Thinking of Trying PG

Discussion in 'ProcessGuard' started by Trooper, May 23, 2005.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Blue,

    Yes, I agree. I think a more full featured users manual is needed. Example of the table of contents:

    1) Installation procedures
    2) Putting ProcessGuard into Learning Mode for the first time
    3) Running programs under ProcessGuard for the first time in Learning Mode
    4) Determining what programs should be protected
    5) Putting ProcessGuard into Protected Mode and using the Global Options
    6) When you should put ProcessGuard back into Learning Mode
    7) When you should turn off ProcessGuard
    8) When you should use Secure Message Handling and how it will affect processing.
    9) Bubble messages, what they mean, and how to handle them.
    10) Common questions concerning Windows system programs (rundll.exe, svchost.exe, etc.)


    I think each chapter should be replete with common occurrences. For example, update modules for various common AVs and ATs, and how to handle them. Common examples of programs requesting global hooks while in Protected mode and how to handle them. I do not think such a manual would be that difficult to put together, but it does take time. Basically it should lead a user from start to finish using a common sample environment with lots of snapshots. Of course, the manual needs to be tested with new users (of all skill levels) to see if a relatively new user can understand and get up to speed without asking questions, and, of course, the manual should be kept up to date with the latest feedback from this forum (e.g. any known conflicts). I think that DiamondCS would greatly benefit by having such a manual.

    Rich
     
  2. controler

    controler Guest

    It is kinda funny not one person responded to JRKATES questions about Anti-Keylogger. I wonder why?
    Maybe it is because none of you have used it?
    Well then I guess since I was the first to bring any kind of discussion to this board on Anti-Keylogger, I can answer some of your questions.
    I own PG & Anti-Keylogger.
    Anti-Keylogger IS a program that runs simply, just like BoClean.
    Designed for the person that doesn't want to spend a lot of their time on a learning curve. This doesn't mean it is any less efficient. Here is another fact. Anti-Keylogger was one of the first programs mentioned at this board that worked at the Kernel level. I have watched it change with new versions, and the changes are sometimes huge. The latest fad is to take away as much of the thought required to use the program as possible. Not a great idea, until they added the exclusion list. Since then others have followed.
    Anti-Keylogger does give some false positives too. But it is pretty easy to see that a program like BoClean should have RIGHTS. I mean how simple is a RED X, program has been stopped, or Green to go, program is allowed. One click changes back & forth. Then all you do is add the trusted program to the exclusion list & it is not tagged again.
    I doubt it provides ALL the protection of PG but as the longest user here, I never paid that much attention since it just sits there quiet like BoClean until a keylogger hits.
    I use and love both PG & Anti-Keylogger.

    I would say one of the best total noobie setups would be
    Anti-Keylogger
    BoClean
    A firewall that doesn't ask a lot of questions such as L&S
    & Shadowsurfer

    ALL installed on a fresh System

    controler
     
  3. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Not all that strange. This is a PG forum. Most of us probably haven't used AK, I certainly haven't.
     
  4. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    controler,

    Thanks for your feedback. I am curious, though, aren't Process Guard and Anti-Keylogger essentially the same type of program/application? Don't they do basically the same thing, or are they different in nature? I realize that you have both, so I am assuming that perhaps they differ as far as the type of service or protection that they offer....am I correct?
     
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi JRCATES,

    I tried out Anti-Keylogger. It seemed to be working well. A couple of things I noticed:

    1) Its primary function is to stop keyloggers, and therefore, with a more limited scope than ProcessGuard, it is able to maintain a greater level of "silence" during its operation. This is helped by the fact that it maintains a database of trusted applications so it does not alert on these applications.

    2) It looks like Anti-Keylogger is able to get itself started very early during Windows start-up. I am not sure if this is a trick they are using or an illusion.

    I do not think that Anti-Keylogger will provide as much security as ProcessGuard in regards to keyloggers, but it appears that it is providing much less overall protection. The advantage for those who are only looking for keylogger protection is that Anti-Keylogger is much quieter.

    There are different approaches that one can take, and controler's approach utilizing Shadowsurfer is certainly one to consider. I have not used products such as Shadowsurfer, so I cannot comment on the pros and cons of this type of approach.


    Rich
     
    Last edited: May 24, 2005
  6. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Just a thought. Things that operate at kernel level are able to block anything except other things that operate at kernel level. Some keyloggers will no doubt operate at kernel level.

