A few questions about Pguard.dat, logging and closing windows.

Discussion in 'ProcessGuard' started by linney, Nov 28, 2003.

Thread Status:
Not open for further replies.
  1. linney

    linney Registered Member

    Joined:
    Feb 17, 2002
    Posts:
    174
    Thank you DiamondCS for the new version.

    A few questions about Pguard.dat, logging and closing windows.

    Why is my antivirus (NOD32) checking Pguard.dat incessantly? However, there is no sign of any excessive CPU usage.

    Will the Logging file ever have dates included?

    What is the significance of [P] after time in Logging file?

    Is it just the way it is that the "About" window has the 5 letter code to close it?

    Thanks for any clarifications.
     
  2. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi linney,
    Can you elaborate a bit? I also have NOD32 and don't find it is checking pguard.dat. I suppose you mean NOD's AMON?
    (I've just tried the following - I have both NOD's Control Center and PG open and I watch the last scanned file in Control Center. Then I modify one of the flags in PG's list of processes - I hear the hard disk make a noise (the new value is written to pguard.dat), but there's no change in the last scanned file. What file types/extensions and on what action are you scanning with AMON?)

    While I cannot speak for DCS, I do think so.

    Don't know - I don't have that either. What language/internationalization setting are you using (just an idea)?

    Yes. You're prompted on every window-closing in "Close-Message-Handling"-protected apps. No way around it currently - and for some time to come, I think. See my long posting in the "TDS-3/PortExplorer As Examples?" thread.

    HTHH,
    Andreas
     
  3. linney

    linney Registered Member

    Joined:
    Feb 17, 2002
    Posts:
    174
    Hi,

    AMON (NOD32) is scanning "All File Ext.". It is scanning on "Open, Execute, and Create". It was not a problem with the previous Process Guard. Do you have two Pguard.dat files, one in the Program folder and a larger one in the System32 folder? I am not sure which one AMON is scanning but believe it to be the one in System32.

    My query is more about what would be continually opening or accessing Pguard.dat to make it show up in AMON.

    Here is a sample log for my query about the [P] (more in one of my other posts of the same day).

    [19:02:38] [P] - c:\progra~1\attack\agnitum\outpos~1\outpost.exe [1196] tried to gain WRITE access on c:\windows\system32\taskmgr.exe [1916]
    [19:04:38] [P] - c:\progra~1\attack\agnitum\outpos~1\outpost.exe [1196] tried to gain WRITE access on c:\program files\eset\nod32kui.exe [1804]
    [19:05:40] [P] - c:\progra~1\attack\agnitum\outpos~1\outpost.exe [1196] tried to gain WRITE access on c:\program files\eset\nod32.exe [1816]


    Notice the [P]. I have settings of English (Australia) in Regional Settings, the Keyboard is U.S.

    I have no problems with any other logs.
     
  4. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi,

    Hmmm. I'd think the pguard.dat in your PG folder is from the previous version - the current version is using pguard.dat in the system32 folder. I haven't set Amon to scan "all ext.", so that probably explains why I'm not seeing what you've described.

    Actually, I don't know this either - I know that PG keeps that file open or locked continuously so that nothing can mess with it, but I was thinking it was accessed only when there was a change in the settings. Probably we'll have to wait for an explanation from DCS.


    Well, now it's getting even more embarrassing for me. I've seen such [P] and [T] marks in other postings over here as well, so I suppose they're rather common in there. I am still using the last unreleased beta version of PG1.100 :rolleyes: and was going to wait for a comment from DCS as to what has changed between that last beta and the released version. Well, obviously there have been changes, and this flag is among them - but I don't know what it is supposed to signify.

    So, all in all, I'm afraid it turns out that I can't help you that much on your questions. Too bad it's weekend now - I suppose (and seeing the frenzy in the beta phase, I agree) DCS are taking a deserved week-end off.

    Hope to get more info on Monday. CU then,
    Andreas
     
  5. linney

    linney Registered Member

    Joined:
    Feb 17, 2002
    Posts:
    174
    Thanks for the reply. I had already deleted the pguard in the program folder when it "clicked" that it might be from the old version. I wonder why the uninstall missed that?

    However, AMON (NOD32) is still happily scanning the pguard in the System32 folder. (35000 times in 3 hours, so I'm pretty sure it's clean).
     
  6. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi again linney,
    While it is somewhat likely that PG itself is accessing pguard.dat all the time, do you happen to know Sysinternals' Filemon?
    It gave me the attached access stats (I filtered out everything that didn't contain "pguard"). It seems that the CMH module/executable is polling it every second. And, if I read Filemon's output right, it checks whether the file has been changed or not.
    At least now we know (or have a suspicion about) what is going on; maybe we will learn why and if it can be worked around... Maybe you can add pguard.dat to your AMON exclusions for the time being...

    Andreas
     
  7. linney

    linney Registered Member

    Joined:
    Feb 17, 2002
    Posts:
    174
    Thank you for the great detective work. You have done half the job for DiamondCS.

    If it's a problem I'm sure it will be fixed by them.

    I have deselected the file in AMON (NOD32).
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Yes, ignore this file from any on-access antivirus scanner; it can't contain a virus as it's a log file, and is protected at the kernel level anyway. Nothing can read or write to the file except Process Guard itself.
     
  9. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Ehm - I understand that it is the preferences file, not the logfile, but that doesn't make any difference. I, for one, will thus leave it up to DCS to decide if the regular polling of pguard.dat shall remain or be replaced by any other method - it's no big thing IMHO.
    CU,
    Andreas
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Oops, thanks! I was replying to a few threads at once. Yes, this is the config file, and in order to control processes and protect them with Close Message Handling, that needs to get some information from Process Guard at a driver level - pguard.dat serves this purpose as a middle man, protected by one and read by the other.

    Ignoring it should be OK; I can't see a dangerous situation occurring by ignoring it :)
     
  11. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    The [P] and [T] simply mean PROCESS and THREAD respectively. This won't mean much to a lot of people but it basically means what sort of access is trying to be acquired. Either on the thread level or process level. I added this in the main build so if anyone had any "weird" logs I would be able to tell if it was a thread or process based log. It may help other people too by seeing it.

    -Jason-
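An added example (not code from this thread or from DiamondCS) that parses log lines in the format linney posted above, using the [P]/[T] = PROCESS/THREAD meaning Jason gives here, and counts repeated attempts per source executable. The fourth sample line is constructed, and the field names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Line format as quoted in the thread:
#   [HH:MM:SS] [P] - <src> [<pid>] tried to gain <ACCESS> access on <target> [<pid>]
# [P] marks process-level access, [T] thread-level access (per Jason's post).
LOG_RE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2})\] \[(?P<scope>[PT])\] - "
    r"(?P<src>.+?) \[(?P<src_pid>\d+)\] tried to gain (?P<access>[A-Z]+) access on "
    r"(?P<target>.+?) \[(?P<target_pid>\d+)\]$"
)
SCOPE_NAMES = {"P": "PROCESS", "T": "THREAD"}

@dataclass(frozen=True)
class AccessEvent:
    time: str
    scope: str        # "PROCESS" or "THREAD"
    src: str          # path of the process that attempted the access
    src_pid: int
    access: str       # e.g. "WRITE"
    target: str       # path of the protected process
    target_pid: int

def parse_line(line):
    """Return an AccessEvent for one log line, or None if it is not a PG access entry."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return AccessEvent(m["time"], SCOPE_NAMES[m["scope"]], m["src"].lower(), int(m["src_pid"]),
                       m["access"], m["target"].lower(), int(m["target_pid"]))

def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]

def summarize(events):
    """Count (source exe name, scope, access) triples so a repeat offender stands out."""
    return Counter((ev.src.rsplit("\\", 1)[-1], ev.scope, ev.access) for ev in events)

# The first three lines are the ones linney posted; the fourth is a constructed [T] entry.
SAMPLE_LOG = r"""
[19:02:38] [P] - c:\progra~1\attack\agnitum\outpos~1\outpost.exe [1196] tried to gain WRITE access on c:\windows\system32\taskmgr.exe [1916]
[19:04:38] [P] - c:\progra~1\attack\agnitum\outpos~1\outpost.exe [1196] tried to gain WRITE access on c:\program files\eset\nod32kui.exe [1804]
[19:05:40] [P] - c:\progra~1\attack\agnitum\outpos~1\outpost.exe [1196] tried to gain WRITE access on c:\program files\eset\nod32.exe [1816]
[19:07:12] [T] - c:\example\constructed.exe [2222] tried to gain WRITE access on c:\program files\eset\nod32.exe [1816]
"""

if __name__ == "__main__":
    for key, count in summarize(parse_log(SAMPLE_LOG)).items():
        print(key, count)
```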
     
  12. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    To clarify:

    We are not supposed to delete pguard.dat - correct?

    It wasn't left in the PG folder by mistake after the un-install of the first version - correct?

    I have one in the PG folder,

    Created Nov 13, 2003
    Modified Nov 27, 2003
    Size: 6.96KB (7,128 bytes)
    Size on disk: 8.00KB (8,192


    and one in the SYSTEM32 folder,

    Created Nov 28, 2003
    Modified Nov 30, 2003
    Size: 14.6 KB (14,972 bytes)
    Size on disk: 16.0KB (16384 bytes)

    Do the sizes and "Modified" amounts/dates look correct on that to you?

    Does the "Modified" date change whenever you change settings in PG or something? Pete
     
  13. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Just get rid of the one in the PG folder :)

    The one in the system folder is protected and in use, but you can back it up if you are going to uninstall or something :)
     