ProcessGuard v3.xxx Suggestions / Wishlist

Discussion in 'ProcessGuard' started by Jason_DiamondCS, Nov 3, 2004.

  1. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Presets for Basic Windows Universal Processes

    I know that the helpfile says that learning mode takes some time to get Process Guard set up just right.

BUT I for one don't want to keep Learning Mode on for long and certainly not at all when I'm "online"!!

    I think that Learning Mode is of limited value, since it is essentially a great big hole in the Defence the whole time it is on.

I feel strongly that Process Guard should be preconfigured with the basics for Windows. It just gives the feel of a lack of professionalism given that it is not.

    To have to either:-
1) leave Learning Mode on and then DO absolutely everything that can be done on your PC and then turn Learning Mode off is VERY VERY TEDIOUS! as well as being unsafe if you then forget to turn Learning Mode off!
2) To set it up the other way and respond to constant alerts as each function you use is blocked is the safer way. But it is also very tedious if you have to do this for loads of BASIC WINDOWS ABSOLUTE ESSENTIALS!

    I have no problem with needing to set up the various applications that I have installed on the PC. Fine everyone has different needs and different applications. You CAN'T set that up for us!!!

    But:-
    the Windows Help System? All the kinds!
    resuming after a Power Saving event? with block new and changed apps setting:- very nasty - needed a hard reset!!
    the Taskmanager?
    logon.scr?
    defrag.exe?
    dfrgfat.exe
    etc

Can these not be preset? Other security software does preset configuration for Basic Windows Stuff. I don't think it is good enough to say that everybody's machine is different. All indications show that XP is here for the long haul! That means that you only have to preset for XP, sp1, sp2, NT and 2000! I for one don't think that is so much to ask!

    An added benefit of having presets for basic Windows stuff (with a clear flag indicating that they are presets) is that it would be more difficult for bogus applications to pose as legitimate windows functions and fool the more gullible! If it didn't have that flag then it isn't ms windows! Given that any security software is only as secure as the n.. person who uses it, this cannot be irrelevant ("as Process Guard can't be beat") Just imagine a user (without TDS 3) who gives a Trojan permission to run thinking that it's windows cause it says
    :D "I'm very safe to run.bill.gates.exe.vbs.pif" :D
    or says in the Properties box
    :D "© Microsoft Corporation. All rights reserved." :D

These Windows Presets would need to be changeable by the user! It wouldn't be good to force acceptance of any service or server that MS wishes to foist on us! But most of these could better be stopped elsewhere (or removed with XPlite!)

    Then there is all the other DCS software!
    It really feels unprofessional for Process Guard not to be preset for the other DCS software, including various TDS 3 scans!!! (I could state this a lot less tactfully but I'd better not!)

    Process Guard is Great, just let down by this a bit. :'(

    Regards Jo M
     
    Last edited: Nov 10, 2004
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi gottadoit,
    I think you will find that ZA, Sygate & OP2 all do a very limited look at changed .dlls but by no means all of them.
    As to what .dlls they check I have no idea :doubt:

    Cheers. Pilli
     
  3. DigitalMan

    DigitalMan Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    90
    My $ 0.02:

    I would like a persistent password for the lock feature in PG full. When I lock it, thinking I have everything configured correctly and then need to respond to an alert, after unlocking it to make a change I need to double enter a new password again just to lock it. Maybe I'm missing something but this is pretty tedious - can we make the PWD persistent and offer a "change password" checkbox if we're worried about PWD security?

    Suggested change to the "PG" tray icon color scheme:
    Alert = red (same as now)
    Learning = blue (change from green)
    Enabled = green (change from blue)

    Reason: Green = on, good, no problem, etc. to me and blue has no defined meaning, so I think blue is a better "learning mode" color and green a better "its on and working; everything's fine" color.

    Definitely would like to be able to save/export/import all of the protection and security settings. After a couple of uninstalls/reinstalls (due to another problem app, not PG) the "schooling" of PG is pretty tedious.
     
  4. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Pilli,
    Thanks for the info, I haven't tried Sygate

    I suppose we could check easily enough using Filemon if we really wanted to know what files were being checked (unless it is being done by a file open intercept so it doesn't look like different behaviour...)
     
  5. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Re: Presets for Basic Windows Universal Processes

    Jo,
Couldn't agree more with regards to having the "ability" to have presets, although I think learning mode would be hard to do without.
It's debatable as to the need for DCS to supply them with the product as they *will* change over time and that just dates what they distribute (and makes it less likely for them to implement some form of solution).

