Process Guard - getting log entries for processes, I think I shouldn't ...

Hey, I am using freeware version of Process Guard 1.300, and have few general questions about this driver-based protection princips ...



1. When having proteced zapro.exe (Zona Alarm firewall), I get this kind of entries:

28 Mar 17:38:19 - [P] d:\windows\system32\lsass.exe [842] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on d:\program files\zone labs\zonealarm\zapro.exe [835]


2. When having protected Winlogon.exe, I get this entries bellow (I am 100% sure for this two, cause I copied them from log file), and also similar entries after booting Windows, again for winlogon.exe process (but I don't know, which methods were exactly, so I didn't wote them down here):


29 Mar 19:36:59 - [P] d:\windows\system32\svchost.exe [1092] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on d:\windows\system32\winlogon.exe [728]

29 Mar 19:36:59 - [P] d:\windows\system32\winlogon.exe [728] tried to gain WRITE,TERMINATE,SUSPEND access on d:\program files\processguard free\pg_msgprot.exe [1328]


3. And many others on pg_msgprot.exe process. But not when trying to terminate it, or set CPU priority (like when testing), but entries for programs not related to Proc Guard in any way (as far as I see things). For example, I use one very handy (and actually somehow similar) program SUSTAIN from http://www.securitysoftware.cc/ ...


30 Mar 01:20:27 - [P] d:\cmdfreq\sustain\sustain.exe [1596] tried to gain WRITE,TERMINATE,SUSPEND access on d:\program files\processguard free\pg_msgprot.exe [1328]

30 Mar 01:20:27 - [P] d:\cmdfreq\sustain\sustain.exe [1596] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on d:\windows\system32\winlogon.exe [728]


This program is used to "monitor" choosen program and if program is terminated (or normally closed), SUSTAIN will restart it after choosen time (specified in seconds in command line options). So, usually, when starting to monitor (antivirus or firewall software owned processes), I get ALL alerts, showing, that SUSTAIN is trying to WRITE,READ,TERMINATE,SET INFO,GET INFO, SUSPEND ... But the strange thing is, SUSTAIN is working normally anyhow (meaning restarting choosen processes). So what is happening here ??

Appearantly it wanted to "access" pg_msgprot.exe memory space ... but why, cause SUSTAIN is 100 % not malicious software, like above in svchost.exe, and winlogon.exe cases ??


And if something was blocked, how it is, that it is working just fine (with no failures, or errors, etc, and with all features enabled) ??



Thanks, and best regards

 

All of that is perfectly normal.

what you see, is programs _requesting _ privileges to either Terminate or Write for instance, that means to open a process with many privileges, for afterwards, if needed, to be able to indeed Terminate the process (for instance).

For instance, your program "monitor" request a FULL access to your processes to be able to have all information it wants and to do whatever it wants on them, but Process Guard simply does it job and blocks these accesses which could be from a malware.

If you trust these programs filling your log, add them to your protection list, and give them necessary privileges in the ALLOW area, these allowances applies to other protected processes only.

examples :
lsass.exe WRITE, TERMINATE, SET INFO, SUSPEND
sustain.exe WRITE, TERMINATE, SET INFO, SUSPEND, READ, GET INFO

here i am talking of the column "Allowed Privileges".

regards,

gkweb.