P220ST
Corporal
Joined: Sep 05, 2006 Posts: 69
Posted: Fri Sep 08, 2006 2:49 am Post subject: ProcessGuard and False Positives
From those who have used ProcessGuard, does it advise how to proceed when it flags something? While a software expert may know a flag to be an innocuous false positive result, I wouldn't. This confused me when I was reading about its "learning phase".
If ProcessGuard is a bit too sophisticated for my common computer understanding, is there one of the following:
1) an anti-rootkit product that tells you what to do, or
2) a perpetually up-to-date database of malicious rootkits to compare my results against.
Before I butcher my registry . . .
Thanks,
P220ST
P220ST
Corporal
Joined: Sep 05, 2006 Posts: 69
Posted: Fri Sep 08, 2006 3:04 am Post subject:
. . . and maybe offer to:
1. backup the registry, and
2. establish a restore point
for the normal users among us.
Before I shoot my Dell . . .
Thanks,
P220ST
negster22
Security Expert Premium Member
Joined: Mar 10, 2004 Posts: 5394
Posted: Fri Sep 08, 2006 3:50 am Post subject:
Hello,
You bring up a good point and we should start compiling a list of rootkit drivers and a list of benign drivers that may hook the SSDT and be flagged by protection software.
These databases may help but they presume that you have run a HJT log which is what the numerical entries correspond to. They list both benign and malicious items.
http://wiki.castlecops.com/Hijackthis_Database_Research_Interface
The 023 database lists NT/XP Services and that would be the best one to investigate rootkit threats. Those items that use rootkit type stealth are listed in red.
The 04 startup list is another good one.
The Startup Programs Database at Bleeping Computer is excellent, too:
http://www.bleepingcomputer.com/startups/
This list is very easy to use and it is compiled by Greatis Software, makers of UnHackMe. Just plug your query into the search box:
http://www.greatis.com/appdata/index.html
Which leads me to the easiest tools to spot rootkits. One of them is UnHackMe, another is Blacklight, and the AVG Rootkit Beta seems friendly and quite effective. Please refer to our Announcement which lists rootkit programs and their download locations.
You should Google any items you cannot find answers to.
Here's a link about backing up the registry:
http://www.theeldergeek.com/windows_xp_registry.htm
The easiest way to back up the registry is to open regedit, click File | Export and then just save to a file. To restore, you double-click the REG file which you just made, but only if it is necessary.
_________________
Negster22 - MS MVP - Consumer Security 2006-2008
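The two safeguards asked for earlier in the thread (back up the registry, create a restore point) can be scripted so they happen together before any cleanup is attempted. The following is an added example, not code from the thread or from any of the products mentioned; it assumes an elevated Windows PowerShell 5.1 session (Checkpoint-Computer is not available in PowerShell 7) and uses a backup folder name chosen for illustration. reg.exe export writes the same .reg format that regedit's File | Export produces, so a hive can later be restored by importing that file.

```powershell
# Added example (not from the thread): export the registry hives that malware
# cleanup usually touches, then create a System Restore point, so that both a
# file-level and a system-level rollback exist before anything is changed.
# Run from an elevated Windows PowerShell 5.1 prompt. $BackupDir is an assumed location.

$BackupDir = Join-Path $env:USERPROFILE "RegistryBackups"
$Stamp     = Get-Date -Format "yyyyMMdd-HHmmss"
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Export hives to .reg files. '/y' overwrites without prompting.
#    A failed export is reported but does not stop the remaining hives.
$Hives = @("HKLM\SOFTWARE", "HKLM\SYSTEM", "HKCU")
foreach ($Hive in $Hives) {
    $FileName = "{0}-{1}.reg" -f ($Hive -replace '[\\:]', '_'), $Stamp
    $File     = Join-Path $BackupDir $FileName
    reg.exe export $Hive $File /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export of $Hive failed (exit code $LASTEXITCODE)"
    } else {
        Write-Host "Exported $Hive -> $File"
    }
}

# 2. Create a restore point covering the whole system state.
#    Windows allows only one restore point per 24 hours by default; when one already
#    exists the cmdlet emits a warning rather than an error, so the script continues.
Checkpoint-Computer -Description "Before rootkit cleanup $Stamp" -RestorePointType "MODIFY_SETTINGS"

# 3. List what was written so the .reg files can be matched to the restore point later.
Get-ChildItem -Path $BackupDir -Filter "*-$Stamp.reg" | Select-Object Name, Length, LastWriteTime
```

To roll back a single hive, import the matching .reg file (reg.exe import, or double-click it as the post describes); to roll back everything, use System Restore and pick the restore point by its description. Only restore when a change has actually caused a problem, since importing an old hive also reverts any legitimate changes made since the export.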
P220ST
Corporal
Joined: Sep 05, 2006 Posts: 69
Posted: Fri Sep 08, 2006 2:53 pm Post subject:
Negster22,
Of course, at my level, the best thing would be to synthesize all of the routine False Positive databases into a single database to save me the embarrassment of selecting the wrong database. Same goes for True Positives.
Always my biggest grief with these forums is that they target people who don't need them as much as I do by their level of sophistication. I'm a physician, and it's like seeing my mom deathly ill and chucking a copy of The New England Journal onto her bed and shouting "feel better" as the door shuts behind me.
-P220ST
PCBruiser
SRT Team Lead, Forums Admin
Joined: May 11, 2005 Posts: 11723
Posted: Fri Sep 08, 2006 5:06 pm Post subject:
P220ST, take a look at Prevx1. Similar to ProcessGuard, it is HIPS software, but maintains an online database of "good" software, identified by hashes and names (at least I think they use names), and is easier to use than ProcessGuard. Having said that, I personally use both of them (they are compatible with each other, and work somewhat differently) and between the two, it is pretty complete protection against something unknown being installed on your system or worming its way into your system files (they are also examined by Prevx1). We have a forum on that product here.
Regarding ProcessGuard, the critical thing is to use learning mode for the first few days, and open up your most frequently used software, so that ProcessGuard knows what is on your system and permitted. Once you have it trained, it is pretty invisible, except for software installs or changed software. For installs with trusted software (particularly Windows Updates) I usually disable it during the installation, and then immediately turn it on and open the software to get PG trained to recognize it. Even my wife, who is a total computer illiterate, finds it easy to use once it is properly trained. It is very strong software and adds considerable protection.
The combination of both, along with a firewall, AV and some good anti-malware software and gateway protection with a good hardware router/firewall, is pretty hard to crack.
You mention you are a physician, so if you have any medical and/or patient records you should consider some very high quality encryption software to protect them. I am an actuary and currently CFO for a medical malpractice insurer (physician owned and controlled), have helped our insureds in this area, and always recommend strong encryption to protect medical records.
_________________
Don't read? Can't learn!
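The "database of good software identified by hashes" that the post describes is a known-good allow-list: anything running that does not match a trusted hash is surfaced for a human to look up, which is also what the startup and service databases linked earlier in the thread are for. The script below is an added example of that idea applied to the kernel drivers currently loaded; it is not Prevx1's or ProcessGuard's code, the allow-list it carries is a constructed placeholder rather than real data, and the function names are chosen here for illustration. It runs on Windows PowerShell 5.1 or PowerShell 7 without elevation, though some driver images may not be readable to a standard user.

```powershell
# Added example (not from the thread): hash every running kernel driver, check
# the Authenticode signature, and report the ones absent from a local allow-list.
# The allow-list below is constructed for illustration; a real one would be
# built from a known-clean machine or a vendor-maintained database.

$KnownGood = @{
    # SHA256 (uppercase hex) -> description. Placeholder entry, not a real hash.
    "0000000000000000000000000000000000000000000000000000000000000000" = "placeholder entry"
}

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in kernel forms such as
    # \SystemRoot\system32\drivers\x.sys, \??\C:\...\x.sys or system32\drivers\x.sys.
    param([string]$PathName)
    $Path = $PathName
    if ($Path -match '^\\SystemRoot') { $Path = $Path -replace '^\\SystemRoot', $env:SystemRoot }
    $Path = $Path -replace '^\\\?\?\\', ''
    if (-not [System.IO.Path]::IsPathRooted($Path)) { $Path = Join-Path $env:SystemRoot $Path }
    return $Path
}

function Get-RunningDriverHashes {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq "Running" -and $_.PathName } |
        ForEach-Object {
            $Path = Resolve-DriverPath $_.PathName
            if (Test-Path -LiteralPath $Path) {
                $Sig    = Get-AuthenticodeSignature -FilePath $Path
                $Signer = if ($Sig.Status -eq 'Valid') { $Sig.SignerCertificate.Subject } else { "UNSIGNED/$($Sig.Status)" }
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $Path
                    SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
                    Signer = $Signer
                }
            } else {
                # A running driver whose image cannot be found on disk deserves a closer look:
                # either the file is hidden from the file system or the path form is unhandled.
                [pscustomobject]@{ Name = $_.Name; Path = $_.PathName; SHA256 = $null; Signer = "FILE NOT FOUND" }
            }
        }
}

function Get-UnknownDrivers {
    param([hashtable]$AllowList)
    # ContainsKey($null) throws, so drivers with no hash are passed through explicitly.
    Get-RunningDriverHashes | Where-Object { $null -eq $_.SHA256 -or -not $AllowList.ContainsKey($_.SHA256) }
}

# Drivers not on the allow-list are not automatically malicious; they are the ones
# to check against the startup/service databases before deciding anything.
Get-UnknownDrivers -AllowList $KnownGood | Sort-Object Signer, Name | Format-Table -AutoSize
```

With an empty or placeholder allow-list every running driver is reported, which is the expected starting point: the first run on a machine believed clean is what seeds the list. Sorting by signer puts unsigned drivers and drivers whose image is missing from disk at the top of the output, which is where a reviewer's attention belongs.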
P220ST
Corporal
Joined: Sep 05, 2006 Posts: 69
Posted: Fri Sep 08, 2006 6:30 pm Post subject:
PCBruiser,
Thanks for the professional advice. As you are probably aware, doctors, for all their IQ points, are hopelessly illiterate when it comes to computers. Independent analysis comparing medicine with other industries found it to be fifteen years behind the times, computer-wise.
-P220ST
negster22
Security Expert Premium Member
Joined: Mar 10, 2004 Posts: 5394
P220ST
Corporal
Joined: Sep 05, 2006 Posts: 69
Posted: Fri Sep 08, 2006 8:27 pm Post subject:
Negster22,
We're off topic, but who cares. You are absolutely on the mark with that point. Especially as computing philosophy becomes more organic while neurology is being actively considered under the related paradigms of neural nets and neo-Chaos theory. There's a point in time and space just around the bend where these theoretical precepts will converge as a matter of course. Most of the "ways to work the problem" I learned in Med School will be amusing historical footnotes as people with presently incurable neurological diseases will be swiftly cured with an aura of simplicity, or better yet, never afflicted in the first place. DNA is our friend.
And this isn't the LSD talking.
Take Care,
P220ST
wawadave
Special Response Team
Joined: Nov 22, 2002 Posts: 21503 Location: Installing Vista http://tinyurl.com/2l9qyd