PG3 - Correct Protection Settings for Various EXEs

Hi--

I am still more or less a newb with PG 3.0, and probably a lot of users are as well seeing as how the final is only a few days "out in the wild".

So I was wondering, maybe scattered around there is bits of info here and there on the "best" way to configure PG for various services, but I would love for someone (Jason, Wayne, or any other knowledgable member) to post the official recommended "Protection Tab" settings for the following processes:

Code:

Protect From:     Authorize To:      Options:
 T   M   R         T   M   R      IGH IDS APM SMH
====================================================
[X] [X] [ ]       [X] [X] [X]     [ ] [ ] [ ] [ ]      [COLOR=DarkRed]ad-aware.exe[/COLOR]
[X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [X] [ ]      alg.exe
[X] [X] [ ]       [X] [X] [X]     [ ] [ ] [ ] [ ]      apm.exe
[ ] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      [COLOR=DarkRed]ati2evxx.exe[/COLOR] [ati catalyst 4.10]
[X] [X] [ ]       [ ] [ ] [ ]     [X] [ ] [ ] [ ]      [COLOR=DarkRed]cryptosuite.exe[/COLOR]
[X] [X] [ ]       [X] [X] [X]     [ ] [ ] [X] [ ]      csrss.exe
[X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      dllhost.exe
[X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      dwwin.exe
[X] [X] [ ]       [ ] [ ] [ ]     [ ] [ ] [ ] [ ]      [COLOR=DarkRed]emule.exe[/COLOR]
[X] [X] [ ]       [ ] [X] [X]     [X] [ ] [ ] [ ]      explorer.exe
[X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      helpsvc.exe
[X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      hh.exe
[X] [X] [ ]       [ ] [X] [X]     [X] [ ] [X] [ ]      iexplore.exe
[X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      [COLOR=DarkRed]javaw.exe[/COLOR]
[X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [X] [ ]      lsass.exe
[X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      mmc.exe
[X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      msdtc.exe
[X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      msiexec.exe
[X] [X] [ ]       [X] [X] [X]     [ ] [ ] [ ] [ ]      [COLOR=DarkRed]nod32krn.exe[/COLOR]
[X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [X] [ ]      ntvdm.exe
[X] [X] [ ]       [ ] [ ] [ ]     [ ] [X] [ ] [ ]      [COLOR=DarkRed]Opera.exe[/COLOR]
[X] [X] [ ]       [X] [X] [X]     [ ] [ ] [ ] [ ]      [COLOR=DarkRed]portexplorer.exe[/COLOR]
[X] [X] [ ]       [X] [X] [X]     [ ] [X] [ ] [ ]      [COLOR=DarkRed]procexp.exe[/COLOR] [process explorer]
[X] [X] [ ]       [ ] [ ] [ ]     [ ] [ ] [ ] [ ]      [COLOR=DarkRed]proxomitron.exe[/COLOR]
[X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      regsvr32.exe
[X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [X] [ ]      rundll32.exe
[X] [X] [ ]       [X] [X] [X]     [X] [X] [ ] [ ]      [COLOR=DarkRed]securitysuite.exe[/COLOR] (Ewido)
[X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      services.exe
[X] [X] [ ]       [ ] [X] [X]     [ ] [X] [X] [ ]      smss.exe
[X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [X] [ ]      svchost.exe
[X] [X] [ ]       [X] [ ] [X]     [ ] [ ] [ ] [ ]      taskmgr.exe
[X] [X] [ ]       [X] [X] [X]     [ ] [ ] [X] [ ]      [COLOR=DarkRed]trojanhunter.exe[/COLOR]
[X] [X] [ ]       [ ] [X] [X]     [ ] [ ] [ ] [ ]      vssvc.exe

99% of these are Microsoft code, part of a standard XP install. The 3rd party ones I listed in red (ati, ad-aware, nod32, etc)

I realize it's a long list, but maybe this can become some sort of sticky thread if we can get some definitive answers. I am starting off the chart with my settings and will fill in and update it as people post. Thanks!!

 

Hmm.. thought this thread would be more popular.. guess you all have your settings perfect then? If that's the case, care to share your experience for the rest of us?

 

Exactly... which is why a definitive list is absolutely necessary. Learning mode is GREAT but it should not be relied on (IMHO) to automatically provide the most secure or efficient settings.

You just gave a great example -- iexplore.exe -- does it need "Access Physical Memory" or not? If it doesn't need it, why do you have it on?

