rootkit installations, and physical memory. How important is having any of this protection though, and what else would do it? I know Cyberhawk should take care of dll injection and rootkits, but what about physical memory? Thanks and take care all.

 

Check the "what next" post on this forum, I have SSM-free with some pretty extra registry protection (same level as Regdefend). Also SSM free is simular to PG (only protects also physical memory). So I share the vision, just not the statement dropped by others in this post "when I do not allow it, I can not be hit.

 

How would something like Appdefend or regdefend from Ghost Security compare. Never tried them, never even looked at them, but those who use them seem happy - other than the fact that they both seem to be eternally in beta.

 

Same programmer originally. Many happy users indeed. Would most certainly check the stuff out.
Nothing against combining them with PG (free) even though that might be a bit overkill.

 

Appdefend is very similar to processguard free but offers more protection such as outbound network control and rootkit driver protection. In its current beta release i believe the full version is completely free, it says its a trial but still fully works after the trial ends.

 

I can't believe me. Out of nothing but pure curiosity i downloaded and installed AppDefend [Beta] after reviewing this thread.

Well i am impressed! I always fear the worse when adding to the "HEAP" of additional security/hips programs running. As of this posting i can report with some glee that it runs excellent in the company of these drivers.
klif.sys/safemon.sys/sp_rsdrv2.sys/guard.sys

One Note: KIS6 does not running resident. I do too many testings with malware specimens.

How much is too much someone might say? I dunno yet but i am pushing the envelope by installing and running (if without issues/conflicts) multiple HIPS apps now with this latest install and nothing critical to complain about.

I am constantly reviewing the SDT Table to see just which apps are covering what instruction lines and how well they coexist with each other.

I not run malware at them yet, i like to take a few days to review my system's behavior before proceeding with that.

With App/RegDefend's network firewall that also makes this present test config a Triple Run of firewalls and not just HIPS, i don't mind piling them up so long as the coverage is effective & adequate and no serious issues ensue.

UPDATE: Fired up KIS6 with those running together (Scan Critical Areas) (updated db) at the same time and so far so good. Of course i don't recommend going this far unless you & your system is up to it enough.

Since this is a ProcessGuard topic be it known that PG (free) is also effective and creates no issues.

Hmmm, this is getting very interesting..............

 

Ah yes, but what App Rule exclusions have you made? If you have simply allowed IE carte blanche to make changes to IE protection rules you will not be adequately covered when you hit an exploit. If IE is exploited it will be able to make adverse changes. So it all really depends on how the Reg guard is set up. Default settings may be fine, but you water them down everytime you click a pop-up to 'allow' always. Of course I don't know if this applies in your particular case, so I'm speaking generally.

In a sense you weren't 'hit' 'cos AntiVir caught the trojan - if it had failed to catch it then PG/SSM/AD etc could have stopped it from running; which is the point being made in this thread.

You were attacked by an exploit, and in general terms I think it is fair to say that AntiVir is not as good at intercepting exploit code as it is in catching trojans. Another AV may (or may not!) have intercepted the exploit before anything happened at all. However, exploits are, for the most part, harmless in themselves, it is the trojans they drop that do the damage.

As has been said elsewhere, PG/SSM/AD is not a script/code blocker and will not, therefore, stop the exploit itself, but in practical terms little damage will be done without a running executable. PG etc will stop it running, use a cache cleaner to sweep it out and you are more or less done.

 

Easter, one of these days I'm going out and tracking down every piece of security software I can find and posting them, no matter how obscure. It'll be interesting to see how much you can load before crashing your machine.. LOL

Seriously though, I've done some searching in regards appdefend and regdefend and both show pretty good in the reviews and comments I've found.

I guess appdefend keeps working even after the trial. Don't know about regdefend or what happens to it after the trial. I sense another download and play period approaching, just when I thought I had everything the way I wanted it.

 

Indeed Chuck57

I'm already obsessed doing that i think

Same here. Just when i don't think anything else could possibly contribute to tighter security you find yet another player surfacing from the recesses of Wilder's.

 

And, Easter, I've got both regdefend and appdefend on my box as of today. I guess there's no learning mode, but not too many popups and plenty of information in the popups, which I like.

I'd rather have the popups anyway. First, they let me know something is happening, and second, they provide information that even I understand, so I can either allow or not allow something.

In your opinion, which I trust, do you think appdefend and regdefend are equal to processguard or ssm in protection value?

 

The information is also what struck me most. Maybe it's the way it's presented to the user by it's GUI. You can clearly see the [PID] number of detected program and just like traditional HIPS, we can from there make our own decision and it's saved as a rule.

Exactly. It's a very long story but i'll give you the short version that i get from them. PopUps from these HIPS apps for me have never really been so annoying or interfering so long as they can prove to offer ACCURATE information such as name/path/size etc. and also produce an exact TIMESTAMP! the action occured. That's important data you can use for future decisions.

Still too early for me to really draw such a clear distinction or suggest equal similarity to SSM/PG but it does pop up BEFORE system safety monitor and then on allow, SSM pops up next.
This is the very interesting thing for me that first encouraged my choice of Cyberhawk at the beginning of their new release, i like a HIPS that is Lightning Rapid in (micro-seconds) of speed & the accuracy is also on the same levels.

To offer an initial fair opinion at this point i have to go on my very early results, the first few malwares (demos only so far) i put to it, GhostSecSuite jumps up first if that's any indication for reliable first comparisons to SSM/PG.

I'm not sure yet at this point if the reason for that is how it's positioned in the SDT Table that gives it first jump out of the gates at a process emerging or whether it's indicative of something else in it's programming design.

 

Sounds good so far. Keep us (me) informed on tests. If it's as unbeatable as processguard seems to be, gss might be a keeper - for as long as I keep anything on this computer.

 

Regdefend works in a limited mode after the trial expires. I believe the block option is removed when something pops up, however the block all option remains and if you need to block anything specific you can manually add a rule to do so.