Who has actually had PG save them from a malware attack?

Discussion in 'ProcessGuard' started by Matt_Smi, May 14, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I didn't know that PG blocked scripts.

    regards,

    -rich
     
  2. tlu

    tlu Guest

    No, PG and a good AV program are different layers of security. Both complement each other.
     
  3. q1aqza

    q1aqza Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    312
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    I have found that Kaspersky can detect and delete malware while the malware is still dormant and before it gets to the point that ProcessGuard can detect anything. I believe that the earlier malware can be detected the better (since this means that it has the least opportunity to do anything). So KAV would be a first layer in this case (actually the firewall is probably the first layer), and PG would be the second line of defense.

    Rich
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Rich,
    Can you think of a situation where something would not be stopped by PG? KAV is certainly a great program, but just in the interest of keeping the list short, if KAV wouldn't be absolutely necessary, I would probably not use it.

    regards,

    -rich
     
  6. CN232

    CN232 Guest

    Maybe you have the ability to eyeball a piece of software and know immediately if it should be authorised by PG to run, the rest of us don't :)
     
  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Rmus,

    Yes, there are points of attack that ProcessGuard alone might not detect. For this reason, I maintain a more layered defense that overlaps and hopefully closes most (if not all) known holes. There is a discussion concerning buffer overflow attacks in the WormGuard forum (on Wilders) that you may find interesting.

    It is always a question whether one should be concerned about all potential holes, or just try to create a layered defense that makes it extremely difficult for malware to penetrate. At this point, I am very comfortable with a good firewall and AV (like KAV), ProcessGuard, and a good registry watcher like RegDefend. But obvious holes may be pointed out that would require me to rethink the situation. The discussion about "buffer overflows" is one such instance, but my gut feel is that in all practicality, there is no reason to be concerned about it at this time.

    Rich
     
  8. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Society is not safe either and if we applied the same principles we would all be walking around with machine guns and body armour. Anything including PC security can be taken to extremes. All an intelligent person has to do is have basic tools to protect them unless they are a business with very valuable assets.

    With free AV and firewall the home user is more than adequately protected and in case of an infection these can almost always be removed. A good imaging program can restore the system in almost no time. Layered security along with terms like 'stealth' are marketing terms emphasised to bring in the $$$$. I've been online 6 years now and I never used layered security and never had major problems. I've got PG, TDS 3, WG and many others but I never use them and guess what - I survive nicely. To me, a program actually has to be really beneficial otherwise it just eats up resources 'making me feel secure' when I'm very secure without all these. I've used free AV and free firewalls for ages and never had problems or needed anything more. I've had to format my hard drive and re-install Windows more often from user errors and conflicting software than anything else. But Port Explorer I have always 'needed' because it tells me if anything 'hidden' is trying to use my connection. A brilliant program and extremely useful and a 'must have'.

    I have PG but I never use it because it makes no difference. It doesn't do anything for me and there has never been any moment in the last year where I've felt I needed desperately to install it. I coast along nicely and until a lot of dangerous things come along in abundance (i.e. everyday) which are a huge threat to my computing, I have no need for it. My AV takes care of Trojans and always has so I've only ever scanned with TDS 3 maybe 3 times in 2 years. The same with Trojan Guard and Trojan Hunter. They just don't do anything because the AV takes care of everything. I've had Trojan Hunter, Boclean, TDS 3 and Wormguard for over 2 years and never even once (except TDS 3 - once only during a scan, not running) have any of these programs intercepted any nasties even though I ran them for quite some time so I rarely use them as my AV seems to pick up most nasties. I have these just in case I need them but have never had to use them. The programs I find really useful are any firewall, any AV, any anti-spyware.

    Companies and businesses are a different kettle of fish. They absolutely need extra layers because they are often specifically targeted but I'm not and never have been, apart from some very small attacks, which my AV and firewall took care of. Things can change and that's why I bought these extras but at present I find they don't do anything at all because I already have sufficient protection. When the need arrives I'll use them but for now I have them on standby. I don't get pop ups or dialers and it's been all smooth sailing for ages without all of these but I have them on standby in case.

    Dave
     
  9. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    The important thing first and foremost isn't knowing what is running - this can be determined later, but simply knowing that something is trying to start is important, and without a program like PG which can monitor executions for you, you won't be able to have any idea of exactly what is being executed on your system. In most cases you'll know about the file - because you executed it. In some cases you won't (as just one example, if you run a program and it drops and executes another program - trojans are frequently 'bound' to legitimate programs in this way in order to piggyback their way into systems), and obviously if you didn't expect a file to execute then that's cause for suspicion, but because PG has alerted you to the attempted execution - and prevented it - you can now analyse the file, or put it aside until somebody has analysed it for you.

    ... and that's only execution protection - just one weapon in PG's extensive arsenal.

    Best regards,
    Wayne
     
  10. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    In regards to worldcitizen's last post, while it's fair enough that you have never had a bad experience, I can see too much possibility of people getting themselves in trouble given your last advice (btw most people don't use imaging systems).

    For another, if the average user has a RAT installed... it can get him/her in trouble. If they have a keylogger installed without their knowledge, and they do internet banking, they can lose their money. Free AVs are quite bad at detecting them.

    See my comments here, Post 8 <heh, seeing as I don't want to write them all over again :)

    https://www.wilderssecurity.com/showthread.php?p=468673#post468673
     
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi all,

    For me, ProcessGuard is like an insurance policy. It gives me added confidence that if my AV/AT fails (KAV in my case), then I have some fail safe mechanism in place (this would also include RegDefend and WormGuard) to trap any potential intruders.

    Just because I have never been in a collision does not mean I do not carry collision insurance and just because I have never had a fire in my house, doesn't mean that I no longer need to carry a homeowner's policy. The concept of insurance is to guard against catastrophic failure. Many users have extremely important and confidential information on their computer and on the net. For them, carrying insurance is very important. And these users do not mind "paying the price", even though the insurance policy may never be used. It is the nature of insurance.

    So rather than "tempt fate" and remove insurance policies from the computer's security architecture, I think it is a far better strategy to have it in place and hope it is never needed. But if it is needed, then it is sure great that it was in place.

    Rich
     
  12. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Much better put than I did :)
     
  13. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks Vikorr. It is great having you around, asking the right questions and helping me out. Now I have to figure out this whole buffer overflow thing. ;)

    Cya around,
    Rich
     
  14. CN232

    CN232 Guest

    The problem is even with legitimate programs, lots of programs will be executed; an example would be MSAS. How would a user know if such behaviour is normal? How about if it was named "updater.exe"? Is this expected? Monitor any program that is being installed and you will see lots of exes starting. Is this expected?

    Don't some people advise you to turn off execution monitoring during installation? If so, the malware might run at this very moment.

    If I'm not a big time security software analyst, how do I know what I expect is correct?

    Of course, but in my view one of the least valuable yet most hyped 'weapons' (compared to other PG features). My point is "execution protection" isn't much protection unless you are very cautious and disciplined enough not to run any new exe, unless you know exactly that it is safe. Pretty much the same as safe hex.

    It is in other areas (blocking hooks, driver installation etc.) that PG is most useful, but for some reason, people prefer to hype PG as an execution protection program, maybe because it sounds cooler and/or is easier to explain.
     
  15. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi CN232,

    While it is possible that some malware will enter your system because PG is turned off day one, it is one of those highly improbable possibilities. And even if it did, then it would have entered whether or not PG was installed.

    But the more normal learning process is something like this:

    1) People start up processes and learn that certain other processes are started up along with these processes. This is a learning process, and quite a valuable one at that. If one is going to insure the contents of one's home, it is good to know who is coming in and out.

    2) Over time, users learn the common processes that are started by other programs or the Windows operating system - e.g. rundll.exe. There are really just a handful of them. If you can memorize telephone numbers, you can probably remember these programs.

    3) Once you gain an understanding of the common applications that turn on or off, you will quickly learn to recognize programs that simply come out of the blue. When this happens, the best thing to do is to deny them privileges until you figure out whether they are good or bad. It is very simple to give a program privileges at any time, and it is absolutely no different than learning, as a child, who to let into a house and who not to.

    As you can see from the many responses on the PG forum, there are many people who went through the straight-forward learning curve with absolutely no problems. If you want to learn how to use PG you can. If you don't, then you won't. It is no different than moving into a new home. It is a matter of getting acclimated.

    Rich
     
  16. Cluessnewbie

    Cluessnewbie Guest

    Do explain to me how this is "highly improbable possibilities". I already came up with scenarios where you get infected even with PG turned on! All it takes is trusting the wrong program.

    Not sure about your logic, but if this is true, why use PG :)))

    All this doesn't help me decide if a new program I installed should be allowed to run some file called update.exe! Say I deny it. Then what? Do reverse engineering on the code to see what it does? LOL.

    You mistake "no problems" with effectiveness.
    I know I'm only a clueless newbie compared to you, but I'm wondering how you can figure out when to trust a new app.

    PS: If I really wanted to go with execution protection I would go with something more robust than PG's. SSM + PG for example.
     
  17. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Cluessnewbie,

    It isn't really as complicated as you seem to believe. It is really like learning which people to let into a house and which not to. Nowadays I trust Microsoft, Kaspersky, DiamondCS, Ghost Security, Ewido, NSClean (BOClean), ZoneAlarm. When I start up on-demand scans like Giant AS, Ad-aware, Spybot and I request an update, I also trust their update connections.

    This is much better than computing in the blind where anything can be executing on my system without me knowing about it (the open door strategy). I guess if you are living in a really nice neighborhood where there has been a crime in 30 years, it is O.K to leave the door open, but that is not the neighborhood I am living in nowadays. :)

    Rich
     
  18. CN232

    CN232 Guest

    Rich, normal people don't just run security related software, they run other things too :)
    How about this sniffy freeware text editor you saw posted on usenet? Does PG protect me if I choose to run it?
     
  19. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi CN232,

    I use Notepad which is from a trusted source. At some point, people have to decide how secure they want their computer to be. If it is a playtoy then treat it as such. If it is used for important financial transactions then treat it as such. Everyone is different.

    Rich
     
  20. CN232

    CN232 Guest

    So safehex is critical even with proactive defenses like PG/RG/KAV? I'm glad you agree.
     
  21. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi CN232,

    If that was your point, then you could just say so. I don't think anyone on this forum (or any forum I have ever visited) has ever said that one can do anything one wants on the net without thinking.

    Rich
     
  22. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    This is a problem with a lot of security software nowadays - how do you know whether to 'allow' or 'disallow' because the majority of users are not experts. There's a very basic legal issue involved here too - liability. The company cannot be sued if the user gave permission to malware which destroyed his million $ database. Legally, most security companies do not back their own products as their marketing does. The allow/disallow is more to protect themselves than you because they know full well that users do not generally know which to apply in many cases yet still have the option there. Even renowned products like Zone Alarm are completely useless if the user allows something he shouldn't, so how is he to know? To date, I am unaware that there is much software around that will do this for the user because to do this successfully the file that is requesting to be executed would have to be 'checked' against a 'clean' version online. The only product I know of that does this is PC Internet Patrol.

    Checking the 'name' only doesn't tell you if the version you have is not infected with code. It only tells you that the name is correct but the program may still be infected. PG can detect a lot of these injections but I don't know if there are some it can't. If it asks the user for approval isn't that stating that it doesn't know and the user has to decide? When PG pops up the permission window I wouldn't have a clue many times but if I say no then some programs won't run and if I say yes then maybe it is infected so it's a very difficult situation.

    Dave
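    Two points in this thread lend themselves to a concrete check: Wayne's description of execution protection (a program you ran drops and executes another program you did not expect) and worldcitizen's observation that checking the 'name' alone does not tell you whether the file is the clean version. The following is an added example written for this discussion, not ProcessGuard's or DiamondCS's code: a default-deny execution policy that allows by content hash rather than file name, alongside the weaker name-only check, run over constructed sample "files" (plain bytes standing in for executables; all paths and contents are made up).

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample images: path -> bytes standing in for an executable.
# These are not real binaries; the Temp copy plays the look-alike dropped by an installer.
SAMPLE_FILES: Dict[str, bytes] = {
    r"C:\Windows\notepad.exe": b"MZ constructed notepad image",
    r"C:\Program Files\Editor\editor.exe": b"MZ constructed editor image",
    r"C:\Program Files\Editor\update.exe": b"MZ constructed updater image",
    r"C:\Temp\notepad.exe": b"MZ constructed look-alike with extra payload",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of a file, independent of its name or path."""
    return hashlib.sha256(data).hexdigest()


def name_only_allowed(path: str, allowed_names: Set[str]) -> bool:
    """The weak check: trusts anything whose file name matches, whatever its contents."""
    return os.path.basename(path.replace("\\", "/")).lower() in allowed_names


@dataclass
class Verdict:
    allow: bool
    reason: str


class ExecutionPolicy:
    """Default-deny execution check keyed on the file's hash, not its name."""

    def __init__(self) -> None:
        self._trusted: Dict[str, str] = {}  # sha256 -> label given when the user trusted it

    def trust(self, label: str, data: bytes) -> None:
        """Record the exact bytes the user reviewed and chose to allow."""
        self._trusted[sha256_hex(data)] = label

    def check(self, path: str, data: bytes, parent: Optional[str] = None) -> Verdict:
        """Decide on an execution attempt; unknown content is denied pending review,
        and the parent that spawned it is kept so the user can see the drop-and-run chain."""
        digest = sha256_hex(data)
        label = self._trusted.get(digest)
        if label is not None:
            return Verdict(True, f"{path}: matches trusted '{label}'")
        spawned = f" (spawned by {parent})" if parent else ""
        return Verdict(False, f"{path}: unknown hash {digest[:12]}...{spawned}; denied pending review")


if __name__ == "__main__":
    policy = ExecutionPolicy()
    policy.trust("notepad", SAMPLE_FILES[r"C:\Windows\notepad.exe"])
    policy.trust("editor", SAMPLE_FILES[r"C:\Program Files\Editor\editor.exe"])
    for path, data in SAMPLE_FILES.items():
        parent = "editor.exe" if path.endswith("update.exe") else None
        print(policy.check(path, data, parent).reason)
```

    The look-alike in C:\Temp passes the name-only check but is denied by the hash policy, and the updater spawned by the trusted editor is denied with its parent named, which is the prompt a user then has to decide on.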
     
  23. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi worldcitizen,

    Could you share with me the security product environment that you recommend and use? Thanks.

    Rich
     
  24. CN232

    CN232 Guest

    Such tools exist for enterprise wide software, but it's a very restrictive system, and works only if you use common software.

    Exactly.
     
  25. Cn232

    Cn232 Guest

    Look up the meaning of safe hex , Rich
     