I was just wondering about some odd behaviour by PG which I can't explain. I wondered if anyone might be able to shed some light. I downloaded and installed a game (winbr34.exe, a self-extracting exe containing 43 objects). The shortcut to the game points to a file called mvpbr.exe. When I double click the shortcut or the actual file (mvpbr.exe is not on the protection or security tab) the game loads without PG blocking it (even though execution protection is enabled). Notepad also runs (an order form in notepad pops up when the game is closed). I checked the alerts tab and noticed that ntvdm.exe had started, command line: "c:\windows\system32\ntvdm.exe" -f-i3-w-a c:\windows\system32\krnl386.exe. ntvdm.exe was in the protection tab with default allows (term+mod, mod+read) and access phys mem, but not in the security tab (why does ntvdm.exe start?). I removed ntvdm.exe from the protection tab and set notepad.exe to be blocked on the security tab. Now the game loads and PG shows no alerts, other than that notepad.exe has been blocked from starting (how does the game load without any alerts from PG to say it has started?). Anyone have any ideas? Thanks
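The two questions in the post above (why ntvdm.exe starts, and why mvpbr.exe never appears as a started process) have the same root cause when the game is a 16-bit program: Windows does not create a process for a 16-bit image at all, it starts ntvdm.exe (with krnl386.exe for Win16 programs, which is what that command line shows) and loads the game inside it, so an execution control keyed on the image name sees only ntvdm.exe. The following added example, which is not from the thread or from Process Guard, inspects the executable headers to predict which process an execution monitor would actually see. It assumes the file is a Windows-style MZ image; the sample images, the `mvpbr.exe` path and the rule names are constructed for illustration.

```python
import ntpath
import struct

# Process that actually hosts a 16-bit program on 32-bit Windows NT systems.
NTVDM_HOST = "ntvdm.exe"


def _mz_image(e_lfanew: int, secondary: bytes) -> bytes:
    """Build a constructed MZ image: a 64-byte DOS header whose e_lfanew field
    (offset 0x3C) points at `secondary`, followed by that secondary header."""
    header = bytearray(64)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    body = bytes(header).ljust(e_lfanew, b"\0") if e_lfanew else bytes(header)
    return body + secondary


# Constructed sample images (not files from the thread).
SAMPLE_PE32 = _mz_image(0x80, b"PE\0\0" + struct.pack("<H", 0x14C))  # native 32-bit PE
SAMPLE_NE16 = _mz_image(0x40, b"NE" + b"\0" * 62)                     # 16-bit Windows (Win16)
SAMPLE_DOS = _mz_image(0, b"")                                          # plain DOS program


def classify_executable(data: bytes) -> dict:
    """Return the image format and the process that would host it.

    PE images run as their own process; NE (Win16) and plain DOS images are
    loaded into ntvdm.exe, so the image name never shows up as a new process.
    """
    if len(data) < 64 or data[:2] != b"MZ":
        return {"format": "not an MZ image", "host": None}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # A bare DOS program has no meaningful e_lfanew (zero, or beyond the file).
    if e_lfanew < 64 or e_lfanew + 4 > len(data):
        return {"format": "MZ (DOS)", "host": NTVDM_HOST}
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == b"PE\0\0":
        machine = None
        if e_lfanew + 6 <= len(data):
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
        return {"format": f"PE (machine 0x{machine:04x})" if machine is not None else "PE",
                "host": "image itself"}
    if sig[:2] == b"NE":
        return {"format": "NE (16-bit Windows)", "host": NTVDM_HOST}
    # Anything else behind an MZ header is treated as a DOS program here.
    return {"format": "MZ (no PE/NE header, treated as DOS)", "host": NTVDM_HOST}


def process_seen_by_exec_control(path: str, data: bytes) -> str:
    """Name an image-name-based execution rule would have to match for this
    file: the file itself for PE images, ntvdm.exe for 16-bit ones. This is why
    a rule on mvpbr.exe never fires while an allow on ntvdm.exe covers every
    16-bit program on the machine."""
    info = classify_executable(data)
    if info["host"] == NTVDM_HOST:
        return NTVDM_HOST
    return ntpath.basename(path).lower()


def audit(rules: dict, path: str, data: bytes) -> str:
    """Apply a constructed {image_name: 'allow'|'block'} rule table the way a
    name-keyed execution monitor would, and report what it decides."""
    seen = process_seen_by_exec_control(path, data)
    decision = rules.get(seen, "prompt")
    return f"{path}: {classify_executable(data)['format']} -> process {seen} -> {decision}"


if __name__ == "__main__":
    # Constructed rule table mirroring the post: nothing on mvpbr.exe, an
    # allow on ntvdm.exe inherited from learning mode, notepad blocked.
    rules = {"ntvdm.exe": "allow", "notepad.exe": "block"}
    print(audit(rules, r"c:\games\mvpbr.exe", SAMPLE_NE16))
    print(audit(rules, r"c:\windows\notepad.exe", SAMPLE_PE32))
    print(audit(rules, r"c:\games\setup.exe", SAMPLE_DOS))
```

Run against the constructed samples, the 16-bit game resolves to ntvdm.exe and is allowed by the learning-mode rule without mvpbr.exe ever being evaluated, which is the behaviour the post describes; the practical check is to classify an unfamiliar executable before deciding whether an existing allow on ntvdm.exe is acceptable.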
Just set my system back before the game install. Removed ntvdm.exe from the protection tab and blocked notepad.exe from starting. The installation of the game couldn't proceed without ntvdm.exe being able to access physical memory (which it did have the first time I installed). Maybe it's the physical memory access that allows strange things to happen?
PG can be bypassed/disabled if a process can access physical memory. We were talking about this in another thread. I have ntvdm.exe set to access physical memory. I didn't set it that way. I have been running PG in learning mode and it got set that way in learning mode. I think I will deny it access to physical memory and see what happens. I also had PG give Internet Explorer access to physical memory during learning mode. I have changed that as I don't want IE, of all things, to have that ability. See this thread, post #4: https://www.wilderssecurity.com/showthread.php?t=97907
Thanks for that Mele20. I also just found an explanation for it here as well: https://www.wilderssecurity.com/showthread.php?t=67259&highlight=ntvdm.exe