View Full Version : Settings Issue
dallen
April 28th, 2004, 11:52 PM
OK. My question is regarding Norton AntiVirus. For some reason I think that I don't have one of the many NAV processes that need protection set up correctly. I say this because everything will be fine one minute, then the next time I restart and look down, my NAV Icon has a big red X through it. Meaning that Auto-Protect is not enabled. When I try to enable it, it gives me an error. So I have to disable PG protection and restart. I think this defeats the purpose of having PG. Here is a screenshot of my protected processes:
http://web.ics.purdue.edu/~dallen/Screenshot.jpg
Here is a list of a portion of the log file that I think is relevant to my problem:
[I highlighted in red what I think is relevant]
-{ Quote: "
28 Apr 20:50:28 - [EXECUTION] c:\windows\pchealth\helpctr\binaries\msconfig.exe with commandline "c:\windows\pchealth\helpctr\binaries\msconfig.exe" was ALLOWED to run
28 Apr 20:58:50 - [EXECUTION] c:\program files\internet explorer\iexplore.exe with commandline "c:\program files\internet explorer\iexplore.exe" was ALLOWED to run
28 Apr 21:02:43 - [EXECUTION] c:\program files\spywareblaster\spywareblaster.exe with commandline "c:\program files\spywareblaster\spywareblaster.exe" was ALLOWED to run
28 Apr 21:31:33 - [EXECUTION] c:\program files\internet explorer\iexplore.exe with commandline "c:\program files\internet explorer\iexplore.exe" was ALLOWED to run
28 Apr 21:36:30 - [P] c:\program files\microsoft office\office11\excel.exe [3236] tried to gain GET INFO access on c:\program files\common files\symantec shared\ccapp.exe [2420]
28 Apr 21:38:54 - [EXECUTION] c:\windows\system32\logonui.exe with commandline logonui.exe /status /shutdown was ALLOWED to run
28 Apr 22:19:57 - Initializing Process Guard over 2 steps. If either step fails some protection may not be active.
28 Apr 22:19:57 - [1 of 2] Success: Driver is active and secure.
28 Apr 22:19:57 - [2 of 2] Success: Process Guard's Protection is currently Enabled.
28 Apr 22:19:57 - General Protection Options
28 Apr 22:19:57 - [1 of 4] Block End-Task is enabled.
28 Apr 22:19:57 - [2 of 4] Block Appinit registry key is enabled.
28 Apr 22:19:57 - [3 of 4] Block Drivers/Services is enabled.
28 Apr 22:19:57 - [4 of 4] Block Global Hooks is enabled.
28 Apr 22:19:57 - [EXECUTION] c:\progra~1\common~1\symant~1\script~1\sbserv.exe with commandline c:\progra~1\common~1\symant~1\script~1\sbserv.exe was ALLOWED to run
28 Apr 22:20:00 - [EXECUTION] c:\windows\system32\slserv.exe with commandline slserv.exe was ALLOWED to run
28 Apr 22:20:00 - [EXECUTION] c:\progra~1\norton~1\norton~2\speedd~1\nopdb.exe with commandline c:\progra~1\norton~1\norton~2\speedd~1\nopdb.exe was ALLOWED to run
28 Apr 22:20:01 - [EXECUTION] c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe with commandline "c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" was ALLOWED to run
28 Apr 22:20:01 - [EXECUTION] c:\windows\system32\zonelabs\vsmon.exe with commandline c:\windows\system32\zonelabs\vsmon.exe -service was ALLOWED to run
28 Apr 22:20:04 - [EXECUTION] c:\progra~1\symantec\liveup~1\lucoms~1.exe with commandline c:\progra~1\symantec\liveup~1\lucoms~1.exe -embedding was ALLOWED to run
28 Apr 22:20:05 - [EXECUTION] c:\windows\system32\imapi.exe with commandline c:\windows\system32\imapi.exe was ALLOWED to run
28 Apr 22:20:06 - [DRIVER/SERVICE] c:\windows\system32\services.exe [792] Tried to modify an existing driver/service named navex15
28 Apr 22:20:09 - [DRIVER/SERVICE] c:\windows\system32\services.exe [792] Tried to modify an existing driver/service named naveng
28 Apr 22:21:44 - [EXECUTION] c:\windows\system32\notepad.exe with commandline "c:\windows\system32\notepad.exe" "c:\program files\diamondcs\processguard\procguard.log" was ALLOWED to run" }-
Pilli
April 29th, 2004, 12:21 AM
Hello Dallen, It looks to me as though you may need to allow the option "Allow driver/service to install" on navex15 & naveng.
Remember that setting these options only affects what a process can do within the protected list relative to other listed programmes.
So if you have the General protection set to Block drivers/services from installing then setting the Allow, for individual processes, will override the General setting for the selected protected process.
Hope this Helps. Pilli
dallen
April 29th, 2004, 01:50 AM
http://web.ics.purdue.edu/~dallen/Screenshot2.jpg
I've highlighted the following screenshot to illustrate the various files that match the file names mentioned in the previous log. I am unsure how to handle this. It seems that I would have to allow each of the files that match the file name to override the general setting. And why is c:\windows\system32\services.exe trying to modify what seems to be a virus definition anyway. And it doesn't seem safe to allow any process to modify a virus definition, but I'm way out of my league here.
Pilli
April 29th, 2004, 04:38 AM
Hi again Dallen, I do not have Norton but others do use it successfully with Process Guard: Hopefully another Norton user can help with your settings.
Please read through this thread: http://www.wilderssecurity.com/showthread.php?t=21756 Which discusses some of the issues.
Thanks. Pilli
Gavin - DiamondCS
April 29th, 2004, 04:45 AM
All that is happening is that NAV is telling services.exe to modify or recreate its service entry. It probably just does this on startup to make sure its service hasn't been removed - and this isn't really effective nor necessary.
Edit
Recommendation : DO allow services/driver install, but contact Symantec support and ask if the next version can stop doing this - or at least modify the service ITSELF, instead of relying on services.exe :)
dallen
April 29th, 2004, 12:01 PM
It starts, but the auto-protect feature [which is critical] is not enabled. So, to answer your question, yes it starts, but it is not functioning properly.
Pilli
April 29th, 2004, 12:16 PM
Hi Dallen, which particular part is not working? Sorry but you appear to have most of NAV's critical parts on your protection list, which are therefore protected, so I assume you are talking about your programme's ability to protect itself, which is probably protected by Process Guard anyway.
Thanks for any clarification - Pilli
dallen
April 29th, 2004, 02:49 PM
Let me be more specific. I will show you screen shots the next time it happens, but in the mean time. I start up my system and sometimes (1/3 approx.) the NAV icon has a Red X through it. Essentially, this means that the auto-protect feature is not enabled, which means that NAV is not working to automatically protect my system from virus. When I try to enable it, I get an error (which I will capture and show you a screenshot as well). In order to restore this functionality, I have to disable PG protection and restart my system (sometimes more than once). Eventually, auto protect is reenabled and then I can restore the PG protection. It seems that Gavin's explanation:
-{ Quote: "All that is happening is that NAV is telling services.exe to modify or recreate its service entry. It probably just does this on startup to make sure its service hasn't been removed - and this isn't really effective nor necessary." }-
Is accurate, but I don't necessarily agree with his recommendation to do nothing. I would really like to set PG to function in cooperation with NAV. I know that there is just some setting that can be modified or adjusted to make this happen. I'm just not smart enough to figure out what exactly to do. This is where all you people that are smarter than I come in.
siliconman01
April 29th, 2004, 02:56 PM
What Dallen is seeing with the NAV icon with the RED X on it is just like PG with RED X on it. There is no NAV virus/trojan/worm/spyware/adware protection active when NAV is disabled (RED X).
My own experience is the same. I have to give Services.exe Options to Install Drivers/Services or NAV will randomly go inactive and also certain features of AOL 9.0 Optimized SE Beta series will not function because it can require some internal services activated when it gets turned on. Just my experience with PG 2.0 on XP-SP1 Home with NIS/NAV 2004 and lots of other stuff.
Pilli
April 29th, 2004, 02:59 PM
Thanks for the clarification Dallen, I understand your concern and am hoping that another NAV user will jump in with some help. ;D Maybe DCS will have some more suggestions also.
EDIT: Thanks Siliconman01, We posted at about the same time :)
Baldrick
April 29th, 2004, 04:11 PM
Hi Dallen
I have followed this thread with interest as I posted a query regarding how you protect the components of NIS2004. From what I can see from your initial post you do not appear to have the key components of NAV in your protect list. Whilst it concerns NIS2004 component protection you may want to have a look at the following thread to see if it gives you any clues:
http://www.wilderssecurity.com/showthread.php?t=28050
Apologies if I have misunderstood your problem and am off the mark with this response.
Regards
Baldrick
PS. What is the name of the Auto Protect .exe that you are protecting?
gkweb
April 29th, 2004, 07:00 PM
Hi Dallen,
I am a NAV2004 user, and in the following screenshot you can see a configuration which works perfectly for me:
(I had to remove lines to reduce file size, not to hide my progs lol)
dog
April 29th, 2004, 11:16 PM
I'm no expert ... I had to play around in the dark - LOL to get what I thought was the proper setup ... I'm glad to see an experienced PC user like gkweb has posted the attachment of his config. My PG setup for Norton AV is just about the same ... just got a few more entries for System Works & NFW and probably some unnecessary ones from the Symantec shared folder ... but it has worked for me.
Thanks gkweb. ;)
dog - *puppy*
Gavin - DiamondCS
April 30th, 2004, 12:26 AM
Thanks for jumping in GKWEB :) I don't use NAV very often and wasn't 100% sure, but yes you will have to allow the service install by the sounds :(
dallen
April 30th, 2004, 05:20 AM
gkweb,
Thank you so much. It is 4:17 am here and I haven't slept, so I will check the details of this in the morning and make the appropriate changes. Thanks to all that have given the time.
dog,
Can you be more specific about the differences you mention in the following:
-{ Quote: "...just got a few more entries for System Works & NFW and probably some unnecessary ones from the Symantec shared folder..." }-
I also use System Works. Thank you.
dallen
May 4th, 2004, 10:23 PM
I appreciate all the help. I think that the process for getting PG set up with common programs such as Zone Alarm and Norton AntiVirus could be streamlined and made easier if one of the experts were to assemble a list of settings and post a locked posting at the top. Frankly, this is becoming very difficult. My NAV still fails randomly and now my ZA is failing. I don't know if this is related, but Spoolsv.exe will begin to consume all of my processor time when I open a program like Word. I am beginning to think that PG is a very good, but over-complicated piece of software.
Here is one specific question:
20 Apr 02:40:18 - [HOOK] c:\program files\msn messenger\msnmsgr.exe[640] was blocked from creating a global Low Level Mouse hook [0000000E][00000000]
20 Apr 02:40:18 - [HOOK] c:\program files\msn messenger\msnmsgr.exe [640] was blocked from creating a global Low Level Keyboard hook [0000000D][00000000]
What is going on here? I think that this is related to showing that I'm online, but I'm not sure. Any insight on this would be greatly appreciated.
The following describes the screenshot below:
Blue: I have a logitec mouse, but why is it wanting to get info and Read my Symantec file? Is there any harm in allowing it to do so?
Green: I think this is contributing to my Zone Alarm failures. Any thoughts on what to do with this would help.
Yellow: I think I fixed this by allowing taskmgr.exe to getinfo. There is no harm in that I hope.
http://web.ics.purdue.edu/~dallen/log.jpg
****************Separate Suggestion********************
One suggestion that may benefit the developers would be that you take the protection one step further and allow the users to assign which programs can be modified by specific programs. I read somewhere in a thread that one user was concerned about allowing services.exe to run rampant on his system. What if instead of giving services.exe permission to install drivers or modify programs you could give services.exe permission to modify only a particular program. Just a thought.
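To make the Process Guard log entries quoted in this thread (the [EXECUTION], [P] and [DRIVER/SERVICE] lines in the first post and the [HOOK] lines above) easier to review, here is an added Python example; it is not code from DiamondCS or from anyone in the thread. It parses the four entry types shown here and lists, per source process, the per-process Allow option that would cover each logged attempt, as Pilli and Gavin describe. The sample lines are constructed from the ones quoted in the thread; the BLOCKED execution and allowed-hook wordings, which do not appear on the page, are assumed.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Process Guard entries quoted in this thread.
SAMPLE_LOG = r"""
28 Apr 20:50:28 - [EXECUTION] c:\windows\pchealth\helpctr\binaries\msconfig.exe with commandline "c:\windows\pchealth\helpctr\binaries\msconfig.exe" was ALLOWED to run
28 Apr 21:36:30 - [P] c:\program files\microsoft office\office11\excel.exe [3236] tried to gain GET INFO access on c:\program files\common files\symantec shared\ccapp.exe [2420]
28 Apr 22:20:06 - [DRIVER/SERVICE] c:\windows\system32\services.exe [792] Tried to modify an existing driver/service named navex15
28 Apr 22:20:09 - [DRIVER/SERVICE] c:\windows\system32\services.exe [792] Tried to modify an existing driver/service named naveng
20 Apr 02:40:18 - [HOOK] c:\program files\msn messenger\msnmsgr.exe[640] was blocked from creating a global Low Level Mouse hook [0000000E][00000000]
20 Apr 02:40:18 - [HOOK] c:\program files\msn messenger\msnmsgr.exe [640] was blocked from creating a global Low Level Keyboard hook [0000000D][00000000]
"""

# Common prefix of every entry: "28 Apr 22:20:06 - [KIND] rest of line"
HEAD_RE = re.compile(r"^(?P<ts>\d{1,2} \w{3} \d{2}:\d{2}:\d{2}) - \[(?P<kind>[A-Z/]+)\] (?P<rest>.*)$")
# Per-kind bodies. Only the wordings quoted in the thread are certain; the
# BLOCKED / allowed alternatives are assumed so the patterns stay symmetric.
BODY_RE = {
    "EXECUTION": re.compile(r"^(?P<src>.+?) with commandline (?P<cmd>.+) was (?P<verdict>ALLOWED|BLOCKED)\b"),
    "P": re.compile(r"^(?P<src>.+?)\s*\[(?P<pid>\d+)\] tried to gain (?P<access>.+?) access on (?P<dst>.+?)\s*\[(?P<dpid>\d+)\]$"),
    "DRIVER/SERVICE": re.compile(r"^(?P<src>.+?)\s*\[(?P<pid>\d+)\] Tried to (?P<action>.+?) named (?P<name>\S+)$"),
    # The PID bracket may follow the path with or without a space (both forms appear in the thread).
    "HOOK": re.compile(r"^(?P<src>.+?)\s*\[(?P<pid>\d+)\] was (?P<verdict>blocked|allowed) (?:from|to) creat\w+ a global (?P<hook>.+?) hook", re.I),
}

def parse_log(text):
    """Turn Process Guard log text into a list of event dicts; lines that do not match are kept raw."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        head = HEAD_RE.match(line)
        if not head:
            events.append({"kind": "UNPARSED", "raw": line})
            continue
        ev = {"ts": head["ts"], "kind": head["kind"]}
        body = BODY_RE.get(head["kind"])
        match = body.match(head["rest"]) if body else None
        if match:
            ev.update(match.groupdict())
        else:
            ev["raw"] = head["rest"]  # known kind, unexpected wording
        events.append(ev)
    return events

def needed_allows(events):
    """Map each source process to the per-process Allow options that would cover its logged attempts
    (driver/service install for services.exe, global hooks for hook creators, access flags between apps)."""
    needs = defaultdict(set)
    for ev in events:
        if ev["kind"] == "DRIVER/SERVICE" and "name" in ev:
            needs[ev["src"]].add(f"Allow driver/service install (service {ev['name']})")
        elif ev["kind"] == "HOOK" and "hook" in ev:
            needs[ev["src"]].add(f"Allow global hooks ({ev['hook']} hook)")
        elif ev["kind"] == "P" and "access" in ev:
            needs[ev["src"]].add(f"Allow {ev['access']} on {ev['dst']}")
    return dict(needs)

if __name__ == "__main__":
    for src, opts in sorted(needed_allows(parse_log(SAMPLE_LOG)).items()):
        print(src, "->", "; ".join(sorted(opts)))
```

Only processes already on the protection list can be given these options, so the output doubles as a list of processes (here services.exe, excel.exe, msnmsgr.exe) to consider adding before changing any flags.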
Peter2150
May 4th, 2004, 11:05 PM
Hi Dallen
I use Zone Alarm and have no problems. I did for reasons now forgotten give svchost.exe all allow privileges. Since it also is protected I don't see any problem there. I also had to give services.exe allow services install under the options for AOL to work. Again services is protected so shouldn't be a problem.
dallen
May 4th, 2004, 11:31 PM
Peter2150,
Svchost.exe already has all allowed.
-{ Quote: "I also had to give services.exe allow services install under the options for AOL to work. " }-
Also I have allowed all for services.exe.
dallen
May 4th, 2004, 11:49 PM
Sorry to make this so long of a thread, but I really want to perfect my PG settings since it is such a vital layer of security. I also see PG to be a complete waste if it's not configured properly, hence my suggestion that someone put together a list of common configuration settings to assist people. Anyway, the following is a screenshot of my current configuration:
http://web.ics.purdue.edu/~dallen/Screenshot.jpg
Gavin - DiamondCS
May 5th, 2004, 12:47 AM
Why are some of those Norton processes blocking READ and GETINFO? This is not needed and you should only block the 4 default flags..
ALLOW privs are a good thing between trusted apps, if you know all your trusted apps are fine then you can go ahead and give them all ALLOW privs. Have you only added allow privs after seeing some logging from certain processes ? It wont hurt to give them more access :)
If you use a browser other than IE, add that too
If you use Trillian or MSN, add those too
dallen
May 5th, 2004, 01:01 AM
-{ Quote: "Why are some of those Norton processes blocking READ and SETINFO ?" }-Gavin, did you mean GETINFO, because SETINFO is set as default for block? I will make the changes to those Norton processes, but only after you clarify this point.
-{ Quote: "ALLOW privs are a good thing between trusted apps, if you know all your trusted apps are fine then you can go ahead and give them all ALLOW privs. Have you only added allow privs after seeing some logging from certain processes ? It wont hurt to give them more access " }-Are you saying that everything that is protected should be given all ALLOW privs? I guess it makes sense, since it is protected, but can you also confirm that is your meaning.
-{ Quote: "If you use a browser other than IE, add that too
If you use Trillian or MSN, add those too" }-I only use IE. Did you mean MSN Messenger should be protected? I do use that service. If so, should I simply protect msmsgs.exe and how should that be set? Thanks for all your help.
Pilli
May 5th, 2004, 02:52 AM
Hi Dallen, With Messenger add it to the protection list, as with all programmes that have access to the internet. Initially I would just give it the default blocks and watch the logging. IE is already a default programme on the protection list.
The Logitech mouse is shown trying to create a low level global hook and is probably to do with mouse "gestures" - if you have no mouse problems just ignore the one-off or few logs that are created.
Task Manager can be listed and given all the allow privileges, although I do not give it terminate allow unless it is needed, i.e. to terminate a protected list programme.
dallen
May 5th, 2004, 03:26 AM
Thanks Pilli,
I discovered what the Logitech was trying to do. It has to do with a function in the scroll wheel. Is there any harm with putting the em_exec.exe (Logitech file that is trying to create a low-level global hook) in my PG protection list and blocking nothing and allowing READ, GETINFO, and ALLOW GLOBAL HOOKS? Please let me know if there is any real danger in that.
Gavin - DiamondCS
May 5th, 2004, 03:40 AM
Sounds ok.. I'd recommend blocking the default blocks on ALL things you add. If anything pops up in the logging then you might need to add an additional process to stop the logging, with allows on both processes.
There is nothing wrong with ALLOWING on trusted processes, and it in effect means that all processes in the list (as long as they are trusted) will work together without any problems. In any case, you should see they work together without adding allow privs so the choice is yours.
Yes, add msnmsgs.exe for users of MSN Messenger, a new trojan does offer injection in MSN / Trillian.
And I did mean GETINFO, not SETINFO :)
Wayne - DiamondCS
May 5th, 2004, 03:48 AM
Dallen,
-{ Quote: "I also see PG to be a complete waste if it's not configured properly" }-
Not necessarily. For the most part, PG protection is on a per-process basis (each process is protected and given privileges depending on what settings you give it in PG), so if you have incorrect or weak settings for one process, that will only affect that process - not any others. Even if you just have one process protected (such as with the free version of PG) then that process still has dramatically increased security.
Also, the first time you run PG it'll ask you if you want to create a default ruleset for your existing system processes. If you choose Yes to that, it'll automatically protect your primary system processes for you, and you should find that there's very few (if any) modifications that will need to be made to that list - all you really need to do then is add your security programs, and then you're set!
WilliamP
May 5th, 2004, 07:52 PM
Dallen, I just want to throw this out. The red X, the disabled NAV, is a common problem. It may not be the same problem you are having. I had it before I had PG. I tried everything posted by support on their web site. Finally gave up and got NOD32.
TheQuest
May 5th, 2004, 08:07 PM
Hi,WilliamP
-{ Quote: "Dallen, I just want to throw this out. The red X, the disabled NAV, is a common problem. It may not be the same problem you are having. I had it before I had PG. I tried everything posted by support on their web site. Finally gave up and got NOD32." }-
Very Good choice NOD32.
TheQuest 8)
dallen
May 5th, 2004, 10:37 PM
-{ Quote: "Dallen, I just want to throw this out. The red X, the disabled NAV, is a common problem. It may not be the same problem you are having. I had it before I had PG. I tried everything posted by support on their web site. Finally gave up and got NOD32." }-William P & TheQuest, I am 100% certain that this problem is associated with PG. The problem began immediately after the installation of PG and both my systems are identically configured. I've heard a lot of people rave about NOD32, but I am satisfied with Symantec and am confident in their system and think that they have earned their position in the market. I know that others are not as loyal; however, this seems to be a matter of personal preference. If I ask you which AV is better, you may argue for NOD32, but many would chime in with supporting evidence in favor of NAV. So who really knows, right?
TheQuest
May 5th, 2004, 11:01 PM
Hi, dallen
I am not saying NOD32 is better than NAV.
I do not use Symantec products any more because of their high resource usage and the conflicts with other software.
In no way do I think you are wrong to stay with a product you like and trust.
I hope you get your system running smooth and bug free soon.
I wish I knew how so I could help.
With regards
TheQuest 8)
Pilli
May 6th, 2004, 06:29 AM
Given the choice between any of my security programmes and Process Guard, Process Guard would win hands down, any other security programs would have to run with it but that is just my personal opinion. ;D
WilliamP
May 6th, 2004, 04:21 PM
Dallen, NAV is a very good AV. I would still be using it if it hadn't started acting up. But if you will check the history on some of the security forums you will find a lot of people with NAV disabling itself for no apparent reason. Hope you get everything straightened out.