stalker
March 29th, 2004, 08:39 PM
Hey, I am using the freeware version of Process Guard 1.300, and have a few general questions about the principles of this driver-based protection ...
1. When having protected zapro.exe (ZoneAlarm firewall), I get this kind of entries:
28 Mar 17:38:19 - [P] d:\windows\system32\lsass.exe [842] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on d:\program files\zone labs\zonealarm\zapro.exe [835]
2. When having protected Winlogon.exe, I get these entries below (I am 100% sure about these two, because I copied them from the log file), and also similar entries after booting Windows, again for the winlogon.exe process (but I don't know which methods they were exactly, so I didn't write them down here):
29 Mar 19:36:59 - [P] d:\windows\system32\svchost.exe [1092] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on d:\windows\system32\winlogon.exe [728]
29 Mar 19:36:59 - [P] d:\windows\system32\winlogon.exe [728] tried to gain WRITE,TERMINATE,SUSPEND access on d:\program files\processguard free\pg_msgprot.exe [1328]
3. And many others on the pg_msgprot.exe process. But not when trying to terminate it, or set CPU priority (like when testing), but entries for programs not related to Proc Guard in any way (as far as I see things). For example, I use one very handy (and actually somewhat similar) program, SUSTAIN, from http://www.securitysoftware.cc/ ...
30 Mar 01:20:27 - [P] d:\cmdfreq\sustain\sustain.exe [1596] tried to gain WRITE,TERMINATE,SUSPEND access on d:\program files\processguard free\pg_msgprot.exe [1328]
30 Mar 01:20:27 - [P] d:\cmdfreq\sustain\sustain.exe [1596] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on d:\windows\system32\winlogon.exe [728]
This program is used to "monitor" a chosen program, and if the program is terminated (or normally closed), SUSTAIN will restart it after a chosen time (specified in seconds in the command line options). So, usually, when starting to monitor (processes owned by antivirus or firewall software), I get ALL alerts, showing that SUSTAIN is trying to WRITE,READ,TERMINATE,SET INFO,GET INFO, SUSPEND ... But the strange thing is, SUSTAIN is working normally anyhow (meaning restarting the chosen processes). So what is happening here ??
Apparently it wanted to "access" pg_msgprot.exe memory space ... but why, because SUSTAIN is 100 % not malicious software, like above in the svchost.exe and winlogon.exe cases ??
And if something was blocked, how is it that it is working just fine (with no failures, or errors, etc, and with all features enabled) ??
Thanks, and best regards
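
For triaging entries like the ones quoted in the post, the following parser groups them by requesting process and protected process and unions the access labels each pair asked for. It is an added example, not part of the original post and not Process Guard's own code; the line format is inferred only from the five lines shown, and the names `parse_line`, `image_name` and `summarize` are hypothetical.

```python
import re
from collections import defaultdict

# Log lines copied from the post above ("[P]" is the only tag shown there).
SAMPLE_LOG = r"""
28 Mar 17:38:19 - [P] d:\windows\system32\lsass.exe [842] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on d:\program files\zone labs\zonealarm\zapro.exe [835]
29 Mar 19:36:59 - [P] d:\windows\system32\svchost.exe [1092] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on d:\windows\system32\winlogon.exe [728]
29 Mar 19:36:59 - [P] d:\windows\system32\winlogon.exe [728] tried to gain WRITE,TERMINATE,SUSPEND access on d:\program files\processguard free\pg_msgprot.exe [1328]
30 Mar 01:20:27 - [P] d:\cmdfreq\sustain\sustain.exe [1596] tried to gain WRITE,TERMINATE,SUSPEND access on d:\program files\processguard free\pg_msgprot.exe [1328]
30 Mar 01:20:27 - [P] d:\cmdfreq\sustain\sustain.exe [1596] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on d:\windows\system32\winlogon.exe [728]
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{2}:\d{2}:\d{2}) - \[P\] "
    r"(?P<src>.+?) \[(?P<src_pid>\d+)\] tried to gain "
    r"(?P<rights>.+?) access on "
    r"(?P<dst>.+?) \[(?P<dst_pid>\d+)\]$"
)

def parse_line(line):
    """Return one event as a dict, or None if the line is not in this format.
    Paths may contain spaces, so each path is anchored on the " [pid]" after it."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["rights"] = {r.strip() for r in ev["rights"].split(",")}
    ev["src_pid"], ev["dst_pid"] = int(ev["src_pid"]), int(ev["dst_pid"])
    return ev

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def summarize(log_text):
    """Group events by (requesting image, protected image); collect unparsed lines."""
    summary = defaultdict(lambda: {"rights": set(), "count": 0})
    skipped = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = parse_line(line)
        if ev is None:
            skipped.append(line)
            continue
        entry = summary[(image_name(ev["src"]), image_name(ev["dst"]))]
        entry["rights"] |= ev["rights"]
        entry["count"] += 1
    return dict(summary), skipped

if __name__ == "__main__":
    pairs, skipped = summarize(SAMPLE_LOG)
    for (src, dst), info in sorted(pairs.items()):
        print(f"{src} -> {dst}: {', '.join(sorted(info['rights']))} (x{info['count']})")
```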