    One thing that is missing more than having a preset list is a compilation of all the good advice given on the forum about what to (or not to) allow programs do. It would be very useful if there was a way to organise what is being posted into a list of programs with links to the various threads

I also agree that simply displaying the company name from the executable is not nearly sufficient to base a decision on. It's nice to see someone else making the point as well. It's not like you can leave the dialog there (or move it aside) and go and investigate for yourself then click "ok" later on...

    The whole point of having profiles that can be exported and imported is to allow that part of the user community that wants presets or shared config across machines to have the functionality without imposing our preferences on anybody else

    If the checksums are also exported and checkable then you can do an initial check, see that the checksums are ok then import a baseline list for the common components. Along the way people are very likely to learn just how much different vendors customise various little bits in the OEM installs (when various checksums don't match and there are more/less files than expected)

    As many people have said before, security comes from how you approach what you do on the computer
Having the ability to check what you are doing and compare with others is a convenient and repeatable way to do that based on verifiable information
     
  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Re: Presets for Basic Windows Universal Processes

    ProcessGuard DOES come preconfigured with the default processes you need to run Windows - services.exe, winlogon.exe, svchost.exe and more !

It can't come preconfigured for everybody, that's just not possible. The list of known programs for it to check if you have, would be many MB. Even then it would miss things..
     
  7. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Re: Presets for Basic Windows Universal Processes

I might add if I haven't already, we are planning an application database for the ProcessGuard website, which will be compiled from our beta testers, forum members, and us.

    The database will list which flags specified applications need and also a short description if needed.
     
  8. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Excuses regarding Presets for Windows functions

I have just added two to my current list of important but basic windows functions which have been blocked by PG

    the Windows Help System All the kinds!
    resuming after a Power Saving event, very nasty!
    logon.scr
    defrag.exe
    dfrgfat.exe
    sysocmgr.exe
    mmc.exe
    etc

:D I'm not asking you to preset all of everybody's software. I HAVE MADE THIS QUITE CLEAR! :D

    I am asking, and I still think that this is the MINIMUM to be considered Professional:-

    :rolleyes: That each and every *.exe, *.com, service and every potential process from any of the Microsoft Windows versions supported should be preconfigured. :rolleyes:

    :rolleyes: That each and every *.exe from the DiamondCS stable be preconfigured :rolleyes:

EVERYTHING ELSE is the customer's responsibility! This includes all printers, modems, scanners... ie ALL peripherals with their own software and drivers (even if included within windows) ALL extra software that the customer loads.

The Database which Jason mentions would be very helpful, not strictly required to be called professional, but certainly giving lots of extra "professional Points"!!!

    Don't make excuses, just get properly professional
     
  9. Khaine

    Khaine Registered Member

    Joined:
    Oct 2, 2002
    Posts:
    127
    What I would like to see :

- Start using SHA-256 / SHA-512 as a replacement of md5, as md5 is starting to crack at the seams
- DLL Hashing
- Force a check of all hashes, and alert you of the changed / deleted ones
- A way to get ProcessGuard to update all of the hashes which have changed
- A way to get ProcessGuard to remove the hashes of programs that cannot be found
- A way to backup settings / lists and migrate them with little effort
- Greater control over each function i.e. allow only the loading of a certain driver etc
     
  10. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Re: Excuses regarding Presets for Windows functions

    Windows Help should not need an entry (I have none for it on my setup), nor should MMC. The only processes that require entries to function are those that need to install drivers/services or modify other processes (though of course, you would want to add others like security software and anything allowed Internet access).

Keeping "default" entries to only the critical ones is better in my view and more secure. As for including other DiamondCS programs, this would require the ProcessGuard install to scan the system to identify what was installed and which folder it was in. A further check would then need to be made to ensure that the programs were legitimate (i.e. not trojans named to take advantage of this feature). It's possible, but it would require a fair amount of work on DCS' part.
     
  11. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Re: Excuses regarding Presets for Windows functions

I think maybe different preconfiguration needs should be considered regarding either protection or security list:

I agree on "always allow to run" preconfigured for logon.src and default.scr, as well as those programs mentioned above, including mmc (although I don't have XP and haven't seen some of them). I would not include the help system, but if it was there, I would like to also have it protected (because some of the help exes can use the internet, either directly or via an IE component).

    And I do think that it is an open question as to whether the scheduling service (tskmgr.exe?), the printer spool service, the scanning service should be included or not (and where? protected? or just allowed to run?), since they are MS apps running permanently on lots of systems, but not on all, and they normally can't do much that running malware cannot do by itself already.

