Anti-hook Free tries to modify all running processes

Discussion in 'other anti-trojan software' started by Tommy Vercetti, Apr 16, 2005.

Thread Status:
Not open for further replies.
  1. Hi,

    I recently installed AntiHook and then, on restart, ProcessGuard Free reported that AntiHook tries to modify most of the running processes, i.e. firewall, antivirus processes etc.

    I have not let antihook modify anything. Antihook is set to fingerprint mode.

    Also, when I open iexplore.exe or the antivirus or antitrojan, PG reports that AntiHook tries to modify whatever I was opening!

    Is this supposed to happen? It looked suspicious to me, so I removed AntiHook.

    Excerpt from the PG alert log:
    [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\regdefend\regdefend.exe [296]
    Sat 16 - 19:49:54 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\regdefend\regdefend.exe [296]
    Sat 16 - 19:49:54 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\regdefend\regdefend.exe [296]
    Sat 16 - 19:49:54 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\toshiba\toscdspd\toscdspd.exe [420]
    Sat 16 - 19:49:54 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\toshiba\toscdspd\toscdspd.exe [420]
    Sat 16 - 19:49:54 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\toshiba\toscdspd\toscdspd.exe [420]
    Sat 16 - 19:49:54 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\processguard\procguard.exe [452]
    Sat 16 - 19:49:54 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\processguard\procguard.exe [452]
    Sat 16 - 19:49:54 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\processguard\procguard.exe [452]
    Sat 16 - 19:49:57 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\spywareguard\sgmain.exe [1356]
    Sat 16 - 19:49:57 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\spywareguard\sgmain.exe [1356]
    Sat 16 - 19:49:57 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\spywareguard\sgmain.exe [1356]
    Sat 16 - 19:50:05 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\spywareguard\sgbhp.exe [1492]
    Sat 16 - 19:50:05 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\spywareguard\sgbhp.exe [1492]
    Sat 16 - 19:50:05 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\spywareguard\sgbhp.exe [1492]
    Sat 16 - 19:50:16 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\windows\system32\wuauclt.exe [1628]
    Sat 16 - 19:50:16 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\windows\system32\wuauclt.exe [1628]
    Sat 16 - 19:50:16 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\windows\system32\wuauclt.exe [1628]
    Sat 16 - 19:50:42 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\internet explorer\iexplore.exe [2056]
    Sat 16 - 19:50:42 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\internet explorer\iexplore.exe [2056]
    Sat 16 - 19:50:42 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\internet explorer\iexplore.exe [2056]

    Is this what is supposed to happen, or am I being paranoid and should I allow AntiHook free rein?

    Tommy
     
  2. Chris12923
  3. Hekx
    Could it mean that by "modifying" it means accessing the resource?
    It could be a case of the terminology used.
    I didn't notice any modifications being made by AntiHook on my system.
     
  4. Arup
    No mods on my system with AntiHook; it does, however, block process explorer programs like Faber Toy.
     
  5. Quote:
    if you downloaded from http://www.infoprocess.com.au/ it should be no problem.

    Yes, I downloaded AntiHook from the site above.

    Chris, I see you have ProcessGuard on your system. When installing AntiHook, did you not see the same alerts from ProcessGuard?

    To others: how do you know that AntiHook was not modifying processes if you did not have some kind of process protection like ProcessGuard running?

    I'm still unsure if AntiHook is safe. For now I will not install it.
     
  6. Chris12923
    I have not had them running together for a while, as I was testing Anti-Hook; I tried with and without. I may try them together tomorrow and let you know.

    Hope this helps,

    Chris
     
  7. spy1
    Hopefully, it's simply sloppy programming (IOW, the program doesn't need/use the "Modify" privileges - it just asks for them anyway).

    Whether that's actually the case or not I couldn't tell you - the anti-hook program may not function as designed if it can't "modify" things.

    Without an awful lot of clear evidence as to why it wants to "modify" things - and documentation as to how and in what way it "modifies" whatever - I wouldn't give it permission to do so.

    I see the same thing with AdAware all the time - try removing AA's "permission" to modify stuff and this is what I get here:

    Mon 18 - 01:22:01 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\smss.exe [456]
    Mon 18 - 01:22:02 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\csrss.exe [560]
    Mon 18 - 01:22:02 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\winlogon.exe [620]
    Mon 18 - 01:22:05 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\services.exe [712]
    Mon 18 - 01:22:05 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\lsass.exe [724]
    Mon 18 - 01:22:06 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\svchost.exe [916]
    Mon 18 - 01:22:06 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\svchost.exe [980]
    Mon 18 - 01:22:06 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\svchost.exe [1056]
    Mon 18 - 01:22:13 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\svchost.exe [1216]
    Mon 18 - 01:22:13 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\spoolsv.exe [1436]
    Mon 18 - 01:22:14 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\apc\apc powerchute personal edition\mainserv.exe [1688]
    Mon 18 - 01:22:14 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\processguard\dcsuserprot.exe [1736]
    Mon 18 - 01:22:14 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\ewido\security suite\ewidoctrl.exe [1768]
    Mon 18 - 01:22:15 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\eset\nod32krn.exe [1864]
    Mon 18 - 01:22:15 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\pctspk.exe [1904]
    Mon 18 - 01:22:15 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\pgpserv.exe [1968]
    Mon 18 - 01:22:15 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\riomsc.exe [228]
    Mon 18 - 01:22:15 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\locator.exe [284]
    Mon 18 - 01:22:15 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\snoopfreesvc.exe [372]
    Mon 18 - 01:22:15 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\svchost.exe [416]
    Mon 18 - 01:22:16 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\ups.exe [540]
    Mon 18 - 01:22:16 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\alg.exe [1524]
    Mon 18 - 01:22:16 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\explorer.exe [504]
    Mon 18 - 01:22:18 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\spyblocker software\spyblocker.exe [1176]
    Mon 18 - 01:22:18 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\eset\nod32kui.exe [1328]
    Mon 18 - 01:22:18 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\mynetwatchman\nwclient.exe [1572]
    Mon 18 - 01:22:18 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\processguard\pgaccount.exe [1116]
    Mon 18 - 01:22:18 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\snoopfreeui.exe [1308]
    Mon 18 - 01:22:19 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\spybot - search & destroy\teatimer.exe [1876]
    Mon 18 - 01:22:19 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\processguard\procguard.exe [2120]
    Mon 18 - 01:22:19 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\pgp corporation\pgp for windows xp\pgptray.exe [2496]
    Mon 18 - 01:22:20 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\shadowstor\shadowuser\shadowuser.exe [2552]
    Mon 18 - 01:22:20 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\mru-blaster\scheduler.exe [2664]
    Mon 18 - 01:22:20 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\apc\apc powerchute personal edition\apcsystray.exe [2960]
    Mon 18 - 01:22:20 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\cookiemuncher\cookiem.exe [2964]
    Mon 18 - 01:22:21 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\id-blaster plus\idblasterplus.exe [3032]
    Mon 18 - 01:22:21 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\spywareguard\sgmain.exe [3128]
    Mon 18 - 01:22:21 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\spywareguard\sgbhp.exe [3220]
    Mon 18 - 01:22:21 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\program files\kw1337\kw1337.exe [4048]

    Does AA still work correctly if one removes the modify privilege? Darned if I know - I don't depend on AA for anything anymore.

    And if it won't work correctly without the ability to actually "modify" my other trusted security programs at will - then I don't need it, anyway. Pete

    *As an aside, this issue does not exist when one runs SpyBot Search&Destroy and it doesn't have "Modify" privileges in ProcessGuard. PG never lets out a peep during the SBS&D scan.
     
    Last edited: Apr 18, 2005
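The two log excerpts in this thread are hard to read by eye because ProcessGuard writes one line per blocked attempt, so the same source/target pair appears three times in a row and the real question (how many distinct processes did one program try to touch, and were any of them security tools or core system processes?) is buried. The script below is an added example, not part of the original thread and not ProcessGuard's own tooling; it assumes only the line format visible in the excerpts (optional `Sat 16 - 19:49:54` timestamp, `[MODIFY]`, source path and PID, `was blocked from modifying`, target path and PID). The watch-list of "sensitive" executables and directories is an illustrative assumption of this example, not a PG setting, and the embedded sample is a handful of lines taken from the two excerpts above.

```python
"""Triage a ProcessGuard [MODIFY] alert-log excerpt.

Added example; assumes only the line format seen in the excerpts:

    Sat 16 - 19:49:54 [MODIFY] <source exe> [<pid>] was blocked from modifying <target exe> [<pid>]

The timestamp prefix is optional (the first line of the first excerpt lacks it).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(
    r"^(?:(?P<ts>[A-Za-z]{3} \d{1,2} - \d{2}:\d{2}:\d{2}) )?"   # optional "Sat 16 - 19:49:54 "
    r"\[(?P<action>[A-Z]+)\] "                                  # "[MODIFY] "
    r"(?P<src>.+?) \[(?P<src_pid>\d+)\] "                       # source path and PID
    r"was blocked from modifying "
    r"(?P<dst>.+?) \[(?P<dst_pid>\d+)\]\s*$"                    # target path and PID
)

# Illustrative watch-list (an assumption of this example, not a PG setting):
# core Windows processes plus the security tools named in the thread.
SENSITIVE_EXES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
SENSITIVE_DIRS = {"processguard", "spywareguard", "regdefend", "eset", "ewido"}


@dataclass(frozen=True)
class ModifyEvent:
    timestamp: Optional[str]
    source: str
    source_pid: int
    target: str
    target_pid: int


def is_sensitive(path: str) -> bool:
    """True if the target's basename or any directory component is on the watch-list."""
    parts = path.lower().split("\\")
    return parts[-1] in SENSITIVE_EXES or any(p in SENSITIVE_DIRS for p in parts[:-1])


def parse_line(line: str) -> Optional[ModifyEvent]:
    """Parse one alert line; returns None for non-MODIFY or unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("action") != "MODIFY":
        return None
    return ModifyEvent(m.group("ts"), m.group("src").lower(), int(m.group("src_pid")),
                       m.group("dst").lower(), int(m.group("dst_pid")))


def parse_log(text: str) -> list:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def triage(text: str) -> dict:
    """Per source executable: raw attempt count, number of distinct target
    processes (path + PID), the distinct target paths, and which of those are
    on the watch-list. Three retries against one PID show as attempts=3 but
    distinct_targets=1, which is the pattern in both excerpts."""
    by_src = defaultdict(list)
    for ev in parse_log(text):
        by_src[ev.source].append(ev)
    report = {}
    for src, evs in by_src.items():
        targets = {(ev.target, ev.target_pid) for ev in evs}
        paths = sorted({t for t, _ in targets})
        report[src] = {
            "attempts": len(evs),
            "distinct_targets": len(targets),
            "targets": paths,
            "sensitive_targets": [p for p in paths if is_sensitive(p)],
        }
    return report


# Sample lines copied from the two excerpts in this thread (raw string so the
# backslashes in the paths are kept literally).
SAMPLE_LOG = r"""
[MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\regdefend\regdefend.exe [296]
Sat 16 - 19:49:54 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\regdefend\regdefend.exe [296]
Sat 16 - 19:49:54 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\regdefend\regdefend.exe [296]
Sat 16 - 19:49:54 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\processguard\procguard.exe [452]
Sat 16 - 19:50:42 [MODIFY] c:\program files\infoprocess\antihook\2.0\antihook.exe [256] was blocked from modifying c:\program files\internet explorer\iexplore.exe [2056]
Mon 18 - 01:22:02 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\csrss.exe [560]
Mon 18 - 01:22:05 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\lsass.exe [724]
Mon 18 - 01:22:06 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\svchost.exe [916]
Mon 18 - 01:22:06 [MODIFY] c:\program files\lavasoft\ad-aware se personal\ad-aware.exe [1464] was blocked from modifying c:\windows\system32\svchost.exe [980]
"""

if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["distinct_targets"]):
        print(f"{src}: {info['attempts']} attempts, {info['distinct_targets']} distinct targets, "
              f"{len(info['sensitive_targets'])} on watch-list")
        for t in info["sensitive_targets"]:
            print(f"    sensitive: {t}")
```

Run it against a full log pasted into `SAMPLE_LOG` (or read from a file) and the first line of output is the program that reached for the most distinct processes. A source that touches every process on the box, including lsass.exe and the other security tools, is what a system-wide DLL injector looks like from PG's side; whether that is acceptable is a trust decision about the source, which is exactly the question this thread is asking.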
  8. controler
    Do you guys stop all programs from modifying protected apps?

    It seems the PG default is to allow on most programs.

    Bruce
     
  9. spy1
    Hi, Bruce! I generally let all my A/T's and A/V's have "modify" rights over other "protected" programs (although I don't really see why they would need them - I really wish someone would clearly explain to me if they must have them - and for what purpose).

    But something like AA? Why would it need to modify anything - especially within the programs that I have "Protected" because I trust them and need them?

    Having one of those programs modified on-the-fly when something else runs doesn't exactly make me feel all warm and fuzzy, if you get my drift.

    Of course, if these programs are not actually modifying anything (see "sloppy coding" in my other post), then it's really not an issue at all - it's just screwed up if the program's asking for privileges it doesn't need/use. Pete
     
  10. Chris12923
    I have asked the developer of Anti-Hook to provide an answer if possible. They are located in Australia so it may be later tonight.

    Hope this helps,

    Chris
     
  11. controler
    I am not so sure it would be a modify as much as an inject, like PE does,
    actually injecting a DLL into all other apps.
    Like Chris says, maybe we will get our answer tonight.
    I have all my programs set to not allow modify. Doesn't seem to bother.

    Bruce
     
  12. Pilli
    I am not sure either, but I think that many security applications may need the ability to modify other processes if malware is found, so they initially test to see if they can.

    Having said that, if the program is on PG's protection list, it is trusted and should be given the rights it requires.

    I know that this does still not answer the initial question of "Why" so hopefully the program developers will enlighten us.

    Pilli :)
     
  13. Infinity
    I always wondered this myself until I saw a thread a few months ago (this has probably been addressed a couple of times...). This problem would appear if you installed ProcessGuard after installing AntiHook; that way PG would have been in learning mode and would accept all attempts at modification...

    For a few months now I have not been letting learning mode do everything for me anymore... whatever processes require a privilege, I'll see it when I receive a popup :) Only then I'll give it the privilege it needs. It works in 99% of the situations... sometimes when installing a driver/service the other 1% will occur.

    But I have given Ad-Aware full rein, if you will. No matter what happened to LS, it is a trustworthy program...

    Sincerely

    Andy
     
  14. controler
    Does anyone know what happened to Infoprocess?

    Did they disappear off the internet?

    Bruce
     
  15. Chris12923
  16. Ivo
    Good morning!

    First of all I apologize for delaying the answer to this question, but we have had some serious issues with our hosting provider and as you probably have noticed www.infoprocess.biz has been down for a while.
    Our plans are to move www.infoprocess.biz to www.infoprocess.com.au and provide you with more information on AntiHook and all related products.

    As to the question – AntiHook is a kernel based protection that utilizes an NT driver. In addition to this AntiHook provides a fine granular control over system wide hooks and COM/ActiveX/BHO DLLs through a user mode DLL that is being injected in all processes. That’s why you should allow AntiHook to “modify” external processes.

    Please let me know if you have any other questions.

    Thanks!

    Ivo Ivanov
    www.infoprocess.com.au
     
  17. Chris12923
    Thanks for the answer Ivo.

    Thanks,

    Chris
     