I recently reset the "defaults" in PG's (PG 3.15) "protection", and after I rebooted, PG did not recognize my Kerio firewall or Ewido. Those two running processes were not automatically added to PG's protection. I tried rebooting a second time, still in learning mode, but the two processes (and maybe also ewidoctrl.exe) were still not recognized. I tested this a second time, resetting PG's "defaults", but had the same results. Perhaps the reason that PG did not recognize these two running processes was because they run at the kernel level. If so, wouldn't that mean that, likewise, any malware running at the kernel level would get past PG? Maybe PG 3.3beta is a move towards patching this security hole?
Why would they be added to the protection list automatically? AFAIK, in learning mode files are just added to the security list, and if they require special permissions then they'll be added to the protection list.
Really low services can start before PG (unless you use the option to set PG's driver to SYSTEM), but with PG active on a system you can't install services. They have to get there somehow for it to be any issue. Obviously starting the driver earlier is more secure in a sense, but there is no difference to a booted system.
Wouldn't starting PG's driver at BOOT instead of SYSTEM be better (i.e. meaning PG would start as early as possible)?
Maybe I just never noticed before that some running processes (that I see in Task Manager, after logging in) were not automatically added to PG's protection when PG is in learning mode. Many of the running processes were automatically added to PG's "protection", but a few were not.
Hi Redwolfe. You could try shutting down those apps, then, with PG running, start them up again manually; PG should spot them this time. That's what I did a while ago when I noticed an exe or two weren't there that should have been. I also noticed they started before PG, even with PG starting as 'system'.
BOOT is before the filesystem is active! And also before any Win32 processes are running. Perhaps at some time, BOOT will be an option. Not yet, as this driver will not function as a BOOT driver. A boot driver will also be more unstable and needs more work put in for very minimal gain in real world terms. It would be nice of course.
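To see for yourself which kernel drivers load in an earlier start phase (Boot vs. System vs. later) than a given protection driver, here is an added PowerShell example that is not from this thread or from the ProcessGuard developers. The service name `procguard` is a placeholder assumption; substitute the real driver name from `HKLM\SYSTEM\CurrentControlSet\Services`.

```powershell
# Added example: rank kernel drivers by start phase and show which running drivers
# load before the protection driver. $ProtectionDriver is a hypothetical name.
param([string]$ProtectionDriver = 'procguard')

# Start phases in load order; values match the registry "Start" DWORD (0 = Boot ... 4 = Disabled).
$phaseOrder = @{ 'Boot' = 0; 'System' = 1; 'Auto' = 2; 'Manual' = 3; 'Disabled' = 4 }

# Win32_SystemDriver exposes StartMode ('Boot','System','Auto','Manual','Disabled') and State.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Select-Object Name, StartMode, State, PathName

$target = $drivers | Where-Object { $_.Name -eq $ProtectionDriver }
if (-not $target) {
    Write-Warning "Driver '$ProtectionDriver' not found; listing all drivers by start phase."
}

# Full picture: every driver, earliest phase first.
$drivers |
    Sort-Object { $phaseOrder[$_.StartMode] }, Name |
    Format-Table Name, StartMode, State -AutoSize

if ($target) {
    # Drivers that are running now and whose phase precedes the protection driver's phase.
    $earlier = @($drivers | Where-Object {
        $_.State -eq 'Running' -and
        $phaseOrder[$_.StartMode] -lt $phaseOrder[$target.StartMode]
    })
    "`n$($earlier.Count) running driver(s) load in an earlier phase than '$ProtectionDriver' ($($target.StartMode)):"
    $earlier | Sort-Object Name | Format-Table Name, StartMode, PathName -AutoSize
}
```

Within a single phase the actual order is set by the ServiceGroupOrder list and each service's Group/Tag values, so two drivers in the same phase can still load in either order.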