Which Programs should be allowed to terminate others?

Earlier this week I experienced a "melt-down" with applications being terminated including ProcessGuard which didn't prevent the occurrence. I reformatted the hard-drive and used TrueImage to restore an earlier system backup. I'm now reviewing my settings for ProcessGuard. Originally I didn't use learning mode but just OKed or denied requests as I went along. I'd like to know if my current set-up is secure. I suspect not. Currently the following programs are protected from Termination and Modification and have rights to Terminate, Modify and Read:

ad-aware.exe
csrss.exe (also access physical memory)
setup.exe
spybotsd.exe
taskmgr.exe
winlogon.exe

Is this list safe. Should anything else be on this list. For example, BoClean, Counterspy, AVG and ProcessGuard itself?

Thanks,

Chris (Hunt)

 

Hi Chris,

First, what is "setup.exe"? If it is an installer of some kind, it is not necessary to put it in the Protection list. Second, you should include c:\windows\system32\smss.exe in your Protection list with permission to install drivers/services, access physical memory, and terminate other protected apps. I believe those permissions for smss.exe are granted automatically in Learning Mode. You will likely have system stability problems if you don't.

Nick

 

Thanks Nick, I've no idea what setup.exe was. I checked the location which was in the windows temp folder. It doesn't exist. I've removed the reference from the protected list. Regarding c:\windows\system32\smss.exe it is protected but currently it doesn't have the permission to terminate protected applications, it can access physical memory and install drivers/services. I Should give it the power to terminate?

Chris

 

Smss.exe does not have the ability to terminate on my system (install drivers, physical memory, read and modify permissions are set). Csrss.exe is the Windows component that tends to terminate rogue processes and which therefore needs termination permission more. You will get an alert if Smss.exe tries to terminate something that it does not have permissions for anyway, so the best advice is to try it and see.

Note that anything given Install Driver or Physical Memory access could bypass PG's protection (and with Physical Memory access, could disable PG itself) so I'd suggest being especially careful about assigning these permissions to third party software.

 

Yes. Based on my experience, that is the way Learning Mode configures it, along with crss.exe and winlogon.exe. Those are the only protected processes on my systems that are allowed to terminate others.

Nick

 

Thanks Nick,

I've changed the setting of crss.exe as you suggested. You don't allow your anti-virus, anti-trojan software or ProcessGuard to terminate protected applications?

Chris

 

You're welcome, Chris. I prefer not to give any security app blanket permission to terminate other security apps. Every time you give an app blanket terminate permissions, you increase the risk of one app taking everything down. Give permissions only as required (dictated generally by PG alerts or looking at PG's logs).

Nick

 

Looking more carefully I just noticed the process ProcessGuard is protecting on my system is called csrss.exe and NOT crss.exe. Are these processes different? Now I'm confused as to what I should be protecting and what rights it should have.

Chris

 

I think nick s just made a typo csrss is the right one.

 

It's a typo. Sorry for the confusion.

Nick

 

In learning mode, PG granted physical memory access to:

alg.exe
csrss.exe
iexplore.exe
lsass.exe
ntvdm.exe
smss.exe
svchost.exe

Can install global hooks:
explorer.exe
iexplore.exe
msimn.exe
procguard.exe

Can install drivers:

services.exe
smss.exe

Are these ok?

I hesitate to change anything. I have 38 processes protected from termination and modification. Every time I think PG has sufficiently learned and I put it on full mode, I have a mess. While I am trying to examine a PG alert, the application in question will try to run and may be damaged because not all parts of it were allowed fast enough by me. I had to resort to System Restore yesterday after PG tried to block nVidia desktop management from opening my profile. I haven't opened that in months. I wanted to open it to see what theme it was because I couldn't recall. I had a major mess caused by PG trying to stop the process. I ended up with a blank desktop and no ability to open any theme. Every time I put PG in full mode, thinking it has learned enough, I have a disaster.

