Sygate Firewall informing me that ProcessGuard has changed!

Discussion in 'ProcessGuard' started by knowbodynow, Dec 9, 2006.

Thread Status:
Not open for further replies.
  1. knowbodynow

    knowbodynow Registered Member

    Joined:
    Sep 23, 2005
    Posts:
    48
    Hello,

    Recently I have had one or two alerts from my Sygate Firewall that ProcessGuard has changed. Here is a sample of the latest report:

    ------------------------

    The executable has changed since the last time you used: C:\Program Files\ProcessGuard\procguard.exe
    File Version : 3.4.1.0
    File Description : GUI Aspect of ProcessGuard
    File Path : C:\Program Files\ProcessGuard\procguard.exe
    Process ID : 0x468 (Heximal) 1128 (Decimal)

    ------------------------

    What does this mean? Has ProcessGuard been nobbled? I've run various checks including AVG, Counterspy, Spybot S&D and Hijack This. No malware has been detected.

    Hope someone can help.

    Thanks,

    CaH
     
  2. KDNeese

    KDNeese Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    236
    I wouldn't get too excited about it. It's basically speaking of the MD5 signature of the program. Many times when programs are updated the MD5 hash changes. Most firewalls keep track of programs' hashes, and alert you when it has changed. This happens all the time with certain security software that I use, especially after an update. I don't know if you have updated PG recently, but if you have, that's probably your answer. There are multiple reasons why security software hashes change, but if your other security software didn't find any problems, I wouldn't worry about it. I get those kinds of messages all the time from my firewall, and I know my system is clean. I've gotten pretty used to warnings. Also, you can always verify the MD5 hash at the PG website and make sure everything is in order. From your warning message there seems to be some alteration to the user interface. Did you add or remove any menus, functions, etc.? If so, that would generate the warning from Sygate, most likely.
     
  3. knowbodynow

    knowbodynow Registered Member

    Joined:
    Sep 23, 2005
    Posts:
    48
    Thanks for the reply. I haven't updated ProcessGuard recently, nor changed the settings. I'd be grateful if you would tell me how I go about verifying the MD5 hash. I've never done this before, and I couldn't see any information about it at the DiamondCS site.

    Thanks again,

    CaH
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    ProcGuard.exe should not change under normal circumstances so either Sygate is in error or some other program is "interfering" (PG itself should alert on a changed ProcGuard so I would suspect the former).

    You can use an MD5 checksum utility (MD5File being a simple one) to check the file manually or run another program that verifies program checksums like System Safety Monitor (SSM does a similar job to PG but adds many other features). If neither of these confirm any change in ProcGuard then give Sygate a good seeing to for raising a false alarm. ;)
     
    Last edited: Dec 11, 2006
  5. knowbodynow

    knowbodynow Registered Member

    Joined:
    Sep 23, 2005
    Posts:
    48
    Thanks for the reply. I've been thinking of trying out System Safety Monitor. Is it possible to run it with ProcessGuard running, or would it be best to disable or uninstall ProcessGuard?

    Cheers,
    CaH
     
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    SSM will run with PG perfectly well - SSM's installation does need to load a driver (like most other security software nowadays) so you need to uncheck PG's "Block Rootkit..." option while installing it but that should be the only issue.
     
  7. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    579
    Location:
    South Carolina, USA
    If you are going to run "System Safety Monitor", I wouldn't run PG along with it, since I would expect SSM to provide the same type of protection that PG does.
     
  8. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    Exactly.

    While my firewall can do some rudimentary checking on apps, I've been using FileChecker (installed as a Windows service) for years now to monitor my security apps for changes with only a slight delay from real time. Installed as a service with ProcessGuard watching it, it's sort of a chicken-and-egg problem, I'd think, for the vast majority of automated malware, which then needs to go and wipe its NT event log.

    The idea occurs to me to use a .bat file to generate my own security checksum benchmarks on a regular basis with fsum or Hash, virtually eliminating the possibility that an automated tool can find all the logs.
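
The manual MD5 check Paranoid2000 suggests and the scheduled "checksum benchmark" Ice_Czar describes amount to the same thing: fingerprint the security binaries once, store the result somewhere the malware is unlikely to touch, and re-hash on a schedule. The script below is an added example written for this page, not code from the thread, from DiamondCS or from Sygate. It keeps both MD5 (so the value can be compared with a vendor-published checksum) and SHA-256 (because MD5 collisions are cheap), stores the baseline as JSON, and classifies each watched file as changed, missing, new or unchanged. The file names in `demo()` are constructed stand-ins, not the real ProcessGuard binaries, and `matches_published()` assumes you have obtained the published MD5 out of band.

```python
"""Hash-baseline checker for watched security binaries (added example, hypothetical).

Builds an MD5 + SHA-256 baseline of a list of files, stores it as JSON, and on
each later run reports files that changed, vanished or appeared. It also checks a
file against a vendor-published MD5. File names in demo() are constructed
stand-ins, not the real ProcessGuard binaries.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# MD5 so the result can be compared with vendor-published checksums; SHA-256 as
# well, because MD5 collisions are cheap and a tampered file could keep its MD5.
ALGORITHMS = ("md5", "sha256")


def hash_bytes(data, algorithm):
    """Hex digest of an in-memory buffer (used for known-answer checks)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm):
    """Stream the file through the hash so large executables need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint(path):
    """Per-file record kept in the baseline: size plus one digest per algorithm."""
    record = {"size": os.path.getsize(path)}
    for algo in ALGORITHMS:
        record[algo] = hash_file(path, algo)
    return record


def build_baseline(paths):
    """Fingerprint each watched path; a path that is not a file is stored as None."""
    return {str(p): (fingerprint(p) if os.path.isfile(p) else None) for p in paths}


def save_baseline(baseline, dest):
    Path(dest).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src):
    return json.loads(Path(src).read_text())


def compare(baseline, paths):
    """Re-hash the watched paths and classify each one against the stored baseline."""
    report = {"changed": [], "missing": [], "new": [], "unchanged": []}
    for p, now in build_baseline(paths).items():
        before = baseline.get(p)
        if before is None and now is None:
            continue                      # absent then and absent now: nothing to say
        if before is None:
            report["new"].append(p)
        elif now is None:
            report["missing"].append(p)
        elif any(before[a] != now[a] for a in ALGORITHMS):
            report["changed"].append(p)   # any digest differs -> flag it
        else:
            report["unchanged"].append(p)
    return report


def matches_published(path, published_md5):
    """Compare a file's MD5 with the checksum a vendor publishes (case-insensitive)."""
    return hash_file(path, "md5") == published_md5.strip().lower()


def demo():
    """Constructed scenario: baseline three paths, then patch one file, delete one, add one."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        a, b, c = d / "procguard.exe", d / "pgaccount.exe", d / "newtool.exe"
        a.write_bytes(b"MZ" + b"\x00" * 100)
        b.write_bytes(b"MZ" + b"\x01" * 100)
        watched = [a, b, c]               # c does not exist yet

        save_baseline(build_baseline(watched), d / "baseline.json")
        baseline = load_baseline(d / "baseline.json")
        published = baseline[str(a)]["md5"]   # stands in for the vendor's published MD5

        a.write_bytes(b"MZ" + b"\x00" * 99 + b"\x90")   # one-byte patch, same size
        b.unlink()
        c.write_bytes(b"MZ" + b"\x02" * 10)

        report = {k: sorted(Path(p).name for p in v) for k, v in compare(baseline, watched).items()}
        report["published_md5_still_matches"] = matches_published(a, published)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would add. The one-byte patch in `demo()` keeps the file size the same, which is why size and modification time alone are not enough and the digests are what decide. And the baseline is only useful if the attacker cannot rewrite it along with the binary: keep `baseline.json` read-only, on removable media, or on another host, and treat a missing or unreadable baseline as an alert rather than as "nothing to compare against".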
     