Who has actually had PG save them from a malware attack?

Discussion in 'ProcessGuard' started by Matt_Smi, May 14, 2005.

Thread Status:
Not open for further replies.
  1. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    You see quite a few posts in the NOD32 forum about how IMON caught a Trojan and such before it could infect their system. But I don’t think I have heard many PG stories, so who has had an experience where they would have been infected with something nasty, but thanks to PG were not?
     
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Matt,

    PG has certainly prevented lots of unwanted program executions as well as unwanted (and possibly malicious) program services installations. I am often quite surprised at what is going on behind the scenes of some of the programs that I install. I cannot say that these situations were bona fide malware, because they never got started, but they were definitely unwanted and potentially malicious.

    Rich
     
  3. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Matt,

    That's a very good question and one that should be asked more often.

    I personally don't think much gets through a very good anti-virus and firewall & anti-spyware, but many users like to have layered security 'just in case'. If you have good security then Process Guard will enhance it in case your AV and/or firewall meet something they can't kill or intercept. But I think the bottom line is just how valuable your assets are. If you're just a casual home user with a basic PC then you wouldn't be as concerned about security as much as a business with a high end PC and a lot more to lose by infections/downtime, and a good firewall and AV will suffice. But if you have a lot to protect then Process Guard is definitely a 'must have'.
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi worldcitizen,

    What you say is certainly true. A person who is doing financial transactions, for example, on a machine would want to take greater care than someone who is just playing games (a safe deposit box is worth more than a Sony PlayStation - at least to some people :cool: ).

    But I have been involved with situations where even a game machine was made unusable by an overabundance of malware and this required a complete re-install. So for this situation, I would recommend that someone who is not well protected purchase an image copy program (I use Image for DOS), in order to save the time required to completely bring a system back to current time.

    But even casual users have "privacy" issues (do they want someone to have the password to their online email account?), so it is difficult for me to recommend to anyone nowadays to do anything less than ensure a secured computer. For this reason, I pretty much recommend ProcessGuard to everyone who asks, but only a percentage actually act on my recommendation.

    Rich
     
  5. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    For those that do internet banking...and this is the way I look at it.

    You have a router
    You use an application firewall...then protect the firewall and the applications with internet access using PG...now nothing can get in NOR out without your permission...ie...Normal trojans are useless, and Trojans that infect running processes that have internet access are also useless.

    PG also protects from the Trojans that anyone who does IB fears most...keyloggers and rootkits (haven't found out if there is any other way to steal a password, but these two are the main ones that I know of).

    I personally also use PrevX in combo with PG, and AT, AS, and AV, and a system monitor. I know Rich uses it in combo with RegDefend, another good way to go.

    Edit : I've never found malware on my comp since installing PG/PrevX and my scanners have never picked up anything, so I can't attest to it stopping anything yet.
     
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
  7. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    It's worked for me a few times. Then again, I don't run a resident AV so the chances of it working for me are higher.

    I run PG set to block new and changed applications and also run deep freeze.

    For my most recent case, I was on the internet and got some error messages on the page. I closed the browser and took a look at the PG logs. On this occasion cmd.exe had been blocked from starting. I rebooted and carried on.

    So I guess PG works for me.
     
  8. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Does PG monitor your HOSTS file by chance in addition to all the other things it is watching/monitoring?
     
  9. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    just add your hosts file in the protected programs list...choose all programs, then you can see your hosts file in system32 > drivers > etc > hosts
     
  10. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Infinity - Thanks a lot. I am thinking of trying out this software. :D
     
  11. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    Hmm, this is news to me, I assumed PG could only protect executables.
    Tom
     
  12. dog

    dog Guest

    That is correct ;)

    And to stay on topic ... my experience is similar to what Rich mentions in Post #2, so my answer would be a definite Yes. :)
     
  13. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825

    So can it not protect the HOSTS file then?
     
  14. dog

    dog Guest

    NO ... it only protects executables ;)

    You can pretty much protect your hosts file by going into the properties and setting it to "read only"; you would have to remove the "read only" status to modify your hosts, though.

    If you want to ensure the contents of the hosts file stay the same you can use a file checker which would calculate the checksum and verify the file against it for any changes. ;) Keep an updated backup of your hosts, and if there are any unauthorized changes simply re-write the hosts with your backup. Every time you update your hosts, you will also have to update the file checker's checksum. This type of protection for your hosts isn't really required, but it's an option should you wish to do so. ;)

    Steve
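The checksum-and-restore routine Steve describes, written out as an added example (not code from the thread or from DiamondCS). It hashes the hosts file with SHA-256, stores the hash beside a known-good backup, and on any mismatch re-writes the hosts file from that backup; the `demo()` walk-through runs against a constructed copy in a scratch directory, never the live file, and the `HOSTS_PATH` default is the Windows location named in the thread.

```python
"""Checksum-based hosts-file integrity check and restore (added example)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Live location from the thread (system32 > drivers > etc > hosts); not touched by demo().
HOSTS_PATH = Path(os.environ.get("WINDIR", r"C:\Windows")) / "system32" / "drivers" / "etc" / "hosts"


def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_baseline(hosts, backup, checksum_file):
    """Run after every authorised edit: refresh the backup and the stored checksum."""
    shutil.copyfile(hosts, backup)
    checksum = sha256_of(hosts)
    Path(checksum_file).write_text(checksum + "\n")
    return checksum


def verify_and_restore(hosts, backup, checksum_file):
    """Compare the hosts file against the stored checksum.

    Returns ("ok", digest) when unchanged, or ("restored", digest_of_tampered_file)
    after re-writing the hosts file from the known-good backup.
    """
    expected = Path(checksum_file).read_text().strip()
    actual = sha256_of(hosts)
    if actual == expected:
        return "ok", actual
    shutil.copyfile(backup, hosts)  # unauthorised change: put the backup back
    return "restored", actual


def demo(workdir=None):
    """Constructed walk-through on a scratch copy: baseline, tamper, detect, restore."""
    work = Path(workdir or tempfile.mkdtemp(prefix="hosts_check_"))
    hosts, backup, sums = work / "hosts", work / "hosts.bak", work / "hosts.sha256"
    hosts.write_text("127.0.0.1 localhost\n")  # constructed sample content
    record_baseline(hosts, backup, sums)
    first, _ = verify_and_restore(hosts, backup, sums)
    hosts.write_text("127.0.0.1 localhost\n0.0.0.0 example.invalid\n")  # simulated tampering
    second, _ = verify_and_restore(hosts, backup, sums)
    return first, second, hosts.read_text() == backup.read_text()


if __name__ == "__main__":
    print(demo())
```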
     
  15. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Thanks for the clarification dog. :D

    Regards,

    Jag
     
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Well, it's saved the test machines loads of times :D It also helps a LOT in my job; I can't imagine not having it..
     
  17. tlu

    tlu Guest

    A much better way to protect the hosts file: Never work or surf under your administrator account unless absolutely necessary. Under a user account (with restricted rights) you only have read access for this file and the other system files.

    Quite honestly, I've never understood why most Windows users use lots of software (like virus scanners, personal firewalls, registry protection software, PG, ...) but still surf as an administrator thus giving full rights to any virus, trojan or whatever. The consequent use of a user account is IMHO the basic measure to increase the security for your system (and a matter of course for every Linux user, by the way) that should be applied before any other measure.
     
    Last edited by a moderator: May 19, 2005
  18. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I use security software such as PG so that I can surf as an admin with peace of mind :) I like to test things and find it handy not to have to hassle with programs that require admin rights.
    As for the topic of this thread. Mostly NOD32 takes care of trojans while surfing (i.e. before they have a chance to execute so PG can do its job), but lots of times while surfing on certain webpages PG blocks scripts and stuff from reading memory as the first layer of defence. Also it blocks a lot of global hooks that are pointless, or maybe it's virus/worm activity, dunno cause PG blocks it.
    I rarely get any trojans, worms or viruses. So I have downloaded a couple of them just to test PG and it blocked dll injections, driver installation and memory reads. Haven't had opportunity to test rootkits (simply because I don't know where to find them)

    And it is interesting to learn what goes on behind the scene.
     
  19. tlu

    tlu Guest

    Enviable ;)
    Such as ...? Usually you only need admin rights when installing new software - and even then not in every case. Most programs don't need admin rights once installed. An exception is ProcessGuard whose GUI can be started via the runas command (or alternatively with RUNASSPC from http://www.robotronic.de/runasspc.html ).
    My rationale is that no security related software is 100% flawless. Even PG might be defeated some day by a new kind of malware. That's why several layers of protection are needed - and surfing under a user account is an important one.
    Interesting. My first layer of defence is using Firefox instead of IE, the second one Outpost where all active content is disabled by default and only selectively allowed for specific sites which I trust, the third layer is Kaspersky Anti-Virus Pro 5.0. As for emails, all mails containing executables are filtered out, and I use Thunderbird where scripting is disabled. PG is my LAST layer of defence (besides RegDefend). PG has never blocked any scripts for me - they have never come that far :) .
     
  20. PG User

    PG User Guest

    Yep, I used to layer protection but I consider myself advanced enough just to use Process Guard on its own. Process Guard has/and will continue to notify me of dodgy application activity which I usually clean up myself. PC runs a lot faster that way. Keep up good work DCS.
     
  21. q1aqza

    q1aqza Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    312
    Slightly off topic, apologies.

    Re: tlu's comment about using restricted user accounts. I used to do that with my kid's PCs, but I was finding Windows Update would only work on an admin account, and sometimes, for whatever reason, when I hadn't logged on their PCs under admin for a few weeks their updates were quite out of date.

    I see Windows Update almost as important as many of the security programs, so I switched their accounts to Admin to ensure constant Windows updates - are there any tips or tricks to run updates under restricted accounts?
     
  22. tlu

    tlu Guest

    q1aqza, that's not correct. At least on Windows XP (I can't remember the situation on W2K) automatic updates are also downloaded under a normal user account and will be installed during the next reboot.
     
  23. q1aqza

    q1aqza Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    312
    Must be something I'm setting up wrong as I have never had Windows Update working on a restricted account. I know whenever I logged in their PCs under admin to allow a game installation or something then straight away update would start downloading?

    I'll have to do some more searching on this as I just assumed it was the restricted account issue. I am using XP Pro SP2 on their PCs.
     
  24. tlu

    tlu Guest

    An article by Microsoft about this topic can be found on http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/intmgmt/27_xpupd.mspx
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Why bother with AV? You have to keep it updated... with PG you just forget about it.

    regards,

    -rich
     