    Andreas
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    JO and others

Some of the preconfiguration issues are solved by running through some of these things in learning mode. If they don't need other protections, like the help stuff, when you run it the first time you just give it a permit to run always and that's it. If you don't think this is professional, then run Abtrusion Protector, and see what you have to do to install new software.

Also it hit me this morning that your comment that Learning mode is a big weakness because you are not protected just doesn't hold up. When you first learn about PG your system is protected. You have to buy it for protection. So while it is learning, true, your system still is protected, but you certainly are no worse off than if you didn't discover it. Just requires the same cautions you hopefully were employing before you found it.

    Pete
     
  13. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
"trusted installation" would be handy. So that any new software being loaded that we trust will miss the barrage of pop ups.
     
  14. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Same skins as in PG V.2 would be sooo GREEAAATTTT :p ....

    I want my sexy black logs :eek: back !! *puppy*

    :D Cheers
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You already have it. It is called learning mode. Just turn protection off, do the install. Then turn learning mode on and run the program, and all aspects of it. Then turn off learning mode. Bingo
     
  16. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    and ALL aspects of it

What if like TDS 3 the program has a host of plugins and functions, some of which run from within the main *.exe but most seem to run from separate *.exe's! In this case it is most tedious! Also I don't want to run a trace right now!

    I found a better way (till DiamondCS catch on and Preconfigure for the DiamondCS stable). Leave Process Guard in full protection mode

    Protection enabled,
    Execution Protection enabled
    Block New and Changed Applications enabled
    Learning Mode (permanently) disabled.

    Then click on the various modules. They won't actually run, (so you wont be doing a traceroute that you don't want or anything else that will take up time before you can close it down again)

    But the programs WILL be listed in the log of alerts and better than that they WILL be listed on the Security Tab. Scan down and right click on each program that is listed as Denied. Check its file path. If it is what you think it is then change the last action to "Permit always"

This will be both faster and more efficient. It will also be safer. The only problem is if a few of the modules run require special privileges. Then when you actually use that module you will have to go back into the Protection Tab this time and give it the extra privilege required. This will probably add back onto the time a little bit. But this way you are at least more informed about what programs require what privileges.

    I HAVE tried both methods! I don't like the Learning Mode method at all! If you have to wait for scans to finish, a module to fully load before you can close it, or have to go through several dialogue boxes before shutting the module down, it does take some time using Learning Mode on a program such as TDS 3!!!

    I have said some strong things on this issue. I think that this point of being better informed, and therefore perhaps a safer computer user, is the only advantage to the current situation of BASIC Windows function and DiamondCS products not being properly preset in Process Guard.

    Regards Jo M
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Jo M

    Now what you came up with is very clever. :D I can see for some app's that's a lot easier way to go. Thanks for the idea.

I suspect (purely a hunch on my part) that some of the wish list stuff for PG may go on the back burner as I am sure DCS will want to devote its effort to other programs.

    Pete
     
  18. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Re: Presets for Basic Windows Universal Processes

    Gavin,
    You are of course correct that you can't do everything or cater to everyone

    Look at it on the flip side, give us the ability to create and share (export) a bunch of settings that can be imported (either as an addition to the current set or a replacement that discards the current rules)...
    Then Jo will create the settings that are being discussed, share them on the forum and that will be the end of the discussion

    Someone else will no doubt choose to do the same for other applications (as/when they decide that they want to buy a 25 user pack and roll it out on 25 machines without opening each program on every computer one at a time....)

    This would be a somewhat tedious chore for someone in a medium size organisation to do (assuming that the support person actually knows what the person runs on their PC). I don't know how many companies have purchased 25 licenses (or more), but what you can choose to do at home is harder to justify in larger environments

    You could even get fancy and add the ones that you like to the application database that Jason referred to, that would potentially cater for point and click install of settings straight from your webpage

    Excellent that you are doing the reference database, will it be open access to everyone or for "paid up" people only ?
    It would be good to have a right click "lookup database" for any alert or program so that its all integrated together

    For that matter it would be really good to have a "Forum" button on the Main tab to encourage people to come to the forum and learn more about security and share their experiences with the product
     
  19. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Auto Refresh

    Hi,

    just a quick and less controversial one from the pain in the arse!

On the Security tab it would be nice if it auto refreshed whenever you entered the tab. I can't think of a time when I have opened the tab and haven't needed to refresh it straight away to see what I need to know!

    Jo M
     
  20. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Pre-configured?

    Hi,

    I like gottadoit's suggestion about right click access to a database, so that any alert can be given proper consideration and correct treatment! Great Idea!

