What I see lacking in PG

Discussion in 'ProcessGuard' started by aigle, Apr 2, 2006.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I am using PG free and I tried the latest version ProcessGuard v3.3b3 for a while. Did not use it for long time but just want to mention few things,

    1- A bug in settings is not fixed. See my thread please,

    https://www.wilderssecurity.com/showthread.php?t=123332

    especially post no. 21, 22 and 23. I am rather disappointed.

    2- Grossly there is no much increase in application execution control. I compared current version( not beta but I think in this regard both are same) with Antihook and I will say AH has more detailed rules. Just for an example, if i install a software on my PC( suppose its name AA), now this software AA tries to launch my browser to access internet, PG will ask for permission, if I permit and make it a rule, the rule will be generalized so that next time software AA can launch not only my browser but also any other application like outlook express etc without any warning from PG. On the otherhand, if I have AH, it will ask me for permission and if I permit and ask to make a rule, the rule will not be generalized. It will be rather specific, I mean next time this new software AA will be able to launch browser without any warning by AH but if it tries to launch some other application, AH will again ask a permission to do so with a new rule formation, and the process will be repeated again if AA tries to launch some other application and so on.

    I know this is only one aspect of the security offered by PG but I will really like it be more advanced in rules creation like AH.

    Please correct me if I am wrong anywhere. I am PG user and just intend to see improvement in it.
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I think you are confusing PG with something else. PG will permit 'AA' to execute, if you create a rule permitting it to run, but PG will not prevent 'AA' from spawning another process, such as your browser (so long as that process has permission to run). PG will however prevent 'AA' from launching a process that does not have permission to run.

    ZAP's 'Operating System' FW will prevent a process with lower priviledges spawning another process with greater priviledges, and presumably that is something SSM will also do, but PG was never designed for that purpose.

    To give one example, if you hit a maliceous site with an exploit that attempts to get I.E. to spawn Rundll32, PG will prevent Rundll32 from executing (if you have configured it to 'Permit Once') while ZAP will prevent I.E. from running Rundll32 because I.E. has lower priviledges than Rundll32. They are both preventing Rundll32 from being launched, but for entirely different reasons.
     
    Last edited: Apr 2, 2006
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    PG should actually operate in reverse from your example, if you allow your browser to run (and tell PG to remember that decision), then any other program will be allowed to run it. The rules could be more finely grained to allow users to specify "allow B to call A but block C from calling A" but I suspect the security requirement for this is less than for other issues.

    System Safety Monitor does allow you to create such rules though so you may wish to trial that - it can be run alongside PG though you will have some duplication of functionality and it is not free (though a trial download is available).
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    You mean if AA wil try to launch some new process that is not in the protection list, it will be stopped?
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I think it will be too much overlap.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Not sure you are giving PG a fair evaluation. The free version isn't intended to be all encompasing. You would need the paid version. Asking for features that are in the paid version for the free version will probably fall on deaf ears.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    So you mean all this is available in paid version?
     
  8. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The Execution Protection feature should be identical on Free and Full versions. The full version offers Global Protection Options to limit program actions by default (which should be able to block any rootkit or keylogger amongst other things).
     
  9. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    No! If 'AA' tries to launch something that is not permitted 'always' in the 'Security' list, it will be stopped. The 'Protection' list is to prevent unauthorised interference to apps, it is not concerned with their 'execution'.
     
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Totally right, I trust Antihook much more, despite it also has some weakness.
    But in comparison with gss and pg it has actually the most stable state to date.
    I could remember some times where antihook was in a cruel state with many blue screens, but actually its pretty cool, but can also crash.

    All three tools can be BOd, like every exe in windows, no matter how many hooks they install, I tested so many tools and what I can say, no matter if tiny, za, pg, gss, ah, all of them have some malfunctions at some point. The more dangerous are the silent malfunctions, Antihook in most cases showed a crash, but actually it is relatively stable on my PC, PG3 stopped to do his job in silence this is dangerous, PG3.3beta got turned into black with error message @startup. Gssbeta stopped once too in silence, despite it showed active status. Tiny also refused a correct IDS some times, even ZoneAlarm forgot at some point to send messages.

    No tool is perfect.

    PS: What are you worrying about feature problems, there are many cool tools for free you can add.
    For fairness purpose I have to say that I do not use much the PG Execution protection, I used it in the beginning then after a while I turn it off, it´s like a must,
    don´t know why. PGs best side is the alert box and the protection edit box, very nice look. The thing I ignore nearly totally is the security display, in 1000 clicks I only look once in it.

    Concerning System Safety Monitor: I tested it but it was long time ago and its state wasn´t really good it was unstable and ate much perfomance.
     
    Last edited: Apr 2, 2006
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Hmm - sounds good! :D
    Oh! - maybe it's not so good. o_O
    I don't call crashing "relatively stable". :D
    I'd have thought the main point of having PG was to be able to prevent unauthorised programs (eg Trojans) from executing. :rolleyes:

    There's some pretty confused thinking going on here SystemJunkie; on balance I think I'll stick with PG, at least that has never BSODed me. :p
     
  12. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I forgot to say that this task is done by e.g. Antihook. ;-)
     
Thread Status:
Not open for further replies.