VERY HAPPY WITH PG 3 !

Discussion in 'ProcessGuard' started by worldcitizen, Nov 14, 2004.

Thread Status:
Not open for further replies.
  1. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Congratulations to everyone at DCS and the beta testers. Thanks Pilli for really working so hard to help get this so perfect and allowing me to annoy you with my questions and criticisms (which I enjoyed immensely).

    But when it all comes down to it I am VERY,VERY HAPPY to be able to have PG 3 on my pc all the time WITHOUT CRASHES, WITHOUT INSTABILITY, WITHOUT ANY ISSUES - just protecting me from EVERY NASTY OUT THERE.

    Now I can LAUGH at those who think they are being smart trying to close down my security software like last week. Someone tried to close down all my security software and stopped my AV and firewall from starting up but COULDN'T STOP Process Guard. There it was in my system tray all alone showing those idiots that they couldn't stop it from starting up and protecting my pc for them to stuff my pc. I then got their crap off my machine and got back my AV and firewall but Process Guard was something THEY NEVER COUNTED ON SO I LAUGH IN YOUR FACE GUYS. Try again if you dare but with this beauty you've got NO CHANCE!!

    Very happy with this and HIGHLY RECOMMEND IT TO ALL WHO HAVE NOT BOUGHT IT.

    Dave
     
  2. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Hope I am not off topic but with PG they still managed to shut down your AV and firewall? Were your AV and firewall not protected by PG? Or am I misreading your post?

    Thanks,

    Chris
     
  3. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    A huge part of the whole point to ProcessGuard is to prevent security software from being terminated. So... Why did yours get terminated anyway? And why would you be raving happy that it did?

    And... (trying to think of a nice way to say this...) I doubt the person who created that malware was an "idiot". He did kill your security software, and he would have done worse on 99.99% of the other desktops out there. And you're the one who let the malware on your system in the first place, so...
     
  4. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    The attack stopped the 'ICONS' FROM LOADING FOR MY AV AND FIREWALL but in task manager the PROCESSES were running and when I tried to shut them down I got a 'not accessible' error.

    What these idiots did was change a few registry keys to try and prevent my AV & firewall from starting up but all they succeeded in doing was to stop the ICON from showing in the system tray, however, the processes of Bit Defender were running and protected and could not be breached. An icon is a very small matter and does not represent a security threat if disabled. The program itself was protected and unbreached so if I'd been attacked by a virus in my email it still would have been intercepted and made no difference whatsoever that the icon had been disabled. The program is not the icon.

    I'm sending a copy of the program to DCS for analysis because it even tried to disable PG and was a very clever attempt at intrusion.

    Dave
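The tampering Dave describes above (registry changes that stop the AV and firewall from being started, recovered only because he had a registry backup) is exactly the case a startup-entry baseline is for. The following is an added example, not ProcessGuard or DiamondCS code, and it assumes the entries in question live in the standard Run/RunOnce keys (an assumption; the post does not say which keys were changed). It snapshots those keys, saves the snapshot as a baseline, reports what was removed, changed or added since, and can re-create a removed value without a full registry restore.

```powershell
# Added example, not ProcessGuard/DCS code: snapshot the Run/RunOnce autorun
# values, save the snapshot as a baseline, and later report which entries were
# removed, changed or added, with a helper to put a removed entry back.
# Assumption: the startup entries of interest are in these keys.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties the registry provider adds to every Get-ItemProperty result; not autorun values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunSnapshot {
    # Returns a hashtable of "<key>\<value name>" -> command line.
    $entries = @{}
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            $entries["$key\$($p.Name)"] = [string]$p.Value
        }
    }
    return $entries
}

function Save-AutorunBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-AutorunSnapshot | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Compare-AutorunBaseline {
    # Emits one row per difference between the saved baseline and the live registry.
    param([Parameter(Mandatory)][string]$Path)
    $baseline = @{}
    $saved = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($p in $saved.PSObject.Properties) { $baseline[$p.Name] = [string]$p.Value }
    $current = Get-AutorunSnapshot
    foreach ($k in $baseline.Keys) {
        if (-not $current.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Removed';  Entry = $k; Baseline = $baseline[$k]; Current = $null }
        } elseif ($current[$k] -ne $baseline[$k]) {
            [pscustomobject]@{ Change = 'Modified'; Entry = $k; Baseline = $baseline[$k]; Current = $current[$k] }
        }
    }
    foreach ($k in $current.Keys) {
        if (-not $baseline.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Added'; Entry = $k; Baseline = $null; Current = $current[$k] }
        }
    }
}

function Restore-AutorunEntry {
    # Re-create one entry from a 'Removed' row (writing under HKLM needs an elevated shell).
    param([Parameter(Mandatory)][string]$Entry, [Parameter(Mandatory)][string]$Value)
    $i = $Entry.LastIndexOf('\')
    $key = $Entry.Substring(0, $i)
    $name = $Entry.Substring($i + 1)
    if (-not (Test-Path -Path $key)) { [void](New-Item -Path $key -Force) }
    Set-ItemProperty -Path $key -Name $name -Value $Value -Type String
}

# While the machine is known clean:
#   Save-AutorunBaseline -Path "$env:USERPROFILE\autorun-baseline.json"
# After something suspicious has run:
#   Compare-AutorunBaseline -Path "$env:USERPROFILE\autorun-baseline.json" | Format-Table -AutoSize
#   Compare-AutorunBaseline -Path "$env:USERPROFILE\autorun-baseline.json" |
#       Where-Object Change -eq 'Removed' |
#       ForEach-Object { Restore-AutorunEntry -Entry $_.Entry -Value $_.Baseline }
```

Take the baseline while the machine is clean and keep it somewhere the malware cannot reach (a read-only share or removable media); a baseline stored on the same disk can be altered by the same code that edits the Run keys. A "Modified" row matters as much as a "Removed" one, because pointing an existing entry at a different binary is the quieter way to achieve the same outcome.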
     
  5. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    I misunderstood the above statement. Glad PG stopped the attempted intrusion.

    Thanks,

    Chris-
     
  6. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Good stuff Dave :)....lucky to have had ProcessGuard mate.

    Regards,
    Jade.
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yeh Dave, Good to send the malware to DCS, I am sure that they will enjoy taking it apart. :cool:

    Cheers. Pilli
     
  8. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Pilli. I'd like to send you a screenshot but I can't upload it here because it's over the limit. It did attack PG and tried to disable most of its functions and did some damage but my security applications were still working.


    Is there somewhere I can post the screenshot to so you can have a good look at what it did?

    Dave
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Dave, Bowserman might be able to help you as he sometimes posts large graphics files on a site somewhere.
    I'm sure he'll let you know.

    Pilli
     
  10. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia

    Here ya go Dave, nice free picture hosting site ;) : http://imageshack.us/index3.php

    Regards,
    Jade.
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Dave, if you save it as a ".GIF" you should be able to post it. You can also resize the screen shot through Microsoft Paint, found in Start > All Programs > Accessories > Paint

    Hope this helps...

    Cheers :D
     
  15. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    PG start-up disabled? o_O

    http://img4.exs.cx/img4/7222/PGerroronstartup.th.jpg


    However my AV was still protected as I tried to close it via task manager but it wouldn't grant access. So with 3/4 of my start up icons missing including my AV and firewall and PG clearly INJURED in a malicious attack or bug or incompatibility or something unknown STILL PG SOMEHOW kept my AV alive and protected. Is this bravery or what? Maybe we should send PG to Iraq to protect the troops o_O

    Dave
     
  16. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Is my desktop wallpaper inviting or uninviting? o_O She's nice but is she really?

    Dave
     
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Nope Dave, She is not physically real, only virtually real, really :D
     
  18. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Any comments about the screenshots. Just click on them to enlarge the picture. Maybe the bow and arrow in the background scared everyone away??

    Pilli - you're UNREAL :cool: :cool:

    Dave
     
  19. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    It's already getting late into the evening here in Perth so the rest of my analysis of the malware sample provided by worldcitizen will have to wait for tomorrow. I'll spare you all the gory disassemblies, but preliminary analysis shows a few string references which may interest some of you:
    Code:
    0041A7CD   MOV EDX,ss3_0.0041AC58   ASCII " ==== DoPerform-5 ===="
    0041A7E7   MOV EDX,ss3_0.0041AC78   ASCII "Using WM_CLOSE"
    0041A808   MOV EDX,ss3_0.0041AC90   ASCII "Using WM_QUIT"
    0041A829   MOV EDX,ss3_0.0041ACA8   ASCII "Using Terminate Process"
    0041A850   MOV EDX,ss3_0.0041ACC8   ASCII "Don't Shut Down"
    The three referenced termination methods - WM_CLOSE, WM_QUIT, and TerminateProcess!kernel32.dll -> ZwTerminateProcess!ntdll.dll are all elementary, documented termination techniques that ProcessGuard easily blocks (the first two with Secure Message Handling), and you can test that for yourself with our freeware Advanced Process Termination utility. Don't be surprised though - ProcessGuard also easily handles all known undocumented termination methods (WinStationTerminateProcess is a good example of a futuristic termination method available here today yet still undocumented, and thus hasn't yet been used by malware but ProcessGuard already protects against - another potential attack vector secured).
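Wayne's post names three documented termination methods (WM_CLOSE, WM_QUIT, and TerminateProcess down to ZwTerminateProcess) and points at DiamondCS's Advanced Process Termination utility for testing them. The following is an added example, not DiamondCS code and not their utility: a PowerShell probe that tries each of those three methods against a process and reports whether the call was accepted and whether the process actually died. It assumes a Windows host with PowerShell 5 or later and a GUI target you own (notepad.exe is used in the usage line; on Windows 11 the inbox Notepad is a packaged app whose launcher can exit at once, so substitute any classic Win32 GUI program there).

```powershell
# Added example, not DiamondCS code: probe a process with the three documented
# termination methods named in the strings above (WM_CLOSE, WM_QUIT,
# TerminateProcess) and report which of them actually killed it.
Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern bool PostMessage(IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool PostThreadMessage(uint idThread, uint Msg, IntPtr wParam, IntPtr lParam);
[DllImport("user32.dll", SetLastError = true)]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool TerminateProcess(IntPtr hProcess, uint uExitCode);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$WM_CLOSE          = 0x0010
$WM_QUIT           = 0x0012
$PROCESS_TERMINATE = 0x0001

function Wait-ProcessGone {
    # Poll for up to $TimeoutMs; $true if the PID disappeared, $false if it survived.
    param([int]$Id, [int]$TimeoutMs = 2000)
    $deadline = (Get-Date).AddMilliseconds($TimeoutMs)
    while ((Get-Date) -lt $deadline) {
        if (-not (Get-Process -Id $Id -ErrorAction SilentlyContinue)) { return $true }
        Start-Sleep -Milliseconds 100
    }
    return $false
}

function Invoke-TerminationProbe {
    param(
        [Parameter(Mandatory)][int]$Id,
        [Parameter(Mandatory)][ValidateSet('WmClose', 'WmQuit', 'TerminateProcess')][string]$Method
    )
    $proc = Get-Process -Id $Id -ErrorAction Stop
    $hwnd = $proc.MainWindowHandle   # IntPtr::Zero for a process with no visible top-level window
    $callOk = $false
    $err = 0
    switch ($Method) {
        'WmClose' {
            # The same request the close button sends; a cooperative target exits itself.
            if ($hwnd -ne [IntPtr]::Zero) {
                $callOk = [Probe.Native]::PostMessage($hwnd, $WM_CLOSE, [IntPtr]::Zero, [IntPtr]::Zero)
                $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            }
        }
        'WmQuit' {
            # WM_QUIT is a thread message: post it to the thread that owns the main window.
            if ($hwnd -ne [IntPtr]::Zero) {
                $owner = [uint32]0
                $tid = [Probe.Native]::GetWindowThreadProcessId($hwnd, [ref]$owner)
                $callOk = [Probe.Native]::PostThreadMessage($tid, $WM_QUIT, [IntPtr]::Zero, [IntPtr]::Zero)
                $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            }
        }
        'TerminateProcess' {
            # kernel32!TerminateProcess -> ntdll!NtTerminateProcess needs no cooperation, so a
            # protection driver has to refuse the PROCESS_TERMINATE handle or fail the call.
            $h = [Probe.Native]::OpenProcess($PROCESS_TERMINATE, $false, [uint32]$Id)
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            if ($h -ne [IntPtr]::Zero) {
                $callOk = [Probe.Native]::TerminateProcess($h, 1)
                $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
                [void][Probe.Native]::CloseHandle($h)
            }
        }
    }
    $reportedErr = if ($callOk) { 0 } else { $err }
    [pscustomobject]@{
        Method     = $Method
        CallOk     = $callOk
        Win32Error = $reportedErr          # 5 = ERROR_ACCESS_DENIED; 0 with CallOk=False means no window to target
        Terminated = Wait-ProcessGone -Id $Id
    }
}

function Test-TerminationResistance {
    # Launch a fresh copy of $Exe for each method so the three results are independent.
    param([Parameter(Mandatory)][string]$Exe)
    foreach ($m in 'WmClose', 'WmQuit', 'TerminateProcess') {
        $p = Start-Process -FilePath $Exe -PassThru
        try { [void]$p.WaitForInputIdle(5000) } catch { Start-Sleep -Seconds 1 }   # console apps throw here
        Invoke-TerminationProbe -Id $p.Id -Method $m
    }
}

# Test-TerminationResistance -Exe notepad.exe | Format-Table
```

Run it first against an unprotected GUI program to confirm the baseline: all three rows should show Terminated = True. Then point it at a process the protection product covers. A product that blocks these methods the way the post describes should leave Terminated = False on every row, with the two message-based rows either failing the call or being accepted and ignored (which is what dropping the messages looks like from the sender's side) and the TerminateProcess row failing at OpenProcess with Win32Error 5. Two caveats a tester should keep in mind: the message-based methods only apply to a process that owns a top-level window, so a service or tray-less process gets a CallOk = False / Win32Error 0 row that says nothing about its protection; and since Vista, User Interface Privilege Isolation already refuses messages sent to a higher-integrity window, so run the probe at the same integrity level as the target or the first two rows measure UIPI, not the product.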
     
  20. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Thanks very much Wayne for that.

    Two questions - if I didn't have a registry backup how would I have restored my icons to the system tray?

    And if I didn't have Process Guard installed I gather I might have been in a spot of bother?

    I'm so glad I had PG running as I only began using it since the new flawless version 3 came out.

    New or interested users can learn a lot from this and maybe why they need Process Guard!

    Dave
     
  21. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Also Wayne, what does that error message in the above screenshot about pgaccount not running mean? Has PG been tampered with or partially disabled and how would its (pgaccount) functionality be restored?

    It's great to have been able to document a real attack online to show the indispensability of Process Guard!!

    Dave
     
    Last edited: Nov 15, 2004
  22. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Dave, At a guess I would say that the Icon problem is probably associated to Secure Message Handling NOT being enabled on certain programs. The registry changes, I assume, were made after the malware was allowed to run?
    I am sure Wayne will clarify this when his analysis is complete.

    If I'm reading your screenshots correctly, the malware certainly looks like it created a lot of new start ups for you to get rid of. :(

    Pilli
     
  23. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    How did this malware get on your system in the first place?
     
  24. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Hi Pilli. You didn't read it right. I had all those items in start up and after using the software they almost all disappeared!! Only my cunning in having a registry backup saved me a lot of work getting all my programs back up again where I could see them although they weren't terminated.

    How did I get it on my machine. It was a free download I got somewhere - supposed to be a P2P client. There's really no way of knowing for sure if something is malware because a lot of software nowadays has malware built into it so the only thing one can safely do is have some good protection like PG because we can't just stop downloading software for fear of malware.

    There should be a thread or sticky showing malware attempts at infiltrating system and how PG stops these attacks. Would give new and prospective users much insight into why we rave so much about PG.

    I dread to think what might have happened had PG not been running or worse still that I didn't even buy it.

    Dave
     
    Last edited: Nov 15, 2004
  25. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Pilli - which programs should I apply Secure Message Handling to and what will be the effect?

    Dave
     