ProcessGuard v3.xxx Suggestions / Wishlist

Discussion in 'ProcessGuard' started by Jason_DiamondCS, Nov 3, 2004.

  1. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    A new thread for suggestions and wish-list ideas. :)
     
  2. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
I would like the learning mode to apply to everything PG protects, and I also think an install mode is needed. Something else I would like is the ability to not use a skin at all. The skin that comes with it is nice and all, but I feel that it should be optional. One more thing... I think there should be separate check boxes for blocking new/changed applications.
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Import and export of the Protection & Security lists. Or maybe this could be rolled into a "Save my settings" menu item :D

    Cheers. Pilli :D
     
  4. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
Something else that would be nice is a feature similar to "Track 'n' Reverse" in Tiny Personal Firewall.
     
  5. stevenestrada

    stevenestrada Registered Member

    Joined:
    Apr 13, 2004
    Posts:
    43
    How about a readme explaining what the new release is and a painless way to import our exclusion lists.
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  7. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Reduce the RAM used by Process Guard...
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi VaMPiRiC_CRoW, if you have noticed a gradual rise in RAM usage of procguard.exe that's easy to fix: simply close the GUI, re-open the GUI and the normal RAM usage will be restored. I believe this is to do with the alert list logging; the logfile.txt will still catch any events whilst the GUI is closed and, of course, provided protection is enabled it is still active with the GUI closed.

    HTH Pilli :)
     
  9. se7engreen

    se7engreen Registered Member

    Joined:
    Feb 6, 2004
    Posts:
    369
    Location:
    USA
    I second AJohn's suggestion for an Install Mode.
     
  10. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Jason,
    Why would we need to bring any of the newer requests to the new thread?
Presumably you have seen them and have already considered whether any of them are worthwhile or feasible for implementation?

For what it's worth:
    multiple profiles that can also be imported and exported
    advanced mode with :
    fine grained knobs that we can twiddle [ie: explicit control of the different types of global hooks, including the "low level" ones]
    ability to allow execution based on parent process name and flags (and child process flags as well)
flexible logging - text file logs are so 1990s: event log & off-host logging (SNMP traps, syslog, HTTP method etc.)
    allow log file to be moved to arbitrary directory

    Not really sure about the need for this but it would put PG in the same competition space with other anti-keyloggers and anti-screen scrapers
    have an option to stop programs reading from windows that they don't own (ie: screen scraping)
    It would be interesting to hear your reasoning if/why this isn't required.


    You may already do this, but it would be nice to get some feedback every week or three on which of the requested features have made it into the "to be considered list"

    Thanks
     
    Last edited: Nov 4, 2004
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
Hi Jason,

    For what it is worth,

    1) Depending upon your target market, I think there needs to be a much better user manual with examples that will guide users in determining what settings should be used given different types of programs. I have reviewed your program, and it does appear to be excellent. However, I have no idea how to manage the settings and since I do not want to get myself in trouble using settings that I am not clear about, I have decided to wait a while before purchasing the product so that I can watch this forum as others raise questions and in this manner figure out how to use the product. I think a user manual would be far more efficient than this piece-meal approach, but unfortunately, it is the only way I can go right now. In the past, I have used software with inadequate documentation (such as registry cleaners) and have gotten myself into lots of trouble by hitting the enter key a bit too quickly. :doubt:

    2) A full-version evaluation period. The free version unfortunately does not allow for the testing of key facilities that could cause conflicts on my system. Lacking a full-version evaluation product, I would recommend a 30-day money back guarantee along the lines that BOClean offers.

    I would put myself in the knowledgeable - but not skilled user - and therefore this is the type of pre-purchase information that I am looking for. Thanks for asking.

    Rich
     
  12. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    I would like to be able to tell PG to never permanently add .exe's/.tmps that are launched from my desktop or from the Local Settings\Temp folders. These are typically apps that I am installing, and I am finding I spend a fair bit of time "pruning and trimming" my PG protection/security lists removing references to these "one time events"

    example, I downloaded a new version of Firefox installer 1.0RC2. It has a unique MD5 hash and a unique filename, winds up on my desktop and I launch it.

YES of course I want PG to block this and alert me asking if I want to run it, BUT there is no sense in adding it to any permanent list, as the installer will only be run once and then thrown away never to be seen again. No sense in cluttering up the GUI with apps that will never run again. It makes it harder to see the "real" stuff you are protecting.

    comments?
     
  13. sick0

    sick0 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    143
I think that will happen only when you are in learning mode, as it will automatically add any programs you launch into the Protection Tab. If you are not in learning mode anymore, you will be alerted to any program you launch if it is not in its lists yet, with the options to permanently allow or block it. It will be included in your Security Tab but not in your Protection Tab....

    as for the wish list.....
    option not to use a skin...
    user guide or pre-configured settings for some of the most popular apps that need extra settings...
     
  14. MEGAFREAK

    MEGAFREAK Registered Member

    Joined:
    Jul 8, 2003
    Posts:
    51
I miss the PG2 look with colors, my favorite dark color has gone away.
    The List was perfect. I like much more the PG2 look with the actionbox.

    On the whole PG2 was much better in the look, maybe you should create a design switch/option between pg2 design and pg3 design.

Also I think it is much more useful for unskilled people to get a possibility to test the capabilities of the whole program, as a time-limited demo maybe.
     
  15. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    It is a fair point and something will most likely be done about this in the future builds. When I am programming and making new builds all the time it also pops up quite regularly so it can get quite annoying.

    Most likely a "safe" area will be able to be setup where anything run from that directory will never be checked by ProcessGuard's execution protection. Since the area is "configurable" by the user no malicious software will be able to determine where the area is and so it shouldn't represent a threat to security. Obviously if a user starts putting things like the Desktop or C:\ in the "safe" area it will lead to problems, but since it would be an advanced feature I think the user could live with the problems they create. :)

In regard to "items run once" which are added to the list, the reason they are added to the list is so you can now check with history when each application was last started. For instance if you have a child on your computer you will be able to find out all the programs they have run whilst they have been on it. I find it not too hard to prune the security list just by sorting by the date and removing all the "old" entries. Though maybe a button which pruned your list for you would be a good thing to have.
     
  16. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
It kicks ass, I don't want it ever to change. Mine works perfectly :D
     
  17. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    I agree with Mr. Blaze. DCS has fully met/exceeded my expectations on PG V3.0.

    I'm ready to turn it over to my brother who has limited experience with computers and see how it integrates into his capabilities to manage.

    For non users of the forum routine, it would seem appropriate to have a "Check for PGM Update" feature in the Help menu.
     
  18. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
Yes, that is something that I didn't think about, but an option to automatically check for updates would be nice for people who can't always use their web browser.
     
  19. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    While I can understand the reasoning behind this request, this could in my view be a critical compromise of system security. While installers do run programs in the Temp folder, so do many program macros - allowing such execution by default would remove any protection PG may otherwise provide against malicious scripts or ActiveX controls.

    Instead, make it easier to delete all "Permit Once"/"Deny Once" entries in the Protection list - or just don't list them at all! (I personally can't see the point in having them displayed since all this tells you is that you will be prompted again).

As for PG logging, I would also like to see more control over the information displayed in Alerts (an option to list all Allowed actions like PG2, along with the use of colour to highlight Blocked actions).

    The ability to launch anti-virus/anti-trojan scanners to check any file reported as modified by Execution Protection is one feature I've mentioned before - but worth repeating. Ideally, this should be able to accommodate multiple scanners (your typical PG user seems to have 5 or 6 of the things anyway :D) with each being run in turn (to avoid file contention).

    Secure Message Handling - add an option to exclude child windows for a protected application (to avoid getting multiple HID prompts when responding to any popup dialogs like Outpost's Rules Wizard for example).

    ProcGuard currently only works if run under an Administrator user - I would like to be able to run this under other users also without having to use "Run As" (perhaps allow "permitted" users to be specified which could have view or modify access to ProcGuard to avoid abuse).

    Finally, how about shutdown protection? Since so much malware requires a system restart to take effect, having this intercepted and trapped by PG would give a further indication if malware ever got executed on a system. Legitimate restart/logout requests could either be confirmed by HID or handled by a Logout/Shutdown button on ProcGuard itself (but then ProcGuard would definitely need to be runnable by non-Admin users). This would allow PG to intercept WM_ENDSESSION messages (which I understand are not currently handled so could be used to terminate an application).
     
  20. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I think those are excellent ideas and should be implemented ASAP.

    As for the shutdown protection idea, I think that is good also, it would be nice to be able to add a secure shutdown item to the desktop/icon/taskbar.
     
  21. Wisher

    Wisher Guest

    A new Learning Mode is EXTREMELY important!

    Here's why:

I know that most people leave Learning Mode on during the beginning, but learning mode isn't very safe at all, and Process Kill shows this.

    While in learning mode, if Process Kill gets added into Process Guard's Security settings, it will be given access to modify and read protected programs.

    This means that even if you turn off learning mode, Process Kill will be able to kill ProcessGuard and other security programs to go along with it unless you manually disallow access to modify and read protected programs for the demo.

This brings up an important issue. Shouldn't users be given a balloon dialog box similar to Look 'n' Stop or ZoneAlarm whenever a process starts, so that users can choose what security privileges a process gets when added to ProcessGuard's program list in learning mode?

    If not, then programs like Process Kill can be extremely critical when ProcessGuard is in learning mode.

Here is another weird effect in learning mode that can happen.

    Try this:
    1. Make sure you are in Learning mode
    2. Remove CSRSS.exe from ProcessGuard's Protection List
    3. Open up Command Prompt window
    4. Try to Close Command Prompt Window
    (Note: ProcessGuard should successfully block CSRSS.exe from closing the program.)
    5. Now try to Close Command Prompt Window again.

    If learning mode is on, ProcessGuard will now have given CSRSS.exe the ability to close the window.

    Now, I don't know if this is good or bad. But I do know that Learning mode is definitely something to be aware of.

    If ProcessGuard is too lenient in learning mode, a dangerous attack could occur. If it's too strict, learning mode becomes useless. All I can suggest for this is to implement a feature to have system pause and show a pop-up box allowing users to configure the programs as they are added to ProcessGuard's list. Maybe you can call it "User Mode" instead of "Learning Mode"...

    I can only hope that it get implemented soon before problems start appearing.
     
  22. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Re: A new Learning Mode is EXTREMELY important!

    "User Mode" sounds like a good idea. Maybe there could be User Mode, Learning Mode, Track Mode and Install Mode?
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    Hi Wisher

The point you raise is exactly why you need to be perfectly sure your system is clean before installing ProcessGuard. During beta testing we did a significant number of uninstalls and reinstalls and there was never a problem.

    In my case I know my system was clean, my antivirus was running, my firewall was up, and my spyware stuff was running. Also I was probably in learning mode around 5 to 7 minutes.

    What I do is after the initial reboot, while in learning mode, I open every program I want to protect. Just open it and immediately close it. I can run thru everything quickly. Then I immediately reboot. This catches a few additional startup items. Then immediately reboot, and learning mode is off.

    I just don't see this as a big issue unless you are already infected, and then yes you end up permissioning the nasty.

    Pete
     
  24. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Peter,
    Not everyone is (or wants to be) a PC security expert, nor do they want to reformat and re-install their machines (in order to be "perfectly sure")

    Wisher has brought up a fairly significant point and a confirmation mode would be really useful. The UI designers for PG must have considered this already, simply because it is in all the other products. For the average end user simple tends to be better, but just like cars, some people like automatics and others prefer gears. Something else for expert mode....

    Your point that the machine needs to be clean prior to starting is not something that has been added in "big red letters" to the install procedure. Until the support chaps or developers at DiamondCS think that this is something worth promoting as a pre-requisite for the product to work at its best, the majority of users probably won't be doing a reinstall.
    A rebuild was something that I considered doing but I just don't have the time, so I've had to put up with less than "perfectly sure" and hope that TDS3 and my AV and other anti-malware catch up with any nasties that might be lurking around without me knowing about them.

    One thing that could potentially be useful to see if your install is "clean" is to compare checksums on the common windows components with a known baseline from a trusted source. There might already be something out there that does checksums and comparisons, but the difficulty is getting updated checksums from a trusted source every time an MS patch comes out

    Seeing as PG keeps checksums on programs it sounds like it wouldn't be a particularly onerous task (for DiamondCS staff) to write a small app to make use of this information in creative ways (import/export/compare). Something useful that doesn't need to be lumped into PG but could be used by people that have purchased PG. If the "export" and "import" functions also captured the "updates" that have been installed on the computer that would help identify if the checksums might be suitable

    If such a thing happened it probably wouldn't be too long before "trusted" members of the forum had posts with checksums from machines that they knew (or at least thought) to be clean. Given that MS now release patch updates at regular intervals it would be fairly easy to label the checksum listings

    In terms of expecting DiamondCS to do something like this it seems a little unlikely (unless its already planned for TDS-4), but it would be very useful and work quite nicely in tandem with PG3
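The export/import/compare utility sketched above is small enough to show in full. The following is an added example written for this thread, not a DiamondCS tool and not PG's own checksum format: it snapshots SHA-256 hashes of the binaries under a directory, exports them alongside the list of installed updates they were taken with (so a reader can tell which patch level a posted listing belongs to, the labelling problem gottadoit raises), re-imports a saved baseline and reports added, removed and changed files. The directory layout, JSON shape and function names are this example's own assumptions, and the file tree in `demo()` is constructed in a temporary directory to stand in for a system directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example, not a DiamondCS tool: baseline checksums of a directory of
# binaries, export with the patch level they were taken at, re-import, compare.

EXTENSIONS = {".exe", ".dll", ".sys"}   # assumption: only these are baselined


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map of relative path (lower-cased, forward slashes) -> SHA-256 for every binary under root."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXTENSIONS:
            out[p.relative_to(root).as_posix().lower()] = sha256_file(p)
    return out


def export_baseline(snap: dict, updates, dest) -> None:
    """Write the snapshot plus the update list it was taken with (example JSON layout)."""
    doc = {"updates": sorted(updates), "files": snap}
    Path(dest).write_text(json.dumps(doc, indent=1, sort_keys=True))


def import_baseline(src):
    doc = json.loads(Path(src).read_text())
    return doc["files"], set(doc["updates"])


def compare(baseline: dict, current: dict) -> dict:
    """Files present only in one side, plus files whose hash differs between the two."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed tree standing in for a system directory; returns the diff after
    one binary is replaced and one extra DLL is dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "system32"
        (sys32 / "drivers").mkdir(parents=True)
        (sys32 / "csrss.exe").write_bytes(b"MZ csrss (constructed)")
        (sys32 / "kernel32.dll").write_bytes(b"MZ kernel32 (constructed)")
        (sys32 / "drivers" / "null.sys").write_bytes(b"MZ null (constructed)")
        (sys32 / "readme.txt").write_bytes(b"not a binary, ignored")
        base = snapshot(sys32)
        export_baseline(base, {"example-update-1"}, Path(tmp) / "baseline.json")
        # Tamper: replace csrss.exe in place and drop in an extra DLL.
        (sys32 / "csrss.exe").write_bytes(b"MZ csrss (replaced)")
        (sys32 / "evil.dll").write_bytes(b"MZ evil (constructed)")
        saved, updates = import_baseline(Path(tmp) / "baseline.json")
        assert saved == base and updates == {"example-update-1"}
        return compare(saved, snapshot(sys32))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats a practitioner would attach: the comparison is only as trustworthy as the host that produced the baseline and the channel it was posted over, and it covers files on disk, not what is loaded in memory, so it complements rather than replaces a running scanner.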
     
  25. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
You could make a "Pro Version" of Process Guard that would include a customizable registry monitor. It may be easier to expand the registry keys monitored within PG rather than create a separate "Registry Guard". (I think I saw a company use that name for their registry monitor, so you may want to call it something else). The Registry Monitor should allow customizable keys and include all the keys standard in this Registry Monitor Comparison thread.
    There are marketing benefits to both ways (separate Registry Guard product and "Pro Version" of PG).