Wilders Security Forums  

#1
June 9th, 2005, 11:04 PM
Wayne - DiamondCS
Security Expert
Join Date: Jul 2002
Location: Perth, Oz
Posts: 1,533
Notice for PG users who use the Block Rootkit\Driver Install feature

For ProcessGuard users who take advantage of the "Block Rootkit\Driver\Service Installation" feature, it is recommended that you disallow system32\services.exe from being able to install drivers, as some programs are (legitimately) using services.exe to install drivers on behalf of the calling program.

Thanks to gottadoit for his testing and assistance with this.
__________________
DiamondCS (Est. 1986) - Celebrating 20 Years ...
Home of Port Explorer, ProcessGuard, and check out all our other freeware security tools!
#2
June 10th, 2005, 02:24 AM
linney
Regular Poster
Join Date: Feb 2002
Posts: 174
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

Are you saying the "driver install" Allow for Services.exe should be turned On only in a case by case scenario when legitimate software request it?

Can you clarify how and when we should allow Services.exe to install a driver and when we shouldn't, or are you saying we shouldn't, full stop?
#3
June 10th, 2005, 03:27 AM
Wayne - DiamondCS
Security Expert
Join Date: Jul 2002
Location: Perth, Oz
Posts: 1,533
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

It's best to leave it off by default so that services.exe drivers are initially blocked. If you do get any drivers installing via services.exe for programs that you want to use then you can easily re-enable it, run the program and then re-disable it. Most programs install drivers themselves as opposed to going via services.exe so they won't be affected by settings changes to services.exe.
#4
June 10th, 2005, 03:57 AM
Paranoid2000
Security Expert
Join Date: May 2004
Location: North West, United Kingdom
Posts: 2,839
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

Wayne,

This was an issue with PG3 beta Services.exe installing a driver (PG3 final) that was supposed to have been fixed (with both services.exe and the calling program needing Install Drivers privilege) - are you saying that this is not 100% reliable?
#5
June 10th, 2005, 04:16 AM
Wayne - DiamondCS
Security Expert
Join Date: Jul 2002
Location: Perth, Oz
Posts: 1,533
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

That's correct, we had developed a unique method to determine which program was using services.exe but at this stage it seems it isn't always possible to determine this, unfortunately. No other program has ever been able to do it, if that gives you an idea of how tricky this is. At this stage it's not possible for us to say if we'll be able to extend it to determine the original caller of all services.exe-invoked driver installations - it just might not be possible (not everything is), so for now it's recommended you simply turn off Allow Driver Installation for services.exe if you use the Block Rootkit\Driver Installation feature. This is only related to one feature of ProcessGuard, and has no affect on any of the other features.
#6
June 30th, 2005, 08:02 AM
nice to see you :)
Posts: n/a
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

Do you mean I should uncheck the install driver box in services.exe?
#7
June 30th, 2005, 09:12 AM
richrf
Very Frequent Poster
Join Date: Dec 2003
Posts: 1,907
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

Hi Wayne,

For informational purposes, when I remove install services privileges from services.exe, I cannot turn off System Restore from the machine. It needs to be re-enabled and then disabled.

Rich
#8
August 31st, 2005, 05:02 PM
Nevoeci
Infrequent Poster
Join Date: Aug 2005
Posts: 4
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

Hey guys, I'm a newbie. After purchasing ProcessGuard there was a note stating:

if you use rootkit blocking, disallow system32\services.exe from being able to install drivers.

How is this done, and what effect will it have on the rest of the OS?

Thanks, nevoeci
#9
September 7th, 2005, 12:28 AM
redwolfe_98
Frequent Poster
Join Date: Feb 2002
Location: South Carolina, USA
Posts: 518
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

nevoeci, just go to "protection", select "services.exe", then, down at the bottom, uncheck the box for "install driver/services"..

i wish that we could allow "services.exe" to only install selected drivers.. my isp program (AOL 9.0 optimized) uses "services.exe" to install a driver every time i log on to the internet..
#10
September 7th, 2005, 01:41 AM
gottadoit
Security Expert
Join Date: Jul 2004
Location: Australia
Posts: 589
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

Quote:
Originally Posted by redwolfe_98
nevoeci, just go to "protection", select "services.exe", then, down at the bottom, uncheck the box for "install driver/services"..

i wish that we could allow "services.exe" to only install selected drivers.. my isp program (AOL 9.0 optimized) uses "services.exe" to install a driver every time i log on to the internet..
redwolfe_98,
I had hoped that DCS might have provided a solution to this issue by now. The workaround is fine as a short-term fix, but a real solution would be appreciated; let's hope that a fix, or even an extension of this functionality, is included in one of the next round of updates.

There are obvious limitations in not showing what the originating program *might* be in the alert, because it raises the requirement for the end user to know what is happening.

There is also the small issue that "Learning" mode could quite easily give services.exe that privilege back again, and turning it off could easily be overlooked.

RegDefend is also useful for blocking drivers and services, and you can specify the "driver name" that each program is allowed to install. It is also more usable by giving an allow/deny prompt, so you are not fiddling around in the PG GUI configuration all the time.

This is a step further along in being able to specify what programs are allowed to load drivers, as you have requested, but it doesn't ensure that the correct driver file is specified in the ImagePath for the driver/service or that the correct file is on disk. Seeing as I have both PG and GSS/RD, I have opted to use the more user-friendly of the two to block drivers.

Regards
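gottadoit's point above is that neither tool confirms what the ImagePath of a driver/service entry points at, or whether that file is actually on disk. The read-only PowerShell check below is an added example, not part of this thread, ProcessGuard or RegDefend; it walks the Services key, resolves each driver entry's ImagePath the way the loader does, and lists drivers that are set to load but whose file is missing. It assumes the standard HKLM\SYSTEM\CurrentControlSet\Services layout; the function names are my own.

```powershell
# Added example: audit kernel/file-system driver service entries for a missing on-disk file.
# Read-only; runs without elevation (keys it cannot read are skipped).
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$sysRoot = $env:SystemRoot

function Resolve-DriverPath {
    param([string]$Name, [string]$ImagePath)
    # No ImagePath at all: the loader defaults to System32\drivers\<ServiceName>.sys
    if ([string]::IsNullOrWhiteSpace($ImagePath)) {
        return (Join-Path $sysRoot "System32\drivers\$Name.sys")
    }
    $p = $ImagePath.Trim().Trim('"')
    # \SystemRoot\... is relative to the Windows directory
    if ($p -match '^\\SystemRoot\\(.*)$') { return (Join-Path $sysRoot $Matches[1]) }
    # \??\C:\... is an NT object-manager path to a normal drive letter path
    if ($p -match '^\\\?\?\\(.*)$')        { return $Matches[1] }
    # Already an absolute drive letter path
    if ($p -match '^[A-Za-z]:\\')          { return $p }
    # Anything else (e.g. system32\DRIVERS\x.sys) is relative to the Windows directory
    return (Join-Path $sysRoot $p)
}

function Get-DriverServiceReport {
    Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { return }
        # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER; skip user-mode services
        if ($props.Type -ne 1 -and $props.Type -ne 2) { return }
        $path = Resolve-DriverPath -Name $_.PSChildName -ImagePath $props.ImagePath
        [pscustomobject]@{
            Service   = $_.PSChildName
            Start     = $props.Start      # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
            ImagePath = $props.ImagePath
            Resolved  = $path
            OnDisk    = (Test-Path -LiteralPath $path -PathType Leaf)
        }
    }
}

$report = Get-DriverServiceReport
# Entries registered to load (not disabled) with no file at the resolved path deserve a look:
# a stale uninstall leaves one, but so does a driver entry pointing somewhere unexpected.
$report | Where-Object { -not $_.OnDisk -and $_.Start -ne 4 } |
    Format-Table Service, Start, ImagePath, Resolved -AutoSize
```

Run it after a program has been granted a one-off driver install via services.exe, then compare the full `$report` against a copy taken beforehand to see exactly which entry was added.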
#11
September 26th, 2005, 07:57 AM
Incognito
Posts: n/a
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

Keeps re-enabling itself on my PC, usually after running installers. Are you sure this actually accomplishes anything?
#12
September 26th, 2005, 07:59 AM
Paranoid2000
Security Expert
Join Date: May 2004
Location: North West, United Kingdom
Posts: 2,839
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

Quote:
Originally Posted by Incognito
Keeps re-enabling itself on my PC, usually after running installers. Are you sure this actually accomplishes anything?
This is a symptom of running PG in Learning Mode - check that you have it disabled (it should only be used when setting up PG).
#13
September 26th, 2005, 09:16 AM
Incognito
Posts: n/a
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

I haven't used learning mode since I installed PG. After I've allowed a few game installers to install drivers/services (they fail otherwise) they modify services.exe.

I'll use Battlefield 2 as my example since it has its own [well publicized] problems with PG.

I guess it's just another reason to disable PG when running installers.
#14
October 29th, 2005, 09:40 AM
The Seeker
Frequent Poster
Join Date: Oct 2005
Location: Buxton, UK
Posts: 859
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

After following Wayne's advice my ProcessGuard is no longer able to initialise after a reboot, therefore I cannot re-enable the change I made.

Has this happened to anyone else and if so, how did you remedy it?

Thanks in advance.

Edit - Never mind, I just rebooted again and it seems to be working fine.

While I'm here though, has anyone else's PG not been able to initialise on start up? I found it a bit worrying as it was providing no protection.

Last edited by The Seeker : October 29th, 2005 at 09:50 AM.
#15
November 3rd, 2005, 12:43 AM
gottadoit
Security Expert
Join Date: Jul 2004
Location: Australia
Posts: 589
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

That happens to me from time to time; it is something I have to check after a reboot. I agree that it can be a little annoying at times, but hopefully that will be fixed by the time of the next release.

Edit: The thing that usually alerts me to the fact that it isn't running, when I forget, is when a rundll32 execution takes place (opening Control Panel or plugging in a USB HDD), because I have rundll32 set to prompt. I just put up with the popup fatigue that it creates and read the command line arguments each time.
#16
December 3rd, 2005, 11:04 PM
Jan J
Infrequent Poster
Join Date: Dec 2005
Location: Skokie, Illinois
Posts: 22
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

My first post here....

It took me a while to determine what was preventing a new hardware driver from loading, until I remembered this thread and re-checked that "install driver" box on services.exe....

I had just reloaded the computer, and was new to ProcessGuard, too (after reading this thread a couple of days ago). It was the first time I re-attached my DV Transverter to the FireWire port since the reload, and it didn't load the driver -- or work.

Checked the box, logged out, back in, and re-connected the Transverter, loaded driver, verified that Transverter worked, and then un-checked the "install driver" box for services.exe.

That's the proper way to add hardware, correct?
#17
February 24th, 2006, 09:36 PM
iNsuRRecTioN
Frequent Poster
Join Date: Sep 2003
Location: Germany
Posts: 303
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

Hey,

@Jan J, nooo, that's the wrong way..

Sorry, just joking, it's correct.

But back to the topic, is there any news on this?

Is the problem now solved with PG 3.3?!

Hopefully there is now a way to permit specified drivers to install and deny all others..

best regards,

iNsuRRecTiON
__________________
..One of the best Ad-Blocker, filters popups and other "normal" ads, fast, tiny and works with every web browser:AdMuncher!
(Now almost for free if you "pay" with TrialPay..!)
Emails to me at Insurrection_MailNOSPAMPLEASE ([at-sign]) gmx dot NET
#18
March 22nd, 2006, 06:11 PM
zoril
Frequent Poster
Join Date: May 2005
Posts: 243
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

Re the above posts regarding services.exe - drivers/services apart, what are the other recommended settings for this key?

Do you suggest leaving the other boxes enabled or disabled? - I mean under "other option" - install Global Hooks/Access Physical Memory/ Secure Message handling and under "Authorize to" - terminate/modify/read...

What do most of you have your settings configured to for Services.exe?

Howard
#19
March 22nd, 2006, 06:48 PM
redwolfe_98
Frequent Poster
Join Date: Feb 2002
Location: South Carolina, USA
Posts: 518
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

for "services.exe", under "other options", the default setting is to have "install driver/services" checked, with none of the other options there checked..

however, it is advised to not have "install drivers/services" checked (for "services.exe").. the problem is that many times, "services.exe" wants to legitimately install drivers/services.. so, in that case, you can leave it checked, or you will have to switch the setting back and forth..

most people would probably leave it checked, but i recently started trying to switch the setting back and forth.. so, i have to switch it on before starting a certain program, and then switch it off after i have started the program..

i only have one program that requires that services.exe be allowed to install a driver/service, AOL..
#20
March 22nd, 2006, 07:00 PM
zoril
Frequent Poster
Join Date: May 2005
Posts: 243
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

Thanks for that information.

Re "Authorize to" - terminate/modify/read for services.exe is the default normally enabled or disabled for any, or all of them?

.....Howard
#21
March 22nd, 2006, 07:16 PM
redwolfe_98
Frequent Poster
Join Date: Feb 2002
Location: South Carolina, USA
Posts: 518
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

"protect this application from"

reading, unchecked, the others checked

"authorize this application to"

terminate protected applications, UNCHECKED, the others, checked..
#22
March 22nd, 2006, 08:13 PM
zoril
Frequent Poster
Join Date: May 2005
Posts: 243
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

Thanks again for that.

I wonder if having "protection enabled" unticked, would completely disable PG - like at times when I need to install new software/system restore/ or download/install drivers etc, or would the settings ticked/unticked earlier still remain in place and cause a problem, if they were incorrectly configured?

Howard
#23
March 22nd, 2006, 08:57 PM
redwolfe_98
Frequent Poster
Join Date: Feb 2002
Location: South Carolina, USA
Posts: 518
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

if you uncheck "protection enabled" on PG's "main" panel, then PG's protection is completely disabled.. it won't matter what the settings are in PG's "protection"..

incidentally, you should disable PG's protection and close all of PG's running processes before uninstalling PG, if you ever want to uninstall it..

if you think that you have goofed up PG's "protection" settings, you can "reset to default", on PG's "protection" panel, and start over..

i usually disable all of the protection on my computer when installing things like windows updates, drivers, or other programs, but i will still scan my downloads with my av before installing something.. i guess that it is up to the individual whether or not they want to temporarily disable PG's protection for whatever reason, and others might know better than i do..
#24
March 22nd, 2006, 09:17 PM
zoril
Frequent Poster
Join Date: May 2005
Posts: 243
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

I will remember that if I ever need to uninstall or install programs/drivers
#25
June 17th, 2006, 02:19 AM
biteater
Infrequent Poster
Join Date: Jun 2006
Location: near Amsterdam, The Netherlands
Posts: 3
Re: Notice for PG users who use the Block Rootkit\Driver Install feature

Checking "install driver/services" on and off for "services.exe" is not very handy. "services.exe" NEEDS this privilege for starting McAfee VirusScan 8i right; otherwise the driver for buffer overflow protection and network protection is not loaded. Do you have any suggestion, please?
Thanks, Fred


Quote:
Originally Posted by redwolfe_98
for "services.exe", under "other options", the default setting is to have "install driver/services" checked, with none of the other options there checked..

however, it is advised to not have "install drivers/services" checked (for "services.exe").. the problem is that many times, "services.exe" wants to legitimately install drivers/services.. so, in that case, you can leave it checked, or you will have to switch the setting back and forth..

most people would probably leave it checked, but i recently started trying to switch the setting back and forth.. so, i have to switch it on before starting a certain program, and then switch it off after i have started the program..

i only have one program that requires that services.exe be allowed to install a driver/service, AOL..
 
