Questions about ProcessGuard

Discussion in 'ProcessGuard' started by Khaine, Dec 18, 2003.

Thread Status:
Not open for further replies.
  1. Khaine

    Khaine Registered Member

    Joined:
    Oct 2, 2002
    Posts:
    127
    I'm looking at purchasing ProcessGuard; like everything, it's just getting the funds to buy all the goodies that I want. I have a few questions:

    What termination techniques does ProcessGuard NOT protect against? I understand that it doesn't protect against WM_CLOSE; are there any others?

    Will you fully disclose the nitty gritty on how all termination techniques work, for us programmer wanna-be's (I start doing Engineering, Software Engineering next year)?

    How does the driver prevent itself from being unloaded, or having its memory space modified, or any other shutdown attack?

    Can it be set to write an entry in the event log if a program attempts to terminate another program?


    Thanks In Advance


    Khaine(BOT)
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hello & welcome Khaine.

    Process Guard does have a switch (Close Message Handling) which can block any listed .exe and protects against WM_CLOSE.

    SetWindowsHookEx (firehole) is not currently covered, but PG protection is being developed; currently there are no known exploits of this hook.

    There are examples in the help file.

    PG is a driver which loads very early in the startup process; any attempt to close procguard.sys will open a Human Interface Dialogue box, probably impossible to emulate, which requires human input to allow closure.

    Every attempt to access a listed (protected) programme can be logged in the procguard.exe window and/or to a text log.

    Please download the trial version, which will allow you to list one programme, so you can then see exactly what happens when an attempt is made to close it. http://www.diamondcs.com.au/processguard/

    HTH Pilli
     
  3. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Just a few clarifications. You can't really "Close" the driver. You can try and unload/remove it but Process Guard will never allow that to happen unless Protection has been disabled (which needs the Human Confirmation box to be entered correctly).

    WM_CLOSE (and other close messages) protection is already in there and works great for a lot of programs; it also has its downsides with some programs too, like too many confirmation boxes appearing. Some programs (Outpost firewall) don't seem to like it at all and close down after a Human Confirmation comes up. It is a BETA feature, so use it on programs it doesn't have problems with, and don't use it on others it does have problems with :) . It appears Delphi and VB apps have the most problems with it, due to their over-extensive use of hidden windows, etc.

    -Jason-
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks for the clarifications Jason :)
     
  5. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    DiamondCS vs. SetWindowsHookEx

    Jason and I had a very intense R&D session this afternoon - DiamondCS vs. SetWindowsHookEx. It was a challenge we'd been wanting to tackle for a few weeks now but only today were we able to find time to have a real go at it. Anyway after some six hours, SetWindowsHookEx was defeated, by TKO to Jason's driver.

    We can't elaborate much more for now as we still have some testing to finish, but with any luck we'll be able to release a new version of Process Guard this week with SetWindowsHookEx protection which will protect against not only the Firehole (and similar) leaktests, but also most keyloggers, some trojans, and some other nasties.

    Anyway, back to work - I hear a debugger calling ...
     
  6. Tuulilapsi

    Tuulilapsi Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    53
    Re:DiamondCS vs. SetWindowsHookEx

    This sounds pretty damn good. :)
     
  7. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    omg Tuuullliiiii!!!!! :D

    Haven't seen you in ages!

    Man it's been long time, glad to see you are still hanging out on the boards :)

    Cheers,
     
  8. Tuulilapsi

    Tuulilapsi Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    53
    Hi, Unzy! :D I've been a bit out of the loop lately...

    Yea, I've been a bit absent recently, but at least I've some time off now that it is nearing Christmas. Good to see you around too.
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Well done Wayne & Jason - Hope you both enjoy the weekend, looking forward to the next release :D

    BTW Wayne, will you be updating APT by adding Kill 8? :D
     
  10. Gary Graham

    Gary Graham Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    28
    Location:
    Michigan
    Once again DiamondCS was issued a challenge, and was up to it.

    It is nice to be protected in this day and age.


    Now: Can you prevent my getting the flu? :rolleyes:
     
  11. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Great Work Wayne and Jason!

    I'm sure everyone looks forward to the additional capability of an already very formidable program!
     
  12. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Good news !

    I can't wait the next version :)
     
  13. Khaine

    Khaine Registered Member

    Joined:
    Oct 2, 2002
    Posts:
    127
    Thanks Jason for correcting me :)

    ProcessGuard appears to have improved a lot from its initial release, and I can't wait till I purchase it.
     