Discussion in 'ProcessGuard' started by Antarctica, Mar 9, 2005.
Any idea why Spysweeper wants to modify all these programs which were intercepted by PG?
I'm not sure I can answer other than it thoroughly checks everything on the system. Since I trust Spysweeper, I just installed it, turned on learning mode, rebooted, and once the system was up completely I turned off learning mode. Everything seems happy.
Note in Spysweeper I did turn off the memory shield as it spikes the CPU to 50% every 10 seconds. Bit of overkill in view of everything else I am running. So I am not surprised that Spysweeper peeks everywhere.
You need to give SpySweeper privileges to:
1. Terminate Protected Applications
2. Install Global Hooks
3. Install Driver/Services
JFI... the latest Spy Sweeper version is 3.5, Build 198.
Oh, almost forgot. Don't place "Secure Message Handling" on Spy Sweeper. It causes SS to not start up properly. Something to do with Spy Sweeper's built-in tamper protection.
Thank you very much for your fast answer. Problem solved. It's appreciated
I'm not sure it's a good idea to give Spysweeper the right to terminate protected applications. I wrote in another thread about Spysweeper attempting to terminate smss.exe, which is an important Windows system process.
Are you sure you trust it that much?
It's Spy Sweeper's resident protection (Shields) that's the culprit here. If you disable those SS protections you won't see this behaviour. The Mad code hook injection driver ('MchInjDrv') is caused by the Windows shields. MchInjDrv will try to inject a DLL into all the running processes (modifying them).
There's a good thread on the issue here -> http://www.wilderssecurity.com/showthread.php?t=47024
Thanks dog for the info and the link to the thread.
After reading all this thread I am still confused.
Should I let Spy Sweeper modify all these applications OR NOT??
I never did ... I decided to disable the Shields instead.
Really it's up to you ... it comes down to your 'trust' of Webroot and what you're comfortable with.
If you decided to keep the Shields Active and not 'allow' the modifications ... PG's Attack/Alert count will climb ... which you can reset with regedit ... or you can save the attached txt file I created for you, save it, and change the extension to .reg from .txt ... Double click the file before you shutdown your system, and on reboot the count will be reset. I know this really doesn't answer your question, but it's a nice simple way to reset the alert count.
Spysweeper may check and see if it has the right to terminate Smss.exe, but it doesn't actually do so. I run with those settings and have no problems. I did turn off just the memory shield because of the cpu issue, but that has nothing to do with Process Guard. Yes I do trust Webroot, or I'd have never paid for SpySweeper. I also have run some of their other products, which is the reason I trust them.
Hmmm... interesting. The guys from Webroot have not yet given me an answer about why Spysweeper tries to terminate smss.exe, but they didn't say that it was only attempting to do so either.
I do like spysweeper, but I don't think I'm yet at the point of giving it carte blanche.
Thanks to all of you for your help. I think for the time being I won't let Spy Sweeper modify anything.
But still this bothers me a bit and I am not sure if I will keep Spy Sweeper. Did not have this kind of problem with MS Antispyware.
Now if I remove SpySweeper is he going to mess up my registry?
I'll be surprised if the normal tech support guys even know what you are talking about, but my experience with both Webroot and Spysweeper has been one that gives me a pretty high confidence level. I gave it the necessary privileges and all is well. Also it seems to do a very good job at the spyware game.
With MS AS, you do not have this problem. At least, I did not. S Sweeper peaks my machine at upwards of 90% every 20 seconds. Webroot told me there was a leak. If there is, it is in their crap. I uninstalled and downloaded three times. Same thing. If others have this problem and think it is ok, good luck. Webroot SAID it was a leak. However, they have yet to do anything about it. Guess I will stay with MS AS until they screw it up. Hopefully, by then, Hay59 may have something up and running that I can turn to.
I've been thinking about this for a while now, and I'm a little confused. Granted I am not a programmer, but I am fairly computer literate. I am puzzled as to how a program would "attempt" to terminate a process with no intention of actually terminating it. If I did not have ProcessGuard running, what is it that makes you think that the "attempt" to terminate smss.exe would not have been successful?
It appears to me that SpySweeper was in earnest when it was trying to kill smss.exe. As was discussed in the other thread to which I referred, there is malware that masquerades as smss.exe, but telling the fakes from the real deal is not that hard.
I do like Spysweeper for a few different reasons, but this appears to me to be a bug that needs addressing. smss.exe is an important Windows system process, the termination of which could cause stability issues.
I agree with you and until then I won't use Spy Sweeper.
I can't answer how a program attempts to shut something down and doesn't. Maybe Wayne can answer that, but I can tell you this. I am running Spysweeper as I write, and I have given it terminate privileges in Process Guard and so far it hasn't terminated zip. smss.exe is running faithfully as is everything else.
Methinks you are worrying about nothing.
PS although a bit off topic, I have Spysweeper and Giant AS, and I think Spysweeper is a bit more thorough than Giant. As to the memory leak, I turned off the memory shield and it stopped. I don't think I need a sweep of RAM every 10 seconds.
This feature was added a few months ago. It hooks into smss, csrss, svchost, lsass, winlogon, etc. because these files are often targeted by trojans. As suggested previously, just change PG to give it SS permission to do its job and you'll have no problem.
I've been running the Enterprise version since its release. I think they do a very good job against spyware, comparable to Giant (MS) and much better than Ad-Aware and Spybot (both of which have been falling behind in recent months). The Startup shield protecting the run keys in the registry is especially effective.
FYI... the April issue of PC World rated SpySweeper second to CounterSpy (with Giant engine) in passive scan detection. My opinion: SpySweeper is a more well-rounded product because of the tested active shield feature, which was just added to CounterSpy a few weeks ago.
My only criticism of Webroot is the company is sometimes hasty and doesn't get all the bugs worked out of new builds before releasing them. The flip-side: they are very proactive when delivering new definitions.