Hi there

The exploration of Process Guard v2.000 continues.......and I much like what I see. Effective and light on resources. However, I have some further questions about Global Hook attempts and attempts to modify services/drivers.

I run NIS2004 and since switching on the Global Hook Protection feature (with a number of the key NIS2004 components protected from modification but all allowing Global Hooks..........thanks to siliconman01 for the steer) I have started noticing instances of:

"c:\windows\system32\services.exe tried to modify......"

either NAVEX15 or NAVENG.

Why should it want/need to do this? Should I protect services.exe and give it modifications rights on other processes?

Similarly, I have noticed that:

"c:\windows\system32\taskswitch.exe was blocked from creating a global low leve; keybooard hook "

"c:\program Files\logitech\mousewares\system\em_exec.exe was bloacked from creating a......."

either "global Get Message Hook "

or "global CBT Hook "

Again, why should it want/need to do this? Is this legitimate activity? And if so should I protect each .exe (using default Block & Allow permissions) and set Allow Global Hooks for each?

Any thoughts or advce gratefully accepted.

Best regards


Baldrick

-{ Quote: "
"c:\windows\system32\services.exe tried to modify......"

either NAVEX15 or NAVENG.

Why should it want/need to do this? Should I protect services.exe and give it modifications rights on other processes?

" }-

I have added Services to PG with ALLOW flags as Write, SetInfo, Terminate, Suspend. In OPTIONS, I have Allow Global Hooks and Allow Driver/Services Install.

-{ Quote: "
"c:\program Files\logitech\mousewares\system\em_exec.exe was bloacked from creating a......."

either "global Get Message Hook "

or "global CBT Hook "" }-

I have em_exec.exe protected by PG; however, have not seen any conflicts requiring any ALLOW flags or OPTIONS. I don't see any reason why you cannot give it OPTIONS- Allow Global Hooks.

-{ Quote: "Similarly, I have noticed that:

"c:\windows\system32\taskswitch.exe was blocked from creating a global low leve; keybooard hook "" }-

I have added Taskswitch.exe to PG with ALLOW flags as Write, SetInfo, Terminate, Suspend. In OPTIONS, I have Allow Global Hooks.

I'm not sure "why" these pgms require these settings; but these are the settings I have found stops the RED logs on them. Perhaps Jason or someone else can get into the "technicals" of them.

BE SURE TO LEAVE THE STANDARD BLOCKS ACTIVE ON THESE.
HTH

Hi siliconman01

Thanks as ever for the info/advice. I have followed this and will see if it does the trick.

At present no other red logs but I will keep my eyes open.

Best regards



Baldrick ;D