Thread: pe guard
Old September 27th, 2009, 07:13 AM
opaida
Re: pe guard

Hi,
About termination: it's not a problem at all, because there are two cases:
1. A virus trying to kill PE Guard: it will fail, like Task Manager.
2. A rootkit trying to kill PE Guard: it will fail because it needs to write a .sys file to do that.

It's the user's problem if he wants to kill my program (manually, with Process Hacker for example). But he won't, because there is an Exit option.

I'll explain the options and the timer in the alert window:
When an alert appears, the user can choose one action from three available actions:
1. "ALLOW": Allow the process to get write access to the requested file.
2. "REVOKE WRITE ACCESS": The process is allowed to get only read access to the requested file.
3. "PREVENT ANY ACCESS": Send Access Denied to the process.
Now, the default action is "REVOKE WRITE ACCESS", so when the countdown timer reaches 0, the default action is selected automatically (that is why the offending process is blocked after the countdown timer).

The timer length = 10 sec (before appear) + 10 sec (countdown).

The 2 checkboxes are independent of the selected action:
1. "Apply to this pair always.": by "this pair", I mean this process only and this file only.
2. "Apply to this process always.": this process only, and any file.


Examples:
You have an alert about process "X" and file "Y":
* If you choose "ALLOW" without checking any checkbox, then process "X" will be allowed to access the file one time only; if it tries to do so again, the alert will reappear.
* If you choose "ALLOW" and check "Apply to this pair always.", then whenever process "X" tries to access file "Y" it will be allowed (if you choose "revoke"/"deny", it will be "revoked"/"denied" always). If process "X" tries to access another file, the alert will appear.
* If you choose "ALLOW" and check "Apply to this process always.", then process "X" will be allowed to access any file (if you choose "revoke"/"deny", it will be "revoked"/"denied" always).
* If you choose "ALLOW" and check both "Apply to this pair always." and "Apply to this process always.", then we are in the last case.


NOTE: although I display the full path of the process's exe file, I identify the process by its PID (Process ID), so if the process is killed and rerun it will have a new PID and PE Guard will identify it as a new process.


GOOD NEWS: I've changed the countdown timer. Now it will stop if the user moves the mouse over the alert window; I think that's better.
THX all .

-sorry for bad English-

Best Regards.
Opaida.
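The decision rules described in the post above (three actions, the "REVOKE WRITE ACCESS" default on timeout, the two "always" checkboxes, and PID-keyed identification) as an added simulation; this is not PE Guard's code, and the access bits, class names and the `prompt` callback are assumptions made for the example:

```python
from enum import Enum
# Assumed access bits for the simulation; not PE Guard's own constants.
READ, WRITE = 0x1, 0x2

class Action(Enum):
    ALLOW = "ALLOW"                       # process gets the access it asked for
    REVOKE_WRITE = "REVOKE WRITE ACCESS"  # read access only
    DENY = "PREVENT ANY ACCESS"           # Access Denied

class PolicyCache:
    def __init__(self):
        self.pair_rules = {}     # (pid, path) -> Action   "Apply to this pair always"
        self.process_rules = {}  # pid -> Action           "Apply to this process always"

    def lookup(self, pid, path):
        if pid in self.process_rules:            # process-wide rule covers any file
            return self.process_rules[pid]
        return self.pair_rules.get((pid, path))  # None -> an alert is needed

    def remember(self, pid, path, action, pair_always, process_always):
        if process_always:                       # both boxes checked == process rule
            self.process_rules[pid] = action
        elif pair_always:
            self.pair_rules[(pid, path)] = action

    def process_exited(self, pid):
        # Rules are tied to the PID: a restarted exe gets a new PID and is treated as new.
        self.process_rules.pop(pid, None)
        for key in [k for k in self.pair_rules if k[0] == pid]:
            del self.pair_rules[key]

def apply_action(action, requested):
    """Return the access mask actually granted, or None for Access Denied."""
    if action is Action.ALLOW:
        return requested
    if action is Action.REVOKE_WRITE:
        return requested & ~WRITE
    return None

def decide(cache, pid, path, requested, prompt):
    """prompt(pid, path) -> (Action or None, pair_always, process_always);
    None as the action models the countdown reaching 0 with no user choice."""
    action = cache.lookup(pid, path)
    if action is None:
        action, pair_always, process_always = prompt(pid, path)
        if action is None:                       # timer expired: default action
            action, pair_always, process_always = Action.REVOKE_WRITE, False, False
        cache.remember(pid, path, action, pair_always, process_always)
    return apply_action(action, requested)
```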