More examples, if someone, during their "Learning Mode" period, runs some app that uses services.exe to install a driver, well guess what: now services.exe will get the "install drivers/services" privilege. We have all seen the various posts here from DCS that recommend that services.exe NOT be given this permission, as it is a security risk.

SO... yes learning mode is great but this list is still sorely needed IMHO. To help out I have updated my original post with my current settings to get this started... if anyone has changes that should be made let me know and I will update it.

 

Hi all,

First of all:

This problem has been adressed by now and now it looks like this: PG can now control which apps call services.exe to have their driver/service installed. Now, programs that have the "install drivers/services" privilege can do so either by directly doing it or by having services.exe doing the job. OTOH, programs that don't have that privilege are not allowed to call services.exe to do it for them. Quite ingenious, if you ask me.

The only thing you have to remember is that, now, services.exe does have to have "install drivers/services" allowed !
No risk in that, because, as I said, the access to services.exe itself is now patrolled.

HTH,
Andreas

 

Now for the specific settings:

I suppose it's that IE works with glitches or slower when this is off. And then it's a tradeoff, to be made by the one who's using the program. I have it off, but I am not using IE anyway. (Even my firewall won't let IE pass. In PG, I have removed all allowances from both IE and OE, but left them protected so that nothing could attack them.)

Here are some settings of mine:

Code:

Protect From:     Authorize To:      Options:
 T   M   R         T   M   R      IGH IDS APM SMH
====================================================
[X] [X] [ ]       [ ] [ ] [ ]     [ ] [X] [ ] [ ]      Opera.exe
[X] [X] [ ]       [ ] [ ] [ ]     [ ] [ ] [ ] [ ]      emule.exe
[X] [X] [ ]       [ ] [ ] [ ]     [ ] [ ] [ ] [ ]      proxomitron.exe
[X] [X] [ ]       [X] [X] [X]     [ ] [ ] [ ] [ ]      Almost all malware scanners i have, with the exception of:
[X] [X] [ ]       [X] [X] [X]     [X] [X] [ ] [ ]      securitysuite.exe (Ewido)
[X] [X] [ ]       [X] [X] [X]     [ ] [ ] [X] [ ]      trojanhunter.exe
[X] [X] [ ]       [X] [X] [X]     [ ] [ ] [ ] [ ]      apm.exe
[X] [X] [ ]       [ ] [ ] [ ]     [X] [ ] [ ] [ ]      cryptosuite.exe
[X] [X] [ ]       [X] [X] [X]     [ ] [X] [ ] [ ]      procexp.exe
[X] [X] [ ]       [X] [X] [X]     [ ] [ ] [X] [ ]      portexplorer.exe
[X] [X] [ ]       [X] [X] [X]     [X] [ ] [ ] [ ]      taskmgr.exe

Also, I have explorer.exe replaced, both as a window manager and as a file manager. Therefore, it has only T+M protection, nothing else.
The window manager has

Code:

[X] [X] [ ]       [X] [X] [X]     [X] [ ] [ ] [ ]      blackbox.exe

and the same for the file manager.

Those malware scanners and guard with T+M protection and T+M+R authorization include: spywareblaster.exe, sgmain.exe (spywareguard), RegRun's Onsecure.exe Watchdog.exe and regrun2.exe, SpyBotsd.exe and it's teatimer.exe and update.exe, a2guard.exe and a2scan.exe, sweepsrv.sys and wsweepnt.exe (Sophos), tds-3.exe and it's services.exe ntsvcexp.exe ntlansvc.exe mem_obj.exe, and TrojanHunter's thguard.exe autostartexplorer.exe netstatviewer.exe and processviewer.exe.

In some of the cases, I'm not sure - e.g. whether or not teatimer.exe needs terminate priv. or why opera seems to need to install a driver (it continues to work when I have it disallowed, but I'll do more research later).
So much for now.

HTH,

Andreas

 

Hi Luckman212,

I have the same questions and posted it in a different way in another thread. There doesn't seem to be any information that answers your questions at this point. So what I am doing is just waiting and accumulating information and see what is said. When I feel like I know enough about the product to use it then I will make the purchase. I figure it will take a few months.

In the meantime, I have adopted a more conservative web browsing behavior and I am also in the process if putting some image copy procedures in place on my computers which I feel will be the fallback of last resort if I am hit by a virus or malicious trojan again. There is so much stuff out there, I think it is very difficult for the secuirty vendors to stay totally on top of things. New holes are being found all the time. The good news is that I have noticed that the amount of malware (mostly unwanted cookies) on my computers have really subsided with a wiser surfing behavior.

