Some questions

Discussion in 'ProcessGuard' started by Kazuma, May 26, 2005.

Thread Status:
Not open for further replies.
  1. Kazuma

    Kazuma Registered Member

    Joined:
    May 26, 2005
    Posts:
    5
    Bought TDS-3 like 6 months ago and am happy with it, so I am thinking about buying Process Guard too.

    1. If I already have a keylogger in my system, would Process Guard prevent it from operating, or does the protection against those only apply to those that are executed while Process Guard is active?

    2. Does Process Guard take much of my computer, like processor and memory?

    3. Will it damage "good" programs? It sounds like Process Guard might stop a lot of non-virus, non-trojan programs from working, like ZoneAlarm did (I use Sygate now).
     
  2. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    1. If you have a keylogger, it 'should' stop it from working... unless the keylogger is at kernel level (driver).

    2. PG is very resource friendly.

    3. PG will let your programs run freely, so long as the correct permissions are given. The easiest way to achieve this is to put PG in learning mode and run every program once (and if it has subprograms, like many AVs and ASs, run those subprograms once also). Learning mode will allow PG to give your programs all the correct permissions. If you forget to run a program before putting PG back into protection mode, that's okay; PG will let you know in the alert screen with something like 'rtvscan.exe was blocked from installing a driver', which means you need to give rtvscan.exe (part of NAV) permission to install a driver/service.
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Process Guard can certainly stop a keylogger from installing but whether it would block an existing one comes down to how you install PG. If you follow DiamondCS' recommendations about running in Learning Mode to set up permissions, then any existing software on your system (including malware) will be given the permissions to do what it wants - which is why DiamondCS stress the need to ensure your system is clean first.

    Another method of installing PG is to disable Learning mode and reset the Protection list to default (meaning only a few key Windows components are granted permissions) and reboot. Many of your startup programs will fall in a heap and fail, but you can then go through the Process Guard logs to see what was blocked and decide, on a program-by-program basis, what to allow for subsequent restarts. Any keylogger would (almost surely) be caught out by this - so as long as you know what programs are legitimate, you can block out malware in this fashion. It does require detailed knowledge of your software setup however.
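The two set-up routes described in this thread (Vikorr's "learning mode, run everything once" and Paranoid2000's "default list, let the first boot fail, then grant from the logs") can be modelled as a small allow-list controller. The code below is an added illustration, not Process Guard's code; the action names, the default component list, the program names and the "keylogger already present" event stream are constructed assumptions.

```python
"""Model of an allow-list process controller with a learning mode and a
protection mode. Constructed illustration of the two set-up workflows
discussed in the thread; not Process Guard's code. Action names, the
default list and all program names are assumptions."""
from dataclasses import dataclass, field

# Actions the controller mediates (hypothetical names).
ACTIONS = ("execute", "install_driver", "install_service", "terminate_process")

# A few core Windows components granted everything by default: a constructed
# stand-in for "reset the protection list to default".
DEFAULT_PERMISSIONS = {
    "csrss.exe": set(ACTIONS),
    "winlogon.exe": set(ACTIONS),
    "services.exe": set(ACTIONS),
}


@dataclass
class ProcessController:
    learning: bool = False
    permissions: dict = field(
        default_factory=lambda: {k: set(v) for k, v in DEFAULT_PERMISSIONS.items()})
    log: list = field(default_factory=list)

    def request(self, program: str, action: str) -> bool:
        """Decide one action. Learning mode allows everything and records it
        as a permission; protection mode allows only pre-granted permissions
        and logs every denial for later review."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        granted = self.permissions.setdefault(program, set())
        if self.learning:
            granted.add(action)
            return True
        if action in granted:
            return True
        self.log.append(f"{program} was blocked from {action.replace('_', ' ')}")
        return False

    def blocked_programs(self) -> list:
        """Distinct programs that appear in the block log, in first-seen order."""
        seen = []
        for line in self.log:
            name = line.split(" was blocked from ", 1)[0]
            if name not in seen:
                seen.append(name)
        return seen

    def allow(self, program: str, action: str) -> None:
        self.permissions.setdefault(program, set()).add(action)


# Constructed startup activity: an AV scanner that loads a driver, a browser,
# and a keylogger that was on the machine before the controller was installed.
STARTUP_EVENTS = [
    ("rtvscan.exe", "execute"),
    ("rtvscan.exe", "install_driver"),
    ("firefox.exe", "execute"),
    ("kl.exe", "execute"),          # hypothetical pre-existing keylogger
    ("kl.exe", "install_driver"),
]


def learning_mode_setup() -> dict:
    """Learn everything once, then switch to protection mode. The keylogger
    is learned along with the scanner, which is why the system must be
    clean before this route is used."""
    pc = ProcessController(learning=True)
    for program, action in STARTUP_EVENTS:
        pc.request(program, action)
    pc.learning = False
    return {p: sorted(a) for p, a in pc.permissions.items()
            if p in ("rtvscan.exe", "kl.exe")}


def default_deny_setup(legitimate=("rtvscan.exe", "firefox.exe")):
    """Start in protection mode with only the default list, let the first
    boot fail, then grant per program from the log for programs the
    operator recognises. Returns both boots' decisions, the review list and
    what is still blocked afterwards."""
    pc = ProcessController(learning=False)
    first_boot = [pc.request(p, a) for p, a in STARTUP_EVENTS]
    to_review = pc.blocked_programs()
    for line in list(pc.log):
        program, action_words = line.split(" was blocked from ", 1)
        if program in legitimate:
            pc.allow(program, action_words.replace(" ", "_"))
    pc.log.clear()
    second_boot = [pc.request(p, a) for p, a in STARTUP_EVENTS]
    return first_boot, to_review, second_boot, list(pc.log)


if __name__ == "__main__":
    print("learning mode grants:", learning_mode_setup())
    print("default-deny route:", default_deny_setup())
```

In the learning-mode route the keylogger ends up with the same permissions as the scanner; in the default-deny route it is the only program still in the block log after the review pass, and only because the operator knew which names were legitimate.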
     
  4. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    thanks for the clarification Para :)
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I'm considering a program such as PG; another is FreezeX (now called Anti-Executable).

    In a sense, with PG you are creating your own white list by giving permissions. What appeals to me about FreezeX is that when you install it, it does a deep scan of the computer and puts everything into a white list. Nothing else will run. Period.

    While this would seem to be a little less maneuverable than PG, my sense at the moment is that it is a more secure way of operating. But I'm still considering...

    Thanks for the good explanations from everyone in this thread.

    regards,

    -rich
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    FreezeX might duplicate the blocking of executables, but does it protect against the other key things in Process Guard, like termination protection and blocking installs of services and drivers?

    Pete
     
  7. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Sounds similar to Abtrusion.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I'm not sure what you mean here... can you explain?

    Thanks,

    -rich
     
  9. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I think what he means is that FreezeX will block programs from executing/running as does PG. However, it's not clear if FreezeX has the additional protective measures that PG has.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK, thanks.

    -rich
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Couldn't have said it better if I wrote it myself. :D
     
  12. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    A couple of things to research in regard to FreezeX,

    1) While it will roll back the system to its prior state during re-boots, it still has "vulnerabilities" during the period of time between boots. For this reason, I have noticed that there are FreezeX users who run with PG on the DSLreports forum.

    2) There are certain "updates" that you will not want to roll back. In this case, you will have to put FreezeX in a thawed state. Thus, you as a user still need to know, and remember, when to place your system in a thawed state and bring it in and out of thaw (I believe this requires a re-boot, but I could be corrected) in order to "hold" the updates.

    As I understand it, FreezeX was designed for public libraries and schools where the environment is both reasonably static and highly controlled by central administrators. It may, or may not, be appropriate for home users. I would also research the effort required to uninstall FreezeX-type products in case you decide that it is not what you are looking for.

    Hope this helps,

    Rich
     
  13. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I'm not sure if we are getting mixed up here between 2 different Faronics products:

    Deep Freeze which sets the system back to its original state after a reboot and
    FreezeX which is meant to give protection while Deep Freeze is in a thawed state.

    I have read about problems uninstalling Deep Freeze but it worked OK for me following the relatively simple instructions they gave.
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This is correct. FreezeX blocks any executable from running which is not on its white list; doesn't matter whether the system is frozen or thawed by Deep Freeze.


    According to the Process Guard Web site describing Process Termination:

    -------------------
    The Attack: To terminate any process, a trojan would normally first acquire a special (but easy to obtain) privilege...
    -------------------

    If this works via a trojan, then it is blocked by FreezeX which prevents trojans from running. However, to be certain of this, I've asked for clarification from Faronics.

    As for blocking installs of services and drivers - here again, any install program not already on the system will not run. FreezeX has rename-copy-delete-move protection for all executables, so no contamination of the white list is possible.

    As for some of the other neat features of PG, again the available literature for FreezeX does not go into such detail, so I've asked for more explanation on this.

    However, after perusing this and other current threads about using PG on this forum, I've decided that PG is not the program for me. I don't want to have to constantly worry about guessing about permission for this process or that. While it's impressive that PG works at that level, the threat of that type of attack is just not that ominous, IMHO - on the alarm scale of 1-10, it might make it to 1.

    In addition, I had some concerns after reading the "A Word of Caution..." section in the Andreas paper, p. 3. I just don't want the possibility of any conflicts.

    FreezeX is designed to create a white list of all programs when it installs. That's all it does, and it won't nag you unless something not on the white list tries to run; and, it's designed to work in conjunction with Deep Freeze. (DF and my firewall are the only security programs I have). An anti-executable program will complement that, in that no virus, spyware, adware, trojan (rootkit, key-logger, etc) can ever install, and will be removed on reboot.

    Having said that, I'm impressed with what PG does, and it certainly adds to one's feeling of security for those who are concerned about those types of protection.

    regards,

    -rich
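The install-time white list described in the post above (every executable present at installation is recorded, nothing else runs, and the list cannot be contaminated by renaming, copying or moving files) can be modelled with a snapshot keyed by path and content hash. The following is an added illustration, not Faronics code: the in-memory file system, the file names and the decision to key the list by SHA-256 rather than by name alone are this example's assumptions, chosen to show why name-only lists are contaminated by copy-over and rename tricks.

```python
"""Model of an install-time executable allow-list. Constructed illustration
of the FreezeX-style scheme discussed above; not Faronics code. The
in-memory file system, paths and hashing choice are assumptions."""
import hashlib

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_snapshot(filesystem: dict) -> dict:
    """'Deep scan' at install time: record path -> content hash for every
    executable found. Non-executables are ignored."""
    return {path: sha256(data) for path, data in filesystem.items()
            if path.lower().endswith(EXECUTABLE_SUFFIXES)}


def may_execute(allow_list: dict, filesystem: dict, path: str):
    """Default deny: the path must have been present at install time AND its
    content must be unchanged. Returns (decision, reason)."""
    if path not in filesystem:
        return False, "no such file"
    expected = allow_list.get(path)
    if expected is None:
        return False, "not on the install-time list"
    if sha256(filesystem[path]) != expected:
        return False, "content differs from the snapshot"
    return True, "allowed"


def approve_update(allow_list: dict, filesystem: dict, path: str) -> dict:
    """The administrator's deliberate 'thaw' step: add or refresh one entry.
    This is the only way a new or changed binary becomes runnable."""
    updated = dict(allow_list)
    updated[path] = sha256(filesystem[path])
    return updated


# Constructed machine as it looked when the allow-list was created.
INSTALL_TIME_FS = {
    "C:\\Windows\\explorer.exe": b"EXPLORER-v1",
    "C:\\Program Files\\Browser\\browser.exe": b"BROWSER-v1",
    "C:\\Users\\me\\notes.txt": b"not an executable",
}
ALLOW_LIST = take_snapshot(INSTALL_TIME_FS)


def run_scenarios() -> dict:
    """Events a post-install allow-list has to cope with, all constructed."""
    fs = dict(INSTALL_TIME_FS)
    results = {}
    # 1. Original, unchanged program still runs.
    results["unchanged"] = may_execute(
        ALLOW_LIST, fs, "C:\\Program Files\\Browser\\browser.exe")
    # 2. Newly downloaded installer: was never on the list.
    fs["C:\\Users\\me\\Downloads\\setup.exe"] = b"NEW-INSTALLER"
    results["new file"] = may_execute(
        ALLOW_LIST, fs, "C:\\Users\\me\\Downloads\\setup.exe")
    # 3. New binary copied over an allowed name: name passes, content does not.
    fs["C:\\Windows\\explorer.exe"] = b"NEW-INSTALLER"
    results["copied over allowed path"] = may_execute(
        ALLOW_LIST, fs, "C:\\Windows\\explorer.exe")
    # 4. Allowed binary copied to a new place: content passes, path does not.
    fs["C:\\Temp\\explorer.exe"] = b"EXPLORER-v1"
    results["allowed binary moved"] = may_execute(
        ALLOW_LIST, fs, "C:\\Temp\\explorer.exe")
    # 5. Legitimate update, explicitly approved by the administrator.
    fs["C:\\Program Files\\Browser\\browser.exe"] = b"BROWSER-v2"
    results["update before approval"] = may_execute(
        ALLOW_LIST, fs, "C:\\Program Files\\Browser\\browser.exe")
    refreshed = approve_update(ALLOW_LIST, fs, "C:\\Program Files\\Browser\\browser.exe")
    results["update after approval"] = may_execute(
        refreshed, fs, "C:\\Program Files\\Browser\\browser.exe")
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:28s} -> {outcome}")
```

Scenarios 3 and 4 are the ones the post's "rename-copy-delete-move protection" is about: a product that blocks those file operations on executables and a list that checks content as well as path both arrive at the same answer, which is that the list built at install time stays authoritative until the administrator changes it (scenario 5).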
     
  15. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Guys,

    Thanks for the correction.

    PG can easily be set up to create a "white list", which is what it does at initial installation under learning mode. You can "freeze" the system if you want to after that. However, no matter which product you use, if you wish to "add" anything to the system after that, then the user has to make a decision somewhere, whether it means putting a system into "thaw", or giving "permission", or whatever. It is all the same.

    worldcitizen prefers PC Internet Patrol because there is a "database" that makes the decision for him. That's fine, if he trusts the database. He still has to make a decision to trust the database and the program that is trying to install the new software. Somewhere, a decision has to be made "to permit" or "not permit". It is a matter of how one goes about making that decision.

    There is also the matter of which product is most architecturally "hardened" against attacks. A comparison of different products in this respect would be interesting.

    Rich
     
  16. Wake2

    Wake2 Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    205
    I agree with your statement that PG creates a white list at initial installation under learning mode. I also use pcInternet Patrol, and it has that same feature when you first install it; it also has the database, which has the ability to further check to see if a program that exists at time of install, or one that is later added, has been authenticated as safe to use.

    pcInternet Patrol also provides a list of all active programs, what the program is started by, and a component list which includes all exes and dlls, and it makes for an invaluable quick and easy reference. It has other features as well: enable/disable sharing, quarantine for email attachments, pc hacker tracker, and when using another 3rd party firewall it can block pretty much any leak test you throw at it, so it is far more than just a database program.

    To me the advantage in using these 2 programs together is that, say I download a program, go to install it, and PG prompts with an alert, allow or deny, and I allow it, and pcInternet Patrol monitors the install and finds malware or whatever, pcInternet Patrol has the ability to stop or block my mistake.

    I agree with you also, Rich, that it would be interesting to see a comparison of which product is most hardened to attacks, and I look forward to reading more about it.

    Regards,

    Wake
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Since this is a forum for PG users, it's perhaps not the proper place to go on too much about other products. My reason for checking here was to find out more about PG, as I was still considering both it and FreezeX (now called Anti-Executable).

    So, I'll just say that I'm beginning to see that they are two different products, and so it's not feasible to say one is better than the other.

    PG offers protection other than just a white list of executables.

    PG is much more user-friendly - you permit/deny on the fly. Can't do this with FreezeX. You have to turn it off via a password, then do your change.

    A similar comparison can be made between ShadowUser and Deep Freeze - both are lockdown programs, but SU allows changes while in ShadowMode ("commit") and DF does not while in Frozen State.

    The reasons have already been mentioned in another post, that the Faronics products were first designed for institutions - libraries, schools - where few changes are made to the systems. Both DF and FreezeX offer Command Line Control and Remote Console for network-wide administration for their Enterprise Editions.

    With both Faronics products in their institution settings, the user (student, library patron) cannot make any changes - only the administrator can do that, by going into the console via a password, and you can understand why. At home, of course, you are the administrator, but it's still a bit of a hassle if you make frequent changes to your system.

    Which is not my case, and so I chose DF over SU quite some time ago, and just today, FreezeX over PG, for reasons mentioned in an earlier post.

    Having said that, when asked, I have recommended SU over DF for home use just because it is more user-friendly, and having read about PG in the past few days, would not hesitate to recommend it over FreezeX in most situations. It is really quite an awesome product.

    Hope that answers some of your questions, Wake2.

    regards,

    -rich
     
  18. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Wake2 and Rmus,

    Thanks for the additional info and comparisons.

    Rich
     
  19. Wake2

    Wake2 Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    205
    Hi Rmus,

    Thanks for your response. The reason I mentioned PG and the program I did was because I have used them both for a long time, and feel that they complement each other nicely.

    As far as the two products you mention, I have seen them both discussed at Wilders but I really have no personal experience with either of them, but after reading your comments about them I think I shall have to check them out for myself. Thanks for the information and feedback.

    Wake
     