Questions about PG3 / PG2

Discussion in 'ProcessGuard' started by SimonW, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. SimonW

    SimonW Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    115
    Location:
    Leicester, UK
    Just testing out PG3.0 and I'm sure the following behaviour was different (better!?) under PG2 o_O


    1) Downloaded the APT testing program, added calc.exe to the protection list with termination and modification ticked, but tests 7 & 8 (WM_CLOSE, SC_CLOSE) both kill calc without a warning. If I add Secure Message Handling then I get asked, but I thought all the tests used to pass OK with PG2? Should I therefore add Secure Message Handling to all items in my protected list?

    2) In the log, when an application says 'xxx tried to install a driver/service...' does this mean it failed or succeeded? I got this in relation to thguard.exe so I added drivers/services to its settings anyway. In PG2 I'm sure Trojan Hunter was constantly trying to access memory and was logged constantly?

    Thanks
    SimonW
     
  2. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    You must not have PG3 set up right.. I have used PG 3 beta 1, beta 2, 3.0 "final release", and 3.05, and they all worked perfectly to keep "APT" from terminating any protected processes.. However, when I first installed PG3 beta 1 it did not seem to work properly (for some reason), but it did work after I reinstalled it..

    I would try uninstalling PG3 and then reinstalling it.. PG3's protection will not be active while PG3 is in "learning mode".. Incidentally, I never use "secure message handling"..
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    A few things, Simon, apart from the note from redwolfe about learning mode:

    The APT test program must not be on the protected list.

    calc.exe must be on the protection list.

    Any program that you apply Secure Message Handling (SMH) to must be on the protection list and must not be running BEFORE adding SMH to it.

    Read the help file with regard to SMH, as it now has a learning mode of its own.

    It is relatively easy to see if a program has been protected by checking that procguard.dll has been successfully injected into the SMH-protected program, using such tools as Process Explorer or Faber Toys.

    HTH Pilli
     
  4. SimonW

    SimonW Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    115
    Location:
    Leicester, UK
    Thanks for the help guys

    Everything was set up as you describe Pilli.

    My point is that in order to stop APT tests 7 & 8 from terminating calc I had to add SMH. (redwolfe_98 says that he does not use SMH.)

    I might be wrong, but I thought that under PG2, with all 'global' features turned on (not app-specific settings, which SMH appears to be), the program was protected from all the example APT tests?

    Simon
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Simon, no, K7 & 8 are SMH-specific; that is what the SMH component was designed to stop, and the four General tabs do the rest :) It was the same in version 2, but not as reliable.

    Pilli
     
  6. SimonW

    SimonW Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    115
    Location:
    Leicester, UK
    Hi Pilli,

    Sorry to be a pain, but I think I'm getting there - slowly!! ( :) )

    Why do I have to apply SMH on an individual basis? If calc can be killed so easily using WM_CLOSE & SC_CLOSE, then how do I know which of my other 92 or so apps in the protection tab should also have SMH applied (apart from testing each one in turn)?


    Simon
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Simon, what you should be trying to achieve is to protect important programs from close, specifically your AV, AT, resident anti-spyware and firewall.
    For instance, I protect CryptoSuite, TDS3, Port Explorer, Kerio and a couple of other programs.
    I do protect KAV 5 with SMH as it already has good protection.
    Zone Alarm is another well-protected app which probably does not need SMH enabled.
    Malware would have nothing to gain from closing things like calc.exe.

    HTH Pilli
     
  8. SimonW

    SimonW Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    115
    Location:
    Leicester, UK
    Agreed - calc was purely an example to test apt with :)

    In my case the key programs are NOD32, LooknStop & TrojanHunter - so I will set SMH for these.

    I can see that in all cases the recommendation would be for a user to protect their 'defence layer' apps - and understandably so.

    Yet after running learning mode, as stated, I have 92 apps listed! Looking at the list, 20-ish look to be key Windows files, which should be protected, 3 are the security apps mentioned above, but the rest I'm not so sure about. I did as suggested after installing and ran all my usual programs while learning mode did its thing. I guess that no overhead is incurred protecting all these other programs, but I don't understand why they need to be in the list, other than the fact that learning mode added them as they were run.

    Thanks
    Simon
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Simon, you may be getting confused; there is a vast difference between system files such as svchost and a program that runs from a GUI. We are talking about window close; many programs do not have windows as such and are therefore not susceptible to the same attacks.
    This is what Advanced Process Termination is all about; read the documentation and that will probably help you to understand the various attack vectors.

    I am no techie, so you will have to excuse my simplistic explanation - DCS do it so much better :)

    Pilli
     
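To make the distinction in the post above concrete, here is an added model (written for this thread, not ProcessGuard's own code, whose internals are not shown here) of what a Secure-Message-Handling-style filter has to decide: only WM_CLOSE and WM_SYSCOMMAND/SC_CLOSE are close requests, the low four bits of the SC_CLOSE wParam must be masked as the Win32 docs require, and a process with no top-level window never receives such a message at all. The `smh_filter` signature and its `user_initiated` flag are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Real Win32 message ids from winuser.h. */
#define WM_CLOSE      0x0010u
#define WM_SYSCOMMAND 0x0112u
#define SC_CLOSE      0xF060u

enum smh_action { SMH_PASS = 0, SMH_BLOCK = 1 };

/* Is this message a request to close the window (APT tests 7 and 8 in the
 * thread send exactly these two)?  Everything else is left alone. */
bool is_close_request(uint32_t msg, uintptr_t wparam)
{
    if (msg == WM_CLOSE)
        return true;
    /* For WM_SYSCOMMAND the four low-order bits of wParam are used
     * internally by the system, so mask with 0xFFF0 before comparing. */
    if (msg == WM_SYSCOMMAND && (wparam & 0xFFF0u) == SC_CLOSE)
        return true;
    return false;
}

/* Hypothetical filter in front of a protected window procedure.
 * smh_enabled:    SMH ticked for this program (plain termination/modification
 *                 protection does not inspect window messages at all).
 * user_initiated: close came from the user (Alt-F4, system menu) rather than
 *                 from another process; how that is established is out of
 *                 scope for this model. */
enum smh_action smh_filter(bool smh_enabled, bool user_initiated,
                           uint32_t msg, uintptr_t wparam)
{
    if (!is_close_request(msg, wparam))
        return SMH_PASS;            /* paint, timers, input: untouched */
    if (!smh_enabled)
        return SMH_PASS;            /* window closes, process exits */
    return user_initiated ? SMH_PASS : SMH_BLOCK;
}

int main(void)
{
    /* Constructed replay of the two APT tests against a window with and
     * without SMH; a service such as svchost has no window to send to. */
    printf("test 7 WM_CLOSE, no SMH : %s\n",
           smh_filter(false, false, WM_CLOSE, 0) ? "blocked" : "closes");
    printf("test 8 SC_CLOSE, SMH on : %s\n",
           smh_filter(true, false, WM_SYSCOMMAND, SC_CLOSE | 0x5u) ? "blocked" : "closes");
    return 0;
}
```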
  10. SimonW

    SimonW Registered Member

    Joined:
    Feb 22, 2004
    Posts:
    115
    Location:
    Leicester, UK
    Ignoring SMH for a second, I basically meant that it seems PG is defending too much! Important OS files and defence apps, great, but all the other things listed in the security tab?!

    BTW, thanks for your ongoing help - much appreciated.
    Simon
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Simon, I believe the limit is 250 programs in the protection list, though I am not sure if this applies to the latest version or to the security list.
    Learning mode will pick up everything for the protection list, but entries can be removed easily enough when learning mode is disabled.
    I run a much more limited learning mode than most due to so many installs whilst beta testing; I have only 62 entries :)

    Pilli
     