Taskguardian

Discussion in 'other anti-trojan software' started by JeffNK, Apr 9, 2005.

Thread Status:
Not open for further replies.
  1. JeffNK

    JeffNK Registered Member

    Joined:
    Apr 1, 2005
    Posts:
    4
    Last edited: Apr 9, 2005
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Jeff,

    I have been doing some tests with that software after they asked permission to use the CLSID list at CastleCops. I haven't had a chance to test its effectiveness against any real malware, but I will be doing that shortly (I should, because the 21 day trial period is almost over) and post the results.
    My thoughts so far are that it gives an already experienced user some more insight into what is going on on his computer. But a word of warning about their use of percentages to express the probability of something being malicious should be made IMO.

    Look at the screenshot and you will see that it is easy to draw the wrong conclusions.

    Regards,

    Pieter

  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    A few quick experiments.

    I registered a dll that was recently discovered (sample provided by CalamityJane).

    Of course I monitored the process. You can see below how TaskGuardian shows a new startup entry (in yellow)

    When I registered the dll I used HijackThis to see if it worked, because TaskGuardian didn't do anything.
    This was the new entry:
    O2 - BHO: Windows Proxy support DLL - {2DC9D850-144D-11E1-B3C9-10805E499D93} - M:\Manege\openwares\winprox\winprox.dll

    It was recently added to the CLSID-list as: http://castlecops.com/clsid-1781.html
    New items are added there very regularly, so it would be wise to inform users how often updates will be done, since I did not find any options in the program to check for updates.
    What puzzled me is that the new BHO was only noticed after a restart of TaskGuardian. (screenshot)

    It did effectively remove the BHO without problems.
    When checking if the BHO was still loaded in memory I found one more thing I would have liked to see differently.
    You would expect to get the list of loaded Dynamic Components sorted alphabetically when you click the Loaded Module tab, but that doesn't happen, so you have to scroll through the list. (screenshot)

    I'll be back :D

    Regards,

    Pieter
    Last edited: Apr 9, 2005
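A small checker of the kind this test exercises, added here as an example (not TaskGuardian's or HijackThis's own code): it parses HijackThis O2 lines and looks the CLSID up in a known-bad list, so a BHO is still recognised when it carries a random display name, as in the later post. The first O2 line and the CastleCops URL come from the post above; the known-bad dictionary, the other log lines and the regex are my constructed assumptions.

```python
import re
from typing import NamedTuple, Optional

# Known-bad CLSIDs keyed to a reference; the one entry is the BHO quoted in the
# post above (its CastleCops page). A real list would be far longer.
KNOWN_BAD_CLSIDS = {
    "2DC9D850-144D-11E1-B3C9-10805E499D93": "http://castlecops.com/clsid-1781.html",
}

# Constructed sample log: line 1 is the O2 entry from the post, line 2 reuses
# that CLSID under a made-up random name, line 3 has a made-up unlisted CLSID,
# line 4 is a non-O2 line that must be skipped.
SAMPLE_LOG = r"""
O2 - BHO: Windows Proxy support DLL - {2DC9D850-144D-11E1-B3C9-10805E499D93} - M:\Manege\openwares\winprox\winprox.dll
O2 - BHO: (no name) - {2DC9D850-144D-11E1-B3C9-10805E499D93} - C:\WINDOWS\system32\qzxkpt.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\unknown.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

GUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>" + GUID + r")\} - (?P<path>.+)$")

class Bho(NamedTuple):
    name: str
    clsid: str
    path: str

def parse_o2(line: str) -> Optional[Bho]:
    """Parse one HijackThis O2 (BHO) line; return None for any other line."""
    m = O2_RE.match(line.strip())
    return Bho(m["name"], m["clsid"].upper(), m["path"]) if m else None

def classify(bho: Bho, known_bad=KNOWN_BAD_CLSIDS) -> str:
    """Verdict keyed on the CLSID, not the display name, so a randomly
    named copy of a listed BHO is still recognised."""
    return "known-bad" if bho.clsid in known_bad else "unknown"

def scan(log_text: str, known_bad=KNOWN_BAD_CLSIDS):
    """Return (verdict, Bho) for every O2 line in a HijackThis log."""
    results = []
    for line in log_text.splitlines():
        bho = parse_o2(line)
        if bho is not None:
            results.append((classify(bho, known_bad), bho))
    return results

if __name__ == "__main__":
    for verdict, bho in scan(SAMPLE_LOG):
        print(f"{verdict:10} {{{bho.clsid}}} {bho.name!r} {bho.path}")
```

An "unknown" verdict only means the CLSID is not on the list, which is exactly why a percentage-style "probably malicious" score should be read with care.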
  4. JeffNK

    JeffNK Registered Member

    Joined:
    Apr 1, 2005
    Posts:
    4
    Thanks Pieter,

    I look forward to any other test results you have time to post.

    Jeff
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    My last day of the trial, so I had to rush it a bit.

    A randomly named BHO was recognized and diagnosed correctly.

  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Note for this screenshot that only the first (highlighted) process is malware.
    What I do like is that it gives the reasoning behind why a process might be "dangerous".
    You can see some of those in the right bottom corner.

  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    The Network Guardian does not show very much nor does it give much information. I think this part still needs a lot of work.

  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    As a comparison, a Port Explorer screenshot made with the computer in the same state.

  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I hope I was able to give you an accurate impression of what you can expect.

    Regards,

    Pieter
  10. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England