"The Beast" trojan: no match for Process Guard

Discussion in 'ProcessGuard' started by Wayne - DiamondCS, Dec 2, 2003.

Thread Status:
Not open for further replies.
  1. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    We've received quite a few emails overnight in regard to 'The Beast' trojan (a trojan which injects itself in the form of a DLL into other processes such as explorer.exe, allowing it to remain resident inside another process). While a lot of the queries were about disinfection, it seems that not many people are aware that prevention against DLL-injecting trojans is at last easily achievable due to our recent release of Process Guard :). Users running the full (multi-process) version (even with just the default configuration) are protected from The Beast trojan -- you can try to run The Beast but it just does nothing due to being unable to inject its DLL (as Process Guard prevents it from obtaining the Write access which it requires).

    So when it comes to DLL-injecting trojans, you don't have to wait until the thing has infected you - you can prevent the infection from ever happening in the first place simply by installing the full version of Process Guard :)

    (The only reason the free version of Process Guard can't fully protect against The Beast is because The Beast tries to inject into several processes).
     
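The post above says The Beast fails because it cannot obtain Write access to the processes it targets. The script below is an added example (not DiamondCS code and not part of the original post): it probes, from the current user's context, whether a target such as explorer.exe can be opened with the rights a classic LoadLibrary-style DLL injector needs (PROCESS_VM_WRITE, PROCESS_VM_OPERATION and PROCESS_CREATE_THREAD). It assumes a Windows host with PowerShell 5.1 or later and an explorer.exe process to probe; the function name Test-InjectAccess and the Probe.Native type are names chosen for this example.

```powershell
# Added example (not DiamondCS code): probe whether the current user can obtain the
# process access rights a LoadLibrary-style DLL injector needs on a target process.
# Assumes Windows, PowerShell 5.1+, and that the target process (explorer.exe) is running.
Add-Type -Namespace Probe -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
"@

# Process access rights from WinNT.h. An injector that allocates memory in the target,
# writes a DLL path into it and starts a remote thread on LoadLibrary needs all of
# VM_OPERATION, VM_WRITE and CREATE_THREAD; VM_READ is listed for comparison.
$PROCESS_CREATE_THREAD = 0x0002
$PROCESS_VM_OPERATION  = 0x0008
$PROCESS_VM_READ       = 0x0010
$PROCESS_VM_WRITE      = 0x0020

function Test-InjectAccess {
    param([Parameter(Mandatory)][string]$ProcessName)

    $rights = [ordered]@{
        'VM_READ'                  = $PROCESS_VM_READ
        'VM_WRITE'                 = $PROCESS_VM_WRITE
        'VM_OPERATION'             = $PROCESS_VM_OPERATION
        'CREATE_THREAD'            = $PROCESS_CREATE_THREAD
        'INJECT (write+op+thread)' = ($PROCESS_VM_WRITE -bor $PROCESS_VM_OPERATION -bor $PROCESS_CREATE_THREAD)
    }

    foreach ($p in Get-Process -Name $ProcessName -ErrorAction Stop) {
        foreach ($name in $rights.Keys) {
            $h   = [Probe.Native]::OpenProcess([uint32]$rights[$name], $false, $p.Id)
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            if ($h -ne [IntPtr]::Zero) {
                [void][Probe.Native]::CloseHandle($h)
                $result = 'GRANTED'
            } else {
                # Win32 error 5 is ERROR_ACCESS_DENIED: the right was refused by the
                # kernel's access check or by a protection layer sitting in front of it.
                $result = "DENIED (Win32 error $err)"
            }
            [pscustomobject]@{
                Process = "$($p.Name) [PID $($p.Id)]"
                Right   = $name
                Result  = $result
            }
        }
    }
}

Test-InjectAccess -ProcessName 'explorer' | Format-Table -AutoSize
```

On an unprotected machine every row for your own explorer.exe normally reads GRANTED, because a process running as the same user is allowed to open its peers with these rights; that is exactly the condition a DLL-injecting trojan relies on. A DENIED result on the VM_WRITE or combined INJECT row is the sign that something (a process-protection tool, a different integrity level, or a different user account) is standing in the way. Note that a protection product may also block or log the probe itself, which is a reasonable thing for it to do.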
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi wayne :)

    I am fairly new to computers and would like to try PG.

    Problem is I don't think I would even know how to use it properly.
    You said even the default settings will stop The Beast.

    Are the default settings sufficient to stop most Trojans?

    Snowbound
     
  3. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Hi snowbound,
    Process Guard is a very powerful program "under the hood", but it's actually quite easy to use. The first time you start the full version of Process Guard it'll ask you if you'd like it to automatically add a list of processes to protect - simply press Yes. Your configuration at this stage will then be mostly complete (and The Beast trojan's DLL injection has been rendered useless). All you need to do then is add any other security processes you have (such as your firewall, antivirus, antitrojan, etc). That's all!

    It's fairly easy to use and configure, and the helpfile should answer most, if not all, of your questions, but if it doesn't, don't hesitate to ask here :)

    Best regards,
    Wayne
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Thank you, Wayne :D

    I appreciate you taking the time to address my question.

    I will most certainly try PG.

    Another great product by DCS :)

    Congratulations

    Snowbound
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Hi Wayne

    Besides the defaults and security programs, is there a reason to protect any other types of programs, and what types would they be?
     
  6. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    You should protect basically every program that starts up by default on your PC. This way, if a trojan enumerates all the processes on your system, all the main ones will be blocked (typically the programs which stay active the whole time).

    Another way is to protect every program you run; this is the safer approach, but it takes a little bit of time to set up. It is very simple, though: it only takes 2 clicks to add a program to be protected. Once it is added there is no more work required. :)

    -Jason-
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Another thing I recommend is adding processes that are in your firewall ruleset. This can help a lot when you think about it ;)

    Most won't need terminate protection, but adding it (default protection) is not a bad thing at all.
     
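Jason's advice (protect everything that starts up by default) and Gavin's (add every process named in your firewall ruleset) both amount to building a list of executables to hand to the protection tool. The script below is an added example, not DiamondCS code and not part of either post: it gathers autostart executables from the Run/RunOnce keys, the Startup folders and auto-start services, merges in the program paths referenced by enabled Windows Firewall rules, and prints a de-duplicated candidate list. It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets and an elevated prompt to read HKLM and all services; the function names (Get-AutostartExecutables, Get-FirewallRuleExecutables, ConvertTo-ExePath) are names chosen for this example.

```powershell
# Added example (not DiamondCS code): build the candidate list of executables to add
# to a process-protection tool, following the thread's two rules of thumb: everything
# that autostarts, plus everything the firewall ruleset names.
# Assumes Windows 8+/Server 2012+ (NetSecurity module) and an elevated PowerShell 5.1+ prompt.

function Get-AutostartExecutables {
    $paths = [System.Collections.Generic.List[string]]::new()
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    # Run / RunOnce keys for the machine and the current user (32-bit view included).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -notin $providerProps) { $paths.Add([string]$prop.Value) }
        }
    }

    # Startup folders: per-user and all-users.
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if (Test-Path $folder) {
            Get-ChildItem -Path $folder -File | ForEach-Object { $paths.Add($_.FullName) }
        }
    }

    # Auto-start services: binaries that run from boot regardless of who logs on.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } |
        ForEach-Object { $paths.Add($_.PathName) }

    return $paths
}

function Get-FirewallRuleExecutables {
    # Program paths referenced by enabled firewall rules (Gavin's suggestion above).
    Get-NetFirewallRule -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -and $_.Program -ne 'Any' -and $_.Program -ne 'System' } |
        ForEach-Object { $_.Program }
}

function ConvertTo-ExePath {
    # Reduce a command line (quoted or not, with arguments) to the bare executable path.
    param([Parameter(ValueFromPipeline)][string]$Command)
    process {
        if ([string]::IsNullOrWhiteSpace($Command)) { return }
        $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
        if ($c.StartsWith('"')) {
            $end = $c.IndexOf('"', 1)
            if ($end -gt 1) { return $c.Substring(1, $end - 1) }
        }
        # Unquoted: cut at the first ".exe" token boundary, else at the first space.
        $m = [regex]::Match($c, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
        if ($m.Success) { return $m.Groups[1].Value }
        return ($c -split '\s+')[0]
    }
}

$candidates = @(Get-AutostartExecutables) + @(Get-FirewallRuleExecutables) |
    ConvertTo-ExePath |
    ForEach-Object { $_.ToLowerInvariant() } |
    Sort-Object -Unique

# Entries whose path resolves are ready to add; the rest need a manual look
# (relative paths, stale Run entries, or firewall rules for uninstalled software).
$candidates | Where-Object { Test-Path $_ }       | ForEach-Object { "PROTECT  $_" }
$candidates | Where-Object { -not (Test-Path $_) } | ForEach-Object { "CHECK    $_   (path not found)" }
```

The "CHECK" lines are worth reading before adding anything: a Run-key or firewall entry pointing at a binary that no longer exists is itself a hygiene finding, and a relative path means the autostart entry depends on the search path at logon. Per-process add/remove in the protection tool is still done by hand; this only produces the list to work from.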