After uninstalling PG 1.3 and installing PG 2.0, I noticed that pg_msgprot.exe is still privileged, but the file is absent. This means that any hostile app can copy itself to the old location and name of pg_msgprot.exe and hijack the privileges it was assigned. The PG installer should alert on any privileges assigned to non-existent files to avoid this danger. -hojtsy-
Hi hojtsy, this is not correct, as the MD5 signature will change for the offending file and you will be alerted by the Secure Desktop. Simple to try: rename any other file, for example notepad.exe, as pg_msgprot.exe, then try to run it. Having said that, I do agree that an alert would be nice if a file is no longer installed and/or has been moved. HTH, Pilli
There is no checksum for pg_msgprot.exe, as the file is absent. Execution would go unnoticed if done during the learning period, or the user could also think that the pg_msgprot.exe in the Process Guard directory is legitimate and grant it execution rights later. -hojtsy-
Hi Hojtsy, in theory you are right. However, the only reason that program is in the protection list is if it is held over from using the old pguard.dat. A brand new user shouldn't see it. Also, since the program isn't run there is no process to attack, so a hacker would have to know that exe name, and where to place it, for what you are suggesting to work. The simple solution for now is to simply remove that exe from the program protection list, and all its privileges are gone. Jason may come up with a permanent solution.
The fact that execution blocking could possibly catch the dropper is no reason to omit the safe configuration of privileges. With that reasoning you could drop the privilege system and the generic protections altogether. Yes, the entry is left over from the PG 1.3 config for me, and for several other PG users. I already removed it, but how many of them were observant enough to remove it? All I suggest is to check for non-existent files on installation - trivial to implement, and I see no drawbacks. -hojtsy-
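As an added illustration of the two checks discussed in this thread (hojtsy's stale-entry check for privileges granted to files that no longer exist, and the recorded-hash comparison Pilli relies on), here is example code that is not part of Process Guard or any poster's code; the list layout and every file name other than pg_msgprot.exe are constructed for the demo.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class ProtectedEntry:
    # One entry of a hypothetical protection list: path, privileges granted,
    # and the MD5 recorded when the entry was created (None if never hashed).
    path: str
    privileges: tuple
    recorded_md5: Optional[str]

def md5_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def audit_protection_list(entries: List[ProtectedEntry]) -> Dict[str, str]:
    """Map each entry's file name to a finding. 'stale-privileged' is the case
    raised in the thread: an absent file that still carries privileges, so a
    file dropped at that path would inherit them and there is no hash to
    compare it against. 'hash-mismatch' is a present file whose on-disk MD5
    no longer matches the recorded one."""
    findings = {}
    for e in entries:
        name = os.path.basename(e.path)
        if not os.path.isfile(e.path):
            findings[name] = "stale-privileged" if e.privileges else "missing-unprivileged"
        elif e.recorded_md5 is None:
            findings[name] = "unhashed"
        elif md5_of(e.path) != e.recorded_md5:
            findings[name] = "hash-mismatch"
        else:
            findings[name] = "ok"
    return findings

def demo() -> Dict[str, str]:
    # Constructed sample: a temp directory stands in for the PG install directory.
    with tempfile.TemporaryDirectory() as d:
        present = os.path.join(d, "present_app.exe")
        replaced = os.path.join(d, "replaced_app.exe")
        for p in (present, replaced):
            with open(p, "wb") as f:
                f.write(b"original binary contents")
        entries = [
            ProtectedEntry(os.path.join(d, "pg_msgprot.exe"), ("allow-terminate",), None),
            ProtectedEntry(present, ("allow-terminate",), md5_of(present)),
            ProtectedEntry(replaced, ("allow-terminate",), md5_of(replaced)),
        ]
        with open(replaced, "wb") as f:   # simulate the file being swapped out
            f.write(b"something else entirely")
        return audit_protection_list(entries)
```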