ProcessGuard v3.xxx Suggestions / Wishlist

Discussion in 'ProcessGuard' started by Jason_DiamondCS, Nov 3, 2004.

  1. azumi21

    azumi21 Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    129
    Thanks for the links of those very useful programs!
     
  2. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    I think SMH should be more configurable, e.g. it should be possible to disable the X title bar handling while still having customized SMH confirmations. The reason: some apps allow you to minimize to the tray when clicking on the X (e.g. KAV), so you wouldn't want confirmation in this instance. However, you might still want SMH on this app for a menu item in its tray icon.

    Another SMH related problem I've come across is -

    If I start the on-line help from within a SMH protected program, then when I try to quit the help window (by clicking X in title bar), I get the SMH confirmation dialog even though I haven't configured it for the help. I assume it's because the program is the parent process and so PG sees it as me trying to close the program instead of the help.
     
  3. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    azumi21,
    Make sure you look at what else is on each site and possibly even try the programs out on a non-critical machine in order to get an idea of how much you can trust the author... that goes for any program, not just API watching or security programs.

    I'm not saying anything for or against those sites as I don't have any references for them yet... it's worth having a look around some of the security sites and googling to see if any of the "experts" have any opinions on the programs before you expose your computer to them....
     
  4. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    If you look back a-ways you'll see a similar request that I made and from what I could gather Jason either didn't understand why I was asking or he didn't want to understand why...

    Have a look back at this thread, posts 98, 99 and 100 where I asked about having a DELETE variant to go with the INSERT that would allow us to remove SMH behaviour for various actions on the application

    I was looking mainly at being able to do it for dialog boxes/pop up windows to avoid HID confirmations for windows that have already been destroyed, I don't see why the same thing wouldn't apply in the example you just gave

    Jason made the very valid point that unless these SMH modification actions were controlled then malware could selectively remove SMH protection
    One fairly obvious way of ensuring that would not happen is to use HID interaction to confirm changes like this whilst we are "training" PG
    In some ways it would be nice to get visual confirmation when we use the INSERT modifier as well so that we know it has happened... a balloon alert would do and an entry in the alert log would be useful

    Once you start messing with SMH for different parts of the application it also becomes obvious that it would be nice to be able to see what has been defined (and it would also make it easier to communicate to others and record for our own re-use at a later point in time)

    In your other thread where you brought this up, Pilli started making point suggestions about specific instances of why this generalised feature wasn't necessary (some of which you rebutted) and I think that just highlights the fact that more fine-grained control over SMH would be a useful feature for those people that care to train some applications more finely to give them an extra layer of security
     
  5. karaldjag1

    karaldjag1 Guest

    Hi,

    *Firstly, thanks Gottadoit for your opinion about free and paid versions.
    And I want to apologize for talking about the old version. It's not ethical at all.
    I've decided to buy a full licence of PG (I'm waiting for an e-mail from DCSSales).

    Why have I chosen PG?
    Simply because it's the most exhaustive and powerful of all the infection prevention systems (no updated signatures) that I've ever tested.

    Some of those softs are never mentioned on the Wilders forum (list on PM only), but most of them are easily bypassed with the usual hacking methods (process termination, DLL injection...).

    It's not the case with PG, which protects itself against advanced attacks.
    And I really agree that when we find a great soft, we could make an effort to buy it. That's the best way to support it and to reward very good work.

    *For the links: I will never mention any software that I haven't tested myself (I'm a beta-tester of Winsonar).

    And I hope that some users will agree with me: there's no incorruptible and unbypassable system. It's a question of time and resources (DDOS).
    Even with thousands of protections like API monitoring or integrity checkers.
    As I said, PG with the usual protections is enough for most home users.

    *To stay in the subject:

    *Protection of DCSPGSRV (PG service)

    To prevent a deactivation of this service (by anyone who has physical access to our PC), it's possible to protect it manually:
    - configuration service - recovery button - first failure: restart the service
    - second failure: restart the service
    - third failure: turn off the computer.

    But is it possible to integrate this configuration automatically with the installation of PG?

    *An integrity checking scan (SHA-1) of all files:
    - on demand,
    - automatically on Windows start-up and before Windows shuts down.

    Thanks for this forum and pardon me for my mistakes (English or computing).

    Regards
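The service recovery configuration described in the post above can be scripted instead of set by hand in the Services console. The following is an added example, not code from the thread or from DiamondCS: it builds the argument list for the built-in `sc.exe failure` command (real Windows syntax; `reset=` and `actions=` must be passed as separate tokens, which `subprocess` does for a list), with the same three-step policy the post gives. `sc.exe` offers `restart`, `run` and `reboot` actions; the closest equivalent to "turn off the computer" is `reboot`, so that is what the third step assumes. The service name `DCSPGSRV` comes from the post; the delay and reset values are my own choices.

```python
import platform
import subprocess

def failure_args(service, reset_seconds=86400, delay_ms=60000):
    """Argument list for `sc.exe failure`, mirroring the Recovery tab of the
    Services console: first failure restart, second restart, third reboot.
    reset_seconds: how long without failures before the failure count resets.
    delay_ms: delay before each action is taken."""
    actions = "/".join([f"restart/{delay_ms}",
                        f"restart/{delay_ms}",
                        f"reboot/{delay_ms}"])
    return ["sc.exe", "failure", service,
            "reset=", str(reset_seconds),
            "actions=", actions]

def query_args(service):
    """Argument list for `sc.exe qfailure`, which prints the current policy."""
    return ["sc.exe", "qfailure", service]

def apply_policy(service="DCSPGSRV", dry_run=True):
    """Apply the recovery policy. Returns the argv that was (or would be) run.
    Only executes on Windows and only when dry_run is False; needs an
    elevated prompt, since the service's failure actions are a protected
    configuration item."""
    argv = failure_args(service)
    if dry_run or platform.system() != "Windows":
        return argv
    subprocess.run(argv, check=True)
    return argv

if __name__ == "__main__":
    # Dry run by default: show what would be executed.
    print(" ".join(apply_policy()))
    print(" ".join(query_args("DCSPGSRV")))
```

Two caveats for anyone relying on this. Recovery actions are triggered by the Service Control Manager when the service process terminates unexpectedly; a clean stop by an administrator is not a failure, so this counters a crash or a killed process, not a deliberate `net stop` by someone with admin rights (Windows Vista and later add `sc.exe failureflag <service> 1` to treat non-crash stops as failures too). And the policy itself is just another configuration item that the same administrator can change back, so it complements, rather than replaces, restricting who holds administrative access to the machine.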
     
  6. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    karaldjag1,
    Like I said it was nothing personal against the sites or yourself for suggesting them, it always pays to do some research before using something new

    Also I was wondering if there was any reason you are still appearing as a Guest and haven't registered your login name?

    Regards
     
  7. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    When I want to reply to a post, I log in.
    But when I'm quite long and slow, I get logged out automatically and kareldjag becomes kareldjag1. That's the only reason.

    A friend of mine (a dev.) said that what is notionally possible is sometimes not possible to develop concretely in reality.
    That's why I'll abandon this wish list theme.

    ProcessGuard could not be an "all in one against all" (attacks).

    But just share your knowledge, it's a little door to immortality.

    Regards.
     
  8. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    If the "Show Extra Information" box on the Permit/Deny security screen used a slightly larger font, I wouldn't be using my magnifying glass nearly so often. Once you've seen that screen a few times, the most important information is the hardest to read. Watching everyday command line parameters illuminates what really happens when I click icons. It would be great if I could follow along without having to scan my arm across the screen too. :)
     
  9. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
    To be able to right click on the task bar icon and choose "trusted installation" for the installation of trusted software.
     
  10. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I'd agree with this one. The print is rather small. I would also suggest adding a "Permit with these parameters" option (which would allow future execution with the same details but prompt otherwise) to cover frequently used (i.e. tiresome to permit/block once) but not-completely-trusted programs (as discussed in Rundll32.exe - To Permit or not?).
    May I respectfully cast a vote against this one? This creates two problems - the very practical one of having to disable the "trusted" mode at the end of an install (all too easy to forget) and the (currently) more theoretical problem of it opening the door to PG-aware malware to compromise your system (waiting until a program installation would be the ideal time to attempt file or registry alterations). A more secure option would be an interactive mode where PG would prompt on whether a hook/service install should be allowed (like with Execution Protection prompts - this is how System Safety Monitor handles them).

    On the SMH side of things, the human verification popup could include some more explanatory text like PG2's did (e.g. "To prevent malware from carrying out this action, user verification is needed. If you wish to proceed with this, please enter the 5-letter sequence below to confirm."). The current information is not as clear and quite intimidating for new users ("Window class? Message type? What's that?") so could be replaced with more recognisable information (e.g. window titlebar contents, user-specified description for INS-learnt actions) with the raw detail available via a More Info button.

    Finally on the graphics side, could we please have the 3.000/3.050 scrollbars back? The 3.100 ones IMHO look like escapees from the 1980s Apple Macintosh, clash with the rest of PG's graphics, aren't skinnable by WindowBlinds and won't work with mouse scrollwheels.
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Another SMH-related option - add the option to require a password rather than the 5-letter confirmation. This could be a very useful facility for shared computers to prevent certain programs from being shut down - e.g. a family computer could use this to prevent Junior from shutting down the firewall or web filter.
     
  12. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Very true :).

    Nick
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Come on guys. If a lot of these types of requests were added DCS could turn PG into bloatware like some of the well known products on the market. This issue shouldn't be at all confusing IF Mr newbie would just read the helpfile.

    I for one would hate to see this code get bloated to make the program so it could be run by a brain dead newbie who won't read. This might sound harsh, but I am afraid I don't have much sympathy for the newbie who wants everything handed to him so he has to make no effort.

    Pete (climbing back off the soapbox) :D
     
  14. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Pete,

    <hastily picking up discarded soapbox>
    I think you might possibly have replied to the wrong post ;-), the bulk of that suggestion was about adding a bit more *text* and you are referring to code bloat

    On a lighter note, DCS are most probably giving considered thought to everything that is posted here and by not responding at all they are not obliged to do anything, least of all make choices that would result in code bloat

    Personally I'd think that they are a bit smarter than that given the responses I have seen to date. They seem to have identified their target market and hence the set of "useful" features that they are considering
    nb: pure speculation based on several posts, one of which was about WFP

    If it turns out that their target market includes "dumb newbies" then nothing anyone says here will change the onset of features to help market the product :)
    </hastily picking up discarded soapbox>
     
  15. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    I just want to second P2K's suggestion that rundll32 have multiple instances of security approval, where each permit/deny decision is relevant only to an invocation of rundll32 that uses exactly the same parameters.
     
  16. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Hi, :) can you make it so the popups are movable? As talked about in this thread. Thanks.
     
  17. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Some GUI suggestions to make it even more useful

    In the Security tab add an extra column "Last Modified" with a date (just like last run)

    Add to the right click menu an entry to show "previous" properties, to bring up a properties window of what the properties were prior to the last modification. An extension to this that would take a little more work would be to open a custom window showing the current and previous "properties" side by side with differences highlighted (this could be fairly useful)

    In the Alerts window, add a right click menu (very similar to the one on the security tab) to allow the selected program to be manipulated from that window without having to switch tabs and go and find it again
    Alternately a double click on an item in the Alert tab could take you through to the entry for this program in the security tab (if it was there and add it and take you to it if it wasn't already there) at which point you could do the same thing

    A logging omission :

    When programs are allowed to run without operator authorisation during startup (Permit Once - Unable to ask user), the corresponding entry in the text logfile does not show that it was "Unable to ask user"; it doesn't even show that it was a permit once item either, and the permit once/always could usefully be logged. Having this would enhance the usefulness of the logfile for forensic analysis

    [NB: I would really like a way to stop this happening, once "learning" mode is over and done with I would prefer explicit authorisation]

    A logging enhancement request :

    When a program is found to have changed, output a small table of the differences found (nb: requires PG to be storing and comparing the information presented in a "Properties" display), while not comprehensive it would be a very good start for someone using the logfile to see what has happened (to the core executable at least)
     
    Last edited: Jan 24, 2005
  18. ReTheOff

    ReTheOff Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    4
    First off let me say, YES! This product is the best I have seen so far!

    But, I do have one suggestion. I know that DCS has the Wormguard product, but installing that, to me, is not going to achieve my goal. My goal is to find THE product that can stop us from paying this Bugware Tax. ProcessGuard is the closest thing I can find to doing this by stopping execution and giving the user the control they should have had from MS.

    Anyway, my suggestion is that ProcessGuard be extended to allow or deny scripts. Anything executed by cscript.exe, wscript.exe, or cmd.exe. In a business network, you might have logon scripts or other automation, so you will need to allow execution of those programs from cscript.exe. ProcessGuard does not protect from unwanted scripts. If it did, it would most certainly be perfect!

    It would be very easy to write a vbs script and have it delete files or download other scripts to run, and ProcessGuard would allow it. Having to buy Wormguard or other AV software just makes you pay the Bugware Tax even more. Maybe ProcessGuard can't or shouldn't do this, but it would be nice if it could.
     
    Last edited: Jan 25, 2005
  19. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Nice idea :) I too prefer prevention rather than cure; as you correctly state, a stopped bug is harmless. We certainly must reach a stage shortly, with all the definition updates for viruses, spyware, Trojans etc., where we are spending more time scanning our machines than actually using them! :D

    Cheers. pilli
     
  20. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Thanks, Jason, for suggesting we try allowing trusted programs via "Permit Once". I like it for internet apps, but I've discovered that with permit once, PG no longer compares the program's checksum to its "last run" value. Ideally, I think PG should be able to apply both permit-once and checksumming in tandem. Otherwise, it seems, I close one hole only to open another.
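The post above (and kareldjag's earlier request for an on-demand SHA-1 scan of all files) both come down to the same mechanism: record a digest of each executable when the user approves it, and refuse to silently "permit once" again if the bytes on disk no longer match. The following is an added example of that mechanism, not code from the thread or from ProcessGuard; it is my own sketch of how permit-once and checksumming can be applied in tandem, plus a whole-directory baseline scan. All file names and contents are constructed inside a temporary directory so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

def sha1_of(path, chunk=1 << 16):
    """Streamed SHA-1 digest of a file (SHA-1 because that is what the
    thread asks for; hashlib.sha256 is a drop-in replacement)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan(root):
    """Hash every regular file under root; keys are paths relative to root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha1_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Diff two scan() results into added / missing / changed file lists."""
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline.keys() & current.keys()
                     if baseline[k] != current[k])
    return {"added": added, "missing": missing, "changed": changed}

def decide(path, last_run):
    """Permit-once with checksum: permit only while the digest still matches
    the value recorded when the user last approved this program; otherwise
    return 'ask' so the user is prompted again (changed or never approved)."""
    digest = sha1_of(path)
    if last_run.get(str(path)) == digest:
        return "permit", digest
    return "ask", digest

def demo():
    """Constructed scenario: approve a program, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.exe").write_bytes(b"original program bytes")   # constructed
        (root / "helper.dll").write_bytes(b"original library bytes") # constructed
        baseline = scan(root)
        # The user approves app.exe once; we record the digest seen at that moment.
        last_run = {str(root / "app.exe"): baseline["app.exe"]}
        first = decide(root / "app.exe", last_run)[0]
        # Later the binary is modified and a new file appears next to it.
        (root / "app.exe").write_bytes(b"modified program bytes")    # constructed
        (root / "dropped.exe").write_bytes(b"new file")              # constructed
        second = decide(root / "app.exe", last_run)[0]
        report = compare(baseline, scan(root))
        return first, second, report

if __name__ == "__main__":
    print(demo())
```

The point of the `decide` function is the one earth1 raises: a permit-once rule keyed on the path alone re-permits whatever now sits at that path, whereas keying it on the digest closes that hole without taking the user out of the loop for a genuinely unchanged program. The same idea extends to the "permit with these parameters" suggestion earlier in the thread by folding the command line into the recorded key.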
     
  21. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    Something that I think should be added to PG is for there to be a confirmation dialog before removing items from "protection", to help prevent inadvertently removing something that you do not actually want to remove.
     
  22. war59312

    war59312 Registered Member

    Joined:
    Nov 30, 2002
    Posts:
    72
    Location:
    U.S.A
    I agree! :)
     
  23. war59312

    war59312 Registered Member

    Joined:
    Nov 30, 2002
    Posts:
    72
    Location:
    U.S.A
    Please make ProcessGuard remember the darn window size and location and whether it's maximized or not.

    Sick of having to resize and replace window on screen after every reboot. :(
     
  24. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi, To save the window size you need to "Exit" the GUI so that the settings are remembered. Just closing or clicking the X will not do it ;) When you re-start the ProcessGuard GUI your window size should have been remembered.

    Pilli
     
  25. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,105
    Why don't they just make it so that the GUI settings are saved when the X is clicked?!
     