It makes no sense to me to run every application you have right after you get PG. That would take forever. Plus, you still would not have covered everything. Like nVidia desktop manager that is already allowed but not the little act of opening "my profile" or the hundreds of other little things I can do in desktop manager. There is no way you could possibly run everything right after getting PG. The only plausible way is to leave PG in learning mode for a week or two while you use your computer normally. That still will leave a lot that PG has not encountered. I really am doubting that PG will ever be useful rather than a major headache.

The free version is not a problem. It is the full version that causes the headaches.

 

There are 2 approaches to configuring Process Guard:

• The DCS-recommended way - run every application in Learning Mode so that PG can pick up what permissions are needed. Upside: Simple, though tedious to accomplish. Downside: Applications may be given more privileges than prudent, including any malware. Some applications may only attempt PG-restricted actions when certain functions are used - meaning that every function of every application would need to be checked.
• The masochist's way - Ignore Learning Mode and reset PG to Default settings. If a program fails or behaves strangely, check the PG logs and adjust settings if needed. Upside: Great learning experience, less upfront configuration needed, more control. Downside: Some programs may show bizarre behaviour that does not immediately suggest a PG issue. The first Windows restart will likely require a lot of adjustment followed by another restart to get all startup programs working properly.

While I have encountered some oddities that have required a program to be rerun after adjusting PG's settings, I have never had to restore from a backup. I did try Nvidia's Desktop Manager myself - it did hang when loading a profile but using Task Manager to terminate rundll32.exe (which was using all available CPU) worked OK. It does suggest a deeper conflict between Nvidia's driver and PG though since allowing the permissions requested (CBT and mouse hooks) did not help.

As for configuration specifics, I would simply suggest not giving Internet Explorer any permissions - least of all Physical Memory Access since that would allow it to disable PG. Since IE seems to be the whipping boy of the majority of malware out there, it seems prudent to treat it like a binary leper. Alg.exe and svchost.exe likely don't need this permission either but experimentation is your best guide here - you can always change settings back.

For driver installation and services.exe, please review the sticky thread Notice for PG users who use the Block Rootkit\Driver Install feature.

 

I'd be grateful if someone could comment on the following - I'd like t give as few permissions as practical. Alg.exe and svchost.exe can possibly be denied accessing physical memory. Any other cut backs I can make.

Thanks,

Chris
----------------------------------

INSTALL DRIVES AND ACCESS PHYSICAL MEMORY:

smss.exe


ACCESS PHYSICAL MEMORY:

csrss.exe
svchost.exe
Isass.exe
ntvdm.rxr
alg.exe

INSTALL DRIVERS:

e_s00rn2.exe
services.exe
surmix2.exe
rootkitrevealer.exe
coreldrw.exe
e_s00mt2.exe
ikernel.exe
pxhpinst,exe
rundll32.exe
update.exe
wuauclt.exe

----------------------------------

 

Hope that clarifies things...

 

Have been trawling posts looking for confirmation that this or that process should be given or denied whatever powers, simply because I don't know anything about what they are (apart from looking up the tech explanations, which mean nothing to a brain without the data base to bounce the info off). Is there a thread I have not yet found that gives a 'norm' value for noobies who believe those pesky viruses are still invading the lawn?

So far when someone who sounds knowledgable says deny or allow whatever, I am leaping on it with some surprising agility.....what a field day anyone without integrity, happening upon this forum, could have....given that there are others out there as lawn conscious as I am and still getting around with a torch

Perhaps I am alone in my ignorance though.

)

 

I saw a new post in this thread, started reading and saw I posted in it back in September. Fascinating as PG full version was new to me then and I said I had 34 protected processes after using learning mode for more than two days. Three months later, I now have about 155 protected processes. Most are just protected from termination and modification and are authorized to modify and read. Is this normal after having PG for awhile?

I have 6 that can also terminate, 13 that can install Global Hooks, 7 that can access physical memory, 10 that can install drivers.