    That's where PG wins hands down. It prevents driver/service/rootkit installation, so nothing can get to operate at kernel mode...unless you disable PG to install something of course.
     
  7. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Thanks Rich, that is very helpful and useful info that you passed along....I appreciate that.

    And Vikorr, for probably 90-95% of the people who frequent these forums, I'm sure what you just said makes a whole lotta sense. But since I am a newbie at all this, terms like "kernel level" are out of my realm of comprehension. Thanks anyway, though.....
     
  8. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Not sure exactly how to explain it, you'll have to get someone with more technical knowledge than me...but from what I understand - your operating system has numerous levels to it. The highest level is the user level, then there's the admin level, then there's the system level (I think that's right)...and somewhere down the list is the kernel level.

    The higher the level, the more access privileges you and your programs have. The lower the level, the less access you and your programs have.

    The lowest level that non operating system programs can install at, is the kernel level. If a program is installed at kernel level, it can prevent other programs from reading it (if it's programmed right), and it can deny access to other programs, including other kernel level programs <once again depending on programming>

    So if Malware gets to kernel level (and some do), they can sometimes be impossible to remove (or even detect).

    Regdefend, Process Guard and a few other security programs operate at Kernel level. The very best thing about PG is it can prevent other programs (eg Malware) from installing at kernel level, because, as PG is already at kernel level (and the program/malware trying to install is not), PG gets 'first strike' <because it's already at kernel level>

    After something gets to kernel level, then it's a whole different story as to whether or not you can defend against it.

    Hmmm...anyone correct me if I'm wrong. There's not a whole lot of info out there that I can find on it, just bits and pieces that I've read all over the place.
     
  9. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Thanks Vikorr, for someone who was unsure about the best way to explain it, it seems to me that you just did an outstanding job (LOL)! Nice work, I greatly appreciate that.

    OK, it sounds like PG is an excellent product, from everything that I am reading. My main concern would be getting a "warning" regarding something that I am unfamiliar with, and not knowing whether to "allow" or "disallow" certain apps. Say, for example, it recognizes an update for a program that I need taking place, but that I am unsure about. Are there ways to investigate further and find the program it is referring to, before making a decision? Sorry for sounding like an idiot here, but computers are a little like cars to me: I can drive one, but don't ask me to perform an overhaul or rebuild a transmission!
     
  10. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    In the Protection tab, at the middle right of the GUI, is a '?' that has a small database on exe files with a short explanation of what they do and who they belong to.

    If you can't find the name of the program requesting permission in that database, it has a connection to google, which will give you info on 99% of the other processes out there.

    Don't worry too much about it, knowing what to permit and deny was also my main concern when I was thinking of buying PG...one of the side benefits was that I learned a lot more about my computer, just by buying PG and learning to use it (did a bit of googling). It's not hard to use - it just takes a bit of time the first time round. If you ever have to install PG again (say you reformat), then it's a lot easier the 2nd time round.
     
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi JRCATES,

    Usually what happens with ProcessGuard, after you put it into learning mode, is this:

    1) You get an alert while installing a new program or updates. It is usually pretty obvious and you either give permission, or you temporarily turn off ProcessGuard (as when you are doing a Windows Update).

    2) You get an alert completely out of the blue. This usually happens when:

    1) There is a scheduled update that you are not familiar with (e.g. Real Player, one of your security programs). You can minimize this by running most of the update programs while in initial learning mode. If however something pops up, you can usually figure out which program is doing it by the alert or by a google search.

    2) A nasty is trying to execute. Just deny permission. If by chance you accidentally deny permission when you should have, you just go to the Protection tab, look for the program and either remove it from the list, or give it permission. No harm.

    The only thing that I have noted is that it is a really good idea to shut off PG when doing Windows Updates. Otherwise you may have to redo it.

    So, after a while it is quite interesting and fun to see all the little things that vendors are trying to do on your system. Gives you a real bird's-eye view of why all of the "holes" in the operating system exist (i.e. to give vendors such as MS easy access to your system) and how malware developers take advantage of these "holes" to pull off their nasty tricks. The best way to handle this state of affairs is to close down these holes, as Vikorr has aptly described.

    Cya around,
    Rich
     
  12. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    OK from what I understand with the free trial version, you can only "protect" one application correct?

    Which one should I protect?

    Thanks guys,

    Jag
     
  13. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Jag,

    Of the programs, I think that NOD32 already has termination protection so I would protect BOClean, your real-time AT.

