
Anti-Virus to become obsolete.



So, let me clarify something.  In order to add a new program to the computer, you can't simply tell IE to allow it, you have to disable IE completely.  Is that not correct?  This is what I'm referring to by it not replacing AV.  If someone turns off IE and installs a program that turns out to contain a virus, when you turn IE back on, the virus is already there.  And since it was installed while your program was disabled, it's now considered a part of the safe list and allowed to run.  At least with traditional AV, even if the virus gets in you can still turn the AV back on and run a scan to remove it.  Your program doesn't do that.  Tell me where in your statements you said your program will remove existing viruses.  This is exactly what I mean when I say it may complement traditional AV but will never replace it.  The only place I can see this completely replacing AV is in locations where new programs are not regularly installed, such as a business environment, but not your average home user.

Sir, we have the ability to install new software without shutting down ImmE completely. You can tell it to allow you to install, but not allow those executables to stay within the matrix. Kind of like test driving the software (we call it shutting down the probe). If all is good and well with you, THEN tell ImmE to shut down completely. You are jumping ahead and assuming things, before even asking. Ask and you shall receive. Again, replacing AV. And yes, it works 10 times better in business environments, because they don't just blindly download stuff off of untrusted sites like home users do. And neither do I on my home PC. Don't trust everything from every website to download. The software puts the power over the PC in the user's hands. If this was to happen with AV, and it's an unknown virus, then your machine is hosed. If (as they are starting to do now) this was a virus designed to attack your AV, then how is your AV going to protect you if the virus shut it down? This will not happen with ImmE, because it knows everything that the shell executes.

*Edit* A computer can't reason, you have to do the reasoning for it. How many times have you ever downloaded software from a trusted site that contained malicious code? 0 to None probably. Now, count how many times you get infected unknowingly just by opening an e-mail, surfing to a site... a vast majority of all infections are NOT created by you downloading programs blindly. Surely you don't just go download any and everything from anywhere to your box, do you?

Rhythmnsmoke, it doesn't update any database - we're talking about the product named ProcessGuard, right? It's nowhere stated that it keeps or updates any database at all. Furthermore it doesn't scan as any traditional AV would - as I've understood it merely requires you to grant any driver or process denial or acceptance to run. That makes it about as good as your product except it doesn't "sweep" anything from your HDD.

You are not looking at their whole solution. Taking directly from their website...

TDS-3: Trojan Defense Suite

For years, TDS-3 has been widely accepted as being the world's most comprehensive anti-trojan system with the largest anti-trojan database. In development since 1997 by anti-trojan pioneers DiamondCS, TDS-3 goes where no other anti-trojan systems can and boasts many unique detection methods that are exclusive to TDS-3. The only anti-trojan system in the world that is updated daily Mon-Fri, say goodbye to trojans forever with TDS-3!

Exactly how many drivers and processes are you going to have to deny? Is that time consuming? By the way, leaving code on the machine is not good. ImmE again, is automatic. Nothing needs to be told to allow or deny. If it don't belong, it don't belong. Does this also prevent the execution of new/previously modified scripts? I might download it just to find out. Also I think I read that the software runs off of system drivers. And if you saw before where I stated the problem with system drivers (speaking from an internal hacker threat), you just boot into Safe Mode and turn off the software. Therefore, bypassing their solution.

But I appreciate that you took your time to answer my question being "bombed" with replies of all sorts in this thread

But I suppose I'd gain some knowledge of that PG program if I try the free demo from the DiamondCS website ...

Speaking of which - you guys REALLY need to look into the potential customer aspect of the marketing process - yes - I know it's been said more than a few times in this thread - but if you've no chance whatsoever to try out the program - may that be as a locked demo or whatever - you don't see in your own environment if it would work as you desire. That makes that particular product fairly useless for the common user - and I suspect that, at some time, you people would want to enter that segment as well ...

But I guess that's enough ranting on my part for now, hehe

We have to approach the consumer market with caution. Because this software is a different beast altogether. So, I can imagine the influx of tech. support to go along with people trying to figure out how to operate it (been there, done that!). You know, although for every 10 houses you find, 8 might have a computer in them. But for every 1,000 users you find, 2 might actually know how to really work one.

Edited by rhythmnsmoke


@rhythmnsmoke - please take one more look at http://www.diamondcs.com.au

ProcessGuard is not part of a "suite" as you state, it's a product that works on its own. The TDS-3 is only an anti-trojan program. So PG doesn't keep databases or definition updates. That's why I figured it works a bit like yours.

rhythmnsmoke on Yesterday, 04:18 PM
Exactly how many drivers and process are you going to have to deny? Is that time consuming?

I think it's a "learning" process so you can just allow friendly processes as a one-time job and then only new "unknown" processes trying to execute will require user intervention. Or if they change, e.g. qua Windows Update you will be required to grant them allowance again.

Like I said I will try the demo to see how PG works ...

Keep up the good spirit

Greets

Jacob

Edited by techniquefreak


I think I will play with it myself, when I have time. I will put it through just a couple of sample tests that we had to go through when we came up against the RED team hackers. You may try them as well. I'm not too sure if you have multiple computers, but you will need one machine with PSTOOLS on it. Freely downloaded software that is designed to allow administrators to gain access to a machine remotely. Take PSTOOLS to it to see how it holds up. Also, when you get PG running, boot into Safe Mode to see if it gets turned off. That is just some things to start with. A lot of the description sounds like it protects other applications from being terminated... i.e. firewall, AV software, etc., and not the entire machine (I could be wrong, only time will tell). And when it explains that it "Determines which programs are being executed on the machine", does that apply to both Compiled and Non-Compiled programs?

ProcessGuard even stops most keyloggers and leaktests, and is recognised by many to be the most comprehensive anti-rootkit solution available.

What keyloggers does it not block? And why does it not block those?

Edited by rhythmnsmoke

What keyloggers does it not block?  And why does it not block those?

That could simply mean that they won't guarantee it can't be hacked. Just like disinfectants say "destroys 99.99% of germs and bacteria". Can't say 100% because if anyone ever proves them wrong once, it could lead to a false advertising lawsuit.



IC, good point. Hope you're right about that.

*Edit* Is this a home user software, or do they market this to commercial/gov. business? If they market to com/gov., what I would like to know is does the software stop Admins from shutting it off?

Edited by rhythmnsmoke

Alright ...

I've now installed ProcessGuard on one of my desktops ...

Will see how that goes.

I can confirm it works in safe mode (only the GUI seems disabled - but the process proc... is up and running) so it should block unauthorized modifications regardless ...

but as it's an entirely new program I think it takes some learning ...

@rhythmnsmoke - I think it's primarily targeted towards home users although there is a note that universities etc. can get volume discounts ...

Heading off to bed now, though - will be back for more ... :wacko:


Unless you are running a different ProcessGuard than I am, it doesn't work in safe mode. I also downloaded it onto a little Sony Vaio. Booted into safe mode, and it was shut off. Unless there is some feature you have to configure/turn on, then let me know, because as of right now, it was disabled when I booted into safe mode. I'm used to ImmE's automatic ability, so I might have overlooked something I needed to configure. This is just one thing I have already done. I have also run batch files on it, which it doesn't stop either. Also, just from having it only a few hours, I have come to the conclusion that this is borderline Software Restriction Policies. It does the same thing, and is run off System Drivers, which are disabled when in Safe Mode. I will give some more detailed analysis on it after I have time to play around.

Edited by rhythmnsmoke

I'm also trying ProcessGuard

so far, so good

I'm not really worried about it not working in safe mode, since nobody uses safe mode on a regular basis anyway, and most of the computers won't work properly on a network in safe mode anyway.

If somebody wants to mess up a computer on purpose, they'll find a way to do it.

what we need is something just to help idi0tproof from adware and stuff.

now I need a test machine so I can try to bugger the program with known malware, as I'm not going to risk my regular PC for that :blink:


Regarding ProcessGuard I just found this link:

http://www.commontology.de/andreas/win_secure_pg3.html

That's a nice page regarding that program, so you might want to take a peep ...

;)

In addition to my previous post about whether PG works in safe mode or not -

it doesn't, so you're right, rhythmnsmoke ...

I know now because I got a reply from a moderator on that Wilders Security Forum where I'd asked about that possibility ...

Pilli on Today, 03:16 AM (wilderssecurity.com)

Drivers and services such as ProcessGuard do not run in safe mode; usually only some basic system services run in safe mode. This is intentional so that errant drivers can be removed and other troubleshooting procedures can be addressed.

A good example is your video driver as supplied by your graphics card maker; these will not load in safe mode and Windows defaults to its generic drivers for safety.

There is a limited selection when entering safe mode but this is generally whether to allow things such as networking, again using Windows generic drivers.

So safe mode for PG is a no-go ...

Edited by techniquefreak

And you see guys, HEREIN lies the problem with the inability to work in safe mode. For one little simple test,

Test Case

1) I had the software in secure mode. And set to PERMANENTLY deny the command prompt (cmd.exe) and the Services admin tools to run. Therefore, every time you try to get to the command line, or Services menu, it will shut it down before you are able to start it.

2) Now, I booted into Safe Mode via the F8 key. Within Safe Mode (due to the fact that the software runs off System Drivers as every other computer security product in the industry does), I was able to launch cmd.exe and also access the Services menu.

3) I found the Service that runs the PG software, and disabled the service.

4) I rebooted into normal Windows (XP Home edition) and the icon for the PG software was running, but the software was not protecting the machine. I tried the cmd.exe and the services menu, and now they run.

I have successfully shut down the PG software in a matter of about 5 min. So far my impression of it is that it's a user-friendly version of Software Restriction Policies (SRP), which comes with Windows XP Pro w/Service Pack 2. And that's free!

Now, I'm not trying to get into a peeing contest with this software. But the only way I can seem to make the comparison fair and justifiable is to compare this software to our "OLD" Home Ver. of ImmE. The features that I have described to you thus far, which have also led up to the previous 21 consecutive pages, have been all about our Network ver. of ImmE and its capabilities. Our Home ver., which we haven't updated with the new features yet, is dated back to Sept. 7, 2004. It would not be a fair comparison to compare this software to our current release of our Network ver., because ImmE would win hands down. So, what I'm going to do is go back and get out the "OLD Home ver." of ImmE (which we call ImmunePC) and put it on this little Fujitsu that I have here. And do some side by side tests.

PG will not fit into a network corp./gov. environment, due to the fact that:

1) if you were to follow the instructions on how to set it up, it requires that you reboot the machine 3 Times for it to complete the protection.

2) You have to manually open every single application and executable that you are going to use for every single machine that you would install it on. If they can't automate that process, then no corp./gov. environment is going to take a second look at it.

And that's just two of the reasons thus far. I have more, but I will save them for my next post. The next post will be a comparison rundown of the "OLD Home ver." of ImmE (dated 9/7/04) and Process Guard.

Edited by rhythmnsmoke
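As an added check, not from the thread or from either product: a PowerShell function that reports whether a given service or kernel driver is registered under the SafeBoot keys, which is what decides if it starts in Safe Mode and therefore the gap the test case above exercises. The service name is an assumed input; the thread does not give PG's service name, so the usage line carries a placeholder.

```powershell
# Added example, not part of the thread or of any product mentioned in it.
# Reports whether a service or kernel driver is registered to start in Safe Mode.
# Windows only starts entries listed under SafeBoot\Minimal (Safe Mode) and
# SafeBoot\Network (Safe Mode with Networking), either by service/driver name or
# by load-order group name. A protection product absent from both keys is simply
# not running after an F8 boot, so whatever it enforces is not enforced there.
function Test-SafeBootRegistration {
    param(
        # Service/driver name as shown by `sc query` or Get-Service (assumed input).
        [Parameter(Mandatory = $true)][string]$Name
    )

    $root   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $svcKey)) {
        throw "No service or driver named '$Name' is installed."
    }

    $props = Get-ItemProperty -Path $svcKey
    # Type 1 = kernel driver, 2 = file-system driver, 16/32 = Win32 service.
    $isDriver = ($props.Type -band 0x3) -ne 0
    $group    = $props.Group   # drivers may be admitted to Safe Mode by group

    $result = [ordered]@{
        Name      = $Name
        Kind      = if ($isDriver) { 'Driver' } else { 'Service' }
        StartType = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    }

    foreach ($mode in 'Minimal', 'Network') {
        $byName  = Test-Path (Join-Path $root "$mode\$Name")
        $byGroup = [bool]$group -and (Test-Path (Join-Path $root "$mode\$group"))
        $result["SafeMode$mode"] = [bool]($byName -or $byGroup)
    }

    [pscustomobject]$result
}

# Usage: EventLog is a built-in service that Windows lists under SafeBoot\Minimal,
# so it serves as a positive control; replace the placeholder with the service
# name of the product under test. False in both Safe Mode columns reproduces the
# gap described in the test case above.
Test-SafeBootRegistration -Name 'EventLog' | Format-List
Test-SafeBootRegistration -Name 'PLACEHOLDER_SERVICE_NAME' | Format-List
```

A product that needs to survive Safe Mode must register itself under these keys; checking them is a quicker test than rebooting, and a change to them is worth alerting on.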

Guys, as I stated earlier, I believe that PG is just a user-friendly version of Software Restriction Policies (SRP). What ImmE has done, and the way that we are doing it, has not been duplicated thus far by any other product available or unavailable on the market. If I come across one, I will be sure to let you guys know. I am still putting together my comparison of PG (SRP) to our older Home User ver. of ImmE. It does not have some of the features that the network ver. does, so it operates differently and much like the previous approach we were going after. But because our Home ver. will be updated sometime afterwards (after all the "paper-pushing" work), I thought I would go ahead and describe to you the differences in how PG (SRP) uses System Drivers to intercept execution vs. how ImmE intercepts execution and beyond. The older Home ver. intercepts executed programs now, but it does it in a less efficient way than PG (SRP). And PG (SRP) intercepts executed programs in a less efficient way than our network ver. of ImmE. But like I said, the Home ver. has yet to be updated as of 9/7/2004.

Ok, when it comes to PG (SRP), they use system drivers to do what they do, right. Let me describe the Kernel of the OS for you and how the System driver approach is different from the ImmE approach to intercepting the execution of programs. The Kernel has what's called a PID. That stands for Process Entry/Exit Identifier. Therefore, when a program executes, it has an entry point into the kernel and an exit point from the kernel. When you use the System driver approach, they intercept the execution of the program when it enters the kernel. Because the kernel processes instructions within milliseconds, if you hold it up from doing what it does, you run the potential risk of generating a protection fault. Therefore, when you intercept code execution using System Drivers, you only have the ability to either permit or deny that execution. You can't analyze it any further because you are actually holding up the kernel from doing its job. Like I said, if you were to try, you would run the risk of causing a general protection fault. So, the System Driver approach is actually intercepting the code AFTER it has already entered the Kernel. Well, when it comes to ImmE (as you know, I'm talking about the network ver., because the home ver. doesn't have it yet, but soon will), where we intercept code execution is actually BEFORE it is passed to the kernel. Where we intercept is described as "intercepting the Shell". The OS has what's called the Command Processor Interface; there are basically 4 levels within the OS. There is the Command Shell (command prompt level), the Shell, the Command Processor Interface (CPI), and the Kernel. ImmE actually bridges the point between the CPI and the Kernel. Therefore, we have the ability to analyze everything before it is actually sent to the kernel. Now, what this means is this: we can take as long as we want when it comes to analyzing code, because we are not holding up the kernel.

Because ALL code starts with a ShellExecute, we can analyze scripts (uncompiled programs), modified scripts, code (compiled programs), etc. You see, PG (SRP) can only analyze "compiled code", per se. We can analyze "code" whether it's compiled or uncompiled. As well as track when you open a folder, click on a start menu button, or browse to folders of the hard drive. Because of where we are intercepting, we can analyze 100% of the computer and know every step taken in it, and not just when code executes. That is just one way of describing how we are independent of the OS. System Driver approach = wait till the kernel tells you something is executing and then intercept. ImmE approach = get it before the kernel knows about it. Also as you know, booting into safe mode turns off all 3rd party drivers. We were forced to create something new, which you couldn't just easily blow past by booting into safe mode with the F8 key and turning it off.


Phew- :wacko:

Thanks for that clarification, rhythmnsmoke ...

Well if your software does what you say it does I suppose it's a far better approach than PG's.

I didn't mean to start a one-on-one comparison between PG and ImmE either, though. But still I'd like to find similar software as yours that could keep the OS as safe as possible from getting infected with viruses, trojans, keyloggers and the like ...

I myself am on a constant hunt for the best possible security solutions and as a side note I've sent an e-mail asking to beta-test your software to that contact e-mail at BBX' home page about 14 days ago but alas I didn't receive any response ...

Well - it's admirable that we can go on this long I think - so you're definitely onto something here ...

Regarding PG - did you read those links I've posted previously ?

@^_^ -

Have you tested PG as well now - if so, what do you think ... ?

The best testing must be on as many different setups as possible - so that we get a real-life evaluation of the strengths and weaknesses of the software.

Lastly - keep up the spirit, everybody - it's good to keep this thread going ...

B)

Edited by techniquefreak

...I'd like to find similar software as yours that could keep the OS as safe as possible from getting infected with viruses, trojans, keyloggers and the like ...

Here's my recipe:

Install WinXP+SP2. Then install Symantec Corp. AV 10 or NOD32 as your AV, Sygate Firewall Pro 5.5.2170 and Lavasoft Ad-Aware SE 1.06. I can guarantee you your PC will be a fortress. :yes:

This is my recipe for over 10 years now (a good AV+FW+anti-spyware), and never had to deal with a virus/keylogger/etc... :yes:


techniquefreak, I have installed the PG software, but not the paid version, so I can't examine all the features like I'd like to.

Weird thing is, for a day it was acting like the full version, and was asking if I wished to allow processes to start, but then it went back to evaluation version.

I do think it is an excellent solution for the price :yes:

The other thing it does that is cool, even the evaluation version will not allow 1 process to stop another, so it should keep something from disabling Norton, or at least help in that matter.

I'm seriously thinking of paying my money to get the registered version, as I think it could be a good tool

especially at 1/10 the price of ImmuneEngine. (no offense rhythmnsmoke, I'm a bargain shopper and don't need bulletproof, just a decent shield)


OMG! What do your license renewals cost you? Don't they charge like an annual fee for you to keep updating with new signatures? All that is good and dandy, until you get a batch file virus.
