Wilders Security Forums  

  #1  
Old December 9th, 2006, 09:49 PM
knowbodynow knowbodynow is offline
Infrequent Poster
 
Join Date: Sep 2005
Posts: 48
Default Sygate Firewall informing me that ProcessGuard has changed!

Hello,

Recently I have had one or two alerts from my Sygate Firewall that ProcessGuard has changed. Here is a sample of the latest report:

------------------------

The executable has changed since the last time you used: C:\Program Files\ProcessGuard\procguard.exe
File Version : 3.4.1.0
File Description : GUI Aspect of ProcessGuard
File Path : C:\Program Files\ProcessGuard\procguard.exe
Process ID : 0x468 (Heximal) 1128 (Decimal)

------------------------

What does this mean? Has ProcessGuard been nobbled? I've run various checks including AVG, Counterspy, Spybot S&D and Hijack This. No malware has been detected.

Hope someone can help.

Thanks,

CaH
  #2  
Old December 10th, 2006, 12:09 AM
KDNeese KDNeese is offline
Frequent Poster
 
Join Date: Dec 2005
Posts: 236
Default Re: Sygate Firewall informing me that ProcessGuard has changed!

Quote:
Originally Posted by knowbodynow
Hello,

Recently I have had one or two alerts from my Sygate Firewall that ProcessGuard has changed. Here is a sample of the latest report:

------------------------

The executable has changed since the last time you used: C:\Program Files\ProcessGuard\procguard.exe
File Version : 3.4.1.0
File Description : GUI Aspect of ProcessGuard
File Path : C:\Program Files\ProcessGuard\procguard.exe
Process ID : 0x468 (Heximal) 1128 (Decimal)

------------------------

What does this mean? Has ProcessGuard been nobbled? I've run various checks including AVG, Counterspy, Spybot S&D and Hijack This. No malware has been detected.

Hope someone can help.

Thanks,

CaH

I wouldn't get too excited about it. It's basically speaking of the MD5 signature of the program. Many times when programs are updated the MD5 hash changes. Most firewalls keep track of programs' hashes, and alert you when it has changed. This happens all the time with certain security software that I use, especially after an update. I don't know if you have updated PG recently, but if you have, that's probably your answer. There are multiple reasons why security software hashes change, but if your other security software didn't find any problems, I wouldn't worry about it. I get those kinds of messages all the time from my firewall, and I know my system is clean. I've gotten pretty used to warnings. Also, you can always verify the MD5 hash at the PG website and make sure everything is in order. From your warning message there seems to be some alteration to the user interface. Did you add or remove any menus, functions, etc.? If so, that would generate the warning from Sygate, most likely.
  #3  
Old December 10th, 2006, 05:51 AM
knowbodynow knowbodynow is offline
Infrequent Poster
 
Join Date: Sep 2005
Posts: 48
Default Re: Sygate Firewall informing me that ProcessGuard has changed!

Thanks for the reply. I haven't updated ProcessGuard recently, nor changed the settings. I'd be grateful if you would tell me how I go about verifying the MD5 hash. I've never done this before and I couldn't see any information about it at the DiamondCS site.

Thanks again,

CaH
  #4  
Old December 11th, 2006, 02:07 PM
Paranoid2000 Paranoid2000 is offline
Security Expert
 
Join Date: May 2004
Location: North West, United Kingdom
Posts: 2,839
Default Re: Sygate Firewall informing me that ProcessGuard has changed!

ProcGuard.exe should not change under normal circumstances so either Sygate is in error or some other program is "interfering" (PG itself should alert on a changed ProcGuard so I would suspect the former).

You can use an MD5 checksum utility (MD5File being a simple one) to check the file manually or run another program that verifies program checksums like System Safety Monitor (SSM does a similar job to PG but adds many other features). If neither of these confirms any change in ProcGuard then give Sygate a good seeing to for raising a false alarm.

Last edited by Paranoid2000 : December 11th, 2006 at 02:14 PM.
  #5  
Old December 11th, 2006, 05:25 PM
knowbodynow knowbodynow is offline
Infrequent Poster
 
Join Date: Sep 2005
Posts: 48
Default Re: Sygate Firewall informing me that ProcessGuard has changed!

Thanks for the reply, I've been thinking of trying out System Safety Monitor. Is it possible to run it with ProcessGuard running or would it be best to disable or uninstall ProcessGuard?

Cheers,
CaH
  #6  
Old December 11th, 2006, 05:38 PM
Paranoid2000 Paranoid2000 is offline
Security Expert
 
Join Date: May 2004
Location: North West, United Kingdom
Posts: 2,839
Default Re: Sygate Firewall informing me that ProcessGuard has changed!

SSM will run with PG perfectly well - SSM's installation does need to load a driver (like most other security software nowadays) so you need to uncheck PG's "Block Rootkit..." option while installing it but that should be the only issue.
  #7  
Old December 12th, 2006, 12:58 AM
redwolfe_98 redwolfe_98 is offline
Frequent Poster
 
Join Date: Feb 2002
Location: South Carolina, USA
Posts: 518
Default Re: Sygate Firewall informing me that ProcessGuard has changed!

If you are going to run "System Safety Monitor", I wouldn't run PG along with it, since I would expect SSM to provide the same type of protection that PG does.
  #8  
Old December 13th, 2006, 10:27 PM
Ice_Czar Ice_Czar is offline
Frequent Poster
 
Join Date: May 2002
Location: Boulder Colorado
Posts: 696
Default Re: Sygate Firewall informing me that ProcessGuard has changed!

Quote:
Originally Posted by KDNeese
I don't know if you have updated PG recently.

exactly

While my firewall can do some rudimentary checking on apps,
I've been using FileChecker (install as a Windows Service) for years now to monitor my security apps for changes with only a slight delay to real time. Installed as a service with ProcessGuard watching it, it's sort of a chicken-and-the-egg problem, I'd think, for the vast majority of automated malware. Which then needs to go and wipe its NT event log.

the idea occurs to me to use a .bat file to generate my own security checksum benchmarks on a regular basis with fsum or Hash. Virtually eliminating the possibility that an automated tool can find all the logs.
__________________
ceterum censeo (in my opinion) Vista delenda est. (Vista must be destroyed)
It's time to switch
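
Added example, not part of any post in this thread: a minimal version of the manual checksum verification suggested in post #4 and the scheduled checksum baseline floated in post #8, written in Python as a stand-in for utilities such as MD5File or fsum. It records MD5 (so the value can be compared with what those tools print) next to SHA-256 (which the comparison relies on); the file names, their contents and the baseline location are constructed for the demo and are assumptions.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def file_digests(path, chunk=65536):
    """MD5 and SHA-256 of a file, read in chunks so large binaries are fine."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def write_baseline(paths, baseline_file):
    """Record digests of the watched files in a JSON baseline."""
    baseline = {p: file_digests(p) for p in paths}
    Path(baseline_file).write_text(json.dumps(baseline, indent=2))
    return baseline

def check(paths, baseline_file):
    """Compare current files with the baseline: ok, changed, missing or new."""
    baseline = json.loads(Path(baseline_file).read_text())
    report = {}
    for p in sorted(set(paths) | set(baseline)):
        if not os.path.isfile(p):
            report[p] = "missing"
        elif p not in baseline:
            report[p] = "new"
        elif file_digests(p)["sha256"] != baseline[p]["sha256"]:
            report[p] = "changed"
        else:
            report[p] = "ok"
    return report

def demo():
    """Runs against constructed stand-in files, not real ProcessGuard binaries."""
    d = tempfile.mkdtemp()
    gui, svc, extra = (os.path.join(d, n) for n in ("procguard.exe", "service.exe", "extra.dll"))
    Path(gui).write_bytes(b"GUI build 3.4.1.0")
    Path(svc).write_bytes(b"service")
    base = os.path.join(d, "baseline.json")  # assumption: kept elsewhere in real use
    write_baseline([gui, svc], base)
    Path(gui).write_bytes(b"GUI build 3.4.1.0 plus extra bytes")  # modified executable
    os.remove(svc)                                                # deleted file
    Path(extra).write_bytes(b"x")                                 # never baselined
    report = check([gui, svc, extra], base)
    return {os.path.basename(p): status for p, status in report.items()}
```

A baseline is only as trustworthy as the moment it was taken and the place it is stored, so it should be written from a known-good install and kept somewhere the monitored system cannot rewrite it.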
 

All times are GMT -4. The time now is 09:40 AM.


Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums