Notice for PG users who use the Block Rootkit\Driver Install feature

Discussion in 'ProcessGuard' started by Wayne - DiamondCS, Jun 9, 2005.

  1. Wayne - DiamondCS (Security Expert)

    For ProcessGuard users who take advantage of the "Block Rootkit\Driver\Service Installation" feature, it is recommended that you disallow system32\services.exe from being able to install drivers, as some programs are (legitimately) using services.exe to install drivers on behalf of the calling program.

    Thanks to gottadoit for his testing and assistance with this.
  2. linney (Registered Member)

    Are you saying the "driver install" Allow for Services.exe should be turned On only in a case by case scenario when legitimate software request it?

    Can you clarify how and when we should allow Services.exe to install a driver and when we shouldn't, or are you saying we shouldn't, full stop?
  3. Wayne - DiamondCS (Security Expert)

    It's best to leave it off by default so that services.exe drivers are initially blocked. If you do get any drivers installing via services.exe for programs that you want to use then you can easily re-enable it, run the program and then re-disable it. Most programs install drivers themselves as opposed to going via services.exe so they won't be affected by settings changes to services.exe.
  4. Paranoid2000 (Registered Member)

    Wayne,

    This was an issue with PG3 beta Services.exe installing a driver (PG3 final) that was supposed to have been fixed (with both services.exe and the calling program needing Install Drivers privilege) - are you saying that this is not 100% reliable?
  5. Wayne - DiamondCS (Security Expert)

    That's correct, we had developed a unique method to determine which program was using services.exe but at this stage it seems it isn't always possible to determine this, unfortunately. No other program has ever been able to do it, if that gives you an idea of how tricky this is. At this stage it's not possible for us to say if we'll be able to extend it to determine the original caller of all services.exe-invoked driver installations - it just might not be possible (not everything is), so for now it's recommended you simply turn off Allow Driver Installation for services.exe if you use the Block Rootkit\Driver Installation feature. This is only related to one feature of ProcessGuard, and has no effect on any of the other features.
  6. nice to see you :) (Guest)

    Do you mean uncheck the install driver box in services.exe?
  7. richrf (Registered Member)

    Hi Wayne,

    For informational purposes, when I remove install services privileges from services.exe, I cannot turn off System Restore from the machine. It needs to be re-enabled and then disabled.

    Rich
  8. Nevoeci (Registered Member)

    Hey guys, I'm a newbie. After purchasing ProcessGuard there was a note stating

    if you use rootkit blocking to disallow system32\services.exe from being able to install drivers,

    How is this done, and what effect will it have on the rest of the OS?

    Thanks, nevoeci
  9. redwolfe_98 (Registered Member)

    nevoeci, just go to "protection", select "services.exe", then, down at the bottom, uncheck the box for "install driver/services"..

    I wish that we could allow "services.exe" to only install selected drivers.. my ISP program (AOL 9.0 Optimized) uses "services.exe" to install a driver every time I log on to the internet..
  10. gottadoit (Security Expert)

    redwolfe_98,
    I had hoped that DCS might have provided a solution to this issue by now. The workaround is fine as a short term fix, but a real solution would be appreciated; let's hope that a fix, or even an extension of this functionality, is included in one of the next round of updates.

    There are obvious limitations in not showing what the originating program *might* be in the alert because it raises the requirement for the end user to know what is happening.

    There is also the small issue that "Learning" mode could quite easily give services.exe that privilege back again, and turning it off could easily be overlooked.

    Regdefend is also useful for blocking drivers and services and you can specify the "driver name" that each program is allowed to install. It is also more usable by giving an allow/deny prompt so you are not fiddling around in the PG GUI configuration all the time

    This is a step further along in being able to specify what programs are allowed to load drivers, as you have requested, but it doesn't ensure that the correct driver file is specified in the ImagePath for the driver/service or that the correct file is on disk. Seeing as I have both PG and GSS/RD, I have opted to use the more user friendly of the two to block drivers.

    Regards
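One way to recover the visibility the posts above say is missing (which driver or service an installer actually added while the services.exe privilege was temporarily re-enabled, and whether each entry's ImagePath really resolves to a file on disk) is to snapshot the driver entries under HKLM\SYSTEM\CurrentControlSet\Services before the install and diff afterwards. The PowerShell below is an added example written for this thread, not code from DiamondCS, ProcessGuard or RegDefend; the function names Resolve-ImagePath, Get-DriverService and Compare-DriverSnapshot are my own, and it assumes a Windows host with PowerShell 4.0 or later (for Get-FileHash) running elevated so every service key is readable.

```powershell
# Added example (not part of ProcessGuard or RegDefend): audit kernel and
# file-system driver services from the registry and diff two snapshots taken
# around a driver installation.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePath {
    # Normalise the forms commonly seen in driver ImagePath values to an absolute path.
    param([string]$ImagePath)
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                       # \??\C:\...       -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\...  -> C:\Windows\...
    $p = $p -replace '^%SystemRoot%\\', "$env:SystemRoot\"  # %SystemRoot%\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # System32\drivers\x.sys
    return $p
}

function Get-DriverService {
    # One object per driver service (Type 1 = kernel driver, 2 = file-system driver).
    Get-ChildItem -Path $ServicesKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.ImagePath -and ((1, 2) -contains $props.Type)) {
            $resolved = Resolve-ImagePath $props.ImagePath
            $onDisk   = Test-Path -LiteralPath $resolved
            [pscustomobject]@{
                Name      = $_.PSChildName
                Start     = $props.Start   # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
                ImagePath = $props.ImagePath
                Resolved  = $resolved
                OnDisk    = $onDisk
                # SHA-256 of the file so a replaced driver binary shows up as 'Changed'.
                Hash      = if ($onDisk) { (Get-FileHash -LiteralPath $resolved -Algorithm SHA256).Hash } else { $null }
            }
        }
    }
}

function Compare-DriverSnapshot {
    # Report driver services that were added, removed or changed between two snapshots.
    param([object[]]$Before, [object[]]$After)
    $b = @{}; foreach ($d in $Before) { $b[$d.Name] = $d }
    $a = @{}; foreach ($d in $After)  { $a[$d.Name] = $d }
    foreach ($name in $a.Keys) {
        if (-not $b.ContainsKey($name)) {
            [pscustomobject]@{ Change = 'Added';   Name = $name; ImagePath = $a[$name].ImagePath; OnDisk = $a[$name].OnDisk }
        } elseif ($a[$name].ImagePath -ne $b[$name].ImagePath -or $a[$name].Hash -ne $b[$name].Hash) {
            [pscustomobject]@{ Change = 'Changed'; Name = $name; ImagePath = $a[$name].ImagePath; OnDisk = $a[$name].OnDisk }
        }
    }
    foreach ($name in $b.Keys) {
        if (-not $a.ContainsKey($name)) {
            [pscustomobject]@{ Change = 'Removed'; Name = $name; ImagePath = $b[$name].ImagePath; OnDisk = $false }
        }
    }
}

# Usage: snapshot, re-enable "install driver/services" for services.exe in PG,
# run the program, re-disable the privilege, snapshot again, and diff.
$before = Get-DriverService
Read-Host 'Run the installer / program now, then press Enter'
$after = Get-DriverService
Compare-DriverSnapshot -Before $before -After $after | Format-Table -AutoSize

# Separately: any driver entry whose ImagePath does not resolve to a file on disk.
$after | Where-Object { -not $_.OnDisk } | Format-Table Name, ImagePath, Resolved -AutoSize
```

The diff tells you exactly which entry the program created through services.exe, so the decision about whether to keep the privilege re-enabled for that program is made on the driver it installed rather than on the prompt alone; the second query covers the gap gottadoit mentions, an entry whose ImagePath points at nothing on disk.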
  11. Incognito (Guest)

    Keeps re-enabling itself on my PC, usually after running installers. Are you sure this actually accomplishes anything?
  12. Paranoid2000 (Registered Member)

    This is a symptom of running PG in Learning Mode - check that you have it disabled (it should only be used when setting up PG).
  13. Incognito (Guest)

    I haven't used learning mode since I installed PG. After I've allowed a few game installers to install drivers/services (they fail otherwise) they modify services.exe.

    I'll use Battlefield 2 as my example since it has its own [well publicized] problems with PG.

    I guess it's just another reason to disable PG when running installers.
  14. The Seeker (Registered Member)

    After following Wayne's advice my ProcessGuard is no longer able to initialise after a reboot, therefore I cannot re-enable the change I made.

    Has this happened to anyone else and if so, how did you remedy it?

    Thanks in advance.

    Edit - Never mind, I just rebooted again and it seems to be working fine.

    While I'm here though, has anyone else's PG not been able to initialise on start up? I found it a bit worrying as it was providing no protection.
    Last edited: Oct 29, 2005
  15. gottadoit (Security Expert)

    That happens to me from time to time; it's something that I have to check after a reboot. I agree that it can be a little annoying at times, but hopefully that will be fixed by the time of the next release.

    Edit: The thing that usually alerts me to the fact that it isn't running when I forget is when a rundll32 execution takes place (opening control panel or plugging in a USB HDD) because I have rundll32 set to prompt and I just put up with the popup fatigue that it creates and read the command line arguments each time
  16. Jan J (Registered Member)

    My first post here....

    It took me a while to determine what was preventing a new hardware driver from loading, until I remembered this thread and re-checked the "install driver" box on services.exe....

    I had just re-loaded the computer and was new to ProcessGuard too (after reading this thread a couple of days ago). It was the first time I re-attached my DV Transverter to the Firewire port since the re-load, and it didn't load the driver -- or work.

    Checked the box, logged out, back in, and re-connected the Transverter, loaded driver, verified that Transverter worked, and then un-checked the "install driver" box for services.exe.

    That's the proper way to add hardware, correct?
  17. iNsuRRecTioN (Registered Member)

    Hey,

    @Jan J, nooo that's the wrong way.. :eek: :D

    :D :cool: sorry, just joking, it's correct :p

    But back to the topic, are there any news to this?

    Is the problem now solved with PG 3.3 o_O ?!

    Hopefully there is now a way to permit specified drivers to install and deny all others..

    best regards,

    iNsuRRecTiON
  18. zoril (Registered Member)

    Re the above posts regarding services.exe - drivers/services apart, what are the other recommended settings for this key?

    Do you suggest leaving the other boxes enabled or disabled? - I mean under "other option" - install Global Hooks/Access Physical Memory/ Secure Message handling and under "Authorize to" - terminate/modify/read...

    What do most of you have your settings configured to for Services.exe?

    Howard
  19. redwolfe_98 (Registered Member)

    For "services.exe", under "other options", the default setting is to have "install driver/services" checked with none of the other options there checked..

    However, it is advised to not have "install drivers/services" checked (for "services.exe").. the problem is that many times, "services.exe" wants to legitimately install drivers/services.. so, in that case, you can leave it checked, or you will have to switch the setting back and forth..

    Most people would probably leave it checked, but I recently started trying to switch the setting back and forth.. so, I have to switch it on before starting a certain program, and then switch it off after I have started the program..

    I only have one program that requires that services.exe be allowed to install a driver/service, AOL..
  20. zoril (Registered Member)

    Thanks for that information:))

    Re "Authorize to" - terminate/modify/read for services.exe is the default normally enabled or disabled for any, or all of them?

    .....Howard
  21. redwolfe_98 (Registered Member)

    "protect this application from"

    reading, unchecked, the others checked

    "authorize this application to"

    terminate protected applications, UNCHECKED, the others, checked..
  22. zoril (Registered Member)

    Thanks again for that:)))

    I wonder if having "protection enabled" unticked, would completely disable PG - like at times when I need to install new software/system restore/ or download/install drivers etc, or would the settings ticked/unticked earlier still remain in place and cause a problem, if they were incorrectly configured?

    Howard
  23. redwolfe_98 (Registered Member)

    if you uncheck "protection enabled" on PG's "main" panel, then PG's protection is completely disabled.. it won't matter what the settings are in PG's "protection"..

    incidentally, you should disable PG's protection and close all of PG's running processes before uninstalling PG, if you ever want to uninstall it..

    if you think that you have goofed up PG's "protection" settings, you can "reset to default", on PG's "protection" panel, and start over..

    I usually disable all of the protection on my computer when installing things like Windows updates, drivers, or other programs, but I will still scan my downloads with my AV before installing something.. I guess that it is up to the individual whether or not they want to temporarily disable PG's protection for whatever reason, and others might know better than I do..
  24. zoril (Registered Member)

    I will remember that if I ever need to uninstall or install programs/drivers:)
  25. biteater (Registered Member)

    Checking on and off "install driver/services" for "services.exe" is not very handy. "services.exe" NEEDS this privilege for starting McAfee VirusScan 8i right; otherwise the driver for buffer-overflow protection and the network protection is not loaded. Do you have any suggestion please?
    Thanks, Fred