Rich

 

First thank you for all the info.

Where is this documented? Nowhere is this mentioned in the users manual, at least not that I could find. Nice to know, but I feel this stuff is important enough to be documented in the Help file.

As to your specific EXE settings, I have incorporated them into my master list, above.
except for a couple, which I have questions on:

1) Why does Taskmgr.exe need "install global hooks" ?
2) Why does portexplorer.exe need "access physical memory" ?

both of these work fine on my system without the above privs.

 

i like this, posting recommended settings for various applications.. i have been wanting to suggest to dcs that they do that.. lets do make this a sticky and continue to develop it..

 

To be honest, I don't know the answer to either question. AFAIR, not even Jason could say - without doing much digging - why PE needs Access Phys. Memory. I just noticed these two programs requesting the mentioned privileges and being blocked in my PG log. I trust them sufficiently to simply allow them what they want there and to not even risk instabilities because of being over-cautious.

But if someone knows what happens exactly, I might as well change my mind there...

Sorry not to be able to tell you more.
Andreas

 

I just want to say that I support this effort and will be looking over the list and adding any information I can. Mostly, I will be using the information this thread accumulates. I hope that the moderators will support this effort.

Peter2150,
I think learning mode simply makes PG more "user friendly." However, I think that everyone should manually verify and configure PG to ensure that PG is configured properly. Not ensuring proper configuration and solely relying on learning mode is risky.

 

When I installed PG 3.100 - checked the four protection tabs - rebooted. Opened some security programs etc - rebooted again.

I had 3 windows components that are allowed to install drivers, services.exe ( wich has been explained why it is so ) and also smss.exe and csrss.exe.

Also winlogon.exe was grated termination authority.

Now im a PG noob and prior to installing this prog I had no idea what a global hook was... But I think more explanation needs to be done to the core windows system processes and what they should be able to do.

I dont really need to know why explorer.exe should be granted authority to for instance install global hooks.

An idea is to have 3 kinds of settings perhaps for the core programs PG is supposed to protect.

1 - the Paranoids setting

2 - the Secure setting

3 - the hassle free setting

You would be able to from the GUI individually set these three settings to the core processes by the default button for instance.

Just an idea ... thats all ...


/DaK/

 

Actually a few months back I had this same question about how to configure process guard. I posted a request and got very little response. I even recommend that Diamonds make a list of most commonly used programs and what the ideal settings would be for them, but it never happened I know Diamonds is very busy, but I just wish there were some guide lines for inexperienced users to go by. I still love all my Diamonds products. They are the best and I recommend them to everyone.

 

Hi Arctic, We are compiling a database but it is a time consuming and long term effort.
With 3.1 at least a lot of the heartache is taken by learning mode, very few programs are now causing incompatabilities and most of these have been discussed here with many solutions found.

Cheers. Pilli

 

If you follow Andreas1's updated advice in the sticky thread then you are covered for the worst of what has been discussed so far. The main thing left is the potential for a program to be "run once" during startup without prior authorisation [prior to the PG Gui being loaded]

As Peter2150 observes, you are miles better off than someone that doesn't have PG because the simpler and quite probably more common types of exploit just won't work now

Jason said that DCS are compiling a database of this information but that he wasn't sure when it would be ready for public consumption. Presumably that is what Pilli is referring to

 

I think a list and recommended settings is cool and all but why not go further?

The idea is to make PG usable for a broader customer base. I cant possibly recommend PG to most of my friends no matter how good it is simply cuz they dont have the know how to work with it.

Learning mode is a very cool first step. But we all agree that the default settings have to be rather loose in order to get a hassle free start up for most users / systems.

For example - Mr Noob who has PG installed and default settings enabled after learning mode gets an email from his anti virus software company stating that there is a new nasty virus out there infecting the core windows executable infectme.exe. Mr Noob freaks out, opens PG and selects the protection tab, marks infectme.exe right clicks and chooses Paranoid mode for this file.

Now Mr Noob does not need to know what global hooks are etc etc. And the paranoids setting would be a setting for the specefied file that works but not on all systems - ie its not "hassle free".

But perhaps it isnt even possible to make PG lets say "average" computer know how user friendly...

Ah well whatever -- ill stop - tend to write essays full of nothing heh

/DaK/

 

I have the same questions as to which privileges to give programs. I think a sticky would be a great idea. Perhaps someone at Diamond could even post a snapshot here showing their PG protection settings on one of their computers. Not to give away anything confidential but just to allow us to see how to set up the Windows processes, common programs and Diamond programs correctly.