ProcessGuard v3.xxx Suggestions / Wishlist

Discussion in 'ProcessGuard' started by Jason_DiamondCS, Nov 3, 2004.

  1. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It's a bit of both - when accessing Help from an application, by default the Help window runs using the same account. It is relatively easy to access the command prompt from within Help allowing almost total freedom if an administrator account was used.

    PG's problem is that the UI has to be run under the Admin user - this means that Help is then run as Admin. The fix is to either allow the UI to be run with a non-Admin user or to change the call to Windows Help so that administrator privileges are not inherited.

    Other products that include a UI running under Administrator or LocalSystem accounts have had similar problems as the article highlights (e.g. Outpost firewall, which fixed this in version 2.5). It does require a coding change to PG itself though so using DropMyRights or RunAs won't help.
     
  2. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    Unless I'm misunderstanding what you're saying, I can tell you that this is false. I run almost exclusively for everyday use in a limited user account. I DO get alerts if I run an application that is not already on the allow list. You are given the option to allow/deny and remember. The GUI icon is not there in the system tray so the limited user can't change PG settings via the GUI. But you do get alerts without having to switch to the Admin account. That is, unless the admin user has chosen to "Block new and changed program execution" - which solves the problem of non-admin users giving something access that they shouldn't be.

    Huh? Using fast user switching to go the admin account is no more dangerous than logging off the limited account and logging into the admin account. You just get to leave your limited account programs running if you use fast user switching....
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    You are misunderstanding what I said. ;) I specifically stated "popup alerts" meaning the ones visible from the PG system tray icon when an activity (hook, driver, physical memory access) is blocked. Aside from the Alerts log, no other indication is given by PG of this happening.
    The problem is not FUS, it is having the PG UI running under an Administrator account in the first place. Using FUS does nothing to change this.
     
  4. jimmytop

    jimmytop Registered Member

    Joined:
    Dec 9, 2004
    Posts:
    268
    Location:
    USA
    Ah ok, I get it. I guess I don't miss all the background stuff when I'm in limited account. My wife and kids also use limited accounts so I would just as soon they not see them either. But I see where you're coming from. Sorry for my misunderstanding!

    I guess I just don't see what the problem is with running the PG UI under admin. I run all my other security software under admin - AV, Antispyware, etc. If I want to administrate PG, I do it from the admin account. That's what it's for. I don't do administrative stuff from the limited account, unless I have to then I use MakeMeAdmin.
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    There is a possibility of another process, script or macro using this to gain Admin access for themselves via PG's Help. If you mistakenly allowed a malicious process to run, this could significantly increase the amount of damage it could do.

    Since this is a generic issue with all programs that have a window running as Admin, the chance of someone producing an exploit for it is higher. On the other hand, you would have to allow such an exploit to run and PG's Help cannot be accessed using the F1 key.
     
  6. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Currently, after clicking its Help button, PG prompts me to Permit/Deny the execution of hh.exe on procguard.chm. If an exploit manages to trigger PG's help system in order to hijack procguard's privilege level, would I see an unexpected Permit/Deny query? If so, would it be for hh.exe or for some other program? If hh.exe, would it have different command-line parameters? Just wondering what this attack would look like if it happened.

    Thanks, P2K for the heads up. I agree that it would be better if procguard.exe can be made to run under a restricted user account.
     
  7. war59312

    war59312 Registered Member

    Joined:
    Nov 30, 2002
    Posts:
    72
    Location:
    U.S.A
    Work correctly with PB. ;)
     
  8. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Earth1,

    Hh.exe is the Helpfile Viewer which will be called in almost every case when you access an application's helpfile. Assuming that you had previously decided to Permit this (which most people would have), you probably would not see much indication of any malware using this (it would have to access Help, then a command prompt window but could then close these quickly to hide them). However any malware would trigger a PG execution prompt if an executable program. Windows scripts however require other counter-measures.
     
  9. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    602
    Location:
    Australia
    It would be very nice to be able to be able to perform a "validate" from the security menu so we could check and see if any of the binaries had changed since they were last run, and if they were then present the option to accept the changed binary (or deny) as usual

    Seeing as multiple programs can be selected, this would make it relatively easy to check everything in the list - of course there would be a wait whilst the binaries are being read and checksummed but anyone that chose to do this would probably wear that

    The reason that I ask is that it would allow us to perform an install (or windows update patch) and get all the prompts out of the way quickly so that we can return to whatever variety of normal running and/or lockdown mode that we have specified confident that we (or anyone else using the PC) shouldn't be getting any changed executable prompts for existing programs....

    Thanks
     
  10. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    602
    Location:
    Australia
    Back to the issue of having profiles again.... I'd still like to see them and I've been finding more situations when they would be useful

    Assuming that adding profiles is under consideration (at some point in the future when you guys have time.. presumably post TDS4) :
    - it would be really handy to be able to change profile with a right click on the PG icon (and be able to directly select the profile name from the popup menu)
    - from there either a HID window or optionally a password prompt would then need to be satisfied before the profile would actually change...
    - I didn't try and specify the mechanics of copying information between profiles because I was asking for export and import of the data as well, but a copy from one profile to another would be good (as well as the export

    If there was an easy way to swap the binary files around I probably would have just done it by now... but seeing as there isn't without involving reboots (and that is something I certainly won't be doing to achieve this) I've added this as an additional idea for the selection of a profile for easy access
     
  11. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I'd like PG to either alert me when a program tried to access the internet (with allow once, always etc tick box) or else allow me to authorise internet access for selected programs in the protection tab.
     
  12. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    602
    Location:
    Australia
    SpikeyB,
    I agree that is a good piece of functionality to have as part of application control but it isn't the focus of ProcessGuard.
    I would suggest that you look at one of the many personal firewalls that provide application control because they provide the functionality you are after.

    From all reports Outpost is a good one to consider, but your best bet is to read up on the different ones then choose 2 or 3 and trial them to see which one suits you and your setup the best.
    Have a look on the forums here at Wilders there are plenty of opinions and lots of information because personal firewalls seem to polarise opinions quite strongly
     
  13. "because personal firewalls seem to polarise opinions quite strongly"

    Amen to that one
     
  14. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    im just wondering, will the next release support windows xp x64 edition?

    i had an idea where pg would have predefined rules for which programs would be allowed which flags, but then i realized ppl have personal preferences on whether they want global hooks, close message handling etc...neways thats just something that came into my head.
     
    Last edited: Apr 20, 2005
  15. Fear

    Fear Guest

    I don't know if it has been suggested in the past, but file access and registry access control would be an amazing feature. I am using the demo version right now and am so far satisfied with the overall features. It would be nice to be able to permit/deny access to certain files or registry keys eventually, but a start would be to permit/deny file and registry access.
     
  16. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Ditto on folder/file access protection. It can cause quite a lot of alerts, so hopefully the permissions can be granted in such a way that a single program execution can be granted access to a folder/file for the entire duration of the program execution.

    Rich
     
  17. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    Hi there,

    here are my comments and suggestions for the (hopefully) upcoming ProcessGuard 3.5 or 4.0 (using Version 3.150):

    System specs: AMD Athlon 1.4 GHz, 512 MB RAM, Asus A7V133 with VIA-Chipset Motherboard, OS MS Windows 2000 Pro SP4, IE 6.0 SP1, Common Control Components: 5.81.4916



    -multilanguage GUI support/Versions of ProcessGuard; Either you (DiamondCS) compile international language versions of ProcessGuard (i.e. in German, French, etc.) or you make the ProcessGuard GUI multilanguage compatible, so that you and/or users can supply language files in their own native tongue.. (e.g. textfile based language files..)



    -lower System Resource Usage; the RAM consumption of ProcessGuard and its 3 tasks/processes is too high! (about 18-20 MB)
    (you write in the quicktips of ProcessGuard: "The ProcessGuard architecture was carefully designed to use minimal resources, so you can keep it running all the time and shouldn't even notice it's there."
    In my opinion 18-20 MB RAM consumption isn't low.
    If you do things in the main windows of ProcessGuard, like look after some processes/startup objects or set up some options, the "procguard.exe" process increases its RAM usage from about 6-7 MB to about 12-13 MB and doesn't go back to 6-7 MB when closed/minimized to systray.

    You should optimize the code of ProcessGuard so that all processes use only half of the current RAM consumption. I.e. lower the RAM usage of the process "procguard.exe" from about 6-7 MB to about 3 MB, "DCSUserProt.exe" from about 2-3 MB to about 1 MB and "pgaccount.exe" from about 2-3 MB to about 1 MB.
    So all ProcessGuard processes use only about 5-6 MB of RAM! (that's low/minimal resource usage! :p)



    -btw. why does ProcessGuard need 3 tasks/processes? Why don't you integrate/unite/combine the 3 tasks/processes into 1-2 part(s)?!



    -Add/sign (to) all ProcessGuard executables, driver and services (ProcessGuard setup, too) (with) a "digital certificate", so that you can ensure the integrity of all files/setup and so that no one can manipulate the files.
    With the digital signature, users can be sure that all is ok and the ProcessGuard setup and files are authenticated by and from DiamondCS.
    Many software companies (like Microsoft, Symantec, Skype, etc..) do that, to ensure/guarantee the integrity and intactness of their products. (setups, files, etc.)!
    And beginner/novice users/customers can trust that they really come from that company and aren't malicious or dangerous..!



    -If you Exit/close ProcessGuard (procguard.exe) and ProcessGuard is locked, no dialog asking for the correct password is shown. And if you set "Secure Message Handling" and you Exit/close ProcessGuard (procguard.exe), no "Human Confirmation Required" dialog/window is shown..



    -You don't have the possibility to export/save the "Protection" list/settings! (for backup, new OS install, reinstall, etc..)



    -Integrate the ability to build a local database of the applications in the "Protection" list which you can then synchronize with the server application database (on the diamondcs server). I.e. during ProcessGuard installation/setup, a predefined application database/list is copied to the pc and then when you start ProcessGuard and have an Internet connection, you can, via an integrated Update Module, download a newer list/database of predefined applications (if there is any).

    And if there is an application that isn't in the application database/list on the diamondcs servers, you have the ability/possibility to upload/submit new entries to that database/list with the special settings for that new application..
    (e.g. "wintv2k.exe" needs rights/access to set/install global hooks (global CBT hook; I think to disallow the screensaver during watching TV, video, etc. or so..)

    So other users don't need to configure settings for "wintv2k.exe" again, if someone submits it with the correct settings to the application database/list on the diamondcs servers and they first download the newer/newest application list/database from the internet/server..



    -Integrate 64bit support for AMD/Intel on Windows NT 5.2.x 64 bit and SMT/SMP support



    -option to disable the PG-Icon in the systray



    -Integrate an advanced Interface, that allows the user to set customized flags for specific applications. I.e. normally if you set for example the "allow termination/terminating" flag for one application, this application can terminate all protected applications from now on..
    But if you want that for example the application "taskmgr.exe" can/may only terminate for example the application "iexplore.exe" and no other application/process, it's impossible to do so/specify so.
    With this advanced Interface, you are able to define what application(s) can access/modify/terminate all, specific or no applications/processes!



    -Additionally you should be able to set/specify on the advanced interface what kind of modification/termination/terminating should be allowed or disallowed, like End Task or ZwTerminateProcess, etc...

    (in default/standard mode, the ProcessGuard GUI shouldn't show the advanced interface, so that beginners/novices aren't confused/disturbed so much..The advanced Interface should be only for advanced/profi/expert users/customers..!)



    -As a result of the advanced Interface, you should integrate the ability/possibility to set/specify the actions on the "ALERTS" tab/window more precisely; i.e. (if the advanced Interface is activated and shown) you should be able to set/specify that "This application" for example "taskmgr.exe" is to "Allow Terminate" (all termination/terminating methods to all applications/processes..) OR to "Allow this Termination/Terminating" for example "Type: ZwTerminateProcess" (the shown specific termination/terminating for all applications/processes..).

    And for the lower part "Was BLOCKED from ..." (for example terminating) there should be the ability/possibility to set/specify "Remove Protection" (for removal the (in this case) terminating protection for all applications) OR "Remove Protection for this app" (for removal the (in this case) terminating protection ONLY for the current application/process (in this case "taskmgr.exe"..)) OR "Remove ALL Protections" (for removal all possible protections from this/current application; in the case, the user want that this application/process doesn't have any protection anymore..) from (the) this/current application/process (in this case "iexplore.exe")..

    (in the default/standard mode, the ProcessGuard GUI (ALERTS tab/window) shouldn't show the "new" action buttons, so that beginners/novices aren't confused/disturbed so much..The "new" buttons/actions should be only for advanced/profi/expert users/customers..!)



    -integrate the ability/possibility to click for example on the application/process Icon on the "ALERTS" page/tab/window and then ProcessGuard displays/shows detailed info about this application/process in a new info window. (infos like filetype, company/corporation, description, version, Copyright, product name, product version, comments, digital certificate/signature (if there is any..), etc, ...).
    So that you are more informed about this application/process and you can better associate/assign/classify the current application/process..!



    -integrate the ability/possibility to set/specify that, if you tick "Terminate protected applications" or "Modify protected applications" in the "Authorize this application to" box in the "PROTECTION" tab/page/window, you are able to set/specify whether you will be asked with the human confirmation window (if you for instance terminate a protected application (if allowed to do so..)) or not.
    So you can tick a new option/setting named for example "ask human". In this way you can protect an allowed application from being manipulated by another process or app and ensure that only you (human) can kill/terminate or modify an application or process..



    -Remember "Lock"-Password; you have to enter the password again every time to lock the ProcessGuard GUI; i.e. if you click on "Lock" in the "MAIN" window/page/tab and then enter a password two times and click OK, the GUI is locked. If you now want to unlock the GUI again, you have to enter the password. (until now, all ok/right..)
    But if you now want to lock the GUI again, you have to enter a new Password or the same Password two times..
    That's bad, in my opinion it's better that ProcessGuard remembers the Password typed two times (the first time you lock the GUI..) and then after you have unlocked the GUI and want to lock it again, you simply click on the "Lock" Button with no need to enter the Password two times again..!
    Additionally, if you want to change the Password in future, then ProcessGuard has to supply such a feature/option..



    -integrate a "Protocol only" mode. (tickable at the "Protection enable" option/setting..) So that users can protocol/review what a specific tool/installation does/changes in the system without stopping or blocking them..
    It's useful for instance for research and learning, etc :D



    -integrate shortcuts/hotkeys in the "Human Confirmation Requirement" window/dialog, so that the user/customer can confirm or cancel the window/dialog just with the keyboard. (You can enter the confirmation word and press "Enter" to confirm, but if you press "Esc" nothing happens (window/dialog should close then..) and if you want to confirm all dialogs ("OK to all" button..) you have to use the mouse and cannot press "ALT+A" or so..)



    -if the GUI is locked out, the Protection Statistics interfere with the lockout screen..




    thx and best regards,

    iNsuRRecTiON
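The per-application rules asked for in the "advanced Interface" items above (one application allowed to terminate only a named process, optionally only via a named method such as ZwTerminateProcess, with a default deny for everything else) and the "Protocol only" mode (record what would be blocked without actually blocking it) are both, at bottom, an access-control policy lookup. The following is an added illustration of such a lookup, not ProcessGuard's or DiamondCS's code; the rule shape, the "most specific rule wins" tie-break, the method names other than ZwTerminateProcess/End Task, and the sample process names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

ANY = "*"  # wildcard for "all targets" or "all methods"


@dataclass(frozen=True)
class Rule:
    """One line of the hypothetical advanced interface.

    source: the application performing the action (e.g. "taskmgr.exe")
    action: "terminate" or "modify"
    target: the protected process acted upon, or ANY
    method: the specific technique (e.g. "ZwTerminateProcess"), or ANY
    allow:  True to permit, False to block
    """
    source: str
    action: str
    target: str
    method: str
    allow: bool

    def matches(self, source: str, action: str, target: str, method: str) -> bool:
        return (self.source.lower() == source.lower()
                and self.action == action
                and (self.target == ANY or self.target.lower() == target.lower())
                and (self.method == ANY or self.method == method))

    def specificity(self) -> int:
        # A rule naming a concrete target and/or method beats a wildcard rule.
        return int(self.target != ANY) + int(self.method != ANY)


class Policy:
    """Evaluates (source, action, target, method) requests against the rule list.

    Protected targets are denied unless a matching rule allows the request.
    In log_only mode ("Protocol only") a would-be block is recorded but not
    enforced, which is the behaviour a learning/research mode needs.
    """

    def __init__(self, rules: List[Rule], protected: List[str], log_only: bool = False):
        self.rules = list(rules)
        self.protected = {p.lower() for p in protected}
        self.log_only = log_only
        self.log: List[Tuple[str, str, str, str, str]] = []

    def decide(self, source: str, action: str, target: str, method: str) -> str:
        if target.lower() not in self.protected:
            return "allow"  # unprotected targets never involve the guard at all
        candidates = [r for r in self.rules if r.matches(source, action, target, method)]
        if candidates:
            # max() keeps the first of equally specific rules: list order is the tie-break.
            best = max(candidates, key=Rule.specificity)
            verdict = "allow" if best.allow else "block"
        else:
            verdict = "block"  # default deny for protected processes
        if verdict == "block" and self.log_only:
            verdict = "logged"  # Protocol only: note it, let it through
        self.log.append((source, action, target, method, verdict))
        return verdict


# Constructed sample policy for the example (process and method names are assumptions).
SAMPLE_RULES = [
    Rule("taskmgr.exe", "terminate", "iexplore.exe", ANY, allow=True),
    Rule("taskmgr.exe", "terminate", ANY, ANY, allow=False),
    Rule("svchost.exe", "modify", ANY, ANY, allow=True),
    Rule("svchost.exe", "modify", ANY, "WriteProcessMemory", allow=False),
]
PROTECTED = ["procguard.exe", "iexplore.exe", "explorer.exe"]


def enforcing_policy() -> Policy:
    return Policy(SAMPLE_RULES, PROTECTED)


def protocol_only_policy() -> Policy:
    return Policy(SAMPLE_RULES, PROTECTED, log_only=True)


if __name__ == "__main__":
    p = enforcing_policy()
    print(p.decide("taskmgr.exe", "terminate", "iexplore.exe", "ZwTerminateProcess"))  # allow
    print(p.decide("taskmgr.exe", "terminate", "procguard.exe", "ZwTerminateProcess"))  # block
    print(p.decide("svchost.exe", "modify", "procguard.exe", "WriteProcessMemory"))  # block
    for entry in p.log:
        print(entry)
```

The ordering rule is the part worth getting right in a real product: with only "most specific wins", a user who adds a broad allow for an application can still carve out exceptions (the svchost.exe pair above), and a request that matches no rule at all falls through to deny rather than allow.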
     
  18. squash

    squash Registered Member

    Joined:
    Mar 25, 2005
    Posts:
    313
    1. Limited account (in Windows XP) support.
    2. Password protect option, PG can only exit and/or accept new applications with a password.
     
  19. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    If this was suggested before please excuse the duplicate request. I would like to see an alert for when Windows component(s) needs to do something that it does not currently have permission to do. i.e. I just upgraded the XP Windows update to v6, yes it is out, and during the install services.exe needs to install a driver/service. I do not give services.exe this permission and naturally the update failed. If I were presented with an alert and was able to give it permission to do this on a per-instance (Permit Once) basis the update would have succeeded the first time.

    This would be useful for other components that can run other things, such as rundll32.exe, where if the user is doing an upgrade/update and another process needs additional permission to complete the process.
     
  20. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I would really like to see a "lite" (stripped-down) version that is "mom friendly" I'm thinking a version that has a pre-defined set of system files and popular security programs, only does MD5 hashing for protected programs (with an alert saying "[program x] has changed, did you recently upgrade it?"), no execution protection, only does process and global hook protection.. basically a version that just protects core system files, security software, stops keyloggers, and of course a "friendly" GUI. I think this would be perfect for non-technical users and would give you even greater exposure. You could sell it for $5-$10 and I'm sure plenty of people would go for it (I know at least 4 or 5 that would buy it, or I would buy it for them, my mom being one of them) :)

    I would also like to see an option to prevent processes from escalating privileges and more control with execution protection including the ability to only allow processes to be executed by certain accounts/account groups, along with the previously mentioned things like command line options, what processes can/can't launch others, etc.
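gottadoit's "validate" request (post 9: re-read and checksum every protected binary, flag the ones that changed since they were last run, and let the user accept or deny each change) and Notok's "lite" version (post 20: hash protected programs and alert "[program x] has changed") describe the same integrity-baseline mechanism. Below is an added, self-contained sketch of it in Python; it is not ProcessGuard's code, and the baseline file format, the function names and the sample files it creates in a temporary directory are constructed for the example. It uses SHA-256 rather than the MD5 Notok mentions, since the choice of hash is independent of the mechanism.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional


def digest_bytes(data: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, data).hexdigest()


def file_digest(path: str, algo: str = "sha256", chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths: List[str], algo: str = "sha256") -> Dict[str, dict]:
    """Record the current digest and size of every protected binary."""
    return {str(p): {"algo": algo, "digest": file_digest(str(p), algo),
                     "size": os.path.getsize(p)} for p in paths}


def save_baseline(baseline: Dict[str, dict], path: str) -> None:
    # Export, as several posts in the thread ask for; JSON is an assumption.
    Path(path).write_text(json.dumps(baseline, indent=2))


def load_baseline(path: str) -> Dict[str, dict]:
    return json.loads(Path(path).read_text())


def validate(baseline: Dict[str, dict],
             decide: Optional[Callable[[str, str, str], bool]] = None) -> Dict[str, List[str]]:
    """Re-hash every entry and classify it.

    decide(path, old_digest, new_digest) stands in for the user's Permit/Deny
    answer on a changed binary; accepting updates the baseline in place, so the
    next validate() run is quiet for that file. With no decide callback every
    change is reported and denied.
    """
    report: Dict[str, List[str]] = {"unchanged": [], "changed": [], "missing": [],
                                    "accepted": [], "denied": []}
    for path, entry in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
            continue
        new = file_digest(path, entry["algo"])
        if new == entry["digest"]:
            report["unchanged"].append(path)
            continue
        report["changed"].append(path)
        if decide is not None and decide(path, entry["digest"], new):
            entry["digest"] = new
            entry["size"] = os.path.getsize(path)
            report["accepted"].append(path)
        else:
            report["denied"].append(path)
    return report


def demo():
    """Constructed scenario: three 'binaries', one patched by an update, one removed."""
    d = tempfile.mkdtemp()
    try:
        a, b, c = (os.path.join(d, n) for n in ("app_a.exe", "app_b.exe", "app_c.exe"))
        Path(a).write_bytes(b"MZ original a")
        Path(b).write_bytes(b"MZ original b")
        Path(c).write_bytes(b"MZ original c")
        baseline = build_baseline([a, b, c])
        store = os.path.join(d, "baseline.json")
        save_baseline(baseline, store)
        baseline = load_baseline(store)  # round-trip the export

        Path(b).write_bytes(b"MZ patched b")  # an update replaced app_b.exe
        os.remove(c)                          # app_c.exe was uninstalled

        accept = {b}  # the user answers Permit only for app_b.exe
        first = validate(baseline, decide=lambda p, old, new: p in accept)
        second = validate(baseline)  # accepted change no longer prompts
        return first, second
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    first, second = demo()
    print(json.dumps(first, indent=2))
    print(json.dumps(second, indent=2))
```

The point gottadoit makes about doing this right after an install or Windows Update is visible in the second `validate()` call: once a changed binary has been accepted, its new digest is the baseline, so later runs (or a locked-down mode) no longer raise a "changed executable" prompt for it.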
     
  21. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    outbound internetfilter even as a plug-in.

    great addition to windows firewall and all integrated inbound filters used in routers/broadband modems.

    You don't need a software firewall anymore and it's a piece of cake to implement for diamondcs...
    Dolf.
     
  22. Hard Rocker

    Hard Rocker Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    258
    Location:
    Quebec, CANADA
    :) I like Notok's view on things .... a simpler version .... but it would also be nice to have the option to upgrade to the full program once the user felt comfortable with the stripped-down version.

    I really want to install ProcessGuard .... but being a new user & also having heard of other users being unable to start some programs with PG installed, I'm a bit intimidated to install PG right now. These are the ONLY things that are holding me back. On the other hand .... from what I've heard, PG is pretty much one of the best security programs that a user could install on their PC.

    HR :cool:
     
  23. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    afaik, processguard uses a serial number so u just have to purchase it and enter the serial number into the lite version to convert it to full
     
  24. Hard Rocker

    Hard Rocker Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    258
    Location:
    Quebec, CANADA
    Hi, and thanks for responding :) .... but what I meant was if PG should come out with a very basic version of their program .... as Notok has suggested above .... it would be nice to be able to upgrade to the full version from this so called stripped-down version as he has called it .... after purchasing the so called (basic) or stripped down program.

    HR :cool:
     
  25. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi HR,

    There is a free version of PG that has some important functionality stripped out. You can try out this program and if it works for you, all you need to do is add a serial number in order to access the rest of the functionality.

    There are just two things to remember when installing:

    1) Stop all real-time protection (including things like Tea Timer) while installing PG.

    2) Keep it in learning mode for at least three restart cycles and make sure that you run all of your security program Updates while in learning mode.

    This should put you in pretty good shape. Additionally, DiamondCS is now recommending that you do not give "services.exe" Install Driver/Services permission anymore in order to close a hole that might allow a rootkit to be installed.

    This basic setup gives you lots of protection. Personally, I also give Permit Once permission to rundll.exe for some extra protection, but it does make PG a bit more talkative (e.g. control panel functions usually call on rundll.exe).

    Rich