    Rich
     
  14. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Rich,

    As always, thanks very much for your response. :)

    Jag
     
  15. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Hi All,

    Just thought I would let you all know, I just installed the free trial version of PG. :rolleyes:

    I am curious though what you all set your Windows or Office related permissions to?

    For example,

    alg.exe (For XP Firewall)
    ati2evxx.exe (ATI display driver I know)
    cmd.exe
    csrss.exe
    ctfmon.exe (Office related)
    explorer.exe
    imapi.exe
    mmc.exe
    rundll32.exe
    rstrui.exe (System Restore)
    services.exe
    smss.exe
    taskmgr.exe
    userinit.exe

    Please keep in mind that this is the FREE version, so I don't have all the extra goodies just yet. ;)

    And, what would some recommended settings be for both the protection and security tabs for each? I read Andreas's pages (have them printed out actually) and also the whole help file too. :)

    I'm just looking for some pointers to get me started. I have a lot of things listed in my protection and security tabs, so it's gonna be a while till I get the hang of things I think. Esp. if/when I go to the full version. I wonder if the default settings in the protection tab are too restrictive or not restrictive enough after learning mode is done (which by the way it is).

    Any help and or guidance would be much appreciated.

    Kind Regards,

    Jag
     
  16. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Jag,

    I give rundll.exe Permit Once permission, since I do not want programs launching other programs without me knowing about it. I know many users give rundll.exe Permit Always. So it is a matter of taste. You can try both ways and see what makes you feel most comfortable.

    Rich
     
  17. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Hi Rich,

    I did just that too. I have rundll.exe set to Permit Once, it was one of the first things I did, just was curious what the others here do.

    Any clue on some of the other services? If not you, then someone else please chime in?

    BTW - Semi off topic but, did any of you get rid of ctfmon.exe? Or do you just allow PG to block it? To me, it's a waste of memory. ;)

    Regards,

    Jag
     
  18. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    Jaguar

    The only one from your list that I leave out of the security tab is cmd.exe. I don't use a resident AV and I've noticed from my PG alerts that sometimes cmd.exe is blocked when I've been on the web. I don't know why it should be attempting to run so I leave it as blocked. If I want to run it myself, I turn off the block new and changed applications.

    I don't have ctfmon running.

    I don't have rstrui.exe in my list. I do have system restore switched on though.
     
  19. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    SpikeyB,

    Thanks for the tips. :D

    I wonder, what do you guys set explorer.exe to for both Security and Protection tabs?

    Thanks,

    Jag
     
  20. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    This is primarily a question, although it probably wouldn't be a bad suggestion either.

    I'm curious if there is any kind of "tutorial" that one could view and/or examine, if they are interested in purchasing Process Guard. I have seen that there is a "trial period" (I believe?) according to sites like Major Geeks and others, etc., but I would be interested in seeing more snapshots, and reading more detailed information before installing the product as to know what to expect (much like Webroot's Spy Sweeper has through SnapFiles). Is this possible?
     
  21. tlu

    tlu Guest

    Yes, have a look here: http://www.commontology.de/andreas/win_secure_pg3.html
     
  22. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Thank you, Thomas, I appreciate that link....very helpful.
     
  23. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    JRCATES,

    That is the same link I gave you earlier in this thread.

    So just dl PG and install it. What are you waiting for? :p

    Jag
     
  24. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    Processguard is not that hard to use and it really helps secure your computer. Just get it :D ;)
     
  25. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Oops....so it is. It was the second "this" - my bad. Oh well, I thanked you for that link, Jag, but still needed to thank tlu for responding and trying to be of some assistance.

    The reason for the hold up? Well, the only thought worse than having a hacker install a back door trojan, virus, keylogger, etc., is the thought of me destroying my own PC due to a lack of knowledge! In other words, being notified that 00LL32D4004.exe (otherwise known as either "IAMATROJAN.exe" or "IAMYOURANTIVIRUSUPDATE.exe") and making the WRONG decision!

    Is it really that easy to use? How "frequently" do you guys receive an alert to something with just basic internet surfing, without downloading anything, once the start-up applications and other programs' definitions are set? I just wish there was a library type definition reference/base with helpful suggestions (like you SHOULD or SHOULD NOT allow something, etc.) that came with it. My basic working knowledge of computers is less than impressive (although I am trying to learn).
     
    Last edited: May 28, 2005