    I had another idea if there was more preconfiguration.

Other people are right in saying that different treatment would be required for the protection and security tabs. Yes I wouldn't want to add everything to the protection tab either. It might be unnecessarily complicated and might slow the program down and the PC?

    However I would still like all Window's functions preconfigured in the security tab so that they are all "permit always". Plus of course all the DiamondCS stable also preconfigured on the security tab. So that both windows and Other DiamondCS products run without being blocked and without alerts.

    Gottadoit is also right about this being MUCH better for any corporation or business use of your products!

    However this WOULD clutter up the Security tab quite a lot!!!

:cool: Solution would be to have three options on the security tab.
    1) Main one:- Customer Programs.
    2) Windows functions and services.
    3) DiamondCS other programs and scans etc etc. :cool:

    If they were ALL preconfigured then you would not need to open no 2 or 3 much if at all, except for interest!

If the three Windows compatible versions were preconfigured then it might slow down installation somewhat if each one is checked against the database and checked for integrity before being logged onto the security/windows sub-tab. Fine I wouldn't mind the wait! Security is important! It would add yet another raft of intensive checking of the OS, that would enhance the security of the installation! It would be slick and impressive! :cool:

    Regards Jo M
     
  21. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Pre-configured? Pah!

I have just upgraded to the new Process Guard 3.050. As far as I can see what you said here is simply not true! Yes Process Guard started in Learning Mode. It had "forgotten" all my previous Settings. (Was that because I had done the uninstall as instructed and deleted those *.dat files?) The processes that populated the protection and security tabs were ONLY the programs and services that autostart on my system. ABSOLUTELY NOTHING ELSE!

    So there is NO PRECONFIGURATION HERE! It started with a "blank slate" and relies on "Learning Mode" to do any configuration!

    This is not "Pre-configuration"! This is simply and solely "Learning Mode"!

    My feelings on "Learning Mode" are already well known! Like its colour its rather green! L. L.. L... L.... "Lazy developer mode"?

    Regards Jo M
     
  22. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Jo M, Learning mode does what it says, pre-configuration is not an option at this time as you well know re. this wish list.

    The installation instructions for users are posted here:
    https://www.wilderssecurity.com/showthread.php?t=54499 post#2 With explicit instructions for those that wished to keep their V3.000 configuration

    Pilli
     
    Last edited: Nov 14, 2004
  23. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
Hi Pilli, I am disappointed that I hadn't read Jason's good post before installing 3.050. Especially as the topic would have helped with just the issues I have been addressing! Unfortunately I was following the advice of another moderator!

I have a new definition for learning mode: "Let everything run and give everything the privileges it wants mode". Is this not right?

    I certainly won't go on the web in that mode, so I will HAVE to manually configure many web programs and tools. I wouldn't want to run in that mode if I had the slightest suspicion that there was anything "on" my machine before install. It can only reasonably be used on a clean PC!

Other than that it does seem to do its job, it allows everything to run and gives every privilege to any program that requests it!

    Jo M
     
  24. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi Jo M, I am glad that Learning Mode did as you expected at least.
    Whenever we install security programs on our PCs there are risks as you correctly state. Practising Safe Hex is the best way to secure your machine whilst using all the security tools that you can to assist you.
    As stated many times here at Wilders, nothing is 100% secure but having a good layered defence makes you a much harder nut to crack :)

    Cheers. Pilli
     
  25. Jo M

    Jo M Registered Member

    Joined:
    Sep 10, 2004
    Posts:
    53
    Alert tab suggestion

    Hi,

    I was pleased to see my suggestion in #69 already in PG 3.050!

    Another less controversial suggestion is to do with the Alerts tab.

    What is required here mostly is the "deny" messages or notifications that "*.exe tried to gain some hook" or other or "tried to install some service" or other! The plain vanilla "*.exe was allowed to start" is almost not needed?

    :cool: So how about a check box or button for "only the denials of service". If it was a button it could use for its icons:
    "All" - for All
    "X's" for only the denials of service
with an appropriate description in the balloon help. :cool:

    :D This would draw attention to the issue better and would help to avoid missing something if your eyes are tired. :D

    :cool: PG already has the red taskbar icon to inform you of an issue - excellent! - I don't think it does this just for a denial issue? Perhaps it could? Also if there had just been a denial then perhaps it could auto open direct to the "Alerts" tab. I checked this and it doesn't. Now that would be slick! :cool:

    Regards Jo M

    PS I will officially shut up about "preconfiguration" at least for a month or two! I DO like Process Guard. I have just wanted it to be better!
     